Regulation Systems Compliance and Integrity, 72251-72447 [2014-27767]

Vol. 79, No. 234 / Friday, December 5, 2014 / Part II

Securities and Exchange Commission

17 CFR Parts 240, 242, and 249

Regulation Systems Compliance and Integrity; Final Rule

Federal Register / Vol. 79, No. 234 / Friday, December 5, 2014 / Rules and Regulations

SECURITIES AND EXCHANGE COMMISSION

17 CFR Parts 240, 242, and 249

[Release No. 34–73639; File No. S7–01–13]

RIN 3235–AL43

Regulation Systems Compliance and Integrity

AGENCY: Securities and Exchange Commission.

ACTION: Final rule and form; final rule amendment; technical amendment.

SUMMARY: The Securities and Exchange Commission (“Commission”) is adopting new Regulation Systems Compliance and Integrity (“Regulation SCI”) under the Securities Exchange Act of 1934 (“Exchange Act”) and conforming amendments to Regulation ATS under the Exchange Act. Regulation SCI will apply to certain self-regulatory organizations (including registered clearing agencies), alternative trading systems (“ATSs”), plan processors, and exempt clearing agencies (collectively, “SCI entities”), and will require these SCI entities to comply with requirements with respect to the automated systems central to the performance of their regulated activities.

DATES: Effective date: February 3, 2015. Compliance date: The applicable compliance dates are discussed in Section IV.F of this release.

FOR FURTHER INFORMATION CONTACT: David Liu, Senior Special Counsel, Office of Market Supervision, at (312) 353–6265, Heidi Pilpel, Senior Special Counsel, Office of Market Supervision, at (202) 551–5666, Sara Hawkins, Special Counsel, Office of Market Supervision, at (202) 551–5523, Yue Ding, Special Counsel, Office of Market Supervision, at (202) 551–5842, David Garcia, Special Counsel, Office of Market Supervision, at (202) 551–5681, and Elizabeth C. Badawy, Senior Accountant, Office of Market Supervision, at (202) 551–5612, Division of Trading and Markets, Securities and Exchange Commission, 100 F Street NE., Washington, DC 20549–7010.

SUPPLEMENTARY INFORMATION: Regulation SCI will, with regard to SCI entities, supersede and replace the Commission’s current Automation Review Policy (“ARP”), established by the Commission’s two policy statements, each titled “Automated Systems of Self-Regulatory Organizations,” issued in 1989 and 1991.[1] Regulation SCI also will supersede and replace aspects of those policy statements codified in Rule 301(b)(6) under the Exchange Act, applicable to significant-volume ATSs that trade NMS stocks and non-NMS stocks.[2] Regulation SCI will require SCI entities to establish written policies and procedures reasonably designed to ensure that their systems have levels of capacity, integrity, resiliency, availability, and security adequate to maintain their operational capability and promote the maintenance of fair and orderly markets, and that they operate in a manner that complies with the Exchange Act. It will also require SCI entities to mandate participation by designated members or participants in scheduled testing of the operation of their business continuity and disaster recovery plans, including backup systems, and to coordinate such testing on an industry- or sector-wide basis with other SCI entities. In addition, Regulation SCI will require SCI entities to take corrective action with respect to SCI events (defined to include systems disruptions, systems compliance issues, and systems intrusions), and notify the Commission of such events. Regulation SCI will further require SCI entities to disseminate information about certain SCI events to affected members or participants and, for certain major SCI events, to all members or participants of the SCI entity. In addition, Regulation SCI will require SCI entities to conduct a review of their systems by objective, qualified personnel at least annually, submit quarterly reports regarding completed, ongoing, and planned material changes to their SCI systems to the Commission, and maintain certain books and records. Finally, the Commission also is adopting modifications to the volume thresholds in Regulation ATS [3] for significant-volume ATSs that trade NMS stocks and non-NMS stocks, applying them to SCI ATSs (as defined below), and moving this standard from Regulation ATS to adopted Regulation SCI for these asset classes.

[1] See Securities Exchange Act Release Nos. 27445 (November 16, 1989), 54 FR 48703 (November 24, 1989) (“ARP I Release” or “ARP I”) and 29185 (May 9, 1991), 56 FR 22490 (May 15, 1991) (“ARP II Release” or “ARP II” and, together with ARP I, the “ARP Policy Statements”).
[2] See 17 CFR 242.301(b)(6). See also Securities Exchange Act Release No. 40760 (December 8, 1998), 63 FR 70844 (December 22, 1998) (“ATS Release”).
[3] 17 CFR 242.300–303 (“Regulation ATS”).

Table of Contents

I. Introduction
II. Background
  A. Automation Review Policy Inspection Program
  B. Recent Events
III. Overview
IV. Description of Adopted Regulation SCI and Form SCI
  A. Definitions Establishing the Scope of Regulation SCI—Rule 1000
    1. SCI Entities
      a. SCI Self-Regulatory Organization or SCI SRO
      b. SCI Alternative Trading System
      c. Plan Processor
      d. Exempt Clearing Agency Subject to ARP
    2. SCI Systems, Critical SCI Systems, and Indirect SCI Systems
      a. Overview
      b. SCI Systems
      c. Critical SCI Systems
      d. Indirect SCI Systems (Proposed as “SCI Security Systems”)
    3. SCI Events
      a. Systems Disruption
      b. Systems Compliance Issue
      c. Systems Intrusion
  B. Obligations of SCI Entities—Rules 1001–1004
    1. Policies and Procedures to Achieve Capacity, Integrity, Resiliency, Availability and Security—Rule 1001(a)
    2. Policies and Procedures to Achieve Systems Compliance—Rule 1001(b)
    3. SCI Events: Corrective Action; Commission Notification; Dissemination of Information—Rule 1002
      a. Triggering Standard
      b. Corrective Action—Rule 1002(a)
      c. Commission Notification—Rule 1002(b)
      d. Dissemination of Information—Rule 1002(c)
    4. Notification of Systems Changes—Rule 1003(a)
    5. SCI Review—Rule 1003(b)
    6. SCI Entity Business Continuity and Disaster Recovery Plans Testing Requirements for Members or Participants—Rule 1004
  C. Recordkeeping, Electronic Filing on Form SCI, and Access—Rules 1005–1007
    1. Recordkeeping—Rules 1005–1007
    2. Electronic Filing and Submission of Reports, Notifications, and Other Communications—Rule 1006
    3. Access to the Systems of an SCI Entity
  D. Form SCI
  E. Other Comments Received
  F. Effective Date and Compliance Dates
V. Paperwork Reduction Act
VI. Economic Analysis
VII. Regulatory Flexibility Act Certification
VIII. Statutory Authority and Text of Amendments

I. Introduction

The U.S. securities markets attract a wide variety of issuers and broad investor participation, and are essential for capital formation, job creation, and economic growth, both domestically and across the globe. The U.S. securities markets have been transformed by regulatory and related technological developments in recent years. They have, among other things, substantially enhanced the speed, capacity, efficiency, and sophistication of the trading functions that are available to market participants.[4] At the same time, these technological advances have generated an increasing risk of operational problems with automated systems, including failures, disruptions, delays, and intrusions.
Given the speed and interconnected nature of the U.S. securities markets, a seemingly minor systems problem at a single entity can quickly create losses and liability for market participants, and spread rapidly across the national market system, potentially creating widespread damage and harm to market participants, including investors.

This transformation of the U.S. securities markets has occurred in the absence of a formal regulatory structure governing the automated systems of key market participants. Instead, for over two decades, Commission oversight of the technology of the U.S. securities markets has been conducted primarily pursuant to a voluntary set of principles articulated in the Commission’s ARP Policy Statements,[5] applied through the Commission’s Automation Review Policy inspection program (“ARP Inspection Program”).[6]

Section 11A(a)(2) of the Exchange Act,[7] enacted as part of the Securities Acts Amendments of 1975 (“1975 Amendments”),[8] directs the Commission, having due regard for the public interest, the protection of investors, and the maintenance of fair and orderly markets, to use its authority under the Exchange Act to facilitate the establishment of a national market system for securities in accordance with the Congressional findings and objectives set forth in Section 11A(a)(1) of the Exchange Act.[9] Among the findings and objectives in Section 11A(a)(1) is that “[n]ew data processing and communications techniques create the opportunity for more efficient and effective market operations” [10] and “[i]t is in the public interest and appropriate for the protection of investors and the maintenance of fair and orderly markets to assure . . . the economically efficient execution of securities transactions.” [11] In addition, Sections 6(b), 15A, and 17A(b)(3) of the Exchange Act impose obligations on national securities exchanges, national securities associations, and clearing agencies, respectively, to be “so organized” and “[have] the capacity to . . . carry out the purposes of [the Exchange Act].” [12]

In March 2013, the Commission proposed Regulation Systems Compliance and Integrity (“Regulation SCI”) [13] to require certain key market participants to, among other things: (1) Have comprehensive policies and procedures in place to help ensure the robustness and resiliency of their technological systems, and also that their technological systems operate in compliance with the federal securities laws and with their own rules; and (2) provide certain notices and reports to the Commission to improve Commission oversight of securities market infrastructure. As discussed in further detail below and in the SCI Proposal, Regulation SCI was proposed to update, formalize, and expand the Commission’s ARP Inspection Program, and, with respect to SCI entities, to supersede and replace the Commission’s ARP Policy Statements and rules regarding systems capacity, integrity and security in Rule 301(b)(6) of Regulation ATS.[14]

A confluence of factors contributed to the Commission’s proposal of Regulation SCI and to the Commission’s current determination that it is necessary and appropriate at this time to address the technological vulnerabilities, and improve Commission oversight, of the core technology of key U.S. securities markets entities, including national securities exchanges and associations, significant alternative trading systems, clearing agencies, and plan processors. These considerations include: the evolution of the markets to become significantly more dependent upon sophisticated, complex and interconnected technology; the current successes and limitations of the ARP Inspection Program; a significant number of, and lessons learned from, recent systems issues at exchanges and other trading venues,[15] increased concerns over “single points of failure” in the securities markets; [16] and the views of a wide variety of commenters received in response to the SCI Proposal.

The Commission received 60 comment letters on the proposal from national securities exchanges, registered securities associations, registered clearing agencies, ATSs, broker-dealers, institutional and individual investors, industry trade groups, software and technology vendors, and academics.[17] Commenters generally supported the goals of the proposal, but as further discussed below, some expressed concern about various specific elements of the proposal, and recommended certain modifications or clarifications. After careful review and consideration of the comment letters, the Commission is adopting Regulation SCI (“Rule”) and Form SCI (“Form”) with certain modifications from the SCI Proposal, as discussed below, to respond to concerns expressed by commenters and upon further consideration by the Commission of the more appropriate approach to further the goals of the national market system by strengthening the technology infrastructure of the U.S. securities markets.

[4] See Securities Exchange Act Release No. 61358 (January 14, 2010), 75 FR 3594, 3598 (January 21, 2010) (Concept Release on Equity Market Structure).
[5] While participation in the ARP Inspection Program is voluntary, the underpinnings of ARP I and ARP II are rooted in Exchange Act requirements. See infra notes 7–12 and accompanying text.
[6] See infra Section II.A (discussing the ARP Inspection Program). See also supra note 1. The ARP Inspection Program has historically been administered by the Commission’s Division of Trading and Markets. In February 2014, to consolidate the inspection function of the group with the Commission’s Office of Compliance Inspections and Examinations (“OCIE”), the ARP Inspection Program was transitioned to OCIE and has been renamed the Technology Controls Program (“TCP”). However, for ease of reference to the historical ARP Inspection Program, relevant portions of the SCI Proposal, and references in comment letters, this Release will continue to use the terms ARP, ARP Inspection Program, and ARP staff, unless the context otherwise requires.
[7] 15 U.S.C. 78k–1(a)(2).
[8] Pub. L. 94–29, 89 Stat. 97 (1975).
[9] 15 U.S.C. 78k–1(a)(1).
[10] Section 11A(a)(1)(B) of the Exchange Act, 15 U.S.C. 78k–1(a)(1)(B).
[11] Section 11A(a)(1)(C)(i) of the Exchange Act, 15 U.S.C. 78k–1(a)(1)(C)(i).
[12] See Sections 6(b)(1), 15A(b)(2), and 17A(b)(3) of the Exchange Act, 15 U.S.C. 78f(b)(1), 78o–3(b)(2), 78q–1(b)(3), respectively. See also Section 2 of the Exchange Act, 15 U.S.C. 78b, and Section 19 of the Exchange Act, 15 U.S.C. 78s.
[13] Securities Exchange Act Release No. 69077 (March 8, 2013), 78 FR 18083 (March 25, 2013) (“Proposing Release” or “SCI Proposal”).
[14] See 17 CFR 242.301(b)(6) and ATS Release, supra note 2.
[15] See Proposing Release, supra note 13, at 18085–91 for a further discussion of these developments and infra Section II.B (discussing recent events related to technology issues). In addition, prior to issuing the Proposing Release, in October 2012 the Commission convened a roundtable entitled “Technology and Trading: Promoting Stability in Today’s Markets” (“Technology Roundtable”). The Technology Roundtable examined the relationship between the operational stability and integrity of the securities market and the ways in which market participants design, implement, and manage complex and interconnected trading technologies. See Securities Exchange Act Release No. 67802 (September 7, 2012), 77 FR 56697 (September 13, 2012) (File No. 4–652) and Technology Roundtable Transcript, available at: https://www.sec.gov/news/otherwebcasts/2012/ttr100212-transcript.pdf. A webcast of the Roundtable is available at: www.sec.gov/news/otherwebcasts/2012/ttr100212.shtml. As noted in the Proposing Release, the Commission believes that the information presented at the Technology Roundtable further highlighted that quality standards, testing, and improved response mechanisms are among the issues needing very thoughtful and focused attention in today’s securities markets. See Proposing Release, supra note 13, at 18090–91 for further discussion of the Technology Roundtable.
[16] See infra Section IV.A.2.c (discussing single points of failure in the securities markets in conjunction with the adopted term “critical SCI system”).
[17] Comments received on the proposal are available on the Commission’s Web site, available at: https://www.sec.gov/comments/s7-01-13/s70113.shtml. See Exhibit A for a citation key to the comment letters cited in this release. Upon request from some commenters, the Commission extended the comment period for an additional 45 days in order to give the public additional time to comment on the matters addressed by the SCI Proposal. See Securities Exchange Act Release No. 69606 (May 20, 2013), 78 FR 30803 (May 23, 2013).

II. Background

A. Automation Review Policy Inspection Program

For over two decades, the Commission’s ARP Inspection Program has helped the Commission oversee the technology infrastructure of the U.S. securities markets.
This voluntary information technology review program was developed by staff of the Commission to implement the Commission’s ARP Policy Statements issued in 1989 and 1991.[18] Through these Policy Statements, the Commission articulated its views on the steps that SROs should take with regard to their automated systems, set forth recommendations for how SROs should conduct independent reviews, and provided that SROs should notify the Commission of material systems changes and significant systems problems.[19] In 1998, the Commission adopted Regulation ATS which, among other things, imposed by rule certain aspects of the ARP Policy Statements on significant-volume ATSs.[20] Further, Commission staff subsequently provided additional guidance regarding various aspects of the ARP Inspection Program through letters to ARP entities, including recommendations regarding reporting planned systems changes and systems issues to the Commission.[21]

Under the ARP Inspection Program, Commission staff (“ARP staff”) conducts inspections of the trading and related systems of national securities exchanges and associations, certain ATSs, clearing agencies, and plan processors (collectively “ARP entities”), attends periodic technology briefings by ARP entities, monitors planned significant system changes, and responds to reports of system failures, disruptions, and other systems problems of ARP entities. The goal of the ARP inspections is to evaluate whether an ARP entity’s controls over its information technology resources in nine general areas, or information technology “domains,” [22] is consistent with ARP and industry guidelines. Such guidelines are identified by ARP staff from a variety of information technology publications that ARP staff believes reflects industry standards for securities market participants.[23] At the conclusion of an ARP inspection, ARP staff typically issues a report to the ARP entity with an assessment of the ARP entity’s information technology program for its key systems, including any recommendations for improvement.[24]

Because the ARP Inspection Program was established pursuant to Commission policy statements rather than Commission rules, participation in and compliance with the ARP Inspection Program by ARP entities is voluntary. As such, despite its general success in working with SROs to improve their automated systems, there are certain limitations with the ARP Inspection Program. In particular, because of the voluntary nature of the ARP Inspection Program, the Commission is constrained in its ability to assure compliance with ARP standards. The Government Accountability Office (“GAO”) has identified the voluntary nature of the ARP Inspection Program as a limitation and recommended that the Commission make compliance with ARP guidelines mandatory.[25] In addition, as more fully discussed in the SCI Proposal, the evolution of the U.S. securities markets in recent years to become almost entirely electronic and highly dependent on sophisticated trading and other technology, including complex and interconnected routing, market data, regulatory, surveillance and other systems, has posed challenges for the ARP Inspection Program.[26]

[18] See ARP Policy Statements, supra note 1. For a detailed discussion of the ARP Policy Statements, see Proposing Release, supra note 13, at 18085–86.
[19] See ARP Policy Statements, supra note 1.
[20] See 17 CFR 242.301(b)(6) and ATS Release, supra note 2.
[21] In June 2001, staff from the Division of Market Regulation sent a letter to the SROs and other participants in the ARP Inspection Program regarding Guidance for Systems Outage and System Change Notifications (“2001 Staff ARP Interpretive Letter”). See Proposing Release, supra note 13, at 18087, n. 35. The 2001 Staff ARP Interpretive Letter is available at: https://www.sec.gov/divisions/marketreg/sroautomation.shtml.
[22] These information technology “domains” include: application controls; capacity planning; computer operations and production environment controls; contingency planning; information security and networking; audit; outsourcing; physical security; and systems development methodology. Each domain itself contains subcategories. For example, “contingency planning” includes business continuity, disaster recovery, and pandemic planning, among other things. See id. at 18086.
[23] See id. at 18086–87.
[24] In addition, Commission staff conducts inspections of SROs, as part of the Commission’s oversight of them. Unlike ARP inspections, however, which focus on information technology controls, such Commission staff primarily conducts risk-based examinations of securities exchanges, FINRA, and other SROs to evaluate whether they and their member firms are complying with the Exchange Act, the rules thereunder, and SRO rules, as applicable. As part of the Commission’s oversight of the SROs, Commission staff also reviews systems compliance issues reported to Commission staff. The information gained from the Commission staff review of reported systems compliance issues helps to inform its examination risk-assessments for SROs. See id. at 18087.

B. Recent Events

A series of high-profile recent events involving systems-related issues further highlights the need for market participants to bolster the operational integrity of their automated systems in this area. In the SCI Proposal, the Commission identified several systems problems experienced by SROs and ATSs that garnered significant public attention and illustrated the types and risks of systems issues affecting today’s markets.[27] Since Regulation SCI’s proposal in March 2013, additional systems problems among market participants have occurred, further underscoring the importance of bolstering the robustness of U.S.
market infrastructure to help ensure its stability, integrity, and resiliency. In particular, since Regulation SCI’s proposal, disruptions have continued to occur across a variety of market participants. For example, with respect to the options markets, some exchanges have delayed the opening of trading,28 25 See GAO, Financial Market Preparedness: Improvements Made, but More Action Needed to Prepare for Wide-Scale Disasters, Report No. GAO– 04–984 (September 27, 2004). GAO cited instances in which the GAO believed that entities participating in the ARP Inspection Program failed to adequately address or implement ARP staff recommendations as the reasoning behind its recommendation to make compliance with ARP guidelines mandatory. 26 See Proposing Release, supra note 13, at 18087–89. 27 See id. at 18089–90. The Proposing Release also discussed the effects of Superstorm Sandy on the U.S. securities exchanges, noting certain weaknesses in business continuity and disaster recovery planning that were highlighted by the event. See id. at 18091. 28 On April 25, 2013, the Chicago Board Options Exchange, Inc. (‘‘CBOE’’) delayed the opening of trading on its exchange for over three hours due to what CBOE described as an internal ‘‘software bug.’’ See CBOE Information Circular IC13–036, April 29, 2013, available at: https://www.cboe.com/publish/ InfoCir/IC13-036.pdf. During this time, while trading in many products was able to continue on the other options exchanges, trading was completely halted for those products that are singlylisted on CBOE, including options on the S&P 500 Index and the CBOE Volatility Index (‘‘VIX’’). Trading was able to resume by approximately 1:00 p.m. ET, though some residual systems problems continued. Specifically, certain auction mechanisms were unavailable for the remainder of the day and some of the trade data from April 25 was erroneously re-transmitted to OCC on April 26. See id. 
and CBOE System Status notifications for E:\FR\FM\05DER2.SGM 05DER2 Federal Register / Vol. 79, No. 234 / Friday, December 5, 2014 / Rules and Regulations mstockstill on DSK4VPTVN1PROD with RULES2 halted trading,29 or experienced other errors as a result of systems issues,30 and trading in options was halted due to a systems issue with the securities information processor for options market information.31 Systems issues have also impacted consolidated market data in the equities markets, including one incident that led to a trading halt in all securities listed on a particular exchange.32 Systems issues have also April 25, 2013, available at: https://www.cboe.com/ aboutcboe/systemstatus/search.aspx. CBOE subsequently reported that preliminary staging work related to a planned reconfiguration of CBOE’s systems in preparation for extended trading hours on the CBOE Futures Exchange and CBOE options exchange ‘‘exposed and triggered a design flaw in the existing messaging infrastructure configuration.’’ See CBOE Information Circular IC13–036, April 29, 2013, available at: https:// www.cboe.com/publish/InfoCir/IC13-036.pdf. 29 On November 1, 2013, Nasdaq halted trading on the Nasdaq Options Market (‘‘NOM’’) for more than five hours through the close of the trading day. Nasdaq stated that the halt was a result of ‘‘a significant increase in order entries which inhibited the system’s ability to accept orders and disseminate quotes on a subset of symbols.’’ As Nasdaq stated, Nasdaq determined that it was in the best interest of market participants and investors to cancel all orders on the NOM book and continue the market halt through the close. See Nasdaq Market System Status Updates for November 1, 2013, available at: https://www.nasdaqtrader.com/ Trader.aspx?id=MarketSystemStatusSearch. 30 On April 29, 2014, NYSE Arca and NYSE Amex Options experienced a systems issue that resulted in numerous complex orders booking at incorrect prices. 
In some cases, this resulted in erroneous fill reports, all of which were subsequently nullified. See Trader Update to All NYSE Amex Options and NYSE Arca Options Participants, ‘‘Erroneous Complex Order Executions,’’ dated April 29, 2014, available at: https://www1.nyse.com/pdfs/2014_04_ 29_NYSE_Amex_and_Arca_Options_Erroneous_ Complex_Order_Executions.pdf. 31 On September 16, 2013, options market trading was halted for approximately 20 minutes due to a systems issue with the Options Price Reporting Authority (‘‘OPRA’’), the securities information processor for options market information that disseminates option quotation and last sale information to market data vendors. OPRA reported that it experienced problems processing quotes as a result of a software issue originating from a limited rollout of certain software upgrades. See Notice to All OPRA Market Data Recipients from OPRA, LLC, dated September 18, 2013, available at: https://www.opradata.com/specs/16-sept-2013-opraoutage.pdf. 32 On August 22, 2013, the NASDAQ Stock Market LLC (‘‘Nasdaq’’) halted trading in all Nasdaq-listed securities for more than three hours after the Nasdaq UTP Securities Information Processor (‘‘SIP’’), the single source of consolidated market data for Nasdaq-listed securities, was unable to process quotes from exchanges for dissemination to the public. According to Nasdaq, a sequence of events created a spike in message traffic volume into the SIP exceeding the SIP’s capacity and causing the system to fail. Nasdaq cited ‘‘more than 20 connect and disconnect sequences from NYSE Arca’’ and a ‘‘stream of quotes for inaccurate symbols from NYSE Arca’’ as events contributing to the systems problem. Nasdaq noted that the stream of messages, which was 26 times greater than usual activity, degraded the system and exceeded its capacity, ultimately resulting in the failure. 
Nasdaq stated that these events exposed a flaw in the SIP’s software code which prevented a successful failover VerDate Sep<11>2014 20:27 Dec 04, 2014 Jkt 235001 affected trading off of national securities exchanges, including an incident where FINRA halted trading in all OTC equity securities due to a lack of availability of quotation information resulting from a connectivity issue experienced by an ATS.33 Systems issues during this time to the backup system. See ‘‘NASDAQ OMX Provides Updates on Events of August 22, 2013,’’ by NASDAQ OMX (August 29, 2013), available at: https://www.nasdaqomx.com/newsroom/ pressreleases/pressrelease? messageId=1204807&displayLanguage=en; and Nasdaq Market System Status notifications for August 22, 2013, available at: https:// www.nasdaqtrader.com/Trader.aspx?id= MarketSystemStatusSearch. Nasdaq experienced another outage related to the SIP on September 4, 2013. This incident lasted only several minutes and affected only a subset of Nasdaq-listed securities. See ‘‘NASDAQ OMX Issues Statement on the Securities Information Processor,’’ by NASDAQ OMX (September 4, 2013), available at: https://ir.nasdaqomx.com/ releasedetail.cfm?ReleaseID=788700. The SIP consolidates quotation information and transaction reports from market centers and disseminates such consolidated information to market participants pursuant to the Commissionapproved Joint Self-Regulatory Organization Plan Governing the Collection, Consolidation and Dissemination of Quotation and Transaction Information for Nasdaq-Listed Securities Traded on Exchanges on an Unlisted Trading Privilege Basis, available at: https://www.utpplan.com/. See generally Rule 608 of Regulation NMS, 17 CFR 242.608 (‘‘Filing and amendment of national market system plans’’). More recently, on October 30, 2014, according to the NYSE, a network hardware failure impacted the Consolidated Tape System, Consolidated Quote System, and Options Price Reporting Authority data feeds at the primary data center. 
Exchanges experienced issues publishing and receiving trades and quotes as a result. After investigation of the issue, the Securities Industry Automation Corporation (‘‘SIAC’’) (the processor for the affected data feeds) switched over to the secondary data center for these data feeds and normal processing subsequently resumed. The exchanges then connected to the secondary data center as provided for in SIAC’s business continuity plan. See ‘‘Service Advisory—CTA Update,’’ by NYSE (October 30, 2014), available at: https://markets.nyx.com/nyse/ market-status/view/13467 and ‘‘NMS SIP market wide issue,’’ by NYSE (October 30, 2014), available at: https://markets.nyx.com/nyse/market-status/ view/13465. 33 On November 7, 2013, FINRA halted trading for over 31⁄2 hours in all OTC equity securities due to a lack of availability of quotation information resulting from a connectivity issue experienced by OTC Markets Group Inc.’s OTC Link ATS. See ‘‘Market-Wide Quotation and Trading Halt for all OTC Equity Securities,’’ FINRA Uniform Practice Advisory, UPC #47–13, November 7, 2013, available at: https://www.finra.org/web/groups/industry/@ip/@ comp/@mt/documents/upcnotices/p381590.pdf; ‘‘Quotation and Trading Halt for OTC Equity Securities,’’ FINRA Uniform Practice Advisory, UPC #48–13, November 7, 2013, available at: https:// www.finra.org/web/groups/industry/@ip/@comp/@ mt/documents/upcnotices/p381593.pdf; ‘‘OTC Markets Group Issues Statement on OTC Link® ATS Trading on November 7, 2013,’’ OTC Disclosure & News Service, November 7, 2013, available at: https://www.otcmarkets.com/stock/OTCM/news/ OTC-Markets-Group-Issues-Statement-on-OTCLinkreg-ATS-Trading-on-November-7-2013? id=71144. 
OTC Markets Group subsequently reported that a network outage at one of its core network providers caused the lack of connectivity to its primary data center in New Jersey. See “OTC Markets Group Issues Statement on OTC Link® ATS Trading on November 7, 2013,” OTC Disclosure & News Service, November 7, 2013, available at: https://www.otcmarkets.com/stock/OTCM/news/OTC-Markets-Group-Issues-Statement-on-OTCLinkreg-ATS-Trading-on-November-7-2013?id=71144.

have not been limited to systems disruptions, but have also included allegations of systems compliance issues.34 Systems issues are not unique to the U.S. securities markets, with similar incidents occurring in the U.S. commodities markets as well as foreign markets.35 However, the Commission

34 For example, in June 2013, the Commission charged CBOE and its affiliate (C2 Options Exchange, Incorporated (“C2”)) for various systemic breakdowns in their regulatory and compliance responsibilities as self-regulatory organizations, including failure to enforce the federal securities laws and Commission rules. See Securities Exchange Act Release No. 69726, In the Matter of Chicago Board Options Exchange, Incorporated and C2 Options Exchange, Incorporated (settled action: June 11, 2013), available at: https://www.sec.gov/litigation/admin/2013/34-69726.pdf (“CBOE Order”). CBOE and C2 consented to an Order Instituting Administrative and Cease-and-Desist Proceedings Pursuant to Sections 19(h) and 21C of the Securities Exchange Act of 1934, Making Findings, and Imposing Sanctions and a Cease-and-Desist Order. In the CBOE Order, among other charges, the Commission stated that “CBOE’s automated surveillance programs for manually handled trades were ineffective” and that “CBOE failed to maintain a reliable or accurate audit trail of orders” on its trading facility. See id. at 11, 13.
In addition, in May 2014, the Commission sanctioned the New York Stock Exchange LLC (“NYSE”) and two of its affiliated exchanges (NYSE Arca, Inc. (“NYSE Arca”), NYSE MKT LLC (“NYSE MKT”)) for alleged failure to comply with their responsibilities as self-regulatory organizations to conduct their business operations in accordance with Commission-approved exchange rules and the federal securities laws. See Securities Exchange Act Release No. 72065, In the Matter of New York Stock Exchange LLC, NYSE Arca, Inc., NYSE MKT LLC, and Archipelago Securities, L.L.C. (settled action: May 1, 2014), available at: https://www.sec.gov/litigation/admin/2014/34-72065.pdf (“NYSE Order”). NYSE, NYSE Arca, NYSE MKT, and Archipelago Securities consented to an Order Instituting Administrative and Cease-and-Desist Proceedings Pursuant to Sections 19(h) and 21C of the Securities Exchange Act of 1934, Making Findings, and Imposing Sanctions and a Cease-and-Desist Order. In the NYSE Order, the Commission cited various instances of NYSE systems not operating in compliance with their effective rules, such as NYSE’s block trading facility not functioning in accordance with applicable rules; NYSE distributing an automated feed of closing order imbalance information to its floor brokers at an earlier time than specified in NYSE rules; and NYSE failing to execute certain orders in locked markets contrary to exchange rules. See id. In the NYSE Order, the Commission stated that the exchanges “lacked comprehensive and consistently-applied policies and procedures for . . . evaluating whether business operations were being conducted fully in accordance with existing exchange rules and the federal securities laws.” Id. at 3.

35 See, e.g., Jacob Bunge, Bradley Hope, and Leslie Josephs, “Technical Glitch Hits CME Trading,” Wall St. J., April 8, 2014; Jeremy Grant, “Glitch Delays Singapore Derivative Trade,” Fin.
Times, April 9, 2013; Tamsyn Parker, “NZX Trading Resumes After Technical Glitch,” The New Zealand Herald, July 1, 2013; Matt Clinch, “Flash Crash: Israel Stocks Hit by Typo,” CNBC.com, available at: https://www.cnbc.com/id/100986999; and Ksenia Galouchko, “Moscow Exchange Halts Derivatives Trading for Almost an Hour,” Bloomberg, November 13, 2013.

believes that it is critical that key U.S. securities market participants bolster their operational integrity to prevent, to the extent reasonably possible, these types of events, which can not only lead to tangible monetary losses,36 but which commenters believe to have the potential to reduce investor confidence in the U.S. markets.37 The SCI Proposal also noted that the risks associated with cybersecurity, and how to protect against systems intrusions, are increasingly of concern to all types of entities.38 On March 27, 2014, the Commission conducted a Cybersecurity Roundtable (“Cybersecurity Roundtable”).39 The Cybersecurity Roundtable addressed the cybersecurity landscape and cybersecurity issues faced by participants in the financial markets today, including exchanges, broker-dealers, investment advisers, transfer agents and public companies.40

36 See, e.g., Proposing Release, supra note 13 (discussing systems issues affecting the initial public offerings (“IPO”) of BATS Global Markets, Inc. and Facebook, Inc.). In a rule change approved by the Commission in March 2013, Nasdaq implemented a $62 million accommodation program to compensate certain members for their losses in connection with the Facebook IPO. Securities Exchange Act Release No. 69216 (March 22, 2013), 78 FR 19040 (March 28, 2013).
In its quarterly earnings announcement for the second quarter of 2013, UBS reported a $356 million loss tied to Facebook’s IPO, while The Knight Capital Group and Citadel Investment Group claimed losses of $30 million to $35 million and Citigroup cited losses close to $20 million. See Michael J. De La Merced, “Behind the Huge Facebook Loss at UBS,” N.Y. Times, July 21, 2012. See also Angel Letter at 15 (stating that catastrophic failures in exchange systems are extremely costly in terms of direct losses to participants and result in reduced investor confidence in markets); and Better Markets Letter at 2 (citing to the systems related problems at Knight Capital, Direct Edge, BATS, and during the Facebook IPO that resulted in investor or company losses).

37 See, e.g., Angel2 Letter at 2; Sungard Letter at 2; Better Markets Letter at 2; Leuchtkafer Letter at 3; FSI Letter at 3; and Angel Letter at 10, 15.

38 See Proposing Release, supra note 13, at 18089–90.

39 See Securities Exchange Act Release No. 71742 (March 19, 2014), 79 FR 16071 (March 24, 2014) (File No. 4–673). A webcast of the Cybersecurity Roundtable is available at: https://www.sec.gov/news/otherwebcasts/2014/cybersecurity-roundtable032614.shtml.

40 The first panel discussed the cybersecurity landscape, and panelists included: Cyrus Amir-Mokri, Assistant Secretary for Financial Institutions, Department of the Treasury; Mary E.
Galligan, Director, Cyber Risk Services, Deloitte and Touche LLP; Craig Mundie, Member, President’s Council of Advisors on Science and Technology; Senior Advisor to the Chief Executive Officer, Microsoft Corporation; Javier Ortiz, Vice President, Strategy and Global Head of Government Affairs, TaaSera, Inc.; Andy Roth, Partner and Co-Chair, Global Privacy and Security Group, Dentons US LLP; Ari Schwartz, Acting Senior Director for Cybersecurity Programs, National Security Council, The White House; Adam Sedgewick, Senior Information Technology Policy Advisor, National Institute of Standards and Technology; and Larry Zelvin, Director, National Cybersecurity and Communications Integration Center, U.S. Department of Homeland Security.

Panelists discussed, among other topics, the scope and nature of cybersecurity threats to the financial industry; how market participants can effectively manage cybersecurity threats, including public and private sector coordination efforts and information sharing; the role that government should play to promote cybersecurity in the financial markets and market infrastructure; cybersecurity disclosure issues faced by public companies; and the identification of appropriate best practices and standards with regard to cybersecurity. Although the views of panelists varied, many emphasized the significant risk that cybersecurity attacks pose to the financial markets and market infrastructure today and the need to effectively manage that risk through

The second panel discussed public company disclosure of cybersecurity risks and incidents, and panelists included: Peter Beshar, Executive Vice President and General Counsel, Marsh & McLennan Companies, Inc.; David Burg, Global and U.S.
Advisor Cyber Security Leader, PricewaterhouseCoopers LLP; Roberta Karmel, Centennial Professor of Law, Brooklyn Law School; Jonas Kron, Senior Vice President, Director of Shareholder Advocacy, Trillium Asset Management LLC; Douglas Meal, Partner, Ropes & Gray LLP; and Leslie T. Thornton, Vice President and General Counsel, WGL Holdings, Inc. and Washington Gas Light Company. The third panel addressed cybersecurity issues faced by the securities markets, and panelists included: Mark G. Clancy, Managing Director and Corporate Information Security Officer, The Depository Trust and Clearing Corporation; Mark Graff, Chief Information Security Officer, Nasdaq OMX; Todd Furney, Vice President, Systems Security, Chicago Board Options Exchange; Katheryn Rosen, Deputy Assistant Secretary, Office of Financial Institutions Policy, Department of the Treasury; Thomas Sinnott, Managing Director, Global Information Security, CME Group; and Aaron Weissenfluh, Chief Information Security Officer, BATS Global Markets, Inc. The final panel discussed how broker-dealers, investment advisers, and transfer agents address cybersecurity issues, and panelists included: John Denning, Senior Vice President, Operational Policy Integration, Development and Strategy, Bank of America/Merrill Lynch; Jimmie H. Lenz, Senior Vice President, Chief Risk and Credit Officer, Wells Fargo Advisors LLC; Mark R. Manley, Senior Vice President, Deputy General Counsel and Chief Compliance Officer, AllianceBernstein L.P.; Marcus Prendergast, Director and Corporate Information Security Officer, ITG; Karl Schimmeck, Managing Director, Financial Services Operations, Securities Industry and Financial Markets Association; Daniel M. Sibears, Executive Vice President, Regulatory Operations/Shared Services, FINRA; John Reed Stark, Managing Director, Stroz Friedberg; Craig Thomas, Chief Information Security Officer, Computershare; and David G.
Tittsworth, Executive Director and Executive Vice President, Investment Adviser Association.

measures such as testing, risk assessments, adoption of consistent best practices and standards, and information sharing.

III. Overview

The Commission acknowledges that the nature of technology and the level of sophistication and automation of current market systems prevent any measure, regulatory or otherwise, from completely eliminating all systems disruptions, intrusions, or other systems issues.41 However, given the issues outlined above, the Commission believes that the adoption of, and compliance by SCI entities with Regulation SCI, with the modifications from the SCI Proposal as discussed below, will advance the goals of the national market system by enhancing the capacity, integrity, resiliency, availability, and security of the automated systems of entities important to the functioning of the U.S. securities markets, as well as reinforce the requirement that such systems operate in compliance with the Exchange Act and rules and regulations thereunder, thus strengthening the infrastructure of the U.S. securities markets and improving its resilience when technological issues arise. In this respect, Regulation SCI establishes an updated and formalized regulatory framework, thereby helping to ensure more effective Commission oversight of such systems.

As proposed, Regulation SCI would have applied to “SCI entities” (estimated in the SCI Proposal to be 44 entities), a term which would have included all self-regulatory organizations (excluding security futures exchanges), ATSs that exceed specified volume thresholds, plan processors for market data NMS plans, and certain exempt clearing agencies.
41 See, e.g., October 2, 2012 remarks by Dr. Nancy Leveson, Professor of Aeronautics and Astronautics and Professor of Engineering Systems, MIT, Technology Roundtable (stating, for example, that “it is impossible to build totally secure software systems” and “we’ve learned that we cannot build an unsinkable ship and cannot build unfailable software”), available at: https://www.sec.gov/news/otherwebcasts/2012/ttr100212-transcript.pdf.

42 Each provision of the SCI Proposal is described in further detail below in Section IV. See also Proposing Release, supra note 13, at Section III.

The most significant elements of the SCI Proposal 42 would have required each SCI entity to:

• Implement policies and procedures reasonably designed to ensure that its “SCI systems” and “SCI security systems” have levels of capacity, integrity, resiliency, availability, and security, adequate to maintain the SCI entity’s operational capability and promote the maintenance of fair and orderly markets, with deemed compliance for policies and procedures that are consistent with current SCI industry standards, including identified information technology publications listed on proposed Table A;
• Implement policies and procedures reasonably designed to ensure that its systems operate in the manner intended, including in compliance with the federal securities laws and rules, and the entity’s rules and governing documents, with safe harbors from liability for SCI entities and individuals;
• Upon any “responsible SCI personnel” becoming aware of the occurrence of an “SCI event” (defined to include systems disruptions, systems compliance issues, and systems intrusions), begin to take appropriate corrective action, including mitigating potential harm to investors and market integrity and devoting adequate resources to remedy the SCI event as soon as practicable;
• Report to the Commission the occurrence of any SCI event; and notify its members or participants of certain types of SCI events;
• Notify the Commission 30 days in advance of “material systems changes” (subject to an exception for exigent circumstances) and provide semi-annual summary progress reports on such material systems changes;
• Conduct an annual review, to be performed by objective, qualified personnel, of its compliance with Regulation SCI and submit a report of such annual review to its senior management and to the Commission;
• Designate those of its members or participants that would be required to participate in the testing (to occur at least annually) of its business continuity and disaster recovery plans, and coordinate such testing with other SCI entities on an industry- or sector-wide basis; and
• Meet certain other requirements, including maintaining records related to compliance with Regulation SCI and providing Commission representatives reasonable access to its systems to
assess compliance with the rule.

The Commission received substantial comment on the SCI Proposal from a wide range of entities. Commenters generally expressed support for the goals of the rule, but many suggested that the SCI Proposal’s scope was unnecessarily broad and could be more tailored to lower compliance costs and still achieve the goal of reducing significant technology risk in the markets. Broadly speaking, the areas of concern garnering the greatest comment included the: (i) Breadth of certain key proposed definitions; (ii) costs associated with the scope of the proposed rule, including its reporting obligations; (iii) publications designated on Table A as proposed examples of “current SCI industry standards;” (iv) proposed entity safe harbor for systems compliance policies and procedures; (v) breadth of the proposed mandatory testing requirements; and (vi) proposed access provision.43 The Commission has carefully considered the views of commenters in crafting Regulation SCI to meet its goals to strengthen the technology infrastructure of the securities markets and improve its resilience when technology falls short. Many of these modifications are intended to further focus the scope of the requirements from the proposal and to lessen the costs and burdens on SCI entities, while still allowing the Commission to achieve its goals.
While Section IV below provides a detailed discussion of the changes the Commission has made to the SCI Proposal in adopting Regulation SCI today,44 broadly speaking, the key changes include:

• Refining the scope of the proposal by, among other things, revising certain key definitions (including the definition of SCI systems and the definition of SCI ATS to exclude ATSs that trade only municipal securities or corporate debt securities (together, “fixed-income ATSs”)), refining the reporting framework for SCI events, and replacing the proposed 30-day advanced reporting requirement for material systems changes with a quarterly reporting requirement;
• Modifying the proposal to differentiate certain obligations and requirements, including tailoring certain obligations based on the criticality of a system (by, for example, adopting a new defined term “critical SCI system” for which heightened requirements will apply), and based on the significance of an event (such as adopting a new defined term “major SCI event” for purposes of the dissemination requirements, and establishing differing reporting obligations for SCI events that have had no or a de minimis impact on the SCI entity’s operations or on market participants);
• Modifying the proposed policies and procedures requirements relating to both operational capability and the maintenance of fair and orderly markets, as well as systems compliance;
• Refining the scope of SCI entity members and participants that would be required to participate in mandatory business continuity/disaster recovery plan testing; and
• Eliminating the proposed requirement that SCI entities provide Commission representatives reasonable access to their systems because the Commission can adequately assess an SCI entity’s compliance with Regulation SCI through existing recordkeeping requirements and examination authority, as well as through the new recordkeeping requirement in Rule 1005 of Regulation SCI.
In addition, the Commission notes that proposed Regulation SCI consisted of a single rule (Rule 1000) that included subparagraphs ((a) through (f)) addressing the various obligations of the rule. However, for clarity and simplification, adopted Regulation SCI is renumbered as Rules 1000 through 1007, as follows:

• Adopted Rule 1000 (which corresponds to proposed Rule 1000(a)) contains definitions for terms used in Regulation SCI;
• Adopted Rule 1001 (proposed Rules 1000(b)(1)–(2)) contains the policies and procedures requirements for SCI entities relating to both operational capability and the maintenance of fair and orderly markets, as well as systems compliance;
• Adopted Rule 1002 (proposed Rules 1000(b)(3)–(5)) contains the obligations of SCI entities with respect to SCI events, which include corrective action, Commission notification, and information dissemination;
• Adopted Rule 1003 (proposed Rules 1000(b)(6)–(8)) contains requirements relating to material systems changes and SCI reviews;
• Adopted Rule 1004 (proposed Rule 1000(b)(9)) contains requirements relating to business continuity and disaster recovery testing;
• Adopted Rule 1005 (proposed Rule 1000(c)) contains requirements relating to recordkeeping;
• Adopted Rule 1006 (proposed Rule 1000(d)) contains requirements relating to electronic filing and submission;
• Adopted Rule 1007 (proposed Rule 1000(e)) contains requirements for service bureaus.

43 A more detailed discussion of commenters’ views can be found below in Section IV.

44 The Economic Analysis, infra Section VI, discusses the economic effects, including the costs and benefits, of the provisions of Regulation SCI, as adopted.

IV. Description of Adopted Regulation SCI and Form SCI

A. Definitions Establishing the Scope of Regulation SCI—Rule 1000

A series of definitions set forth in Rule 1000 relate to the scope of Regulation SCI. These include the definitions for “SCI entity” (as well as the types of entities that are SCI entities, namely “SCI SRO,” “SCI ATS,” “plan processor,” and “exempt clearing agency subject to ARP”), “SCI systems” (and related definitions for “indirect SCI systems” and “critical SCI systems”), and “SCI event” (as well as the types of events that constitute SCI events, namely “systems disruption,” “systems compliance issue,” and “systems intrusion”).45

1. SCI Entities

Regulation SCI imposes requirements on entities meeting the definition of “SCI entity” under the rule. Proposed Rule 1000(a) defined “SCI entity” as an “SCI self-regulatory organization, SCI alternative trading system, plan processor, or exempt clearing agency subject to ARP.” 46 The Commission is adopting the definition of “SCI entity” in Rule 1000 as proposed.47 Some commenters discussed the definition of SCI entity generally and advocated for an expansion of the proposed definition, asserting that additional categories of market participants may have the potential to impact the market in the event of a systems issue.48 For example, one commenter suggested that the definition of “SCI entity” be extended to include the ATS and broker-dealer entities covered by the Regulation NMS definition of a “trading center.” 49

45 Rule 1000 contains additional defined terms that are discussed in subsequent sections below. See infra Section IV.B.3 (discussing the definition of “responsible SCI personnel”), Section IV.B.3.d (discussing “major SCI event” and deletion of the proposed definition of “dissemination SCI event”), Section IV.B.4 (discussing deletion of the proposed definition for “material systems change”), Section IV.B.5 (discussing “SCI review” and “senior management”), and Section IV.C.2 (discussing “electronic signature”).
46 See proposed Rule 1000(a) and Proposing Release supra note 13, at Section III.B.1.

47 Proposed Rule 1000(a) also defined each of the terms within the definition of SCI entity for the purpose of designating specifically the entities that would be subject to Regulation SCI. As described in the Sections IV.A.1.a–d below, the Commission is also adopting these terms as proposed and without modification, with the exception of the definition of “SCI ATS,” which is being revised to exclude ATSs that trade only municipal securities or corporate debt securities.

48 See, e.g., NYSE Letter at 8–9 and Liquidnet Letter at 2–3. See also BlackRock Letter at 4 (stating, among other things, that Regulation SCI should extend to any trading platforms that transact significant volume because these venues have a meaningful role and impact on the equity market). See also infra Section IV.E (discussing comments regarding the potential inclusion of other types of entities, such as broker-dealers generally, within the scope of Regulation SCI).

49 Specifically, Section 600(b)(78) of Regulation NMS includes within the definition of a “trading center” “an ATS, an exchange market maker, an OTC market maker, or any other broker or dealer that executes orders internally by trading as principal or crossing orders as agent.” 17 CFR 242.600(b)(68). See NYSE Letter at 8–9.

Another commenter stated that the Commission should potentially expand the definition of SCI entity to also include dark pools if they met the volume thresholds of ATSs.50 Other commenters believed that the scope of the definition should be more limited.51 For example, one commenter suggested that the definition should only include those entities that are systemically important to the functioning of the U.S.
securities markets and should utilize volume thresholds for exchanges and ATSs to make this determination.52 Several commenters advocated the adoption of a “risk-based” approach, which would entail categorizing market participants based on the criticality of the functions performed rather than applying Regulation SCI to all “SCI entities” equally.53 Some commenters suggested replacing the term “SCI entity” with categories of participants based on potential market impact or including in the definition only those participants that are essential to continuous market-wide operation or that are the sole providers of a service in the securities markets.54 Other commenters agreed with the proposed scope of the term “SCI entity,” but believed that the various requirements under the rule should be tiered based on risk profiles.55 Several commenters identified various factors that should be considered in conducting a risk-assessment such as whether an entity is a primary listing market, is the sole market where the security is traded, or performs a monopoly or utility type role where there is no redundancy built into the marketplace, among others.56 Some commenters identified specific functions that they believed to be highly critical to the functioning of the securities markets and thus pose the greatest risk to the markets in the event of a systems issue, including securities information processing, clearance and settlement systems, and trading of exclusively listed securities, among others.57

50 See CoreOne Letter at 7–9. CoreOne recommended that the Commission require dark pools to publicly disclose their aggregate volume in a manner similar to disclosures made by exchanges and ATSs. CoreOne stated that, once dark pools publicly disclose their volumes, it would be easier to evaluate whether dark pools should be included as SCI entities. Id.

51 See, e.g., KCG Letter at 6–8; ITG Letter at 2–4; and CME Letter at 2–5.

52 See ITG Letter at 2–4, 7. This commenter argued that, alternatively, the Commission could impose a lower set of obligations on “lesser” SCI entities. See id., at 9–11. See also infra notes 81–82 (discussing this commenter’s suggested thresholds for exchanges) and note 131 (discussing this commenter’s recommended thresholds for ATSs). See discussion in Sections IV.A.1.a and IV.A.1.b (relating to SCI SROs and SCI ATSs, respectively).

53 See, e.g., BIDS Letter at 5–6; SIFMA Letter at 4–5; KCG Letter at 2–3, 6–8; Fidelity Letter at 2–4; UBS Letter at 2–4; and LiquidPoint Letter at 2–3.

54 See, e.g., BIDS Letter at 3–6; Direct Edge Letter at 1–2; and KCG Letter at 2–3, 6–8. Specifically, Direct Edge stated that SCI entities should include Commission-registered exchanges, securities information processors under approved NMS plans for market data, and clearance and settlement systems.

55 See, e.g., SIFMA Letter at 4 and Fidelity Letter at 3–4.

After careful consideration of the comments, the Commission has determined to adopt the overall scope of entities covered by Regulation SCI as proposed.58 As discussed below, the Commission continues to believe that it is appropriate and would further the goals of the national market system to subject all SROs (excluding securities futures exchanges), ATSs meeting certain volume thresholds with respect to NMS stocks and non-NMS stocks (discussed further below), plan processors, and certain exempt clearing agencies to the requirements of Regulation SCI. The Commission believes that this definition appropriately includes those entities that play a significant role in the U.S.
securities markets and/or have the potential to impact investors, the overall market, or the trading of individual securities.59

While some commenters supported expanding the definition of SCI entity to encompass various other types of entities, the Commission has determined not to expand the scope of entities subject to Regulation SCI at this time. As noted in the SCI Proposal, Regulation SCI is based, in part, on the ARP Inspection Program, which has included the voluntary participation of all active registered clearing agencies, all registered national securities exchanges, the only registered national securities association—Financial Industry Regulatory Authority (“FINRA”), one exempt clearing agency, and one ATS.60 The ARP Inspection Program has also included the systems of entities that process and disseminate quotation and transaction data on behalf of the Consolidated Tape Association System (“CTA Plan”), Consolidated Quotation System (“CQS Plan”), Joint Self-Regulatory Organization Plan Governing the Collection, Consolidation, and Dissemination of Quotation and Transaction Information for Nasdaq-Listed Securities Traded on Exchanges on an Unlisted Trading Privileges Basis (“Nasdaq UTP Plan”), and Options Price Reporting Authority (“OPRA Plan”).61 Significant-volume ATSs have also been subject to certain aspects of the ARP Policy Statements pursuant to Regulation ATS.62 In addition, one entity that has been granted an exemption from registration as a clearing agency has been subject to the ARP Inspection Program pursuant to the conditions of the exemption order issued by the Commission.63 The scope of the definition of SCI entity is intended to largely reflect the historical reach of the ARP Inspection Program and existing Rule 301 of Regulation ATS, while also expanding the coverage to certain additional entities that the Commission believes play a significant role in the U.S. securities markets and/or have the potential to impact investors, the overall market, or the trading of individual securities.

56 See, e.g., SIFMA Letter at 4 and Fidelity Letter at 3–4.

57 See, e.g., SIFMA Letter at 4; Direct Edge Letter at 1–2; and KCG Letter at 2–3.

58 But see infra Section IV.A.1.b (discussing revisions to the definition of “SCI ATS”).

59 See infra Sections IV.A.1.a–d (discussing more specifically each category of entity included within the definition of “SCI entity”).

60 See Proposing Release, supra note 13, at 18086.

The Commission acknowledged in the SCI Proposal that there may be other categories of entities not included within the definition of SCI entity that, given their increasing size and importance, could pose risks to the market should an SCI event occur.64 However, as discussed in further detail below,65 the Commission believes that, at this time, the entities included within the definition of SCI entity, because of their current role in the U.S. securities markets and/or their level of trading activity, have the potential to pose the most significant risk in the event of a systems issue. Although some commenters suggested that Regulation SCI should cover a greater range of market participants,66 the Commission believes that it is important to move forward now on rules that will meaningfully enhance the technology standards and oversight of key markets and market infrastructure.
Further, the Commission believes that a measured approach that takes an incremental expansion from the entities covered under the ARP Inspection Program is an appropriate method for imposing the mandatory requirements of Regulation SCI at this time given the potential costs of compliance. This approach will enable the Commission to monitor and evaluate the implementation of Regulation SCI, the risks posed by the systems of other market participants, and the continued evolution of the securities markets, such that it may consider, in the future, extending the types of requirements in Regulation SCI to additional categories of market participants, such as non-ATS broker-dealers, security-based swap dealers, investment advisers, investment companies, transfer agents, and other key market participants.

61 See infra note 196 and accompanying text.

62 See Rule 301(b)(6) of Regulation ATS, 17 CFR 242.301(b)(6).

63 See Proposing Release, supra note 13, at 18096–97. See also infra Section IV.A.1.d (discussing the inclusion in Regulation SCI of exempt clearing agencies subject to ARP).

64 See Proposing Release, supra note 13, at 18138–39.

65 See infra Sections IV.A.1.a-d (discussing more specifically each category of entity included within the definition of “SCI entity”).

66 See supra notes 48–50 and accompanying text.
As noted in the SCI Proposal, should the Commission decide to propose to apply some or all of the requirements of Regulation SCI to additional types of entities, the Commission will issue a separate release discussing such a proposal and seeking public comment.67 With respect to another commenter’s recommendation regarding dark pools, to the extent that this commenter intended its comment to refer to ATSs, ATSs would be included within the scope of Regulation SCI if they met the applicable volume thresholds discussed below.68 To the extent that this commenter intended its comment to refer to other types of non-ATS dark venues where broker-dealers internalize order flow, the Commission notes that it has determined not to extend the scope of Regulation SCI to other types of broker-dealers at this time for the reasons discussed below.69 The Commission has also determined not to further limit the scope of entities subject to Regulation SCI as suggested by some commenters. As discussed in more detail below, the Commission continues to believe that each of the identified categories of entities plays a significant role in the U.S. securities markets and/or has the potential to impact investors, the overall market, or the trading of individual securities, and thus should be subject to the requirements of Regulation SCI. Accordingly, the Commission does not agree that it should adopt a ‘‘risk-based’’ approach to further limit the categories of market participants subject to Regulation SCI. The Commission believes that limiting the applicability of Regulation SCI to only the most systemically important entities posing the highest risk to the markets is too limited of a category of market participants, as it would exclude certain entities that, in the Commission’s view, have the potential to pose significant risks to the securities markets should an SCI event occur. However, the Commission believes it is appropriate to incorporate risk-based considerations in various other aspects of Regulation SCI. Consistent with the views of some commenters advocating that the requirements of Regulation SCI should be tailored to the specific risk-profile of a particular entity or particular system,70 the Commission notes that Regulation SCI, as proposed, was intended to incorporate a consideration of risk within its requirements and believes it is appropriate to more explicitly incorporate risk considerations in various provisions of adopted Regulation SCI.
67 See Proposing Release, supra note 13, at 18138.
68 See infra Section IV.A.1.b (discussing definition of ‘‘SCI ATS’’). This commenter also recommended that the Commission require dark pools to publicly disclose their aggregate volume to make it easier to evaluate whether dark pools should be included as SCI entities, and supported FINRA’s plans to require such trading volume disclosures. The Commission notes that FINRA recently adopted new Rule 4552, which requires each ATS to report to FINRA weekly volume information regarding transactions in NMS stocks and OTC equity securities, and FINRA makes such information publicly available on its Web site. See Securities Exchange Act Release No. 71341 (January 17, 2014), 79 FR 4213 (January 24, 2014) (approving FINRA Rule 4552 requiring each ATS to report to FINRA weekly volume information and number of securities transactions). The Commission also notes that all ATSs (including dark pool ATSs) are required under Regulation ATS to provide the Commission with quarterly trading volume information. See Rule 301(b)(9) of Regulation ATS, 17 CFR 242.301(b)(9).
69 See infra text accompanying notes 121–125.
For example, as discussed in further detail below, the requirement to have reasonably designed policies and procedures relating to operational capability was designed to permit SCI entities to take a risk-based approach in developing their policies and procedures based on the criticality of a particular system.71 In addition, the Commission believes that it is appropriate to further incorporate a risk-based approach into other aspects of the regulation, and thus, as discussed below, is adopting a new term—‘‘critical SCI systems’’—to identify systems that the Commission believes should be subject to heightened requirements in certain areas.72 Further, the Commission has determined that certain other definitions (such as the definition of ‘‘SCI systems’’), and certain requirements of the rule (such as Commission notification for SCI events and material systems changes), should be scaled back and refined consistent with a risk-based approach, as discussed below. The Commission believes that these modifications, further incorporating risk-based considerations in the requirements and scaling back certain requirements, provide the proper balance between requiring that the appropriate entities are subject to baseline standards for systems capacity, integrity, resiliency, availability, security, and compliance, while reducing the overall burden of the rule for all SCI entities, which is consistent with, and responsive to, the views of those commenters that the Commission take a more risk-based approach to SCI entities.
a. SCI Self-Regulatory Organization or SCI SRO
Proposed Rule 1000(a) defined ‘‘SCI self-regulatory organization,’’ or ‘‘SCI SRO,’’ to be consistent with the definition of ‘‘self-regulatory organization’’ set forth in Section 3(a)(26) of the Exchange Act.73 This definition covered all national securities exchanges registered under Section 6(b) of the Exchange Act,74 registered securities associations,75 registered clearing agencies,76 and the Municipal Securities Rulemaking Board (‘‘MSRB’’).77 The definition, however, excluded an exchange that lists or trades security futures products that is notice-registered with the Commission as a national securities exchange pursuant to Section 6(g) of the Exchange Act, as well as any limited purpose national securities association registered with the Commission pursuant to Exchange Act Section 15A(k).78 Accordingly, the proposed definition of SCI SRO in Rule 1000(a) included all national securities exchanges registered under Section 6(b) of the Exchange Act, all registered securities associations, all registered clearing agencies, and the MSRB.79 The definition of ‘‘SCI self-regulatory organization’’ or ‘‘SCI SRO’’ is being adopted in Rule 1000 as proposed.80 One commenter suggested that the rule should include volume thresholds for exchanges.81 Specifically, this commenter recommended that, with regard to exchanges, the definition should include only those exchanges that have five percent or more of average daily dollar volume in at least five NMS stocks for four of the previous six months.82 Another commenter asked the Commission to adopt certain specific exceptions to the definition of SCI SRO and SCI entity for entities that are dually registered with the CFTC and Commission where the CFTC is the entity’s ‘‘primary regulator’’ and for any entity that does not play a ‘‘significant role’’ in the markets subject to the Commission’s jurisdiction and that cannot have a ‘‘significant impact’’ on the markets subject to the Commission’s jurisdiction.83 The Commission does not believe that a trading volume threshold is
70 See supra note 55 and accompanying text.
71 See infra Section IV.B.1 (discussing the policies and procedures requirement under adopted Rule 1001(a)).
72 See infra Section IV.A.2.c (discussing the definition of ‘‘critical SCI systems’’).
73 See 15 U.S.C. 78c(a)(26): ‘‘The term ‘self-regulatory organization’ means any national securities exchange, registered securities association, or registered clearing agency, or (solely for purposes of sections 19(b), 19(c), and 23(b) of this title) the Municipal Securities Rulemaking Board established by section 15B of this title.’’
74 Currently, these registered national securities exchanges are: (1) BATS Exchange, Inc. (‘‘BATS’’); (2) BATS Y-Exchange, Inc. (‘‘BATS–Y’’); (3) Boston Options Exchange LLC (‘‘BOX’’); (4) CBOE; (5) C2; (6) Chicago Stock Exchange, Inc. (‘‘CHX’’); (7) EDGA Exchange, Inc. (‘‘EDGA’’); (8) EDGX Exchange, Inc. (‘‘EDGX’’); (9) International Securities Exchange, LLC (‘‘ISE’’); (10) Miami International Securities Exchange, LLC (‘‘MIAX’’); (11) NASDAQ OMX BX, Inc. (‘‘Nasdaq OMX BX’’); (12) NASDAQ OMX PHLX LLC (‘‘Nasdaq OMX Phlx’’); (13) Nasdaq; (14) National Stock Exchange, Inc. (‘‘NSX’’); (15) NYSE; (16) NYSE MKT; (17) NYSE Arca; and (18) ISE Gemini, LLC (‘‘ISE Gemini’’).
75 FINRA is the only registered national securities association.
76 Currently, there are seven clearing agencies (Depository Trust Company (‘‘DTC’’); Fixed Income Clearing Corporation (‘‘FICC’’); National Securities Clearing Corporation (‘‘NSCC’’); Options Clearing Corporation (‘‘OCC’’); ICE Clear Credit; ICE Clear Europe; and CME) with active operations that are registered with the Commission. The Commission notes that in 2012 it adopted Rule 17Ad–22, which requires registered clearing agencies to have effective risk management policies and procedures in place. See Securities Exchange Act Release No. 68080 (October 22, 2012), 77 FR 66220 (November 2, 2012) (‘‘Clearing Agency Standards Release’’). The Commission believes that Regulation SCI, to the extent it addresses areas of risk management similar to those addressed by Rule 17Ad–22(d)(4), complements Rule 17Ad–22(d)(4). Additionally, on March 12, 2014, the Commission proposed rules that would apply to SEC-registered clearing agencies that have been designated as systemically important by the Financial Stability Oversight Council or that are involved in activities with a more complex risk profile, such as clearing security-based swaps. See Securities Exchange Act Release No. 71699 (Mar. 12, 2014), 79 FR 16865 (March 26, 2014) (‘‘Covered Clearing Agencies Proposal’’). Regulation SCI and proposed Rule 17Ad–22(e)(17) are intended to be consistent and complementary. See also Covered Clearing Agencies Proposal, 79 FR at 16866, n.1 and accompanying text (discussing the Commission’s consideration of the relevant international standards).
77 15 U.S.C. 78c(a)(26). As noted in the Proposing Release, historically, the ARP Inspection Program did not include the MSRB, but instead focused on entities having trading, quotation and transaction reporting, and clearance and settlement systems more closely connected to the equities and options markets. The Commission believes that it is appropriate to apply Regulation SCI to the MSRB, particularly given the fact that the MSRB is the only SRO relating to municipal securities and is a key provider of consolidated market data for the municipal securities market. Accordingly, as proposed, the term ‘‘SCI SRO’’ included the MSRB. In 2008, the Commission amended Rule 15c2–12 to designate the MSRB as the single centralized disclosure repository for continuing municipal securities disclosure. In 2009, the MSRB established the Electronic Municipal Market Access system (‘‘EMMA’’). EMMA now serves as the official repository of municipal securities disclosure, providing the public with free access to relevant municipal securities data, and is the central database for information about municipal securities offerings, issuers, and obligors. Additionally, the MSRB’s Real-Time Transaction Reporting System (‘‘RTRS’’), with limited exceptions, requires municipal bond dealers to submit transaction data to the MSRB within 15 minutes of trade execution, and such near real-time post-trade transaction data can be accessed through the MSRB’s EMMA Web site. While pre-trade price information is not as readily available in the municipal securities market, the Commission’s Report on the Municipal Securities Market also recommended that the Commission and MSRB explore the feasibility of enhancing EMMA to collect best bids and offers from material ATSs and make them publicly available on fair and reasonable terms. See Report on the Municipal Securities Market (July 31, 2012), available at: https://www.sec.gov/news/studies/2012/munireport073112.pdf. The Commission believes that the MSRB’s SCI systems currently are limited to those operated by or on behalf of the MSRB that directly support market data (i.e., currently limited to the EMMA, RTRS, and SHORT systems). As discussed more fully below, the EMMA, RTRS, and SHORT systems referenced by the MSRB in its comment letter would be market data systems within the definition of SCI systems because they provide or directly support price transparency. See infra note 253 and accompanying text.
78 See 15 U.S.C. 78f(g); 15 U.S.C. 78o-3(k). These entities are security futures exchanges and the National Futures Association, for which the CFTC serves as their primary regulator. See generally CFTC Concept Release on Risk Controls and System Safeguards for Automated Trading Environments, 78 FR 56542 (September 12, 2013) (‘‘CFTC Concept Release’’) (describing the CFTC’s regulatory scheme for addressing risk controls relating to automated systems).
79 For any SCI SRO that is a national securities exchange, any facility of such national securities exchange, as defined in Section 3(a)(2) of the Exchange Act, 15 U.S.C. 78c(a)(2), also is covered because such facilities are included within the definition of ‘‘exchange’’ in Section 3(a)(1) of the Exchange Act, 15 U.S.C. 78c(a)(1).
80 The Commission notes that NSX ceased trading as of the close of business on May 30, 2014. See Securities Exchange Act Release No. 72107 (May 2, 2014), 79 FR 27017 (May 12, 2014) (Notice of Filing and Immediate Effectiveness of Proposed Rule Change To Cease Trading on Its Trading System) (‘‘NSX Trading Cessation Notice’’). In the NSX Trading Cessation Notice, NSX stated: ‘‘[T]he Exchange will continue to be registered as a national securities exchange and will continue to retain its status as a self-regulatory organization[;]’’ and further, that it ‘‘shall file a proposed rule change pursuant to Rule 19b–4 of the Exchange Act prior to any resumption of trading on the Exchange pursuant to Chapter XI (Trading Rules).’’ Because NSX remains a national securities exchange registered under Section 6(b) of the Exchange Act, it continues to meet the definition of SCI entity, and is counted as an SCI entity for purposes of this release.
81 See ITG Letter at 10. This commenter also suggested similar revised thresholds for SCI ATSs. See also infra note 131 and accompanying text. Although only one commenter specifically commented on the proposed inclusion of SCI SROs within the scope of Regulation SCI, as discussed above, some commenters believed that Regulation SCI should generally take a more risk-based or tiered approach generally which, in some cases, would affect which entities (including SCI SROs) would be subject to Regulation SCI. See supra notes 53–56 and accompanying text.
82 See ITG Letter at 10.
83 See CME Letter at 2.
appropriate for SCI SROs that are exchanges, but instead believes that Regulation SCI should apply to all SCI SROs. The threshold suggested by the commenter would exclude from Regulation SCI those exchanges with volumes below the suggested threshold; however, the Commission believes that all exchanges play a significant role in our securities markets. For example, all stock exchanges are subject to a variety of specific public obligations under the Exchange Act, including the requirements of Regulation NMS which, among other things, designates the best bid or offer of such exchanges to be protected quotations.84 Accordingly, every exchange may have a protected quotation that can obligate market participants to send orders to that exchange. Among other reasons, given that market participants may be required to send orders to any one of the exchanges at any given time if such exchange is displaying the best bid or offer, the Commission believes that it is important that the safeguards of Regulation SCI apply equally to all exchanges irrespective of trading volume. With regard to one commenter’s suggestion to except from the definition of SCI SRO those entities dually registered with the CFTC and Commission where the CFTC is the entity’s ‘‘primary regulator,’’85 the Commission disagrees that such entities should be relieved from the requirements of Regulation SCI solely because they are dually registered.86 While the CFTC is responsible for overseeing such an entity with regard to its futures activities, it does not have oversight responsibility for the entity’s securities-related activities and systems. While the commenter stated that it (as a dual registrant) is already subject to similar requirements to adopt controls and procedures with regard to operational risk and reliability, security, and capacity of its systems pursuant to CFTC regulations, the Commission again notes that such requirements do not apply to such an entity’s securities-related systems as such systems are outside of the CFTC’s jurisdiction and, as such, such systems would not be subject to inspection and examination by the CFTC for compliance with such requirements.87 Further, Regulation SCI imposes a notification framework to inform the Commission of SCI events and material systems changes, as well as other requirements unique to Regulation SCI. Accordingly, the Commission believes that such entities should be subject to the requirements of Regulation SCI. In addition, as noted above, this commenter also asked the Commission to create an exception for any entity that does not play a
84 See generally 17 CFR 242.600–612. In addition, as the commenter’s suggested thresholds would apply only with respect to exchanges that trade NMS stocks, national securities exchanges that do not trade NMS stocks (i.e., options exchanges) would also be excluded from Regulation SCI under the commenter’s suggestion. The Commission believes that it would be inappropriate to exclude options exchanges from the requirements of Regulation SCI, because technology risks are equally applicable to such exchanges, as evidenced by recent significant technology incidents affecting the options markets. See supra notes 28–31 and accompanying text. As such, systems issues at options exchanges can pose significant risks to the markets, and the Commission believes that the inclusion of options exchanges within the scope of Regulation SCI is necessary to achieve the goals of Regulation SCI.
85 See supra note 83 and accompanying text.
86 The commenter notes that the Commission has proposed to exclude from the definition of SCI SRO those exchanges that list or trade security futures products that are notice-registered with the Commission pursuant to Section 6(g), as well as limited purpose national securities associations registered with the Commission pursuant to Exchange Act Section 15A(k). See Proposing Release, supra note 13, at 18093, n. 97 and accompanying text. The Commission notes that such entities are subject to the joint jurisdiction of the Commission and the CFTC. To avoid duplicative regulation, however, the CFMA established a system of notice registration under which trading facilities and intermediaries that are already registered with either the Commission or the CFTC may register with the other agency on an expedited basis for the limited purpose of trading security futures products. A ‘‘notice registrant’’ is then subject to primary oversight by one agency, and is exempted under the CFMA from all but certain specified provisions of the laws administered by the other agency. See Section 6(g)(4) and Section 15A(k)(3)–(4) (enumerating the provisions of the Exchange Act from which a notice-registered exchange and limited purpose national securities association, respectively, are exempted). Given this, the Commission believes that it is appropriate to defer to the CFTC regarding the systems integrity of these entities). See also generally CFTC Concept Release, supra note 78. This regulatory scheme does not apply outside of the specific contexts of security futures exchanges and associations. In contrast, entities that are registered with both the Commission and the CFTC in other capacities, such as clearing agencies, are subject to a full set of regulations by each regulator. The Exchange Act and Commodity Exchange Act do not exempt these entities, due to any dual regulatory scheme, from any provisions of the laws administered by the Commission and, as discussed further below, the Commission believes they should not be afforded an exclusion from Regulation SCI.
87 The Commission notes that, to the extent that such an entity’s systems for its functions that fall in the purview of the Commission (relating to securities and securities-based swaps) and that fall in the purview of the CFTC (relating to futures and swaps) are integrated, it believes that the focus of the CFTC’s exams and inspections of such systems would be on such systems’ functionality related to non-securities-related activities, such as swaps or futures, and not those related to securities activities. Thus, the Commission believes that the potential examination and inspection of such integrated systems by both the CFTC and SEC does not support the exclusion of the SCI entities operating such systems, or the systems themselves, from the scope of Regulation SCI.
‘‘significant role’’ in the markets subject to the Commission’s jurisdiction and that cannot have a ‘‘significant impact’’ on the markets subject to the Commission’s jurisdiction.88 While the Commission disagrees with excluding SROs from coverage as discussed above, the Commission notes that it is revising the proposed definition of SCI systems to clarify that the term SCI systems encompasses only those systems that, with respect to securities, directly support trading, clearance and settlement, order routing, market data, market regulation, or market surveillance, as discussed below.89 Accordingly, the Commission believes this change should address the commenter’s concerns about the requirements applying to entities whose systems cannot affect the markets subject to the Commission’s jurisdiction, i.e., the U.S. securities markets.
b. SCI Alternative Trading System
Proposed Rule 1000(a) defined the term ‘‘SCI alternative trading system,’’ or ‘‘SCI ATS,’’ as an alternative trading system, as defined in § 242.300(a), which during at least four of the preceding six calendar months, had: (1) With respect to NMS stocks—(i) five percent or more in any single NMS stock, and 0.25 percent or more in all NMS stocks, of the average daily dollar volume reported by an effective transaction reporting plan, or (ii) one percent or more, in all NMS stocks, of the average daily dollar volume reported by an effective transaction reporting plan; (2) with respect to equity securities that are not NMS stocks and for which transactions are reported to a self-regulatory organization, five percent or more of the average daily dollar volume as calculated by the self-regulatory organization to which such transactions are reported; or (3) with respect to municipal securities or corporate debt securities, five percent or more of either—(i) the average daily dollar volume traded in the United States, or (ii) the average daily transaction volume traded
in the United States.90 The proposed definition would have modified the thresholds currently appearing in Rule 301(b)(6) of Regulation ATS that apply to significant-volume ATSs.91 Specifically, the proposed definition would have: Used average daily dollar volume thresholds, instead of an average daily share volume threshold, for ATSs that trade NMS stocks or equity securities that are not NMS stocks (‘‘non-NMS stocks’’); used alternative average daily dollar and transaction volume-based tests for ATSs that trade municipal securities or corporate debt securities; lowered the volume thresholds applicable to ATSs for each category of asset class; and moved the proposed thresholds to Regulation SCI. In particular, with respect to NMS stocks, the Commission proposed to change the volume threshold from 20 percent of average daily volume in any NMS stock such that an ATS that traded NMS stocks that met either of the following two alternative threshold tests would be subject to the requirements of proposed Regulation SCI: (i) Five percent or more in any NMS stock, and 0.25 percent or more in all NMS stocks, of the average daily dollar volume reported by an effective transaction reporting plan; or (ii) one percent or more, in all NMS stocks, of the average daily dollar volume reported by an effective transaction reporting plan.
88 See supra note 83 and accompanying text.
89 See adopted Rule 1000 (emphasis added). See also infra Section IV.A.2.b (discussing the definition of ‘‘SCI systems’’).
90 See proposed Rule 1000(a) and Proposing Release, supra note 13, at Section III.B.1.
91 17 CFR 242.301(b)(6).
With respect to non-NMS stocks, municipal securities, and corporate debt securities, the Commission proposed to reduce the standard from 20 percent to five percent for these types of securities,92 the same percentage threshold for such types of securities that triggers the fair access provisions of Rule 301(b)(5) of Regulation ATS.93 The proposed definition of ‘‘SCI ATS’’ is being adopted substantially as proposed with regard to ATSs trading NMS stocks and ATSs trading non-NMS stocks, with the addition of a six-month compliance period for entities satisfying the thresholds in the definition for the first time, as discussed in more detail below. However, for the reasons discussed below, the Commission has determined to exclude from the definition of ‘‘SCI ATS’’ ATSs that trade only municipal securities or corporate debt securities and accordingly, such ATSs will not be subject to the requirements of Regulation SCI.
92 See proposed Rule 1000(a).
93 See Rule 301(b)(5) of Regulation ATS under the Exchange Act. 17 CFR 242.301(b)(5). In addition, as noted above, the proposed rule used alternative average daily dollar and transaction volume-based tests for ATSs that trade municipal securities or corporate debt securities.
Inclusion of ATSs Generally
Many commenters provided comment on the inclusion of ATSs within the scope of Regulation SCI. Some commenters believed that more ATSs should be covered by Regulation SCI.94 For example, some commenters suggested that the term ‘‘SCI ATS’’ should include all ATSs, because these commenters believed that they have the potential to negatively impact the market in the event of a systems issue.95 Moreover, one commenter stated that the Commission should not distinguish between ATSs based on calculated thresholds because an ATS might limit trading on its system so as to avoid being subject to the requirements of Regulation SCI.96 Conversely, other commenters stated that fewer, or even no, ATSs should be covered.97 Such commenters generally argued that there are key differences between ATSs and exchanges, and thus, ATSs should be regulated differently from exchanges and not be included in Regulation SCI with exchanges.98 The differences identified by commenters included: ATSs’ relative market shares and sizes; the fact that ATSs are already subject to various regulations as broker-dealers (including Rule 15c3–5 under the Exchange Act, various FINRA rules, and Regulation ATS); and certain fundamental economic differences between the two types of entities (including that exchanges can gain revenue from listing and market data, have self-clearing, and have a protected quote).99 One commenter argued that, if the Commission were to include ATSs in Regulation SCI, it should treat ATSs and SROs equally by allowing ATSs to have the same benefits of SROs, including allowing ATSs to derive an income stream from contributions to the SIP, have access to clearing, and have immunity from lawsuits.100 Other commenters also noted that, although ATSs have an increasingly large, collective market share, ATSs have not contributed to any of the recent major systems issues that have impacted the market.101 Another commenter stated that the SCI Proposal unfairly discriminated against ATSs by including them within the definition of SCI entity.102 Specifically, although
this commenter did not believe that Regulation SCI should be expanded to include more entities, it stated that the SCI Proposal’s failure to capture certain entities (such as clearing firms, market makers, block positioners, and order routing firms) that it believed could have a greater impact on market stability in the event of a systems issue, while including ATSs, demonstrates that the proposal is arbitrary, capricious, and unfairly discriminatory in nature.103 After careful consideration of the comment letters, the Commission continues to believe that the inclusion of ATSs that trade NMS stocks and non-NMS stocks in Regulation SCI is appropriate.104 The Commission believes that certain of those ATSs play an important role in today’s securities markets, and thus should be subject to the safeguards and obligations of Regulation SCI.
94 See, e.g., NYSE Letter at 9–10; Lauer Letter at 4; and CoreOne Letter at 7–8.
95 See, e.g., NYSE Letter at 9–10; and Lauer Letter at 4.
96 See, e.g., NYSE Letter at 9–10.
97 See, e.g., BIDS Letter at 3; ITG Letter at 3; KCG Letter at 8; and OTC Markets Letter at 9.
98 See, e.g., BIDS Letter at 3; ITG Letter at 3; KCG Letter at 9, 14–17; TMC Letter at 2; and OTC Markets Letter at 9.
99 Id.
100 See OTC Markets Letter at 9.
101 See ITG Letter at 4; and BIDS Letter at 3.
102 See ITG Letter at 9.
As noted in the SCI Proposal, the equity markets have evolved significantly over recent years, resulting in an increase in the number of trading centers and a reduction in the concentration of trading activity.105 As such, even smaller trading centers, such as certain higher-volume ATSs, now collectively represent a significant source of liquidity for NMS stocks and some ATSs have similar and, in some cases, greater trading volume than some national securities exchanges, with no single national securities exchange executing more than approximately 19 percent of volume in NMS stocks in today’s securities markets.106 Accordingly, the Commission believes that ATSs meeting certain volume thresholds can play a significant role in the securities markets and, given their heavy reliance on automated systems, have the potential to significantly impact investors, the overall market, and the trading of individual securities should an SCI event occur. Commenters identified certain differences between exchanges and ATSs, which commenters argued justified different treatment under Regulation SCI for ATSs or exclusion of ATSs from the regulation completely.107 While the Commission recognizes that there are some fundamental differences between ATSs and exchanges, including certain of those identified by commenters, the Commission does not agree that all ATSs should be excluded from Regulation SCI because, as discussed above, it believes that there are certain significant-volume ATSs that have the potential to significantly impact investors, the overall market, or the trading of individual securities should an SCI event occur. At the same time, the risk-based considerations permitted in adopted Regulation SCI may result in the systems of those ATSs that are subject to Regulation SCI (i.e., SCI ATSs) being subject to less stringent requirements than the systems of SROs or other SCI entities in certain areas. For example, as discussed in further detail below, the Commission is adopting a definition of ‘‘critical SCI systems,’’ which are a subset of SCI systems that are subject to certain heightened requirements under Regulation SCI. This definition is intended to capture those systems that are core to the functioning of the securities markets or that represent ‘‘single points of failure’’ and thus, pose the greatest risk to the markets.
103 See id.
104 Given the inclusion of ATSs that trade NMS stocks and non-NMS stocks within the scope of Regulation SCI, Regulation ATS is also being amended to remove paragraphs (b)(6)(i)(A) and (b)(6)(i)(B) of Rule 301 so that Rule 301(b)(6) will no longer apply to ATSs trading NMS stocks and non-NMS stocks. However, as described below, the Commission has determined to exclude ATSs that trade only municipal securities or corporate debt securities from the scope of Regulation SCI, and such ATSs will remain subject to the requirements of Rule 301(b)(6) if they meet the volume thresholds therein. 17 CFR 242.301(b)(6). See supra notes 14 and 20 and accompanying text.
105 See Proposing Release, supra note 13, at 18094.
106 See market volume statistics reported by BATS, available at: https://www.batstrading.com/market_summary/ (no single stock exchange executed more than approximately 19 percent during the second quarter of 2014, with Nasdaq having the highest market share of 18.6 percent). In comparison, according to data from Form ATS–R for the second quarter of 2014, approximately 18 percent of consolidated NMS stocks dollar volume took place on ATSs.
The Commission believes that, as currently constituted, relative to the systems of SCI SROs, the systems of SCI ATSs generally would not fall within this category of critical SCI systems, and thus such SCI ATSs would not be subject to the more stringent requirements that would be applicable to the critical SCI systems of other SCI entities. The Commission also notes that other requirements under Regulation SCI are designed to be consistent with a risk-based approach. The Commission believes that this approach recognizes the different roles played by different SCI systems at various SCI entities and, where permitted, allows each SCI entity, including SCI ATSs, to tailor the applicable requirements accordingly.

While some commenters noted that ATSs have not contributed to any of the recent high-profile systems issues,108 the Commission does not believe that the relative lack of high-profile systems issues at ATSs to date is an indication that ATSs do not have the potential to have a significant impact on the market in the event of a future systems issue.109 Other commenters noted the competitive environment of ATSs and argued that, if one ATS experiences a systems issue and becomes temporarily unavailable, trading can be easily rerouted to other venues.110 The Commission acknowledges that a temporary outage at an ATS (or at a SCI SRO, for that matter) may not lead to a widespread systemic disruption.

107 See supra notes 98–99 and accompanying text.
108 See supra note 101 and accompanying text.
However, the Commission notes that Regulation SCI is not designed to solely address system issues that cause widespread systemic disruption, but also to address more limited systems malfunctions and other issues that can harm market participants or create compliance issues.111

Some commenters also stated that inclusion of ATSs is not necessary because ATSs are already subject to sufficient regulations as broker-dealers, citing Rule 15c3–5 under the Exchange Act, various FINRA rules, and Regulation ATS.112 While the Commission acknowledges that these rules similarly impose requirements related to the capacity, integrity and/or security of a broker-dealer’s systems and are designed to address some of the same concerns that Regulation SCI is intended to address, the Commission notes that these rules generally take a different approach than Regulation SCI. For example, the obligations of an ATS under Rule 15c3–5 address vulnerability in the national market system that relate specifically to market access,113 whereas Regulation SCI is designed to further the goals of the national market system more broadly by helping to ensure the capacity, integrity, resiliency, availability, and security of the automated systems of entities important to the functioning of the U.S. securities markets.114 Thus, the Commission has determined to include ATSs within the scope of Regulation SCI because of their role as markets and a potential significant source of liquidity. With regard to the FINRA rules identified by commenters, the Commission does not believe that these rules, even when considered in combination with Rule 15c3–5, are an appropriate substitute for the comprehensive approach in Regulation SCI for ATSs in their role as markets.115 Finally, as noted above, Rule 301(b)(6) of Regulation ATS imposed by rule certain aspects of the ARP Policy Statements on significant-volume ATSs. As described in detail herein, Regulation SCI seeks to expand upon, update, and modernize the requirements of the ARP Policy Statements and Rule 301(b)(6), by, for example, expanding the requirements to a broader set of systems, imposing new requirements for information dissemination regarding SCI events, and requiring Commission notification for additional types of events, among others. Accordingly, the Commission believes that, for SCI ATSs, the existing broker-dealer rules and regulations identified by commenters are complemented by the requirements of Regulation SCI (other than Rule 301(b)(6), which will no longer apply to ATSs that trade NMS stocks and non-NMS stocks), and do not serve as substitutes for the regulatory framework being adopted today.

The Commission also believes that, unlike with respect to exchanges, it is appropriate that Regulation SCI not apply to all ATSs. Exchanges, as self-regulatory organizations, play a special role in the U.S. securities markets, and as such, are subject to certain requirements under the Exchange Act and are able to enjoy certain unique benefits.116 Accordingly, as discussed above, the Commission believes it is appropriate to subject all national securities exchanges to the requirements of Regulation SCI regardless of trading volume.117 In contrast, in recognition of the more limited role that certain ATSs may play in the securities markets and the costs that will result from compliance with the requirements of the regulation, the Commission believes that it is appropriate to adopt volume thresholds, as discussed below, to identify those ATSs that have the potential to significantly impact the market should an SCI event occur, therefore warranting inclusion within the scope of the regulation.

One commenter, in advocating for the application of the regulation to all ATSs, stated that the Commission should not adopt volume thresholds because ATSs may limit trading so as to avoid being subject to the requirements of Regulation SCI.118 The Commission does not believe that the possibility of some ATSs structuring their business to fall below the thresholds of the rule is a sufficient justification for applying the rule to all ATSs. The Commission notes that, to the extent that an ATS limits its trading so as not to reach the volume thresholds for SCI ATSs, it would have less potential to impact investors and the market and may appropriately not be subject to the requirements of the rules. As discussed further below, the Commission believes that the dual dollar volume threshold for NMS stocks being adopted today is appropriately designed to ensure that ATSs that have either the potential to significantly impact the market as a whole or the potential to significantly impact the market for a single NMS stock (and have some impact on the market as a whole at the same time) will be subject to the requirements of Regulation SCI. Thus, only those ATSs that limit their trading so as to fall below both the single NMS stock threshold and the broad NMS stocks threshold will not be subject to the requirements of Regulation SCI.

As noted above, one commenter asserted that, if ATSs are subject to the same requirements of Regulation SCI as exchanges, they similarly should be entitled to the benefits afforded to SROs.119 The Commission notes that, as discussed above, SROs are subject to a variety of obligations as self-regulatory organizations under the Exchange Act—including filing proposed rules with the Commission and enforcing those rules and the federal securities laws with respect to their members—that do not apply to other market participants, including ATSs.120 Although SRO and non-SRO markets are subject to different regulatory regimes, with a different mix of benefits and obligations, the Commission believes it is appropriate to subject them to comparable requirements for purposes of Regulation SCI given the importance of assuring that the technology of key trading centers, regardless of regulatory status, is reliable, secure, and functions in compliance with the law.121 At the same time, while questions have been raised as to whether the broader regulatory regimes for exchanges and ATSs should be harmonized, the Commission does not believe it appropriate to delay implementing Regulation SCI or necessary to resolve these issues before proceeding with Regulation SCI.

109 The Commission also notes that, as discussed above, in November 2013, a systems issue at OTC Link ATS led FINRA to halt trading in all OTC securities for over three hours. See supra note 33 and accompanying text.
110 See ITG Letter at 3; and KCG Letter at 9.
111 The Commission notes that each ATS provides different services in terms of, among other things, pricing, latency, and order fills to meet investors’ specific needs. Thus, for example, an ATS outage could interfere with the supply of certain services that investors demand and, thus, could impose costs on investors.
112 See supra notes 98–99 and accompanying text.
113 See Securities Exchange Act Release No. 63241 (November 3, 2010), 75 FR 69792 (November 15, 2010) (‘‘Market Access Release’’).
114 The Commission notes that Rule 15c3–5 focuses on addressing the particular risks that arise when broker-dealers provide electronic access to exchanges or ATSs and therefore does not address the same range of technology-related issues as Regulation SCI is designed to address. Both Rule 15c3–5 and Regulation SCI are policies and procedures-based rules that are designed to address the risks presented by the pervasive use of technology in today’s markets. The policies and procedures required by Regulation SCI apply broadly to technology that supports trading, clearance and settlement, order routing, market data, market regulation, and market surveillance and, among other things, address their overall capacity, integrity, resilience, availability, and security. Rule 15c3–5, by contrast, is more narrowly focused on those technology and other errors that can create some of the more significant risks to broker-dealers and the markets, namely those that arise when a broker-dealer enters orders into an exchange or ATS, including when it provides sponsored or direct market access to customers or other persons, where the consequences of such an error can rapidly magnify and spread throughout the markets. See also infra note 115 (discussing FINRA rules applicable to broker-dealers). The Commission will continue to monitor and evaluate the risks posed by broker-dealer systems to the market and the implementation of the Market Access Rule, and may consider extending the types of requirements in Regulation SCI to additional market participants in the future.
115 For example, NASD Rule 3010(b)(1) requires a member to establish, maintain, and enforce written procedures to supervise the types of business in which it engages and to supervise the activities of registered representatives, registered principals, and other associated persons that are reasonably designed to achieve compliance with applicable securities laws and regulations. This rule relates to policies and procedures to achieve compliance with applicable securities laws and regulations, and thus the Commission believes that this requirement is broadly related to adopted Rule 1001(b) regarding policies and procedures to ensure systems compliance. However, the Commission notes that, unlike adopted Rule 1001(b), which focuses on ensuring that an entity’s systems operate in compliance with the Exchange Act, the rules and regulations thereunder and the entity’s rules and governing documents, this NASD rule does not specifically address compliance of the systems of FINRA members. Further, the Commission does not believe this provision covers more broadly policies and procedures akin to those in adopted Rule 1001(a) that are designed to ensure that SCI systems have levels of capacity, integrity, resiliency, availability, and security adequate to maintain the SCI entity’s operation capability and promote fair and orderly markets. Similarly, while FINRA Rule 3130 relates to adopted Rule 1001(b) regarding policies and procedures to ensure systems compliance in that it requires a member’s chief compliance officer to certify that the member has in place written policies and procedures reasonably designed to achieve compliance with applicable FINRA rules, MSRB rules, and federal securities laws and regulations, it does not specifically address compliance of the systems of FINRA members, and does not require similar policies and procedures to those in adopted Rule 1001(a) regarding operational capability of SCI entities. Further, while FINRA Rule 4530 imposes a reporting regime for, among other things, compliance issues and other events where a member has concluded or should have reasonably concluded that a violation of securities or other enumerated law, rule, or regulation of any domestic or foreign regulatory body or SRO has occurred, the Commission notes that these reporting requirements are different in several respects from the Commission notification requirements relating to systems compliance issues (e.g., scope, timing, content, the recipient of the reports) and, importantly, would not cover reporting of systems disruptions or systems intrusions that did not also involve a violation of a securities law, rule, or regulation. In addition, FINRA Rule 4370 generally requires that a member maintain a written continuity plan identifying procedures relating to an emergency or significant business disruption, which is akin to adopted Rule 1001(a)(2)(v) requiring policies and procedures for business continuity and disaster recovery plans. Unlike Regulation SCI, however, the FINRA rule does not include the requirement that the business continuity and disaster recovery plans be reasonably designed to achieve next business day resumption of trading and two-hour resumption of critical SCI systems following a wide-scale disruption, nor does it require the functional and performance testing and coordination of industry or sector-testing of such plans, which the Commission believes to be instrumental in achieving the goals of Regulation SCI with respect to SCI entities.
116 See supra Section IV.A.1.a (discussing the definition of ‘‘SCI SRO’’) and infra notes 120–121 and accompanying text. As identified by one commenter, benefits afforded to SROs include, among others, the ability to receive market data revenue and immunity from private liability for regulatory activities. See supra note 100. See also ATS Release, supra note 2, at 70902–03 (discussing generally some of the obligations and benefits to be considered when determining whether to register as a national securities exchange or as a broker-dealer acting as an ATS).
117 See supra notes 81–83 and accompanying text.
118 See supra notes 95–96 and accompanying text.
119 See supra note 100 and accompanying text.
The Commission notes that ATSs have the ability to apply for registration as a SRO should they so wish and, if such application were to be approved by the Commission, such entities could assume the additional responsibilities that are imposed on SROs, as well as avail themselves of the same benefits.

As noted above, one commenter objected to the regulation’s inclusion of ATSs while excluding certain other entities that the commenter believed similarly had the potential to impact the market, concluding that the proposal was therefore arbitrary, capricious, and unfairly discriminatory in nature.122 At the same time, this commenter stated that it did not recommend that additional entities be included within the scope of the regulation.123 First, as noted above, the Commission has determined to include ATSs meeting the adopted volume thresholds within the scope of Regulation SCI because of their unique role as markets rather than because of their role as traditional broker-dealers. All broker-dealers are subject to Rule 15c3–5 and other FINRA rules as noted by some commenters, which impose certain requirements related to the capacity, integrity and/or security of a broker-dealer’s systems appropriately tailored to their role as broker-dealers. Further, as noted above, the scope of Regulation SCI is rooted in the historical reach of the ARP Inspection Program and Rule 301 of Regulation ATS (which applies to significant-volume ATSs).124 The Commission acknowledged in the SCI Proposal that there may be other categories of broker-dealers not included within the definition of SCI entity that, given their increasing size and importance, could pose a significant risk to the market should an SCI event occur.125 The Commission solicited comment on whether there are additional categories of market participants that should be subject to all or some of the requirements of Regulation SCI and noted that, were the Commission to decide to apply the requirements of Regulation SCI to such additional entities, it would issue a separate release outlining such a proposal and the rationale therefor.126 As discussed above, the Commission believes that, at this time, the entities included within the scope of Regulation SCI, because of their current role in the U.S. securities markets and/or their level of trading activity, have the potential to pose the most significant risk in the event of a systems issue. Further, the Commission believes that a measured approach that takes an incremental expansion from the entities covered under the ARP Inspection Program is an appropriate method for imposing the mandatory requirements of Regulation SCI at this time. As such, while the Commission believes that the types of entities subject to Regulation SCI as adopted are appropriate, the Commission may consider extending the types of requirements in Regulation SCI to additional market participants in the future.

120 See supra Section IV.A.1.a (discussing the definition of ‘‘SCI SRO’’); see also Section 19(b) of the Exchange Act, 15 U.S.C. 78s(b)(1), and Section 6(b) of the Exchange Act, 15 U.S.C. 78f(b). Because these important regulatory responsibilities are imposed upon SROs, SROs also are afforded certain unique benefits, such as immunity from private liability with respect to their regulatory functions and the ability to receive market data revenue. See supra note 116 and accompanying text.
121 But see discussion supra regarding potentially different requirements for ATSs and exchanges, including those relating to SCI ATSs and critical SCI systems.
122 See supra note 103 and accompanying text.
123 See supra note 103 and accompanying text.
SCI ATS Thresholds

Several commenters discussed the specific proposed volume thresholds for SCI ATSs, and many offered what they believed to be more appropriate alternative methods for including ATSs within Regulation SCI.127 For example, some commenters urged the Commission to retain the existing 20 percent threshold under Regulation ATS for purposes of Regulation SCI or asked the Commission to provide further explanation as to why the current threshold under Regulation ATS should be altered.128 One commenter agreed with the Commission that the 20 percent threshold currently in Regulation ATS might be too high, and suggested using a threshold for ATSs trading NMS stocks of five percent or more of the volume in all NMS stocks during a 12-month period, to be determined once a year in the same given month.129 Another commenter suggested that the Commission apply its ATS threshold for NMS stocks to only the 500 most active securities.130 An additional recommendation by one commenter with regard to NMS stocks was to include only those ATSs with five percent or more of at least five NMS stocks with an aggregate average daily share volume greater than 500,000 shares and 0.25 percent or more of all NMS stocks for four of the previous six months, or those ATSs that have three percent or more of all NMS stocks in four of the previous six months.131 Another commenter suggested retaining Rule 301(b)(6) as part of Regulation ATS, but amending the rule by lowering the average daily volume threshold to 2.5 percent.132 One commenter requested clarification on the phrase ‘‘0.25 percent or more in all NMS stocks, of the average daily dollar volume reported by an effective transaction reporting plan.’’ 133 Because there is more than one transaction reporting plan, this commenter asked whether the proposed volume thresholds would be calculated per plan or calculated based on all NMS volume.134

Some commenters provided suggestions with regard to the proposed measurement methodology for the thresholds.135 A few commenters argued that the proposed time period measurement of ‘‘at least four of the preceding six calendar months’’ is cumbersome to apply in practice and believed that the time period should be over a longer term.136 For example, two commenters stated that the rule should utilize a 12-month measurement period.137 Conversely, another commenter generally opposed the thresholds stating that all ATSs should be subject to the rule, but noted that if the rule includes a trading volume metric, the measurement period should be much shorter (such as two to four weeks).138 In addition, one commenter stated that the measurement should be based on number of shares traded rather than dollar value.139 Two commenters also suggested that ATSs should be given six months after meeting the given threshold in the definition of SCI ATS to come into compliance with Regulation SCI.140

The Commission is adopting the thresholds for ATSs that trade NMS stocks and non-NMS stocks as proposed. In setting the thresholds for Regulation SCI, the Commission believes it is establishing an appropriate and reasonable scope for the application of the regulation. Although commenters provided various suggestions for different thresholds, nothing persuaded the Commission that these suggestions would better accomplish the goals of Regulation SCI than the thresholds the Commission is adopting. As discussed below, the Commission has analyzed the number of entities it believes are likely to be covered by the thresholds it is establishing. The Commission recognizes that these thresholds ultimately represent a matter of judgment by the Commission as it takes the step of promulgating Regulation SCI, and the Commission intends to monitor these thresholds to determine whether they continue to be appropriate.

With regard to the threshold for ATSs trading NMS stocks, the Commission has determined to adopt this threshold as proposed.

124 See supra notes 60–67 and accompanying text.
125 See Proposing Release, supra note 13, at 18138–39.
126 See id.
127 See, e.g., Direct Edge Letter at 2; SIFMA Letter at 6–7; BIDS Letter at 6; ITG Letter at 10; and OTC Markets Letter at 11. But see BlackRock Letter at 4 (agreeing with the Commission’s approach in the SCI Proposal of lowering the thresholds for SCI ATSs from the thresholds in Rule 301(b)(6) of Regulation ATS).
128 See, e.g., Direct Edge Letter at 2; and KCG Letter at 10–11.
129 See SIFMA Letter at 6.
130 See BIDS Letter at 6.
131 See ITG Letter at 10.
132 See OTC Markets Letter at 11. This commenter also suggested leaving in place the existing five percent average daily share volume threshold for the display requirement of Rule 301(b)(3) under Regulation ATS.
133 See SIFMA Letter at 6–7.
134 See SIFMA Letter at 6–7.
135 See, e.g., BIDS Letter at 6; KCG Letter at 19; SIFMA Letter at 7; and Lauer Letter at 4–5.
After careful consideration of the comments, the Commission continues to believe that this threshold is an appropriate measure of when a market is of sufficient significance so as to warrant the protections and requirements of Regulation SCI.141 The Commission is, however, making one technical modification in response to a commenter to clarify that the threshold will be calculated based on all NMS volume, rather than on a per plan basis.142 The Commission agrees with the commenter that the proposed language should be clarified and, as such, the threshold language within the definition of ‘‘SCI ATS’’ in Rule 1000 is being revised to refer to ‘‘applicable effective transaction reporting plans,’’ rather than ‘‘an effective transaction reporting plan.’’ 143 Under the adopted definition of SCI ATS, with regard to NMS stocks, an ATS will be subject to Regulation SCI if, during at least four of the preceding six calendar months, it had: (i) Five percent or more in any single NMS stock, and 0.25 percent or more in all NMS stocks, of the average daily dollar volume reported by applicable effective transaction reporting plans, or (ii) one percent or more, in all NMS stocks, of the average daily dollar volume reported by applicable effective transaction reporting plans.144 The Commission continues to believe that this threshold will identify those ATSs that could have a significant impact on the overall market or that could have a significant impact on a single NMS stock and some impact on the market as a whole at the same time.145

While some commenters advocated for thresholds higher than those proposed and/or retaining the 20 percent threshold in Regulation ATS,146 as the Commission discussed in the SCI Proposal, the securities markets have significantly evolved since the time of the adoption of Regulation ATS, resulting in trading activity in stocks being more dispersed among a variety of trading centers. For example, in today’s markets, national securities exchanges, once the predominant type of venue for trading stocks, each account for no more than approximately 19 percent of volume in NMS stocks.147 By way of contrast, based on data collected from ATSs pursuant to FINRA Rule 4552 for 18 weeks of trading in 2014, the trading volume of ATSs accounted for approximately 18 percent of the total dollar volume in NMS stocks, with no individual ATS executing more than five percent.148 Given this dispersal of trading volume among an increasing number of trading venues, the increasingly interconnected nature of the markets, and the increasing reliance on a variety of automated systems, the Commission believes that there is a heightened potential for systems issues originating from a number of sources to significantly affect the market. Due to these developments, the Commission believes that the 20 percent threshold as adopted in Regulation ATS is no longer an appropriate measure for determining those entities that can have a significant impact on the market and thus should be subject to the protections of Regulation SCI.

136 See, e.g., BIDS Letter at 6; and KCG Letter at 19.
137 See BIDS Letter at 6; and KCG Letter at 19.
138 See Lauer Letter at 4–5.
139 See BIDS Letter at 6.
140 See KCG Letter at 19; and SIFMA Letter at 7.
141 The numerical thresholds in the definition of SCI ATS reflect an informed assessment by the Commission, based on qualitative and quantitative analysis, of the likely economic consequences of the specific numerical thresholds included in the definition. In making such assessment and, in turn, selecting the numerical thresholds, in addition to considering the views of commenters, the Commission has reviewed relevant data. See infra notes 150 and 175 and accompanying text.
142 See supra note 134 and accompanying text. As noted above, this commenter asked the Commission for clarification on this aspect of the rule.
143 Because the threshold has two prongs, one of which is based on all NMS volume, it is necessary to specify that there is more than one transaction reporting plan that would be applicable in calculating all NMS stock trading volume. At the same time, since the other prong of the threshold is based on the trading volume of single NMS stocks, it is necessary to also add the term ‘‘applicable’’ before the term ‘‘transaction reporting plans’’ as only one transaction reporting plan would be applicable per security. The definition of ‘‘eligible securities’’ in each of the transaction reporting plans are mutually exclusive, ensuring that each security is subject to only one transaction reporting plan. See CTA Plan, available at: https://www.nyxdata.com/cta; and Nasdaq UTP Plan, available at: https://www.utpplan.com.
144 But see infra notes 169–170 and accompanying text (discussing a six-month compliance period for SCI entities satisfying the thresholds for the first time).
145 Under the adopted thresholds, because of the requirement to meet the threshold for at least four of the preceding six calendar months, inactive and newly operating ATSs would not be included in the definition of SCI ATS. See infra note 152.
146 See supra note 128 and accompanying text.
147 See supra note 106.
148 See infra note 150.
Rather, the Commission believes that lower volume thresholds are appropriate, and as noted in the SCI Proposal, the Commission believes that the adopted thresholds would include ATSs having NMS stock dollar volume comparable to or in excess of the NMS stock dollar volume of certain national securities exchanges subject to Regulation SCI.149 Based on data collected from ATSs pursuant to FINRA Rule 4552 for 18 weeks of trading in 2014,150 the Commission believes that approximately 12 ATSs trading NMS stocks would exceed the adopted thresholds and fall within the definition of SCI entity, accounting for approximately 66 percent of the dollar volume market share of all ATSs trading NMS stocks.151
149 See Proposing Release, supra note 13, at 18094.
150 See Securities Exchange Act Release No. 71341 (January 17, 2014), 79 FR 4213 (January 24, 2014) (approving FINRA Rule 4552 requiring each ATS to report to FINRA weekly volume information and number of securities transactions). Commission staff analyzed FINRA ATS data for the period of May 19, 2014 through September 19, 2014. The recently available FINRA ATS data is consistent with the OATS data used in the SCI Proposal. In addition, the analysis of FINRA ATS data examines a threshold of trading volume over four out of six time periods, each period defined as a period of three consecutive weeks as a rough approximation of the threshold test on four out of the preceding six calendar months as prescribed in the definition of SCI ATS. The Commission noted in the SCI Proposal that the staff analysis of OATS data may overestimate the number of ATSs that may meet the proposed thresholds. While the calculation based on FINRA ATS data may not overestimate the number of ATSs as much as the data analysis in the proposal, it could still overestimate the number of ATSs that would meet the thresholds. Nevertheless, the Commission believes the analysis of FINRA ATS data offers useful insights. See Proposing Release, supra note 13, at 18094.
151 According to the FINRA ATS data, during this time period, a total of 44 ATSs traded NMS stocks. The Commission notes that the number of ATSs exceeding the adopted thresholds, and the percentage of volume of trading in NMS stocks that they represent, may change over time in response to market and competitive forces.
The Commission acknowledges that its analysis of the FINRA ATS data did not reveal an obvious threshold level above which a particular subset of ATSs may be considered to have a significant impact on individual NMS stocks or the overall market, as compared to another subset of ATSs. However, for the following reasons, the Commission continues to believe that the adopted thresholds for ATSs trading NMS stock are an appropriate measure to identify those ATSs that should be subject to the requirements of Regulation SCI. First, by imposing both a single NMS stock threshold and an all NMS stocks threshold in the first prong of the definition, the thresholds will help to ensure that Regulation SCI will not apply to an ATS that has a large volume in a small NMS stock and little volume in all other NMS stocks. At the same time, the Commission believes that inclusion of the dual-prong dollar volume thresholds is appropriate. Specifically, it will require not only that ATSs that have significant trading volume in all NMS stocks are subject to the requirements of Regulation SCI, but also that ATSs that have large trading volume in a single NMS stock and could significantly affect the market for that stock are also covered by the safeguards of Regulation SCI provided they have levels of trading in all NMS stocks that could allow such ATSs to also have some impact on the market as a whole.
The Commission also believes that, as discussed further below, the adopted thresholds will also appropriately capture not only ATSs that have significant trading volume in active stocks, but also those that have significant trading volume in less active stocks. The Commission believes that a systems issue at an ATS that is a significant market for the trading of a less actively traded stock could similarly impose significant risks to the market for such securities, because a systems outage at such a venue could significantly impede the ability to trade such securities, thereby having a significant impact on the market for such less-actively traded securities. In addition, the Commission continues to believe that thresholds that account for 66 percent of the dollar volume market share of all ATSs trading NMS stocks is a reasonable level that would not exclude new entrants to the ATS market.152 Further, as noted above, the thresholds would include ATSs having NMS stock dollar value comparable to the NMS stock dollar volume of the equity exchanges subject to Regulation SCI. Finally, the Commission believes that the adopted thresholds are appropriate to help ensure that entities that have determined to participate (in more than a limited manner) in the national market system as markets that bring buyers and sellers together, are subject to the requirements of Regulation SCI.
152 Consistent with the Commission’s statement in the SCI Proposal, the Commission has considered barriers to entry and the promotion of competition in setting the threshold such that new ATSs trading NMS stocks would be able to commence operations without, at least initially, being required to comply with—and thereby not incurring the costs associated with—Regulation SCI. See Proposing Release, supra note 13, at n. 102. In particular, a new ATS could engage in limited trading in any one NMS stock or all NMS stocks, until it reached an average daily dollar volume of five percent or more in any one NMS stock and 0.25 percent or more in all NMS stocks, or one percent in all NMS stocks, over four of the preceding six months. Because a new ATS could begin trading in NMS stocks for at least three months (i.e., less than four of the preceding six months), and conduct such trading at any dollar volume level without being subject to Regulation SCI, and would have to exceed the specified volume levels for the requisite period to become so subject, the Commission believes that these thresholds should not prevent a new ATS entrant from having the opportunity to initiate and develop its business. Further, the Commission notes that, as discussed below, it is adopting an additional six-month compliance period (in addition to the general nine-month compliance period from the Effective Date of Regulation SCI afforded to all SCI entities) for ATSs newly meeting the thresholds, so that once an ATS meets the threshold, it will have six months from that time to become fully compliant with Regulation SCI. See infra Section IV.F (discussing effective dates and compliance periods). The Commission believes that, for ATSs that have newly entered the market, this additional compliance period will give such ATSs additional opportunity to develop and grow their business without incurring the costs of compliance with Regulation SCI during this time. This additional compliance period should also provide such ATSs with time to plan on how they would meet the requirements of Regulation SCI, and could also potentially allow SCI ATSs to become more equipped to bear the cost of Regulation SCI once compliance is required, and thus not significantly discourage new ATSs from entering the market and growing. See infra Section VI.C.1.c (discussing further barriers to entry and the potential effects on competition of the adopted thresholds).
As noted above, several commenters provided specific suggestions for alternative standards for determining which ATSs should be included within the scope of Regulation SCI.153 While the Commission recognizes that some of the suggested alternatives could have certain benefits, it also believes that each recommended standard also has corresponding limitations, and thus believes that the adopted thresholds are an appropriate measure for identifying those ATSs that should be subject to Regulation SCI. First, as described above, the Commission believes that adopting a two-prong standard is necessary to identify those ATSs that, in the event of a systems issue, could have a significant impact on the overall market or that could have a significant impact on a single NMS stock and some impact on the market as a whole at the same time. The Commission notes that several of the thresholds suggested by commenters lacked such a dual-prong standard (and, in particular, the prong relating to individual NMS stocks) and thus do not provide the advantages associated with the adopted threshold in protecting the trading venues for a single NMS stock.
With regard to one commenter’s suggestion that the first prong of the threshold should, among other things, consider five NMS stocks, rather than a single stock, the Commission does not believe the commenter has provided any clear rationale for this standard.154 As discussed, the purpose of the first prong is to identify significant trading venues (or markets) for a single security where a systems disruption could have a significant effect on the market for that security, and setting the threshold to consider five NMS securities could potentially exclude trading venues that host large trading activity for a single NMS security. Additionally, the Commission notes that the suggested alternative approach would be unlikely to have any significant practical effect when used in conjunction with the second prong of the threshold, which looks at trading across all NMS stocks, because the second prong would likely capture an ATS with five percent or more volume in five NMS stocks. With regard to one commenter’s suggestion to apply the threshold to only the 500 most active NMS stocks 155 and another commenter’s suggestion to include only stocks with an aggregate average daily share volume greater than 500,000,156 the Commission disagrees that the threshold should be structured to capture only ATSs that have significant trading volume in active stocks. Rather, the first prong of the adopted threshold is designed to capture any ATS that has five percent or more of the trading volume of any NMS stock, irrespective of how actively traded it is, so that Regulation SCI can effectively address risks relating to the trading of all NMS stocks, and not only the most active of NMS stocks. 
153 See supra notes 127–132 and accompanying text.
154 See supra note 131 and accompanying text. This commenter argued generally that the thresholds should be revised so as to only include those entities that would have an ‘‘immediate and substantial impairment of a functioning marketplace.’’ However, the commenter did not explain why it advocated the use of five NMS stocks, rather than a single NMS stock. See ITG Letter at 9.
155 See supra note 130 and accompanying text.
156 See supra note 131 and accompanying text.
If the Commission were to apply the threshold only to the 500 most active NMS stocks or stocks only with average daily share volumes greater than 500,000, an ATS that, for example, served as the primary venue for the trading of less actively traded NMS stocks, but had negligible market share for more actively traded NMS stocks, would not be subject to Regulation SCI. However, an SCI event that resulted in an outage of such an ATS could have a significant impact on the market for such less actively traded NMS stocks. As such, failure to include such an ATS within the scope of Regulation SCI would be contrary to the goals of the regulation.
Finally, with regard to one commenter’s suggestion to retain Rule 301(b)(6) as part of Regulation ATS and amend the threshold to 2.5 percent,157 as discussed throughout this release, Regulation SCI is intended to expand upon the requirements of Rule 301(b)(6) and to supersede and replace such requirements for ATSs that trade NMS stocks.158 For the reasons noted above, the Commission believes it is appropriate to include ATSs meeting the adopted volume thresholds within the scope of Regulation SCI, and the Commission does not believe it is appropriate to retain Rule 301(b)(6) as part of Regulation ATS, thereby subjecting ATSs to a separate and differing set of regulatory requirements than other SCI entities with regard to systems capacity, integrity, resiliency, availability, security, and compliance.159 For all of the reasons discussed above, the Commission does not believe that any of the alternative standards suggested by commenters would better capture those entities that have the potential to pose significant risk to the market.
157 See supra note 132 and accompanying text.
158 But see infra notes 189–192 and accompanying text (discussing the Commission’s determination to retain the applicability of Rule 301(b)(6) to fixed-income ATSs).
159 The Commission notes that, with regard to the specific threshold level suggested by this commenter (2.5%), the Commission believes the adopted thresholds to be an appropriate measure to identify those ATSs that should be subject to the requirements of Regulation SCI for the reasons discussed above. See supra note 141.
One commenter urged the Commission to utilize number of shares traded rather than dollar value, stating that while most of the world uses value traded, available data for the U.S. equity markets is share-based.160 The Commission disagrees with this commenter and notes that daily dollar volume is readily available from a number of sources, including the SIPs.161
160 See supra note 139 and accompanying text.
161 See also Proposing Release, supra note 13, at 18094 (stating that the use of dollar thresholds may better reflect the economic impact of trading activity).
The time measurement period for ATSs that trade NMS stocks and non-NMS stocks is also being adopted as proposed. Thus, ATSs will be subject to Regulation SCI only if they meet the numerical thresholds for at least four of the preceding six months.162 The Commission notes that the adopted time measurement period is consistent with the current standard in Rule 301(b)(6) of Regulation ATS.163 The Commission believes that this time measurement period is an appropriate time period over which to evaluate the trading volume of an ATS and should help to ensure that it does not capture ATSs with relatively low trading volume that may have had an anomalous increase in trading on a given day or few days. Contrary to concerns raised by some commenters,164 under this time measurement methodology, an ATS would not qualify as an SCI entity simply by trading a single large block of an illiquid security during one month (or even two or three months). While one commenter suggested that the time measurement period be shorter and recommended a period of two to four weeks,165 the Commission believes that this could cause ATSs to fall within the scope of the definition solely as a result of an atypical, short-term increase in trading or a small number of large block trades that is not reflective of ATSs’ general level of trading. Specifically, with such a short period of measurement, a short-term spike in trading volume uncharacteristic of an ATS’s overall trading volume history could (and if large enough, likely would) skew the overall trading volume for that time period, causing an ATS to meet the volume thresholds and thus become subject to Regulation SCI even though the overall risk posed by the ATS does not warrant it. Further, the Commission believes that such a shorter time measurement period could provide more barriers to entry for ATSs, because new ATSs would not have as long of a time period to develop their business prior to having to incur the costs of compliance associated with being subject to the requirements of Regulation SCI.166 This potential to incur such costs almost immediately after the initial start of operations could act as a barrier to entry for some new ATSs.
162 See adopted Rule 1000 (definition of ‘‘SCI ATS’’). The Commission notes that if an ATS that was not previously subject to Regulation SCI meets the SCI ATS volume threshold for four consecutive months, it would become subject to Regulation SCI at the end of that four-month period. However, as discussed further below, such an ATS would have an additional six months from that time to comply with the requirements of Regulation SCI. See infra text accompanying notes 169–170.
163 17 CFR 242.301(b)(6).
164 See, e.g., BIDS Letter at 6.
165 See supra note 138 and accompanying text.
Other commenters recommended a longer measurement period, such as 12 months.167 The Commission does not believe, however, that a longer time period is necessary or more appropriate to identify those entities that play a significant role in the market for a particular asset class and/or that have the potential to significantly impact investors or the market, warranting inclusion in the scope of Regulation SCI. The Commission believes that the adopted time measurement period provides sufficient trading history data so as to indicate an ATS’s significance to the market, and that the structure of the test (i.e., requiring an ATS to meet the threshold for four out of six months) ensures sustainability of such trading levels. In addition, modifying the time measurement period to 12 months (and thus eliminating the four out of six month measurement period) would make such a measure more susceptible to capturing ATSs that have a major but isolated spike in trading during a single month.
166 See supra note 152 and accompanying text. See also infra Section VI.C.1.c (discussing barriers to entry and the effects on competition of the adopted thresholds and time measurement period for SCI ATSs).
167 See supra notes 136–137 and accompanying text. One of these commenters noted that the ‘‘four out of the preceding six months’’ measurement is cumbersome to apply in practice. See KCG Letter at 19. The Commission does not believe this measurement period to be overly cumbersome to apply in practice, as it would require only that an ATS undertake an assessment once at the end of each month as to whether the ATSs had exceeded the volume thresholds set forth in the rule and then make a determination at the end of a six month period whether the ATS met this threshold for four out of the six preceding months.
Specifically, as noted above, a single anomalous large increase in trading volume during one month (or such a spike in two or three months) could never result in an ATS becoming subject to Regulation SCI solely as a result of such a spike in trading, because the ATS would meet the threshold only for one month, rather than the four months required by the rule. On the other hand, a threshold based on an average over 12 months could be skewed by the occurrence of one large spike in trading that results in the overall average for the 12-month period being increased to such a level that it meets the volume threshold levels. Thus, contrary to one commenter’s suggestion that a 12-month period would require ‘‘a sustained trading level at the threshold,’’ 168 the Commission believes that the structure of the adopted measurement period test (i.e., four out of six months) may be a better indicator of actual sustained trading levels at the threshold warranting the protections of the rule.
168 See KCG Letter at 19. See also supra notes 136–137 and accompanying text.
Further, the Commission believes that 12 months is a less appropriate time measurement period than the period adopted because, for example, an ATS could have significant trading volume early on during such a time period such that it may pose significant risk to the markets in the event of a systems issue at such an ATS without being subject to Regulation SCI for a significant period of time. The Commission believes that the adopted time period strikes an appropriate balance between being a long enough period so as to not be triggered by atypical periods of increased trading or a few occurrences of very large trades, while also not causing unnecessary delay in requiring that ATSs playing an important role in the market are subject to Regulation SCI.
Finally, as discussed further in Section IV.F, the Commission agrees with commenters that it is appropriate to provide ATSs meeting the volume thresholds in the definition of SCI ATS for the first time a period of time before they are required to comply with Regulation SCI.169 Thus, consistent with the recommendation of these commenters, the Commission is revising the definition of SCI ATS to provide that an SCI ATS will not be required to comply with the requirements of Regulation SCI until six months after satisfying any of the applicable thresholds in the definition of SCI ATS for the first time.170
169 See supra note 140 and accompanying text.
170 See Rule 1000 (definition of SCI ATS).
ATSs Trading Non-NMS Stocks
Some commenters addressed whether Regulation SCI should apply to ATSs trading non-NMS stocks.171 Specifically, one commenter stated that the rules should apply only to trading in NMS securities because non-NMS stock trading—which is dispersed among broker-dealers—does not have a single point of failure and is therefore less susceptible to rapid, widespread issues that occur as a result of a high degree of linkage or inter-dependency.172 Another commenter stated that, with respect to non-NMS stocks (as well as municipal securities and corporate debt securities), the proposed five percent threshold was too low and would unnecessarily include ATSs for these product types that are ‘‘not systemic to maintaining fair, orderly, and efficient markets’’ and asked the Commission to further study the appropriate threshold for these ATSs.173
171 See, e.g., OTC Markets Letter at 7; SIFMA Letter at 7; TMC Letter at 1–3 (asserting that retail fixed-income ATSs should not be subject to Regulation SCI); and KCG Letter at 3, 10–11.
172 See OTC Markets Letter at 7.
173 See SIFMA Letter at 7.
With regard to equity securities that are not NMS stocks and for which transactions are reported to a self-regulatory organization, the adopted thresholds remain unchanged from the SCI Proposal. Thus, for such securities, an ATS will be subject to the requirements of Regulation SCI if, during four of the preceding six calendar months, it had five percent or more of the average daily dollar volume as calculated by the self-regulatory organization to which such transactions are reported.174 The Commission continues to believe that this threshold will appropriately identify ATSs that play a significant role in the market for those securities and, thus, should be subject to the requirements of Regulation SCI. Using data from the second quarter of 2014, an ATS executing transactions in non-NMS stocks at a level exceeding five percent of the average daily dollar volume traded in the United States would be executing trades at a level exceeding $45.2 million daily.175 Based on data collected from Form ATS–R for the second quarter of 2014, the Commission estimates that two ATSs would exceed this threshold and fall within the definition of SCI entity, accounting for approximately 99 percent of the dollar volume market share of all ATSs trading non-NMS stocks.176 These thresholds reflect an assessment by the Commission, based on qualitative and quantitative analysis, of the likely consequences of the specific quantitative thresholds included in the definition. From this analysis and in conjunction with considering the views of commenters, the Commission has derived what it believes to be an appropriate threshold to identify those ATSs that should be subject to the requirements of Regulation SCI.
174 However, as noted above, an ATS meeting the definition of SCI ATS for the first time will be afforded a six-month compliance period. See supra notes 169–170 and accompanying text.
175 In the Proposing Release, the Commission used data from the first six months of 2012 to estimate that an ATS executing transactions in non-NMS stocks at a level exceeding five percent of the average daily volume traded in the United States would be executing trades at a level exceeding $31 million daily. See Proposing Release, supra note 13, at n.111 and accompanying text. The Commission has updated this estimate using over-the-counter reporting facility data available from FINRA.
176 The Commission notes that the number of ATSs exceeding the adopted threshold, and the percentage of volume of trading in non-NMS stocks that they represent, may change over time in response to market and competitive forces.
As discussed above, one commenter objected to the inclusion of ATSs trading non-NMS stocks within the scope of Regulation SCI.177 This commenter argued that non-NMS trading is not susceptible to the issues that Regulation SCI is designed to address because such trading is dispersed among broker-dealers and does not create the types of single points of failure that pose widespread systemic risk.178 First, as noted above, while the Commission is particularly concerned with systems issues that pose the greatest risk to our markets and have the potential to cause the most widespread effects and damage (such as those that are single points of failure), Regulation SCI is intended to address a broader set of risks of systems issues. Accordingly, the adopted threshold for non-NMS stock ATSs is designed to identify those ATSs that play a significant role in the market for such securities. Further, the Commission disagrees with the commenter’s assertion that trading in non-NMS stocks cannot result in widespread disruptions.179 While one commenter stated that the five percent threshold was too low, this commenter did not provide an alternative threshold but rather asked the Commission to further study this issue.180 As noted above, based on qualitative and quantitative analysis, the Commission believes the five percent threshold to be an appropriate measure to determine which ATSs are of sufficient significance in the current market for non-NMS stocks to warrant their inclusion within the scope of Regulation SCI. The Commission notes that it intends to monitor the level of this threshold, and other thresholds being adopted today, to ensure that they continue to be appropriate.
177 See supra note 172 and accompanying text.
178 See id.
179 See supra note 33 and accompanying text.
180 See supra note 173.
The Commission notes that adoption of a higher threshold for non-NMS stocks than for NMS stocks reflects the Commission’s acknowledgement of certain differences between the two markets. In particular, as noted in the SCI Proposal, while the Commission believes that similar concerns about the trading of NMS stocks on ATSs apply to the trading of non-NMS stocks, the Commission also believes that certain characteristics of the market for non-NMS stocks, such as the lower degree of automation, electronic trading, and interconnectedness, generally result in an overall lower risk to the market in the event of a systems issue.181 In particular, the Commission believes that a systems issue at an SCI entity that trades non-NMS stocks would not be as likely to have as significant or widespread an impact as readily as a systems issue at an SCI entity that trades NMS stocks. Therefore, the Commission believes that there is less risk of market impact in the markets for those securities at this time. As such, the Commission has determined not to adopt the same, more stringent, thresholds that would trigger the requirements of Regulation SCI that the Commission is adopting for ATSs trading NMS stocks. The Commission also believes that imposition of a threshold that is set too low in markets that lack automation could have the unintended effects of discouraging automation in these markets and discouraging new entrants into these markets. Specifically, it could increase the cost of automation in relation to other methods of executing trades, and thus market participants might make a determination that the costs associated with becoming subject to Regulation SCI preclude a shift to automated trading or the development of a new automated trading system, particularly given the expected lower trading volume when beginning operations.
Further, the Commission notes that it has traditionally provided special safeguards with regard to NMS stocks in its rulemaking efforts relating to market structure.182 For these reasons, the Commission believes that it is appropriate at this time to apply a different threshold to ATSs trading NMS stocks than those ATSs trading non-NMS stocks.
181 See Proposing Release, supra note 13, at 18096.
182 See, e.g., Regulation NMS, 17 CFR 242.600–612; Securities Exchange Act Release No. 51808 (June 9, 2005), 70 FR 27496 (June 29, 2005) (Regulation NMS Adopting Release).
ATSs Trading Fixed-Income Securities
Several commenters specifically addressed the inclusion of municipal security and corporate debt security ATSs within the scope of Regulation SCI, stating that these ATSs should not be subject to Regulation SCI or that the proposed thresholds should be modified.183 These commenters identified differences in the nature of fixed-income trading as compared to the markets for NMS securities and concluded that the thresholds were inappropriate and would be detrimental to the market for these types of securities.184 In particular, commenters stated that inclusion of fixed-income ATSs and/or the adoption of the proposed thresholds would impose unduly high costs on these entities given their size, scope of operations, lack of automation, low speed, and resulting low potential to pose risk to systems.185 Further, one commenter noted that the cost of compliance for these types of entities would discourage the shift from manual fixed-income trading in the OTC markets to more transparent and efficient automated trading venues.186 In addition, one commenter stated that if retail fixed-income ATSs are included in the final rule, a better measurement would be to look at par amount traded rather than volume.187 Finally, one commenter requested that the Commission clarify that ATSs relating to listed-options are not subject to the obligations of proposed Regulation SCI.188
183 See, e.g., SIFMA Letter at 7; TMC Letter at 1–3; and KCG Letter at 2–3, 10–11.
184 See, e.g., SIFMA Letter at 7; TMC Letter at 1–3; and KCG Letter at 2–3, 10–11.
185 See, e.g., SIFMA Letter at 7; TMC Letter at 1–3; and KCG Letter at 2–3, 10–11.
186 See KCG Letter at 3, 10–11 (noting that the vast majority of fixed-income trades are done in the OTC markets and only a few ATSs for the fixed-income market have emerged in recent years).
187 See TMC Letter at 1–3.
188 See LiquidPoint Letter at 2–3.
While the adopted definition of SCI ATS remains unchanged from the proposal for NMS stocks and non-NMS stocks, the Commission, after considering the views of commenters, has determined to exclude ATSs that trade only municipal securities or corporate debt securities from the definition of SCI ATS at this time.189 Accordingly, such fixed-income ATSs will not be subject to the requirements of Regulation SCI. Rather, fixed-income ATSs will continue to be subject to the existing requirements in Rule 301(b)(6) of Regulation ATS regarding systems capacity, integrity and security if they meet the twenty percent threshold for municipal securities or corporate debt securities provided by that rule.190 The Commission believes that this change is warranted given the unique nature of the current fixed-income markets, as noted by several commenters.
189 See supra notes 183–186.
190 See 17 CFR 242.301(b)(6).
In particular, fixed-income markets currently rely much less on automation and electronic trading than markets that trade NMS stocks or non-NMS stocks.191 In addition, the municipal and corporate fixed-income markets tend to be less liquid than the equity markets, with slower execution times and less complex routing strategies.192 As such, the Commission believes that a systems issue at a fixed-income ATS would not have as significant or widespread an impact as in other markets. Thus, while ensuring the capacity, integrity and security of the systems of fixed-income ATSs is important, the benefits of lowering the threshold applicable to fixed-income ATSs from the current twenty percent threshold in Regulation ATS and subjecting such ATSs to the safeguards of Regulation SCI would not be as great as for ATSs that trade NMS stock or non-NMS stock. As commenters pointed out, the cost of the requirements of Regulation SCI could be significant for fixed-income ATSs relative to their size, scope of operations, and more limited potential for systems risk. The Commission is cognizant that lowering the current threshold applicable to fixed-income ATSs in Regulation ATS and subjecting such ATSs to the requirements of Regulation SCI could have the unintended effect of discouraging automation in these markets and discouraging the entry of new fixed-income ATSs into the market, which could impede the evolving transparency and efficiency of these markets and negatively impact liquidity in these markets. For these reasons, the Commission believes that it is appropriate to continue to apply the requirements in Rule 301(b)(6) of Regulation ATS to fixed-income ATSs that meet the volume thresholds of that rule and to exclude ATSs that trade only municipal securities or corporate debt securities from the scope of Regulation SCI at this time.
191 See, e.g., supra notes 183–186 and accompanying text (discussing the unique nature of fixed-income trading). See also Tracy Alloway and Michael Mackenzie, ‘‘Goldman Retreats from Bond Platform,’’ Fin. Times, February 17, 2014 (noting that, despite efforts to make the market for bond trades more electronic, large bond trading continues to occur overwhelmingly by ‘voice-brokered’ transactions); and Lisa Abramowicz, ‘‘Humans Beat Machines as Electronic Trading Slows: Credit Markets,’’ Bloomberg, February 19, 2014 (stating that a shift in corporate bond transactions to electronic systems is failing to keep up with total volume).
192 See, e.g., TMC Bonds Letter at 1 (stating that fixed-income markets have significantly lower volumes and slower execution times than equity markets and have no meaningful connectivity between fixed-income ATS participants).
c. Plan Processor
Under Proposed Rule 1000(a), the term ‘‘plan processor’’ had the meaning set forth in Rule 600(b)(55) of Regulation NMS, which defines ‘‘plan processor’’ as ‘‘any self-regulatory organization or securities information processor acting as an exclusive processor in connection with the development, implementation and/or operation of any facility contemplated by an effective national market system plan.’’ 193 The Commission is adopting the definition of ‘‘plan processor’’ as proposed.194 The Commission received no comments on the proposed definition of ‘‘plan processor.’’ 195 As noted in the SCI Proposal, the ARP Inspection Program included the systems of the plan processors of four national market system plans—the CTA Plan, CQS Plan, Nasdaq UTP Plan, and OPRA Plan.196
193 See 17 CFR 242.600(b)(55).
proposed Rule 1000(a) and Proposing Release supra note 13, at Section III.B.1.
195 However, some commenters did support the overall scope of the term ‘‘SCI entity’’ or agreed specifically that plan processors should be included within the definition of that term. See, e.g., Lauer Letter at 3 (urging the Commission to expand the scope of entities covered) and KCG Letter at 5–6 (recommending that Regulation SCI be targeted to services offered by only one or a few entities, such as plan processors). In addition, one commenter, although commenting specifically on the definition of ‘‘SCI system,’’ stated that Regulation SCI should be tailored to focus only on systems impacting the core functions of the overall market, which should include the exclusive SIPs that transmit market data. See OTC Markets Letter at 12–13. 196 See ARP I Release, supra note 1, at n. 8 and n. 17. Each of the CTA Plan, CQS Plan, Nasdaq UTP Plan, and OPRA Plan, is a ‘‘national market system plan’’ (‘‘NMS Plan’’) as defined under Rule 600(a)(43) of Regulation NMS under the Exchange Act, 17 CFR 242.600(a)(43). Rule 600(a)(55) of Regulation NMS under the Exchange Act, 17 CFR 242.600(a)(55), defines a ‘‘plan processor’’ as ‘‘any self-regulatory organization or securities information processor acting as an exclusive processor in connection with the development, implementation and/or operation of any facility contemplated by an effective national market system plan.’’ Section 3(a)(22)(B) of the Exchange Act, 15 U.S.C. 
78c(22)(B), defines ‘‘exclusive processor’’ to mean ‘‘any securities information processor or self-regulatory organization which, directly or indirectly, engages on an exclusive basis on behalf of any national securities exchange or registered securities association, or any national securities exchange or registered securities association which engages on an exclusive basis on its own behalf, in collecting, processing, or preparing for distribution or publication any information with respect to (i) transactions or quotations on or effected or made by means of any facility of such exchange or (ii) quotations 194 See E:\FR\FM\05DER2.SGM 05DER2 Federal Register / Vol. 79, No. 234 / Friday, December 5, 2014 / Rules and Regulations mstockstill on DSK4VPTVN1PROD with RULES2 Although an entity selected as the processor of an SCI Plan acts on behalf of a committee of SROs, such entity is not required to be an SRO, nor is it required to be owned or operated by an SRO.197 The Commission believes, however, that the systems of such entities, because they deal with key market data, are central features of the national market system 198 and should be subject to the same systems standards as SCI SROs. The inclusion of plan processors in the definition of SCI entity is designed to ensure that the processor for an SCI Plan, regardless of its identity, is independently subject to the requirements of Regulation SCI. The Commission believes that it is important for such plan processors to be subject to the requirements of Regulation SCI because of the important role they serve in the national market system: Operating and maintaining computer and communications facilities for the receipt, processing, validating, and dissemination of quotation and/or last sale price information generated by the members of the plan. Recent SIP incidents further highlighted the importance of plan processors to the U.S. 
securities markets and the necessity of including such processors within the scope of Regulation SCI.199 As evidenced by the distributed or published by means of any electronic system operated or controlled by such association.’’ As a processor involved in collecting, processing, and preparing for distribution transaction and quotation information, the processor of each of the CTA Plan, CQS Plan, Nasdaq UTP Plan, and OPRA Plan meets the definition of ‘‘exclusive processor;’’ and because each acts as an exclusive processor in connection with an NMS Plan, each also meets the definition of ‘‘plan processor’’ under Rule 600(a)(55) of Regulation NMS, as well as Rule 1000(a) of Regulation SCI. For ease of reference, an NMS Plan having a current or future ‘‘plan processor’’ is referred to herein as an ‘‘SCI Plan.’’ The Commission notes that not every processor of an NMS Plan would be a ‘‘plan processor’’ under Rule 1000, and therefore not every processor of an NMS Plan would be an SCI entity subject to the requirements of Regulation SCI. For example, the processor of the Symbol Reservation System associated with the National Market System Plan for the Selection and Reservation of Securities Symbols (File No. 4–533) would not be a ‘‘plan processor’’ subject to Regulation SCI because it does not meet the ‘‘exclusive processor’’ statutory definition, as it is not involved in collecting, processing, and preparing for distribution transaction and quotation information. 197 Pursuant to Section 11A of the Exchange Act (15 U.S.C. 78k–1), and Rule 609 of Regulation NMS thereunder (17 CFR 242.609), such entities, as ‘‘exclusive processors,’’ are required to register with the Commission as securities information processors on Form SIP. See 17 CFR 249.1001 (Form SIP, application for registration as a securities information processor or to amend such an application or registration). 198 See Concept Release on Equity Market Structure, supra note 4, at 3594–95. 
199 As noted above, a disruption of the Nasdaq SIP on August 22, 2013 resulted in a three hour halt VerDate Sep<11>2014 20:27 Dec 04, 2014 Jkt 235001 incidents, the availability of consolidated market data is central to the functioning of the securities markets. The unavailability of a system, such as a plan processor, that is a single point of failure with no backups or alternatives can result in a significant impact on the entire national market system. Accordingly, the Commission believes that that it is essential to ensure that the automated systems of the entities responsible for the consolidation and processing of important market data, namely, plan processors, have adequate levels of capacity, integrity, resiliency, availability, and security.200 Further, pursuant to its terms, each SCI Plan is required to periodically review its selection of its processor, and may in the future select a different processor for the SCI Plan than its current processor.201 Thus, the definition of ‘‘plan processor’’ covers any entity selected as the processor for a current or future SCI Plan.202 d. Exempt Clearing Agency Subject to ARP Proposed Rule 1000(a) defined the term ‘‘exempt clearing agency subject to ARP’’ to mean ‘‘an entity that has received from the Commission an exemption from registration as a clearing agency under Section 17A of the Act, and whose exemption contains conditions that relate to the Commission’s Automation Review Policies, or any Commission regulation that supersedes or replaces such policies.’’ This definition is being adopted as proposed. in trading in all Nasdaq-listed securities because of the SIP’s inability to process quotes. See supra note 32 and accompanying text. 
Also as noted above, on October 30, 2014, according to the NYSE, a network hardware failure impacted the Consolidated Tape System, Consolidated Quote System, and Options Price Reporting Authority data feeds at the primary data center, and SIAC switched over to the secondary data center for these data feeds. See id. 200 Systems directly supporting functionality relating to the provision of consolidated market data are included within the definition of ‘‘critical SCI systems,’’ for which heightened obligations under Regulation SCI will apply. See adopted Rule 1000. See also supra Section IV.A.2.c (discussing the definition of ‘‘critical SCI systems’’). 201 See CTA Plan Section V(d) and CQS Plan Section V(d), available at: https://www.nyxdata.com/ cta; OPRA Plan Section V, available at: https:// www.opradata.com/pdf/opra_plan.pdf; and Nasdaq UTP Plan Section V, available at: https:// www.utpplan.com. 202 Currently, SIAC is the processor for the CTA Plan, CQS Plan, and OPRA Plan, and Nasdaq is the processor for the Nasdaq UTP Plan. SIAC is wholly owned by NYSE Euronext. Both SIAC and Nasdaq are registered with the Commission as securities information processors, as required by Section 11A(b)(1) of the Exchange Act, 15 U.S.C. 78k– 1(b)(1), and in accordance with Rule 609 of Regulation NMS, 17 CFR 242.609. PO 00000 Frm 00021 Fmt 4701 Sfmt 4700 72271 As noted in the SCI Proposal, this definition of ‘‘exempt clearing agency subject to ARP’’ currently covers one entity, Omgeo Matching Services—US, LLC (‘‘Omgeo’’).203 In its comment letter, Omgeo stated that it believed its inclusion as an SCI entity was reasonable because clearing agencies that provide matching services, such as Omgeo, perform a critical role in the infrastructure of the U.S. 
financial markets in handling large amounts of highly confidential proprietary trade data.204 Omgeo requested, however, that the Commission clarify that other similarly situated clearing agencies would also be subject to the requirements of Regulation SCI, and further requested that the Commission expand the definition of SCI entity, as applied to clearing agencies, to include, without limitation, any entity providing either matching services or confirmation/affirmation services for depository eligible securities that settle in the United States, as contemplated by FINRA Rule 11860.205 The Commission notes that the adopted definition of ‘‘exempt clearing agency subject to ARP’’ does provide that any entity that receives from the Commission an exemption from registration as a clearing agency under Section 17A of the Act, and whose exemption contains conditions that relate to the Automation Review Policies or any Commission regulation that supersedes or replaces the Commission’s Automation Review Policies (such as Regulation SCI) would be included within the scope of Regulation SCI. Therefore, clearing agencies that are similarly situated as Omgeo (i.e., those that are subject to an exemption that contains the relevant conditions) will be subject to Regulation SCI.206 The Commission does not believe, therefore, that an expansion of the definition as suggested by Omgeo is necessary to further clarify that 203 On April 17, 2001, the Commission issued an order granting Omgeo an exemption from registration as a clearing agency subject to certain conditions and limitations in order that Omgeo might offer electronic trade confirmation and central matching services. See Global Joint Venture Matching Services—US, LLC; Order Granting Exemption from Registration as a Clearing Agency, Securities Exchange Act Release No. 44188 (April 17, 2001), 66 FR 20494 (April 23, 2001) (File No. 600–32) (‘‘Omgeo Exemption Order’’). 
Because the Commission granted it an exemption from clearing agency registration, Omgeo is not a self-regulatory organization. 204 See Omgeo Letter at 2–3. 205 See id. 206 Any entity seeking an exemption from registration as a clearing agency is responsible for requesting and obtaining such an exemption from the Commission. E:\FR\FM\05DER2.SGM 05DER2 72272 Federal Register / Vol. 79, No. 234 / Friday, December 5, 2014 / Rules and Regulations similarly situated entities will be subject to the requirements of Regulation SCI. Among the operational conditions required by the Commission in the Omgeo Exemption Order were several that directly related to the ARP policy statements.207 For the same reasons that it required Omgeo to abide by the conditions relating to the ARP policy statements set forth in the Omgeo Exemption Order, the Commission believes it is appropriate that Omgeo (or any similarly situated exempt clearing agency) should be subject to the requirements of Regulation SCI, and thus is including any ‘‘exempt clearing agency subject to ARP’’ within the definition of SCI entity. 2. SCI Systems, Critical SCI Systems, and Indirect SCI Systems a. 
Overview mstockstill on DSK4VPTVN1PROD with RULES2 Regulation SCI, as adopted, distinguishes three categories of systems of an SCI entity: ‘‘SCI systems;’’ ‘‘critical SCI systems,’’ and ‘‘indirect SCI systems.’’ The SCI Proposal broadly defined SCI systems to mean ‘‘all computer, network, electronic, technical, automated, or similar systems of, or operated by or on behalf of, an SCI entity, whether in production, development, or testing, that directly support trading, clearance and settlement, order routing, market data, regulation, or surveillance.’’ The SCI Proposal also defined the term SCI security systems (to which only the provisions of Regulation SCI relating to security and intrusions would apply) as: ‘‘any systems that share network resources with SCI systems that, if breached, would be reasonably likely to pose a security threat to SCI systems.’’ 208 Many commenters stated that the proposed definitions of SCI systems and SCI security systems were too broad and urged the Commission to target systems that pose the greatest risk to the market 207 These conditions require Omgeo to, among other things: Provide the Commission with an audit report addressing all areas discussed in the Commission ARP policy statements; provide annual reports prepared by competent, independent audit personnel in accordance with the annual risk assessment of the areas set forth in the ARP policy statements; report all significant systems outages to the Commission; provide advance notice of any material changes made to its electronic trade confirmation and central matching services; and respond and require its service providers to respond to requests from the Commission for additional information relating to its electronic trade confirmation and central matching services, and provide access to the Commission to conduct inspections of its facilities, records and personnel related to such services. See supra note 203. 
208 See proposed Rule 1000(a) and Proposing Release, supra note 13, at Section III.B.2. VerDate Sep<11>2014 20:27 Dec 04, 2014 Jkt 235001 if they malfunction.209 After careful consideration of the comments, and as discussed more fully below, the Commission agrees that certain types of systems included in the proposed definition of SCI systems may be appropriately excluded from the adopted definition. However, because U.S. securities market infrastructure is highly interconnected and seemingly minor systems problem at a single entity can spread rapidly across the national market system, the Commission does not believe it is appropriate to apply Regulation SCI only to the most critical SCI systems, as some commenters suggested. Instead, the adopted regulation applies to a broader set of systems than urged by some commenters, but a more targeted set of systems than proposed. In addition, the adopted approach recognizes that some systems pose greater risk than others to the maintenance of fair and orderly markets if they malfunction. To this end, adopted Regulation SCI identifies three broad categories of systems of SCI entities that are subject to the regulation: ‘‘SCI systems,’’ ‘‘critical SCI systems,’’ and ‘‘indirect SCI systems,’’ with each category subject to differing requirements under Regulation SCI. As discussed more fully below, the adopted definition of ‘‘SCI systems’’ includes those systems that directly support six areas that have traditionally been considered to be central to the functioning of the U.S. securities markets, namely trading, clearance and settlement, order routing, market data, market regulation, and market surveillance. SCI systems are subject to all provisions of Regulation SCI, except for certain requirements applicable only to critical SCI systems. 
In addition, the Commission is adopting a definition of “critical SCI systems,” a subset of SCI systems that are subject to certain heightened resilience and information dissemination provisions of Regulation SCI. Guided significantly by commenters’ views on those systems that are most critical, the Commission is defining the term “critical SCI systems” as SCI systems that: (1) Directly support functionality relating to: (i) Clearance and settlement systems of clearing agencies; (ii) openings, reopenings, and closings on primary trading markets; (iii) trading halts; (iv) initial public offerings; (v) the provision of consolidated market data (i.e., SIPs); or (vi) exclusively-listed securities; or (2) provide functionality to the securities markets for which the availability of alternatives is significantly limited or nonexistent and without which there would be a material impact on fair and orderly markets.210 As more fully discussed below, systems in this category are those that, if they were to experience systems issues, the Commission believes would be most likely to have a widespread and significant impact on the securities markets.

In addition, the Commission is adopting a definition of “indirect SCI systems,” in place of the proposed definition of “SCI security systems.” “Indirect SCI systems” are subject only to the provisions of Regulation SCI relating to security and intrusions. The term “indirect SCI systems” is defined to mean “any systems of, or operated by or on behalf of, an SCI entity that, if breached, would be reasonably likely to pose a security threat to SCI systems” and, if an SCI entity puts in place appropriate security measures, is intended to refer to few, if any, systems of the SCI entity.

209 See, e.g., NYSE Letter at 10; Joint SROs Letter at 5; Omgeo Letter at 4; KCG Letter at 3; DTCC Letter at 4; FIF Letter at 3; Liquidnet Letter at 3; and OTC Markets Letter at 12–13.
210 See Rule 1000.

b. SCI Systems

SCI Systems Generally

Proposed Rule 1000(a) defined the term “SCI systems” to mean “all computer, network, electronic, technical, automated, or similar systems of, or operated by or on behalf of, an SCI entity, whether in production, development, or testing, that directly support trading, clearance and settlement, order routing, market data, regulation, or surveillance.” 211 After careful consideration of the comments, the Commission is refining the scope of the systems covered by the definition of “SCI systems.” As adopted, the term “SCI systems” in Rule 1000 means “all computer, network, electronic, technical, automated, or similar systems of, or operated by or on behalf of, an SCI entity that, with respect to securities, directly support trading, clearance and settlement, order routing, market data, market regulation, or market surveillance.”

One commenter generally supported the proposed definition of SCI systems, and stated that the definition should be expanded to include any technology system that has direct market access.212 In response to this comment, the Commission believes that many systems with direct market access are captured by the adopted definition. However, as discussed above, the Commission has determined not to propose to expand the scope of Regulation SCI to include other broker-dealer entities and their systems at this time.213 Contrary to the commenter who urged expansion of the proposed definition, many commenters believed the term to be too broad and recommended that it be revised in various ways.214 These commenters argued that the definition was over-inclusive, with some believing that it could potentially apply to all systems of an SCI entity.

211 See proposed Rule 1000(a) and Proposing Release, supra note 13, at Section III.B.2.
212 See Lauer Letter at 5.
Specifically, several commenters recommended that the definition of SCI systems be revised to include a more limited set of systems than proposed.215 Commenters advocating this general approach provided various suggestions for the specific standard that they believed should apply. For example, among commenters’ recommendations were suggestions that the definition of SCI systems should include only those systems: whose failure or degradation would reasonably be expected to have an adverse material impact on the sound operation of financial markets; 216 that are highly critical to functioning as an SCI entity; 217 that have the potential to impact the protection of securities investors and the maintenance of fair and orderly markets; 218 that directly support trading, clearance and settlement, order routing, market data, regulation, or surveillance in real-time; 219 that support the SCI entity’s “core functions . . . which the SCI entity performs pursuant to applicable Commission regulations;” 220 that are reasonably likely to pose a plausible risk to the markets (namely, systems that route or execute orders, clear and settle trades, or transmit required market data); 221 or that impact the core functions of the overall market, which, according to the commenter, would include exclusive SIPs that transmit market data and systems responsible for primary NMS auction markets that set daily opening and closing prices.222 In addition, one commenter suggested that the term should be defined as a production system that connects to and is part of the electronic network that comprises the market.223 This commenter also noted that the definition should distinguish between systems that connect to the markets and those that are used to run a business.224 Another commenter suggested that, if Regulation SCI were to apply only to exchanges and ATSs, the term should be limited to exchange and ATS systems operated by the entity and should not include, for example, brokerage systems.225

213 See supra Section IV.A.1 (discussing scope of SCI entities covered by Regulation SCI) and infra Section IV.E (discussing comments on the inclusion of broker-dealers generally within the scope of Regulation SCI).
214 See, e.g., NYSE Letter at 10–11; Omgeo Letter at 3–6; MSRB Letter at 7–9; FIF Letter at 3; ICI Letter at 4; BIDS Letter at 15–16; ITG Letter at 5; Liquidnet Letter at 3; CME Letter at 5; DTCC Letter at 3–5; OCC Letter at 3–4; Joint SROs Letter at 5; FINRA Letter at 5–10; SIFMA Letter at 8; Oppenheimer Letter at 3; OTC Markets Letter at 12; and Direct Edge Letter at 2.
215 See, e.g., NYSE Letter at 10; Joint SROs Letter at 5; Omgeo Letter at 4; KCG Letter at 3; DTCC Letter at 4; FIF Letter at 3; Liquidnet Letter at 3; and OTC Markets Letter at 12–13. See infra text accompanying notes 216–225.
216 See Omgeo Letter at 4.
217 See KCG Letter at 3. See also ICI Letter at 3 and Oppenheimer Letter at 3 (stating generally that the proposed definitions should be revised to more specifically focus on system events that are truly disruptive to the markets and the systems themselves that are likely to pose a risk to the fair and orderly operation of the markets or participants in the markets).
218 See CME Letter at 5.
219 See Joint SROs Letter at 5. This group of commenters further stated that non-real-time systems should not be included, as they do not warrant the level of oversight and added costs that the regulation imposes.
220 See DTCC Letter at 4.
221 See NYSE Letter at 3, 10. In addition, this commenter added that the key to whether a proposed “supporting” function should be included is whether or not it is critical to the proper operation of a core functionality.
222 See OTC Markets Letter at 13.
223 See BIDS Letter at 15–16. Thus, this commenter argued that, for a venue that does not route orders, the reporting of trade executions to the tape should not be enough to qualify such a system as an “SCI system.”
224 See id.
225 See Liquidnet Letter at 3.

The Commission is further focusing the scope of the definition of SCI systems in response to these comments.226 The Commission is replacing the proposed language referring to “systems . . . whether in production, development, or testing that directly support trading, clearance and settlement, order routing, market data, regulation, or surveillance” with the following language: “systems, with respect to securities, that directly support trading, clearance and settlement, order routing, market data, market regulation, or market surveillance.” As such, the adopted definition has been limited to apply to production systems that relate to securities market functions, and in particular to those six functions— trading, clearance and settlement, order routing, market data, market regulation, or market surveillance—that traditionally have been considered to be central to the functioning of the U.S. securities markets, as urged by several commenters.227 The Commission believes that systems providing these six functions may pose a significant risk to the maintenance of fair and orderly markets if their capacity, integrity, reliability, availability or security is compromised, and therefore that they should be covered by the definition of “SCI systems.”

226 See supra notes 215–218, 220–222, and 224–225, and accompanying text. The definition is not limited strictly to real-time systems, however, or those that “connect to” and are “part of the electronic network that comprises the market,” because those limitations could exclude relevant systems, such as certain market regulation or market surveillance systems operated by or on behalf of an SCI entity, which the Commission views as integral to one or more of the six functions identified in the definition. In response to the commenter requesting that “brokerage” systems be excluded from the definition of SCI systems, the Commission notes that the adopted definition of SCI systems applies to systems that directly support the enumerated six functions, operated by or on behalf of an SCI entity. The definition therefore would exclude systems, including brokerage systems, that are not operated by or on behalf of an SCI entity. See, respectively, supra notes 219 and 223 and accompanying text.

Although some commenters pointed to the phrase “directly support” in the proposed rule as vague and overbroad,228 the Commission has retained this phrase in the adopted definition. The term “directly support” is retained to acknowledge that systems of SCI entities are complex and highly interconnected and that the definition of SCI systems should not exclude functionality or supporting systems on which the six identified categories of systems rely to remain operational.229 In response to comment that the definition of SCI systems should distinguish between systems that connect to the markets and those that are used to run a business,230 the Commission notes that the adopted definition would not include systems “used to run a business” if they are not within the six identified categories of market-related production systems and not necessary to their continued functioning.
Further, the adopted definition clarifies that SCI systems encompass only those systems that, with respect to securities, directly support trading, clearance and settlement, order routing, market data, market regulation, or market surveillance. The Commission believes that this change appropriately responds to one commenter’s concerns that the proposed definition would capture systems operated by an SCI entity that have “practically no relevance or relation to SEC markets” and suggested that the definition should be revised to include only those systems that would directly impact a market that was subject to the Commission’s jurisdiction.231 As a result of this modification, if an SCI SRO does not use its systems to conduct business with respect to securities, its systems would not fall within the definition of “SCI systems.” Further, if an SCI entity operates systems for the trading of both futures and securities, only its trading systems for securities would be subject to the requirements of Regulation SCI.232

227 See supra notes 219–221 and accompanying text.
228 See OCC Letter at 3; and NYSE Letter at 10.
229 The Commission notes that it believes that specifying that the definition applies to those systems that “directly support” these core functions is necessary so as to not result in a definition that is overly broad and would capture systems that only peripherally or indirectly support these functions. See generally supra notes 214–225 and accompanying text (discussing comments that urged revisions to the definition of SCI systems). See also infra Section IV.A.2.d (discussing the definition of “indirect SCI systems”).
230 See supra note 224 and accompanying text.
231 See CME Letter at 5.
232 However, the Commission notes that, if an SCI entity has systems that do not relate to securities, and that have not been properly walled off from its SCI systems for securities, they may be captured by the definition of “indirect SCI systems” (as discussed below) and subject to certain requirements of the rule including those relating to security and intrusions standards. See infra Section IV.A.2.d (discussing definition of “indirect SCI systems”).

In addition, one commenter urged that the Commission should initially limit the scope of SCI systems to those systems covered by the ARP Policy Statements (trading, clearance and settlement, and order routing) and phase in other types of systems later.233 The Commission believes that the adopted definition of SCI systems obviates the need for such an approach, as many systems for which the commenter urged a delay in compliance will not be covered by the regulation, as adopted.

233 See MSRB Letter at 9.

SCI Systems: Inclusions and Exclusions

Various commenters objected to specific categories proposed to be included in the definition of SCI systems. First, many commenters opposed the proposed inclusion of development and testing systems in the definition, noting that issues in development and testing systems would have little or no impact on the operations of SCI entities and that such systems are designed to identify and address problems before they are introduced into production systems.234 Some commenters argued that inclusion of development and testing systems in the definition of SCI systems would subject such systems to more requirements under Regulation SCI than was necessary and noted that certain other provisions of Regulation SCI would necessarily include reporting information to the Commission on such systems, even without their inclusion in the definition of SCI systems.235 For example, one commenter stated that application of most provisions of Regulation SCI to testing and development systems would provide little benefit, and noted that updates regarding systems in development and material new features of existing systems could instead be done through the semi-annual reports to the Commission under proposed Rule 1000(b)(8).236 Similarly, one commenter noted that information regarding the status of systems that are in development and testing would be captured in the notices regarding material systems changes under proposed Rule 1000(b)(6) and in the updates under proposed Rule 1000(b)(8).237 Alternatively, this commenter suggested that the Commission could require that any testing errors be corrected (and such corrections be retested) prior to implementation of those changes in production.238

234 See NYSE Letter at 11; FINRA Letter at 10–11; Omgeo Letter at 5; DTCC Letter at 4; SIFMA Letter at 8; BIDS Letter at 16; MSRB Letter at 7–8; OCC Letter at 5; CME Letter at 6; Joint SROs Letter at 5; and Direct Edge Letter at 2. One commenter qualified this position by stating that, to the extent that a systems issue in a development and testing environment were to give rise to an issue affecting an SCI system, the proposal should apply to that development and testing environment. See OCC Letter at 5.
MSRB Letter at 7; and DTCC Letter at 4.
MSRB Letter at 7.
237 See DTCC Letter at 4.
238 See id.
239 Because the Commission is removing development and testing systems from the definition of SCI systems, the reference to production systems in the definition of SCI systems is also being deleted as it is unnecessary to distinguish between development, testing and production systems within the definition. See adopted Rule 1000 (definition of “SCI systems”).

The Commission believes that certain modifications to the elements of the proposed definition of SCI systems are appropriate. First, in response to comments, the reference to development and testing systems in the proposed definition of SCI systems has been deleted.239 As commenters pointed out, development and testing systems are generally designed to identify and address problems before new systems or systems changes are introduced into production systems and, by their nature, can often experience issues, both intentional and unplanned, during the testing process. The Commission believes that systems issues that occur with respect to such systems are less likely to have a significant impact on the operations of an SCI entity or on the securities markets as a whole than issues occurring with respect to production systems. Further, subjecting these systems to the Commission notification requirements in adopted Rule 1002(b) could have the unintended effect of deterring SCI entities from fully utilizing the testing and development processes to test new systems and systems changes and develop solutions to issues prior to implementation of such systems or changes in production.
At the same time, the Commission notes that, in order to have policies and procedures reasonably designed to achieve capacity, integrity, resiliency, availability, and security for SCI systems in accordance with adopted Rule 1001(a), an SCI entity will be required to have policies and procedures that include a program to review and keep current systems development and testing methodology for SCI systems.240 Accordingly, review of programs relating to systems development and testing for SCI systems is within the scope of Regulation SCI, and an SCI entity should reasonably expect Commission staff to review such processes and systems during the course of its exams and inspections. In addition, the Commission notes that the definition of SCI review in adopted Rule 1000 and corresponding requirements for an annual SCI review in adopted Rule 1003(b) require an assessment of internal control design and effectiveness, which includes development processes.241 Further, if development and testing systems are not appropriately walled off from production systems, such systems could be captured under the definition of indirect SCI systems as discussed below and be subject to the requirements of Regulation SCI. If an SCI entity’s development and testing systems are not walled off from production systems, the SCI entity should consider whether its policies and procedures should specify safeguards to ensure that its personnel can clearly distinguish the development and testing systems from the production systems, in order to avoid inadvertent errors that may result in an SCI event. 
Some commenters also opposed the proposed inclusion of regulatory and surveillance systems within the definition of SCI systems or suggested that the Commission refine or clarify the scope of such systems.242 Some of these 235 See 236 See PO 00000 Frm 00024 Fmt 4701 Sfmt 4700 240 See adopted Rule 1001(a) and discussion in infra Section IV.B.1 (discussing the policies and procedures requirement under adopted Rule 1001(a)). 241 See adopted Rule 1000 and 1003(b) and discussion in infra Section IV.B.5 (discussing the SCI review requirement). The Commission also notes that development processes include testing processes. 242 See NYSE Letter at 11; BATS Letter at 5; MSRB Letter at 8–9; and FINRA Letter at 7–8. E:\FR\FM\05DER2.SGM 05DER2 Federal Register / Vol. 79, No. 234 / Friday, December 5, 2014 / Rules and Regulations commenters argued that inclusion of such systems was not necessary because these systems do not operate on a realtime basis or have a real-time impact on trading.243 Further, one commenter suggested that periodic reporting of material outages or delays in the operation of regulatory and surveillance systems, pursuant to appropriate policies and procedures, would support the goals of Regulation SCI without imposing undue burdens on SCI entities or raising the risk that market participants would purposefully direct order flow to SCI entities experiencing regulatory or surveillance systems issues.244 Another commenter advocated for replacing the terms ‘‘regulation’’ and ‘‘surveillance’’ with ‘‘market regulation’’ and ‘‘market surveillance,’’ respectively, and asked the Commission to clarify the difference between ‘‘regulatory’’ and ‘‘surveillance’’ systems.245 In consideration of these comments, the Commission has determined to limit SCI systems to those systems relating to market regulation and market surveillance rather than including all regulation and surveillance systems. 
As proposed, the definition contained no such limitations and could potentially be interpreted to cover systems used for member regulation and member surveillance. The Commission does not believe that inclusion of member regulation or member surveillance systems such as those, for example, relating to member registration, capital requirements, or dispute resolution, would advance the goals of Regulation SCI. Issues relating to such systems are unlikely to have the same level of impact on the maintenance of fair and orderly markets or an SCI entity’s operational capability as those systems identified in the definition of SCI systems. The Commission believes that this change will more appropriately capture only those regulatory and surveillance systems that are related to core market functions, such as trading, clearance and settlement, order routing, and market data.246
Another element of the proposed definition of ‘‘SCI systems’’ that some commenters addressed was the inclusion of market data systems. Specifically, one commenter believed that the inclusion of all market data systems was too broad, and argued that only ‘‘systems that directly support ‘the transmission of market data as required by the Exchange Act’’’ should be included, thus limiting the types of market data systems to those relating to consolidated data and excluding those that transmit proprietary market data.247 Although the term ‘‘market data’’ is not defined in Regulation SCI, that term generally refers to price information for securities, both pre-trade and post-trade, such as quotations and transaction reports.248 In response to the commenter urging that only market data systems relating to consolidated data be included, the term ‘‘market data’’ does not refer exclusively to consolidated market data, but includes proprietary market data generated by SCI entities as well. The Commission notes that both consolidated and proprietary market data systems are widely used and relied upon by a broad array of market participants, including institutional investors, to make trading decisions, and that if a consolidated or a proprietary market data feed became unavailable or otherwise unreliable, it could have a significant impact on the trading of the securities to which it pertains, and could interfere with the maintenance of fair and orderly markets. Therefore, systems of an SCI entity directly supporting proprietary market data or consolidated market data are both within the scope of the definition of SCI systems and subject to Regulation SCI. However, the Commission has repeatedly emphasized the importance of consolidated market data to the national market system and the protection of investors 249 and the severe impact of its unavailability was evidenced by the SIP outage in August 2013.250 Thus, as discussed below, systems directly supporting functionality related to the provision of consolidated market data are distinguished by their inclusion in the definition of ‘‘critical SCI systems.’’ 251
Further, one commenter questioned whether the phrase ‘‘market data systems’’ was intended to be limited to data-driven systems devoted to price transparency or whether the Commission also intended to include document-based systems devoted to public disclosure.252 In response to this comment, the Commission notes that systems providing or directly supporting price transparency are within the scope of SCI systems.253 However, systems solely providing or directly supporting other types of data, such as systems used by market participants to submit disclosure documents, or systems used by SCI entities to make disclosure documents publicly available, are not within the scope of SCI systems, so long as they do not also directly support price transparency.
Several commenters also argued that the term SCI systems should not include systems operated on behalf of an SCI entity by a third party.254 Some of these commenters pointed to potential difficulties with meeting the requirements of Regulation SCI with regard to third party systems.255 One commenter specifically suggested that the proposal should be limited to those systems under the control of the SCI entity.256 Another commenter noted that the SCI entity should instead be responsible for managing these relationships through due diligence, contract terms, and monitoring of third party performance.257 One commenter also requested that the Commission clarify how SCI entities should comply with the oversight of vendor systems as part of Regulation SCI.258
Although several commenters argued that the term SCI systems should not include third-party systems, the Commission continues to believe that, if a system is operated on behalf of an SCI entity and directly supports one of the six key functions listed within the definition of SCI system, it should be included as an SCI system subject to the requirements of Regulation SCI. The Commission believes that any system that directly supports one of the six functions enumerated in the definition of SCI system is important to the functioning of the U.S. securities markets, regardless of whether it is operated by the SCI entity directly or by a third party. The Commission believes that permitting such systems to be excluded from the requirements of Regulation SCI would significantly reduce the effectiveness of the regulation in promoting the national market system by ensuring the capacity, integrity, resiliency, availability, and security of those systems important to the functioning of the U.S. securities markets. Further, if the definition did not include systems operated on behalf of an SCI entity, the Commission is concerned that some SCI entities might be inclined to outsource certain of their systems solely to avoid the requirements of Regulation SCI, which would further undermine the goals of Regulation SCI.
The Commission agrees with the comment that an SCI entity should be responsible for managing its relationship with third parties operating systems on behalf of the SCI entity through due diligence, contract terms, and monitoring of third party performance. However, the Commission believes that these methods may not be sufficient in all cases to ensure that the requirements of Regulation SCI are met for SCI systems operated by third parties. The fact that they might be sufficient some of the time is therefore not a basis for excluding these systems from the definition of SCI systems. Instead, if an SCI entity determines to utilize a third party for an applicable system, it is responsible for having in place processes and requirements to ensure that it is able to satisfy the requirements of Regulation SCI for systems operated on behalf of the SCI entity by a third party.
243 See NYSE Letter at 11; and Joint SROs Letter at 5.
244 See NYSE Letter at 11 (citing concerns regarding the potential that dissemination of information regarding issues with regulatory or surveillance systems to members or participants could provide a ‘‘roadmap for violative market behavior’’).
245 See FINRA Letter at 7–8.
246 The Commission notes that Rule 613 of Regulation NMS requires the creation of an NMS plan to govern the creation, implementation, and maintenance of a consolidated audit trail and central repository. See 17 CFR 242.613. See also Securities Exchange Act Release No. 67457 (July 18, 2012), 77 FR 45722 (August 1, 2012) (‘‘Consolidated Audit Trail Adopting Release’’). Although the consolidated audit trail central repository has not yet been created, the Commission believes that the consolidated audit trail repository will be a market regulation system that falls within the definition of SCI systems, and further that it will be an SCI system of each SCI SRO that is a member of an approved NMS plan under Rule 613, because it will be a facility of each SCI SRO that is a member of such plan. See Consolidated Audit Trail Adopting Release, 77 FR at 45774 (stating, ‘‘[T]he central repository will be jointly owned by, and be a facility of, each SRO that is a sponsor of the NMS plan.’’). See also SCI Proposing Release, supra note 13, at 18099 (contemplating inclusion of the consolidated audit trail central repository as an SCI system).
247 See NYSE Letter at 10–11.
248 See Exchange Act Section 11A (15 U.S.C. 78K–1(a)(1)(C)(iii)), granting the Commission authority to assure the availability to brokers, dealers, and investors of ‘‘information with respect to quotations for and transactions in securities’’). See also Regulation of Market Information Fees and Revenues, Securities Exchange Act Release No. 42208, 64 FR 70613 (December 17, 1999) (describing ‘‘market information’’ as information concerning quotations for and transactions in equity securities and options that are actively traded in the U.S. markets).
249 See, e.g., Concept Release on Equity Market Structure, supra note 198; and Regulation NMS Adopting Release, supra note 182, at 37503–04.
250 See supra note 32 and accompanying text.
251 See infra Section IV.A.2.c (discussing definition of ‘‘critical SCI systems’’).
252 See MSRB Letter at 8–9 (citing its EMMA Primary Market Disclosure Service and EMMA Continuing Disclosure Service system as an example of a document-based system devoted to public disclosure).
253 With regard to this particular comment, the Commission notes that the specific systems referenced—the RTRS, EMMA Primary Market Disclosure Service, EMMA Continuing Disclosure Service and SHORT System—all include pricing information for securities, and thus would fall within the definition of ‘‘SCI systems.’’
254 See Omgeo Letter at 5–6; DTCC Letter at 4; SIFMA Letter at 8–9; BIDS Letter at 16; and BATS Letter at 4. See also ITG Letter at 5 (expressing concern about the inclusion of systems of third parties operated on behalf of an SCI entity and systems that are unrelated to the trading operations of an ATS).
255 See, e.g., Omgeo Letter at 5–6; and BATS Letter at 4 (arguing that it would be difficult for SCI entities to ensure compliance by third party vendors absent their willingness to disclose to SCI entities highly detailed information about their intellectual property and proprietary systems).
256 See SIFMA Letter at 9.
257 See BIDS Letter at 16.
258 See FIF Letter at 3.
The Commission believes that it would be appropriate for an SCI entity to evaluate the challenges associated with oversight of third-party vendors that provide or support its applicable systems subject to Regulation SCI. If an SCI entity is uncertain of its ability to manage a third-party relationship (whether through due diligence, contract terms, monitoring, or other methods) to satisfy the requirements of Regulation SCI,259 then it would need to reassess its decision to outsource the applicable system to such third party.260 For example, if a third-party vendor is unwilling to disclose to an SCI entity information regarding the vendor’s intellectual property or proprietary system that the SCI entity believes it needs to satisfy the requirements of Regulation SCI, as some commenters suggested might be the case, an SCI entity will need to reassess its relationship with that vendor, because the vendor’s unwillingness to provide necessary information or other assurances would not exclude the outsourced system from the definition of SCI systems. Accordingly, the definition of SCI system, as adopted in Rule 1000, retains the reference to systems operated ‘‘on behalf of’’ SCI entities.
Finally, some commenters asked for clarification on miscellaneous aspects of the definition. For example, one commenter requested that the Commission clarify that the definition of SCI system for purposes of Regulation SCI is separate and distinct from the definition of a facility set forth in Section 3(a)(2) of the Exchange Act.261 The Commission notes that the term ‘‘SCI system’’ under Regulation SCI is distinct from the term ‘‘facility’’ in Section 3(a)(2) of the Exchange Act.262 Because a facility of an exchange would only fall within the definition of ‘‘SCI systems’’ if it is a system that directly supports any one of the six functions provided in the definition of ‘‘SCI systems,’’ not all systems that are facilities of an exchange will be SCI systems. For example, as noted in the SCI Proposal, the definition of SCI systems would apply to systems of exchange-affiliated routing brokers that are facilities of national securities exchanges.263 But a system used for member regulation that may meet the definition of a facility under the Exchange Act, would not be within the scope of the definition of ‘‘SCI systems.’’
Another commenter requested confirmation that internal systems are excluded from the definition of SCI system.264 The Commission notes that the definition of ‘‘SCI system’’ does not differentiate between ‘‘internal systems’’ and those systems accessed by market participants or other outside parties.265 The Commission notes that, while some internal systems of an SCI entity may not meet the definition of SCI system, it does not believe that all internal systems (as described by this commenter) would be outside of the scope of the definition of SCI system.266
Other commenters advocated that SCI entities should be permitted to conduct their own risk-based assessment to determine which of their systems should be considered SCI systems.267 One commenter noted that SCI entities should be required to develop and maintain an established methodology for identifying which systems qualify as SCI systems,268 while other commenters advocated for coordination with the Commission in establishing criteria to be used in conducting such risk-based assessments or review by the Commission of an SCI entity’s own risk-based assessment.269 The Commission has carefully considered these comments and generally agrees that certain systems pose greater risk to the markets in the event of a systems issue and are of paramount importance to the functioning of the U.S. securities markets. Rather than include only those in the definition of SCI systems, the Commission believes that it is more prudent to instead identify these systems as ‘‘critical SCI systems’’ subject to certain heightened obligations.
259 See BIDS Letter at 16 (suggesting these methods of managing third-party relationships to comply with the proposed rule).
260 See FIF Letter at 3 and FINRA Letter at 22–23 (requesting Commission guidance on how an SCI entity should manage third-party relationships in the context of adopted Regulation SCI). See also infra notes 851–852 and accompanying text (discussing comments on the risk of noncompliance by an SCI entity in connection with reporting SCI events and material systems changes due to challenges posed by third-party systems).
261 See NYSE Letter at 10.
262 See 15 U.S.C. 78c3(a)(2).
263 See Proposing Release, supra note 13, at 18099.
264 See FINRA Letter at 10.
265 See adopted Rule 1000 (definition of SCI systems).
266 In addition, the Commission notes that, while certain internal systems may not be ‘‘SCI systems,’’ they may instead meet the definition of ‘‘indirect SCI systems’’ under adopted Rule 1000, if they are not properly walled off from SCI systems. However, as discussed below, the Commission is clarifying the meaning of this defined term to note that systems that are effectively physically or logically separated from SCI systems would be outside of the definition of indirect SCI systems and thus outside of the scope of Regulation SCI. See infra Section IV.A.2.d (discussing the definition of ‘‘indirect SCI systems’’).
267 See DTCC Letter at 3–5; Omgeo Letter at 5–6; and OCC Letter at 3–4.
268 See Omgeo Letter at 5.
269 See OCC Letter at 3–4; and DTCC Letter at 3–4.
Further, adopted Rule 1001(a) requiring SCI entities to have policies and procedures reasonably designed to ensure that their systems have adequate levels of capacity, integrity, resiliency, availability, and security is consistent with a risk-based approach.270 Specifically, as discussed in further detail below, an SCI entity may tailor its policies and procedures based on the relative criticality of a given SCI system to the SCI entity and to the securities markets generally.271
c. Critical SCI Systems
As discussed above, in response to comments, the Commission is incorporating a risk-based approach in certain aspects of Regulation SCI.272 To that end, the Commission is adopting a definition of ‘‘critical SCI systems’’ to designate SCI systems that the Commission believes should be subject to the highest level of requirements. As a subset of ‘‘SCI systems,’’ ‘‘critical SCI systems’’ are subject to the same provisions as ‘‘SCI systems,’’ except that critical SCI systems are subject to certain heightened resilience and information dissemination provisions of Regulation SCI. In these respects, critical SCI systems are subject to an increased level of obligation as compared to other SCI systems.273
Rule 1000 defines ‘‘critical SCI systems’’ as ‘‘any SCI systems of, or operated by or on behalf of, an SCI entity that: (1) Directly support functionality relating to: (i) Clearance and settlement systems of clearing agencies; 274 (ii) openings, reopenings, and closings on the primary listing market; (iii) trading halts; (iv) initial public offerings; (v) the provision of consolidated market data; or (vi) exclusively-listed securities; or (2) provide functionality to the securities markets for which the availability of alternatives is significantly limited or nonexistent and without which there would be a material impact on fair and orderly markets.’’
As noted above, many commenters advocated for a risk-based approach to Regulation SCI and either suggested that only the entities or systems that pose the greatest risk to the markets should be within the scope of the regulation or, alternatively, that the requirements of Regulation SCI be tailored to the specific risk-profile of a particular entity or particular system.275 While the Commission disagrees with commenters who suggested that Regulation SCI should apply only to ‘‘critical systems,’’ as it believes that these are not the only systems that could pose a significant risk to the securities markets, the Commission believes that it is appropriate to hold systems that pose the greatest risk to the markets if they malfunction to higher standards and more stringent requirements under Regulation SCI. Recent events have also demonstrated the importance of certain critical systems functionality, including those that represent ‘‘single points of failure’’ to the securities markets, and the need for more robust market infrastructure, particularly with regard to critical market systems.276 The Commission believes that the adoption of the definition of ‘‘critical SCI systems’’ and heightened requirements for such systems recognizes that some systems are critical to the continuous and orderly functioning of the securities markets more broadly and, as such, ensuring their capacity, integrity, resiliency, availability, and security is of the utmost importance. Therefore, as discussed further below, the Commission believes that it is appropriate for such critical SCI systems to be held to heightened requirements (as compared to those for SCI systems) related to capacity, integrity, resiliency, availability, and security generally; rapid recovery following wide-scale disruptions; and disclosure of SCI events.
270 See adopted Rule 1001(a). See also infra Section IV.B.1 (discussing policies and procedures for operational capability).
271 See infra Section IV.B.1.a–b (discussing the use of risk-based considerations to tailor policies and procedures for operational capability).
272 See supra notes 53–56 and accompanying text (discussing comments on a risk-based approach).
273 See infra Sections IV.B.1.b and IV.B.3.d (discussing the two-hour resumption goal for ‘‘critical SCI systems’’ and information dissemination requirement for ‘‘major SCI events,’’ respectively).
274 ‘‘Clearance and settlement systems of clearing agencies’’ includes systems of registered clearing agencies and exempt clearing agencies subject to ARP. See Rule 1000 (definition of ‘‘exempt clearing agency subject to ARP,’’ which by its terms would also include an entity that has received from the Commission an exemption from registration as a clearing agency under Section 17A of the Act, and whose exemption contains conditions that relate to ARP, or any Commission regulation that supersedes or replaces such policies, including Regulation SCI).
275 See supra notes 53–56 and 216–222 and accompanying text (discussing comments on a risk-based approach and limiting SCI systems to only core or critical systems).
276 See supra Section II.B (describing recent events involving systems-related issues). In particular, the Nasdaq SIP incident, which caused a disruption in the dissemination of consolidated market data in the equity markets and led to a trading halt in all Nasdaq-listed stocks for several hours, confirmed that disruptions in systems that represent single points of failure can have a major and detrimental impact across an entire national market system.
The Commission believes that the definition of critical SCI systems is appropriately designed to identify those SCI systems whose functions are critical to the operation of the markets, including those systems that represent potential single points of failure in the securities markets. Systems in this category are those that, if they were to experience systems issues, the Commission believes would be most likely to have a widespread and significant impact on the securities markets. The first prong of the definition identifies six specific categories of systems that the Commission believes are the most critical to the securities markets, and the most likely to have widespread and significant market impact should a systems issue occur. These are: clearance and settlement systems of clearing agencies; openings, reopenings, and closings on the primary listing market; trading halts; initial public offerings; the provision of consolidated market data (i.e., SIPs); and exclusively-listed securities. In the context of suggesting the adoption of a risk-based approach for Regulation SCI, some commenters identified those functions that they believed were most critical to the functioning of the markets. Among those identified were clearance and settlement, opening and closing auctions, IPO auctions, the provision of consolidated market data by the SIPs; and trading of exclusively-listed securities.277 The Commission agrees with commenters who characterized these categories of systems as critical. 
In addition, as discussed below, the Commission believes that systems that directly support functionality relating to 277 See, e.g., Direct Edge Letter at 2 (citing, among others, SIPs and clearance and settlement systems as essential to continuous market-wide operation); KCG Letter at 2–3 (identifying opening and closing auctions, IPO auctions, trading of exclusively-listed options, market data consolidators, and settlement and central clearing as ‘‘single points of failure’’ that should be subject to heightened regulatory requirements); and SIFMA Letter at 4 (stating that highly critical functions should include primary listing exchanges, trading exclusively listed securities, SIPs, clearance and settlement, distribution of unique post-trade transparency information, and real-time market surveillance). Although these commenters were urging that Regulation SCI apply only to these critical systems, as explained above, the Commission believes that such an approach would be too limited. E:\FR\FM\05DER2.SGM 05DER2 72278 Federal Register / Vol. 79, No. 234 / Friday, December 5, 2014 / Rules and Regulations mstockstill on DSK4VPTVN1PROD with RULES2 trading halts should be included in the definition of critical SCI systems. With respect to ‘‘clearance and settlement systems of clearing agencies,’’ the clearance and settlement of securities is fundamental to securities market activity.278 Clearing agencies perform a variety of services that help ensure that trades settle on time and at the agreed upon terms. For example, clearing agencies compare transaction information (or report to members the results of exchange comparison operations), calculate settlement obligations (including net settlement), collect margin (such as initial and variation margin), and serve as a depository to hold securities as certificates or in dematerialized form to facilitate automated settlement. Because of their role, clearing agencies are critical central points in the financial system. 
A significant portion of securities activity flows through one or more clearing agencies. Clearing agencies have direct links to participants and indirect links to the customers of participants. Clearing agencies are also linked to each other through common participants and, in some cases, by operational processes. Safe and reliable clearing agencies are essential not only to the stability of the securities markets they serve but often also to payment systems, which may be used by a clearing agency or may themselves use a clearing agency to transfer collateral.279 The safety of securities settlement arrangements and post-trade custody arrangements is also critical to the goal of protecting the assets of investors from claims by creditors of intermediaries and other entities that perform various functions in the operation of the clearing agency.280 Investors are more likely to participate in markets when they have confidence in the safety and reliability of clearing agencies as well as settlement systems.281 Accordingly, the Commission believes ‘‘clearance and settlement systems of clearing agencies’’ are appropriate for inclusion in the definition of critical SCI systems.282
Similarly, reliable openings, reopenings, and closings on primary listing markets are key to the establishment and maintenance of fair and orderly markets. NYSE and Nasdaq, for example, each have an opening cross for their listed securities that solicits trading interest and generates a single auction price that attracts widespread participation and is relied upon as a benchmark by other markets and market participants.283 Similar processes are used, and heavy levels of participation typically are generated, at the primary listing markets in the reopening cross that follows a trading halt.284 Closing auctions at the primary listing markets also attract widespread participation, and the closing prices they establish are commonly used as benchmarks, such as to value derivative contracts and generate mutual fund net asset values. As such, during these critical trading periods, market participants rely on the processes of the primary listing markets to effect transactions, and establish benchmark prices that are used in a wide variety of contexts so that the unavailability or disruption of systems directly supporting the opening, reopening and closing processes on the primary listing markets could have widespread detrimental effects.285
In addition, the Commission believes that systems directly supporting functionality relating to trading halts 286 are essential to the orderly functioning of the securities markets, and therefore should be included in the definition of critical SCI systems. In the event a trading halt is necessary, it is essential that the systems responsible for communicating the trading halt—typically maintained by the primary listing market—are robust and reliable so that the trading halt is effective across the U.S. securities markets.
278 See Clearing Agency Standards Release, supra note 76, at 66220, 66264.
279 See Clearing Agency Standards Release, supra note 76, at 66264.
280 See id.
281 See id.
282 The Commission notes that systems of SCI entities other than clearing agencies that are used in connection with the clearance and settlement of trades are not captured by the definition of ‘‘critical SCI systems,’’ but rather would fall within the definition of ‘‘SCI systems,’’ as discussed above. See supra Section IV.2. The Commission believes that such systems of other SCI entities, such as SROs and ATSs, do not provide the same critical functions or pose the same level of risk to the market as the clearance and settlement systems of clearing agencies as discussed above.
283 See Nasdaq Rule 4752 (Opening Process) and NYSE Rules 115A (Orders at the Opening) and 123D (Openings and Halts in Trading).
284 See, e.g., Nasdaq Rule 4753 (Nasdaq Halt and Imbalance Crosses) and NYSE Rules 115A (Orders at the Opening) and 123D (Openings and Halts in Trading).
285 For example, press reports indicated that the decision to close the New York Stock Exchange in the wake of Superstorm Sandy, and the resulting lack of availability of the NYSE opening and closing prices, was a significant contributing cause of the unscheduled closure of the U.S. national securities exchanges. See, e.g., Jenny Strasburg, Jonathan Cheng, and Jacob Bunge, ‘‘Behind Decision to Close Markets,’’ Wall St. J., October 29, 2012. See also Proposing Release, supra note 13, at 18091 (discussing the effects of Superstorm Sandy on the securities markets). While other exchanges outside of the path of Superstorm Sandy did not experience the same risks to their electronic trading systems as the NYSE and could have otherwise opened for business, the risk that opening and closing prices might not be set by NYSE for its listed securities contributed to the consensus recommendation of market participants that the markets remain closed. See Jenny Strasburg, Jonathan Cheng, and Jacob Bunge, ‘‘Behind Decision to Close Markets,’’ Wall St. J., October 29, 2012.
286 For purposes of clarity, the Commission notes that the term ‘‘trading halts’’ as used in this context is intended to capture market-wide halts, such as regulatory halts, rather than a halt to trading for securities on a particular market (for example, caused by a systems issue specific to that market).
For example, when there is material ‘‘news pending’’ with respect to an issuer, it is the responsibility of the primary listing market to call a regulatory halt by generating a halt message which, when received by other trading centers, requires them to cease trading the security.287 Similar responsibilities are placed on the primary listing market with respect to calling trading halts under the National Market System Plan to Address Extraordinary Market Volatility, as well as on plan processors to disseminate this information to the public.288 Thus, systems which communicate information regarding trading halts provide an essential service in the U.S. markets and, should a systems issue occur affecting the ability of an SCI entity to provide such notifications, the fair and orderly functioning of the securities markets may be significantly impacted.
Companies offer shares of capital stock to the general public for the first time through the IPO process, in which the primary listing market initiates public trading in a company’s shares. The IPO is conducted exclusively on that exchange, and secondary market trading cannot commence on any other exchange until the opening trade is printed on the primary listing market.289 As such, the Commission believes that an exchange’s systems that directly support the IPO process and the initiation of secondary market trading are a critical element of the capital formation process and the effective functioning of the securities markets. The Commission believes that these systems, which are the sole responsibility of the primary listing market, can adversely affect not only the IPO of a particular issuer, but may also result in significant monetary losses and harm to investors if they fail.290 As noted in the SCI Proposal, systems issues affecting the two recent high-profile IPOs highlighted how disruptions in IPO systems can have a significant impact on the market.291
Systems directly supporting the provision of consolidated market data are also critical to the functioning of U.S. securities markets and represent potential single points of failure in the delivery of important market information.
287 See, e.g., CTA Plan Section IX(a), available at: https://www.nyxdata.com/cta; National Market System Plan To Address Extraordinary Market Volatility, Section VII (‘‘Limit Up/Limit Down Plan’’); NYSE Arca Rule 7.12, BATS Rule 11.18, and EDGA Rule 11.14. See also Securities Exchange Act Release No. 67091 (May 31, 2012), 77 FR 33498 (June 6, 2012) (File No. 4–631) (Order Approving, on a Pilot Basis, the National Market System Plan To Address Extraordinary Market Volatility) (‘‘Limit Up/Limit Down Plan Approval Order’’).
288 See Limit Up/Limit Down Plan, supra note 287 and Limit Up/Limit Down Plan Approval Order, supra note 287.
289 See Rule 12f–2 under the Exchange Act, 17 CFR 240.12f–2 (providing that a national securities exchange may extend unlisted trading privileges to a security when at least one transaction in the security has been effected on the national securities exchange upon which the security is listed and the transaction has been reported pursuant to an effective transaction reporting plan).
When Congress mandated a national market system in 1975, it emphasized that the systems for collecting and distributing consolidated market data would be central features of the national market system.292 Further, one of the findings of the recent report by the staffs of the Commission and the CFTC on the market events of May 6, 2010 was that ‘‘fair and orderly markets require that the standards for robust, accessible, and timely market data be set quite high.’’ 293 Accurate, timely, and efficient collection, processing, and dissemination of consolidated market data provides the public with ready access to a comprehensive and reliable source of information for the prices and volume of any NMS stock at any time during the trading day.294 This information helps to ensure that the public is aware of the best displayed prices for a stock, no matter where they may arise in the national market system.295 It also enables investors to monitor the prices at which their orders are executed and serves as a data point that helps them to assess whether their orders received best execution.296
Finally, systems directly supporting functionality relating to exclusively-listed securities represent single points of failure in the securities markets, because exclusively-listed securities, by definition, are listed and traded solely on one exchange.297 As such, a trading disruption on the exclusive listing market necessarily will disrupt trading by all market participants in those securities.298
The second prong of the definition is a broader catch-all provision intended to capture any SCI systems, beyond those specifically identified within the first prong of the definition, that provide functionality to the securities markets for which the availability of alternatives is significantly limited or nonexistent and without which there would be a material impact on fair and orderly markets.
290 See, e.g., supra note 36 (discussing the losses associated with Nasdaq’s Facebook IPO).
291 Specifically, in March 2012, BATS announced that a ‘‘software bug’’ caused BATS to shut down the IPO of its own stock, and in May 2012, issues with Nasdaq’s trading systems delayed the start of trading in the IPO of Facebook, Inc. and some market participants experienced delays in notifications of whether orders had been filled. See Proposing Release, supra note 13, at 18089; and Securities Exchange Act Release No. 69655, In the Matter of The NASDAQ Stock Market, LLC and NASDAQ Execution Services, LLC (settled action: May 29, 2013), available at: https://www.sec.gov/litigation/admin/2013/34-69655.pdf. Nasdaq and Nasdaq Execution Services, LLC consented to an Order Instituting Administrative and Cease-and-Desist Proceedings Pursuant to Sections 19(h)(1) and 21C of the Securities Exchange Act of 1934, Making Findings, and Imposing Sanctions and a Cease-and-Desist Order.
292 See H.R. Rep. No. 94–229, 94th Cong., 1st Sess. 93 (1975). See also Concept Release on Equity Market Structure, supra note 4, at 3600, and Proposing Release, supra note 13, at 18108 (each discussing the importance of consolidated market data).
293 See Findings Regarding The Market Events Of May 6, 2010, Report Of The Staffs Of The CFTC And SEC To The Joint Advisory Committee On Emerging Regulatory Issues, September 30, 2010, at 8 (‘‘May 6 Staff Report’’).
294 See id.
The Commission is not aware of any SCI systems that would fall under this prong of the critical SCI systems definition at this time, and notes that this prong of the definition is intended to account for further technology advancements and the continual evolution of the securities markets, in recognition that such developments could result in additional or new types of systems that would, similar to the enumerated categories of systems in the first prong of the definition, become so critical to the continuous and orderly functioning of the securities markets such that they should be subject to the requirements of Regulation SCI imposed on those systems specifically enumerated in the first prong of the definition. The Commission also notes that the definition applies to those systems ‘‘of, or operated by or on behalf of, an SCI entity.’’ This language mirrors the language in the definitions of SCI system and indirect SCI system, and as discussed above, is intended to cover systems that are third-party systems operated on behalf of SCI entities.299
d. Indirect SCI Systems (Proposed as ‘‘SCI Security Systems’’)
Proposed Rule 1000 defined the term ‘‘SCI security systems’’ to mean ‘‘any systems that share network resources with SCI systems that, if breached, would be reasonably likely to pose a security threat to SCI systems.’’ 300 As adopted, Regulation SCI includes the new term ‘‘indirect SCI systems,’’ in place of the proposed term ‘‘SCI security systems.’’ The term ‘‘indirect SCI systems’’ is defined to mean ‘‘any systems of, or operated by or on behalf of, an SCI entity that, if breached, would be reasonably likely to pose a security threat to SCI systems.’’
As an initial matter, the Commission has determined to replace the proposed term ‘‘SCI security systems’’ with the adopted term ‘‘indirect SCI systems’’ because it believes that the latter term, in using the word ‘‘indirect,’’ better reflects that it is intended to cover non-SCI systems only if they are not appropriately secured and segregated from SCI systems, and therefore could indirectly pose risk to SCI systems.301 The adopted definition of indirect SCI systems includes systems ‘‘of, or operated by or on behalf of’’ of an SCI entity that, ‘‘if breached, would be reasonably likely to pose a security threat to SCI systems.’’ As discussed below, in response to comment that the proposed term would cover too many systems unrelated to SCI systems, the adopted term excludes the phrase ‘‘share network resources.’’
One commenter expressly supported the definition of SCI security systems and urged that it be expanded to include any technology system that has direct market access.302 In response to this comment, the Commission notes that the adopted definition includes any technology system of, or operated by or on behalf of an SCI entity, that has direct market access if that system meets the definition’s test: whether a breach of that system would be reasonably likely to pose a security threat to SCI systems. This commenter also suggested that the Commission additionally require SCI entities to have independent security audits performed and allow the auditor to have the ability to define which systems should be included and which can be safely excluded.303 The Commission is not requiring ‘‘independent security audits’’ to determine which systems would fall within the definition of indirect SCI system as suggested by this commenter,304 because the Commission believes its adopted rule requiring an annual SCI review addresses the commenter’s request. The Commission notes that the adopted annual SCI review requirement requires that such review be performed by objective, qualified personnel, and that it include an assessment of logical and physical security controls for SCI systems and indirect SCI systems. The Commission believes that an SCI entity is generally in the best position to assess in the first instance which of its systems may fall within the definition of indirect SCI systems, and that having an independent third party audit to make that determination should be optional rather than required at this time.
295 See id.
296 See id. Also, as discussed above, the recent Nasdaq SIP disruption demonstrated that the availability, accuracy, and reliability of consolidated market data is currently central to the functioning of the securities markets, and systems issues affecting such systems can result in major disruptions to the national market system, undermining the maintenance of fair and orderly markets.
297 As noted above, commenters identified the systems supporting the trading of exclusively-listed securities as representing critical points of failure or critical functionality in the securities markets. See, e.g., KCG Letter at 2–3; and SIFMA Letter at 4.
298 For example, as noted above, in April 2013, CBOE delayed the opening of trading on its exchange for over three hours due to an internal ‘‘software bug,’’ preventing investors from trading in those products that are singly-listed on CBOE, including options on the S&P 500 Index and the VIX. See supra note 28 and accompanying text.
299 See supra notes 254–260 and accompanying text.
300 See proposed Rule 1000(a) and Proposing Release, supra note 13, at Section III.B.2.
301 The Commission also believes that eliminating the word ‘‘security’’ from the defined term will help clarify that the term is not limited to systems relating only to security of the SCI entity and its systems (e.g., firewalls, VPNs).
302 See Lauer Letter at 5.
Contrary to the commenter urging expansion of the proposed definition of SCI security systems, many commenters argued that the proposed definition was overbroad,305 with several of these same commenters suggesting that the term be deleted from the rule entirely.306 The Commission believes that Regulation SCI warrants inclusion of a definition of indirect SCI systems because an issue or systems intrusion with respect to a non-SCI system still could cause or increase the likelihood of an SCI event with respect to an SCI entity’s SCI systems.307 In particular, because systems that are not adequately walled off from SCI systems may present potential entry points to an SCI entity’s network and thus represent potential vulnerabilities to SCI systems, the Commission believes that it is important that the provisions of Regulation SCI relating to security standards and systems intrusions apply to such systems (i.e., indirect SCI systems).
303 See id.
304 See adopted Rule 1000 (definition of ‘‘SCI review’’) and infra Section IV.B.5 (discussing the SCI review requirement).
305 See, e.g., NYSE Letter at 11; Omgeo Letter at 6; MFA Letter at 6 (noting specifically that the definition could be read to extend to broker-dealers or other third parties); SIFMA Letter at 8; ITG Letter at 5, 12; BIDS Letter at 16–17; MSRB Letter at 7; OCC Letter at 4; FINRA Letter at 12–13; CME Letter at 6; DTCC Letter at 5; Oppenheimer Letter at 3; and Direct Edge Letter at 3.
306 See, e.g., NYSE Letter at 11; Omgeo Letter at 6; MFA Letter at 6; SIFMA Letter at 2; FIF Letter at 3; LiquidPoint Letter at 3; KCG Letter at 18; OCC Letter at 3; and Joint SROs Letter at 5.
307 See Proposing Release, supra note 13, at 18099.
Many commenters objecting to the proposed definition as too broad addressed particular elements of the proposed definition of SCI security systems or provided specific recommendations for modifications or limitations to the definition.308 For example, some commenters criticized the use of the phrase ‘‘share network resources,’’ noting that it was vague and too broad, potentially encompassing almost any system of an SCI entity.309 Similarly, one commenter stated that the definition of SCI security system should include only systems that ‘‘directly’’ share network resources with an SCI system.310 One commenter argued that the definition should only include those systems that are materially and directly connected to the trading operations of an SCI entity.311 Several commenters recommended that systems that are logically and/or physically separated from SCI systems should be excluded from the definition.312 Some commenters qualified this position by stating that such systems should be excluded, for example, as long as SCI entities monitor those systems for security breaches and have the ability to shut the system off if they detect a security breach; 313 or provided that the separation is routinely monitored and has appropriate risk controls in place and the system is ‘‘air gapped’’ (i.e., has no point of entry) from the public internet.314 One commenter believed that the definition should exclude any system with ‘‘compensatory controls in place,’’ which it stated would protect and secure SCI systems from vulnerabilities that could arise from shared network links.315 Another commenter asked for greater clarity on the extent to which SCI security systems that are isolated from production, such as email and intranet sites, raise security issues that are within the scope of the proposal.316
After careful consideration of these comments, the Commission believes that inclusion of the phrase ‘‘share network resources’’ in the proposed definition could be interpreted in a manner that would include almost any system that is part of an SCI entity’s network. In response to commenters who expressed concern about the breadth of the proposed definition, the Commission has determined to eliminate the phrase ‘‘share network resources’’ from the definition, so that the adopted result-oriented test depends on whether a system ‘‘if breached, would be reasonably likely to pose a security threat to SCI systems.’’ As a result, the inquiry into whether any system is an indirect SCI system will depend on whether it is effectively physically or logically separated from SCI systems. Systems that are adequately physically or logically separated (i.e., isolated from SCI systems, such that they do not provide vulnerable points of entry into SCI systems) will not fall within the definition of indirect SCI systems.
308 See NYSE Letter at 12; BATS Letter at 5–6; ISE Letter at 7–8; BIDS Letter at 16–17; SROs Letter at 15; Direct Edge Letter at 3; FINRA Letter at 13; ISE Letter at 8; and DTCC Letter at 5; and ITG Letter at 12.
309 See NYSE Letter at 12; BATS Letter at 5; and ISE Letter at 7–8.
310 See BIDS Letter at 16–17.
311 See ITG Letter at 12 (stating that its suggested approach would, in its case, cover systems for order handling and execution, processing of market data, transaction reporting, and clearing and settlement of trades).
312 See, e.g., Joint SROs Letter at 15 (stating that the term ‘‘SCI security systems’’ should be deleted, but if retained, should exclude those systems that are physically and logically separated); BATS Letter at 5–6; Direct Edge Letter at 3; FINRA Letter at 13; ISE Letter at 8; and DTCC Letter at 5.
313 See BATS Letter at 5–6.
314 See Direct Edge Letter at 3.
315 See FINRA Letter at 13.
The Commission believes that having adequate separation and security controls should protect SCI systems from vulnerabilities caused by other systems. To the extent that non-SCI systems are sufficiently walled off from SCI systems using appropriate security measures, and thus are not reasonably likely to pose a security threat to SCI systems if breached, they would not be included in the definition of indirect SCI systems, and thus would be outside of the scope of Regulation SCI. The Commission notes that the definition of indirect SCI systems will not include any systems of an SCI entity for which the SCI entity establishes reasonably designed and effective controls that result in SCI systems being logically or physically separated from such non-SCI systems. Thus, the universe of an SCI entity’s indirect SCI systems is in the control of each SCI entity, and SCI entities should reasonably expect Commission staff to assess its security controls around SCI systems in connection with an inspection or examination for compliance with Regulation SCI. If these controls are not present or are not reasonably designed, the applicable non-SCI systems would be within the scope of the definition of indirect SCI systems and subject to the security standards and systems intrusions provisions of Regulation SCI.
Some commenters recommended that, rather than including SCI security systems in the scope of the regulation, the Commission should instead require SCI entities to establish policies and procedures designed to ensure the security of their systems.317 According to these commenters, such an approach would require an evaluation of the risks posed to SCI systems by non-SCI systems.
316 See ISE Letter at 8.
As noted, the Commission believes that the adopted definition of ‘‘indirect SCI systems’’ will effectively require SCI entities to evaluate the risks posed to SCI systems by non-SCI systems. However, the Commission believes that the adopted approach will incentivize SCI entities to seek to have in place strong security controls around SCI systems. As noted, if an SCI entity designs and implements security controls so that none of its non-SCI systems would be reasonably likely to pose a security threat to SCI systems, then it will have no indirect SCI systems. If, however, an SCI entity does have indirect SCI systems, then certain provisions of Regulation SCI will apply to those indirect SCI systems.318 The Commission believes this approach to indirect SCI systems is more appropriate than the policies and procedures approach suggested by some commenters because the Commission believes that its approach is more comprehensive as it includes, for example, the requirements to take corrective action, provide notifications to the Commission, and disseminate information for certain SCI events relating to indirect SCI systems which, by definition, if breached, would be reasonably likely to pose a security threat to SCI systems.
Another commenter stated that a more precise definition of SCI security systems is important and that it would be valuable for the Commission to work with representatives within the securities industry to collectively craft the most appropriate definition that will ensure that critical security systems are captured.319 In crafting the definition, the Commission has taken into account comments received, with such commenters representing a wide variety of types of participants in the securities markets, and believes the adopted definition of indirect SCI systems, along with the definition of SCI systems, is responsive to a broad range of commenters’ concerns.320
Another commenter suggested that the definition be limited to systems ‘‘of, or operated by or on behalf of, an SCI entity,’’ noting that the definition of SCI security systems should have parallel construction to the definition of ‘‘SCI systems’’ and without this phrase, SCI entities would be tasked inappropriately with controlling for systems outside of their effective control.321 As noted, the adopted definition of ‘‘indirect SCI systems’’ applies to those systems ‘‘of, or operated by or on behalf of, an SCI entity.’’ As a result, the adopted definition of indirect SCI systems provides (as is the case for SCI systems) that systems ‘‘of, or operated by or on behalf of’’ an SCI entity, are included in the definition of indirect SCI systems if their breach would be reasonably likely to pose a security threat to SCI systems.322 The Commission believes that the addition of this language is warranted to make clear that security of SCI systems is not limited solely to threats from systems operated directly by the SCI entity. If it were, outsourced systems of SCI entities would not be subject to the requirements of Regulation SCI, which would undermine the goals of Regulation SCI.
As discussed in further detail below, unlike SCI systems, those systems meeting the definition of ‘‘indirect SCI systems’’ will only be subject to certain provisions of Regulation SCI.
317 See, e.g., NYSE Letter at 12; MFA Letter at 6; SIFMA Letter at 2; FIF Letter at 3; LiquidPoint Letter at 3; KCG Letter at 18; OCC Letter at 3; and Joint SROs Letter at 5.
318 See infra notes 323–328 (discussing the provisions of Regulation SCI applicable to indirect SCI systems).
319 See DTCC Letter at 5.
Specifically, references to ‘‘indirect SCI systems’’ are included in the definitions of ‘‘responsible SCI personnel,’’ ‘‘SCI review,’’ and ‘‘systems intrusion’’ in adopted Rule 1000.323 Rule 1001(a), requiring reasonably designed policies and procedures to ensure operational capability, will apply to indirect SCI systems only for purposes of security standards.324 In addition, Rule 1002, which relates to an SCI entity’s obligations with regard to SCI events, will apply to indirect SCI systems only with respect to systems intrusions.325 Further, pursuant to Rule 1003(a), the obligations related to systems changes will apply to material changes to the security of indirect SCI systems.326 In addition, the requirements regarding an SCI review will apply to indirect SCI systems.327 Finally, Rules 1005 through 1007, relating to recordkeeping and electronic filing and submission of Form SCI, respectively, will also apply to indirect SCI systems.328 The Commission believes that it is appropriate to subject indirect SCI systems to only these specified provisions because the Commission believes that the primary risk posed by indirect SCI systems is that they may serve as vulnerable entry points to SCI systems.
320 See supra note 17 and accompanying text.
321 See MSRB Letter at 7.
322 See supra Section IV.A.2.b (discussing the inclusion of third party systems in the definition of ‘‘SCI systems’’).
323 See adopted Rule 1000.
324 See adopted Rule 1001(a) and supra Section IV.B.1 (discussing the policies and procedures requirement under Rule 1001(a)).
325 See adopted Rule 1000 (definitions of system compliance and systems disruption, which do not include indirect SCI systems, and the definition of systems intrusion, which includes indirect SCI systems) and supra Section IV.B.3 (discussing an SCI entity’s obligations with respect to SCI events).
The Commission’s objective with respect to indirect SCI systems is to guard against a non-SCI system being breached in a manner that threatens the security of any SCI system. The Commission believes that its approach to defining indirect SCI systems, and requiring SCI entities to consider, address, and report on security changes and intrusions into systems where vulnerabilities have been identified, is tailored to meet this objective.

3. SCI Events

Regulation SCI specifies the types of events—i.e., SCI events—that give rise to certain obligations under the rule, including taking corrective action, reporting to the Commission, and disseminating information about such SCI events.329 Proposed Rule 1000(a) defined the term “SCI event” as “an event at an SCI entity that constitutes: (1) A systems disruption; (2) a systems compliance issue; or (3) a systems intrusion.” 330 The Commission is adopting the definition of “SCI event” as proposed.

Many commenters believed that the proposed definition of “SCI event” was vague 331 or overly broad because it was not limited to capturing material SCI events 332 or events that the commenters believed are truly disruptive and pose a risk to the market.333 Specifically, several commenters recommended that the definition of SCI event include a materiality threshold, so that only events determined by the SCI entity to be material would trigger certain obligations under the rule.334 One commenter stated that the definition of SCI event could be interpreted to include trivial events, and therefore believed that the definition needed clarity.335 Finally, one commenter suggested that SCI event be defined as outlined in Rule 301(b)(6)(ii)(G) under Regulation ATS,336 which requires a qualifying ATS to notify the Commission of material systems outages and significant systems changes.337

After careful consideration of the views of commenters, although the Commission is adopting the definition of “SCI event” as proposed, the requirements of Regulation SCI are tiered in a manner that the Commission believes is responsive to the concerns of commenters about the breadth of the definition.338 Specifically, and as explained in further detail below, the Commission is incorporating a risk-based approach to the obligations of SCI entities with respect to SCI events.339 The Commission is not incorporating a materiality threshold as requested by some commenters,340 including by limiting the definition of SCI event to only those events that are considered by SCI entities to be truly disruptive to the market.341 Rather, the Commission believes that the adopted Commission notification and information dissemination requirements for SCI events will help to focus the Commission’s and SCI entities’ resources on the more significant SCI events by providing appropriate exceptions from reporting and dissemination for events that have no or de minimis impacts on an SCI entity’s operations or market participants.

326 See adopted Rule 1003(a)(i) and Section IV.B.4 (discussing requirements relating to material systems changes).
327 See adopted Rule 1003(b) and Section IV.B.5 (discussing the SCI review requirement).
328 See adopted Rules 1005–1007 and Section IV.C (discussing the recordkeeping and electronic filing of Form SCI).
329 See infra Section IV.B.3 (discussing an SCI entity’s obligations with respect to SCI events).
330 See proposed Rule 1000(a) and Proposing Release, supra note 13, at Section III.B.3.
331 See ITG Letter at 12; and OTC Markets Letter at 16.
332 See FIF Letter at 2; ITG Letter at 12; DTCC Letter at 5; and OTC Markets Letter at 16.
333 See NYSE Letter at 3; ICI Letter at 4; Oppenheimer Letter at 3. See also supra note 231 and accompanying text (discussing comment that the definition of SCI systems should be revised to cover only those systems where a disruption, compliance issue, intrusion or material systems change would impact investors and markets that are subject to the Commission’s jurisdiction).
334 See, e.g., FIF Letter at 2 (suggesting factors for determining what is a material SCI event, and urging that only material SCI events be subject to notification requirements); ITG Letter at 12 (suggesting that a Commission notification requirement apply only to those events that have a material impact on the ongoing maintenance of fair and orderly markets in an NMS security); and DTCC Letter at 5 (recommending that each component of the term SCI event be limited by a materiality threshold and be “risk-based” so that the term includes events that cause a disruption to the SCI entity’s ability to conduct its core functions).
335 See ITG Letter at 12.
336 17 CFR 242.301(b)(6)(ii)(G).
337 See OTC Markets Letter at 16. In addition, some commenters objected to the inclusion of systems compliance issues within the definition of SCI events. See infra notes 403–405 and accompanying text.
338 See supra notes 331–337 and accompanying text.
339 Under this risk-based approach, for example, de minimis SCI events will not be subject to the immediate Commission reporting requirements as proposed, but rather, SCI entities will only be required to make, keep, and preserve records regarding de minimis SCI events and submit de minimis systems disruptions and de minimis systems intrusions to the Commission in quarterly summary reports. See Rule 1002(b)(5).
340 See supra notes 334 and 337 and accompanying text.
In addition, the Commission believes that SCI event should not be defined as outlined in Rule 301(b)(6)(ii)(G) under Regulation ATS as suggested by one commenter,342 because Rule 301(b)(6)(ii)(G) requires Commission notification of “material systems outages.” 343 Such an approach would exclude any systems compliance issues or systems intrusions, two types of events that the Commission believes should be included as SCI events. This approach would also create a materiality threshold for systems disruptions, which the Commission believes would not be appropriate, as discussed below.

In addition, by not including a materiality threshold within the definition, SCI entities will be required to assess, take corrective action, and keep records of all such events, some of which may initially seem insignificant to an SCI entity, but which may later prove to be the cause of significant systems issues at the SCI entity. An SCI entity’s records of de minimis SCI events may also be useful to the Commission in that they may, for example, aid the Commission in identifying patterns of de minimis SCI events that together might result in a more impactful SCI event, either at an SCI entity or across a group of SCI entities, or circumstances in which an SCI event causes de minimis systems issues for one particular SCI entity but results in significant issues for another SCI entity. The Commission also believes that the ability to view such events in the aggregate and across multiple SCI entities is important to allow the Commission and its staff to be able to gather information about trends related to SCI events that could not otherwise be properly discerned. Information about trends will assist the Commission in fulfilling its oversight role by keeping Commission staff informed about the nature and frequency of the types of de minimis SCI events that SCI entities encounter. Moreover, information about trends and notifications of de minimis SCI events generally can also inform the Commission of areas of potential weaknesses, or persistent or recurring problems, across SCI entities and also should help the Commission better focus on common types of SCI events or issues with certain types of SCI systems across SCI entities. This information also will permit the Commission and its staff to issue industry alerts or guidance if appropriate. In addition, this information would allow the Commission and its staff to review SCI entities’ classification of SCI events as de minimis SCI events.

In addition, although the definition of SCI event is unchanged, to address commenters’ concerns, the Commission has determined to modify the various components of that definition (i.e., the definition of systems disruption, systems compliance issue, and systems intrusion), in certain respects, as discussed below.

a. Systems Disruption

Proposed Rule 1000(a) would have defined “systems disruption” as “an event in an SCI entity’s SCI systems that results in: (1) A failure to maintain service level agreements or constraints; (2) a disruption of normal operations, including a switchover to back up equipment with near-term recovery of primary hardware unlikely; (3) a loss of use of any SCI system; (4) a loss of transaction or clearance and settlement data; (5) significant backups or delays in processing; (6) a significant diminution of ability to disseminate timely and accurate market data; or (7) a queuing of data between systems components or queuing of messages to or from customers of such duration that normal service delivery is affected.” 344 As discussed below, in response to comments, the Commission is substantially modifying the proposed definition of systems disruption in adopted Rule 1000.

One commenter stated that the proposed definition of systems disruption was reasonable, but recommended that it be expanded to encompass disruptions originating from a third party.345 However, many other commenters believed that the definition of systems disruption was too broad and would include minor events that they believed should be excluded from the definition.346 Several commenters suggested ways to limit the scope of the defined term.

341 See supra note 333 and accompanying text.
342 See supra note 337 and accompanying text.
343 See 17 CFR 242.301(b)(6)(ii)(G). Rule 301(b)(6)(ii)(G) also requires that ATSs promptly notify the Commission of significant systems changes.
344 See proposed Rule 1000(a) and Proposing Release, supra note 13, at Section III.B.3.a.
345 See Lauer Letter at 5–6.
For example, some commenters suggested limiting the definition to material disruptions.347 One of these commenters added that systems disruptions should exclude any regularly planned outages occurring during the normal course of business.348 Another commenter recommended that development and testing environments should be excluded from the definition of systems disruption.349 One commenter suggested modifying the definition to include only two elements: (1) Disruptions of either the SCI systems or of the operations of the SCI entity that have the effect of disrupting the delivery of the SCI service provided by those systems; and (2) degradations of SCI systems processing creating backups or delays of such a degree and duration that the delivery of service is effectively disrupted or unusable by the market participants who use the systems.350

Two commenters believed that the proposed definition of systems disruption was too rigid and should provide for more flexibility and discretion.351 Both commenters were skeptical that an event should be reportable solely because it matched the description of one of the seven elements of the definition.352 One of these commenters noted that the Commission’s proposed definition seeks to codify as a formal definition language used by the ARP Inspection Program that was meant to provide flexibility and latitude in determining what constitutes a systems disruption.353 The other commenter thought that the seven prongs of the proposed definition of “systems disruption” were appropriate considerations in determining whether a systems disruption had occurred, but that an SCI entity should be afforded more discretion and flexibility in determining whether a particular issue meets the definition.354

Service Level Agreements

Two commenters believed that the first element of the definition regarding service level agreements should be eliminated.355 One of these commenters stated that an SCI entity’s regulatory requirements should not depend upon the negotiated language of an agreement between business partners, while the other commenter noted that, in some cases, a private contract might have more stringent requirements than required by regulation, which would, in effect, transform such agreements into new regulatory obligations.356 Other commenters stated this element should be revised to capture only the most significant disruptions to a service level agreement.357 In addition, one commenter expressed concern that SCI entities may forgo negotiating detailed and stringent service level agreements if the first element were to be adopted as proposed.358

Disruptions of Normal Operations

Two commenters stated that the second element of the definition needs clarification because the phrase “disruption of normal operations” is vague and overbroad and therefore could potentially include minor events.359 Two commenters stated that, if a switchover is utilized and there is no material impact on the core services, then there should not be a requirement to notify the Commission of a systems disruption.360 One of these commenters added that programming errors that occur prior to production and regularly scheduled maintenance should not be considered disruptions.361 Several commenters also recommended that testing errors should not be included in the definition,362 and one commenter stated that testing errors should only be included if they result in a material impact on an SCI entity’s operations.363

Loss of Use of Any System

One commenter stated that the term “loss of use of any SCI system” is unclear and expressed concern that the lack of clarity may lead to interpretive differences and inconsistencies in application among SCI entities.364 Three commenters discussed failovers to backup systems, with one commenter stating the Commission should clarify whether this constitutes a loss of use of a system,365 another commenter stating that it should not be considered a systems disruption,366 and the third commenter stating that it should only be considered a systems disruption if there is an impact on normal operations.367

Loss of Data

Several commenters stated that losses of transaction or clearance and settlement data that are immediately retrieved, promptly corrected, or, for clearance and settlement data, resolved prior to the close of the trading day should not be systems disruptions.368 One commenter suggested that the rule be revised to include as a systems disruption data that is altered or corrupted in some way.369 Another commenter stated that this prong of the definition should include a materiality qualifier.370

Backups or Delays and Market Data Dissemination

With respect to the fifth and sixth elements of the definition regarding significant backups or delays in processing and a significant diminution of ability to disseminate timely and accurate market data, one commenter expressed support for the inclusion of such performance degradations in the definition of systems disruptions but stated that it believed that the Commission’s interpretation of the term “significant” in the SCI Proposal was overly broad because it would encompass delays that are small and, in fact, insignificant.371

346 See, e.g., FINRA Letter at 16; BATS Letter at 9; Omgeo Letter at 7; NYSE Letter at 14; Joint SROs Letter at 6; OCC Letter at 6; SIFMA Letter at 9–10; and OTC Markets Letter at 21.
347 See DTCC Letter at 6; SIFMA Letter at 9; OCC Letter at 6; OTC Markets Letter at 21; and Joint SROs Letter at 6.
348 See DTCC Letter at 7.
349 See FINRA Letter at 11, 16 (noting also that the many elements of the defined term were vague). See also Section IV.A.2.b (discussing the definition of “SCI systems,” including the elimination of test and development systems from its definition).
350 See Omgeo Letter at 11.
351 See Omgeo Letter at 7; and OCC Letter at 6–8.
352 See Omgeo Letter at 7; and OCC Letter at 6–8.
353 See Omgeo Letter at 7.
354 See OCC Letter at 6. This commenter also critiqued or requested clarification for each prong of the definition, as discussed further below.
355 See NYSE Letter at 13; and BATS Letter at 9.
356 See NYSE Letter at 13; and BATS Letter at 9.
357 See DTCC Letter at 7 (suggesting that the definition capture only the most significant disruptions to a service level agreement that are caused by the SCI entity and that impede its ability to perform its core functions and critical operations); and OCC Letter at 7. See also Omgeo Letter at 9 (noting concerns that this element could require reporting of events too minor to be noticed by participants and that do not cause any disruptions of service or material risks to the entity or users).
358 See OCC Letter at 7.
359 See NYSE Letter at 13; and Omgeo Letter at 8.
360 See BATS Letter at 9; and SIFMA Letter at 10.
361 See BATS Letter at 10.
362 See BATS Letter at 11; SIFMA Letter at 10; and NYSE Letter at 13.
363 See Omgeo Letter at 9 (noting that inclusion of testing errors would discourage SCI entities from conducting effective quality assurance programs and could undermine good quality engineering practices).
364 See OCC Letter at 7.
365 See id.
366 See NYSE Letter at 13.
367 See Direct Edge Letter at 3.
368 See, e.g., OCC Letter at 7; DTCC Letter at 7; SIFMA Letter at 10; and Omgeo Letter at 11.
369 See Omgeo Letter at 11.
370 See NYSE Letter at 14.
371 See Omgeo Letter at 9. See also Proposing Release, supra note 13, at 18101–02.

Data Queuing

With respect to the seventh element, one commenter stated that queuing of data is a very good indicator of a problem, but also noted that it is not necessarily being properly monitored by most firms and suggested that the Commission require SCI entities to monitor queue depth.372 However, several other commenters stated that queuing of data is normal and necessary.373 Some commenters suggested that the Commission should only require reporting of such queuing if it materially affects the delivery of core services to customers.374 One commenter asked for additional clarification on this element because all systems have queues to some extent with normal functionality and only certain queues should trigger recovery actions.375 One commenter expressed concern that language in the SCI Proposal stating that “queuing of data is a warning signal of significant disruption” 376 would make events that are precursors to system disruptions themselves become system disruptions.377

Customer Complaints

Several commenters objected to the Commission’s discussion in the SCI Proposal regarding customer complaints,378 stating that the Commission should not consider each instance in which a customer or systems user complains or inquires about a slowdown or disruption of operations as an indicator of a systems disruption.379 For example, one commenter noted that customer complaints are often ultimately determined to be the result of system errors or discrepancies on the customer’s end, and stated that requiring an SCI entity to treat these complaints as significant systems disruptions simply because they are made would impose an unnecessary burden on the SCI entity.380

Definition of “Systems Disruption” as Adopted

After careful consideration of the views of commenters, the Commission is removing the seven specific types of systems malfunctions that were proposed to define systems disruption. As adopted, “systems disruption” is defined in Rule 1000 to mean “an event in an SCI entity’s SCI systems that disrupts, or significantly degrades, the normal operation of an SCI system.” The Commission has considered commenters’ suggestions and feedback with respect to the proposed definition, including the criticisms of various aspects of the seven specific types of systems malfunctions delineated in the SCI Proposal and believes that the adopted definition, which largely follows the definition suggested by a commenter, is appropriate.381 Specifically, this commenter recommended that the definition of systems disruption be revised to have two elements: (1) Disruptions of either the SCI systems or of the operations of the SCI entity that have the effect of disrupting the delivery of the SCI service provided by those systems; and (2) degradations of SCI systems processing creating backups or delays of such a degree and duration that the delivery of service is effectively disrupted or unusable by the market participants who use the systems.382

The Commission agrees with commenters that the proposed definition of systems disruption had the potential to be both over-inclusive and under-inclusive. The Commission believes that the adopted definition appropriately represents a change in focus of the definition from the prescriptive seven prongs in the SCI Proposal’s definition that represented the effects caused by a disruption of an SCI entity’s systems to, instead, whether a system is halted or degraded in a manner that is outside of its normal operation. The Commission believes the revised definition sets forth a standard that SCI entities can apply in a wide variety of circumstances to determine in their discretion whether a systems issue should be appropriately categorized as a systems disruption. Further, because the adopted definition of systems disruption takes into account whether a systems problem is outside of normal operations, the Commission also believes that partly addresses the concerns of the commenters suggesting that the definition of systems disruption include a materiality qualifier.383

Because the Commission agrees with commenters regarding the difficulties of the proposed definition of “systems disruption,” it is not including any of the specific types of systems malfunctions in the adopted definition of “systems disruption.” Thus, the Commission believes SCI entities would likely find it helpful to establish parameters that can aid them and their staff in determining what constitutes the “normal operation” 384 of each of its SCI systems, and when such “normal operation” has been disrupted or significantly degraded because those parameters have been exceeded.

372 See Lauer Letter at 5.
373 See, e.g., BATS Letter at 10; DTCC Letter at 7; SIFMA Letter at 10; Omgeo Letter at 10; and Joint SROs Letter at 6.
374 See, e.g., BATS Letter at 10–11; DTCC Letter at 7; Omgeo Letter at 10; and OCC Letter at 8.
375 See NYSE Letter at 14.
376 See Proposing Release, supra note 13, at 18102.
377 See Omgeo Letter at 9.
378 See Proposing Release, supra note 13, at 18102.
379 See, e.g., DTCC Letter at 7; Omgeo Letter at 10; BATS Letter at 11; NYSE Letter at 14; and OCC Letter at 8.
380 See Omgeo Letter at 10–11.
381 See id. at 11.
382 See supra note 353 and accompanying text.
The Commission agrees with commenters who noted that, given its voluntary nature, entities that participate in the ARP Inspection Program are afforded a certain degree of flexibility and discretion in reporting systems outages, and agrees that, given its proposed application to a mandatory rule, the proposed definition limited the flexibility and discretion of SCI entities in a manner that was overly rigid.385 Although the specific types of systems malfunctions have been removed from the adopted definition of systems disruption, the Commission nonetheless continues to believe, as suggested by one commenter,386 that the types of systems malfunctions that comprised the proposed definition may be useful to SCI entities to consider as indicia of a systems disruption. As discussed in the SCI Proposal 387 and by certain commenters,388 the seven categories of malfunctions in the proposed definition of “systems disruption” have their origin in ARP staff guidance regarding when ARP participants should notify the Commission of system outages and represent practical examples that SCI entities should consider to be systems disruptions in many circumstances.

The Commission notes that the revised definition is intended to address some commenters’ concerns with the particular elements of the definition of systems disruption as originally proposed. For example, under the modified definition, if an SCI system experiences an unplanned outage but fails over smoothly to its backup system such that there is no disruption or significant degradation of the normal operation of the system, the outage of the primary system would not constitute a systems disruption. On the other hand, an SCI entity may determine that, even when a primary system fails over smoothly to its backup system such that users are not impacted by the failover, operating from the backup system without additional redundancy would not constitute normal operation. In this case, the outage of the primary system would fall within the definition of systems disruption.

383 As discussed more fully below, an SCI entity’s assessment of the impact of an event meeting the definition of a systems disruption will affect whether it is subject to an immediate Commission notification obligation, or a recordkeeping and quarterly reporting obligation. See infra Section IV.B.3.c (discussing the exclusion of de minimis systems disruptions from immediate Commission notification requirements in Rule 1002(b)(5)).
384 The Commission notes that, for certain SCI systems, “normal operation” may include a certain degree of operational variability that would allow for a given amount of degradation of functionality (e.g., some data queuing or some slowing of response times) before the system’s operations reach the point of being “significantly degraded.” However, such variability parameters may be included as part of an SCI entity’s policies and procedures so that the SCI entity and its personnel would be aware of them before the occurrence of systems issues.
385 Commenters highlighted many examples where a rigid interpretation of the proposed definition had the potential to incorporate into the definition events that could be considered part of normal operation. See, e.g., supra notes 361, 364, 368, 369, 374, and 379 and accompanying text. As adopted, however, such events would not be captured by the definition of systems disruptions because an event that disrupts, or significantly degrades, the normal operation of an SCI system would not be considered the “normal operation” of such SCI system.
386 See supra note 354 and accompanying text.
Further, the Commission believes it would be appropriate for an SCI entity to take into account regularly scheduled outages or scheduled maintenance as part of “normal operations.” 389 In particular, a planned disruption to an SCI system that is a part of regularly scheduled outages or scheduled maintenance would not constitute a systems disruption or be subject to the requirements of Regulation SCI, if such regularly scheduled outages or scheduled maintenance are part of the SCI entity’s normal operations. With regard to data queuing, to the extent that such queuing is part of the normal functionality of a system and does not cause a disruption or significant degradation of normal operations, it would not be captured by the rule, which is limited to events occurring to an SCI system that are outside its normal operations.390

Additionally, by eliminating the seven types of malfunctions from the definition as proposed, the Commission has responded to commenters who expressed concern that events that are precursors to system disruptions, such as the queuing of data, would themselves be systems disruptions.391 Similarly, by eliminating the seven types of malfunctions, the Commission has addressed comments that called for the elimination of specific elements of the proposed definition, such as service level agreements.392 Further, the Commission agrees with commenters that customer complaints may be indicia of a systems issue,393 but that a customer complaint alone would not be determinative of whether a system problem has occurred that meets the definition of systems disruption under Regulation SCI.394

With respect to the commenters who stated that losses of transaction or clearance and settlement data that are immediately retrieved, promptly corrected, or, for clearance and settlement data, resolved prior to the close of the trading day should not be systems disruptions, the adopted definition would exclude these events if they do not disrupt or significantly degrade the normal operations of an SCI system.395 However, if loss of transaction or clearance and settlement data disrupts or significantly degrades the normal operation of an SCI system, it would constitute a systems disruption and be subject to the requirements of Regulation SCI (e.g., immediate or quarterly Commission notification, depending on the impact of the disruption).

Several commenters also suggested that testing errors or other disruptions in development and testing environments should be excluded from the definition of systems disruption.396 The Commission notes that, as discussed above, development and testing systems have been excluded from the definition of SCI systems, and thus such disruptions would not be subject to the requirements of Regulation SCI.397

The Commission is not incorporating a materiality threshold into the definition of systems disruption as requested by some commenters.398 Rather, as discussed below, the requirements of Regulation SCI are tiered in a manner that the Commission believes is responsive to commenters’ concerns regarding the breadth of the definition of systems disruption (while stopping short of including a materiality standard).399 In particular, the Commission believes that the adopted Commission notification and information dissemination requirements for SCI events (i.e., quarterly Commission reporting of de minimis systems disruptions, and an exception for de minimis systems disruptions from the information dissemination requirement) will help to focus the Commission’s and SCI entities’ resources on the more significant systems disruptions.

387 See Proposing Release, supra note 13, at 18101.
388 See supra note 353 and accompanying text.
389 See supra note 361 and accompanying text.
390 See supra notes 372–377 and accompanying text.
391 See supra note 377 and accompanying text.
392 See supra notes 355 and 358 and accompanying text.
393 The Commission agrees, as noted by some commenters, that in some instances, customer complaints may be the result of a problem at a system not operated by (or on behalf of) an applicable SCI entity, but rather a system operated by the customer itself. See supra note 380 and accompanying text.
394 See supra notes 379–380 and accompanying text.
395 See supra note 368. The Commission notes that for clearance and settlement systems, normal operations would include all steps necessary to effectuate timely and accurate end of day settlement. In response to the commenter who stated that the definition of systems disruption should be revised to include data that is altered or corrupted in some way, because the Commission has determined to eliminate the pronged approach to the definition of systems disruption, the Commission notes that, under the adopted definition, data that is altered or corrupted in some way may be a systems disruption if such altered or corrupted data disrupt or significantly degrade the affected SCI system’s normal operation. See supra note 369.
In addition, by not including a materiality threshold within the definition, SCI entities will be required to assess, take corrective action, and keep records of all systems disruptions, some of which may initially seem insignificant to an SCI entity, but which may later prove to be the cause of significant systems disruptions at the SCI entity. An SCI entity’s records of de minimis systems disruptions may also be useful to the Commission in that they may, for example, aid the Commission in identifying patterns of de minimis systems disruptions that together might result in a more impactful SCI event, either at an SCI entity or across a group of SCI entities, or circumstances in which a systems disruption causes de minimis systems issues for one particular SCI entity but results in significant issues for another SCI entity. The Commission also believes that the ability to view de minimis SCI events in the aggregate and across multiple SCI entities is important to the Commission and its staff to be able to gather information about trends related to such systems disruptions that could not otherwise be properly discerned.

396 See supra notes 361–363 and accompanying text.
397 See supra Section IV.A.2.b (discussing the definition of “SCI systems”).
398 See supra note 347 and accompanying text.
399 See Rule 1002(b)(5) and infra Section IV.B.3.c (discussing the Commission notification requirement for SCI events and requiring a quarterly summary report for de minimis systems disruptions). See also Rule 1002(c)(4) and infra Section IV.B.3.d (discussing information dissemination requirement for certain SCI events, but excluding de minimis systems disruptions).
Information about trends will assist the Commission in fulfilling its oversight role by keeping Commission staff informed about the nature and frequency of the types of de minimis systems disruptions that SCI entities encounter. Moreover, information about trends can also inform the Commission of areas of potential weaknesses, or persistent or recurring problems, across SCI entities and also should help the Commission better focus on common types of systems disruptions with certain types of SCI systems across SCI entities. This information also would permit the Commission and its staff to issue industry alerts or guidance if appropriate. In addition, this information would allow the Commission and its staff to review SCI entities’ classification of events as de minimis systems disruptions. Moreover, the Commission believes that, even without adopting a materiality threshold, the adopted definition of SCI systems further focuses the scope of the definition of systems disruption.400

The Commission also believes that it is unnecessary to modify the definition of systems disruption specifically to encompass disruptions originating from a third party, as one commenter suggested.401 The definition of systems disruption does not limit such events with respect to the source of the disruption, whether an internal source at the SCI entity or an external third party source.

b. Systems Compliance Issue

Proposed Rule 1000(a) would have defined the term ‘‘systems compliance issue’’ as ‘‘an event at an SCI entity that has caused any SCI system of such entity to operate in a manner that does not comply with the federal securities laws and rules and regulations thereunder or the entity’s rules or governing documents, as applicable.’’ 402 The Commission is adopting the definition of systems compliance issue substantially as proposed, with modifications to refine its scope.

Two commenters stated that the term ‘‘systems compliance issue’’ should be deleted from the definition of SCI event entirely.403 One of these commenters stated that the inclusion of systems compliance issue as an SCI event would be a departure from the ARP Inspection Program and ARP Policy Statements.404 The other commenter argued that any report regarding a systems compliance issue is an admission that the SCI entity has violated a law, rule, or one of its governing documents, creating a risk of an enforcement action or other liability for the SCI entity.405 Other commenters stated that the proposed definition is too broad and should be refined to include only those issues that are material or significant.406 Commenters’ specific recommendations included limiting the definition to those systems compliance issues that: have a material and significant effect on members; 407 can be reasonably expected to result in significant harm or loss to market participants or impact the operation of a fair and orderly market; 408 or have a materially negative impact on the SCI entity’s ability to perform its core functions.409 One commenter also noted that the term should be specifically defined to take account of an SCI entity’s function, such as clearing agencies’ ability to comply with Section 17A.410

After considering the view of commenters that the proposed definition of systems compliance issue is too broad,411 the Commission is revising the definition to mean an event that has caused an SCI system to operate ‘‘in a manner that does not comply with the Act’’ and the rules and regulations thereunder and the entity’s rules and governing documents, as applicable.412 The Commission believes the refinement from ‘‘federal securities laws’’ to ‘‘the Act’’ (i.e., the Securities Exchange Act of 1934) will appropriately focus the definition on Exchange Act compliance rather than other areas of the federal securities laws.

400 See supra Sections IV.A.2.b (discussing the definition of ‘‘SCI systems’’).
401 See supra note 345.
402 See proposed Rule 1000(a) and Proposing Release, supra note 13, at Section III.B.3.b.
403 See Omgeo Letter at 13; and NYSE Letter at 16.
404 See Omgeo Letter at 14.
405 See NYSE Letter at 16.
406 See, e.g., Joint SROs Letter at 2, 8; ISE Letter at 6; SIFMA Letter at 13; Liquidnet Letter at 3; CME Letter at 8; DTCC Letter at 6; OCC Letter at 13; and FINRA Letter at 17 (stating that systems compliance issues should be reportable only if they would directly impact the market or a member firm’s ability to comply with FINRA rules). See also BATS Letter at 13.
407 See ISE Letter at 6–7.
408 See Liquidnet Letter at 3; and CME Letter at 8. See also FINRA Letter at 17.
409 See DTCC Letter at 6; and OCC Letter at 13.
410 See DTCC Letter at 6. See also infra Sections IV.B.3.c and IV.B.3.d (discussing comments with respect to systems compliance issues and their relation to Commission notification and information dissemination to members or participants).
411 See supra note 406 and accompanying text.
412 As noted above, proposed Rule 1000 defined systems compliance issue as an event at an SCI entity that has caused any SCI system of such entity to operate ‘‘in a manner that does not comply with the federal securities laws’’ and rules and regulations thereunder or the entity’s rules and governing documents, as applicable.
Although the Commission did not receive specific comment suggesting that it amend the definition of systems compliance issue by using the term ‘‘the Act’’ instead of the broader ‘‘federal securities laws,’’ commenters did suggest that the Commission limit the scope of the definition to only apply to those sections of the Act that are applicable to a particular SCI entity 413 or the SCI entity’s rules.414 The Commission agrees with these commenters insofar as they advocated for focusing the scope to a more specific set of securities laws and for reducing the burden on SCI entities, and further believes this refinement does not compromise the objective of the definition, which is to capture systems compliance issues with respect to SCI entities’ obligations under the Exchange Act. The Commission believes that the refinement provides additional clarity to SCI entities that, for purposes of Regulation SCI, their obligations are with respect to compliance with the Exchange Act and the rules and regulations thereunder and the entity’s rules and governing documents.415

The Commission disagrees with commenters who suggested removing systems compliance issues from the definition of SCI event altogether.416 Although systems compliance issues have not been within the scope of the ARP Inspection Program,417 the Commission believes that inclusion of systems compliance issues in the definition of SCI event and the resulting applicability of the Commission reporting, information dissemination, and recordkeeping requirements to systems compliance issues is important to help ensure that SCI systems are operated by SCI entities in compliance with the Exchange Act, rules thereunder, and their own rules and governing documents.

413 See supra note 410 and accompanying text.
414 See supra note 406 and accompanying text.
415 Notwithstanding this provision’s focus on compliance with the Exchange Act and the rules and regulations thereunder and the entity’s rules and governing documents, the Commission notes that its objective in adopting Regulation SCI is not, for example, to change the obligations of SCI entities that are public companies with respect to their disclosure obligations under the Securities Act of 1933. See 15 U.S.C. 77a et seq.
416 See supra notes 403–405 and accompanying text.
417 See supra note 404 and accompanying text. See also Proposing Release, supra note 13, at 18087.

In addition, the Commission is not adopting a materiality qualifier 418 or other limiting threshold 419 in the definition of systems compliance issue as suggested by some commenters. Instead, the requirements of Regulation SCI are tiered in a manner that the Commission believes is responsive to commenters’ concerns regarding the breadth of the definition of systems compliance issue.420 In particular, the Commission believes that the adopted Commission notification requirement and the information dissemination requirement (each of which provides an exception for systems compliance issues that have no or de minimis impacts on an SCI entity’s operations or market participants) will help to focus the Commission’s and SCI entities’ resources on those systems compliance issues with more significant impacts. In addition, by not including a materiality threshold within the definition, SCI entities will be required to assess, take corrective action, and keep records of all systems compliance issues, some of which may initially seem to have little or no impact, but which may later prove to be the cause of significant systems compliance issues at the SCI entity.
The Commission notes that all SCI entities are required to comply with the Exchange Act, the rules and regulations thereunder, and their own rules, as applicable. Therefore, even if an SCI entity determines that a systems compliance issue has no or a de minimis impact, the Commission believes that it is important that it have ready access to records regarding such de minimis systems compliance issues to allow it to more effectively oversee SCI entities’ compliance with the Exchange Act and relevant rules. An SCI entity’s records of de minimis systems compliance issues may also be useful to the Commission in that they may, for example, aid the Commission in identifying areas of potential weaknesses, or persistent or recurring problems, at an SCI entity or across multiple SCI entities. This information also would permit the Commission and its staff to issue industry alerts or guidance if appropriate. In addition, this information would allow the Commission and its staff to review SCI entities’ classification of events as de minimis systems compliance issues. Finally, the Commission believes that, even without adopting a materiality threshold, the adopted definition of SCI systems, as described in Section IV.A.2 above, further focuses the scope of the definition of systems compliance issue.

418 See supra notes 406–407 and 409 and accompanying text.
419 See supra note 408.
420 See Rule 1002(b)(5) and infra Section IV.B.3.c (discussing the Commission notification requirement for SCI events and the exclusion for de minimis systems compliance issues). See also Rule 1002(c)(4) and infra Section IV.B.3.d (discussing the information dissemination requirement for certain SCI events, but excluding de minimis systems compliance issues).
With respect to a commenter’s concern that any report regarding a systems compliance issue would be an admission of a violation and thus create a risk of enforcement action or other liability,421 the Commission notes that the Commission notification requirement is not triggered until a responsible SCI personnel has a reasonable basis to conclude that a systems compliance issue has occurred.422 The Commission acknowledges that it could consider the information provided to the Commission in determining whether to initiate an enforcement action. However, the Commission notes that the occurrence of a systems compliance issue also does not necessarily mean that the SCI entity will be subject to an enforcement action. Rather, the Commission will exercise its discretion to initiate an enforcement action if the Commission determines that action is warranted, based on the particular facts and circumstances of an individual situation.423 With respect to the potential for other types of liability as suggested by this commenter, many entities that fall within the definition of SCI entity already currently disclose to the Commission and their members or participants certain information regarding systems issues, including issues that may potentially give rise to liability.424 Moreover, the Commission recognizes that compliance with Regulation SCI will increase the amount of information about SCI events available to the Commission and SCI entities’ members and participants, and that the greater availability of this information has some potential to increase litigation risks for SCI entities, including the risk of private civil litigation. The Commission believes that the value of disclosure to the Commission, market participants and investors justifies the potential increase in litigation risk. Moreover, the Commission notes that, to the extent members and participants or the public suffer damages when SCI events occur, SCI entities are already subject to litigation risk.

As adopted, Rule 1000 defines ‘‘systems compliance issue’’ as ‘‘an event at an SCI entity that has caused any SCI system of such entity to operate in a manner that does not comply with the Act and the rules and regulations thereunder or the entity’s rules or governing documents, as applicable.’’ As noted in the SCI Proposal, a systems compliance issue could, for example, occur when a change to an SCI system is made by information technology staff, without the knowledge or input of regulatory staff, that results in the system operating in a manner that does not comply with the Act and rules thereunder or the entity’s rules and other governing documents.425 For an SCI SRO, systems compliance issues would include SCI systems operating in a manner that does not comply with the SCI SRO’s rules as defined in the Act and the rules thereunder.426 For a plan processor, systems compliance issue would include SCI systems operating in a manner that does not comply with an applicable effective national market system plan. For an SCI ATS or exempt clearing agency subject to ARP, a systems compliance issue would include SCI systems operating in a manner that does not comply with documents such as subscriber agreements and any rules provided to subscribers and users and, for an ATS, described in its Form ATS filings with the Commission.427

421 See supra note 405 and accompanying text.
422 See supra Section IV.B.3.a (discussing the triggering standard).
423 See, e.g., infra notes 626–628 and accompanying text.
424 See supra Section II.B (discussing recent events related to systems issues).
425 See Proposing Release, supra note 13, at 18103.
426 The rules of an SCI SRO include, among other things, its constitution, articles of incorporation, and bylaws. See 15 U.S.C. 78c(a)(27)–(28). See also 17 CFR 240.19b–4(c).
427 Subscriber agreements and other similar documents that govern operations of SCI ATSs and exempt clearing agencies subject to ARP are generally not publicly available, but are typically provided to subscribers and users of such entities. See 17 CFR 242.301(b) for a description of the filing requirements for ATSs.

c. Systems Intrusion

Proposed Rule 1000(a) defined ‘‘systems intrusion’’ as ‘‘any unauthorized entry into the SCI systems or SCI security systems of an SCI entity.’’ 428 The proposed definition is being adopted as proposed, with one technical modification to replace the term ‘‘SCI security systems’’ with ‘‘indirect SCI systems.’’ 429

While one commenter noted its general support for the inclusion of systems intrusions within the scope of Regulation SCI,430 this commenter and others stated that the proposed definition was too broad or vague.431 Several commenters asserted that the proposed definition would capture too many insignificant and minor incidents.432 Some commenters recommended limiting the definition to material systems intrusions, and offered various suggestions for how to do so.433 One commenter stated that the proposed definition was overbroad because it would include both intentional and unintentional conduct, as well as events that have no adverse impact.434 Another commenter also stated that the definition should be modified to make clear that an intrusion that is inadvertent would not qualify as a systems intrusion.435 This commenter further stated that a systems intrusion should be limited to unauthorized access to confidential information or to the SCI systems of an SCI entity that materially disrupts the operations of such systems.436 Another commenter suggested that the definition focus on the unauthorized control of the confidentiality, integrity, or availability of an SCI system and/or its data.437

Some commenters noted that the proposed definition of systems intrusion did not take into account the multi-layered nature of today’s technology systems. Two commenters stated that the multi-layered protections of systems architecture are designed to anticipate intrusions into the outer layer without material risk or impact, thus intrusions into such a peripheral system should not constitute a systems intrusion under the rule.438 Several commenters stated that only successful systems intrusions should be covered in the definition.439 One commenter suggested that this concept be made explicit in the rule text by adding the term ‘‘successful’’ to the definition.440 Two commenters, while supporting the inclusion of only successful systems intrusions in the definition, pointed out the value of sharing information regarding unsuccessful systems intrusions, stating that this practice already occurs today among SCI entities, their regulators, and appropriate law enforcement agencies.441

As adopted, Rule 1000 defines ‘‘systems intrusion’’ to mean ‘‘any unauthorized entry into the SCI systems or indirect SCI systems of an SCI entity.’’ This definition is intended to cover any unauthorized entry into SCI systems or indirect SCI systems, regardless of the identity of the person committing the intrusion (whether they are outsiders, employees, or agents of the SCI entity), and regardless of whether or not the intrusion was part of a cyber attack, potential criminal activity, or other unauthorized attempt to retrieve, manipulate, or destroy data, or access or disrupt systems of SCI entities. Thus, for example, this definition is intended to cover the introduction of malware or other attempts to disrupt SCI systems or indirect SCI systems provided that such systems were actually breached. In addition, the definition is intended to cover unauthorized access, whether intentional or inadvertent, by employees or agents of the SCI entity that resulted from weaknesses in the SCI entity’s access controls and/or procedures.

428 See proposed Rule 1000(a) and Proposing Release, supra note 13, at Section III.B.3.c.
429 See supra Section IV.A.2.d (discussing the definition of ‘‘indirect SCI systems’’).
430 See NYSE Letter at 15.
431 See, e.g., NYSE Letter at 15; BATS Letter at 12; DTCC Letter at 7; Omgeo Letter at 11; SIFMA Letter at 10–11; and Joint SROs Letter at 7.
432 See, e.g., BATS Letter at 12; DTCC Letter at 7; Omgeo Letter at 11; SIFMA Letter at 10–11; and Joint SROs Letter at 7.
433 See, e.g., NYSE Letter at 15 (recommending that the definition include only major intrusions that pose a plausible risk to the trading, routing, or clearance and settlement operations of the exchange or to required market data transmission); Omgeo Letter at 11–12 (expressing concern that the definition did not contain a reference to the materiality of an intrusion, nor the intrusion’s impact on markets or market participants); DTCC Letter at 7 (suggesting that the definition capture only unauthorized entries where the SCI entity has reason to believe such entry could materially impact its ability to perform its core functions or critical operations); Joint SROs Letter at 7 (stating that the definition should include only those intrusions that the SCI entity reasonably estimated would result in significant harm or loss to market participants); FINRA Letter at 18 (arguing that only intrusions that have a material impact on the SCI system or a direct impact on the market or market participants should be included); and OCC Letter at 13 (suggesting, as an alternative to a ‘‘risk-based’’ approach, that the definition be limited to any unauthorized entry into the SCI systems or SCI security systems of an SCI entity, which the SCI entity reasonably believes may materially impact its ability to perform its core functions or critical operations).
434 See, e.g., BATS Letter at 12.
435 See SIFMA Letter at 11.
436 See id.
437 See NYSE Letter at 15.
In response to comments, the Commission emphasizes that the definition of systems intrusion does not include unsuccessful attempts at unauthorized entry because an unsuccessful systems intrusion is much less likely to disrupt the systems of an SCI entity than a successful intrusion. The Commission believes that it is unnecessary and redundant to specifically state in the definition of systems intrusion that unauthorized entries must be ‘‘successful’’ because the term ‘‘entry’’ incorporates the concept of successfully gaining access to an SCI system or indirect SCI system. Further, the Commission is not incorporating a materiality threshold for the definition of systems intrusion or otherwise limiting the definition of systems intrusion to only those systems intrusions that are major or significant as requested by some commenters. The Commission believes that, even without adopting a materiality threshold, the adopted definitions of SCI systems and indirect SCI systems further focus the scope of the definition of systems intrusion. Further, because any unauthorized entry into an SCI system or indirect SCI system is a security breach of which the Commission, having responsibility for oversight of the U.S. securities markets, should be notified, the Commission is not including a materiality threshold. In addition, as discussed below, the requirements of Regulation SCI are tiered in a manner that the Commission believes is responsive to commenters’ concerns regarding the breadth of the definition of systems intrusion.442 By not including a materiality threshold within the definition, SCI entities will be required to assess, take corrective action, and keep records of all systems intrusions, some of which may initially seem insignificant to an SCI entity, but which may later prove to be the cause of significant systems issues at the SCI entity. 
An SCI entity’s records of de minimis systems intrusions may also be useful to the Commission in that they may, for example, aid the Commission in identifying patterns of de minimis systems intrusions that together might result in a more impactful SCI event, either at an SCI entity or across a group of SCI entities, or circumstances in which a systems intrusion causes de minimis systems issues for one particular SCI entity but results in significant issues for another SCI entity. The Commission also believes that the ability to view de minimis systems intrusions in the aggregate and across multiple SCI entities is important to allow the Commission and its staff to be able to gather information about trends related to such systems intrusions that could not otherwise be properly discerned. Information about trends will assist the Commission in fulfilling its oversight role by keeping Commission staff informed about the nature and frequency of the types of de minimis systems intrusions that SCI entities encounter.

438 See SIFMA Letter at 11; and Omgeo Letter at 12. The Commission discusses below the comments that advocated greater Commission use of FS–ISAC for reporting systems intrusions.
439 See BIDS Letter at 17; SIFMA Letter at 11; NYSE Letter at 15; DTCC Letter at 8.
440 See NYSE Letter at 15.
441 See BIDS Letter at 17; and DTCC Letter at 8.
442 See Rule 1002(b)(5) and infra Section IV.B.3.c (discussing the Commission notification requirement for SCI events and requiring a quarterly summary report for de minimis systems intrusions). See also Rule 1002(c)(4) and infra Section IV.B.3.d (discussing information dissemination requirement for certain SCI events, but excluding de minimis systems intrusions).
Moreover, information about trends and notifications of de minimis systems intrusions generally can also inform the Commission of areas of potential weaknesses, or persistent or recurring problems, across SCI entities and also should help the Commission better focus on common types of systems intrusions or issues with certain types of SCI systems across SCI entities. This information also would permit the Commission and its staff to issue industry alerts or guidance if appropriate. In addition, this information would allow the Commission and its staff to review SCI entities’ classification of events as de minimis systems intrusions.

The Commission also is not distinguishing between intentional and unintentional systems intrusions, as suggested by some commenters.443 The Commission acknowledges that intentional systems intrusions may result in more severe disruptions to the systems of an SCI entity than unintentional or inadvertent intrusions. On the other hand, the Commission believes that it should be notified of successful unintentional or inadvertent systems intrusions because they can still indicate weaknesses in a system’s security controls. To the extent that these systems intrusions have no or a de minimis impact on the SCI entity’s operations or on market participants, they will only be subject to a quarterly reporting requirement and will be excepted from the information dissemination requirement.444

Additionally, the Commission does not agree that the definition of systems intrusion should be limited to unauthorized access to confidential information 445 or should be focused on the unauthorized control of the confidentiality, integrity, or availability of an SCI system and/or its data 446 because the Commission believes that these modifications would create a definition that would limit the Commission’s ability to be aware of events that fall outside the limited definition that commenters suggested but that could, for example, have industry-wide implications. Similarly, with respect to the comment that intrusions into a peripheral system should not constitute a systems intrusion because the multi-layered protections of systems architecture are designed to anticipate intrusions into the outer layer and help prevent material risk or impact,447 the Commission believes that its discussion of indirect SCI systems in Section IV.A.2.d above responds to commenters’ concerns by explaining that systems intrusions into an indirect SCI system could cause or increase the likelihood of an SCI event with respect to an SCI system. And to the extent a system intrusion occurs with respect to an SCI system or indirect SCI system but the SCI entity’s multi-layered systems architecture helps prevent material risk or impact, the Commission notes that de minimis systems intrusions (if such a system intrusion was determined to be de minimis) would be subject to less frequent Commission reporting requirements and would not be subject to the information dissemination requirements.

443 See supra notes 434–435 and accompanying text.
444 See Rule 1002(b)(5) and infra Section IV.B.3.c (discussing the Commission notification requirement for SCI events and requiring a quarterly summary report for de minimis systems intrusions). See Rule 1002(c)(4), and infra Sections IV.B.3.d (discussing the information dissemination requirements for certain SCI events, but excluding de minimis systems intrusions).
445 See supra note 436 and accompanying text.
446 See supra note 437 and accompanying text.

B. Obligations of SCI Entities—Rules 1001–1004

Proposed Rules 1000(b)(1)–(9) are renumbered as adopted Rules 1001–1004.
Adopted Rule 1001 corresponds to proposed Rules 1000(b)(1)–(2) and contains the policies and procedures requirements for SCI entities with respect to operational capability and the maintenance of fair and orderly markets (Rule 1001(a)), systems compliance (Rule 1001(b)), and identification and designation of responsible SCI personnel and escalation procedures (Rule 1001(c)).448 Adopted Rule 1002 corresponds to proposed Rules 1000(b)(3)–(5) and contains the obligations of SCI entities with respect to SCI events, which include corrective action, Commission notification, and information dissemination. Adopted Rule 1003 corresponds to proposed Rules 1000(b)(6)–(8) and contains requirements relating to material systems changes and SCI reviews. Finally, adopted Rule 1004 corresponds to proposed Rule 1000(b)(9) and contains requirements relating to business continuity and disaster recovery plan testing, including requiring participation of designated members or participants of SCI entities in such testing.

447 See supra note 438 and accompanying text.
448 The discussion of Rule 1001(c), which relates to the triggering standard for Rule 1002, is discussed below in Section IV.B.3.a.

1. Policies and Procedures To Achieve Capacity, Integrity, Resiliency, Availability and Security—Rule 1001(a)

a. Proposed Rule 1000(b)(1)

Proposed Rule 1000(b)(1) would have required an SCI entity to: (1) Establish, maintain, and enforce written policies and procedures reasonably designed to ensure that its SCI systems and, for purposes of security standards, SCI security systems, have levels of capacity, integrity, resiliency, availability, and security, adequate to maintain the SCI entity’s operational capability and promote the maintenance of fair and orderly markets; and (2) include certain required elements in such policies and procedures.
As proposed, these policies and procedures were required to provide for: (A) The establishment of reasonable current and future capacity planning estimates; (B) periodic capacity stress tests of systems to determine their ability to process transactions in an accurate, timely, and efficient manner; (C) a program to review and keep current systems development and testing methodology; (D) regular reviews and testing of systems, including backup systems, to identify vulnerabilities pertaining to internal and external threats, physical hazards, and natural or manmade disasters; (E) business continuity and disaster recovery plans that include maintaining backup and recovery capabilities sufficiently resilient and geographically diverse to ensure next business day resumption of trading and two-hour resumption of clearance and settlement services following a widescale disruption; and (F) standards that result in systems being designed, developed, tested, maintained, operated, and surveilled in a manner that facilitates the successful collection, processing, and dissemination of market data. Proposed Rule 1000(b)(1)(i) also provided that an SCI entity’s applicable policies and procedures would be deemed to be reasonably designed if they were consistent with ‘‘current SCI industry standards.’’ Proposed Rule 1000(b)(1)(ii) provided that ‘‘current SCI industry standards’’ were to be comprised of ‘‘information technology practices that are widely available for free to information technology professionals in the financial sector . . . and issued by an authoritative body that is a U.S. governmental entity or agency, association of U.S. governmental entities or agencies, or widely recognized organization.’’ 449 The SCI Proposal also included, on ‘‘Table A,’’ a list of publications that the Commission had preliminarily identified as examples of current SCI industry standards in each of nine information security domains.450 The SCI Proposal stated that an SCI entity, taking into account its nature, size, technology, business model, and other aspects of its business, could, but would not be required to, use the publications listed on Table A to establish, maintain, and enforce reasonably designed policies and procedures that satisfy the requirements of proposed Rule 1000(b)(1).451 The SCI Proposal also stated that ‘‘current SCI industry standards’’ were not limited to those identified in the publications on Table A and could include other publications meeting the proposed criteria for ‘‘current SCI industry standards.’’ 452 In addition, proposed Rule 1000(b)(1)(ii) stated that compliance with ‘‘current SCI industry standards’’ would not be the exclusive means to comply with the requirements of proposed Rule 1000(b)(1).453

449 See Proposing Release, supra note 13, at 18178.
450 The domains covered in Table A of the SCI Proposal are: application controls; capacity planning; computer operations and production environment controls; contingency planning; information security and networking; audit; outsourcing; physical security; and systems development methodology. See id. at 18111.
451 See id. at 18110.
452 See id. at 18110 (stating that an SCI entity could elect standards contained in publications other than those identified on proposed Table A to comply with the rule).
453 See id. at 18109.

b. Comments Received on Proposed Rule 1000(b)(1) and Commission Response

i. Policies and Procedures Generally—Rules 1001(a)(1) and (3)

The Commission received a wide range of comments on proposed Rule 1000(b)(1). With respect to policies and procedures generally, some commenters believed the proposal was too prescriptive.454 Several characterized it as a ‘‘one-size-fits-all’’ approach that did not adequately take into account differences between SCI entities and SCI entity systems.455 Several commenters objecting to the rule as too prescriptive urged that the adopted rule incorporate a risk-based framework, so that SCI entities and/or systems of greater criticality would be required to adhere to a stricter set of policies and procedures than SCI entities and/or systems of lesser criticality.456 These commenters maintained that each SCI entity should have discretion to calibrate its policies and procedures based on its own assessment of the criticality of the SCI entity and its systems to market stability, or that the Commission should ‘‘tier’’ the obligations of SCI entities or SCI entity systems based on their market function.457

454 See, e.g., Angel Letter at 2, 8; BIDS Letter at 7; FIF Letter at 3–4; Joint SROs Letter at 4; LiquidPoint Letter at 3–4; MFA Letter at 3; and SIFMA Letter at 12–13.
455 See, e.g., FIF Letter at 3–4; FINRA Letter at 31; Joint SROs Letter at 4; KCG Letter at 2–3, 6–8; Liquidpoint Letter at 3–4; MFA Letter at 3; OCC Letter at 3–4; SIFMA Letter at 12–13; UBS Letter at 2–4; Tellefsen Letter at 13; and BIDS Letter at 2–3, 6–9.

In contrast, some commenters stated that the Commission’s proposed approach was too vague or insufficient.458 For example, one commenter characterized the minimum elements of policies and procedures in proposed Rule 1000(b)(1)(A)–(F) as ‘‘so vague that they will fail to provide any meaningful improvement in technological systems.’’ 459 Another commenter stated that the proposed scope of required policies and procedures was
appropriate, but that further elaboration on the details was warranted.460 One commenter stated that the proposed rule lacked adequate discussion of what it means for policies and procedures to be reasonably designed ‘‘to maintain . . . operational capability and promote the maintenance of fair and orderly markets.’’ 461

456 See, e.g., Joint SROs Letter at 4; LiquidPoint Letter at 3; MFA Letter at 3; and SIFMA Letter at 8, 12–13. See also FIF Letter at 4; MSRB Letter at 3; Fidelity Letter at 2; NYSE Letter at 3, 4, 21; FINRA Letter at 13–14; and OCC Letter at 3.
457 See, e.g., Joint SROs Letter at 4; FINRA Letter at 13–14; MSRB Letter at 3; MFA Letter at 6; NYSE Letter at 3, 4, and 21; SIFMA Letter at 12–13; FIF Letter at 4; Fidelity Letter at 2; and OCC Letter at 3.
458 See Better Markets Letter at 3–5; CAST Letter at 4; CISQ Letter at 2, 5; CISQ2 Letter at 5; and Direct Edge Letter at 4.
459 See Better Markets Letter at 3.
460 See CISQ Letter at 2.
461 See Direct Edge Letter at 4.

The Commission has carefully considered the views of commenters on its proposed policies and procedures approach to ensuring adequate capacity, integrity, resiliency, availability, and security of SCI systems (and security for indirect SCI systems). The Commission agrees with commenters who stated that requiring SCI entities to have policies and procedures relating to the capacity, integrity, resiliency, availability, and security of SCI systems (and security for indirect SCI systems) should not be a ‘‘one-size-fits-all’’ approach and, as discussed in detail below, is therefore clarifying that the adopted rule is consistent with a risk-based approach, as it allows an SCI entity’s policies and procedures to be tailored to a particular system’s criticality and risk. As noted above, while some commenters characterized the proposed rule as too vague and sought further specificity, others found the rule to be too prescriptive.
The Commission believes that the adopted rule provides an appropriate balance between these two opposing concerns by providing a framework that identifies the minimum areas that are required to be addressed by an SCI entity’s policies and procedures without prescribing the specific policies and procedures that an SCI entity must follow, or detailing how each element in Rule 1001(a)(2) should be addressed. Given the various types of systems at SCI entities, each of which represents a different level of criticality and risk to each SCI entity and to the securities markets more broadly, the adopted rule seeks to provide flexibility to SCI entities to design their policies and procedures consistent with a risk-based approach, as discussed in further detail below. At the same time, because the Commission believes that additional guidance on how an SCI entity may comply with the rule is warranted in certain areas, the Commission is providing further guidance below. In response to comment, the Commission is adopting Rule 1001(a) with modifications that it believes will better provide SCI entities with sufficient flexibility to develop their policies and procedures to achieve robust systems, while also providing guidance on how an SCI entity may comply with the final rule.
Specifically, adopted Rule 1001(a) is modified to: (i) Clarify that the rule is consistent with a risk-based approach that requires more robust policies and procedures for higher-risk systems and provides an SCI entity with flexibility to tailor its policies and procedures to the nature of its business, technology, and the relative criticality of each of its SCI systems; (ii) make clear that an SCI entity’s reasonable policies and procedures remain subject to ongoing self-assessment; (iii) provide increased flexibility in the manner in which an SCI entity may satisfy the minimum elements of required policies and procedures; and (iv) revise the criteria for ‘‘current SCI industry standards.’’ In addition, proposed Table A is recharacterized and will be issued as staff guidance that will evolve over time.

Response to Commenters Advocating a Risk-Based Approach

Adopted Rule 1001(a)(1) requires each SCI entity to establish, maintain, and enforce written policies and procedures reasonably designed to ensure that its SCI systems and, for purposes of security standards, indirect SCI systems, have levels of capacity, integrity, resiliency, availability, and security, adequate to maintain the SCI entity’s operational capability and promote the maintenance of fair and orderly markets. The text of this part of the rule is largely unchanged from the proposal. Although several commenters expressed concern that the proposed rule would have imposed a ‘‘one-size-fits-all’’ approach, requiring all SCI entities to hold all of their SCI systems to the same standards,462 this was not the intent of proposed Rule 1000(b)(1), nor is it what adopted Rule 1001(a)(1) requires.
By requiring an SCI entity to have policies and procedures ‘‘reasonably designed’’ and ‘‘adequate’’ to maintain operational capability and promote the maintenance of fair and orderly markets, the adopted rule provides an SCI entity with flexibility to determine how to tailor its policies and procedures to the nature of its business, technology, and the relative criticality of each of its SCI systems.463 Although the adopted rule does not assign differing obligations to an SCI entity based on its registration status, or its general market function, as some commenters urged, by allowing each SCI entity to tailor its policies and procedures accordingly, the adopted approach recognizes that there are differences between, and varying roles played by, different systems at various SCI entities. In tandem with the refined definition of ‘‘SCI systems,’’ the modified definition of ‘‘SCI security systems’’ (adopted as ‘‘indirect SCI systems’’), and the new definition of ‘‘critical SCI systems,’’ 464 adopted Rule 1001(a)(1) explicitly recognizes that policies and procedures that are ‘‘reasonably designed’’ and ‘‘adequate’’ to maintain operational capability and promote the maintenance of fair and orderly markets for critical SCI systems may differ from those that are ‘‘reasonably designed’’ and ‘‘adequate’’ to maintain operational capability and promote the maintenance of fair and orderly markets for other SCI systems, or indirect SCI systems. As such, the Commission believes that its adopted approach in Regulation SCI is consistent with a risk-based approach, and that adopted Regulation SCI may result in the systems of certain SCI entities (for example, those that have few or no critical SCI systems) generally being subject to less stringent policies and procedures than the systems of other SCI entities. Thus, a risk assessment is appropriate for an SCI entity to determine how to tailor its policies and procedures for its SCI systems and indirect SCI systems.

462 See supra note 455 and accompanying text.
463 See Proposing Release, supra note 13, at 18109 (stating: ‘‘The Commission intends to . . . provide SCI entities sufficient flexibility, based on the nature, size, technology, business model, and other aspects of their business, to identify appropriate policies and procedures that would meet the articulated standard, namely that they be reasonably designed to ensure that their systems have levels of capacity, integrity, resiliency, availability, and security adequate to maintain the SCI entity’s operational capability and promote the maintenance of fair and orderly markets.’’).
464 As a result of these changes, the adopted rule applies to fewer systems than as proposed, and only to those types of systems that the Commission believes pose significant risk to market integrity if not adequately safeguarded.

The Commission also believes that requiring an SCI entity to tailor its policies and procedures so that they are reasonably designed and adequate will entail that an SCI entity assess the relative criticality and risk of each of its SCI systems and indirect SCI systems. Evaluation of the risk posed by any particular SCI system to the SCI entity’s operational capability and the maintenance of fair and orderly markets will be the responsibility of the SCI entity in the first instance. The Commission believes this approach will achieve the goal of improving Commission review and oversight of U.S. securities market infrastructure, but will do so within a more focused framework than as proposed. By being subject to requirements for a more targeted set of SCI systems, and guided by consideration of the relative risk of each of its SCI systems, SCI entities may more easily determine how to allocate their resources to achieve compliance with the regulation than they would have under the proposed regulation.
As noted above, one commenter urged the Commission to discuss what it means for policies and procedures to be reasonably designed ‘‘to maintain . . . operational capability and promote the maintenance of fair and orderly markets.’’ 465 This commenter characterized the proposed standard of ‘‘maintaining operational capability’’ as an ‘‘introspective standard relevant to the applicable SCI entity,’’ and the proposed standard of ‘‘promoting the maintenance of fair and orderly markets’’ as implying ‘‘some incremental responsibility to the collective market.’’ 466 The Commission agrees with this commenter’s characterization and believes that it is appropriate for SCI entities to assess the risk of their systems taking into consideration both objectives, which are related and complementary.467 Specifically, the Commission believes that it is important that an SCI entity’s policies and procedures are reasonably designed to ensure its own operational capability, including the ability to maintain effective operations, minimize or eliminate the effect of performance degradations, and have sufficient backup and recovery capabilities. At the same time, an SCI entity’s own operational capability can have broader effects and, as entities that play a significant role in the U.S. securities markets and/or have the potential to impact investors, the overall market, or the trading of individual securities,468 the Commission believes that the policies and procedures should also be reasonably designed to promote the maintenance of fair and orderly markets.

465 See supra note 461 and accompanying text.
466 See Direct Edge Letter at 4.
Periodic Review

Some commenters expressed concern that, when an SCI entity’s policies and procedures fail to prevent an SCI event, the Commission might use such failure as the basis for an enforcement action, charging that the policies and procedures were not reasonable.469 One commenter suggested that the Commission’s focus should be on an entity’s adherence to its own set of policies and procedures, developed based on ‘‘experience, annual SCI reviews, and other inputs,’’ rather than a ‘‘set of generic standards.’’ 470 In response to these comments, the Commission notes that the reasonably designed policies and procedures approach taken in adopted Rule 1001(a) does not require an entity to guarantee flawless systems. But the Commission believes it should be understood to require diligence in maintaining a reasonable set of policies and procedures that keeps pace with changing technology and circumstances and does not become outdated over time. The Commission is therefore adopting a requirement for periodic review by an SCI entity of the effectiveness of its policies and procedures required by Rule 1001(a), and prompt action by the SCI entity to remedy deficiencies in such policies and procedures.471 An SCI entity will not be found to be in violation of this maintenance requirement solely because it failed to identify a deficiency in its policies and procedures immediately after the deficiency occurred if the SCI entity takes prompt action to remedy the deficiency once it is discovered, and the SCI entity had otherwise reviewed the effectiveness of its policies and procedures and took prompt action to remedy those deficiencies that were discovered, as required by Rule 1001(a)(3). Further, the occurrence of a systems disruption or systems intrusion will not necessarily mean that an SCI entity has violated Rule 1001(a), or that it will be subject to an enforcement action for violation of Regulation SCI. The Commission will exercise its discretion to initiate an enforcement action if the Commission determines that such action is warranted, based on the particular facts and circumstances. While a systems problem may be probative as to the reasonableness of an SCI entity’s policies and procedures, it is not determinative.

467 The Commission notes that the identification of ‘‘critical SCI systems’’ in Regulation SCI emphasizes that some systems pose greater risk than others to the maintenance of fair and orderly markets if they malfunction, and that it is appropriate for an SCI entity to consider the risk to other SCI entities and market participants in the event of a systems malfunction.
468 See supra note 59 and accompanying text.
469 See, e.g., BATS Letter at 3–4; Angel Letter at 2; and FSR Letter at 5. See also ITG Letter at 14 (stating that no set of policies and procedures could guarantee perfect operational compliance); and NYSE Letter at 32 (urging inclusion of a good faith safe harbor).
470 See FIF Letter at 4.
471 See Rule 1001(a)(3).

ii. Minimum Elements of Reasonable Policies and Procedures—Rule 1001(a)(2)

Proposed Rule 1000(b)(1)(i) would have required that an SCI entity’s policies and procedures provide for, at a minimum: (A) The establishment of reasonable current and future capacity planning estimates; (B) periodic capacity stress tests of systems to determine their ability to process transactions in an accurate, timely, and efficient manner; (C) a program to review and keep current systems development and testing methodology; (D) regular reviews and testing of systems, including backup systems, to identify vulnerabilities pertaining to internal and external threats, physical hazards, and natural or manmade disasters; (E) business continuity and disaster recovery plans that include maintaining backup and recovery capabilities sufficiently resilient and geographically diverse to ensure next business day resumption of trading and two-hour resumption of clearance and settlement services following a widescale disruption; and (F) standards that result in systems being designed, developed, tested, maintained, operated, and surveilled in a manner that facilitates the successful collection, processing, and dissemination of market data. References to ‘‘systems’’ in the proposed rule were to the proposed definition of SCI systems, and with respect to security standards only, the proposed definition of SCI security systems.

Adopted Rule 1001(a)(2) includes the items formerly proposed as Rules 1001(b)(1)(i)(A)–(F) as renumbered Rules 1001(2)(i)–(vi) and a new item (vii), relating to monitoring of SCI systems. Proposed items (A), (D), and (E) are revised in certain respects in response to comment.
In addition, the Commission discusses below each of the adopted provisions of Rule 1001(a)(2) in the context of the adopted definitions of SCI systems and indirect SCI systems, where relevant.472

472 In particular, the Commission is adopting the language of items (B) and (C) as proposed (renumbered as Rule 1001(a)(2)(ii) and (iii), respectively) but elaborates on the scope of these provisions, as well as the scope of revised item (D) (renumbered as Rule 1001(a)(2)(iv)) and in the context of the adopted definitions of SCI systems and indirect SCI systems.

Capacity Planning

The SCI Proposal stated that policies and procedures for the establishment of reasonable current and future capacity planning (proposed item (A)) would help an SCI entity determine its systems’ ability to process transactions in an accurate, timely, and efficient manner, and thereby help ensure market integrity.473 One commenter expressed support for the requirement in proposed item (A),474 and another commenter recommended that proposed item (A) be revised to make clear that SCI entity capacity planning estimates apply to ‘‘technology infrastructure’’ capacity, as opposed to capacity with respect to nontechnology infrastructure of an SCI entity.475 Because the Commission intended proposed item (A) to relate to capacity planning for SCI systems, rather than capacity planning more broadly (for example, in relation to an SCI entity’s office space), the Commission is including this suggested clarification in adopted Rule 1001(a)(2)(i), and thus requires that an SCI entity’s policies and procedures include the establishment of reasonable current and future technology infrastructure capacity planning estimates.

473 See Proposing Release, supra note 13, at 18107.
474 See MSRB Letter at 9.
475 See DTCC Letter at 14–15. The Commission also received comments in regard to capacity planning as it relates to proposed industry standards on the capacity planning domain set out in proposed Table A. See, e.g., infra note 580 and accompanying text.

Stress Testing

A few commenters raised concerns about proposed item (B), which required periodic capacity stress tests.476 Some of these commenters urged that the adopted rule provide an SCI entity with flexibility to determine, using a risk-based assessment, when capacity stress tests are appropriate.477 Others suggested that capacity stress tests be required in specified circumstances or time frames, such as when new capabilities are released into production,478 whenever required system capacity increases by 10 percent, on a quarterly basis, or in conjunction with any material systems change.479 One commenter suggested that SCI entities should supplement dynamic stress and load testing with static analysis, a technique used to help uncover structural weaknesses in software.480 In proposing item (B), the Commission intended for SCI entities to engage in a careful risk-based assessment (as suggested by some commenters) 481 of its SCI systems to determine when to stress test its systems.482 Rule 1001(a)(2)(ii), as adopted, affords SCI entities the flexibility to consider the factors suggested by commenters, as appropriate for their specific systems and circumstances.483 The adopted rule does not prescribe a particular frequency or trigger for stress testing; however, because the Commission believes that, in light of the variability in SCI systems, an SCI entity’s experience with its particular systems and assessment of risk in this area will dictate when capacity stress testing is warranted. The requirement for periodic capacity stress tests of systems to determine their ability to process transactions in an accurate, timely, and efficient manner is therefore adopted as proposed as Rule 1001(a)(2)(ii).

476 See, e.g., CISQ Letter at 5; DTCC Letter at 14; Lauer Letter at 6; MSRB Letter at 9; OCC Letter at 10; and SIFMA Letter at 12.
477 See DTCC Letter at 14; and OCC Letter at 10. See also SIFMA Letter at 12 (suggesting that periodic capacity monitoring would be more appropriate and cost-effective than periodic capacity stress testing).
478 See MSRB Letter at 9.
479 See Lauer Letter at 6.
480 See CISQ Letter at 5. See also infra notes 491 and 497, and 498 and accompanying text (further discussing this comment and the commenter’s views on the value of assessing the structural quality of software).
481 See supra note 477 and accompanying text.
482 In response to the commenter that suggested periodic capacity monitoring would be more appropriate and cost-effective than periodic capacity stress testing, see supra note 477 and accompanying text, the Commission believes that such monitoring is appropriate and may play an important role in an SCI entity’s assessing when to stress test its systems. However, the Commission continues to believe that stress testing is necessary to help an SCI entity determine its systems’ ability to process transactions in an accurate, timely, and efficient manner, and thereby help ensure market integrity. See Proposing Release, supra note 13, at 18107. While monitoring may be a cost-effective method to determine when a stress test is warranted, the Commission does not believe monitoring alone will be an effective substitute for stress testing, which, unlike monitoring, is designed to challenge systems capacity.
483 See supra notes 478–479 and accompanying text.

Systems Development and Testing Methodology

In the SCI Proposal, the Commission explained that proposed item (C), which would require SCI entities to have policies and procedures for a ‘‘program to review and keep current systems development and testing methodology,’’ would help an SCI entity monitor and maintain systems capacity and availability.484 The Commission is adopting the language of this item as proposed as Rule 1001(a)(2)(iii). Two commenters supported this requirement as proposed.485 Another commenter argued that sufficient controls were in place with respect to production systems, as proposed, and therefore that separate policies and procedures specifically for the development and testing environment would be unnecessary and duplicative.486 This commenter added that, if development and testing systems were not excluded from the definition of SCI systems altogether, then the policies and procedures requirements regarding systems development and testing methodology should not apply separately to these environments. The Commission agrees with this comment, and believes it logically follows that policies and procedures requiring a program to review and keep current systems development and testing methodology for SCI systems, and indirect SCI systems, as applicable, are important if development and testing systems are excluded from the definition of SCI systems, as they are under the adopted regulation.487 An SCI entity’s systems development and testing methodology is a core part of the systems development life cycle for any SCI system. Therefore, the Commission believes that if an SCI entity did not have a program to review and keep current systems development and testing methodology for SCI systems, and indirect SCI systems, as applicable, its ability to assess the capacity, integrity, reliability, availability and security of its SCI systems and indirect SCI systems, as applicable, would be undermined. In complying with this adopted requirement, an SCI entity may wish to consider how closely its testing environment simulates its production environment; whether it designs, tests, installs, operates, and changes SCI systems through use of appropriate development, acquisition, and testing controls by the SCI entity and/or its third-party service providers, as applicable; whether it identifies and corrects problems detected in the development and testing stages; whether it verifies change implementation in the production stage; whether development and test environments are segregated from SCI systems in production; and whether SCI entity personnel have adequately segregated roles between the development and/or test environment, and the production environment.

484 See Proposing Release, supra note 13, at 18107.
485 See CISQ Letter at 2; and MSRB Letter at 9.
486 See FINRA Letter at 12.
487 See supra Section IV.A.2.b (discussing the definition of ‘‘SCI systems’’). Because development and testing systems are not part of the adopted definition of ‘‘SCI systems,’’ systems issues with regard to development and testing systems would not be subject to the requirements of adopted Rule 1002 relating to corrective action, Commission notification, and dissemination of information on SCI events; or Rule 1003(a) regarding notification of systems changes.

Reviews of SCI Systems and Indirect SCI Systems

The SCI Proposal explained that proposed item (D), which would have required an SCI entity to establish, maintain, and enforce policies and procedures to review and test regularly SCI systems (and SCI security systems, as applicable), including backup systems, to identify vulnerabilities pertaining to internal and external threats, physical hazards, and natural or manmade disasters, would assist an SCI entity in ascertaining whether such systems are and remain sufficiently secure and resilient.488 Proposed item (D) garnered a range of comments. Some commenters addressing this item focused on internal SCI entity testing,489 whereas others focused more broadly on industry-wide testing and testing of backup systems.490 With respect to comments on internal testing, one commenter suggested that the proposed requirement be expanded beyond testing to cover a range of ‘‘quality assurance activities’’ with each release of software into production.491 Two commenters advocated for requiring an SCI entity to focus on identifying structural deficiencies, which they stated pose much greater risks than functional deficiencies.492 A few commenters urged that groups independent of the team that designed and developed the systems should be involved in testing to offer a diverse perspective.493 One of these commenters further suggested that enforcement of the policies governing development and testing activities should be conducted by a ‘‘process audit’’ role that evaluates compliance with policies, provides guidance to development and testing teams on how to comply, and reports on compliance to senior management.494

488 See Proposing Release, supra note 13, at 18107.
489 See, e.g., CAST Letter at 4; CISQ Letter at 3–7; FIA PTG Letter at 4; Lauer Letter at 6; and MSRB Letter at 10.
490 See, e.g., Angel Letter at 2; CoreOne Letter at 3–5; DTCC Letter at 13; FIA PTG Letter at 2; FIX Letter at 1–2; Tradebook Letter at 1–4; UBS Letter at 4; and CISQ Letter at 6. See also infra Section IV.B.6 (discussing adopted Rule 1004, requiring business continuity and disaster recovery testing, including required participation of designated members or participants of SCI entities in such testing).

After careful consideration of the comments, the Commission is adopting this provision with modifications as Rule 1001(a)(2)(iv).
Specifically, adopted Rule 1001(a)(2)(iv) requires an SCI entity’s reasonably designed policies and procedures to include ‘‘[r]egular reviews and testing, as applicable, of [its SCI systems and, for purposes of security standards, indirect SCI systems], including backup systems, to identify vulnerabilities pertaining to internal and external threats, physical hazards, and natural or manmade disasters.’’ As adopted, this provision will afford an SCI entity greater flexibility, through the addition of the phrase ‘‘as applicable,’’ to determine how to identify vulnerabilities pertaining to internal and external threats, physical hazards, and natural or manmade disasters. Specifically, the adopted rule replaces the proposed rule’s requirement that an SCI entity conduct ‘‘regular reviews and testing’’ of relevant systems (including backup systems) with a more flexible requirement that an SCI entity conduct ‘‘regular reviews and testing, as applicable’’ of relevant systems, including backup systems. In response to some commenters’ concerns that the proposed requirement focused too much on regular testing and not enough on other methods to assess systems operation,495 the adopted rule provides an SCI entity the flexibility to determine an assessment methodology that would be most appropriate for a given system, or particular functionality of a system. Thus, consistent with commenters’ views, the adopted provision does not specifically require both regular reviews and regular testing in connection with an SCI entity’s identification of vulnerabilities. Instead, the provision requires reviews or testing (or both) to occur as applicable, so long as the approach is effective to identify vulnerabilities in SCI systems, and indirect SCI systems, as applicable.
While Rule 1001(a)(2)(iv) specifically identifies reviews and testing as means to identify vulnerabilities pertaining to internal and external threats, physical hazards, and natural or manmade disasters, it does not dictate the precise manner or frequency of reviews and testing, and does not prohibit an SCI entity from determining that there are methods other than reviews and testing that may be effective in identifying vulnerabilities. For example, reviews and testing would each be one of the methods that an SCI entity could employ, and each SCI entity would be able to determine which method(s) are most appropriate for each SCI system (or indirect SCI system, as applicable) or particular functionality of a given system, as well as the frequency with which such method(s) should be employed.496 In addition, in response to commenters advocating that SCI entities should focus on identifying structural vulnerabilities or weaknesses,497 an SCI entity may also find it useful to conduct reviews of its software and systems architecture and design to assess whether they have flaws or dependencies that constitute structural risks that could pose a threat to SCI systems’ operational capability.498 Likewise, an inspection by an SCI entity of its physical premises may be a method of assessing some of the vulnerabilities listed in the rule (such as physical hazards).
Business Continuity and Disaster Recovery
Proposed item (E) would have required an SCI entity to have business continuity and disaster recovery plans that include maintaining backup and recovery capabilities sufficiently resilient and geographically diverse to ensure next business day resumption of trading and two-hour resumption of clearance and settlement services following a wide-scale disruption. The Commission received significant comment on this aspect of the proposal, with several commenters questioning or challenging the principle that securities market infrastructure resilience is achieved by requiring both geographic diversity and specific recovery times for the backup and recovery capabilities of all SCI entities.499 Although several commenters were supportive of the broad goals of the proposed requirement,500 others maintained that, because the national market system has built-in redundancies, the proposed geographic diversity and resumption requirements need not apply to all SCI entities to ensure securities market resilience.501 Some of these commenters urged that the specific redundancy requirement implicit in the proposed geographic diversity provision should apply to a more limited set of SCI entities.502 In addition, some commenters stated that proposed time frames were too inflexible.503
The Commission has carefully considered commenters’ views and is revising this provision from the proposal to: (i) Specify that the stated recovery timeframes in Regulation SCI are goals, rather than inflexible requirements; 504 and (ii) provide that the stated two-hour recovery goal applies to critical SCI systems generally. In addition, the Commission is adopting the geographic diversity requirement, which does not specify any minimum distance for an SCI entity’s backup and recovery facilities, as proposed. As explained below, the Commission continues to believe that geographic diversity of physical facilities is an important component of every SCI entity’s BC/DR plan.
Recovery Timeframes as Goals
Several commenters addressing proposed item (E) focused their comments specifically on the proposed recovery timeframes.505 A few commenters that are clearing agencies specifically expressed concern about the proposed requirement for the two-hour resumption of clearance and settlement services, urging that the two-hour standard be a goal rather than a requirement.506 One commenter noted that the ‘‘Interagency White Paper itself recognizes that ‘various external factors surrounding a disruption such as time of day, scope of disruption, and status of critical infrastructure—particularly telecommunications can affect actual recovery times,’ and concludes that ‘[r]ecovery-time objectives provide concrete goals to plan for and test against . . . they should not be regarded as hard and fast deadlines that must be met in every emergency situation.’ ’’ 507 Several commenters suggested that SCI entities generally be given more discretion to decide when to resume trading following a wide-scale disruption.508 Other commenters stated more broadly that the proposed recovery timeframes were too rigid and inconsistent with the Interagency White Paper and the 2003 BCP Policy Statement.509 Other commenters similarly noted that it might be in the public interest and consistent with the protection of investors and the maintenance of fair and orderly markets for the markets to remain closed following a wide-scale disruption.510
In response to comments that the proposed two-hour recovery time frame was too inflexible,511 the Commission is eliminating the proposed requirement that an SCI entity must ‘‘ensure’’ next business day resumption of trading and two-hour resumption of clearance and settlement services following a wide-scale disruption. The Commission acknowledges that a hard and fast resumption timeframe may not be achievable in each and every case, given the variety of disruptions that potentially could arise and pose challenges even for well-designed business continuity and disaster recovery.
491 See CISQ Letter at 3–7 (encouraging the Commission to require quality assurance activities other than testing, including that an SCI entity evaluate and measure the structural quality of its SCI systems because ‘‘the attributes of an SCI system most critically affecting its capacity, integrity, resiliency, availability, and security are predominantly structural (engineering) rather than functional (correctness)’’).
492 See CAST Letter at 4; and CISQ Letter at 3–7.
493 See, e.g., CISQ Letter at 7; and Lauer Letter at 6.
494 See CISQ Letter at 7. This commenter further recommended that such process audits be conducted at least annually for each SCI system, and more often for SCI systems with operational problems, a record of non-compliance, or those being developed, tested, or operated by an inexperienced staff, and stated that process auditors who perform a mentoring role to software teams have proven a cost-effective mechanism for on-the-job training.
495 See supra notes 491–492 and accompanying text.
496 Rule 1001(a)(2)(iv) would also permit an SCI entity to engage personnel independent of the team that designed and developed the systems in testing, or to employ a process audit role, to comply with this requirement, as some commenters suggested. See supra notes 493–494 and accompanying text. Like other methods of review and testing, such engagements could identify vulnerabilities in a number of ways, such as through assessments of the SCI entity’s compliance with applicable standards, its risk management and control framework, or its use of resources. In response to the comment suggesting that process audits be conducted at least annually for each SCI system, and more often for SCI systems with operational problems, a record of noncompliance, or those being developed, tested, or operated by an inexperienced staff, the Commission notes that Rule 1001(a)(2)(iv) does not specify the precise manner or frequency of reviews and tests. Rather, Rule 1001(a)(2)(iv) provides flexibility to an SCI entity in determining the precise manner and frequency of reviews and/or tests. For example, an SCI entity could determine that, in order for its policies and procedures to be reasonably designed, as required by Rule 1001(a), its policies and procedures should provide that process audits be conducted at least annually for some SCI systems, and more frequently for certain other SCI systems.
497 See supra note 492 and accompanying text.
498 As noted by one commenter, static analysis could be a technique SCI entities could choose to utilize to help uncover structural weaknesses in software. See supra note 480 and accompanying text.
499 See, e.g., BIDS Letter at 8; FIA PTG Letter at 4; FIF Letter at 3; Group One Letter at 2–3; KCG Letter at 6–8, 11–14; FINRA Letter at 35–36; Angel Letter at 12; and ITG Letter at 15.
500 See Direct Edge Letter at 4; FINRA Letter at 35; ISE Letter at 2; and MSRB Letter at 10.
501 See, e.g., BIDS Letter at 8; FIA PTG Letter at 4; FIF Letter at 3; Group One Letter at 2–3; and KCG Letter at 6–8, 11–14. According to these commenters, because of the ease with which market participants are able to shift their order flow when there is an issue at one or more markets, the proposed requirements are burdensome and unnecessary. See also Angel Letter at 12 (stating that, if an exchange experiences an issue, other exchanges have more than enough capacity to handle the trading volume, and suggesting that it is not necessary for each exchange to have totally redundant backup facilities if the market network as a whole has sufficient capacity).
502 See, e.g., FIA PTG Letter at 4. See also supra note 53 and accompanying text.
503 See, e.g., SIFMA Letter at 13; and Joint SROs Letter at 17.
504 See Interagency Paper on Sound Practices to Strengthen the Resilience of the U.S. Financial Systems, Securities Exchange Act Release No. 47638 (April 7, 2003), 68 FR 17809, 17812 (April 11, 2003) (‘‘Interagency White Paper’’), stating: ‘‘Recovery-time objectives provide concrete goals to plan for and test against. They should not be regarded as hard and fast deadlines that must be met in every emergency situation;’’ and 2003 Policy Statement on Business Continuity Planning for Trading Markets, Securities Exchange Act Release No. 48545 (September 25, 2003), 68 FR 56656, 56658 (October 1, 2003) (‘‘2003 BCP Policy Statement’’), stating: ‘‘Consistent with the approach taken in the Interagency Paper, the next-day resumption objective should provide a concrete goal to plan for and test against. This should not be regarded as a hard and fast deadline that must be met in every emergency situation.’’
505 See, e.g., SIFMA Letter at 3, 13, 18; KCG Letter at 11–12; DTCC Letter at 15; OCC Letter at 9–10; Omgeo Letter at 27–28; Angel Letter at 16–17; Direct Edge Letter at 4–5; ISE Letter at 2–5; Joint SROs Letter at 16–17; FINRA Letter at 36; MSRB Letter at 10; Tellefsen Letter at 6; and Group One Letter at 2.
506 See DTCC Letter at 15 (‘‘[P]roposed Rule 1000(b)(1)(i)(E) has made what is currently a target within the 2003 Interagency White Paper that clearing and settling services be resumed within 2 hours of a disruption into a requirement that may not be attainable in all circumstances. . . .’’); OCC Letter at 9–10 (‘‘While a two-hour recovery time objective is a laudable goal . . . current guidelines remain appropriate to recover and resume clearing and settlement activities within the business day on which the disruption occurs, with the overall aspiration of achieving recovery and resumption within two hours’’); and Omgeo Letter at 27–28 (‘‘While Omgeo agrees that SCI entities should be required to rapidly recover from a wide-scale disruption and resume operations to avoid disrupting the critical markets beyond a single business day, it is unreasonable to require these operations to be resumed within two hours.’’).
507 See Omgeo Letter at 27–28.
508 See Angel Letter at 16–17; Direct Edge Letter at 4–5; ISE Letter at 2; Joint SROs Letter at 16–17; and Group One Letter at 2.
509 See SIFMA Letter at 13 (noting that the Interagency White Paper recommends that ‘‘core clearing and settlement organizations develop the capacity to recover and resume clearing and settlement activities within the business day on which the disruption occurs with the overall goal of achieving recovery and resumption within two hours after an event.’’). See also Joint SROs Letter at 17 (noting that the 2003 BCP Policy Statement, supra note 504, provides that rapid recovery should not be regarded as a hard and fast deadline that must be met in every emergency situation).
510 See, e.g., Angel Letter at 16–17; Direct Edge Letter at 4–5, 9; ISE Letter at 2–5; and Joint SROs Letter at 16–17.
511 See supra notes 506–510 and accompanying text.
For this reason, the Commission is revising the proposed requirement by replacing it with a requirement that an SCI entity have policies and procedures that include ‘‘business continuity and disaster recovery plans that include maintaining backup and recovery capabilities sufficiently resilient and geographically diverse and that are reasonably designed to achieve next business day resumption of trading and two-hour resumption of critical SCI systems following a wide-scale disruption.’’ Replacement of the phrase ‘‘to ensure’’ with the phrase ‘‘reasonably designed to achieve’’ means that Regulation SCI’s enumerated recovery timeframes are concrete goals, consistent with the Interagency White Paper and 2003 BCP Policy Statement.512 As such, the rule’s specified recovery timeframes are the standards against which the reasonableness of business continuity and disaster recovery (‘‘BC/DR’’) plans will be assessed by the Commission and its inspection staff. Moreover, as recovery goals, rather than hard and fast deadlines, the enumerated time frames in the rule will continue to allow for SCI entities to account for the specific facts and circumstances that arise in a given scenario to determine whether it is appropriate to resume a system’s operation following a wide-scale disruption. 
Recovery Timeframe Distinctions
In the SCI Proposal, the Commission solicited comment on whether the proposed next business day resumption of trading following a wide-scale disruption and proposed two-hour resumption of clearance and settlement services following a wide-scale disruption were appropriate.513 The Commission also solicited comment on whether it should consider revising the proposed next business day resumption requirement for trading to a shorter period for certain entities that play a significant role within the securities markets.514
One commenter stated that it agreed with imposing more stringent requirements for resumption of clearance and settlement services than for trading services following a wide-scale disruption.515 However, this commenter also urged more broadly that the Commission take into account the criticality of the functions performed by an SCI entity to the maintenance of fair and orderly markets in order to tailor the obligations of the rule more effectively.516 According to this commenter, ‘‘[n]otification and remediation requirements . . . should be tailored to the time sensitivity of each of the functions performed, not applied uniformly across all activities of an SCI entity.’’ This commenter identified ‘‘highly critical functions’’ as including the primary listing exchanges, trading of securities on an exclusive basis, securities information processors, clearance and settlement agencies, distribution of unique post-trade transparency information, and real-time market surveillance,’’ and urged the Commission to ‘‘leverage the best practices of the Interagency White Paper, and expand them to include the [highly] critical functions. . . .’’ 517 Other commenters also urged the Commission to consider the criticality of SCI systems functionality and tailor requirements accordingly.518 One commenter noted that the August 2013 Nasdaq SIP outage revealed each of SIAC and Nasdaq (in their roles as plan processors) as a potential ‘‘single point of failure’’ in the national market system, and specifically urged improved backup capabilities for these systems.519 Another commenter, in the context of questioning the need for all markets to have geographically diverse backups, acknowledged that specific redundancy might be appropriate in certain areas, such as where an instrument is traded only on one exchange or in the case of a primary market during the open and closing periods of the market.520
The Commission has carefully considered these comments and believes they support revising the proposed rule to provide that the two-hour recovery goal specified in the adopted rule, as the standard against which BC/DR plans are to be assessed, should apply not only to ‘‘clearance and settlement services,’’ but more generally to the functions performed by critical SCI systems. Given that the securities markets are dependent upon the reliable operation of critical SCI systems, the Commission believes it is reasonable to distinguish the two-hour and next-business day recovery goals in a manner consistent with other provisions of adopted Regulation SCI: Specifically, to have the shorter recovery goal apply to critical SCI systems, and the longer recovery goal apply to resumption of trading by non-critical SCI systems. The Commission also notes that, because the proposed recovery timeframes are being adopted as concrete goals that the policies and procedures must be reasonably designed to achieve, rather than hard and fast requirements, the adopted approach is somewhat more flexible than that proposed.
Accordingly, adopted Rule 1001(a)(2)(v) holds BC/DR plans for critical SCI systems (as defined in Rule 1000) to a higher standard than BC/DR plans for resumption of trading operations more generally. Specifically, an SCI entity responsible for a given critical SCI system will be expected to design BC/DR plans that contemplate resumption of critical SCI system functionality to meet a recovery goal of two hours or less. The Commission believes that this approach is consistent with the broader risk-based approach urged by commenters.521 The Commission also believes that its approach to holding critical SCI systems to stricter resiliency standards than other systems is an appropriate measure that responds not only to comments received, but also to recent events highlighting the effects of malfunctions in critical SCI systems.522
Two commenters requested clarification on the expectations for resumption of SCI systems that are not related to trading, clearance, or settlement.523 In response to this comment, the Commission notes that the adopted definition of SCI systems has been refined from the proposed definition of SCI systems and that all SCI systems could be considered to be ‘‘related to’’ trading. However, systems that directly support market regulation and/or market surveillance will not be held to the resumption goals of Rule 1001(a)(2)(v) (unless they are critical SCI systems) because the Commission believes that the resumption of trading and critical SCI systems could occur following a wide-scale disruption without the immediate availability of market regulation and/or market surveillance systems (unless they are critical SCI systems). However, systems that directly support trading, order routing, and market data would be subject to the next-business day resumption goal, unless they are also critical SCI systems, in which case they would be subject to the two-hour resumption goal.
One commenter questioned what the expectations are with respect to next-day resumption if an SCI entity loses functionality towards the end of the trading day.524 In response to this comment, the Commission notes that neither the next-business day resumption of trading goal nor the two-hour recovery goal for critical SCI systems is dependent on the time of day that the loss of functionality occurs.
512 See Interagency White Paper, supra note 504, at 17812–13, and the 2003 BCP Policy Statement, supra note 504, at 56658.
513 See Proposing Release, supra note 13, at 18112, question 73.
514 See id. at 18112, question 76.
515 See SIFMA Letter at 12–13. Specifically, this commenter noted that the Interagency White Paper, supra note 504, distinguishes between ‘‘core clearing and settlement organizations’’ and firms that play ‘‘significant roles in the financial markets’’ and recommended that the Commission continue to distinguish between SCI entities that are responsible for the highly critical function of centralized counterparties (e.g., clearing agencies registered with the Commission) and SCI entities that are not.
516 See SIFMA Letter at 4.
517 See id. at 4, 18. SIFMA also listed the distribution of unique post-trade transparency information and real-time market surveillance as highly critical functions. While such systems are not specifically identified in the first prong of the definition of critical SCI systems (as are SCI systems that directly support functionality relating to: (1) Clearance and settlement systems of clearing agencies; (2) openings, reopenings, and closings on the primary listing market; (3) trading halts; (4) initial public offerings; (5) the provision of consolidated market data; or (6) exclusively-listed securities), the Commission notes that systems that provide functionality to the securities markets for which the availability of alternatives is significantly limited or nonexistent and without which there would be a material impact on fair and orderly markets are considered critical SCI systems under its second prong. See supra Section IV.A.2.c (discussing the definition of ‘‘critical SCI systems’’).
518 See, e.g., KCG Letter at 8, 13–14 (suggesting that proposed item (E) apply only to SCI entities that perform critical, unique functions in the market), and at 5 (stating ‘‘when critical services are provided, additional heightened regulatory requirements, as proposed in Regulation SCI, may be appropriate’’). See also UBS Letter at 3 (urging the Commission to take into consideration the difference between ‘‘interruptions of activities that hold significant implications for the National Market System’’ and ‘‘low criticality activities [that] are much more manageable and localized in impact . . . because market participants are not directly touched or are equipped to quickly route around the problem’’). According to this commenter, activities that hold such significant implications would include: ‘‘disruption at primary exchange during [the] open/close, [a] problem with protected quote data, [an] outage at listing exchange during [an] IPO, [and] SIP data disruptions.’’
519 See Angel Letter 2 at 3–4.
520 See FIA PTG Letter at 4.
Consistent with the Interagency White Paper and 2003 BCP Policy Statement, however, the Commission acknowledges that the time of day of a disruption can affect actual recovery times.525 The Commission believes it is important, particularly with respect to clearing agencies, that SCI entities endeavor to take all steps necessary to effectuate end of day settlement.
Geographic Diversity To Ensure Resilience
Several commenters addressing proposed item (E) expressed concern about the proposed geographic diversity requirement.526 Some commenters cited a reluctance on the part of SCI entity members or participants to incur the cost or assume the risk of connecting to a backup site that would only be used infrequently.527 In addition, some commenters cited concerns, such as challenges to market makers generating quotes, if a backup site did not have the same low latency as the primary site.528 One of these commenters suggested that allowing other fully operational exchanges to fill in and perform the duties of an exchange experiencing an outage would offer the advantages of continued operation on tested systems and the introduction of fewer variables.529 Another of these commenters argued that, in many respects, the goal of resilient and redundant markets is already in place due to the existence of multiple competing and interconnected venues, operating as a collective system under Regulation NMS.530 One commenter agreed that it is a best business practice for a market to have backup disaster recovery facilities and robust BC/DR plans, but stated that ‘‘significant geographic diversity’’ should not be an absolute requirement,’’ because a wide-scale disruption in New York or Chicago would make next day resumption difficult, even with a geographically diverse backup.531 This commenter noted that the more remote the backup, the more difficult it would be to staff such a facility, and even more so in a surprise disaster, unless the backup was fully staffed at all times.532 Several commenters also argued that SCI entities that are ATSs are less critical to market stability, and therefore should be subject to less stringent geographic diversity and recovery requirements.533 One commenter suggested eliminating the reference to ‘‘geographic diversity’’ in favor of requiring ‘‘comprehensive business continuity and disaster recovery plans with recovery time objectives of the next business day for trading and two hours for clearance and settlement,’’ and emphasizing as guidance that geographic diversity of physical facilities would be an expected component of any such plan.534
The Commission has carefully considered commenters’ views on the proposed geographic diversity requirement and continues to believe that geographic diversity of physical facilities is an important component of every SCI entity’s BC/DR plan.535 The Commission believes that challenges to recovery are increased when a disruption impacts a broad geographic area, and therefore that an SCI entity’s arrangements to assure resilience in the event of a wide-scale disruption cannot reliably be achieved without geographic diversity of its BC/DR resources.536 The Commission does not agree with commenters who argued that the existence of multiple competing and interconnected venues operating as a collective system under Regulation NMS obviates the need for geographic diversity at the individual SCI entity level.537 For example, a wide-scale disruption, such as a natural disaster or man-made attack, could affect a large number of SCI entities, and absent individual SCI entity responsibility for maintaining geographic diversity, there could be a greater likelihood that a critical mass of SCI entities would not be operational, so that the continued maintenance of fair and orderly markets could be impacted. The Commission notes that some of the practical difficulties commenters cited as the basis for objecting to a backup site requirement, such as the cost and operational risk of maintaining a redundant connection to an SCI entity backup facility that would be used infrequently, are concerns raised on behalf of SCI entity members and participants.538 In response to commenters who expressed concern regarding the cost for members or participants to co-locate their systems at backup sites to replicate the speed and efficiency of the primary site, the Commission emphasizes that adopted Rule 1001(a)(2)(v) does not require an SCI entity to require members or participants to use the backup facility in the same way it uses the primary facility.
521 See supra notes 53–57 and accompanying text (summarizing commenters’ recommendations with regard to adopting a risk-based approach generally).
522 See supra Section II.B (discussing recent systems issues, including a systems problem that resulted in certain exclusively-listed securities being unable to trade for over three hours, and a systems problem affecting the SIP that halted trading in all Nasdaq-listed securities for more than three hours).
523 See FINRA Letter at 36; and MSRB Letter at 10.
524 See Tellefsen Letter at 6.
525 See Interagency White Paper, supra note 504, at 17812, and the 2003 BCP Policy Statement, supra note 504, at 56658.
526 See, e.g., KCG Letter at 13; FIA PTG Letter at 3–4; Group One Letter at 2–3; ISE Letter at 2–5; BIDS Letter at 8; and ITG Letter at 15.
527 See KCG Letter at 13; FIA PTG Letter at 3–4; and Group One Letter at 2–3.
528 See KCG Letter at 13; and FIA PTG Letter at 3–4.
529 See Group One Letter at 2–3.
530 See FIA PTG Letter at 4. See also Angel 2 Letter at 3.
531 See ISE Letter at 2–5.
532 See id.
533 See BIDS Letter at 8; FIA PTG Letter at 4; ITG Letter at 15; and KCG Letter at 8, 13. These commenters believed that the proposed geographic diversity requirements are burdensome and unnecessary because of the ease with which market participants are able to shift their order flow when there is an issue at one or more markets. In addition, two commenters argued that, because ATSs are subject to FINRA regulations with respect to BC/DR plans, further regulation would be redundant and unnecessary. See ITG Letter at 15; and OTC Markets Letter at 9.
534 See Direct Edge Letter at 4.
535 The Commission’s view is consistent with the 2003 BCP Policy Statement. See 2003 BCP Policy Statement, supra note 504, at 56658. See also infra Section VI.C.2.b (discussing the benefits of geographic diversity).
536 See, e.g., 2003 BCP Policy Statement, supra note 504, at 56657 (stating that a critical ‘‘lesson learned’’ from the events of September 11, 2001 is the need for more rigorous business continuity planning in the financial sector to address problems of wider geographic scope and longer duration than those previously addressed).
537 See supra notes 530 and 533 and accompanying text.
Rather, the assessment of the effectiveness of a BC/DR plan that includes geographically diverse backup facilities is whether it is reasonably designed to achieve next business day resumption of trading and two-hour resumption of critical SCI systems following a wide-scale disruption. In response to comments that geographic diversity should be encouraged but not required for all SCI entities, the Commission does not believe that it would be appropriate to eliminate the proposed requirement that SCI entities maintain geographically diverse backup and recovery capabilities (which the Commission understands many SCI entities already have) because, as stated, absent individual SCI entity responsibility for maintaining geographic diversity, there could be a greater likelihood that a critical mass of SCI entities would not be operational following a wide-scale disruption. In response to comment that ATSs are less critical to market stability, and therefore should be subject to less stringent geographic diversity and recovery requirements, the Commission notes that ATSs that do not have critical SCI systems will be subject to less stringent geographic diversity and recovery requirements than SCI entities that do.539 However, because the Commission believes that SCI ATSs have the potential to significantly impact investors, the overall market, and the trading of individual securities as a result of an SCI event, the Commission believes that these entities are appropriate for inclusion in the definition of SCI entity and for the application of the geographic diversity requirement.540
Like the proposed rule, the adopted rule does not specify any particular minimum distance or geographic location that would be necessary to achieve geographic diversity.541 However, as stated in the SCI Proposal, the Commission continues to believe that backup sites should not rely on the same infrastructure components, such as for transportation, telecommunications, water supply, and electric power.542 The Commission also continues to believe that an SCI entity should have a reasonable degree of flexibility to determine the precise nature and location of its backup site depending on the particular vulnerabilities associated with those sites, and the nature, size, technology, business model, and other aspects of its business.’’ 543 In response to comment that a geographically diverse backup facility is impractical if key personnel do not live sufficiently close to the backup facility, the Commission notes that adopted Regulation SCI does not require an SCI entity to have a geographically diverse backup facility so distant from the primary facility that the SCI entity may not rely primarily on the same labor pool to staff both facilities if it believed it to be appropriate.544 Given that the Commission did not propose a specified minimum distance to achieve geographic diversity, the Commission believes that the geographic diversity requirement is reasonable and appropriate for all SCI entities. The geographic diversity requirement is therefore adopted as proposed.
In sum, the Commission believes that adopted Rule 1001(a)(2)(v), requiring an SCI entity to have business continuity and disaster recovery plans that include maintaining backup and recovery capabilities sufficiently resilient and geographically diverse and that are reasonably designed to achieve next business day resumption of trading and two-hour resumption of critical SCI systems following a wide-scale disruption, is consistent with, and builds upon, both the Interagency White Paper and the 2003 BCP Policy Statement by applying their principles to SCI entities in today’s trading environment, one with a heavy reliance on technological infrastructure.
Robust Standards for Market Data
Proposed item (F), requiring an SCI entity to have standards that result in systems being designed, developed, tested, maintained, operated, and surveilled in a manner that facilitates the successful collection, processing, and dissemination of market data, received little comment. One commenter supported the proposed requirement, subject to further clarification about what constitutes market data.545 Another commenter believed that this proposed requirement is redundant because SROs and other market participants are already subject to substantial requirements for market data.546 While consolidated market data is collected and distributed pursuant to a variety of Exchange Act rules and joint industry plans,547 the Commission does not believe that existing requirements have the same focus on ensuring the operational capability of the systems for collecting, processing, and disseminating market data. Thus, the Commission believes that this provision, while consistent with existing rules, acts as a complement to such requirements and is not redundant. Further, as explained above, the term ‘‘market data’’ is not intended to include only consolidated market data, but proprietary market data as well and, as such, SCI systems directly supporting proprietary market data or consolidated market data are subject to the requirements of item (F). As stated in the SCI Proposal, the Commission believes that the accurate, timely, and efficient processing of data is important to the proper functioning of the securities markets. The Commission continues to believe that it is important that each SCI entity’s market data systems are reasonably designed to maintain market integrity and that the proposed requirement would facilitate that goal.548 This element, requiring that an SCI entity’s policies and procedures include standards that result in systems being designed, developed, tested, maintained, operated, and surveilled in a manner that facilitates the successful collection, processing, and dissemination of market data, is adopted as proposed, as Rule 1001(a)(2)(vi).
538 See infra Section IV.B.6 (discussing SCI entity BC/DR testing requirements for members or participants).
539 In addition, in response to commenters who argued that, because ATSs are subject to FINRA regulations with respect to BC/DR plans further regulation would be redundant and unnecessary (see supra note 533), the Commission notes that FINRA Rule 4370 generally requires that a member maintain a written continuity plan identifying procedures relating to an emergency or significant business disruption. Unlike Regulation SCI, however, the FINRA rule does not include the requirement that the business continuity and disaster recovery plans be reasonably designed to achieve next business day resumption of trading and two-hour resumption of critical SCI systems following a wide-scale disruption, nor does it require the functional and performance testing and coordination of industry or sector-testing of such plans, which the Commission believes to be instrumental in achieving the goals of Regulation SCI with respect to SCI entities. See also supra note 115.
540 See supra notes 107–109 and accompanying text.
541 See Proposing Release, supra note 13, at 18108, n. 182 and accompanying text.
542 See id.
543 See id.
544 An SCI entity with critical SCI systems subject to a two-hour recovery goal may, however, find it prudent to establish back-up facilities a significant distance away from their primary sites, or otherwise address the risk that a wide-scale disruption could impact either or both of the sites and their labor pool. See Interagency White Paper, supra note 504, at 17813.
The Commission believes that individual SCI entity resilience is fundamental to achieving the goal of improving U.S. securities market infrastructure resilience. The Commission is adopting an additional provision, designated as Rule 1001(a)(2)(vii), that requires an SCI entity’s policies and procedures to provide for monitoring of SCI systems, and, for purposes of security standards, indirect SCI systems, to identify potential SCI events. Several commenters argued that Regulation SCI should allow entities to adopt and follow escalation procedures instead of providing that obligations under Regulation SCI are triggered by one employee’s awareness of a systems issue.549 The Commission is modifying Regulation SCI in three respects in response to these comments: revising the definition of responsible SCI personnel to focus on senior managers; requiring that an SCI entity have policies and procedures to identify, designate, and escalate potential SCI events to responsible SCI personnel; and explicitly requiring policies and procedures for monitoring.550 The requirement that an SCI entity have policies and procedures to provide for monitoring of SCI systems and, for purposes of security standards, indirect SCI systems, is added to make explicit that escalation of a systems problem should occur not only if a systems problem is identified by chance, but 545 See MSRB Letter at 8. 546 See Angel Letter at 19. 547 See, e.g., Rules 601–604 of Regulation NMS and Rule 301(b)(3) of Regulation ATS. See also supra Section IV.A.1.c (discussing definition of plan processor) and Concept Release on Equity Market Structure, supra note 4, at 3600 (discussing various rules and requirements relating to consolidated market data). VerDate Sep<11>2014 20:27 Dec 04, 2014 Jkt 235001 Monitoring 548 See Proposing Release, supra note 13, at 18108. 549 See, e.g., OCC Letter at 12; FINRA Letter at 25– 26; Omgeo Letter at 13; FIF Letter at 5; and NYSE Letter at 19–20. 
See also infra notes 758–761 and accompanying text (discussing comments on the proposed ‘‘becomes aware’’ standard). 550 See infra Section IV.B.3.a (discussing the Commission’s determination to further focus the definition of ‘‘responsible SCI personnel’’). PO 00000 Frm 00048 Fmt 4701 Sfmt 4700 rather that an SCI entity should have a monitoring process in place so that systems problems are able to be identified as a matter of standard operations and pursuant to parameters reasonably established by the SCI entity. In addition, the Commission believes that the reliability of escalation of potential SCI events to designated responsible SCI personnel for determination as to whether they are, in fact, SCI events is likely to be more effective when it occurs in connection with established procedures for monitoring of SCI systems and indirect SCI systems and pursuant to a process for the communication of systems problems by those who are not responsible SCI personnel to those who are. The Commission notes that several commenters discussed the role that technology staff play in monitoring and identifying potential systems problems and escalating issues up the chain of command to management as well as legal and/or compliance personnel. Although systems monitoring may already be routine in many SCI entities, there are expected benefits of monitoring and thus it is appropriate to require an SCI entity’s policies and procedures to provide for monitoring of SCI systems, and, for purposes of security standards, indirect SCI systems, to identify potential SCI events. The Commission believes that monitoring in tandem with escalation to responsible SCI personnel is an appropriate approach to ensuring SCI compliance. 
As noted, the requirement that an SCI entity have policies and procedures for monitoring provides an SCI entity with flexibility to establish parameters that define the types of systems problems to which technology personnel should be alert, as well as the frequency and duration of monitoring. The Commission also believes this requirement is consistent with a risk-based approach, and that an SCI entity’s policies and procedures for monitoring may be tailored to the relative criticality of SCI systems, with critical SCI systems likely to be subject to relatively more rigorous policies and procedures for monitoring than other SCI systems.

iii. Policies and Procedures Consistent With ‘‘Current SCI Industry Standards’’—Rule 1001(a)(4)

Proposed Rule 1000(b)(1)(ii) stated that an SCI entity’s policies and procedures would be deemed to be reasonably designed if they are consistent with ‘‘current SCI industry standards,’’ such as those listed on proposed Table A. ‘‘Current SCI industry standards’’ were not limited to those listed on proposed Table A, but were proposed to be required to be: (A) Comprised of information technology practices that are widely available for free to information technology professionals in the financial sector; and (B) issued by an authoritative body that is a U.S. governmental entity or agency, association of U.S. governmental entities or agencies, or widely recognized organization. The rule further stated that ‘‘compliance with such current SCI industry standards . . . shall not be the exclusive means to comply with the requirements of paragraph (b)(1).’’

The goal of proposed Rule 1000(b)(1)(ii) was to provide guidance to SCI entities on policies and procedures that would meet the articulated standard of being ‘‘reasonably designed to ensure that their systems have levels of capacity, integrity, resiliency, availability, and security, adequate to maintain their operational capability and promote the maintenance of fair and orderly markets.’’ The proposal sought to provide this guidance by identifying example information technology publications describing processes, guidelines, frameworks, and/or standards that SCI entities could elect to look to in developing its policies and procedures. Proposed Table A set forth an example of one set of technology publications that the Commission preliminarily believed was an appropriate set of reference documents. The SCI Proposal acknowledged that ‘‘current SCI industry standards’’ would not be limited to the publications identified on proposed Table A. As such, an SCI entity’s choice of a current SCI industry standard in a given domain or subcategory thereof could appropriately be different from those contained in the publications identified in proposed Table A.551 Many commenters, however, objected to the proposed objective criteria for reference publications, and/or one or more of the specific publications listed on proposed Table A. The Commission has carefully considered commenters’ views and is adopting Rule 1000(b)(1)(ii), renumbered as Rule 1001(a)(4), with certain modifications as described below.

Criteria for Identifying SCI Industry Standards: Comments Received and Commission Response

Some commenters disagreed with the Commission’s proposal to require SCI industry standards to be ‘‘comprised of information technology practices that are widely available for free to information technology professionals in the financial sector.’’ Several commenters argued that there were significant disadvantages to requiring that standards be available free of charge.552 One of these commenters stated that requiring standards to be available for free ‘‘may encourage SCI entities to use standards that may be outdated when more suitable standards may be available and would be more appropriate.’’ 553 Another of these commenters stated that ‘‘the cost or lack thereof of a technology standard or standard framework has no bearing on the quality or appropriateness of such standard or framework and bears no significance to the maintenance of fair and orderly markets.’’ 554 Two standard setting organizations commented regarding the use of consensus standards, citing OMB Circular No. A–119, which directs agencies to use voluntary consensus standards (i.e., standards developed by professional standards organizations), and urged the Commission to eliminate the requirement that SCI industry standards be ‘‘available for free.’’ 555 Another commenter similarly urged that it was important for SCI entities to use publications generated by professional organizations that regularly update their standards and employ open processes for gathering industry input.556

The Commission agrees that the cost or lack thereof of a technology standard or standard framework has no bearing on the quality or appropriateness of such standard, and also that SCI entities should be encouraged to use appropriate standards developed by professional organizations that regularly update their standards and employ open processes for gathering industry input. While the Commission did not propose to require that particular standards be used, in response to comment, the Commission is adopting Rule 1001(a)(4) without the criterion in the SCI Proposal that a technology standard be available free of charge. The other criteria are adopted as proposed. Thus, to qualify as an ‘‘SCI industry standard,’’ a publication must be comprised of information technology practices that are widely available to information technology professionals in the financial sector and issued by an authoritative body that is a U.S. governmental entity or agency, association of U.S. governmental entities or agencies, or widely recognized organization.

551 See Proposing Release, supra note 13, at 18109.
552 See ANSI Letter at 1; DTCC Letter at 15; OCC Letter at 9; Omgeo Letter at 33–34; and X9 Letter at 1.
553 See OCC Letter at 9.
554 See Omgeo Letter at 33 (noting also that the proposed criteria would eliminate appropriate standards such as ITIL and ISO 27000).
555 See ANSI Letter at 1; and X9 Letter at 1.
556 See CISQ2 Letter at 6. See also Angel Letter at 8 (suggesting that the proposed criteria could potentially result in the creation of race-to-the-bottom standards organizations that establish lax standards).
The Commission believes that this criterion is sufficiently flexible to include technology practices issued by professional organizations, including the professional organizations referenced by commenters.557

Proposed Table A: Comments Received

The SCI Proposal stated that written policies and procedures that are consistent with the relevant examples of SCI industry standards contained in the publications identified in Table A would be deemed to be ‘‘reasonably designed’’ for purposes of proposed Rule 1000(b)(1).558 Proposed Table A listed publications covering nine inspection areas, or ‘‘domains,’’ that Commission staff historically has evaluated under the ARP Inspection Program.559 Proposed Table A elicited significant and varied comment. Some commenters objected generally to the Table A framework.560 Others objected more specifically to Table A’s proposed content,561 and some commenters objected to Table A as a premature attempt to establish consensus on SCI industry standards where consensus has not yet emerged.562

Table A Framework and Process

One group of commenters suggested that, in lieu of the publications identified in Table A, the Commission should characterize policies and procedures as reasonably designed if they comply with ‘‘generally accepted standards.’’ 563 Another commenter similarly suggested that the Commission replace the proposed rule’s reference to ‘‘current SCI industry standards’’ with the phrase ‘‘generally accepted technology principles,’’ and delete Table A and the proposed Table A criteria.564 These commenters viewed proposed Table A as flawed in concept.565 Specifically, one of these commenters expressed concern that the standards set forth in Table A might not keep pace with a constantly evolving technological landscape and that, despite this evolution, Commission staff might take a checklist approach to its review of policies and procedures, which would result in unintended consequences.566 The other commenter stated that it was more common, and more appropriate in any industry that relies heavily on technology, for an entity to review a variety of different standards for frameworks or best practices, and then adopt a derivative of multiple standards, customizing them for the systems at issue.567 According to this commenter, SCI entities would be unlikely to comply with all aspects of any particular standard in Table A at any particular time, thereby ‘‘obviating its usefulness.’’ 568 Other commenters argued that the Table A concept was flawed because Table A would always be on the verge of being outdated.

557 See infra notes 583–601 and accompanying text. The Commission expresses no view, however, on any particular publication that is not specifically identified in infra notes 584–601, or standards that remain in development (e.g., a standard being drafted by AT 9000) (see infra note 601 and accompanying text).
558 See Proposing Release, supra note 13, at 18109.
559 See id.
560 See, e.g., Angel Letter at 8–9; BATS Letter at 6–7; BIDS Letter at 7; Direct Edge Letter at 2; Joint SROs Letter at 4; MSRB Letter at 11–12; and NYSE Letter at 20–21.
561 See, e.g., Angel Letter at 8–9; BATS Letter at 6–7; FIF Letter at 3–4; ISE Letter at 11–12; CAST Letter at 10; MSRB Letter at 11–12; DTCC Letter at 15; FINRA Letter at 31; Omgeo Letter at 33; CISQ Letter at 1–2; OCC Letter at 9; Lauer Letter at 5–7; BIDS Letter at 7; and Liquidnet Letter at 3–4.
562 See, e.g., FIF Letter at 3–4; Liquidnet Letter at 3–4; UBS Letter at 7; and ISE Letter at 11–12.
563 See Joint SROs Letter at 4.
For example, one commenter characterized the proposed Table A publications as ‘‘soon-to-be outdated’’ and stated that it is crucial that SCI entity policies and procedures be ‘‘forward-looking’’ and able to respond to future threats.569 Another commenter stated that the proposed process for updating Table A 570 would not be sufficiently nimble to assure that SCI entities adhere to the best possible then-current standards, and suggested that the Commission defer to the expertise of the organizations that have established the listed standards and rely on the updates provided by these organizations.571 Another commenter stated that any ‘‘hard coded’’ solutions are likely to become obsolete very quickly.572

After careful consideration of these comments, the Commission acknowledges that the proposed framework for identifying and updating publications on Table A may not be sufficiently nimble to assure that its list of publications does not become obsolete as technology and standards change. The Commission agrees that, in an industry that relies heavily on technologies that are constantly evolving, the prescription of hard-coded solutions that may become quickly outdated is not the better approach. However, because several commenters stated that there is currently a lack of consensus on what constitutes generally accepted standards or principles in the securities industry,573 the Commission continues to believe that there is value in identifying example publications for SCI entities to consider looking to in establishing policies and procedures that are consistent with ‘‘current SCI industry standards.’’ 574 After considering the potential disadvantages of ‘‘hard-coding’’ Table A in a Commission release, and the potential benefits of providing further guidance to SCI entities on the meaning of ‘‘current SCI industry standards,’’ the Commission has determined that, rather than the Commission issuing Table A in this release, Commission staff should issue guidance to assist SCI entities in developing policies and procedures consistent with ‘‘current SCI industry standards’’ in a manner that is consistent with the Commission’s response to comments received on proposed Table A, as discussed in this Section IV.B.1.b.iii, and periodically update such guidance as appropriate. The Commission believes that guidance issued by the Commission staff will have the advantage of easier updating and allow for emerging consensus on standards more focused on the securities industry. Thus, concurrent with the Commission’s adoption of Regulation SCI, Commission staff is issuing guidance to SCI entities on developing policies and procedures consistent with ‘‘current SCI industry standards.’’ 575

Table A Publications

Many commenters who did not urge elimination of Table A altogether addressed the content of proposed Table A. Those commenters did not express opposition to the identification of certain inspection areas or domains on proposed Table A, but some commenters identified issues with specific publications listed on Table A.576 Specifically, two commenters stated that the NIST publication listed for the Systems Development Methodology domain was outdated.577 One of these commenters objected to this publication as reflecting a burdensome staged process to software development that favors the ‘‘waterfall methodology’’ over ‘‘agile’’ software development, which generally uses more ‘‘nimble processes’’ and is more typical in the financial services industry today.578 Another commenter noted that this publication had both strengths and weaknesses.579 Two commenters objected to the FFIEC’s Operations IT Examination Handbook in the capacity planning domain as too generic.580 One commenter objected to the inclusion of FFIEC’s Audit IT Examination Handbook.581 Another commenter stated more broadly that the proposed Table A publications focus too heavily on firm-level risks and do not take into account the technological and economic stability of the U.S. market as a whole.582

In addition, several commenters suggested specific additions to the proposed list of publications on Table A.583 For example, more than one commenter suggested the following standards as appropriate for inclusion on Table A: COBIT/ISACA; 584 ISO–27000; 585 ISO 25000; 586 and NFPA–1600.587 Other standards or publications mentioned by commenters as useful, particularly in the area of software quality or software security, include the CISQ Software Quality Specification,588 the Capability Maturity Model Integration (CMMI) framework,589 ‘‘SANS 20 Critical Security Controls,’’ 590 ‘‘CWE/SANS Top 25 Most Dangerous Software Errors,’’ 591 the Open Source Security Testing Methodology Manual (OSSTMM),592 the BITS Financial Services Roundtable Software Assurance Framework (January 2012),593 the ‘‘Build Security In Maturity Model’’ (BSTMM),594 Microsoft’s SDL,595 and resources for defining secure software development practices from organizations such as OWASP, WASC and SAFECode,596 and publications issued by Scrum Alliance,597 the Association for Software Testing (AST),598 the Institute of Electrical and Electronics Engineers (IEEE),599 and the Association for Computing Machinery (ACM).600 In addition, one commenter suggested a standard currently being drafted by AT 9000, a working group which focuses on trading safety, regulatory requirements, and achieving efficiency and effectiveness of systems involved in automated trading.601

A few commenters opposed referencing standards in Regulation SCI at the outset and instead supported establishing a process that they believed would, after a certain period of time, yield a coherent set of standards.602 One of these commenters urged that best practices should evolve from the Commission’s experience with the annual SCI review process and experience with the ARP program, because such best practices will be specific to the securities industry and reflect the actual practices of SCI entities.603 Finally, several commenters suggested that the Commission establish a working group to develop SCI industry standards.604

The Commission has carefully considered these comments, and continues to believe that there is value in identifying publications for SCI entities to consider looking to in establishing reasonable policies and procedures, because doing so will provide guidance on how an SCI entity may comply with adopted Rule 1001(a). The Commission therefore believes that issuance of staff guidance that does this, as discussed above, will be useful for SCI entities.

564 See NYSE Letter at 20–21.
565 See Joint SROs Letter at 4; and NYSE Letter at 20.
566 See Joint SROs Letter at 4. Other commenters similarly expressed concern that SCI entities would closely adhere to the publications listed in Table A (even though the SCI Proposal specified that such adherence would not be the exclusive means to comply with the requirements of proposed Rule 1000(b)(1)), rather than take advantage of the flexibility built into the proposed rule out of concern that if they did not, they would expose themselves to potential regulatory action for failure to comply with Regulation SCI. See, e.g., MSRB Letter at 11; Angel Letter at 8; BATS Letter at 6; and NYSE Letter at 20–21.
567 See NYSE Letter at 20.
568 See id.
569 See id. See also ISE Letter at 10 (stating that the standards listed in Table A are not the most current or appropriate standards). See also infra notes 577–578 and accompanying text.
570 In the SCI Proposal, the Commission stated that it ‘‘preliminarily believes that, following its initial identification of one set of SCI industry standards . . . it would be appropriate for Commission staff, from time to time, to issue notices to update the list of previously identified set of SCI industry standards after receiving appropriate input from interested persons. . . . However, until such time as Commission staff were to update the identified set of SCI industry standards, the then-current set of SCI industry standards would be the [relevant] standards. . . .’’ Proposing Release, supra note 13, at 18111.
571 See MSRB Letter at 11–12.
572 See Direct Edge Letter at 2.
573 See supra note 633 and accompanying text.
574 See Rule 1001(a)(4), which states: ‘‘For purposes of [complying with Rule 1001(a)], such policies and procedures shall be deemed to be reasonably designed if they are consistent with current SCI industry standards, which shall be comprised of information technology practices that are widely available to information technology professionals in the financial sector and issued by an authoritative body that is a U.S. governmental entity or agency, association of U.S. governmental entities or agencies, or widely recognized organization. Compliance with such current SCI industry standards, however, shall not be the exclusive means to comply with [Rule 1001(a)].’’
575 Staff Guidance on Current SCI Industry Standards will be available on the Commission’s Web site at: www.sec.gov.
576 See, e.g., Angel Letter at 9; BATS Letter at 6–7; FIF Letter at 3–4; and ISE Letter at 10.
577 See BATS Letter at 6; and ISE Letter at 10 (objecting to the inclusion of NIST Security Considerations in the System Development Life Cycle (Special Publication 800–64 Rev. 2) as a suitable ‘‘current SCI industry standard’’ in the systems development methodology domain).
578 See BATS Letter at 6–7.
579 See CISQ2 Letter at 4–5 (stating that NIST Special Publication 800–64, Rev. 2 and any derivative standard should ‘‘be reviewed and if necessary revised by a panel of industry practitioners and technical experts to balance the requirement for rigor with the amount of practices and documentation specified in the standard’’).
580 See ISE Letter at 10; and FIF Letter at 3–4 (both described this publication as setting forth a process for conducting capacity planning).
581 See ISE Letter at 10.
582 See Angel Letter at 9.
583 See, e.g., CAST Letter; ISE Letter; MSRB Letter; DTCC Letter; FINRA Letter; Omgeo Letter; CISQ2 Letter; OCC Letter; BIDS Letter; Liquidnet Letter; and X9 Letter.
584 See CAST Letter at 10; ISE Letter at 11; and MSRB Letter at 11. COBIT (formerly known as Control Objectives for Information and related Technology) is an enterprise information technology governance framework developed by ISACA (formerly known as the Information Systems Audit and Control Association).
585 See DTCC Letter at 15; ISE Letter at 11; FINRA Letter at 31; and Omgeo Letter at 33. FINRA recommended ISO–27000 series because it provides ‘‘greater specificity’’ and may be ‘‘less burdensome’’ than the standards identified in proposed Table A. ISE and DTCC recommended ISO 27000 specifically for application controls, information security and networking, and physical security controls. Omgeo stated more broadly that it models aspects of its program on widely accepted international standards and frameworks such as ITIL and ISO 27000.
586 See CAST Letter and CISQ2 Letter. CAST suggested supplementing the SCI industry standards with standards that address development, as well as standards that pertain to structural software quality, such as ISO 25010 and CISQ Software Quality Specification. See CAST Letter at 5. CISQ2 agreed that standards addressing structural software quality are needed and suggested including CISQ Specification for Automated Quality Characteristic Measures: CISQ–TR–2012–01 in Table A. CISQ also pointed to the Capability Maturity Model Integration (CMMI) as another potential option, noting that it was the most widely adopted process standard for rigorous software development practices. See CISQ2 Letter at 3–4.
587 See OCC Letter at 9; and ISE Letter at 11. ISE also specifically recommended BS 25999 as an alternative contingency planning standard.
588 See CAST Letter at 5; and CISQ Letter at 1.
589 See CAST Letter at 10.
590 See FIF Letter at 4.
591 See id.
592 See Lauer Letter at 5–7.
593 See BIDS Letter at 7.
594 See id.
595 See id.
596 See id.
597 See Liquidnet Letter at 4.
598 See id.
599 See id.
600 See id.
601 See X9 Letter at 2.
602 See, e.g., FIF Letter at 4, 6; Liquidnet Letter at 3; UBS Letter at 7; and ISE Letter at 11.
603 See FIF Letter at 4, 6.
604 See, e.g., Liquidnet Letter at 3 (urging that a working group consisting of regulators, industry participants (from exchanges, ATSs and broker-dealers) and security and controls experts be established to develop a security and controls framework for the industry). See also UBS Letter at 7 (urging the Commission to convene a ‘‘cross-industry, multi-disciplinary Working Group’’ to be responsible for developing recommendations for appropriate standards); and ISE Letter at 11 (recommending that the Commission authorize SCI entities to establish a standards committee to review and recommend specific sets of standards). See also CISQ Letter at 2, 6 (supporting the Table A approach but also seeing value in tailoring existing standards from professional organizations into an industry-specific set of standards for SCI entities).
However, after careful consideration of commenters’ views regarding the publications on proposed Table A, the Commission believes it is useful to characterize how such staff guidance should be used by SCI entities. In particular, the Commission understands that some commenters who objected to the proposed Table A concept and/or the proposed Table A content were more broadly taking issue with the characterization of certain of the documents on proposed Table A, such as the NIST 800–53 document, as a ‘‘standard,’’ rather than a ‘‘framework’’ or a ‘‘process.’’ 605 The Commission believes that many commenters implicitly were questioning why certain identified technology frameworks (such as NIST 800–53) were being labeled as, and thereby elevated to, an example of ‘‘current SCI industry standards’’ when many SCI entities were already following ISO 27000, COBIT, or other technology standards that they viewed as more specific, relevant, and/or cost effective than the NIST frameworks identified on proposed Table A.606 In response to these comments, the Commission believes it is appropriate that the staff’s guidance be characterized as listing examples of publications describing processes, guidelines, frameworks, or standards for an SCI entity to consider looking to in developing reasonable policies and procedures, rather than strictly as listing industry standards. Thus, the Commission believes it is appropriate if Commission staff were to list publications that provide guidance to SCI entities on suitable processes for developing, documenting, and implementing policies and procedures for their SCI systems (and indirect SCI systems, as applicable), taking into account the criticality of each such system. 
605 The Commission also notes that this point was made by a member of the third panel at the Cybersecurity Roundtable, supra note 39. See also FINRA Letter at 31.
606 See supra notes 577–601 and accompanying text.

With respect to the publications commenters suggested for inclusion on proposed Table A, the Commission is not disputing the value of such standards, and believes that each, when considered with respect to a particular system at an SCI entity, may contain appropriate standards for the SCI entity to use as, or incorporate within, its policies and procedures.607 The Commission notes that the guidance is intended to be used as a baseline from which the staff may work with SCI entities and other interested market participants to build consensus on industry-specific standards, as discussed more fully below. Further, the Commission believes that the goal of providing general and flexible guidance to SCI entities does not necessitate providing a lengthy list of all the publications that meet the criteria set forth in Rule 1001(a)(4).608 The Commission continues to believe that it may be appropriate for an SCI entity to choose to adhere to a standard or guideline in a given domain or subcategory thereof that is different from those contained in the staff guidance, and emphasizes that nothing that the staff may include in its guidance precludes an SCI entity from adhering to standards such as ISO 27000, COBIT, or others referenced by commenters to the extent they result in policies and procedures that comply with the requirements of Rule 1001(a).609 Moreover, adopted Rule 1001(a)(4) explicitly provides that compliance with current SCI industry standards (i.e., including those publications identified by the Commission staff) is not the exclusive method of compliance with Rule 1001(a).
Accordingly, an SCI entity’s determination not to adhere to some or all of the publications included in the staff guidance in developing its policies and procedures does not necessarily mean that its policies and procedures will be deficient or unreasonable for purposes of Rule 1001(a)(1). Importantly, the publications listed by Commission staff should be understood to provide guidance to SCI entities on selecting appropriate controls for applicable systems, as well as suitable processes for developing, documenting, and implementing policies and procedures for their SCI systems (and indirect SCI systems, as applicable), taking into account the criticality of each such system. Thus, for example, the Commission believes it would be reasonable for the most robust controls to be selected and implemented for ‘‘critical SCI systems,’’ as compared to other types of SCI systems, and the Commission believes it would be appropriate that the staff’s guidance include publications that require more rigorous controls for higher-risk systems. The staff guidance is not intended to be static, however.

607 See supra notes 577–601 and accompanying text.
608 See supra note 557 and accompanying text.
609 Likewise, such guidance would not preclude an SCI entity from adopting a derivative of multiple standards, and/or customizing one or more standards for the particular system at issue, as one commenter suggested. See supra note 567 and accompanying text. In assessing whether an SCI entity’s use of such an approach in designing its policies and procedures would be ‘‘deemed’’ to be reasonably designed, the Commission’s inquiry would be into whether its policies and procedures were consistent with standards meeting the criteria in adopted Rule 1001(a)(4).
As the Commission staff works with SCI entities, as well as members of the securities industry, technology experts, and interested members of the public, and as technology standards continue to evolve, the Commission anticipates that the Commission staff will periodically update the staff guidance as appropriate.

Another way in which the publications identified by Commission staff should provide guidance to SCI entities is by providing transparency on how the staff will, at least initially, prepare for and conduct inspections relating to Regulation SCI. As discussed in the SCI Proposal and above,610 for over two decades, ARP staff has conducted inspections of ARP entity systems, with a goal of evaluating whether an ARP entity’s controls over its information technology resources in each domain are consistent with ARP and industry guidelines,611 as identified by ARP staff from a variety of information technology publications that ARP staff believed were appropriate for securities market participants.612 With the adoption of Regulation SCI, and the resultant transition away from the voluntary ARP Inspection Program to an inspection program under Regulation SCI, the Commission believes it is helpful to establish consistency in its approach to examining SCI entities for compliance with Regulation SCI. Importantly, establishing consistency does not mean that the Commission will take a one-size-fits-all or checklist approach. Because the publications identified by Commission staff should be general and flexible enough to be compatible with many widely-recognized technology standards that SCI entities currently use, the Commission believes the publications identified by Commission staff should provide guidance for an SCI entity to self-assess whether its policies and procedures comply with Rules 1001(a)(1)–(2). Moreover, because use of the publications identified by Commission staff is not mandatory, the staff guidance should not be regarded as establishing a checklist, the use of which could result in unintended consequences, but rather a basis for considering how an SCI entity’s selected standards relate to the guidance provided by Commission staff and whether they are appropriate standards for use by that particular SCI entity for a given system.

610 See supra Section II.A.
611 As stated in the SCI Proposal, the domains covered during an ARP inspection depend in part upon whether the inspection is a regular inspection or a ‘‘for-cause’’ inspection. Typically, however, to make the most efficient use of resources, a single ARP inspection will cover fewer than nine domains. See Proposing Release, supra note 13, at 18086.
612 See id. and supra Section II.A (discussing the ARP Inspection Program).

The Commission believes that it would be appropriate that the publications initially identified by Commission staff at a minimum include the nine inspection areas, or ‘‘domains,’’ that the Commission identified on Table A in the SCI Proposal and that are relevant to SCI entities’ systems capacity, integrity, resiliency, availability, and security, namely: Application controls; capacity planning; computer operations and production environment controls; contingency planning; information security and networking; audit; outsourcing; physical security; and systems development methodology. The Commission believes it would be appropriate that each publication identified by Commission staff be identified with specificity and include the particular publication’s date, volume number, and/or publication number, as the case may be.
Thus, for SCI entities that establish or self-assess their policies and procedures in reliance on the guidance provided by the publications identified by Commission staff, the Commission believes that the publications should be the relevant publications until such time as the list is updated by Commission staff. Of course, SCI entities may elect to use publications describing processes, guidelines, frameworks, and/or standards other than those identified by Commission staff to develop policies and procedures that satisfy the requirements of Rules 1001(a)(1)–(2).

As stated in the SCI Proposal, however, the Commission continues to believe that the development of securities-industry specific standards is a worthy goal. Although some commenters urged the Commission not to adopt Table A at the outset, and instead establish a process to achieve that end,613 the Commission believes that the better approach is for Commission staff to provide examples of publications through its guidance that form a baseline and remain open to emerging consensus on industry-specific standards.

613 See supra note 604 and accompanying text.

In response to the commenter that suggested that the Commission leverage the annual SCI review process and the SCI inspection process to yield a coherent set of industry-specific standards that could be referenced on Table A, the Commission believes that such an approach could serve as an appropriate input into the future development of such standards.614 In response to the commenter who stated that the proposed Table A publications do not take into account the technological and economic stability of the U.S.
market as a whole,615 the Commission notes that the technological stability of individual SCI entities, in tandem with a heightened focus on critical SCI systems, are necessary prerequisites to achieving such market-wide goals. Accordingly, the Commission believes that the publications identified by Commission staff today should serve as an appropriate initial set of publications, processes, guidelines, frameworks, and standards for SCI entities to use as guidance to develop their policies and procedures under Rule 1001(a). With this guidance as a starting point, the Commission expects that the Commission staff will seek to work with members of the securities industry, technology experts, and interested members of the public towards developing standards relating to systems capacity, integrity, resiliency, availability, and security appropriately tailored for the securities industry and SCI entities, and periodically issue staff guidance that updates the guidance with such standards.

614 See supra note 602 and accompanying text.
615 See supra note 582 and accompanying text.

2. Policies and Procedures To Achieve Systems Compliance—Rule 1001(b)

Proposed Rule 1000(b)(2)(i) would have required each SCI entity to establish, maintain, and enforce written policies and procedures reasonably designed to ensure that its SCI systems operate in the manner intended, including in a manner that complies with the federal securities laws and rules and regulations thereunder and the SCI entity’s rules and governing documents, as applicable. Proposed Rule 1000(b)(2) also would have included safe harbors for an SCI entity and its employees. Specifically, proposed Rule 1000(b)(2)(ii) provided that an SCI entity would be deemed not to have violated proposed Rule 1000(b)(2)(i) if the SCI entity: (1) Established policies and procedures reasonably designed to provide for specified elements; (2) established and maintained a system for applying such policies and procedures which would reasonably be expected to prevent and detect, insofar as practicable, any violations of such policies and procedures by the SCI entity or any person employed by the SCI entity; and (3) reasonably discharged the duties and obligations incumbent upon it by such policies and procedures, and was without reasonable cause to believe that such policies and procedures were not being complied with in any material respect.

The safe harbor for SCI entities in proposed Rule 1000(b)(2)(ii) specified that the SCI entity’s policies and procedures must be reasonably designed to provide for: (1) Testing of all SCI systems and any changes to such systems prior to implementation; (2) periodic testing of all SCI systems and any changes to such systems after their implementation; (3) a system of internal controls over changes to SCI systems; (4) ongoing monitoring of the functionality of SCI systems to detect whether they are operating in the manner intended; (5) assessments of SCI systems compliance performed by personnel familiar with applicable federal securities laws and rules and regulations thereunder and the SCI entity’s rules and governing documents, as applicable; and (6) review by regulatory personnel of SCI systems design, changes, testing, and controls to prevent, detect, and address actions that do not comply with applicable federal securities laws and rules and regulations thereunder and the SCI entity’s rules and governing documents, as applicable. In addition, proposed Rule 1000(b)(2)(iii) set forth a safe harbor for individuals.
It provided that a person employed by an SCI entity would be deemed not to have aided, abetted, counseled, commanded, caused, induced, or procured the violation by any other person of proposed Rule 1000(b)(2)(i) if the person employed by the SCI entity has reasonably discharged the duties and obligations incumbent upon such person by the policies and procedures, and was without reasonable cause to believe that such policies and procedures were not being complied with in any material respect. After careful consideration of the comments, proposed Rule 1000(b)(2) is adopted as Rule 1001(b) with modifications, as discussed below.

a. Reasonable Policies and Procedures To Achieve Systems Compliance

The Commission received significant comment on its proposal to require that SCI entities establish, maintain, and enforce written policies and procedures reasonably designed to ensure systems compliance. Some commenters supported the broad goals of a policies and procedures requirement to help ensure that SCI systems operate as intended.616 Other commenters questioned whether any set of policies and procedures could guarantee perfect operational compliance.617 One commenter emphasized that no set of policies and procedures can guarantee 100% operational compliance and that, historically, the Commission has allowed entities to use a reasonableness standard so that policies and procedures are required to be reasonably designed to promote compliance, and the same should be used for the underlying predicate requirement in Regulation SCI.618 A few commenters expressed concern that, in instances where an SCI entity’s policies and procedures failed to prevent SCI events, the Commission might use such failures as the basis for an enforcement action, charging that the policies and procedures were not reasonable.619 One commenter believed that compliance with Regulation SCI should be measured against a firm’s adherence to its own set of
policies and procedures that are in keeping with SCI system objectives, and such policies should be reviewed and updated as part of the annual SCI review process.620 Another commenter requested that the Commission more clearly distinguish between liability under Regulation SCI and liability for SCI events, stating that compliance with Regulation SCI and compliance with other federal securities laws and rules must remain distinct.621

Whereas adopted Rule 1001(a) 622 concerns the robustness of the SCI entity’s systems, adopted Rule 1001(b) 623 concerns the operational compliance of an SCI entity’s SCI systems with the Exchange Act, the rules and regulations thereunder, and the SCI entity’s governing documents.

616 See MSRB Letter at 12–13; SIFMA Letter at 12; and MFA Letter at 3. Two of these commenters believed that SCI entities that perform critical market functions should be required to have more stringent policies and procedures than less critical SCI entities. See SIFMA Letter at 12; and MFA Letter at 3–4.
617 See ITG Letter at 14. See also BATS Letter at 3–4, 6.
618 See ITG Letter at 14.
619 See BATS Letter at 3–4; Angel Letter at 4; and FSR Letter at 5. One of these commenters considered this possibility as, in effect, imposing a strict liability standard with respect to systems issues, and was concerned that the proposed approach would result in ‘‘finger-pointing’’ and constant enforcement actions for immaterial violations that desensitize people to actual material violations. See FSR Letter at 3–8.
620 See FIF Letter at 4.
621 See FSR Letter at 6.
622 Adopted Rule 1001(a) was proposed as Rule 1000(b)(1).
623 Adopted Rule 1001(b) was proposed as Rule 1000(b)(2).
The Commission continues to believe, as stated in the SCI Proposal, that a rule requiring SCI entities to establish, maintain, and enforce policies and procedures reasonably designed to ensure operational compliance will help to: ensure that SCI SROs comply with Section 19(b)(1) of the Exchange Act; 624 reinforce existing SRO rule filing processes to assist market participants and the public in understanding how the SCI systems of SCI SROs are intended to operate; and assist SCI SROs in meeting their obligations to file plan amendments to SCI Plans under Rule 608 of Regulation NMS.625 It will similarly help other SCI entities (i.e., SCI ATSs, plan processors, and exempt clearing agencies subject to ARP) to achieve operational compliance with the Exchange Act, the rules and regulations thereunder, and their governing documents.

The Commission notes that Rule 1001(b) is intended to help prevent the occurrence of systems compliance issues at SCI entities. The Commission discussed in Section IV.A.3.b the rationale for further focusing the definition of systems compliance issue (i.e., replacing the reference to operating ‘‘in the manner intended, including in a manner that complies with the federal securities laws’’ with a reference to operating ‘‘in a manner that complies with the Act’’). To provide consistency between the definition of systems compliance issue and the requirement for policies and procedures to ensure systems compliance, the Commission is similarly revising Rule 1001(b)(1) to require each SCI entity to establish, maintain, and enforce written policies and procedures reasonably designed to ensure that its SCI systems operate ‘‘in a manner that complies with the Act’’ and the rules and regulations thereunder and the entity’s rules and governing documents, as applicable.

As noted above, some commenters expressed concern that an SCI entity would be found to be in violation of Rule 1001(b) if an SCI event occurs.626 Consistent with the discussion above regarding Rule 1001(a), the Commission emphasizes that the occurrence of a systems compliance issue at an SCI entity does not necessarily mean that the SCI entity has violated Rule 1001(b) of Regulation SCI. As stated in the SCI Proposal, an SCI entity will not be deemed to be in violation of Rule 1001(b) solely because it experienced a systems compliance issue.627 The Commission also notes that Rule 1001(b) requires systems compliance policies and procedures to be reasonably designed.628 The Commission acknowledges that reasonable policies and procedures will not ensure the elimination of all systems issues, including systems compliance issues. While a systems compliance issue may be probative as to the reasonableness of an SCI entity’s policies and procedures, it is not determinative. Further, the occurrence of a systems compliance issue also does not necessarily mean that the SCI entity will be subject to an enforcement action. Rather, the Commission will exercise its discretion to initiate an enforcement action if the Commission determines that action is warranted, based on the particular facts and circumstances of an individual situation.

In response to one commenter’s request that the Commission more clearly distinguish between liability under Regulation SCI and liability for SCI events,629 the Commission notes that liability under Regulation SCI is separate and distinct from liability for other violations that may arise from the underlying SCI event. In particular, whether an SCI entity violated Regulation SCI does not affect the determination of whether the underlying SCI event also caused the SCI entity to violate other laws or rules, and compliance with Regulation SCI is not a safe harbor or other shield from liability under other laws or rules. Thus, even if the occurrence of an SCI event does not cause an SCI entity to be found to be in violation of Regulation SCI, the SCI entity may still be liable under other Commission rules or regulations, the Exchange Act, or SRO rules for the underlying SCI event.630

624 See 15 U.S.C. 78s(b)(1) (requiring each SRO to file with the Commission copies of any proposed rule or any proposed change in, addition to, or deletion from the rules of the SRO).
625 See Proposing Release, supra note 13, at 18115.
626 See supra notes 617–620 and accompanying text. One of these commenters believed that compliance with Regulation SCI should be measured against a firm’s adherence to its own set of policies and procedures that are in keeping with SCI systems objectives. See supra note 620 and accompanying text. The Commission understands this commenter to be expressing the same concern as other commenters that an SCI entity would be found to be in violation of Rule 1001(b) if an SCI event occurs. This commenter also noted that policies and procedures should be reviewed and updated as part of the annual SCI review process. See supra note 620 and accompanying text. The comment regarding reviews and updates of policies and procedures is addressed below. See infra note 673 and accompanying text.
627 Also, as noted in the SCI Proposal, an employee of an SCI entity would not be deemed to have aided, abetted, counseled, commanded, caused, induced, or procured the violation by any other person of Rule 1001(b) merely because the SCI entity at which the employee worked experienced a systems compliance issue. See Proposing Release, supra note 13, at 18116.
628 As stated above, one commenter noted that no set of policies and procedures can guarantee 100% operational compliance and that historically, the Commission has allowed entities to use a reasonableness standard so that policies and procedures are required to be reasonably designed to promote compliance, and the same approach should be used for Regulation SCI. See supra note 618 and accompanying text. The Commission agrees with this commenter that reasonably designed policies and procedures might not completely eliminate the occurrence of systems compliance issues. Also, adopted Rule 1001(b) is consistent with this commenter’s suggestion, because it requires policies and procedures that are ‘‘reasonably designed’’ to ensure systems compliance.
629 See supra note 621 and accompanying text.
630 For example, it is possible for an SCI SRO to have established, maintained, and enforced reasonably designed systems compliance policies and procedures consistent with the requirements of Rule 1001(b) of Regulation SCI, but still potentially violate Section 19(g) of the Exchange Act if the operation of its systems is inconsistent with its own rules. See 15 U.S.C. 78s(g) (requiring every SRO to comply with the Exchange Act, the rules and regulations thereunder, and its own rules).

b. Proposed Safe Harbor for SCI Entities

i. Comments Received

In the SCI Proposal, the Commission solicited comment on the proposed approach to include safe harbor provisions in proposed Rule 1000(b)(2) and specifically asked whether commenters agreed with the proposed inclusion of safe harbors.631 Many commenters specifically addressed the safe harbors in proposed Rule 1000(b)(2). Two commenters urged elimination of the proposed safe harbors.632 One of these commenters stated that the safe harbors were framed so generally that they would be easy to invoke.633 This commenter also stated that inclusion of a safe harbor provision for compliance standards would unnecessarily and severely limit the Commission’s ability to deter violations through meaningful enforcement actions.634 The other commenter stated that, if a safe harbor is adopted, the Commission should be as specific as possible in establishing how to qualify for the safe harbor, and recommended that Commission guidance ensure that SCI entities are actively building and improving upon safety systems and not simply checking boxes and doing the minimal amount necessary to ensure compliance.635

631 See Proposing Release, supra note 13, at 18117, question 104.
632 See Better Markets Letter at 5–6; and Lauer Letter at 7–8.
633 See Better Markets Letter at 5–6.
634 See id. at 6.
635 See Lauer Letter at 7–8.

In contrast, several commenters supported the inclusion of a safe harbor in proposed Rule 1000(b)(2) in theory, but objected to the proposed approach.636 Some commenters stated that the proposed safe harbor, with its prescriptive requirements, would evolve into the de facto rule itself as SCI entities decide to adhere to the requirements of the safe harbor rather than risk a potential enforcement action stemming from an SCI event.637 One of these commenters noted that the safe harbor merely further defined the elements that the policies and procedures must have by providing a list of points that reasonably designed policies and procedures must cover.638 This commenter believed that including a requirement for reasonably designed policies and procedures and providing a safe harbor when those policies and procedures are reasonably designed is inherently circular, and expressed concern about liability under Regulation SCI whenever there is a systems or technology malfunction or error.639 This commenter also compared the proposed SCI entity safe harbor to other rules, stating that the other rules requiring policies and procedures recognize the need for those policies and procedures to be reasonably designed in light of the manner in which business is conducted.640 This commenter further noted that, if the Commission intends that all SCI entities conform to
the standards articulated in the safe harbor, the Commission should set them forth as express provisions of the rule, although this commenter believed that such an approach would be misguided because it would create strictures that impose protocols that may not be suitable for certain market participants.641

Several other commenters expressed concern that the proposed safe harbors were unclear.642 One group of commenters noted that the provisions in the proposed safe harbors were vague, subjective, and merely duplicate elements that would result from a logical interpretation of Rule 1000(b)(1),643 which these commenters believed offered no safe harbor protection at all.644 Another commenter stated that the use of a reasonableness standard with respect to the design of systems and the discharge of duties under an SCI entity’s policies and procedures would mean that an SCI entity and its employees would never know with certainty whether they met the terms of the safe harbor.645 Another commenter similarly stated that SCI entities cannot know if they have complied with the safe harbor unless more guidance is provided on the concept of ‘‘reasonable policies and procedures’’ and the Commission explains what constitutes adequate testing, monitoring, assessments, and review for each system.646 One commenter agreed with the need for a safe harbor but stated that the proposed safe harbor is not sufficiently robust because it contains ‘‘vague and extensive requirements that are overly subjective’’ and the Commission therefore would be ‘‘likely to review an SCI entity’s interpretation of the safe harbor in the event of a systems issue with the benefit of 20/20 hindsight.’’ 647 This commenter expressed concern that the occurrence of a significant systems event would mean that an exchange did not have reasonable policies and procedures and would be outside the terms of the proposed safe harbor.648

636 See, e.g., Angel Letter; Direct Edge Letter; FSR Letter; ITG Letter; MSRB Letter; NYSE Letter; OCC Letter; OTC Markets Letter; and Joint SROs Letter.
637 See ITG Letter at 14 (stating that ‘‘[t]he safe harbor contains so many requirements that it operates as a rule by itself’’); and FSR Letter at 8.
638 See FSR Letter at 4–5.
639 See id. at 5–6.
640 See FSR Letter at 8–9 (expressing concern that the safe harbor will become the sole yardstick by which conduct is measured and, even if the safe harbor were non-exclusive, it could become the de facto standard to the exclusion of other, legitimate approaches).
641 See FSR Letter at 9.
642 See, e.g., FSR Letter; OCC Letter; and OTC Markets Letter.
643 See Joint SROs Letter at 13 (stating that the proposed safe harbor should provide a more objective and transparent approach, and provide SCI entities a clear, affirmative defense from allegations of having violated Regulation SCI).
644 See Joint SROs Letter at 13.
645 See OCC Letter at 11. This commenter also questioned the value of the safe harbors as proposed and requested that the Commission consider including bright-line tests and minimum standards in the safe harbor provisions to better guide SCI entities and their employees in avoiding liability under Regulation SCI. See OCC Letter at 11. See also NYSE Letter at 30 (noting that the Commission provided no guidance on the phrase ‘‘policies and procedures reasonably designed’’).
646 See OTC Markets Letter at 15.
647 See NYSE Letter at 30.
648 See id.

A few commenters suggested specific alternatives to the proposed safe harbors.649 One commenter recommended that the Commission adopt a safe harbor with objective criteria to protect SCI entities from enforcement actions under Regulation SCI except in cases of intentional or reckless non-compliance or patterns of non-compliance with Regulation SCI, or if an SCI entity fails to implement reasonable corrective action in response to a written communication from the Commission regarding Regulation SCI.650 This commenter urged that, even if the Commission does not include the suggested safe harbor, the adopting release should clearly state that the Commission will not pursue enforcement actions against SCI entities that establish, maintain, and enforce compliance policies and procedures or act in good faith, notwithstanding a violation of Regulation SCI.651 One group of commenters similarly recommended that the Commission adopt an objective safe harbor.652 These commenters noted that minor mistakes and unintentional errors occur in the daily operations of running a business, and a safe harbor should provide protection to SCI entities that follow the policies and procedures as intended, including in the resolution and containment of such mistakes and errors.653 These commenters believed that it should be sufficient for an SCI entity to qualify for the safe harbor if it adopts policies and procedures reasonably designed to comply with Regulation SCI and does not knowingly violate such policies and procedures.654 These commenters further requested that the Commission clarify its views on the protections of the safe harbor for inadvertent violations of other laws and rules despite compliance with Regulation SCI and expand the safe harbor to explicitly cover such instances.655 One commenter suggested simplifying the safe harbor to require only that an SCI entity adopt reasonable policies and procedures to comply with proposed Regulation SCI, which should include reasonable ongoing responsibilities related to testing and monitoring.656 Another commenter believed that the safe harbor should grant immunity from enforcement penalties for all problems that are self-reported by SCI entities and individuals.657

One commenter suggested that Regulation SCI should: (1) Encourage parties to discover and remediate technology errors and malfunctions, and/or deficiencies in their policies and procedures; (2) avoid ipso facto liability under Regulation SCI for failures by technology or systems; and (3) require some form of causation in order for liability to attach.658 This commenter also recommended that the Commission provide safe harbors from liability under both proposed Rules 1000(b)(1) and (2) where either: (1) The SCI entity or SCI personnel discovers and remediates a problem without regulatory intervention and assuming no underlying material violation; or (2) no technology error or problem has occurred, but the policies and procedures might benefit from improvements.659 According to this commenter, the remediation safe harbor should also apply to underlying technology problems if the SCI entity had complied with Regulation SCI.660 One commenter expressed concern that, without a safe harbor and a guarantee of immunity, the disclosures to the Commission required under Regulation SCI would provide a roadmap for litigation against non-SRO entities.661

649 See, e.g., FSR Letter; ITG Letter; OTC Markets Letter; Joint SROs Letter; and NYSE Letter.
650 See NYSE Letter at 29, 31–32. This commenter also suggested that SCI entity employees be protected except in instances where employees intentionally or recklessly fail to discharge their duties and obligations under the SCI entity’s policies and procedures. See NYSE Letter at 29, 31–32. This comment and the individual safe harbor are addressed in Section IV.B.2.d below. Another commenter, expressing support for NYSE’s suggested approach for SCI entities and their employees, stated that an objective standard would provide the proper incentives for compliance and allow SCI entities to reasonably evaluate their potential exposure when an SCI event occurs and act quickly in the critical moments following an SCI event. See OTC Markets Letter at 16.
651 See NYSE Letter at 32, n. 41.
652 See Joint SROs Letter at 13–14.
653 See id.
654 See id. These commenters suggested a parallel safe harbor for employees of SCI entities. See id. at 14.
655 See id.
656 See ITG Letter at 14.
657 See Angel Letter at 4.
658 See FSR Letter at 9.
659 See id. at 9–10.
660 See id. at 3, 9–10.
661 See OTC Markets Letter at 15–16 (stating that ‘‘entities that do not have SRO immunity, such as ATSs, may be subject to liability based on information reported under Reg. SCI’s Rule 1000(b)(4)(iv) . . . [w]ithout a safe harbor and a guarantee of immunity, this kind of disclosure provides a roadmap for litigation against non-SRO SCI entities’’).

ii. Elimination of Proposed Safe Harbor for SCI Entities and Specification of Minimum Elements

As discussed in greater detail below, after careful consideration of the comments, and in light of the more focused scope of Regulation SCI, the Commission has determined not to adopt the proposed safe harbor for SCI entities.662 Rather, Rule 1001(b) sets forth non-exhaustive minimum elements that an SCI entity must include in its systems compliance policies and procedures. The Commission recognizes that the precise nature, size, technology, business model, and other aspects of each SCI entity’s business vary. Therefore, the minimum elements are intended to be general in order to accommodate these differences, and each SCI entity will need to exercise judgment in developing and maintaining specific policies and procedures that are reasonably designed to achieve systems compliance. The Commission also believes that SCI entities should consider the evolving nature of the securities industry, as well as industry practices and standards, in developing and maintaining such policies and procedures. As such, the elements specified in Rule 1001(b) are non-exhaustive, and each SCI entity should consider on an ongoing basis what steps it needs to take in order to ensure that its policies and procedures are reasonably designed.

662 The Commission’s decision not to adopt an SCI entity safe harbor also addresses a commenter’s concern that the inclusion of a safe harbor provision in Rule 1001(b) could unnecessarily and severely limit the Commission’s ability to deter violations through meaningful enforcement actions. See supra notes 633–634 and accompanying text. As discussed in Section IV.B.2.d below, however, the Commission is adopting a safe harbor for personnel of SCI entities.
In the SCI Proposal, the Commission stated that, “[b]ecause of the complexity of SCI systems and the breadth of the federal securities laws and rules and regulations thereunder and the SCI entities’ rules and governing documents, the Commission preliminarily believes that it would be appropriate to provide an explicit safe harbor for SCI entities and their employees in order to provide greater clarity as to how they can ensure that their conduct will comply with [Rule 1000(b)(2)].” 663 One reason that the Commission is not adopting the proposed safe harbor for SCI entities is that the Commission has focused the scope of Regulation SCI as adopted. For example, adopted Rule 1001(b) requires policies and procedures that are reasonably designed to ensure compliance with “the Act”—rather than operating “in the manner intended, including in a manner that complies with the federal securities laws” as was proposed—and the rules and regulations thereunder, and the SCI entity’s rules and governing documents. Therefore, the requirement under adopted Rule 1001(b) is more targeted than the requirement under proposed Rule 1000(b)(2), and alleviates some of the concern regarding the “breadth of the federal securities laws and rules and regulations thereunder” that was expressed in the SCI Proposal. The Commission expects that SCI entities are familiar with their obligations under the Exchange Act, the rules and regulations thereunder, and their own rules and governing documents. In addition, as discussed in Section IV.A.2.b above, the Commission has further focused the scope of SCI systems, which also alleviates some of the concern regarding the “complexity of SCI systems” that was expressed in the SCI Proposal.664
663 See Proposing Release, supra note 13, at 18115.
664 See id.
Further, as noted above, in the SCI Proposal, the Commission stated its preliminary belief that it would be appropriate to provide an explicit safe harbor for SCI entities in order to provide greater clarity on how they could comply with proposed Rule 1000(b)(2).665 Rather than achieving this goal, commenters argued that the proposed safe harbor merely further defined the elements that the policies and procedures must have, and did not include sufficient guidance or specificity to SCI entities seeking to rely on it.666 For example, one commenter noted that the policies and procedures specified in the safe harbor would still need to be “reasonably designed.” 667 Further, the Commission acknowledges some commenters’ concern that the proposed safe harbor, “with its prescriptive requirements,” could evolve into the de facto rule itself.668
As discussed above, the Commission is not adopting a safe harbor for SCI entities. Rather, adopted Rule 1001(b)(1) requires an SCI entity to have reasonably designed policies and procedures to achieve systems compliance and adopted Rule 1001(b)(2) specifies non-exhaustive, general minimum elements that an SCI entity must include in its systems compliance policies and procedures. These minimum elements are based on the elements contained in the proposed safe harbor for SCI entities, but modified in response to concerns raised by commenters. As adopted, Rules 1001(b)(1) and (b)(2) specify the minimum elements of reasonably designed policies and procedures to achieve systems compliance, and at the same time provide flexibility by permitting an SCI entity to establish policies and procedures that are reasonably designed based on the nature, size, technology, business model, and other aspects of its business. Moreover, the Commission believes that, by specifying non-exhaustive, general minimum elements of systems compliance policies and procedures, the rule will encourage SCI entities to actively build and improve upon the compliance of their systems rather than limit their compliance to bright-line tests or the fixed elements of a safe harbor, and encourage the evolution of sound practices over time. In addition, the Commission notes that there currently are no publicly available written industry standards regarding systems compliance that are applicable to all SCI entities that can serve as the basis for a clear, objective safe harbor, as there is with current SCI industry standards (e.g., the publications listed in staff guidance) relating to operational capability. Even if such standards existed, the Commission believes that the specificity necessary to achieve the goal of a clear, objective safe harbor would disincentivize SCI entities from continuing to improve their systems over time. Finally, the Commission believes that, because the minimum elements specified in Rule 1001(b)(2) are non-exhaustive, Rule 1001(b) can accommodate the possibility that, as technology evolves, additional or updated elements could become appropriate for SCI entities to include in their systems compliance policies and procedures to ensure that such policies and procedures remain reasonably designed on an ongoing basis.
iii. Response to Other Comments on the SCI Entity Safe Harbor
With respect to commenters who requested clarification on the protection of the safe harbor for inadvertent violations of other laws and rules despite compliance with Regulation SCI,669 as noted above, the Commission clarifies that liability under Regulation SCI is separate and distinct from liability for other violations that may arise from the underlying SCI events under other laws and rules. Specifically, Regulation SCI imposes new requirements on SCI entities and is not intended to alter the standards for determining liability under other laws or rules. Therefore, if an SCI entity is in compliance with Regulation SCI but inadvertently violates another law or rule, whether or not the SCI entity will be liable under the other law or rule depends on the standards for determining liability under such law or rule. Because the new requirements under Regulation SCI are separate and distinct from existing requirements under other laws or rules, Regulation SCI is not a shield from liability under such laws or rules.
The Commission also does not believe that it would be appropriate to provide a safe harbor for all problems that are self-reported by SCI entities and individuals or that are discovered and remediated without regulatory intervention, as suggested by commenters.670 In particular, Rule 1001(b) is intended to help ensure that SCI entities operate their systems in compliance with the Exchange Act and relevant rules in the first place, and thus is not only focused on helping to ensure that SCI entities appropriately respond to a compliance issue (e.g., by taking corrective action or reporting the issue to the Commission) after it has occurred and impacted the market or market participants. Therefore, the Commission does not believe that the suggested self-report or remediation safe harbors will effectively further this intent of Rule 1001(b). In particular, the Commission notes that reporting and remediation of SCI events are separately required under Rules 1002(b) and (a) of Regulation SCI, respectively. The purposes of Rule 1002(b) include keeping the Commission informed of SCI events after they have occurred. Moreover, Rule 1002(a) is intended to ensure that SCI entities remedy a systems issue and mitigate the resulting harm after the issue has already occurred. The Commission believes that, if an SCI entity is protected from liability under Rule 1001(b) simply because it self-reported systems compliance issues or discovered and remediated systems compliance issues without regulatory intervention, the SCI entity will not be effectively incentivized to have reasonably designed policies and procedures to ensure systems compliance in the first place. As discussed above, the occurrence of an SCI event will not necessarily cause a violation of Regulation SCI. Further, the occurrence of a systems compliance issue also does not necessarily mean that the SCI entity will be subject to an enforcement action. Rather, the Commission will exercise its discretion to initiate an enforcement action if the Commission determines that action is warranted, based on the particular facts and circumstances of an individual situation.
As discussed above, some commenters expressed concern that the occurrence of a significant systems issue would mean that an SCI entity did not have reasonable policies and procedures and therefore suggested “objective” safe harbors.671 The Commission notes that all SCI entities are required to comply with the Exchange Act, the rules and regulations thereunder, and their own rules and governing documents, as applicable, and the purpose of Rule 1001(b) is to effectively help ensure compliance of the operation of SCI systems with these laws and rules.
665 See id.
666 See supra notes 638–639, 643–648 and accompanying text. With respect to the group of commenters who suggested that the safe harbor should give SCI entities a clear, affirmative defense from allegations of having violated Regulation SCI, as discussed above, the Commission is eliminating the proposed safe harbor for SCI entities. See supra note 643. As discussed below, the Commission believes that, by specifying non-exhaustive minimum elements that an SCI entity must include in its systems compliance policies and procedures, the rule will encourage SCI entities to actively build and improve upon the compliance of their systems, rather than limit their compliance to some fixed elements of a safe harbor.
667 See supra notes 638–639 and accompanying text. This commenter also compared the proposed SCI entity safe harbor to other rules, stating that the other rules requiring policies and procedures recognize the need for those policies and procedures to be reasonably designed in light of the manner in which business is conducted. See supra note 640 and accompanying text. Rule 1001(b), as adopted, requires policies and procedures to be “reasonably designed” to ensure the compliance of SCI systems. Therefore, Rule 1001(b) recognizes the need for policies and procedures to be reasonably designed in light of the manner in which an SCI entity’s business is conducted.
668 See supra note 637 and accompanying text and supra note 640. The Commission acknowledges that some commenters who believed that the proposed safe harbor was inadequate also advocated for alternative safe harbors, such as those that require knowledge or recklessness for liability. These comments are discussed below in Section IV.B.2.b.iii.
669 See supra notes 655 and 660 and accompanying text.
670 See supra notes 657 and 659 and accompanying text.
The Commission does not believe that Rule 1001(b) would further this goal to the same degree if the Commission were to adopt commenters’ safe harbor suggestions (i.e., an SCI entity is deemed to be in compliance with Rule 1001(b) so long as: The SCI entity is not knowingly out of compliance; such noncompliance is not intentional, reckless, or in bad faith; or there is no pattern of non-compliance) because, with these suggested “objective” safe harbors, SCI entities may not be effectively incentivized to establish, maintain, and enforce reasonably designed policies and procedures to ensure systems compliance. Moreover, the Commission notes that Rule 1001(b) requires “reasonably designed” policies and procedures, which already provides flexibility to SCI entities in complying with the rule.
The Commission also emphasizes again that, while it is eliminating the safe harbor for SCI entities, the occurrence of a systems compliance issue may be probative, but is not determinative, of whether an SCI entity violated Regulation SCI. As noted above, an SCI entity would not be deemed to be in violation of Rule 1001(b)(1) merely because it experienced a systems compliance issue. Further, the occurrence of a systems compliance issue also does not necessarily mean that the SCI entity will be subject to an enforcement action. Rather, the Commission will exercise its discretion to initiate an enforcement action if the Commission determines that action is warranted, based on the particular facts and circumstances of an individual situation.
Further, as noted above, one commenter recommended that the Commission provide a safe harbor where no technology error or problem has occurred, but the policies and procedures might benefit from improvements.672 The Commission believes that there may be instances where an SCI entity’s policies and procedures might benefit from improvement, even though they are reasonably designed. In such instances, the SCI entity is in compliance with Rule 1001(b) and therefore does not need a safe harbor. At the same time, the Commission notes that there may be instances where no technology error or problem has occurred, but an SCI entity’s policies and procedures with regard to systems compliance might nonetheless be deficient and not satisfy the requirements of Rule 1001(b). The Commission does not believe that it would be appropriate to provide a safe harbor in these instances. As noted above, Rule 1001(b) is intended to help ensure that SCI entities operate their SCI systems in compliance with the Exchange Act and relevant rules.
671 See supra notes 650–654 and accompanying text. As discussed above, some of these commenters suggested that the safe harbor should protect SCI entities from enforcement action except in cases of intentional or reckless non-compliance, or patterns of non-compliance with Regulation SCI. See supra note 650 and accompanying text. As an alternative to the intentional and recklessness standard, one of these commenters requested that the Commission specifically state that the Commission will not pursue enforcement actions against SCI entities that establish, maintain, and enforce systems compliance policies and procedures or act in good faith, notwithstanding a violation of Regulation SCI. See supra note 651 and accompanying text. One commenter noted that it should be sufficient for an SCI entity to qualify for the safe harbor if it adopts policies and procedures reasonably designed to comply with Regulation SCI and does not knowingly violate such policies and procedures. See supra note 654 and accompanying text.
The Commission does not believe that a safe harbor that effectively insulates deficient policies and procedures will further the intent of this rule. Further, the Commission notes that one requirement of Rule 1001(b)(1) is that an SCI entity “maintain” its policies and procedures. To explicitly set forth an SCI entity’s obligation to review and update its policies and procedures, similar to Rule 1001(a), the Commission is adopting a requirement for periodic review by an SCI entity of the effectiveness of its systems compliance policies and procedures, and prompt action by the SCI entity to remedy deficiencies in such policies and procedures.673 The Commission notes that an SCI entity will not be found to be in violation of this maintenance requirement solely because it failed to identify a deficiency immediately after the deficiency occurred, if the SCI entity takes prompt action to remedy the deficiency once it is discovered, and the SCI entity had otherwise appropriately reviewed the effectiveness of its policies and procedures and took prompt action to remedy those deficiencies that were discovered.
Finally, as noted above, one commenter believed that, without a safe harbor and a guarantee of immunity (such as the regulatory immunity of SROs), information provided to the Commission pursuant to Rule 1000(b)(4)(iv) would provide a roadmap for litigation. As discussed below in Section IV.B.3.c, the Commission acknowledges that, if an SCI entity experiences an SCI event, it could become the subject of litigation (including private civil litigation). At the same time, the Commission notes that the information submitted to the Commission pursuant to Regulation SCI will be treated as confidential, subject to applicable law.674 On the other hand, the Commission acknowledges that it could consider the information provided to the Commission pursuant to Rule 1002(b) in determining whether to initiate an enforcement action. The Commission notes that all SCI entities are required to comply with the Exchange Act, the rules and regulations thereunder, and their own rules and governing documents, as applicable, and the requirement for Commission notification of systems compliance issues is intended to assist the Commission in its oversight of such compliance. With respect to the regulatory immunity of SROs, the Commission notes that, although courts have found that SROs are entitled to absolute immunity from private claims under certain circumstances,675 if an SRO fails to comply with the provisions of the Exchange Act, the rules or regulations thereunder, or its own rules, the Commission is still authorized to impose sanctions.676 As such, like other SCI entities, SROs are not immune from Commission sanctions. Finally, as discussed in detail above, the Commission does not believe that it would be appropriate to provide a safe harbor for all problems that are self-reported to the Commission by SCI entities and individuals.
c. Minimum Elements of Reasonable Policies and Procedures
The safe harbor for SCI entities in proposed Rule 1000(b)(2)(ii) specified that, to qualify for the safe harbor, the SCI entity’s policies and procedures must be reasonably designed to provide for: (1) Testing of all SCI systems and any changes to such systems prior to implementation; (2) periodic testing of all SCI systems and any changes to such systems after their implementation; (3) a system of internal controls over changes to SCI systems; (4) ongoing monitoring of the functionality of SCI systems to detect whether they are operating in the manner intended; (5) assessments of SCI systems compliance performed by personnel familiar with applicable federal securities laws and rules and regulations thereunder and the SCI entity’s rules and governing documents, as applicable; and (6) review by regulatory personnel of SCI systems design, changes, testing, and controls to prevent, detect, and address actions that do not comply with applicable federal securities laws and rules and regulations thereunder and the SCI entity’s rules and governing documents, as applicable. In the SCI Proposal, the Commission asked whether each element of the proposed safe harbor for SCI entities was appropriate.677 Several commenters addressed one or more of the proposed safe harbor elements.
As discussed above, rather than adopting the proposed safe harbor for SCI entities, the Commission is specifying non-exhaustive, general minimum elements that an SCI entity must include in its systems compliance policies and procedures. The minimum elements are based on the proposed safe harbor. These elements are: (i) Testing of all SCI systems and any changes to SCI systems prior to implementation; (ii) a system of internal controls over changes to SCI systems; (iii) a plan for assessments of the functionality of SCI systems designed to detect systems compliance issues, including by responsible SCI personnel and by personnel familiar with applicable provisions of the Act and the rules and regulations thereunder and the SCI entity’s rules and governing documents; and (iv) a plan of coordination and communication between regulatory and other personnel of the SCI entity, including by responsible SCI personnel, regarding SCI systems design, changes, testing, and controls designed to detect and prevent systems compliance issues. Each of these elements is discussed below.
As noted above, some commenters requested more guidance or certainty regarding the safe harbor elements (e.g., by including bright-line tests and minimum standards).678 As discussed above in Section IV.B.2.b, the Commission is not adopting a safe harbor but is specifying the minimum elements that an SCI entity must include in its systems compliance policies and procedures. By generally requiring policies and procedures to be reasonably designed and specifying non-exhaustive, general minimum elements of systems compliance policies and procedures, the Commission intends to provide specificity on how to comply with Rule 1001(b), and at the same time provide a reasonable degree of flexibility to SCI entities in establishing and maintaining policies and procedures that are appropriately tailored to each SCI entity.
672 See supra note 659 and accompanying text.
673 See Rule 1001(b)(3). The adoption of this review and update requirement is consistent with the views of some commenters. See supra notes 620 and accompanying text (discussing a commenter’s suggestion that policies and procedures should be reviewed and updated as part of the annual SCI review process) and 658 and accompanying text (discussing a commenter’s suggestion that Regulation SCI should encourage parties to discover and remediate deficiencies in policies and procedures). The Commission notes that Rule 1001(b)(3) requires SCI entities to review and update their systems compliance policies and procedures rather than simply “encourage” the discovery and remediation of deficiencies because, in order to achieve the intended benefits of Rule 1001(b), an SCI entity’s systems compliance policies and procedures must remain reasonably designed. If the Commission simply encourages SCI entities to review and update their systems compliance policies and procedures, the Commission believes that there would be a greater likelihood that such policies and procedures might become outdated and less effective in preventing systems compliance issues.
674 The Commission notes that the General Instructions to Form SCI, Item G. Paperwork Reduction Act Disclosure, provides that the Commission “will keep the information collected pursuant to Form SCI confidential to the extent permitted by law.” See infra Section IV.C.2.
675 The Commission notes that SRO immunity applies only under certain circumstances. In particular, “when acting in its capacity as a SRO, [the SRO] is entitled to immunity from suit when it engages in conduct consistent with the quasi-governmental powers delegated to it pursuant to the Exchange Act and the regulations and rules promulgated thereunder.” See DL Capital Group, LLC v. NASDAQ Stock Market, Inc., 409 F.3d 93, 97 (2d Cir. 2005) (quoting D’Alessio v. New York Stock Exchange, Inc., 258 F.3d 93, 106 (2d Cir. 2001)).
676 See 15 U.S.C. 78s(g).
677 See Proposing Release, supra note 13, at 18116–17.
Regarding elements (1) and (2) of the proposed safe harbor, a few commenters opposed the inclusion of a requirement that an SCI entity conduct periodic testing of systems absent systems changes.679 One commenter stated that it performs testing prior to implementation of trading systems changes in the production environment and conducts regression testing to ensure that the changes did not introduce any undesired side-effects.680 This commenter explained that the proposed periodic testing requirement would impose additional cost and not provide any benefit.681 One commenter believed that the pre- and post-implementation testing components of the safe harbor, which would apply to all systems changes, could potentially drive SCI entities to take a narrow view of what constitutes a systems change.682 Another commenter sought further guidance from the Commission on the scope of periodic testing of all SCI systems and whether, for example, systems testing would be required following a systems change if the SCI entity has already provided notice of the systems change to the Commission.683 One commenter requested clarification that the testing described in proposed Rules 1000(b)(2)(ii)(A)(1) and (2) refers to testing to ensure that SCI systems operate in the manner intended, and noted that testing should not be required to be periodic, but instead should be based on the relative risks of non-compliance arising from any changes being introduced into production or any changes to the applicable laws or rules.684 One commenter stated that it believed that the frequency and type of testing under proposed Rules 1000(b)(2)(ii)(A)(1) and (2) are open to interpretation.685
After consideration of the views of commenters, the Commission believes that testing of SCI systems and changes to such systems prior to implementation is appropriate for inclusion as a required element of systems compliance policies and procedures. As noted in the SCI Proposal, elements (1) and (2) of the proposed safe harbor were intended to help SCI entities to identify potential problems before such problems have the ability to impact markets and investors.686 The Commission believes that testing prior to implementation of SCI systems and prior to implementation of any SCI systems changes would likely be an important component for achieving this goal and it is included as a required element of systems compliance policies and procedures.687 In contrast, the Commission believes that the value of the proposed element for additional testing in the absence of systems changes may be variable, depending on the SCI system or change to an SCI system at issue.688 At the same time, each SCI entity should consider on an ongoing basis what steps it needs to take in order to ensure that its policies and procedures are reasonably designed, including whether its policies and procedures should provide for testing of certain systems changes after their implementation to ensure that they operate in compliance with the Exchange Act and relevant rules.
With regard to element (3) of the proposed safe harbor, one commenter stated that it is unclear what minimum standards are required for the internal controls under proposed Rule 1000(b)(2)(ii)(A)(3).689 As discussed above, the Commission believes it is appropriate to set forth minimum elements of systems compliance policies and procedures that are broad enough to provide SCI entities with reasonable flexibility to design their policies and procedures based on the nature, size, technology, business model, and other aspects of their businesses. Therefore, while the Commission believes that a system of internal controls over changes to SCI systems is appropriate for inclusion as a required element of systems compliance policies and procedures, the Commission is not specifying the minimum standard for internal controls. As stated in the SCI Proposal, a system of internal controls and ongoing monitoring of systems functionality are intended to help ensure that an SCI entity adopts a framework that will help it bring newer, faster, and more innovative SCI systems online without compromising due care, and to help prevent SCI systems from becoming noncompliant resulting from, for example, inattention or failure to review compliance with established written policies and procedures.
678 See supra notes 645–647 and accompanying text.
679 See FINRA Letter at 33; BATS Letter at 7; and ISE Letter at 7.
680 See ISE Letter at 7.
681 See id. See also FINRA Letter at 33.
682 See Direct Edge Letter at 6. This commenter expressed concern that, under the proposed approach, any opening of a customer port, the removal of access rights from a departing employee, and the previously unscheduled closing of the market for the death of a U.S. president all involve “changes” to SCI systems that need to be tracked, approved, and catalogued within the construct of an enterprise-wide change management system. See id. This commenter stated that these “changes” cannot all be tested, either prior to or after implementation, without an extraordinary amount of redundancy and bureaucracy, if at all. See id. This commenter therefore suggested requiring instead “[a]ppropriate testing of [SCI] systems and changes to such systems prior to their implementation.” See id.
683 See OCC Letter at 11.
684 See MSRB Letter at 13–14.
685 See NYSE Letter at 30.
686 See Proposing Release, supra note 13, at 18115.
687 With respect to a commenter’s concern that “changes” to SCI systems could include, for example, any opening of a customer port, the removal of access rights from a departing employee, and the previously unscheduled closing of the market for the death of a U.S. president, the Commission does not view these as changes to an SCI entity’s systems, because the Commission believes that these actions are part of an SCI entity’s standard operations. See supra note 682. In particular, the Commission believes that the opening of a customer port, the removal of access rights, and the closing of the market are existing functionalities at SCI entities, and are routinely performed by SCI entities without the need to change existing functionalities.
688 See supra notes 681–682 and accompanying text. The Commission notes that a commenter asked about the scope of periodic testing under the proposed safe harbor, and whether systems testing under the proposed safe harbor would be required following a systems change if the SCI entity has already provided notice of the systems change to the Commission. Another commenter noted that testing under the proposed safe harbor should not be required to be periodic, but instead could be based on the relative risks of non-compliance arising from any changes being introduced into production or any changes to applicable laws or rules. The Commission is not requiring periodic testing or testing following systems changes in Rule 1001(b), and, as discussed above, the Commission is not adopting the proposed safe harbor.
689 See NYSE Letter at 30.
The Commission believes that such internal controls would likely include, for example, protocols that provide for: Communication and cooperation between legal, business, technology, and compliance departments in an SCI entity; appropriate authorization of systems changes by relevant departments of the SCI entity prior to implementation; review of systems changes by legal or compliance departments prior to implementation; and monitoring of systems changes after implementation.

With regard to elements (4)–(6) of the proposed safe harbor, one commenter noted that the proposed requirement related to ongoing monitoring was too broad and should be eliminated or revised to be more flexible.690 This commenter noted that the proposal for ‘‘monitoring of the functionality of [SCI] systems to detect whether they are operating in the manner intended’’ is potentially quite broad and seems to suggest some form of independent validation.691 Another commenter asked the Commission to clarify how the testing requirements in proposed Rules 1000(b)(2)(ii)(1) and (2) (testing prior to and after implementation) differ from those in proposed Rule 1000(b)(2)(ii)(A)(5) (assessments of systems compliance by personnel familiar with applicable laws and rules).692 One commenter noted that the monitoring, assessments, and reviews under proposed Rules 1000(b)(2)(ii)(A)(4), (5), and (6) are unclear.693 Two commenters sought guidance on how an SCI entity could satisfy the requirements related to reviews and assessments by legal and compliance personnel (i.e., proposed Rules 1000(b)(2)(ii)(A)(5) and (6)).694 One of these commenters suggested that each SCI entity be given the discretion to determine the level of familiarity necessary to qualify as personnel able to undertake the assessments and which personnel are regulatory personnel, and asked whether these two categories of personnel are different.695 Another commenter also sought clarification on the meaning of the term ‘‘regulatory personnel’’ and suggested that each SCI entity should have discretion in determining which of its employees constitute regulatory personnel.696 One commenter expressed concern that review by regulatory personnel of SCI systems would unreasonably expose non-technology persons to potential liability if an SCI entity suffers a malfunction.697

After consideration of the views of commenters, the Commission believes that ‘‘a plan for assessments of the functionality of SCI systems designed to detect systems compliance issues, including by responsible SCI personnel and by personnel familiar with applicable provisions of the Act and the rules and regulations thereunder and the SCI entity’s rules and governing documents’’ is appropriate for inclusion as a required element of systems compliance policies and procedures. In particular, rather than ‘‘ongoing monitoring of the functionality of [SCI] systems to detect whether they are operating in the manner intended’’ and also ‘‘assessments of SCI systems compliance . . . ,’’ the Commission believes that ‘‘a plan for assessments’’ of SCI systems compliance would be more appropriate.698 The Commission notes that ‘‘a plan for assessments’’ could include, for example, not only a plan for monitoring, but also a plan for testing or assessments, as appropriate, and at a frequency (e.g., periodic or continuous) that is based on the SCI entity’s risk assessment of each of its SCI systems.699 The Commission is not specifying the manner and frequency of assessments that must be set forth in such plan because the Commission believes that each SCI entity will likely be in the best position to assess and determine the assessment plan that is most appropriate for its SCI systems. The Commission emphasizes that the nature and frequency of the assessments contemplated by an SCI entity’s plan will vary based on a range of factors, including the entity’s governance structure, business lines, and legal and compliance framework. The plan for assessments does not require the SCI entity to conduct a specific kind of assessment, nor does it require that assessments be performed at a certain frequency. The plan, however, may address the specific reviews required by Rule 1003(b)(1).

In addition, in response to a commenter’s concern that the proposed safe harbor element of ‘‘monitoring of the functionality of [SCI] systems to detect whether they are operating in the manner intended’’ is potentially quite broad and seems to suggest some form of independent validation, the Commission notes that it is not requiring SCI entities to include independent validation in their assessment plans.700 However, if an SCI entity determines that its reasonably designed systems compliance policies and procedures should provide for independent validation in its assessment plan under certain circumstances, then the SCI entity should design its policies and procedures accordingly. In that case, pursuant to Rule 1001(b), which requires an SCI entity to establish, maintain, and enforce its written policies and procedures, the SCI entity would be required to enforce its own policies and procedures, including those related to independent validation.

In addition, the Commission believes that ‘‘a plan of coordination and communication between regulatory and other personnel of the SCI entity, including by responsible SCI personnel, regarding SCI systems design, changes, testing, and controls designed to detect and prevent systems compliance issues’’ is appropriate for inclusion as a required element of systems compliance policies and procedures. As noted in the SCI Proposal, assessments of SCI systems compliance by personnel familiar with applicable laws and rules and regulatory personnel review of SCI systems design, changes, testing, and controls are intended to help foster coordination between the information technology and regulatory staff of an SCI entity so that SCI events and other issues related to SCI systems would be more likely to be addressed by a team of staff in possession of the requisite range of knowledge and skills.701 They are also intended to help ensure that an SCI entity’s business interests do not undermine regulatory, surveillance, and compliance functions and, more broadly, the requirements of the Exchange Act, during the development, testing, implementation, and operation processes for SCI systems.702 The Commission believes that a plan of coordination and communication between regulatory and other personnel, including by responsible SCI personnel, would further these same goals.

The Commission expects that an SCI entity will determine for itself the responsible SCI personnel and other personnel who have sufficient knowledge of relevant laws and rules to be able to effectively implement systems assessments,703 such that the SCI entity’s policies and procedures are reasonably designed to ensure that SCI systems operate in compliance with the Exchange Act and relevant rules, as required by Rule 1001(b).704 Similarly, the Commission expects that an SCI entity will determine for itself the regulatory and other personnel, including responsible SCI personnel, who have sufficient knowledge with respect to the legal and technical aspects of systems design, changes, testing, and controls to engage in coordination and communication regarding such operations, such that the SCI entity’s policies and procedures are reasonably designed to ensure that its SCI systems operate in compliance with the Exchange Act and relevant rules, as required by Rule 1001(b).705

One commenter sought clarity on how an SCI entity would satisfy the requirement that it does ‘‘not have reasonable cause to believe the policies and procedures were not being complied with.’’706 Another commenter stated that there is no guidance for SCI entities on how to appropriately follow the procedures that they have developed and stated that as proposed, it would be reasonable to interpret the safe harbor as excluding any SCI entity that suffers a significant systems event.707 One commenter believed that the Commission should resolve any potential ambiguity between the requirements of proposed Rule 1000(b)(2)(ii)(C)(1) (requiring SCI entities to reasonably discharge the duties and obligations set forth in the policies and procedures) and proposed Rule 1000(b)(2)(ii)(C)(2) (requiring that SCI entities not have reasonable cause to believe such policies and procedures were not being complied with).708 As discussed throughout this section, the Commission is not adopting the proposed safe harbor for SCI entities. Therefore, as adopted, Rule 1001(b) does not include the provisions of proposed Rules 1000(b)(2)(ii)(B) and (C).

690 See FINRA Letter at 33–34.
691 See id.
692 See MSRB Letter at 13.
693 See NYSE Letter at 30.
694 See FINRA Letter at 34–35; and MSRB Letter at 13.
695 See MSRB Letter at 13–14.
696 See OCC Letter at 11. See also FINRA Letter at 34–35 (requesting more guidance on which types of personnel are intended to fulfill the requirements of proposed Rules 1000(b)(2)(ii)(A)(5) and (6)).
697 See ITG Letter at 14.
698 The Commission notes that ‘‘a plan for assessments’’ is derived from a combination of the ‘‘ongoing monitoring’’ and ‘‘assessments’’ elements of the proposed SCI entity safe harbor. Because ‘‘a plan for assessments’’ could provide for ongoing (i.e., periodic or continuous) monitoring, the Commission believes that it would be duplicative to include both monitoring and a plan for assessments as required elements of systems compliance policies and procedures.
699 See supra note 690 and accompanying text (discussing the view of a commenter that the proposed element of the SCI entity safe harbor related to ongoing monitoring was too broad and should be eliminated or revised to be more flexible) and supra note 694 and accompanying text (discussing comments seeking guidance on how an SCI entity could satisfy the requirements related to reviews and assessments by legal and compliance personnel). Further, in response to a commenter, a plan for assessments is different from the testing of SCI systems prior to implementation of systems changes. See supra note 692 and accompanying text.
700 See supra note 691 and accompanying text.
701 See Proposing Release, supra note 13, at 18116.
702 For example, profit incentive could lead an SCI entity to introduce a new functionality before regulatory personnel are able to adequately check that the functionality will operate in compliance with relevant laws and rules.
703 See supra notes 694–696 and accompanying text (describing comments on the proposed safe harbor related to who would be involved in systems assessments).
704 Criteria for identification of such personnel could, for example, be set forth in the SCI entity’s systems compliance policies and procedures.
705 Some commenters expressed concern regarding the potential liability for regulatory personnel. See supra note 697 and accompanying text. The Commission discusses individual liability in Section IV.B.2.d below.
Further, the Commission believes that proposed Rules 1000(b)(2)(ii)(B) and (C) reiterated the requirements for SCI entities to establish, maintain, and enforce their systems compliance policies and procedures, and provided an example of how SCI entities could satisfy these requirements. For example, the SCI Proposal noted that proposed Rules 1000(b)(2)(ii)(B) and (C) specified that an SCI entity’s policies and procedures must be reasonably designed to achieve SCI systems compliance, and that, as part of such policies and procedures, the SCI entity must establish and maintain systems for applying those policies and procedures, and enforce its policies and procedures, in a manner that would reasonably allow it to prevent and detect violations of the policies and procedures.709 The Commission believes that Rule 1001(b), as adopted, provides flexibility to SCI entities regarding their methods for establishing, maintaining, and enforcing their systems compliance policies and procedures.

d. Individual Safe Harbor

Proposed Rule 1000(b)(2)(iii) set forth a safe harbor for individuals. It provided that a person employed by an SCI entity would be deemed not to have aided, abetted, counseled, commanded, caused, induced, or procured the violation by any other person of proposed Rule 1000(b)(2)(i) if the person employed by the SCI entity has reasonably discharged the duties and obligations incumbent upon such person by the policies and procedures, and was without reasonable cause to believe that such policies and procedures were not being complied with in any material respect. In the SCI Proposal, the Commission asked whether commenters agreed with the requirements of the proposed safe harbor for employees of SCI entities, and whether a similar safe harbor should be available to individuals other than employees of SCI entities.710

Some commenters specifically addressed the proposed safe harbor for individuals.711 Several commenters urged that individuals not be subject to liability under Regulation SCI absent an intentional act of willful misconduct.712 Two commenters questioned the need for a safe harbor for individuals generally,713 and one commenter stated that inclusion of a safe harbor would unnecessarily and severely limit the Commission’s ability to deter violations through meaningful enforcement actions.714 Two commenters questioned why the proposed safe harbor for individuals was limited to SCI entity employees.715 One commenter expressed concern that the proposed safe harbor for individuals could be counterproductive and create an environment of second-guessing and distrust, where employees act in a way to avoid potential liability (i.e., each person would be effectively deputized to police others’ actions).716 A few commenters added that the proposed safe harbor for individuals, and the resulting implication of potential individual liability, may have the unintended consequence of limiting the ability of SCI entities to hire the best available talent in information technology, risk-management, and compliance disciplines.717 One commenter questioned why the proposed safe harbor for individuals would apply only to actions of aiding any other person and not apply to any actions of the reporting individual.718

After careful consideration of these comments, the Commission is adopting the individual safe harbor with certain modifications. With respect to the commenter who expressed concern that a safe harbor would ‘‘unnecessarily and severely’’ limit the Commission’s ability to deter violations through meaningful enforcement actions,719 the Commission notes that Regulation SCI only imposes obligations directly on SCI entities and the Commission is not adopting a safe harbor for SCI entities. Further, personnel of SCI entities qualify for the individual safe harbor under Rule 1001(b) only if they satisfy certain requirements.720 In particular, in connection with a Commission finding that an SCI entity violated Rule 1001(b), the individual safe harbor will not apply if an SCI entity personnel failed to reasonably discharge his or her duties and obligations under the policies and procedures. In addition, for an SCI entity personnel who is responsible for or has supervisory responsibility over an SCI system, the individual safe harbor also will not apply if he or she had reasonable cause to believe that the policies and procedures related to such an SCI system were not in compliance with Rule 1001(b) in any material respect. Therefore, the Commission does not believe that the individual safe harbor will ‘‘unnecessarily and severely’’ limit the Commission’s ability to deter violations.

With respect to commenters who questioned the need for an individual safe harbor because Rule 1001(b) imposes an obligation on SCI entities,721 the Commission agrees that Regulation SCI imposes direct obligations on SCI entities, and does not impose obligations directly on personnel of SCI entities. At the same time, as with all other violations of the Exchange Act and rules that impose obligations on an entity, there is a potential for secondary liability for an individual who aided and abetted or caused a violation. The Commission is therefore revising the individual safe harbor to clarify that personnel of an SCI entity shall be deemed not to have aided, abetted, counseled, commanded, caused, induced, or procured the violation by ‘‘an SCI entity’’ (rather than ‘‘any other person’’) of Rule 1001(b) if the elements of the safe harbor are satisfied.

As noted above, one commenter questioned why the proposed safe harbor for individuals would only apply to actions of aiding another and not apply to any direct violative action of the reporting individual.722 The Commission notes that the individual safe harbor only applies to actions of aiding, abetting, counseling, commanding, causing, inducing, or procuring the violation by an SCI entity because Regulation SCI does not impose any direct obligations on personnel of SCI entities. Therefore, individuals could not be found to be in violation of Regulation SCI, except through aiding, abetting, counseling, commanding, causing, inducing, or procuring the violation by an SCI entity of Regulation SCI.

706 See FINRA Letter at 35.
707 See OTC Markets Letter at 15.
708 See MSRB Letter at 13–15.
709 See Proposing Release, supra note 13, at 18116.
710 See id. at 18117, question 103.
711 See, e.g., Angel Letter; Direct Edge Letter; FINRA Letter; FSR Letter; and MSRB Letter.
712 See Direct Edge Letter at 6; and MSRB Letter at 17. See also supra notes 650 and 654 and accompanying text (discussing comments suggesting individual safe harbors). One commenter suggested that the safe harbor should provide that a person employed by an SCI entity shall be deemed not to have aided, abetted, counseled, commanded, caused, induced, or procured the violation by any other person unless such violation directly or indirectly relates to the duties and obligations of such person under the policies and procedures described in Rule 1000(b)(2)(i) and such person: (A) Has not reasonably discharged the applicable duty or obligation under such policies and procedures; (B) was not directed by his or her supervisor, SCI entity legal counsel, SCI senior management, or the governing body of the SCI entity to act in a manner that would constitute such a failure to discharge such duty or obligation; and (C) acted recklessly or intentionally with respect to such failure to discharge such duty or obligation. See MSRB Letter at 17. The Commission believes that elements (A) and (B) of this commenter’s suggestion are consistent with the adopted individual safe harbor. In particular, the Commission notes that the safe harbor specifies that an individual must have reasonably discharged the duties and obligations incumbent upon such person by the SCI entity’s policies and procedures. The Commission believes that there can be instances where a person has reasonably discharged his or her duties and obligations under the SCI entity’s policies and procedures, even though such person was directed by his or her supervisor, SCI entity legal counsel, SCI entity senior management, or the governing body of the SCI entity to act in a manner that is inconsistent with his or her duties that are set forth in the policies and procedures. For example, the SCI entity’s reasonably designed policies and procedures could specifically set forth circumstances where certain personnel of the SCI entity may direct another person to act outside of his or her duties or obligations that are set forth in the policies and procedures.
713 See FINRA Letter at 35; and FSR Letter at 3–8 (stating that the proposed rule lacks clarity over why individuals need a safe harbor when the policies and procedures requirement is placed exclusively on SCI entities, and lacks clarity regarding to whom SCI entities or SCI personnel would be liable for a breach and how liability would be apportioned between market participants for an SCI event). See also MSRB Letter at 15 (seeking further clarification from the Commission regarding the nature of the potential liabilities faced by individuals).
714 See Better Markets Letter at 6.
715 See FINRA Letter at 35; and MSRB Letter at 17. These commenters suggested extending the safe harbor to contractors, consultants, and other non-employees used by SCI entities in connection with their SCI systems. See FINRA Letter at 35; and MSRB Letter at 17.
716 See MSRB Letter at 15–17.
717 See Direct Edge Letter at 6; and MSRB Letter at 17.
718 See Angel Letter at 4.
719 See supra note 714 and accompanying text.
720 As discussed below in this section, the Commission is extending the safe harbor to all personnel of an SCI entity, rather than only persons employed by an SCI entity, as proposed.
721 See supra note 713 and accompanying text.
722 See supra note 718 and accompanying text.
With respect to commenters who suggested extending the individual safe harbor to contractors, consultants, and other non-employees used by SCI entities in connection with their SCI systems,723 the Commission agrees with these comments and is extending the safe harbor to all ‘‘personnel of an SCI entity,’’ rather than only persons employed by an SCI entity, as was proposed. Specifically, the Commission believes that contractors, consultants, and other similar non-employees may act in a capacity similar to an SCI entity’s employees, and thus should be able to avail themselves of the individual safe harbor if they satisfy its requirements.

To be covered by the individual safe harbor, for which the individual has the burden of proof, personnel of an SCI entity must: (i) Have reasonably discharged the duties and obligations incumbent upon such person by the SCI entity’s policies and procedures; and (ii) be without reasonable cause to believe that the policies and procedures relating to an SCI system for which such person was responsible, or had supervisory responsibility, were not established, maintained, or enforced in accordance with Rule 1001(b) in any material respect. Element (i) of the adopted individual safe harbor is substantively unchanged from the proposal. For the reasons discussed below in this section, element (ii) of the adopted individual safe harbor specifies that it applies only to a person who is responsible for or has supervisory responsibility over an SCI system. In addition, rather than requiring an individual to be without reasonable cause to believe that systems compliance policies and procedures ‘‘were not being complied with in any material respect’’ as proposed, element (ii) of the adopted safe harbor requires the applicable personnel to be without reasonable cause to believe that the relevant systems compliance policies and procedures ‘‘were not established, maintained, or enforced’’ in accordance with Rule 1001(b) in any material respect. The Commission notes that element (ii) of the adopted safe harbor tracks the language of the general requirement under Rule 1001(b) that an SCI entity ‘‘establish, maintain, and enforce’’ written policies and procedures reasonably designed to ensure systems compliance, and appropriately reflects the responsibilities of a person who is responsible for or has supervisory responsibility over an SCI system.724

The Commission believes that it is appropriate to not provide a safe harbor to a person with responsibility over an SCI system if such person had reasonable cause to believe that the policies and procedures for such system were not established, maintained, or enforced as required by Rule 1001(b) in a material respect. The limited application of this element to such personnel (rather than to any person employed by an SCI entity as proposed) is intended to mitigate commenters’ concerns that the proposed safe harbor would create an environment of distrust and limit the ability of SCI entities to hire high quality personnel.725 In particular, personnel who are not responsible for and do not have supervisory responsibility over SCI systems can qualify for the individual safe harbor, regardless of their belief regarding the reasonableness of the SCI entity’s systems compliance policies and procedures. Therefore, such personnel would not be ‘‘deputized to police’’ the actions of other personnel, as a commenter believed they would.726 Further, with respect to personnel who are responsible for or have supervisory responsibility over an SCI system, such personnel likely already have the responsibility to supervise others’ activities related to that SCI system, which would provide such personnel with information to form a reasonable belief regarding the reasonableness of the policies and procedures. Because Rule 1001(b) is intended to help prevent the occurrence of systems compliance issues at SCI entities, the Commission believes that it is appropriate for supervisory personnel to be knowledgeable regarding the entity’s policies and procedures regarding systems compliance, which may be accomplished through training provided by the SCI entity. Moreover, the Commission believes it is appropriate in the context of the safe harbor that, if a person with responsibility over an SCI system becomes aware of potential material non-compliance of the SCI entity’s policies and procedures related to that system, such person should take action to review and address, or direct other personnel to review and address, such material non-compliance.

Finally, to further mitigate commenters’ concern that potential individual liability may limit the hiring ability of SCI entities,727 as noted above, personnel of an SCI entity will not be deemed to have aided, abetted, counseled, commanded, caused, induced, or procured the violation by an SCI entity of Regulation SCI merely because the SCI entity experienced a systems compliance issue, whether or not the person was able to take advantage of the individual safe harbor. As noted above, with respect to a personnel of an SCI entity who is not responsible for and does not have supervisory responsibility over SCI systems, the safe harbor provides that such personnel shall be deemed not to have aided, abetted, counseled, commanded, caused, induced, or procured the violation by an SCI entity of Rule 1001(b) if such person has reasonably discharged the duties and obligations incumbent upon him or her by the systems compliance policies and procedures.

723 See supra note 715 and accompanying text.
724 As noted below, the Commission believes it is appropriate in the context of the safe harbor that, if a person with responsibility over an SCI system becomes aware of potential material non-compliance of the SCI entity’s policies and procedures related to that system, such person should take action to review and address, or direct other personnel to review and address, such material non-compliance.
725 See supra notes 716–717 and accompanying text.
726 See supra note 716 and accompanying text.
Therefore, unlike personnel who are responsible for or have supervisory responsibility over SCI systems, these persons would not be liable even if the SCI entity itself did not have reasonably designed systems compliance policies and procedures or did not enforce its policies and procedures, as long as they discharged their duties and obligations under the policies and procedures in a reasonable manner.728 The Commission believes this safe harbor is appropriate because the persons who will seek to rely on this safe harbor are those who do not have responsibility for the establishment, maintenance, and enforcement of the policies and procedures, or the actions of other personnel of the SCI entity.

With respect to commenters who argued that individuals should not be subject to liability under Regulation SCI absent an intentional act of willful misconduct,729 the Commission notes again that Regulation SCI imposes direct obligations only on SCI entities, and not on individuals. However, as with all other violations of provisions of the Exchange Act and rules that impose obligations on an entity, there is a potential for secondary liability for an individual who aided and abetted or caused a violation. As discussed above in the context of SCI entities, all SCI entities are required to comply with the Exchange Act, the rules and regulations thereunder, and their own rules and governing documents, as applicable, and the purpose of Rule 1001(b) is to effectively help ensure compliance of the operation of SCI systems with the Exchange Act, the rules and regulations thereunder, and their own rules and governing documents. The Commission does not believe that the rule would further this goal to the same degree if the Commission adopts commenters’ suggestions for the individual safe harbor (i.e., personnel of an SCI entity are permitted to cause an SCI entity to be out of compliance with Rule 1001(b) so long as the personnel did not act intentionally or willfully).

3. SCI Events: Corrective Action; Commission Notification; Dissemination of Information—Rule 1002

Adopted Rule 1002, which corresponds to proposed Rules 1000(b)(3)–(5), requires an SCI entity to take corrective action, notify the Commission, and disseminate information regarding certain SCI events.

a. Triggering Standard

As proposed, the obligation of an SCI entity to take corrective action (proposed Rule 1000(b)(3)), notify the Commission (proposed Rule 1000(b)(4)), and disseminate information (proposed Rule 1000(b)(5)) would have been triggered upon ‘‘any responsible SCI personnel becoming aware of’’ an SCI event.730 Proposed Rule 1000(a) defined ‘‘responsible SCI personnel’’ to mean, for a particular SCI system or SCI security system impacted by an SCI event, any personnel, whether an employee or agent, of an SCI entity having responsibility for such system.731 In the SCI Proposal, the Commission noted that this proposed definition was intended to include any personnel of the SCI entity having responsibility for the specific system(s) impacted by a given SCI event.732 The Commission stated that such personnel would include any technology, business, or operations staff with responsibility for such systems, and with respect to systems compliance issues, any regulatory, legal, or compliance personnel with legal or compliance responsibility for such systems.733 The Commission also explained that ‘‘responsible SCI personnel’’ would not be limited to managerial or senior-level employees of the SCI entity and could include junior personnel with responsibility for a particular system.734

After considering the views of commenters, the Commission is modifying the proposed standard for triggering corrective action, Commission notification, and dissemination of information obligations in adopted Rule 1002, including by amending the definition of responsible SCI personnel, as discussed below.

727 See supra note 717 and accompanying text.
728 The Commission believes that, in order for a person to reasonably discharge his duties and obligations under the SCI entity’s policies and procedures, that person must be able to understand his duties and obligations under such policies and procedures, which may be accomplished through training provided by the SCI entity.
729 See supra note 712 and accompanying text.
730 See proposed Rules 1000(b)(3), 1000(b)(4)(i)–(ii), and 1000(b)(5)(i)–(ii).
731 See proposed Rule 1000(a) and Proposing Release, supra note 13, at Section III.C.3.a.
732 See Proposing Release, supra note 13, at 18118.
733 See id.
Responsible SCI Personnel
Many commenters expressed concern that the proposed definition of responsible SCI personnel was too broad.735 These commenters generally urged the Commission to revise the scope of the definition to cover only those employees in management or supervisory roles that have responsibility over an SCI system, rather than including relatively junior or inexperienced employees.736 Some of these commenters stated that junior employees and/or technology personnel may not have the training or breadth of knowledge or experience necessary to identify, analyze, and determine whether a systems issue is an SCI event under the rule.737 Similarly, one commenter advocated limiting responsible SCI personnel to employees with full knowledge and authority over a system.738 Some commenters also suggested that SCI entities should have the discretion to decide which employees are responsible SCI personnel.739 Similarly, several commenters emphasized the importance of escalation policies and procedures, pursuant to which technology staff or junior employees could assess a systems problem and escalate the issue up the chain of command to management as well as legal and/or compliance personnel, who will help determine whether a systems issue was an SCI event and whether the obligations under Regulation SCI are triggered.740 These commenters argued that the rule should allow entities to adopt and follow such escalation procedures rather than triggering the obligations under Regulation SCI upon one employee’s awareness of a systems issue.741 One commenter also asserted that limiting the definition of responsible SCI personnel would be appropriate if the Commission also required a robust escalation procedure.742 Some commenters also expressed concern about the potential liability that responsible SCI personnel could face if the rule were adopted as proposed, given the breadth of the definition of ‘‘responsible SCI personnel.’’ 743 Specifically, commenters asserted that, as a result of including junior and information technology personnel within the definition and the potential liability of such individuals, the proposed provision would make it more difficult for SCI entities to attract and retain high quality information technology employees.744 Another commenter noted that responsible operations or technical personnel may not be in a position to make legal determinations about when a compliance issue has arisen.745
734 See id.
735 See, e.g., Omgeo Letter at 13; MSRB Letter at 6; BATS Letter at 8; Liquidnet Letter at 3; CME Letter at 7; OCC Letter at 12; Joint SROs Letter at 12; FINRA Letter at 25–26; and OTC Markets Letter at 19. See also NYSE Letter at 19 (stating that the proposed definition was too vague and suggesting an alternative approach). See also infra note 761 and accompanying text.
736 See, e.g., Omgeo Letter at 13; MSRB Letter at 6, 18; NYSE Letter at 19; BATS Letter at 8; Liquidnet Letter at 3; CME Letter at 7; OCC Letter at 12; Joint SROs Letter at 12; FINRA Letter at 25–26; and OTC Markets Letter at 19. Similarly, with regard to the Commission notification requirement in proposed Rule 1000(b)(4), one commenter stated that the obligation to notify the Commission should only be triggered when the responsible SCI personnel notifies the officer or senior staff responsible for the SCI system or systems generally. See DTCC Letter at 9.
737 See, e.g., OCC Letter at 12; FINRA Letter at 25–26; and OTC Markets Letter at 19.
738 See FIF Letter at 3, 5.
739 See, e.g., Liquidnet Letter at 3; NYSE Letter at 19; and Joint SROs Letter at 12.
After consideration of the views of commenters, the Commission has revised the term ‘‘responsible SCI personnel’’ to mean, ‘‘for a particular SCI system or indirect SCI system impacted by an SCI event, such senior manager(s) of the SCI entity having
responsibility for such system, and their designee(s).’’ 746 The Commission agrees that the proposed definition of responsible SCI personnel was broad and, consistent with the views of some commenters, believes that it is appropriate to instead focus the adopted definition on senior personnel of SCI entities that have responsibility for a particular system.747 The Commission believes that adopting a more focused definition of responsible SCI personnel to include only senior managers having responsibility for a given system (and their designees) addresses commenters’ concerns that the obligations of the rule could have been triggered upon the awareness of junior or inexperienced employees who lack the knowledge or experience to be able to make a determination regarding whether an SCI event had, in fact, occurred.748
740 See, e.g., OCC Letter at 12; FINRA Letter at 25–26; Omgeo Letter at 13; FIF Letter at 5; and NYSE Letter at 19–20.
741 See, e.g., OCC Letter at 12; FINRA Letter at 25–26; Omgeo Letter at 13; FIF Letter at 5; and NYSE Letter at 19–20.
742 See FIF Letter at 5.
743 See, e.g., NYSE Letter at 19; BATS Letter at 8; Joint SROs Letter at 13; and OTC Markets Letter at 18. See also supra note 717.
744 See, e.g., NYSE Letter at 19; BATS Letter at 8; Joint SROs Letter at 13; and OTC Markets Letter at 18. These commenters therefore recommended that the definition include only senior personnel who would more appropriately be responsible for making a determination as to whether an SCI event had occurred given their knowledge and authority.
745 See Omgeo Letter at 13.
746 See adopted Rule 1000.
The Commission believes that the revised definition is a better approach than the proposed definition because, consistent with suggestions from some commenters, it will appropriately allow SCI entities to adopt procedures that would require personnel of an SCI entity to escalate a systems issue to senior individuals who are responsible
for a particular system and who have the ability and authority to appropriately analyze and assess the issue affecting the SCI system or indirect SCI system, and their designees, as applicable.749 The Commission also notes that, consistent with some commenters’ recommendations, under the adopted rule, SCI entities will be afforded flexibility to determine which personnel to designate as ‘‘responsible SCI personnel.’’ 750 Specifically, SCI entities will need to affirmatively identify one or more senior managers that have responsibility for each of its SCI systems or indirect SCI systems.751 In addition, the Commission notes that the definition of responsible SCI personnel affords SCI entities with the flexibility to designate one or more other personnel as designees for a given system.752 The Commission believes that it is important to include designees within the definition of responsible SCI personnel to provide an SCI entity with the flexibility that it may need, and which the Commission believes is necessary, given the varying sizes, natures, and complexities of each SCI entity.
747 See generally supra notes 735–738 and accompanying text.
748 See supra notes 736–737. See also note 738 and accompanying text.
749 See supra Section IV.B.1.b (discussing Rule 1001(a)(1)(2)(vii), which requires an SCI entity to have policies and procedures to provide for monitoring of SCI systems, and indirect SCI systems, as applicable, to identify potential SCI events, and escalate them to responsible SCI personnel); and infra notes 758–761 and accompanying text.
750 See supra note 739 and accompanying text.
751 See Rule 1001(c).
752 The Commission notes that the rules do not, however, require SCI entities to have designees. Rather, each SCI entity has the discretion to have designees if they choose to do so.
A senior manager may name a designee (or designees) who would also have responsibility for a given system with regard to Regulation SCI, for example, if the senior manager is absent, is occupied with other oversight responsibilities for a period of time, or because of other practical limitations, is otherwise unavailable to assess the SCI entity’s obligations under Regulation SCI at a given point in time. The Commission believes it is likely that the designation of a designee and such designee’s particular responsibilities with regard to an SCI system or indirect SCI system would be addressed by an SCI entity’s policies and procedures, as discussed below. However, the Commission notes that while the definition of ‘‘responsible SCI personnel’’ does not permit the senior manager having responsibility for an applicable system to disclaim responsibility under the rule by delegating it fully to one or more designees (i.e., the adopted rule reads ‘‘and their designees’’ rather than ‘‘or their designees’’), it may assist SCI entities in fulfilling their responsibilities under Regulation SCI by allowing them to delegate to personnel other than senior managers such that those designees can also serve in the role of responsible SCI personnel. The Commission further believes that the modifications to the definition addresses some commenters’ concerns regarding the potential liability of junior SCI personnel, as the obligations of the rule are now triggered only when senior managers, rather than junior employees, having responsibility for a particular system have a reasonable basis to conclude that an SCI event has occurred.753 Further, the Commission reiterates that Regulation SCI imposes direct obligations on SCI entities and does not impose obligations directly on personnel of SCI entities. 
For these reasons, the Commission believes that an SCI entity’s ability to attract and retain employees should not be negatively affected by the requirements of Regulation SCI, as adopted.754 The Commission also reiterates that the occurrence of an SCI event may be probative, but is not determinative of whether an SCI entity violated Regulation SCI.755
In light of the more focused definition of responsible SCI personnel and consistent with commenters’ suggestions,756 the Commission believes it is appropriate to also adopt a policies and procedures requirement with respect to the designation of responsible SCI personnel and escalation procedures.
753 See supra notes 743–744 and accompanying text.
754 See supra notes 721 and 743–744 and accompanying text. The Commission notes that commenters’ concerns regarding potential liability of employees were related to the scope of the proposed definition of responsible SCI personnel and the effect on the hiring and retention of junior and information technology personnel. Commenters believed that the definition should instead focus on senior managers who could appropriately be held responsible given their responsibilities and authority to take necessary actions under the rule.
As discussed above, many commenters highlighted the importance of escalation procedures and advocated for their use as an alternative to the adoption of a broader definition of responsible SCI personnel.757 Specifically, the Commission is adopting Rule 1001(c), which requires each SCI entity to ‘‘[e]stablish, maintain, and enforce reasonably designed written policies and procedures that include the criteria for identifying responsible SCI personnel, the designation and documentation of responsible SCI personnel, and escalation procedures to quickly inform responsible SCI personnel of potential SCI events.’’ The Commission believes that it is important for an SCI entity’s policies and procedures to have a defined set of criteria for identifying responsible SCI personnel so that such personnel are identified in a consistent manner across all of an SCI entity’s operations and with regard to all of its SCI systems and indirect SCI systems. The Commission believes that SCI entities are best suited to establish the appropriate criteria for such a designation but notes that such criteria could include, for example, consideration of the level of knowledge, skills, and authority necessary to take the required actions under the rules. The Commission also believes it is important for policies and procedures to include the designation and documentation of responsible SCI personnel, so that it is clear to all employees of the SCI entity who the designated responsible SCI personnel are for purposes of the escalation procedures and so that Commission staff can easily identify such responsible SCI personnel in the course of its inspections and examinations and other interactions with SCI entities. The Commission also believes that, given the more focused definition of responsible SCI personnel, escalation procedures to quickly inform responsible SCI personnel of potential SCI events are necessary to help ensure that the appropriate person(s) are provided notice of potential SCI events so that any appropriate actions can be taken in accordance with the requirements of Regulation SCI without unnecessary delay. Such escalation procedures would establish the means by which, and actions required for, escalating information regarding a systems issue that may be an SCI event up the chain of command to the responsible SCI personnel, who will be responsible for determining whether an SCI event has occurred and what resulting obligations may be triggered. The Commission notes that each SCI entity may establish escalation procedures that conform to its needs, organization structure, and size. By requiring that responsible SCI personnel are ‘‘quickly inform[ed]’’ of potential SCI events, the Commission intends to require that escalation procedures emphasize promptness and ensure that responsible SCI personnel are informed of potential SCI events without delay. At the same time, the rule does not prescribe a specific time requirement in order to give flexibility to SCI entities in recognition that immediate notification may not be possible or feasible. Further, similar to adopted Rules 1001(a) and 1001(b), Rule 1001(c) requires that an SCI entity periodically review the effectiveness of the policies and procedures related to responsible SCI personnel, and to take prompt action to remedy deficiencies in such policies and procedures.
755 See, e.g., supra notes 470 and 627 and accompanying text.
756 See supra notes 740–742 and accompanying text and infra notes 759–761 and accompanying text.
757 See supra notes 740–742 and accompanying text.
Becomes Aware
Several commenters criticized the proposed requirement that certain obligations under Regulation SCI be triggered when a responsible SCI personnel ‘‘becomes aware’’ of an SCI event.
Some commenters stated that the standard was vague and lacked clarity regarding when, exactly, responsible SCI personnel would be deemed to become aware of an SCI event.758 Further, some commenters noted that the ‘‘becomes aware’’ standard emphasized immediate action over methodical escalation, diagnosis, and resolution procedures.759 As noted above, several commenters emphasized the importance of escalation policies and procedures, and argued that the rule should allow entities to adopt and follow such escalation procedures rather than triggering the obligations under Regulation SCI upon one employee’s awareness of a systems issue.760 Another commenter suggested specific revisions to the triggering standard so that the phrase ‘‘responsible SCI personnel becoming aware’’ would be eliminated entirely and replaced with ‘‘SCI entity having a reasonable basis to conclude,’’ which it believed would allow for escalation through a normal chain of command.761 With regard to the Commission notification requirements specifically,762 one commenter suggested that SCI entities should only be required to notify the Commission ‘‘upon confirming the existence of an SCI event,’’ 763 while another commenter stated that the rule should require notification to the Commission as soon as reasonably practicable after responsible personnel becomes aware of the SCI event.764 Similarly, one commenter believed that the ‘‘becomes aware’’ standard was problematic because it would require notification before an SCI entity has accurate information upon which to act.765
758 See, e.g., BATS Letter at 8–9; NYSE Letter at 19; and Joint SROs Letter at 12.
759 See Joint SROs Letter at 3, 9, and 12. See also OCC Letter at 12; FINRA Letter at 25–26; Omgeo Letter at 13; FIF Letter at 5; and NYSE Letter at 19–20.
After consideration of the views of commenters, the Commission has
determined to revise the triggering standard so that SCI entities will be required to comply with the obligations of adopted Rule 1002 upon responsible SCI personnel having ‘‘a reasonable basis to conclude’’ that an SCI event has occurred, as suggested by a commenter.766 This standard permits an SCI entity to gather relevant information and perform an initial analysis and assessment as to whether a systems issue may be an SCI event, rather than requiring an SCI entity to take corrective action, notify the Commission, and/or disseminate information about an SCI event immediately upon responsible SCI personnel becoming aware of an SCI event.767 Thus, the Commission believes that the ‘‘reasonable basis to conclude’’ standard should provide some additional flexibility and time for judgment to determine whether there is a ‘‘reasonable basis to conclude’’ in contrast to the ‘‘becomes aware’’ standard which many commenters noted would be difficult to apply in practice due to the difficulty of determining when an individual, in fact, ‘‘becomes aware’’ of an SCI event.768 Further, the Commission believes that, consistent with commenters’ recommendations, the revised standard, in conjunction with the revised definition of ‘‘responsible SCI personnel,’’ will allow an SCI entity to adopt and follow its internal escalation policies and procedures to inform senior SCI entity personnel of systems issues, and allow meaningful assessment of the issues by such senior management prior to triggering obligations of the rule.769 At the same time, the Commission believes that the obligations of the rule will continue to be triggered in a timely manner because the Commission is adopting a separate requirement in Rule 1001(c), as noted above, for escalation procedures to quickly inform responsible SCI personnel of potential SCI events.
760 See supra notes 740–742 and accompanying text.
761 See NYSE Letter at 19.
762 See infra Section IV.B.3.c (discussing the Commission notification requirement for SCI events).
763 See Direct Edge Letter at 8.
764 See Omgeo Letter at 17.
765 See FIF Letter at 5 (urging that notification be required when ‘‘accurate and actionable’’ information is provided to responsible SCI personnel). See also BATS Letter at 9.
766 See adopted Rules 1002(a), (b), and (c). See also supra note 761.
767 See supra notes 759 and 763–765 and accompanying text. Additionally, the Commission does not agree with the commenter who stated that notification should be required only as soon as reasonably practicable after responsible personnel become aware of an SCI event because that standard would unnecessarily delay the requirement for an SCI entity to take necessary actions under the rule and the Commission’s knowledge of an SCI event. See supra note 764.
768 See supra note 758 and accompanying text.
769 See supra notes 758–760 and accompanying text. The Commission believes that the adopted standard similarly allows for escalation of a systems issue to senior officials because the Commission believes that having ‘‘a reasonable basis to conclude’’ is a good indication that an SCI event has likely occurred and does not require that the responsible SCI personnel come to a definitive conclusion, which would cause unnecessary delay in taking the actions required by Regulation SCI. Rather, once responsible SCI personnel have a reasonable basis to conclude that an SCI event has occurred, the Commission believes that an SCI entity should begin to take corrective action, provide notice to the Commission, and/or disclose such event, as applicable, because these requirements are designed to ensure that the SCI entity begins to take action in a timely fashion to mitigate potential harm arising from the incident and that the Commission and relevant market participants are kept apprised of an SCI event even where a definitive conclusion is not yet available. The Commission does not agree with the commenter that it should apply the triggering standard only to the SCI entity rather than responsible SCI personnel. The Commission notes, as discussed above, that the adopted definition of responsible SCI personnel imposes obligations only upon the senior personnel of an SCI entity that have responsibility for a particular system. Additionally, the Commission believes that it is important to apply the triggering standard to responsible SCI personnel rather than to the SCI entity because, when combined with an SCI entity’s policies and procedures with respect to the designation of responsible SCI personnel and escalation and monitoring procedures, the triggering standard is designed to ensure that senior managers are provided notice of potential SCI events so that any appropriate actions can be taken in accordance with the requirements of Regulation SCI without unnecessary delay.
b. Corrective Action—Rule 1002(a)
Proposed Rule 1000(b)(3) required an SCI entity, upon any responsible SCI personnel becoming aware of an SCI event, to begin to take appropriate corrective action including, at a minimum, mitigating potential harm to investors and market integrity resulting from the SCI event and devoting adequate resources to remedy the SCI event as soon as reasonably practicable.770 The corrective action requirement is being adopted substantially as proposed, but with the triggering standard modified as discussed above.771 Two commenters supported the corrective action provision generally.772 Several commenters stated that the proposed requirement put too great an emphasis on immediately taking corrective action at the expense of thoroughly analyzing the SCI event and its cause, considering potential remedies, and/or acting in accordance with internal policies and procedures before committing to a plan to take corrective action.773 One group of commenters suggested that the rule should make clear that ‘‘corrective action’’ should also include a variety of other potential actions, such as communicating with responsible parties, diagnosing the root cause, disclosing to members and the public, and mitigating potential harm by following their policies and procedures.774 Another commenter stated that, in certain circumstances, it is ‘‘aggressive to presume that one individual’s knowledge should prompt an immediate response by the SCI [e]ntity at large.’’ 775 This commenter further stated that a standard requiring an SCI entity to mitigate potential harm to investors is extremely vague.776
As adopted, Rule 1002(a) requires an SCI entity, upon any responsible SCI personnel having a reasonable basis to conclude that an SCI event has occurred, to begin to take appropriate corrective action including, at a minimum, mitigating potential harm to investors and market
integrity resulting from the SCI event and devoting adequate resources to remedy the SCI event as soon as reasonably practicable. The Commission continues to believe that this provision of Regulation SCI is important to make clear that each SCI entity has the obligation to respond to SCI events with appropriate steps necessary to remedy the problem or problems causing such SCI event and mitigate the negative effects of the SCI event, if any, on market participants and the securities markets more broadly. As discussed below, the specific steps that an SCI entity will need to take to mitigate the harm will be dependent on the particular systems issue, its causes, and the estimated impact of the event, among other factors. To the extent that a systems issue affects not only the particular users of an SCI system, but also has a more widespread impact on the market generally, as may be likely with regard to systems issues affecting critical SCI systems, the SCI entity will need to consider how it might mitigate any potential harm to the overall market to help ensure market integrity. For example, an SCI entity would need to take steps to regain a system’s ability to process transactions in an accurate, timely, and efficient manner, or to ensure the accurate, timely, and efficient collection, processing, and dissemination of market data.
770 See proposed Rule 1000(b)(3) and Proposing Release, supra note 13, at 18117.
771 See supra Section IV.B.3.a (discussing the triggering standard).
772 See MSRB Letter at 17 and DTCC Letter at 9–10.
773 See SIFMA Letter at 3; OCC Letter at 14; Joint SROs Letter at 11; LiquidPoint Letter at 4; DTCC Letter at 10; and Direct Edge Letter at 7.
774 See Joint SROs at 11.
775 See Direct Edge Letter at 7.
776 Id.
As noted above, many of the comments on this requirement are related to the standard for triggering the obligation to take corrective action under this provision, namely ‘‘upon any SCI responsible personnel becoming aware of’’ an SCI event. As discussed above, the Commission has further focused the scope of the term ‘‘responsible SCI personnel’’ in response to commenters’ concerns that the term was too broad and could inappropriately capture junior and/or inexperienced employees. Further, as discussed above, the Commission has revised the ‘‘becomes aware’’ standard to instead trigger obligations when responsible personnel have ‘‘a reasonable basis to conclude’’ an SCI event has occurred. As explained above, the Commission believes that these important modifications are responsive to commenters’ concerns that the corrective action requirement could be triggered upon the knowledge of only one individual or a junior employee of a systems issue without sufficient time to analyze and assess the systems problem and follow internal escalation procedures. Under the adopted standard, only when (i) suspected systems problems are escalated to senior managers of the SCI entity who have responsibility for the SCI system or indirect SCI system experiencing an SCI event and their designees, and (ii) such personnel have ‘‘a reasonable basis to conclude’’ that an SCI event has occurred are the appropriate corrective actions required by Rule 1002(a) triggered.
Further, in response to commenters who stated that the proposed rule places too large an emphasis on immediate corrective action,777 in addition to the modifications noted above which are intended to allow for appropriate time for an SCI entity to perform an initial analysis and preliminary investigation into a potential systems issue before the obligations under Rule 1002(a) are triggered, the Commission notes that it does not use the term ‘‘immediate’’ in either the proposed or adopted rules. Rather, the Commission emphasizes that the rule requires that corrective action be taken ‘‘as soon as reasonably practicable’’ once the triggering standard has been met. The Commission believes that, because the facts and circumstances of each specific SCI event will be different, this standard ensures that an SCI entity will take necessary corrective action soon after an SCI event, but not without sufficient time to first consider what is the appropriate action to remedy the SCI event in a particular situation and how such action should be implemented. Moreover, the Commission has considered the comment that the rule prescribe in more specificity the particular types of corrective action that must be taken by an SCI entity and believes that it is appropriate to adopt, as proposed, a rule that requires more generally that ‘‘appropriate’’ corrective action be taken and requires that, at a minimum, the SCI entity take appropriate steps to mitigate potential harm to investors and market integrity resulting from the SCI event and devote adequate resources to remedy the SCI event. The Commission notes that the rule is designed to afford flexibility to SCI entities in determining how to best respond to a particular SCI event in order to remedy the problem causing the SCI event and mitigate its effects. 
As a general matter, though, the Commission agrees that such corrective action would likely include a variety of actions, such as those identified by one group of commenters, including determining the scope of the SCI event and its causes, making a determination regarding its known and anticipated impact, following adequate internal diagnosis and resolution policies and procedures, 777 See supra notes 773–775 and accompanying and taking additional action to respond as each SCI entity deems appropriate.778 The Commission also notes that certain other specific types of corrective action identified by such commenters are already required by other provisions of Regulation SCI, such as communicating and escalating the issue to responsible personnel and making appropriate disclosures to members or participants regarding the SCI event.779 c. Commission Notification—Rule 1002(b) i. Proposed Rule 1000(b)(4) Proposed Rule 1000(b)(4) addressed the Commission notification obligations of an SCI entity upon any responsible SCI personnel becoming aware of an SCI event.780 Specifically, proposed Rule 1000(b)(4)(i) required an SCI entity, upon any responsible SCI personnel becoming aware of a systems disruption that the SCI entity reasonably estimated would have a material impact on its operations or on market participants, any systems compliance issue, or any systems intrusion (‘‘immediate notification SCI event’’), to notify the Commission of such SCI event, which could be done orally or in writing (e.g., by email). Proposed Rule 1000(b)(4)(ii) required an SCI entity to submit a written notification pertaining to any SCI event to the Commission within 24 hours of any responsible SCI personnel becoming aware of the SCI event. Proposed Rule 1000(b)(4)(iii) required an SCI entity to submit to the Commission continuing written updates on a regular basis, or at such frequency as reasonably requested by a representative of the Commission, until such time as the SCI event was resolved. 
Proposed Rule 1000(b)(4)(iv) detailed the types of information that were required for written notifications under proposed Rule 1000(b)(4).781 In addition, proposed Rule 1000(b)(4)(iv)(C) required an SCI entity to provide a copy of any information disseminated regarding the SCI event to its members or participants or on the SCI entity’s publicly available Web site. As described below, adopted Rule 1002(b) retains the general framework of proposed Rule 1000(b)(4) for Commission notification of SCI events, but makes several modifications in response to comments.

Comments Regarding Commission Notification of SCI Events

One commenter generally supported proposed Rule 1000(b)(4), stating that it would enhance transparency and might allow the Commission to see patterns in small, seemingly non-material SCI events that are worthy of attention.782 However, many other commenters expressed concerns about proposed Rule 1000(b)(4).783 Many of these commenters stated that the scope of proposed Rule 1000(b)(4) was too broad, and that the notification requirement would lead to over-reporting to the Commission.784 Commenters also suggested various ways to revise the reporting requirement. For example, several commenters recommended requiring notification to the Commission only for ‘‘material’’ or ‘‘significant’’ events.785 For example, one commenter recommended reporting most SCI events as part of the annual SCI review process, while focusing the Commission notification on material SCI events.786 Similarly, another commenter suggested that SCI entities should only be required to report information relating to ‘‘impactful’’ systems disruptions in an annual report to the Commission rather than in near real time reports.787 Another commenter recommended requiring notification only for systems issues that warrant notification to an SCI entity’s subscribers or participants.788 Some commenters recommended a risk-based approach under which each SCI event would be subject to a risk-based assessment, in which the obligation to notify the Commission would be based on the attendant risk, with only material events requiring notification.789 Commenters also identified potential problems resulting from a notification requirement that they perceived as too broad.

778 See supra note 774 and accompanying text.
779 See adopted Rule 1001(c) (requiring policies and procedures that include, among other things, escalation procedures to quickly inform responsible SCI personnel of potential SCI events) and Rule 1002(c) (requiring dissemination of information regarding SCI events).
780 See proposed Rule 1000(b)(4) and Proposing Release, supra note 13, at Section III.C.3.b.
781 Specifically, the SCI Proposal required written notifications and updates to be made electronically and required initial written notifications to include all pertinent information known about an SCI event, including: (1) A detailed description of the SCI event; (2) the SCI entity’s current assessment of the types and number of market participants potentially affected by the SCI event; (3) the potential impact of the SCI event on the market; and (4) the SCI entity’s current assessment of the SCI event, including a discussion of the SCI entity’s determination regarding whether the SCI event was a dissemination SCI event or not. In addition, as proposed, to the extent available as of the time of initial notification, Exhibit 1 to Form SCI would have required inclusion of the following information: (1) A description of the steps the SCI entity was taking, or planned to take, with respect to the SCI event; (2) the time the SCI event was resolved or timeframe within which the SCI event was expected to be resolved; (3) a description of the SCI entity’s rule(s) and/or governing documents, as applicable, that related to the SCI event; and (4) an analysis of the parties that may have experienced a loss, whether monetary or otherwise, due to the SCI event, the number of such parties, and an estimate of the aggregate amount of such loss. See proposed Rule 1000(b)(4)(iv)(A).
782 See Lauer Letter at 6. The Commission also notes that, although many other commenters expressed reservations with proposed Rule 1000(b)(4), many of these commenters also expressed their general support for a notification rule that is more limited in scope. See, e.g., ITG Letter at 12 (stating that a reduction in notifications would result in lower costs, reduce the overreporting of events, and allow the Commission to focus on events that warrant review); and FINRA Letter at 18 (‘‘FINRA fully supports the Commission’s goal of ensuring that Commission staff is informed of events that could potentially impact the market’’).
783 See, e.g., NYSE Letter at 21; BATS Letter at 12–13; ITG Letter at 12; FINRA Letter at 16–17; Omgeo Letter at 16; SIFMA Letter at 13; ISE Letter at 6; OCC Letter at 11; and CME Letter at 9.
784 See, e.g., NYSE Letter at 22; Omgeo Letter at 16; SIFMA Letter at 14; ISE Letter at 6; and OCC Letter at 12.
785 See, e.g., ITG Letter at 12; CME Letter at 9; DTCC Letter at 8; and Omgeo Letter at 15.
For example, one commenter stated that the notification requirements have the potential to create efficiency issues, delay system remediation, create substantial resource demands, and create instability, which would diminish an SCI entity’s ability to be responsive to investors and damage market efficiency.790 Similarly, several commenters stated that the proposed Commission notification provision would require SCI entities to divert resources to comply with the requirement which, in turn, would risk delaying resolution of the SCI event that is being reported on.791 Other commenters suggested that the proposed rule would result in large volumes of data and reporting, which would present challenges to, and burdens on, SCI entities as well as Commission staff.792 One commenter also questioned the extent to which the reported information provided by the notifications would be useful to the Commission.793 Some commenters focused their comments on the proposal’s requirements for Commission reporting of systems intrusions and offered alternative approaches to reporting systems intrusions.

786 See FIF Letter at 4.
787 See BATS Letter at 10.
788 See OTC Markets Letter at 19 (stating that the notification requirement to the Commission should be aligned with the current industry practice of notifying SCI entities’ subscribers of material events, explaining that competitive forces motivate entities to promptly notify subscribers about significant issues).
789 See, e.g., OCC Letter at 13; SIFMA Letter at 13; Omgeo Letter at 1; FINRA Letter at 14; and NYSE Letter at 25.
790 See UBS Letter at 3.
791 See Omgeo Letter at 16; MSRB Letter at 19; and OCC Letter at 14.
792 See SunGard Letter at 5; and Joint SROs Letter at 7.
793 See NYSE Letter at 22.
One commenter stated that, in order to limit the number of notifications, SCI entities should be required to investigate and keep a record of all systems intrusions that did not cause a material disruption of service, or that were a malicious (but unsuccessful) attempt in gaining unauthorized access to confidential data, and make these records available to the Commission staff if requested.794 Another commenter recommended that non-material systems intrusions be recorded within the SCI entity’s records.795 Another commenter suggested that systems intrusions in a development or testing environment should only be reportable if there is a likelihood that the same issue or vulnerabilities exist in the current production environment and cannot be verified within a certain period, such as, for example, 24 to 48 hours.796 In addition, one commenter suggested that, for systems intrusions, rather than impose the Commission notification requirement on SCI entities, the Commission should instead require SCI entities to establish policies and procedures reasonably designed to prevent, detect, and respond to systems intrusions.797 One commenter stated that the Commission should support the enhancement of the Financial Services Information Sharing and Analysis Center (‘‘FS–ISAC’’) 798 and another commenter suggested that non-material cyber-relevant events be provided to and disseminated through FS–ISAC rather than the Commission.799 Some commenters further suggested that certain systems intrusions should be reported to FS–ISAC.800 Other commenters stated that reporting a systems compliance issue is reporting a legal conclusion, and that requiring an SCI entity to do so would overburden them with extensive technical and legal analysis and potentially expose those entities to Commission sanctions or litigation.801 Several commenters expressed concerns regarding the confidentiality of the information provided pursuant to proposed Rule 1000(b)(4), and stated that such information should be confidential and protected from public disclosure.802 One of these commenters requested that the Commission confirm in the final rule that the information will remain confidential.803 Commenters also raised other general concerns and made suggestions with regard to proposed Rule 1000(b)(4).

794 See Omgeo Letter at 12.
795 See DTCC Letter at 8.
796 See FINRA Letter at 11–12.
797 See BATS Letter at 12. This commenter believed that the cost of the proposed requirement would outweigh any benefits because the proposed rule would require SCI entities to ‘‘rapidly investigate and report a multitude of minor incidents that regularly occur during the normal course of business.’’ Id.
798 FS–ISAC is a service that gathers information from a multitude of sources related to threat, vulnerability, and risk of cyber and physical security and communicates timely notifications and authoritative information specifically designed to help protect critical systems and assets from physical and cybersecurity threats. See FS–ISAC: Financial Services—Information Sharing and Analysis Center, available at: www.fsisac.com.
799 See BIDS Letter at 10; and Omgeo Letter at 12.
800 See SIFMA Letter at 14 (recommending that systems intrusions be reported to FS–ISAC in addition to the Commission); and Omgeo Letter at 12 and 21 (recommending that non-material systems intrusions be reported solely to FS–ISAC).
One commenter argued that the proposed rules could cause SCI entities to release information before all relevant factors are known, which could be counterproductive and harmful.804 Another commenter was concerned that SCI entities would be required to provide notification reports multiple times to different Commission staff for the same event.805 Another commenter suggested that the proposed requirement is onerous and costly and thus, to realize benefits, the Commission, based on notifications received from SCI entities, should provide regular summary-level feedback that communicates the types, frequency, severity, and impact of market incidents across all reporting entities and other related data on the root cause of problems.806 Another commenter suggested that the Commission provide examples, such as publications and reference blueprints, which could be useful to SCI entities as they attempt to understand the types of SCI events that warrant Commission notification.807 Finally, some commenters broadly questioned the Commission’s legal authority to adopt Regulation SCI as proposed, asserting, among other things, that the Commission’s proposed notification requirement was beyond its legal authority.808

801 See OTC Markets Letter at 16. See also NYSE Letter at 16.
802 See NYSE Letter at 24; Joint SROs Letter at 12; and DTCC Letter at 11.
803 See DTCC Letter at 11.
804 See ITG Letter at 13.
805 See NYSE Letter at 22. Another commenter suggested that the notification requirement with respect to system disruptions should make clear that multiple notifications are not required if a disruption impacts multiple SCI entities. See FINRA Letter at 22.
806 See BIDS Letter at 10.
807 See SunGard Letter at 6.
808 See NYSE Letter at 4–6; and OTC Markets at 6. See infra notes 833–837 and accompanying text (discussing ‘‘Commission Legal Authority’’).

ii. Rule 1002(b)

After careful consideration of the comments on proposed Rule 1000(b)(4), the Commission is adopting Rule 1002(b), with several modifications in response to comments.809

Overview

The Commission notes that, even without the modifications the Commission is making in adopted Rule 1002(b), the proposed Commission notification rule would require Commission notice of fewer SCI events than as proposed as a result of the adopted definitions of SCI systems, indirect SCI systems, systems disruption, and systems compliance issue, and the revised triggering standard discussed above. In addition, the Commission has determined to refine the scope of the adopted Commission notification requirement by incorporating a risk-based approach that requires SCI entities, for purposes of Commission notification, to divide SCI events into two main categories: SCI events that ‘‘[have] had, or the SCI entity reasonably estimates would have, no or a de minimis impact on the SCI entity’s operations or on market participants’’ (‘‘de minimis’’ SCI events); and SCI events that are not de minimis SCI events. De minimis SCI events will not be subject to an immediate Commission notification requirement as proposed. Instead, all de minimis SCI events will be subject to recordkeeping requirements, and de minimis systems disruptions and de minimis systems intrusions will be subject to a quarterly reporting obligation, as set forth in adopted Rule 1002(b)(5). For SCI events that are not de minimis, Commission notification will be governed by adopted Rules 1002(a)(1)–(4), which is substantially similar to proposed Rules 1000(b)(4)(ii)–(iv), but relaxed in certain respects in response to comment, as discussed below.
Effect of Revised Definitions and Revised Triggering Standard on Commission Notification Requirement

The Commission believes that the revisions made to a number of definitions already focus the scope of the Commission notification requirement in adopted Rule 1002(b) from the SCI Proposal. For example, elimination of member regulation and member surveillance systems from the adopted definition of SCI systems will substantially reduce the potential number of SCI events that would be subject to Commission notification under the proposal.810 Likewise, systems problems that would otherwise meet the definition of SCI event do not meet the definition of an SCI event if they occur in the development or testing environment.811 In addition, the Commission believes that the revised definition of ‘‘systems disruption’’ and ‘‘systems compliance issue’’ also will result in fewer systems issues being identified as SCI events.812 In tandem with the revised definitions, the Commission also believes that the revised triggering standard for notification of SCI events, which affords an SCI entity time to evaluate whether a potential SCI event is an actual SCI event, will also result in fewer SCI events being subject to the requirements of Rules 1002(b)(1)–(4).813 The Commission believes that these changes respond to comments that proposed Rule 1000(b)(4) was overbroad and overly burdensome for SCI entities.814

Exclusion of De Minimis SCI Events From Immediate Notification Requirements: Adopted Rule 1002(b)(5)

Adopted Rule 1002(b)(5) states that the requirements of Rules 1002(b)(1)–(4) do not apply to any SCI event that has had, or the SCI entity reasonably estimates would have, no or a de minimis impact on the SCI entity’s operations or on market participants.

809 Specific comments on proposed Rules 1000(b)(4)(i)–(iii) that are not discussed above are discussed below in conjunction with the Commission’s response to those comments.
For such de minimis events, Rule 1002(b)(5) requires that an SCI entity: (i) Make, keep, and preserve records relating to all such SCI events; and (ii) submit to the Commission a report, within 30 calendar days after the end of each calendar quarter, containing a summary description of such systems disruptions and systems intrusions, including the SCI systems and, for systems intrusions, indirect SCI systems, affected by such systems disruptions and systems intrusions during the applicable calendar quarter.

810 See supra Section IV.A.2.b (discussing the definition of ‘‘SCI systems’’).
811 See supra note 796 and accompanying text. See also supra Section IV.A.2.b (discussing the definition of ‘‘SCI systems’’). According to one commenter who supported excluding non-market systems from the definition of SCI systems and the notification and dissemination requirements, applying the reporting requirements to non-market systems ‘‘would significantly increase the volume of the reports the Commission receives.’’ FINRA Letter at 10. (‘‘If the definition of SCI systems is broadly construed to apply to non-market regulatory and surveillance systems, approximately 111 FINRA systems could be subject to Regulation SCI.’’) FINRA Letter at 7.
812 See supra Section IV.A.3 (discussing the definition of ‘‘SCI event,’’ ‘‘systems disruption,’’ and ‘‘systems compliance issue’’).
813 See supra Section IV.B.3.a (discussing the definition of ‘‘responsible SCI personnel’’) and Section IV.B.3.a (discussing the triggering standard).
814 See supra note 784 and accompanying text. See also Section VI (discussing comments regarding the burdens associated with proposed Rule 1000(b)(4)).
The Commission believes that this exception will result in a less burdensome reporting framework for de minimis SCI events than for other SCI events, and therefore responds to comment that the proposed reporting framework was too burdensome. The Commission believes that the quarterly reporting of de minimis systems disruptions and de minimis systems intrusions will reduce the frequency and volume of SCI event notices submitted to the Commission and also will allow both the SCI entity and its personnel, as well as the Commission and its staff, to focus their attention and resources on other, more significant SCI events. Consistent with taking a risk-based approach in other aspects of Regulation SCI, the Commission believes this modification from the SCI Proposal will result in more focused Commission monitoring of SCI events than if this aspect of the SCI Proposal was adopted without modification. Further, by reducing the number of SCI event notices provided to the Commission on an immediate basis as compared to the SCI Proposal, the adopted rule should also impose lower compliance costs and fewer burdens than if this aspect of the SCI Proposal was adopted without modification.
However, the Commission has determined not to incorporate a materiality threshold as requested by some commenters,815 to limit the Commission reporting requirements to those events that are considered by SCI entities to be truly disruptive to the markets, as suggested by other commenters,816 or to limit the Commission reporting requirement only to those events that warrant notification to an SCI entity’s subscribers or participants, as suggested by still other commenters.817 The Commission has made this determination because while there may be SCI events with little apparent impact on an SCI entity’s operations or on market participants and the burden on an SCI entity to provide immediate notice to the Commission every time such an event occurs may not justify the benefit of providing such notice to the Commission on an immediate basis, the Commission does not believe that such de minimis events are irrelevant or that the Commission should never be made aware of them. To fulfill its oversight role, the Commission believes that the Commission and its staff should regularly be made aware of de minimis systems disruptions and de minimis systems intrusions and should have ready access to records regarding de minimis systems compliance issues that SCI entities are facing and addressing because, as the regulator of the U.S. securities markets, it is important that the Commission and its staff have access to information regarding all SCI events (including de minimis SCI events) and their impact on the technology systems and systems compliance of SCI entities, which may also provide useful insights into learning about indications of more impactful SCI events.

815 See, e.g., supra note 785 and accompanying text.
816 See, e.g., supra notes 785–787.
817 See supra note 788.
The Commission has, however, determined to distinguish the timing of its receipt of information regarding SCI events based on their impact: those SCI events that an SCI entity reasonably estimates to have a greater impact are subject to ‘‘immediate’’ notification upon responsible SCI personnel having a reasonable basis to conclude that an SCI event has occurred; and those SCI events that an SCI entity reasonably estimates to have no or a de minimis impact are subject to recordkeeping obligations, and for de minimis systems disruptions and de minimis systems intrusions, a quarterly summary notification. Despite commenters’ arguments to the contrary that de minimis SCI events do not warrant the Commission’s and its staff’s attention, the Commission believes that quarterly reporting of de minimis systems disruptions and de minimis systems intrusions and review of records regarding de minimis systems compliance issues is beneficial to the Commission and its staff in understanding SCI entity systems operations at the level of the individual SCI entity, as well as across the spectrum of SCI entities, and to monitor compliance with the Exchange Act and rules thereunder. The Commission notes that, while it is not requiring that de minimis systems compliance issues be submitted to the Commission in quarterly reports, Commission staff may request records relating to such de minimis systems compliance issues as necessary. The Commission encourages and does not intend to inhibit an evaluation by SCI entities of systems compliance issues, including de minimis systems compliance issues, which may inherently involve legal analysis. 
As noted, some commenters focused specifically on systems intrusions, urging the Commission to modify or significantly reduce the instances in which notice of systems intrusions would be required,818 or provide that non-material systems intrusions not be reported at all, and only be recorded by the SCI entity.819 The Commission believes that the recordkeeping and quarterly reporting requirement for de minimis systems intrusions described in Rule 1002(b)(5) is partially responsive to these comments, but also believes that notice of intrusions in SCI systems and indirect SCI systems is important to allow the Commission and its staff to detect patterns or understand trends in the types of systems intrusions that may be occurring at multiple SCI entities. However, as compared to what would have been required if the SCI Proposal was adopted without modification, the Commission expects that the exception from the immediate reporting requirement provided for de minimis SCI events under Rule 1002(b)(5) will result in a much lower number of systems intrusions that SCI entities will be required to immediately report to the Commission than commenters believed,820 and will achieve this result without compromising the Commission’s interest in receiving more timely notification of impactful SCI events. In addition, some commenters suggested that certain types of systems intrusions or non-material SCI events be reported exclusively to FS–ISAC or to both the Commission and FS–ISAC, and some advocated that the Commission support the enhancement of FS–ISAC.821 The Commission believes that FS–ISAC and other information sharing services play an important role in assisting SCI entities and other entities with respect to security issues.
Consistent with views shared by several members of the third panel at the Cybersecurity Roundtable, to the extent SCI entities determine that such information sharing services are useful, the Commission encourages SCI entities to cooperate with and share information relating to information security threats and related issues with such entities to further enhance their utility.822 At the same time, for the reasons discussed above,823 the Commission believes that it is important that the Commission directly receive information regarding systems intrusions from SCI entities, through immediate notifications or quarterly reports, as applicable. In response to comments that recordkeeping of non-material SCI events would be more appropriate than reporting, the Commission believes that quarterly reporting of de minimis systems disruptions and de minimis systems intrusions will better achieve the goal of keeping Commission staff informed regarding the nature and frequency of SCI events that arise but are reasonably estimated by the SCI entity to have a de minimis impact on the entity’s operations or on market participants.

818 See supra notes 794–797 and accompanying text.
819 See supra notes 794–795 and accompanying text.
820 See, e.g., supra note 794 and accompanying text (discussing a commenter’s suggestion to limit the number of notifications by requiring recordkeeping of all systems intrusions that did not cause a material disruption of service or that were a malicious (but unsuccessful) attempt in gaining unauthorized access to confidential data).
821 See supra notes 799–800 and accompanying text.
Importantly, submission and review of regular reports will facilitate Commission staff comparisons among SCI entities and thereby permit the Commission and its staff to have a more holistic view of the types of systems operations challenges that were posed to SCI entities in the aggregate. With regard to de minimis systems compliance issues, however, the Commission believes the goals of Regulation SCI can be achieved through the SCI entity’s obligation to keep, and provide to representatives of the Commission upon request, records of such de minimis systems compliance issues. The Commission believes that systems compliance issues generally are more specific to a particular entity’s systems and rules and less likely, as compared to systems disruptions and systems intrusions, to raise market-wide issues that could affect several SCI entities. Accordingly, information on such events is less likely to provide valuable insight into trends and risks across the industry and, therefore, the Commission believes that the benefits of receiving quarterly reports on such de minimis systems compliance issues would be less relative to de minimis systems disruptions and de minimis systems intrusions. Further, the Commission notes that, based on Commission staff’s experience with notifications of compliance-related issues at SROs, the Commission believes that SCI entities will experience a relatively small number of systems compliance issues each year, and thus, its regular examinations of SCI entities will provide an adequate mechanism for reviewing and addressing de minimis systems compliance issues affecting SCI entities. As noted above, Commission staff may request records relating to such de minimis systems compliance issues as necessary.

In response to the concerns raised by one commenter that the notification requirements have the potential to create efficiency issues, delay system remediation, create substantial resource demands, and create instability, the Commission believes that these concerns have been mitigated by the numerous changes made from the proposal, such as the adoption of a quarterly reporting framework for de minimis systems disruptions and de minimis systems intrusions and revised definitions of the terms SCI systems, indirect SCI systems, systems disruption, and systems compliance issue, in addition to the reduction in the obligations SCI entities have with respect to reporting requirements.824 In addition, ARP entities today are able to regularly notify the Commission of systems related issues, such as systems outages, and the Commission therefore believes that the notification requirements will not require a majority of SCI entities to develop policies and procedures that are incongruous with their current practice.

822 See supra notes 39–40 and accompanying text. During the Cybersecurity Roundtable, panelists referenced other services that they believed useful to SROs, including the Financial Services Sector Coordinating Council for Critical Infrastructure Protection and Homeland Security (FSSCC), the Clearing House and Exchange Forum (CHEF), and the Worldwide Federation of Exchange’s recently established Global Exchanges Cyber Security Working Group (GLEX). See supra note 39.
823 See supra notes 904–906 and accompanying text.
Moreover, the Commission believes that providing SCI entities with 30 days after the end of each quarter is adequate time for an SCI entity to prepare its report without unduly diverting SCI entity resources away from focusing on SCI events occurring in real time.825 The Commission believes that requiring SCI entities to report de minimis systems disruptions and de minimis systems intrusions quarterly balances the interest of SCI entities in having a limited reporting burden for such types of events with the Commission’s interest in oversight of the information technology programs and systems compliance of SCI entities.826 Similarly, the Commission believes that requiring recordkeeping of de minimis systems compliance issues allows the Commission to adequately monitor compliance with the Exchange Act and rules thereunder, while reducing the burdens on SCI entities with regard to providing information to the Commission on such de minimis systems compliance issues. Accordingly, the Commission has determined to exclude certain SCI events from the immediate Commission reporting requirements, subject to certain recordkeeping and reporting requirements for such events, as applicable.827 As described above, the de minimis exception from the immediate Commission notification requirements applies to systems compliance issues as well as systems disruptions and systems intrusions.

824 See supra note 790.
825 See supra notes 791–793 and accompanying text.
826 The Commission notes an SCI entity should be prepared for the possibility that Commission staff may, whether upon request pursuant to Rule 1002(b)(3), Rule 1005(b)(3), or Rule 1007 or during an examination of its compliance with Regulation SCI, include a review of the entity’s classification of SCI events as de minimis SCI events under Rule 1002(b).
The Commission believes that this approach strikes a balance that will help focus the Commission’s and SCI entities’ resources on those systems compliance issues with more significant impacts. Even if an SCI entity determines that the impact of the systems compliance issue is none or negligible, however, the Commission believes that it should have ready access to records regarding such systems compliance issues, and notes that Rule 1002 requires that an SCI entity take corrective action with respect to all SCI events, including de minimis systems compliance issues.828 The Commission recognizes that in many cases, the discovery of a potential systems compliance issue may be of a different nature than the discovery of potential systems disruptions or systems intrusions, as the latter types of events often have an immediately apparent and negative impact on the operations of a given system of the SCI entity. In contrast, in many instances, a systems compliance issue may require the involvement of various personnel (potentially including compliance and/or legal personnel) and a period of time may be required to afford such personnel the chance to perform a preliminary legal analysis to analyze whether a systems compliance issue had, in fact, occurred.

827 While the facts and circumstances surrounding a particular SCI event will ultimately determine the severity of a given event, including whether the event is reasonably estimated to be a de minimis event, a wide range of factors may be relevant to an SCI entity in making such a determination. For example, such factors could include, but are not limited to: whether critical SCI systems are impacted; the duration of the SCI event; whether there is a loss of redundancy (that negatively impacts, for example, a source of power, telecommunications, or other key service); whether an alternate trading system is available following a trading system disruption; the size of the affected market trading volume; whether the processes for trade completion or clearance and settlement are adversely impacted; whether settlement is completed on time; whether an event is resolved prior to the market’s open; whether a post-trade event is resolved before the market closes; whether a failover, despite being successful, results in a given system operating without a backup; and the number of securities symbols that are adversely affected.
828 See infra note 829 and accompanying text.
Because Rule 1002(b)(1) only requires notification to the Commission when responsible SCI personnel have a ‘‘reasonable basis to conclude’’ that a non-de minimis SCI event has occurred, the Commission believes it is appropriate for an SCI entity to notify the Commission of a non-de minimis systems compliance issue after it has conducted such a preliminary legal analysis, unless the nature of the issue makes it readily identifiable as a systems compliance issue.829 Further, if an SCI entity determines that a systems compliance issue is de minimis, such event will not be required to be reported immediately to the Commission, but rather the SCI entity will be required to keep, and provide to representatives of the Commission upon request, records of such de minimis systems compliance issue. Thus, the Commission believes that, as adopted, the requirements with respect to systems compliance issues are reasonable because SCI entities are afforded flexibility to assess and understand potential SCI events and are not required to notify the Commission prior to forming a reasonable basis to conclude that an SCI event has occurred. The Commission also believes that, as part of its oversight of the securities markets, it should have access to information regarding de minimis systems compliance issues when requested. And, although some commenters expressed concern that a systems compliance issue is a legal conclusion that requires time to analyze and could possibly expose the entity to liability if reported,830 as discussed above, the Commission believes these concerns will be mitigated by the revised triggering standard for the obligations in Rule 1002.831 However, while commenters are correct that the occurrence of a systems compliance issue may expose an SCI entity to liability,832 the occurrence of an SCI event will not necessarily cause a violation of Regulation SCI. Further, the occurrence of a systems compliance issue also does not necessarily mean that the SCI entity will be subject to an enforcement action. Rather, the Commission will exercise its discretion to initiate an enforcement action if the Commission determines that action is warranted, based on the particular facts and circumstances of an individual situation.

829 At the same time, the Commission cautions SCI entities against unnecessarily delaying Commission notifications of SCI events, including systems compliance issues. The Commission notes that the notification requirement is triggered when responsible SCI personnel have a reasonable basis to conclude that an SCI event has occurred and not, for example, when responsible SCI personnel have definitively concluded that an SCI event has occurred. As discussed above, the Commission does not believe it is appropriate for an SCI entity to delay notifying its regulator of a systems compliance issue once the SCI entity has a reasonable basis to conclude there is one. See supra note 828 and accompanying text.

830 See OTC Markets Letter at 16; and NYSE Letter at 16.

831 See supra Section IV.B.3.a (discussing the triggering standard).
Commission Legal Authority

As noted above, some commenters broadly questioned the Commission’s legal authority to adopt certain provisions of Regulation SCI as proposed, including those relating to Commission notification of SCI events, as well as Commission notification of material systems changes.833 Section 11A(a)(2) of the Exchange Act directs the Commission, having due regard for the public interest, the protection of investors, and the maintenance of fair and orderly markets, to use its authority under the Exchange Act to facilitate the establishment of a national market system for securities in accordance with the Congressional findings and objectives set forth in Section 11A(a)(1) of the Exchange Act. Among the findings and objectives in Section 11A(a)(1) is that ‘‘[n]ew data processing and communications techniques create the opportunity for more efficient and effective market operations’’ and ‘‘[i]t is in the public interest and appropriate for the protection of investors and the maintenance of fair and orderly markets to assure . . . the economically efficient execution of securities transactions.’’ In addition, Sections 6(b), 15A, and 17A(b)(3) of the Exchange Act impose obligations on national securities exchanges, national securities associations, and clearing agencies, respectively, to be ‘‘so organized’’ and ‘‘[have] the capacity to . . . carry out the purposes of [the Exchange Act].’’

Consistent with this statutory authority, the Commission is adopting Regulation SCI to require, among other things, that SCI entities: (1) Provide certain notices and reports to the Commission to improve Commission oversight of securities market infrastructure; and (2) have comprehensive policies and procedures in place to help ensure the robustness and resiliency of their technological systems, and also that their technological systems operate in compliance with the Exchange Act, rules thereunder, and with their own rules and governing documents. These requirements are important to furthering the directives in Section 11A(a)(2) of the Exchange Act that the Commission, having due regard for the public interest, the protection of investors, and the maintenance of fair and orderly markets, facilitate the establishment of a national market system for securities in accordance with the Congressional findings and objectives set forth in Section 11A(a)(1) of the Exchange Act, including the economically efficient execution of securities transactions.

As discussed in Section I, the U.S. securities markets have been transformed in recent years by technological advancements that have enhanced the speed, capacity, efficiency, and sophistication of the trading functions that are available to market participants.

832 If an SRO fails to, among other things, comply with the provisions of the Exchange Act, the rules or regulations thereunder, or its own rules, the Commission is authorized to impose sanctions. See 15 U.S.C. 78s(g).

833 See supra note 808 and accompanying text. See infra note 1268 (noting comments relating to the Commission’s legal authority for the proposed access provision, which the Commission has determined not to adopt in its final rules because the Commission can adequately assess an SCI entity’s compliance with Regulation SCI through existing recordkeeping requirements and examination authority, as well as through the new recordkeeping requirement in Rule 1005 of Regulation SCI).
Central to these technological advancements have been changes in the automated systems that route and execute orders, disseminate quotes, clear and settle trades, and transmit market data. At the same time, however, these technological advances have generated an increasing risk of operational problems with automated systems, including failures, disruptions, delays, and intrusions. Accordingly, in today’s securities markets, properly functioning technology is central to the maintenance of fair and orderly markets, the national market system, and the efficient and effective market operations and the execution of securities transactions. While the Commission’s ARP Inspection Program has been active in this area, the Commission has not adopted rules specific to these matters. The Commission believes that the adoption of Regulation SCI, with the modifications from the SCI Proposal as discussed above, and compliance with the regulation by SCI entities, will further the goals of the national market system. It will help to ensure the capacity, integrity, resiliency, availability, and security of the automated systems of entities important to the functioning of the U.S. securities markets, as well as reinforce the requirement that such systems operate in compliance with the Exchange Act and rules and regulations thereunder, thus strengthening the infrastructure of the U.S. securities markets and improving its resilience when technological issues arise. In addition, Regulation SCI establishes an updated and formalized regulatory framework, thereby helping to ensure more effective Commission oversight of these systems whose proper functioning is central to the maintenance of fair and orderly markets and for the continued operation of the national market system.
For these reasons, the Commission disagrees with the comments questioning the Commission’s legal authority to adopt Regulation SCI. More specifically, the Commission disagrees with comment regarding its legal authority under Rule 1002(b) related to Commission notification of SCI events. As discussed above, having immediate notice and continuing updates of non-de minimis SCI events, quarterly reports related to de minimis systems disruptions and de minimis systems intrusions, and recordkeeping requirements for de minimis SCI events, directly enables the Commission to have more effective oversight of the systems whose proper functioning is central to the maintenance of fair and orderly markets and for the continued operation of the national market system. In this respect, Rule 1002(b) is integral to furthering the statutory purposes of Section 11A of the Act under which the Commission is directed to act. Moreover, the Commission underscores that the adopted Commission notification provisions would require immediate Commission notice of fewer SCI events than as proposed because the adopted definitions of SCI systems, indirect SCI systems, systems disruption, and systems compliance issue have been refined from the proposal, and de minimis SCI events are not subject to immediate notice.

Some commenters also questioned the Commission’s legal authority to require Commission notification of material systems changes.834 As discussed in more detail below, the material systems change reports are intended to make the Commission and its staff aware of significant systems changes at SCI entities, and thereby improve Commission oversight of U.S. securities market infrastructure, which directly furthers the findings and objectives set forth in Section 11A(a)(1) of the Exchange Act.835 The Commission believes that the adopted material systems change notification requirement will allow the Commission to more efficiently and effectively participate in discussions with SCI entities when systems issues occur and will allow Commission staff to effectively prepare for inspections and examinations of SCI entities. Moreover, Rule 1003(a), as adopted, differs significantly from the proposed requirements as it no longer requires 30-day advance notification, but rather requires quarterly reports of material systems changes. As such, the requirement is designed not to result in ‘‘close, minute regulation of computer systems and computer security.’’ 836 Additionally, the Commission notes that Regulation SCI does not provide for a new review or approval process for SCI entities’ material systems changes.837

834 See infra note 1046 and accompanying text.

835 See infra Section IV.B.4 (discussing the requirement to notify the Commission of material systems changes).

836 See infra note 1046.

837 As noted below in Section IV.B.4, Commission staff will not use material systems change reports to require any approval of prospective systems changes in advance of their implementation pursuant to any provision of Regulation SCI, or to delay implementation of material systems changes pursuant to any provision of Regulation SCI.

Immediate Commission Notification—Proposed Rule 1000(b)(4)(i)

Commenters also specifically discussed proposed Rule 1000(b)(4)(i) regarding reporting to the Commission on immediate notification SCI events. One commenter stated that it generally supported the immediate notification requirement of proposed Rule 1000(b)(4)(i) in the case of material SCI events,838 but other commenters were critical.839 For example, some commenters stated that the Commission should adopt a materiality threshold which would only require an SCI entity to immediately report material SCI events.840 Similarly, one group of commenters suggested a tiered method that would reserve immediate notification to the Commission for truly critical events ‘‘where the Commission’s input would contribute to an expedient resolution,’’ while requiring SCI entities to have written policies and procedures that focus the SCI entity’s attention primarily on taking corrective measures during an SCI event and maintaining records to provide information to the Commission and members and participants as appropriate.841 Two commenters suggested that different reporting standards should apply to different types of systems, suggesting, for example, that immediate notification should be required only for higher priority systems.842

One commenter questioned the adequacy of the Commission’s asserted basis and purpose for requiring notification for the vast majority of SCI events.843 In this commenter’s view, the Commission’s asserted rationale for the Commission notification requirement 844 would only support requiring immediate notification for a limited number of SCI events, where the Commission’s involvement is necessary.845 For other SCI events, in which the Commission would only be gathering and analyzing submitted information, the commenter stated that the Commission’s rationale for requiring immediate notification is insufficient.846

Some commenters addressed the use of the term ‘‘immediately’’ in the proposed rule. One commenter characterized the proposed immediate reporting requirements as rigid, and questioned why reporting could not occur ‘‘promptly’’ with follow-up as reasonably requested by the Commission staff.847 Another commenter stated that immediate notification is unrealistic and predicted that it could trigger an innumerable amount of false alarms.848

Other commenters addressed SCI events that occur outside of normal business hours. Two commenters believed that an SCI entity should not be required to notify the Commission of an SCI event outside of normal business hours.849 Other commenters stated that material events should require immediate notification to the Commission, but all other types of events should be reported by the next business day.850

One commenter stated that immediate notification of an SCI event may be difficult where an SCI entity uses a third party to operate its systems, and therefore believed that an SCI entity should not be responsible for reporting an SCI event caused by a third party unless there is a material impact to the market or the SCI entity’s ability to meet its service level agreements.851 This commenter stated that the rule should permit SCI entities flexibility on how to address third party issues and requested further guidance from the Commission in this area.852

838 See MSRB Letter at 18.

839 See, e.g., NYSE Letter at 22.

840 See SIFMA Letter at 13; FIF Letter at 4; ITG Letter at 12; NYSE Letter at 23; FINRA Letter at 10, 22; and OCC Letter at 13. One commenter stated that, in considering factors that would determine whether or not an SCI event is material, the Commission should consider the overall market disruption caused by the SCI event, the length of the event, the financial impact of the event, and the inability to meet core regulatory obligations regarding order handling and execution activities. See ITG Letter at 13. Similarly, two commenters stated that, with respect to systems compliance issues or systems intrusions, immediate notification SCI events should be limited to systems compliance issues or systems intrusions that the SCI entity reasonably estimates would have a material impact on its operations or on market participants. See MSRB Letter at 18; and Omgeo Letter at 15. Further, in the case of intrusions, one commenter stated that notifications could also include intrusions that would cause a malicious unauthorized access to confidential data, but recommended that other types of intrusions be subject to recordkeeping. See Omgeo Letter at 15. One group of commenters supported implementing a materiality threshold for systems compliance issues, which it stated should be based on factors such as the number of members affected, financial impact and operation impact, and these guidelines should be articulated in the SCI entities’ policies and procedures. See Joint SROs Letter at 9.

841 See Joint SROs Letter at 10.

842 See FINRA Letter at 22 (suggesting, for example, that immediate Commission notification should not be required for SCI events that occur in systems that do not provide real-time data to the market); and SIFMA Letter at 13 (stating that lower priority systems should only be reported on an aggregate and periodic basis).

843 See NYSE Letter at 21–22.

844 See Proposing Release, supra note 13, at 18119.

845 See NYSE Letter at 22; see also Joint SROs Letter at 10.

846 See NYSE Letter at 22.

847 See BATS Letter at 12.

848 See Direct Edge Letter 8.

849 See FINRA Letter at 21; and BATS Letter at 12. FINRA also stated that an SCI entity should have one full business day to report an SCI event.

850 See, e.g., DTCC Letter at 9 (stating that, outside of normal business hours, an SCI entity should only be required to notify the Commission of the most critical events; i.e., those with the potential to impact the core functions and critical operations of the SCI entity); and OCC Letter at 14 (stating that when an event is material because it could have a market-wide impact or impact the core functions of an SCI entity, immediate notification should be required even outside of normal business hours, but all other SCI events should be reported no later than the next business day).

851 See FINRA Letter at 22; see also supra Section IV.A.2.b (discussing the definition of ‘‘SCI systems’’ as it relates to third parties).

852 See FINRA Letter at 22.

Immediate Notification of SCI Events: Adopted Rule 1002(b)(1)

Adopted Rule 1002(b)(1) requires each SCI entity to notify the Commission of an SCI event immediately upon any responsible SCI personnel having a reasonable basis to conclude that an SCI event has occurred (unless it is a de minimis SCI event). Such notification may be provided orally (e.g., by telephone) or in writing (e.g., by email or on Form SCI). Although many commenters were critical of the immediate notification provision, Rule 1002(b)(1) substantially retains the requirements of proposed Rule 1000(b)(4)(i), but is modified in certain respects in response to comments.

The Commission has considered the views of commenters who stated that the Commission should require immediate notification only for material SCI events, or when Commission involvement would contribute to an expedient resolution.853 Given the Commission’s oversight responsibilities over SCI entities and the U.S. securities market generally, the notification rule is not intended to be limited to instances in which SCI entities might believe that it would be useful for the Commission to provide input. SCI event notifications also serve the function of providing the Commission and its staff with information about the potential impact of an SCI event on the securities markets and market participants more broadly, which potential impacts may not be readily apparent or important to the SCI entity reporting such an event.
Moreover, the Commission believes that there will be instances in which an SCI entity will not know the significance of an SCI event at the time of the occurrence of an event, or whether such event (or, potentially, the aggregated impact of several SCI events occurring, for example, across many SCI entities) will warrant the Commission’s input or merit the Commission’s awareness, nor does the Commission believe it should be solely within an SCI entity’s discretion to make such a determination. And SCI entities retain the flexibility to revise their initial assessments should they subsequently determine that the event in question was incorrectly initially assessed to be a de minimis event (or incorrectly initially assessed to not be a de minimis event). Consequently, the Commission does not agree with commenters who stated that only material SCI events should be reported to the Commission immediately.854

The Commission has also considered comments that the term ‘‘immediately’’ as used in proposed Rule 1000(b)(4) is rigid and unrealistic.855 The Commission, in adopting Rule 1002(b), has retained the requirement that SCI entities must notify the Commission immediately; however, as discussed in detail above,856 the triggering standard has been modified so that the notification obligations of Rule 1002(b) are triggered only upon any responsible SCI personnel having a reasonable basis to conclude that an SCI event has occurred. The Commission believes this modification responds to commenters’ concerns that the ‘‘immediate’’ reporting requirement is too rigid or would pose practical difficulties, as it allows additional time for escalation to senior SCI entity personnel and for the performance of preliminary analysis and assessment regarding whether an SCI event has, in fact, occurred before requiring notification to the Commission. As such, the Commission believes that the immediate notification requirement of Rule 1002(b)(1) will not unduly cause ‘‘false alarms,’’ as one commenter stated.857 At the same time, the Commission believes that the immediate notification requirement, as adopted, will help ensure that the Commission and its staff are kept apprised of SCI events after they occur, and as their impact unfolds and is mitigated and, ultimately, as the SCI entity engages in corrective action to resolve the SCI events.

Additionally, the Commission notes that immediate notifications made pursuant to Rule 1002(b)(1) may be made orally (e.g., by telephone) or in a written form (e.g., by email or on Form SCI).858 The Commission notes that, by not prescribing the precise method of communication for an immediate notification, SCI entities are afforded the flexibility to determine the most effective and efficient method to communicate with the Commission.

The Commission has also considered comments that immediate notification should not be required outside of normal business hours, or that it should only be required outside of normal business hours in the case of material SCI events.859 The Commission notes that the adopted rule will afford SCI entities considerable flexibility in how to communicate an immediate notification to the Commission—that is, SCI entities may satisfy the immediate notification requirement simply by communicating with the Commission via telephone or email. In addition, because an SCI entity’s obligation to report to the Commission is not triggered until responsible SCI personnel have a reasonable basis to conclude that an SCI event has occurred,860 the Commission does not believe that timely notification, even outside of normal business hours, is so onerous that it necessitates allowing a full business day to comply.

853 See supra notes 838–846 and accompanying text.

854 See, e.g., supra note 842 and accompanying text.

855 See supra note 847 and accompanying text.

856 See supra Section IV.B.3.a (discussing the triggering standard).

857 See supra note 848 and accompanying text. The Commission notes that, if an SCI entity at some point after submitting an immediate notification concludes after further investigation and analysis that it was incorrect in its initial determination that an SCI event had occurred, the SCI entity should alert the Commission of its updated assessment pursuant to Rule 1002(b)(3). Relatedly, Rule 1002(b) is designed to provide SCI entities flexibility in notifying the Commission of the details regarding an SCI event (for example, through the ability to provide the Rule 1002(b)(2) written notification on a good faith, best efforts basis) and time to assess and analyze the SCI event (for example, by requiring that the Rule 1002(b)(2) written notification only provide a description of the SCI event, including the system(s) affected, and with additional information only required to the extent available at that time).

858 The Commission notes that, prior to the compliance date of Regulation SCI, Commission staff intends to notify SCI entities of the email addresses, phone numbers, and contact persons that SCI entities should use when notifying the Commission of SCI events under Rule 1002(b).

859 See, e.g., supra notes 849 and 794–797 and accompanying text.
Particularly because it has determined to exclude de minimis SCI events from the immediate notification requirement, the Commission believes that it is reasonable to require that an SCI event (except those specified in Rule 1002(b)(5)) be reported to the Commission orally (e.g., by telephone) or in writing (e.g., by email or on Form SCI) when responsible SCI personnel have a reasonable basis to conclude that an SCI event has occurred, even if such communication may be outside of normal business hours. Because the rule provides flexibility to more easily enable communication—by permitting oral notification—of the fact of an SCI event to the Commission, and because only non-de minimis SCI events are subject to this requirement, the Commission believes notice to the Commission is appropriate sooner rather than later. In addition, as discussed above, the Commission believes that there may be situations where the severity of an SCI event may not be immediately apparent to an SCI entity experiencing the event, but the Commission, from its unique position, may determine as a result of receiving multiple immediate notifications, each related to an SCI event of a similar nature, that the SCI event is part of a pattern of a larger, more significant occurrence. The Commission is therefore adopting Rule 1002(b) to require that an SCI entity notify the Commission of an SCI event immediately upon any responsible SCI personnel having a reasonable basis to conclude that an SCI event has occurred, without an exception for periods outside of normal business hours. In addition, as noted above, the information submitted to the Commission pursuant to Regulation SCI will be treated as confidential, subject to applicable law 861 and, as noted in Sections IV.B.1.b.i and IV.B.2.a, the occurrence of an SCI event does not necessarily mean that an SCI entity has violated Regulation SCI. 
The Commission disagrees with the commenter who stated that the Commission should not require SCI entities to be responsible for reporting an SCI event caused by a third party because immediate notification would be difficult.862 An SCI event, whether or not caused by a third party system, by definition relates to an SCI system or indirect SCI system. As explained in Section IV.A.2 above (discussing the definitions of ‘‘SCI systems’’ and ‘‘indirect SCI systems’’), the Commission has adopted the definition of SCI systems to include, specifically, those systems of SCI entities that would be reasonably likely to impact the protection of investors and the maintenance of fair and orderly markets and an SCI entity’s operational capability, and has not excluded third party systems from the definition. As stated above, if an SCI entity is uncertain of its ability to manage a third-party relationship to satisfy the requirements of Regulation SCI, then it would need to reassess its decision to outsource the applicable system to such third party.863 In response to comment that SCI entities would be required to provide notification reports multiple times to different Commission staff for the same event,864 the Commission notes that the rule does not include such a requirement. In addition, the Commission also disagrees with the commenter who stated that, for systems disruptions, notifications should not be required from each separate entity where a disruption impacts multiple SCI entities.865 Excusing immediate notification where a given event seems to be affecting multiple SCI entities would not be appropriate because the Commission, as the centralized receiver of notifications, will be the entity that will be in a position to determine whether, in fact, SCI entities are concurrently experiencing the same SCI event.
Moreover, even if a given event affects multiple SCI entities, it may be the case that the event impacts each SCI entity and the affected systems in a different manner, and thus the Commission believes it is important to receive individual notifications from each affected SCI entity.

860 See supra Section IV.B.3.a (discussing the triggering standard).

861 See supra note 674.

862 See supra notes 851–852 and accompanying text.

863 See supra note 260 and accompanying text.

864 See, e.g., supra note 805 and accompanying text.

865 See, e.g., id.

Written Commission Notification: Proposed Rule 1000(b)(4)(ii)

Commenters also specifically discussed and suggested alternatives to proposed Rule 1000(b)(4)(ii), which would have required an SCI entity, within 24 hours of any responsible SCI personnel becoming aware of any SCI event, to submit a written notification pertaining to such SCI event to the Commission. Many commenters stated that the proposed 24-hour time frame was too short or burdensome.866 Several commenters specifically suggested that the Commission extend the time frame to allow SCI entities to attend to the SCI event without also devoting resources to notifying the Commission, suggesting different time frames they believed to be appropriate.867 One commenter suggested that SCI entities be given until 24 to 48 hours after final resolution of the SCI event to submit a written notification.868 Another commenter similarly recommended that, where real-time notification is needed, written notification should not be required unless an SCI event remains unresolved after a reasonable period (such as 10 or 15 days).869

Some commenters also suggested that, if the Commission retains the 24-hour requirement, it should require provision of less information.
For example, one commenter suggested that SCI entities should only be required to provide whatever information is sufficiently reliable at that time.870 Two other commenters stated that SCI entities should not be required to include an estimate of the markets and participants impacted by an SCI event or to quantify such impact because this requirement may create a risk of civil liability for the SCI entity.871 Another commenter recommended that the rule require only a brief written summary that is one or two paragraphs, which could be supplemented by oral communications and a longer summary within 15 days after an SCI event has been fully resolved.872

With respect to the information provided to the Commission via notification of an SCI event, one commenter suggested that the rule provide a safe harbor for entities and employees for either inadvertent omissions in a submitted report, or when a good faith, documented determination is made that no report is required.873 One commenter stated that the Commission should expressly provide that initial written submissions are to be made on a best efforts basis and SCI entities will incur no liability or penalty for any unintentional inaccuracies or omissions contained in these submissions.874 Some commenters stated that entities should not be liable for information that is later found to be incomplete or inaccurate.875

Some commenters 876 questioned the purpose of requiring that information disseminated to members and participants (under proposed Rule 1000(b)(5)) be copied and attached to Form SCI as part of notifications to the Commission, and considered it ‘‘an overly broad inclusion of communications’’ that would have ‘‘a chilling effect on communications between the SCI entities and their members and participants,’’ 877 while another commenter argued that, when an exchange is having a technology issue, many members may be reaching out to the exchange’s staff with requests for information and status. Therefore, that commenter questioned the feasibility, need, and potential impact of the proposed requirement that SCI entities provide a copy of any information disseminated to date regarding the SCI event to their members or participants.878 One commenter stated that, to reduce the cost of compliance, the Commission should accept the same notifications of service interruptions that an ATS already provides to its subscribers.879

866 See NYSE Letter at 23; FINRA Letter at 19; BATS Letter at 12; DTCC Letter at 9; MSRB Letter at 18; SIFMA Letter at 13; FIF Letter at 5; BIDS Letter at 10; Omgeo Letter at 17; and CME Letter at 9.
867 Commenters suggested time frames of 48 hours (CME Letter at 9); 72 hours (OCC Letter at 12; DTCC Letter at 9, 11 (noting, however, that details surrounding an SCI event should not be required to be provided in writing until after the investigation of the event is complete and the event has been resolved)); and five business days (BIDS Letter at 10).
868 See FINRA Letter at 20. This commenter further suggested that, if an SCI event has not been fully resolved within a reasonable period, e.g., 10 or 15 days, an SCI entity could be required to submit written notification based on currently available information at the end of that period, with periodic status updates via telephone or email, and a final written submission within 24 to 48 hours after the event has been fully resolved.
869 See SIFMA Letter at 14.
870 See FINRA Letter at 20. This commenter also suggested that the rule require an SCI entity to assess the ‘‘business impact’’ of an SCI event, noting that this information may provide more context than requiring an SCI entity to estimate the number of market participants impacted by an SCI event (which in some cases could be zero, but still have a negative impact on the SCI entity). See FINRA Letter at 30.
871 See DTCC Letter at 10; and Omgeo Letter at 30. Omgeo added that such a calculation would be difficult to compute, likely inaccurate, and of little use to the Commission.
872 See Omgeo Letter at 17.
873 See id. at 18.
874 See FINRA Letter at 20.
875 See, e.g., SIFMA Letter at 14; and UBS Letter at 4 (stating that SCI entities acting in good faith should not be held accountable if details offered in reports to the Commission are substantially different from what is revealed by further analysis).
876 Because the requirement to provide information disseminated to an SCI entity’s members or participants is now included in the Final Report (Rule 1002(b)(4)) instead of with the 24-hour written notification requirement as proposed, the Commission’s response to these comments is discussed below in the subsection ‘‘Final Report: Adopted Rule 1002(b)(4).’’
877 See Joint SROs Letter at 11.

Commenters also provided suggestions for limiting the circumstances for which 24-hour written notification would be required under proposed Rule 1000(b)(4)(ii).
One commenter stated that only SCI events that materially impact an SCI entity’s operations or market participants should be subject to the 24-hour written notification requirement, but questioned whether 24 hours was realistic even for those events.880 One commenter suggested that proposed Rule 1000(b)(4)(ii) only apply to significant SCI events and that other events only be subject to a recordkeeping requirement.881 In addition, some commenters suggested that if an SCI entity has provided oral notification to the Commission, it should not be required to file written notice within 24 hours after the initial report unless reasonably requested by the Commission.882

878 See Direct Edge Letter at 7–8.
879 See BIDS Letter at 11.
880 See MSRB Letter at 18.
881 See CME Letter at 9.
882 See BATS Letter at 12; and Omgeo Letter at 17. See also DTCC Letter at 10; and OCC Letter at 14 (suggesting 72 hours to provide written information after providing verbal notification).

Written Notification Within 24 Hours: Adopted Rule 1002(b)(2)

Adopted Rule 1002(b)(2) requires an SCI entity, within 24 hours of any responsible SCI personnel having a reasonable basis to conclude that the SCI event has occurred, to submit a written notification pertaining to such SCI event to the Commission. Rule 1002(b)(2) allows for such written notifications to be made on a good faith, best efforts basis and requires that it include: (i) A description of the SCI event, including the system(s) affected; and (ii) to the extent available as of the time of the notification: the SCI entity’s current assessment of the types and number of market participants potentially affected by the SCI event; the potential impact of the SCI event on the market; a description of the steps the SCI entity has taken, is taking, or plans to take, with respect to the SCI event; the time the SCI event was resolved or timeframe within which the SCI event is expected to be resolved; and any other pertinent information known by the SCI entity about the SCI event.

The Commission has considered comments stating that 24 hours is too short and burdensome a duration for an SCI entity to submit a compliant written notification.883 The Commission understands commenters’ concerns that SCI entities may still be actively investigating and working to resolve an SCI event and that information it initially provides to the Commission about an SCI event may not ultimately prove correct.884 Therefore, in line with commenters’ concerns regarding a good faith and best efforts standard,885 the Commission has modified the 24-hour written notification requirement in adopted Rule 1002(b) to make clear that the written notification should be provided on a ‘‘good faith, best efforts basis.’’ This modification acknowledges that a written notification provided within 24 hours may provide only a preliminary assessment of the SCI event, that additional information may come to light after the initial 24-hour period, and that the initial assessment may prove in retrospect to be incorrect or incomplete. Consequently, the adopted rule requires that the written notification provided within 24 hours be submitted on a good faith, best efforts basis, and does not require that the written notification be a comprehensive or complete assessment of the SCI event (unless, of course, an SCI entity has completed a full assessment by such time). The Commission believes that a ‘‘good faith’’ standard will help to ensure that SCI entities will not be accountable for unintentional inaccuracies or omissions contained in these submissions, and a ‘‘best efforts’’ standard will help to ensure that SCI entities will make a diligent and timely attempt to provide all the information required by the written notification requirement.
883 See, e.g., supra note 866 and accompanying text.
884 See supra notes 873–875 and accompanying text.
885 See id.

The Commission also notes that an SCI entity will not need to submit a written notification where an SCI entity documents that an SCI event is determined to be a de minimis SCI event, other than including de minimis systems disruptions and de minimis systems intrusions in the quarterly report required by Rule 1002(b)(5). As discussed in further detail below, in the event that new information comes to light or previously reported information is found to be materially incorrect, adopted Rule 1002(b)(3) requires an SCI entity to update the information at that time, and does not require that such updates be written.886 The Commission believes these modifications will help ensure that SCI entities are able to provide the information required by Rule 1002(b)(2) within 24 hours, and therefore the Commission is not modifying the timeframe to extend beyond 24 hours, as requested by several commenters.887 Moreover, because the information need only be provided on a good faith, best efforts basis and, pursuant to Rule 1002(b)(3), updates can be provided on a regular basis to correct any materially incorrect information previously provided or when new material information is discovered, the Commission disagrees with commenters that stated that the information required by Rule 1002(b) should be provided only after resolution of the SCI event.
The Commission continues to believe that Rule 1002(b)(2)’s requirement to provide information to the Commission within 24 hours is appropriately tailored to help the Commission and its staff quickly assess the nature and the scope of an SCI event and will contribute to more timely and effective Commission oversight of systems whose proper functioning is central to the maintenance of fair and orderly markets, and that this would particularly be the case for SCI events that are not yet resolved.888

Adopted Rule 1002(b)(2) is also responsive to comments urging the Commission to require less information in a 24-hour written notification.889 Specifically, whereas proposed Rule 1000(b)(4) required a detailed description of the SCI event, adopted Rule 1002(b)(2)(i) specifies that an SCI entity must only provide ‘‘a description of the SCI event, including the system(s) affected.’’ Additional information is only required to the extent available as of the time of the notification, which includes an ‘‘SCI entity’s current assessment of the types and number of market participants potentially affected by the SCI event; the potential impact of the SCI event on the market; a description of the steps the SCI entity has taken, is taking, or plans to take, with respect to the SCI event; the time the SCI event was resolved or timeframe within which the SCI event is expected to be resolved; and any other pertinent information known by the SCI entity about the SCI event.’’ 890 This information is the type of necessary information that SCI entities are able to provide in a short timeframe and that the Commission has come, over time, to rely upon to properly assess systems issues.

886 See infra note 909 and accompanying text.
887 See supra notes 867–869 and accompanying text; and Proposing Release, supra note 13, at 18119.
888 See supra notes 868 and 872 and accompanying text.
889 See supra notes 870–872 and accompanying text.
Additionally, the Commission notes that adopted Rule 1002(b) does not require that an SCI entity provide the Commission, at the time of the initial notice to the Commission, with its current assessment of the SCI event, including a discussion of the determination of whether it is subject to a dissemination requirement, as proposed in Rule 1000(b)(4). The Commission has also determined to further refine the scope of information that needs to be reported in the 24-hour written notification by requiring that the following items instead be included in the final report under Rule 1002(b)(4), rather than in the 24-hour written notification required by Rule 1002(b)(2): A description of the SCI entity’s rule(s) and/or governing document(s), as applicable, that relate to the SCI event; and an analysis of parties that may have experienced a loss, whether monetary or otherwise, due to the SCI event, the number of such parties, and an estimate of the aggregate amount of such loss.891

In response to commenters who suggested that the Commission limit the events for which 24-hour written notification would be required to material events,892 the Commission notes that it has partially responded to such comments by providing an exception to the immediate notification requirement for de minimis events in Rule 1002(b)(5). The Commission believes that this exception should reduce the overall number of SCI events subject to immediate notification requirements as compared to what would have been required if the SCI Proposal was adopted without modification and, consequently, the requirement to submit a written notification within 24 hours of an SCI event, thereby alleviating some of the burdens about which commenters expressed concerns.

890 Rule 1002(b)(2)(ii). The information required to be provided in Rule 1002(b)(2)(ii) is a subset of information proposed to be required under Rule 1000(b)(4)(iv)(A)(1)–(2) of the SCI Proposal.
891 At the same time, if such information is known at the time of the notification, the SCI entity will be required to provide it pursuant to Rule 1002(b)(2)(ii)’s requirement that the SCI entity provide ‘‘any other pertinent information known . . . about the SCI event.’’ Additionally, such information would be provided under the requirement to provide the Commission with regular updates under Rule 1002(b)(3)’s requirement to provide any of the information listed in Rule 1002(b)(2)(ii) if it becomes available after the time of submission of the 24-hour notification. The Commission also notes that Rule 1002(b)(4)(ii) requires that an SCI entity include in the final report a copy of any information disseminated pursuant to Rule 1002(c) by the SCI entity to date regarding an SCI event to any of its members or participants.
892 See supra note 880 and accompanying text.

Moreover, the Commission believes that a materiality threshold would likely exclude from the 24-hour written notification a large number of SCI events that are not de minimis SCI events but that the Commission, as part of its oversight role, should be updated on so that the Commission and its staff can quickly assess the nature and scope of those SCI events and potentially assist the SCI entity in identifying the appropriate response, including ways to mitigate the impact of SCI events on investors and promote the maintenance of fair and orderly markets. The Commission reemphasizes that the information to be provided under the 24-hour written notification would represent the SCI entity’s preliminary assessment—performed on a good faith, best efforts basis—of the SCI event, and only certain key information is required under the 24-hour written notification, with ‘‘other pertinent information’’ required only where ‘‘known by the SCI entity’’ within the 24-hour timeframe.
For these reasons, the Commission has determined not to adopt a materiality threshold for the requirement that an SCI entity update the Commission within 24 hours after it has a reasonable basis to conclude that an SCI event has occurred. Additionally, the Commission disagrees with those commenters who stated that written notification should only be required when reasonably requested by the Commission.893 The Commission believes that it should be notified of all SCI events and that all SCI events (other than those specified in Rule 1002(b)(5)) should be subject to the 24-hour written notification requirement because, by articulating in a single notification what is currently known about an SCI event and the steps expected to be taken to respond to the SCI event, the Commission will be better able to assess the nature and scope of, and respond to, SCI events and potentially assist SCI entities in identifying the appropriate response, including ways to mitigate the impact of SCI events on investors and promote the maintenance of fair and orderly markets.

893 See supra note 882 and accompanying text.

In response to the comment that the Commission should accept the same notifications of service interruptions that an ATS provides to its subscribers,894 the Commission believes that SCI ATSs can use the types of information contained in ATS notices to subscribers when completing Form SCI, but nevertheless believes that it is more useful and efficient for the Commission and its staff to be able to have all SCI event notifications standardized in a single format (i.e., Form SCI). As discussed above, the information required under the adopted 24-hour written notification requirement has been refined as compared with the requirements in the proposal.
Consequently, the Commission believes that SCI entities should be able to provide the Commission with this information in a written format, and does not agree that such information should be provided in an oral format, as requested by some commenters, regardless of the manner in which the immediate notification was provided to the Commission.895 The Commission emphasizes that regular updates provided under Rule 1002(b)(3) may, however, be provided either orally or in written form.896

In response to commenters that stated SCI entities should not be required to include an estimate of the market participants impacted by an SCI event or to quantify such impact because this requirement may create a risk of civil liability for the SCI entity,897 the Commission notes that the information submitted to the Commission pursuant to Regulation SCI will be treated as confidential, subject to applicable law, including amended Rule 24b–2.898 Moreover, the requirement to provide a 24-hour written notification does not itself create a risk of civil liability, but the Commission acknowledges that the information provided to it may be subject to FOIA requests. Regarding the comment that the requirement to include an estimate of the markets and participants impacted by an SCI event or to quantify such impact would be difficult to compute, likely inaccurate, and of little use to the Commission,899 the Commission disagrees. The rule requires an SCI entity to provide its current assessment of the types and number of market participants potentially affected by the SCI event and the potential impact of the SCI event on the market, to the extent this information is available as of the time of the notification, rather than an exact computation. In addition, the rule does not require that the assessment be submitted only if the SCI entity ensures that it is free of inaccuracies. Further, contrary to the commenter’s suggestion, the Commission believes that such estimates will be of significant use to the Commission and its staff in understanding the potential severity of the SCI event. In addition, because the SCI entity is likely to be in the best position to assess an SCI event, the Commission also believes that an assessment of the impact of an SCI event on markets and participants is useful because it affords the Commission the opportunity to learn the SCI entity’s perspective on the potential or actual impact of an SCI event.900

894 See supra note 879 and accompanying text.
895 See supra notes 872 and 882 and accompanying text.
896 See infra note 911 and accompanying text.
897 See supra note 871.
898 See supra notes 802–803 and accompanying text. For a discussion of the amendment to Rule 24b–2, see infra notes 1245–1248 and accompanying text.
899 See supra note 871 and accompanying text.

Written Commission Updates: Proposed Rule 1000(b)(4)(iii)

Commenters also addressed proposed Rule 1000(b)(4)(iii), which required an SCI entity to provide the Commission written updates pertaining to an SCI event on a regular basis, or at such frequency as reasonably requested by a representative of the Commission, until the SCI event was resolved.
Some commenters urged the Commission to provide clarity on the definition of ‘‘resolved.’’ 901 For example, one commenter suggested that the Commission should define the resolution of an SCI event to be when the affected SCI systems have been normalized,902 and another commenter stated that there should be a precise definition of when an SCI event is resolved and that definition should be linked directly to the definition of the SCI event itself.903 Other commenters expressed concern that the continuing update requirement could divert resources from resolution of the SCI event and suggested that updates be required only to the extent they would not interfere with event resolution.904 One commenter stated that continual updates should only be necessary if the SCI entity had not resolved the event within a reasonable period, such as 10 to 15 days.905

900 The Commission notes that SCI entities retain the flexibility to provide additional information to the Commission as part of their assessments, such as providing the ‘‘business impact’’ of an SCI event, as suggested by one commenter. See supra note 870.
901 See DTCC Letter at 11; and Omgeo Letter at 18.
902 See DTCC Letter at 11.
903 See Omgeo Letter at 18.
904 See MSRB Letter at 19; and OCC Letter at 14.
905 See FINRA Letter at 20.

Other commenters addressed the method of providing updates.
For example, one commenter stated that only oral communication should be required when an SCI event is ongoing, and that the rule should allow a written supplement to a final or post mortem report if additional information comes to light regarding the SCI event.906 Another commenter suggested that updates should be permitted to be in writing or provided orally based on the judgment of the SCI entity.907 Finally, one commenter stated that requests for updates regarding SCI events should only be permitted to come from senior staff at the Commission.908

Regular Updates: Adopted Rule 1002(b)(3)

Rule 1002(b)(3) requires that, until such time as an SCI event is resolved, and the SCI entity’s investigation of the SCI event is closed, an SCI entity provide the Commission with updates pertaining to the SCI event on a regular basis, or at such frequency as reasonably requested by a representative of the Commission. Updates are required to correct any materially incorrect information previously provided, or when new material information is discovered, including but not limited to, any of the information listed in Rule 1002(b)(2)(ii). While the Commission recognizes that providing the Commission with such updates imposes an additional reporting requirement on SCI entities, the Commission also believes that updates are important to allow the Commission to fully monitor the SCI event. In addition, the Commission believes that the update requirement will encourage SCI entities to formalize their processes for gathering information on SCI events, which will help to ensure that responsible SCI personnel receive accurate and updated information on SCI events as they are being resolved, and further, that this process may be helpful to SCI entities when providing information about SCI events to their members or participants.
906 See Omgeo Letter at 17.
907 See MSRB Letter at 19.
908 See NYSE Letter at 24.

Also, because the Commission has revised the requirements of the 24-hour notification to allow SCI entities to provide information on a good faith, best efforts basis and has limited the scope of information required in that report as discussed above, the Commission believes that updates to the Commission to correct materially incorrect information previously reported or when new material information is discovered as required by the rule are important to keep the Commission up to date with accurate information, including the following: The SCI entity’s current assessment of the types and number of market participants potentially affected by the SCI event; the potential impact of the SCI event on the market; a description of the steps the SCI entity has taken, is taking, or plans to take, with respect to the SCI event; the time the SCI event was resolved or timeframe within which the SCI event is expected to be resolved; and any other pertinent information known by the SCI entity about the SCI event. Consequently, the Commission does not agree with the commenter who suggested that updates should be only required if an SCI event has not been resolved within a reasonable amount of time, such as 10 to 15 days.909 The Commission believes that updates regarding this information are important to enhance the Commission’s oversight of the securities markets and its informed and continued understanding of an SCI event.
Moreover, the Commission underscores that updates are only required to the extent that they correct any materially incorrect information previously provided or when new material information is discovered, including but not limited to, any of the information listed in Rule 1002(b)(2)(ii), thereby alleviating the burden to SCI entities of providing such updates absent such circumstances.910

909 See supra note 870 and accompanying text.
910 The requirement that updates regarding new or corrected information be provided on a regular basis (unless an alternative, specific frequency is reasonably requested by a representative of the Commission) is designed to take into account the fact that new or updated information may develop at different frequencies for different SCI events.

The Commission has also eased the requirements of the proposed update provision by eliminating the proposed requirements that an SCI entity attach a copy of any information disseminated to date regarding the SCI event to its members or participants or on the SCI entity’s publicly available Web site; a description of the SCI entity’s rule(s) and/or governing document(s), as applicable, that relate to the SCI event; an analysis of parties that may have experienced a loss, whether monetary or otherwise, due to the SCI event, the number of such parties, and an estimate of the aggregate amount of such loss. Instead, these information requirements must only be provided as part of the final report required by Rule 1002(b)(4), and the Commission therefore believes that burdens associated with the continuing update requirement will be streamlined because SCI entities will not need to devote resources to providing written updates while an SCI event is ongoing.
At the same time, the Commission is cognizant of the burdens associated with requiring written updates and therefore has revised the update requirement in adopted Rule 1002(b)(3) to remove the proposed requirement that such updates be provided in written form. Thus, submission of updates may be provided either orally or in written form, and will result in a lighter burden on SCI entities than the proposed requirement, and is responsive to commenters that suggested that SCI entity resources would be better directed to resolving an SCI event.911

In response to comment that the Commission provide guidance to clarify when an SCI event has been ‘‘resolved’’ 912 and in line with the particular comment that the concept of resolution should be linked directly to the definition of the SCI event itself,913 the Commission believes that an SCI event is resolved when the event no longer meets the definitions of a systems disruption, systems intrusion, or systems compliance issue, as defined in Rule 1000, and that an SCI entity’s Rule 1002(b) reporting obligations are completed when an SCI entity submits a final report as required by Rule 1002(b)(4). Further, the Commission does not believe that it is necessary to prescribe that requests to SCI entities regarding updates should come solely from senior Commission staff, as suggested by one commenter.914 The Commission believes that requiring an SCI entity to update the Commission at such frequency as reasonably requested by a representative of the Commission provides appropriate flexibility to the Commission to request additional information as necessary, but does not anticipate that requests will be made by multiple members of the Commission staff because the Commission expects that such requests would be coordinated by a particular group of Commission staff that are assigned to handle specific reports from SCI entities.

911 See supra note 791 and accompanying text. SCI entities may, but are not required to, utilize Form SCI to submit such updates. See Section IV.D (discussing Form SCI). The Commission also believes that, to the extent commenters suggested that the Commission permit oral updates, they did so because, at least in part, oral updates are less burdensome to SCI entities than written updates. See supra notes 906–907 and accompanying text.
912 See supra notes 902–903 and accompanying text.
913 See supra note 903 and accompanying text.
914 See supra note 802 and accompanying text.

Final Report: Adopted Rule 1002(b)(4)

Adopted Rule 1002(b)(4) requires that if an SCI event is resolved and the SCI entity’s investigation of the SCI event is closed within 30 days of the occurrence of the SCI event, then within five business days after the resolution of the SCI event and closure of the SCI entity’s investigation regarding the SCI event, the SCI entity is to submit a final written notification pertaining to such SCI event to the Commission (‘‘final report’’). The final report is required to include: (i) A detailed description of: The SCI entity’s assessment of the types and number of market participants affected by the SCI event; the SCI entity’s assessment of the impact of the SCI event on the market; the steps the SCI entity has taken, is taking, or plans to take, with respect to the SCI event; the time the SCI event was resolved; the SCI entity’s rule(s) and/or governing document(s), as applicable, that relate to the SCI event; and any other pertinent information known by the SCI entity about the SCI event; (ii) a copy of any information disseminated pursuant to Rule 1002(c) by the SCI entity to date regarding the SCI event to any of its members or participants; and (iii) an analysis of parties that may have experienced a loss, whether monetary or otherwise, due to the SCI event, the number of such parties, and an estimate of the aggregate amount of such loss.
Rule 1002(b)(4) also specifies that, if an SCI event is not resolved or the SCI entity’s investigation of the SCI event is not closed within 30 days of the occurrence of the SCI event, then, the SCI entity is required to submit a written notification pertaining to such SCI event to the Commission within 30 days after the occurrence of the SCI event containing the information required in Rules 1002(b)(4)(i)–(iii), to the extent known at the time. Within five business days after the resolution of such SCI event and closure of the investigation regarding such SCI event, the SCI entity is required to submit a final written notification pertaining to such SCI event to the Commission containing the information specified in the rule.
As an initial matter, the Commission notes that several of the items that are specifically required to be described in the final report (as specified in adopted Rule 1002(b)(4)) were proposed to be required to be provided to the Commission under proposed Rule 1000(b)(4)(ii), within a shorter time frame.915 The Commission believes that the adopted rule, by requiring that this information be submitted to the Commission after resolution of an SCI event and closure of the SCI entity’s investigation, will encourage SCI entities to devote resources first to resolving the SCI event, and providing status reports when required, and then to preparing a comprehensive final report. In particular, as some commenters suggested, certain information would be more accurate, and therefore more useful, if provided after an SCI event is resolved.916 The Commission believes that the information required under Rule 1002(b)(4) will provide the Commission with a comprehensive analysis to more fully understand and assess the impact caused by the SCI event. In addition, the Commission ordinarily would expect an SCI entity to include the root cause of an SCI event as part of ‘‘any other pertinent information’’ known about the SCI event.
The Commission also believes that certain of the information requested by Rule 1002(b)(4) is more suitable to be provided after, rather than prior to, resolution of an SCI event. Specifically, much of the information required by Rule 1002(b)(4) (an analysis of parties that may have experienced a loss, whether monetary or otherwise, due to the SCI event, the number of such parties, and an estimate of the aggregate amount of such loss) can only be comprehensively known after the final resolution of an SCI event.917
Similarly, the Commission is revising the proposed requirement that SCI entities provide to the Commission a copy of any information disclosed by the SCI entity to date regarding the SCI event to any of its members or participants. First, rather than requiring that SCI entities provide a copy of ‘‘any information disclosed by the SCI entity,’’ the adopted rule requires that SCI entities provide a copy of any information ‘‘disseminated pursuant to paragraph (c) of [Rule 1002]’’ by the SCI entity to date regarding the SCI event to any of its members or participants. The Commission believes that this refined requirement will more appropriately capture only the information needed for the Commission to assess compliance with the dissemination requirements of Rule 1002(c). Further, to limit the burden on, and provide additional flexibility to, SCI entities as they resolve SCI events, the adopted rule does not require this information to be included as part of a Form SCI submission until the final report is to be submitted to the Commission.
915 The Commission notes that while proposed Rule 1000(b)(4)(iv)(C) specified that an SCI entity was required to provide a copy of any information disseminated on the SCI entity’s publicly available Web site, adopted Rule 1002(b)(4) specifies that an SCI entity provide a copy of any information disseminated pursuant to Rule 1002(c) by the SCI entity to date regarding the SCI event to any of its members or participants.
916 See supra notes 870–878 and accompanying text.
917 The Commission notes that a notification required pursuant to proposed Rule 1000(b)(4)(ii) required the SCI entity to provide information on the ‘‘potential impact of the SCI event on the market,’’ whereas adopted Rule 1002(b)(4)(ii)(A) requires a description of ‘‘the SCI entity’s assessment of the impact of the SCI event on the market.’’ Because adopted Rule 1002(b)(4) requires a final report upon resolution of an SCI event and the closure of the SCI entity’s investigation of the SCI event, the Commission believes it is appropriate that an SCI entity provide its assessment of the impact of the SCI event in the final report, rather than information on the SCI event’s potential impact.
The Commission believes that it is sufficient to require that this information be included in the final report because it is an important part of the record of an SCI event and SCI entity’s response to such event.918 As noted above, one commenter questioned the purpose of this requirement and expressed concern that it may negatively impact open communication between an SCI entity and its members and participants,919 while another commenter questioned the feasibility, need, and potential impact of this requirement in light of the numerous communications that SCI entities will engage in with their members or participants.920 While the Commission recognizes that it is possible that the requirement could have some chilling effect on such communications, it believes that this information is important for SCI entities to share with the Commission because it is an efficient means for the Commission to assess whether SCI entities are complying with the dissemination requirements of Rule 1002(c). Further, the Commission believes that, by requiring that SCI entities provide a copy only of information disseminated pursuant to Rule 1002(c) (rather than all information disclosed to members or participants regarding the SCI event), it addresses one commenter’s concern that it would be difficult, unnecessary, and could impede open communication, to provide the Commission with a copy of all information disclosed to members or participants, which could include hundreds of individual communications via email or telephone for each SCI event.
The Commission also believes that, if an SCI event is not resolved or the SCI entity’s investigation of the SCI event is not closed within 30 days of the occurrence of the SCI event, it is reasonable to require that an SCI entity submit within thirty business days after the occurrence of the SCI event the information required in Rule 1002(b)(4)(ii), to the extent known at the time, because this timeframe provides SCI entities with flexibility to continue their investigation while also apprising the Commission of relevant information discovered during the course of the SCI entity’s investigation. Moreover, the rule takes into account the Commission’s recognition that an SCI entity’s investigation regarding an SCI may not yet be complete despite the fact that the SCI event itself has resolved. In such cases, within five business days after the SCI event has resolved and the investigation regarding the SCI event has closed, the Commission believes that it is reasonable and necessary to provide it with a comprehensive and complete understanding of the SCI event. Consequently, SCI entities are required to submit a final written notification that contains all information required by Rule 1002(b).
918 Under Rule 1002(b)(4), SCI entities are required to provide a copy of any information disseminated pursuant to Rule 1002(c) by the SCI entity to date regarding the SCI event to any of its members or participants.
919 See supra note 877.
920 See supra note 878 and accompanying text. Specifically, this commenter noted that there could be hundreds of communications between the SCI entity and its members or participants during a systems incident and questioned the feasibility of, and need for, recreating and providing to the Commission a copy of all such communications. Further, the commenter noted that this requirement could have an unintended effect of discouraging open communication between the SCI entity and its members.
Goals of Adopted Commission Notification Rule
As discussed in greater detail above, the Commission has carefully considered the views of commenters as well as what it believes is necessary for the Commission and its staff with respect to the timing and content of notifications regarding SCI events, and believes that the adopted rule will be less burdensome for SCI entities than if the proposed rule was adopted without modification, while still resulting in meaningful notice to the Commission and its staff with information about SCI events in a timely manner that permits the Commission to fulfill its oversight role.
With regard to comments on the resource and efficiency demands of the notification requirements,921 the Commission believes that while SCI entities will need to devote resources to fulfilling the notification requirements, the Commission does not believe that these resources will diminish SCI entities’ ability to respond to SCI events because it is the Commission’s experience that the staff that engages in corrective action is generally distinct from the staff that has been charged with notifying the Commission of systems issues. Consequently, the Commission does not believe that, due to this requirement, staff that engages in corrective action will be unable to fulfill its responsibilities after implementation of Regulation SCI.
921 See supra notes 790–793.
The Commission believes that adopted Rules 1002(b)(1)–(4) are responsive to concerns that the proposed Commission notification requirements would have required SCI entities to notify the Commission of information before all relevant facts are known.922 As discussed, in tandem with the revised triggering standard, which affords an SCI entity time to assess whether an SCI event has occurred,923 the adopted rule affords an SCI entity the flexibility to gather information for the 24-hour written notification on a good faith, best efforts basis,924 and adopted Rule 1002(b)(3) makes clear that an SCI entity is required to update the Commission to correct any materially inaccurate information previously provided, or when pertinent new information is discovered, until such time as the SCI event is resolved, and the SCI entity’s investigation of the SCI event is closed. Further, the final report for a given SCI event is only required once, when both the SCI event is resolved and the SCI entity’s investigation of the SCI event is closed, with an interim report required only when an SCI event is not resolved or the SCI entity’s investigation of the SCI event is not closed within 30 days of the occurrence of the SCI event. Taken together, the Commission believes that Rule 1002(b) does not require reporting before all relevant facts are known, which one commenter suggested would be counterproductive and harmful.925 Instead, the Commission believes that the rule is designed to provide SCI entities with a process that gives them sufficient time to submit information to the Commission when known.
In addition, and in response to comment questioning the usefulness of the notification requirement for the Commission,926 the Commission believes that adopted Rule 1002(b) will foster a system for comprehensive reporting of SCI events, which should enhance the Commission’s review and oversight of U.S. securities market infrastructure and foster cooperation between the Commission and SCI entities in responding to SCI events. The Commission also believes that the aggregated data that will result from the reporting of SCI events will enhance its ability to comprehensively analyze the nature and types of various SCI events and identify more effectively areas of persistent or recurring problems across the systems of all SCI entities.
Some commenters suggested that the Commission provide to SCI entities regular summary-level feedback on SCI entities’ notifications 927 or provide examples of the types of SCI events that warrant notification.928 To the extent it believes that guidance or other information, including summary-level feedback, publications, or reference blueprints, would be appropriate to share, the Commission or its staff may do so in the future.
922 See supra note 804 and accompanying text.
923 See supra Section IV.B.3.a (discussing the triggering standard).
924 See supra discussion of ‘‘good faith, best efforts’’ above.
925 See supra note 804.
926 See supra note 793.
d. Dissemination of Information—Rule 1002(c)
i. Proposed Rule 1000(b)(5)
Proposed Rule 1000(b)(5) would have required an SCI entity to provide specified information relating to ‘‘dissemination SCI events’’ to SCI entity members or participants. The term ‘‘dissemination SCI event’’ was proposed to mean an SCI event that is a: (1) Systems compliance issue; (2) systems intrusion; or (3) systems disruption that results, or the SCI entity reasonably estimates would result, in significant harm or loss to market participants. Proposed Rule 1000(b)(5)(i)(A) would have required an SCI entity, promptly after any responsible SCI personnel becomes aware of a dissemination SCI event other than a systems intrusion, to disseminate to its members or participants the following information about such SCI event: (1) The systems affected by the SCI event; and (2) a summary description of the SCI event.
Proposed Rule 1000(b)(5)(i)(B) would have required an SCI entity to further disseminate to its members or participants, when known: (1) A detailed description of the SCI event; (2) the SCI entity’s current assessment of the types and number of market participants potentially affected by the SCI event; and (3) a description of the progress of its corrective action for the SCI event and when the SCI event has been or is expected to be resolved. Proposed Rule 1000(b)(5)(i)(C) would have further required an SCI entity to provide regular updates to members or participants on any of the information required to be disseminated under proposed Rules 1000(b)(5)(i)(A) and (i)(B). In the case of a systems intrusion, the proposed rule permitted a limited delay in dissemination if the dissemination would compromise the security of the SCI entity’s systems.929 Except for the delay in dissemination of information for systems intrusions in specified circumstances, the proposed rule did not distinguish dissemination obligations based on the severity or impact of a dissemination SCI event.
927 See supra note 806 and accompanying text.
928 See supra note 807 and accompanying text.
929 See proposed Rule 1000(b)(5)(ii) (permitting a delay in dissemination of information regarding a systems intrusion if ‘‘the SCI entity determines that dissemination of such information would likely compromise the security of the SCI entity’s SCI systems or SCI security systems, or an investigation of the systems intrusion, and documents the reasons for such determination’’).
ii. Comments Regarding Information Dissemination
Two commenters generally supported proposed Rule 1000(b)(5).930 One commenter characterized it as ‘‘one of the major benefits of th[e] proposal.’’ 931 Another commenter suggested broadening the proposal to require an SCI entity to reveal dissemination SCI events to the public at large, and not just to its members or participants.932 This commenter believed that public dissemination of the facts of an SCI event would help enhance investor confidence by preventing speculation and misinformation, and would provide important learning opportunities for the industry and other SCI entities.933
In contrast, many commenters urged the Commission to revise the proposed dissemination requirement.934 For example, a few commenters expressed concern that the proposal would require dissemination of too much information too soon.935 One of these commenters stated that the proposed rule would be counterproductive and harmful because it would cause the release of information before all relevant facts are known and suggested dissemination should only be required when the SCI entity has credible information that can be acted upon.936 Another commenter suggested that dissemination should only be required when the information to be disseminated is certain and clear.937 Another commenter urged that, if immediate dissemination is required, then the information required to be disseminated should be limited to communication of the basic fact that there is a systems issue and additional information will be provided when known.938
Several commenters opposed requiring information dissemination to all members and participants.939 For example, some commenters urged that an SCI entity be required to provide information only to members or participants actually impacted by an SCI event, or that interact with the SCI system impacted, rather than to all members or participants of an SCI entity.940 One commenter recommended that an SCI entity be required to disseminate information only to persons reasonably likely to be affected by a significant systems issue.941 Two commenters stated that SCI entities should have reasonable discretion to determine who among their members and participants should receive notification of an SCI event, as well as the manner and timing for providing notice.942 A few commenters more broadly expressed concern that the proposed rule would result in overreporting of information about SCI events and would have limited usefulness.943 Some of these commenters stated that the proposed approach would result in SCI entity members and participants becoming immunized to the notifications because they would receive too many notifications and therefore would not focus on the truly significant events.944
Several commenters suggested that the Commission apply the proposed dissemination requirement to fewer types of SCI events.945 For example, several commenters stated that information dissemination should only be required for material or significant SCI events.946 One commenter suggested that, for an SCI event that is ‘‘de minimis,’’ information dissemination to members or participants should not be required at all.947 This commenter suggested that a de minimis SCI event would be one that is limited in impact, brief in duration, or involves little or no member or participant harm.948 Another commenter noted that, as proposed, Commission notification would be required for a systems disruption if the systems disruption had a ‘‘material impact’’ on the SCI entity’s operations or on market participants, whereas information dissemination to members or participants would be required if an SCI entity reasonably estimated that the systems disruption would result ‘‘in significant harm or loss to market participants.’’ 949 This commenter criticized the differing standards for Commission notification and member/participant notification and suggested that the Commission clarify the standards or adopt a uniform standard for both types of notifications.950
Several commenters specifically opposed the proposed dissemination requirement for systems compliance issues. Some commenters urged that an SCI entity be required to disseminate information only for material or significant systems compliance issues.951 One of these commenters stated that prompt dissemination of information regarding systems compliance issues to members or participants might lead to widespread dissemination of extraneous and potentially inaccurate information.952
Regarding systems intrusions, a few commenters stated that dissemination of systems intrusions information could raise significant risks and security concerns.953 One commenter recommended that a dissemination requirement apply only in the case of members, participants, or clients for whom confidential data was disclosed, processing was impacted, or where such member, participant, or client could take further action to mitigate the risk of such disclosure.954 This commenter also expressed support for the limited exception for intrusions that would compromise an investigation or resolution of the systems intrusion, noting that once dissemination would no longer compromise an investigation or the resolution of the issue, the entity should notify materially affected members, participants, or clients.
930 See Angel Letter at 5; and MFA Letter at 7.
931 See Angel Letter at 5. This commenter stated: ‘‘Instead of keeping information about hardware failures, system intrusions, and software glitches private, sharing the information will alert others in the industry about such problems and help to reduce system wide costs of diagnosing problems, as well as result in improved responses to technology problems. These will serve as warnings to the other SCI entities to stay vigilant to prevent similar problems from occurring on their platforms.’’ Angel Letter at 5.
932 See MFA Letter at 7.
933 See id.
934 See, e.g., NYSE Letter at 28–29; FINRA Letter at 24; BATS Letter at 13; DTCC Letter at 11–12; OCC Letter at 16; CME Letter at 9–10; ICI Letter at 4; Oppenheimer Letter at 2; Direct Edge Letter at 8; Omgeo Letter at 21; ITG Letter at 13; and FIA PTG Letter at 3.
935 See, e.g., DTCC Letter at 12, NYSE Letter at 29; and ITG Letter at 13.
936 See ITG Letter at 13. See also supra note 804 and accompanying text.
937 See DTCC Letter at 12.
938 See NYSE Letter at 29 (stating also that the scope of the information required to be provided is too extensive, particularly given the timing requirements of the proposed rule).
939 See, e.g., MSRB Letter at 20–21; DTCC Letter at 11; CME Letter at 10; NYSE Letter at 28; FINRA Letter at 24–25; ISE Letter at 6–7; SIFMA Letter at 15; and OCC Letter at 17.
940 See MSRB Letter at 20–21; DTCC Letter at 11; CME Letter at 9; NYSE Letter at 28; FINRA Letter at 25; and ISE Letter at 6–7. In addition, one of these commenters sought clarification on whether the term ‘‘participant’’ refers to a formal participant or, more broadly speaking, any market participant that interacts with the SCI system in question. See MSRB Letter at 20. See also Omgeo Letter at 21, and infra note 954.
941 See NYSE Letter at 28.
942 See SIFMA Letter at 15 (urging that an SCI entity should have discretion to determine which participants or members are affected and how to notify them); and OCC Letter at 17 (urging that an SCI entity should be able to limit the communication to those members and participants that are actually affected and to provide the communication on a confidential and secure basis when the SCI entity has reasonable certainty of the information that is required to be provided).
943 See, e.g., CME Letter at 9; FIA PTG Letter at 3; and Omgeo Letter at 39. See also Fidelity Letter at 5 (requesting that the Commission provide greater specificity regarding the types of dissemination SCI events that must be disclosed and to whom disclosure must be made).
944 See, e.g., Omgeo Letter at 40; FIA PTG Letter at 3; and CME Letter at 9.
945 See, e.g., NYSE Letter at 28; FIA PTG Letter at 3; FINRA Letter at 24; BATS Letter at 13; OCC Letter at 16–17; CME Letter at 9–10; ICI Letter at 4; Oppenheimer Letter at 2; and Direct Edge Letter at 8.
946 See NYSE Letter at 28; FIA PTG Letter at 3; FINRA Letter at 24; BATS Letter at 13; OCC Letter at 16–17; CME Letter at 9–10; ICI Letter at 4; Oppenheimer Letter at 2; and Direct Edge Letter at 8.
947 See BATS Letter at 13.
948 See id.
949 See OCC Letter at 16.
950 See id.
One commenter stated that information should not be disseminated regarding disruptions in regulatory or surveillance systems, nor should information be disseminated about intrusions or compliance issues, arguing that the information could be misused, or if disseminated too soon, could be inaccurate and misleading.955 Two other commenters also expressed concern that information dissemination should not be required when the information provided might be misused to the detriment of the markets or investors, such as with respect to systems intrusions or issues relating to surveillance systems.956
951 See, e.g., FINRA Letter at 24; Joint SROs Letter at 9; SIFMA Letter at 12; BATS Letter at 13; MSRB Letter at 6; and CME Letter at 10.
952 See Joint SROs Letter at 8.
953 See DTCC Letter at 11; and NYSE Letter at 29. See also Direct Edge Letter at 3 (suggesting that, to ensure that sensitive information does not fall into the wrong hands, the Commission should require reporting of systems intrusions to the Commission, and only require public disclosure in instances where there is a risk of significant harm to the SCI entity’s customers).
954 See Omgeo Letter at 21.
955 See NYSE Letter at 29. See also supra note 935 and accompanying text.
956 See ICI Letter at 4; and Oppenheimer Letter at 2.
iii. Rule 1002(c)
In the SCI Proposal, the Commission stated that the intended purpose of the proposed rule was twofold: To aid members or participants of SCI entities in determining whether their trading activity has been or might be impacted by the occurrence of an SCI event at an SCI entity so that they could consider that information in making trading decisions, seeking corrective action or pursuing remedies, or taking other responsive action; and to provide an incentive for SCI entities to devote more resources and attention to improving the integrity and compliance of their systems and preventing the occurrence of SCI events.957 Although commenters generally did not object to the Commission’s stated rationale for proposed Rule 1000(b)(5), several commenters suggested that the proposed approach did not adequately consider circumstances in which the proposed information dissemination might not be helpful to the market or market participants, or could be detrimental to the markets or market participants. One commenter, however, urged that public dissemination of information regarding SCI events would help to prevent speculation and misinformation regarding such events.958
The Commission has carefully considered the views of commenters with respect to proposed Rule 1000(b)(5), and has determined to adopt it as Rule 1002(c), with several modifications in response to comment. In particular, the Commission has determined to eliminate the definition of ‘‘dissemination SCI event’’ from the final rule and adopt an information dissemination requirement that scales dissemination obligations in accordance with the nature and severity of an SCI event.
In response to comment that the proposed rule would result in overreporting of information about SCI events and have limited usefulness, the Commission has further focused the rule from the proposal by requiring dissemination of information about SCI events that are not major SCI events only to affected SCI entity members and participants, and excepting de minimis SCI events and SCI events regarding market regulation or market surveillance systems from the information dissemination requirement.959 In the case of a ‘‘major SCI event,’’ the Commission agrees with the commenter who stated that requiring dissemination should help to prevent speculation and misinformation regarding such events.960 Therefore, in the case of a ‘‘major SCI event,’’ the adopted rule requires an SCI entity to disseminate information to all of its members or participants. At the same time, as with other SCI events, any SCI event that meets the definition of major SCI event that has had, or the SCI entity reasonably estimates would have, no or a de minimis impact on the SCI entity’s operations or on market participants is excepted from the information dissemination requirement.961 The Commission believes the revised approach will better achieve the purpose of maximizing the utility of information disseminated to SCI entity members and participants while simultaneously reducing compliance burdens for SCI entities.
957 See Proposing Release, supra note 13, at 18120.
958 See supra note 933 and accompanying text.
959 See supra notes 943–956 and accompanying text.
960 See supra note 933 and accompanying text.
Rule 1002(c)(1): Information Dissemination for Systems Disruptions and Systems Compliance Issues
Adopted Rule 1002(c)(1) generally addresses dissemination requirements for systems disruptions and systems compliance issues.
Rule 1002(c)(1)(i) requires an SCI entity, promptly after any responsible SCI personnel has a reasonable basis to conclude that an SCI event that is a systems disruption or systems compliance issue has occurred, to disseminate information about such SCI event, unless an exception applies. When the dissemination obligation is triggered,962 Rule 1002(c)(1)(i) requires an SCI entity to disseminate to the persons specified in Rule 1002(c)(3) information on the system(s) affected by the SCI event and a summary description of the SCI event. Thereafter, Rule 1002(c)(1)(ii) provides that, when known, an SCI entity shall promptly further disseminate: A detailed description of the SCI event; the SCI entity’s current assessment of the types and number of market participants potentially affected by the SCI event; and a description of the progress of its corrective action for the SCI event and when the SCI event has been or is expected to be resolved. Rule 1002(c)(1)(iii) provides that, until resolved, an SCI entity shall provide regular updates of any information required to be disseminated under Rules 1002(c)(1)(i) and (ii). The specified types of information and the update requirements are unchanged from the proposal.
The Commission continues to believe that, for the dissemination of information to be meaningful, it is necessary for an SCI entity to describe the SCI event in sufficient detail to permit a member or participant to determine whether and how it was affected by the SCI event and make appropriate decisions based on that determination.963 Adopted Rule 1002(c)(1)(i) requires that the information initially disseminated include the systems affected by the SCI event and a summary description of the SCI event, and only after responsible SCI personnel have a reasonable basis to conclude that a systems disruption or systems compliance issue has occurred. Implicit in this requirement is that the disseminated information be accurate. Without the dissemination of accurate information, the impact on the SCI entity’s members or participants or the market may be more pronounced because market participants may not recognize that an SCI event is occurring, or may mistakenly attribute unusual market activity to some other cause.
Adopted Rule 1002(c)(1) also requires that required information be disseminated ‘‘promptly.’’ 964 Although the Commission agrees that SCI entities should not prematurely disseminate information regarding an SCI event, lest it be inaccurate, speculative, misleading, or otherwise unhelpful, as some commenters were concerned about,965 the Commission does not agree with the commenter who suggested that information dissemination be provided at a time chosen by the SCI entity.966 The Commission believes that accurate information that is timely is more likely to aid a market participant in determining whether its trading activity has been or might be impacted by the occurrence of an SCI event than accurate information that is delayed. However, as compared to Commission notification, which is required to be provided immediately after an SCI entity has a reasonable basis to conclude that an SCI event has occurred, and which notice may be provided orally, dissemination of information to SCI entity members or participants is required to be provided promptly.
961 See Rule 1002(c)(4)(ii).
962 See supra Section IV.B.3.a (discussing the triggering standard).
The requirement for prompt dissemination, as opposed to immediate dissemination, is designed to provide some limited flexibility to an SCI entity to determine an efficient way to disseminate information to multiple potentially affected members or participants, or all of its members or participants, as the case may be, in a timely manner. Likewise, as new information becomes known, immediate updates are not required, but an SCI entity is obligated to also disseminate updated information ‘‘promptly’’ after it is known. The Commission believes that adopted Rule 1002(c)(1) strikes an appropriate balance by requiring an SCI entity to disseminate specific information about SCI events, but also permits an SCI entity to have time to check relevant facts before disseminating that information.

963 See Proposing Release, supra note 13, at 18120.
964 The persons to whom the required information about systems disruptions and systems compliance issues is to be disseminated are specified in Rules 1002(c)(3) and (4).
965 See also supra notes 935–938 and 933 and accompanying text.
966 See supra note 942 and accompanying text.
The Commission therefore believes that adopted Rule 1002(c)(1) is responsive to comment that the proposed rule would have required release of information too soon, before it is determined to be credible, or before relevant facts were known.967

Rule 1002(c)(2): Information Dissemination for Systems Intrusions

Adopted Rule 1002(c)(2) requires an SCI entity, promptly after any responsible SCI personnel has a reasonable basis to conclude that an SCI event that is a systems intrusion has occurred, to disseminate a summary description of the systems intrusion, including a description of the corrective action taken by the SCI entity and when the systems intrusion has been or is expected to be resolved, unless the SCI entity determines that dissemination of such information would likely compromise the security of the SCI entity’s SCI systems or indirect SCI systems, or an investigation of the systems intrusion, and documents the reasons for such determination. This rule applies to systems intrusions that are not de minimis events. In response to commenters stating that information about a systems intrusion in many cases will be sensitive and raise security concerns, and those urging that the dissemination requirement apply only in limited cases,968 the Commission notes that, although it does not wholly exclude systems intrusions from the dissemination requirement, the rule permits a delay in dissemination of any information about a systems intrusion if dissemination would compromise the security of the SCI entity’s SCI systems or indirect SCI systems, or an investigation of the systems intrusion, and the SCI entity documents the reason for such determination.969 Adopted Rule 1002(c)(2) also provides that the content of the required disclosure for a systems intrusion is less detailed than required for other types of SCI events. These provisions are unchanged from the SCI Proposal.970

As stated in the SCI Proposal, the Commission continues to believe that there may be circumstances in which the dissemination of information related to a systems intrusion should be delayed to avoid compromising the investigation or resolution of a systems intrusion.971 Also, as stated in the SCI Proposal, the affirmative documentation required by Rule 1002(c)(2) is important to allow the Commission to ensure that SCI entities are not improperly invoking the limited exception provided by Rule 1002(c)(2).972 This delayed dissemination provision permits an SCI entity to delay providing information about an intrusion to its members or participants to protect legitimate security concerns.

967 See supra notes 935–938 and accompanying text.
968 See, e.g., supra notes 953–954 and accompanying text.
969 See Rule 1002(c)(4) (excepting de minimis systems intrusions and intrusions into market regulation or market surveillance systems from the dissemination requirement) and Rule 1001(c)(2) (permitting a delay in dissemination).
However, under Rule 1002(c)(2), if an SCI entity cannot, or can no longer, determine that information dissemination as required by Rule 1002(c)(2) would likely compromise the security of the SCI entity’s SCI systems or indirect SCI systems, or an investigation of the systems intrusion, no delay (or further delay, if applicable) in dissemination is permitted.973 Pursuant to Rule 1002(c)(2), information about a systems intrusion is required to be disseminated eventually, as the Commission believes that circumstances permitting a delay (i.e., dissemination of information would likely compromise the security of the SCI entity’s SCI systems or indirect SCI systems, or an investigation of the systems intrusion), will not continue indefinitely.974

Rule 1002(c)(3): To Whom Information Is To Be Disseminated

Adopted Rule 1002(c)(3) provides that the information required to be provided under Rules 1002(c)(1) and (2) promptly after any responsible SCI personnel has a reasonable basis to conclude that an SCI event has occurred, shall be promptly disseminated by the SCI entity to those members or participants of the SCI entity that any responsible SCI personnel has reasonably estimated may have been affected by the SCI event, and promptly disseminated to any additional members or participants that any responsible SCI personnel subsequently reasonably estimates may have been affected by the SCI event. The rule further requires that, for major SCI events, such information shall be disseminated by the SCI entity to all of its members or participants.

As noted, several commenters urged that an SCI entity be required to disseminate information relating to an SCI event only to those members or participants affected by the SCI event.975 Some suggested that an SCI entity have discretion to determine who should receive information regarding SCI events,976 and one suggested that SCI events warrant public disclosure.977 Others expressed more general concern that the breadth of the proposed dissemination requirement would result in over-reporting of information about SCI events because they believed that SCI entities would over-report out of an abundance of caution 978 or that SCI entity members and participants would become immunized to reports of SCI events and not focus on significant events.979

After careful consideration of the comments, the Commission believes that, to maximize the utility of information dissemination, a more tailored approach to who should receive information about an SCI event is warranted, based on an SCI event’s impact. Because information about an SCI event is likely to be of greatest value to those market participants affected by it, who can use such information to evaluate the event’s impact on their trading and other activities and develop an appropriate response, adopted Rule 1002(c)(3) requires prompt dissemination to those members or participants of the SCI entity that any responsible SCI personnel has reasonably estimated may have been affected by the SCI event.

970 The persons to whom the required information about a systems intrusion is to be disseminated (provided the circumstances warranting a delay do not apply) is specified in Rules 1002(c)(3) and (4).
971 See Proposing Release, supra note 13, at 18120.
972 See id.
973 See id.
974 Some commenters urged modifications to the proposed rule that would further circumscribe the proposed dissemination requirement for systems intrusions. See, e.g., supra notes 953–954 and accompanying text (urging that dissemination for systems intrusions only be required for affected persons and only if material). These comments are addressed in the discussion of adopted Rules 1002(c)(3) and (4).
With respect to more serious SCI events, however, the Commission believes that dissemination to all members or participants of an SCI entity is warranted. Accordingly, under adopted Regulation SCI, certain SCI events will be defined as ‘‘major SCI events.’’ Adopted Rule 1000 defines ‘‘major SCI event’’ as ‘‘an SCI event that has had, or the SCI entity reasonably estimates would have: (1) Any impact on a critical SCI system; or (2) a significant impact on the SCI entity’s operations or on market participants.’’ The Commission believes that dissemination of information regarding a major SCI event to all members or participants of an SCI entity is appropriate because major SCI events are likely to impact a large number of market participants (e.g., with respect to critical SCI systems, a disruption of consolidated market data or the clearance and settlement system, or an event significantly impacting the operations of an exchange).980

As noted, one commenter suggested broadening the proposed rule to generally require an SCI entity to reveal dissemination SCI events (other than intrusions) to the public at large. This commenter expressed the view that public dissemination of the facts of an SCI event would help ‘‘enhance investor confidence by presenting the facts of the SCI event, preventing speculation and misinformation, and informing the public of corrective action being taken’’ and would ‘‘serve as an important collective learning opportunity’’ that would allow for ‘‘SCI [e]ntities and market participants [to] learn from [the event] . . . and build upon their policies and controls as appropriate.’’ This commenter stated further that such an ‘‘industry protocol would help strengthen and enhance the integrity and security of our markets.’’ 981 The Commission agrees with this commenter that it is appropriate for an SCI entity to present the facts, prevent speculation and misinformation, and provide transparency about corrective action being taken when the impact of an SCI event is most likely to be felt by many market participants (i.e., when it is a major SCI event). In the context of a major SCI event, the Commission believes these goals can be achieved by requiring an SCI entity to disseminate information to all of its members or participants (as opposed to the ‘‘public at large’’). Moreover, the Commission believes it is appropriate to require dissemination of information on major SCI events to all of the SCI entity’s members or participants because these market participants are the most likely to act on this information. Based on the experience of the Commission and its staff, when an entity disseminates information about a systems issue to all of its members or participants (e.g., on the entity’s Web site), and that information has the potential to affect the market and investors more broadly (including market participants that may not be members or participants of the SCI entity reporting the event), such information is routinely picked up by financial or other media outlets, and also may be relayed to market participants for whom such information is relevant (e.g., by members or participants of SCI entities to their own clients).

975 See supra note 940 and accompanying text.
976 See supra note 942 and accompanying text.
977 See supra notes 932–933 and accompanying text.
978 See supra note 943 and accompanying text.
979 See supra notes 943–944 and accompanying text.
980 At the same time, the Commission recognizes that some SCI events that meet the definition of ‘‘major SCI event’’ could also qualify as de minimis SCI events. Like other de minimis SCI events, they are excepted from the information dissemination requirement. See Rule 1002(c)(4).
981 See supra notes 932–933.
Therefore, the Commission believes that when information about a systems issue with broad potential impact is disseminated to all of an SCI entity’s members or participants, such dissemination is tantamount to public dissemination.982 As such, the Commission believes that it can achieve the purposes of the rule without requiring public dissemination, and believes that any additional gain in benefits from public dissemination would be minimal. Rule 1002(c)(3) does not specify how an SCI entity is to disseminate information to all of its members or participants when required to do so, but the Commission believes that posting the information on a Web site accessible to, at a minimum, all of its members or participants (for example, on a ‘‘systems status alerts’’ page) would meet the rule’s requirements.983

For an SCI event that is neither a major SCI event nor an event identified in Rule 1002(c)(4), however, the information specified in Rule 1002(c)(1) or (2), as applicable, is required to be disseminated by the SCI entity to those members or participants of the SCI entity that any responsible SCI personnel has reasonably estimated may have been affected by the SCI event.984

982 The Commission notes that one commenter referred to the dissemination provision in the SCI Proposal as the ‘‘public dissemination provision of Proposed Reg SCI.’’ See NYSE Letter at 28. See also ICI Letter at 4 and Oppenheimer Letter at 4 (each supporting ‘‘transparency of SCI events to members and participants of an SCI entity’’ but recommending that the Commission only require ‘‘public dissemination’’ where such information enhances investor protection).
983 The Commission notes that, irrespective of the medium chosen to disseminate information to the SCI entity members or participants, the SCI entity would also be required to submit the disseminated information to the Commission as part of the report submitted pursuant to Rule 1002(b)(4). See supra Section IV.B.3.c.
The Commission believes that an SCI entity is generally in the best position to identify those of its members or participants that are or are reasonably likely to be affected by such events. Under this approach, as commenters urged, members or participants not reasonably estimated to be affected by such events will not be the recipients of information likely to be irrelevant to them. The Commission believes that SCI entities will be able to analyze which members or participants are or reasonably likely will be impacted, and the rule requires SCI entities to disseminate information to such members or participants. The requirement that information is to be disseminated only to those members or participants that any responsible SCI personnel has reasonably estimated may have been affected by the SCI event (other than a major SCI event or a de minimis SCI event) addresses the concern raised by some commenters that members and participants will become immunized by receiving irrelevant notifications 985 because, under the adopted approach, members or participants should only receive notifications relevant to them. Whereas the proposed rule would have required dissemination of information about certain SCI events to all SCI entity members and participants, the adopted rule requires dissemination only to those members and participants reasonably estimated to be affected by an SCI event (other than a major SCI event or a de minimis SCI event).

Because it is possible that an SCI entity’s reasonable estimate of members or participants affected may change as an SCI event unfolds, the adopted rule also requires prompt dissemination of information to newly identified members or participants reasonably estimated to be affected by an SCI event.986 This provision reflects the view that newly identified affected members or participants should receive prompt dissemination of information about an SCI event, just as those originally identified as affected members or participants. Although compliance with this requirement may result in an SCI entity disseminating information at several different times to different members and participants, consistent with commenters’ suggestions, the Commission believes that this requirement is appropriately tailored to result in information dissemination being provided to the relevant members or participants of an SCI entity.987

If an SCI event is a de minimis event—i.e., is an SCI event that has had, or the SCI entity reasonably estimates would have, no or a de minimis impact on the SCI entity’s operations or on market participants—the adopted rule does not impose any dissemination requirement.988

Adopted Rule 1002(c)(4): Exceptions to the General Rules on Information Dissemination

Adopted Rule 1002(c)(4) provides that the requirements of Rules 1002(c)(1)–(3) shall not apply to: (i) SCI events to the extent they relate to market regulation or market surveillance systems; or (ii) any SCI event that has had, or the SCI entity reasonably estimates would have, no or a de minimis impact on the SCI entity’s operations or on market participants. The Commission has added the exception in adopted Rule 1002(c)(4)(i) in response to comments that information should not be disseminated regarding disruptions in regulation and surveillance systems, because dissemination of such information to an SCI entity’s members or participants or the public at large could encourage prohibited market activity.989 The Commission notes that the exception for market regulation or market surveillance systems is limited to dissemination of information about SCI events related to market regulation or market surveillance systems.

984 In response to the commenter seeking clarification on whether the term ‘‘participant’’ refers to a formal participant or, more broadly speaking, any market participant that interacts with the SCI system in question (see supra note 940), for purposes of adopted Rule 1002, the term ‘‘participant’’ refers to a formal participant. The Commission also notes that, with respect to the MSRB, the term ‘‘members’’ as used in Regulation SCI includes entities that are registered with the MSRB, but does not include ‘‘a member of the Board,’’ which is the definition of ‘‘member’’ in MSRB Rule D–5.
985 See supra notes 944 and 952 and accompanying text.
986 Rule 1002(c)(1) requires that, among other things, the SCI entity must disseminate the SCI entity’s current assessment of the types and number of market participants potentially affected by the SCI event, and until resolved, provide regular updates of this and any other information required to be disseminated under the rule.
Information about an SCI event that impacts other SCI systems would still be required to be disseminated in accordance with Rule 1002(c) even if that same SCI event also impacts market regulation or market surveillance systems.

987 The Commission notes that an SCI entity would be in compliance with the rule if it disseminated the required information to all members or participants, rather than disseminating only to those members and participants it reasonably initially estimated to be affected by the event (which might require subsequent dissemination(s) to additional members or participants if its estimate regarding those members or participants that were affected by a given SCI event changes over time).
988 See discussion of adopted Rule 1002(c)(4) below (excepting, among other things, de minimis systems SCI events from the dissemination requirement). See also supra Section IV.B.3.c (discussing Rule 1002(b)(5), which requires that, for de minimis SCI events, an SCI entity is required to: (i) Make, keep, and preserve records relating to all such SCI events; and (ii) submit to the Commission a report, within 30 calendar days after the end of each calendar quarter, containing a summary description of such systems disruptions and systems intrusions, including the SCI systems and, for systems intrusions, indirect SCI systems, affected by such systems disruptions and systems intrusions during the applicable calendar quarter).
989 See supra notes 955–956 and accompanying text.
The exception in Rule 1002(c)(4)(ii) for de minimis SCI events is consistent with the Commission’s approach to excluding de minimis SCI events from the immediate Commission notification requirements in Rule 1002(b), and is therefore responsive to comment that notification and dissemination of systems disruptions were subject to differing standards under the proposal,990 as well as to the comment that a de minimis SCI event should not be subject to dissemination.991 With respect to the comment that dissemination should only be required for material or significant SCI events,992 while the Commission is not limiting the dissemination requirement as suggested by these commenters, the exception for de minimis SCI events is responsive to this comment, to an extent. Moreover, the Commission believes that a materiality threshold would likely exclude from the information dissemination requirement a large number of SCI events that are not de minimis SCI events, but that an SCI entity’s members or participants should be made aware of so that they can quickly assess the nature and scope of those SCI events and identify the appropriate response, including ways to mitigate the impact of the SCI events. The Commission also believes that, even without adopting a materiality threshold, the adopted definitions of SCI systems and indirect SCI systems significantly focus the scope of the Commission dissemination requirements from the SCI Proposal.

Consistent with its statements in the SCI Proposal, the Commission notes that the requirements relating to dissemination of information in Regulation SCI relate solely to Regulation SCI.993 Nothing in adopted Regulation SCI should be construed as superseding, altering, or affecting the reporting obligations of SCI entities or their affiliates under other federal securities laws or regulations. Accordingly, in the case of an SCI event, SCI entities or their affiliates subject to the public company reporting requirements of Section 13 or Section 15(d) of the Exchange Act would need to comply with their disclosure obligations pursuant to those provisions (including, for example, with respect to Regulation S–K and Forms 10–K, 10–Q, and 8–K) in addition to their disclosure and reporting obligations under Regulation SCI.994

In addition, the Commission also wishes to highlight that the requirements of Rule 1002(c) address to whom and when SCI entities are obligated under Regulation SCI to disseminate information. Subject to any applicable laws or regulations, SCI entities still retain the flexibility to disseminate information—e.g., to their members or participants, the public, or market participants that interact with the affected SCI systems—at any time they determine to be appropriate.

990 See supra notes 949–950 and accompanying text.
991 See supra notes 947–948 and accompanying text; Section IV.B.3.c (discussing Rule 1002(b)) and supra note 988 and accompanying text. The Commission notes that, because major SCI events are a subset of SCI events, the exception in Rule 1002(c)(4)(ii) also applies to major SCI events that meet the requirements of that rule.
992 See supra note 946 and accompanying text; see also supra notes 941 and 944 and accompanying text.
993 See Proposing Release, supra note 13, at 18119, n. 235.

4. Notification of Systems Changes—Rule 1003(a)

a.
Proposed Definition of Material Systems Change, Proposed Rules 1000(b)(6) and (b)(8)(ii)

Proposed Rule 1000(a) would have defined the term ‘‘material systems change’’ as a change to one or more: (1) SCI systems of an SCI entity that: (i) Materially affects the existing capacity, integrity, resiliency, availability, or security of such systems; (ii) relies upon materially new or different technology; (iii) provides a new material service or material function; or (iv) otherwise materially affects the operations of the SCI entity; or (2) SCI security systems of an SCI entity that materially affects the existing security of such systems. In the SCI Proposal, the Commission set forth examples that it preliminarily believed could be included within the proposed definition of material systems change.995

Proposed Rule 1000(b)(6)(i) would have required an SCI entity, absent exigent circumstances, to notify the Commission in writing at least 30 calendar days before implementation of any planned material systems changes, including a description of the planned material systems changes as well as the expected dates of commencement and completion of implementation of such changes. If exigent circumstances existed, or if the information previously provided to the Commission regarding any planned material systems change had become materially inaccurate, proposed Rule 1000(b)(6)(ii) would have required the SCI entity to notify the Commission, either orally or in writing, with any oral notification to be memorialized within 24 hours after such oral notification by a written notification, as early as reasonably practicable. A written notification to the Commission made pursuant to proposed Rule 1000(b)(6) would have been required to be made electronically on Form SCI and include all information as prescribed in Form SCI and the instructions thereto.

Proposed Rule 1000(b)(8)(ii) would have required each SCI entity to submit to the Commission a report, within 30 calendar days after the end of June and December of each year, containing a summary description of the progress of any material systems change during the six month period ending on June 30 or December 31, as the case may be, and the date, or expected date, of completion of implementation of such changes. A written notification to the Commission made pursuant to proposed Rule 1000(b)(8)(ii) would have been required to be made electronically on Form SCI and include all information as prescribed in Form SCI and the instructions thereto.

b. Quarterly and Supplemental Material Systems Change Reports—Rule 1003(a)

i. Adopted Rule 1003(a)(1): Quarterly Material Systems Change Reports

Many commenters viewed the proposed 30-day advance notification requirement for material systems changes as burdensome.996 For example, one commenter believed that the Commission significantly underestimated the number of material systems changes, and suggested that the proposal might require reporting of as many as 60 material systems changes per week, rather than that same amount per year, as the Commission estimated in the SCI Proposal.997 Some commenters stated that many SCI entities implement frequent agile modifications rather than major episodic or ‘‘waterfall’’ changes, and therefore viewed the proposed 30-day advance notification requirement as favoring a model that employs waterfall changes over agile changes.998 Several commenters stated more broadly that the proposed requirement would mandate constant reporting that would stifle innovation, interfere with an SCI entity’s natural planning and development process, and potentially do more harm than good by curtailing an SCI entity’s ability to respond to systems issues with appropriate fixes.999 Several commenters also expressed concern that the burden of reporting would incentivize an SCI entity to change its systems less often instead of making smaller and more frequent iterative systems adjustments, which they believed would be inconsistent with current software best practices, curtail innovation, and expose their systems to increased risk.1000

One commenter questioned the purpose of the proposed requirement, stating that the Commission has not presented any empirical evidence that major or material technology changes by SCI entities are in fact the leading cause of market disruption, and that nonmaterial systems changes by SCI entities and non-SCI entities have a high likelihood of causing market disruptions, but they are not captured by the proposal.1001 At the same time, this commenter stated that providing 30-day advance notification of these non-material systems changes would hamstring SCI entities.1002

994 As an additional example, nothing in adopted Regulation SCI should be construed as superseding any obligations under Regulation FD. SCI entities may also wish to consider staff guidance on this topic. See CF Disclosure Guidance: Topic No. 2, Cybersecurity (October 13, 2011), available at: https://www.sec.gov/divisions/corpfin/guidance/cfguidance-topic2.htm.
995 These examples included: Major systems architecture changes; reconfiguration of systems that would cause a variation greater than five percent in throughput or storage; the introduction of new business functions or services; changes to external interfaces; changes that could increase susceptibility to major outages; changes that could increase risks to data security; changes that were, or would be, reported to or referred to the entity’s board of directors, a body performing a function similar to the board of directors, or senior management; and changes that could require allocation or use of significant resources. See Proposing Release, supra note 13, at 18105–06. These examples were cited in the 2001 Staff ARP Interpretive Letter. The Commission also stated its preliminary belief that any systems change occurring as a result of the discovery of an actual or potential systems compliance issue would be material. See id.
996 See, e.g., NYSE Letter at 26; BATS Letter at 14; ISE Letter at 8; BIDS Letter at 14; UBS Letter at 3–4; SIFMA Letter at 15; ITG Letter at 8 and 13; FIF Letter at 5; MFA Letter at 5–6; CME Letter at 11; FINRA Letter at 27; Joint SROs Letter at 7; and OTC Markets Letter at 20.
997 See BATS Letter at 14. See also NYSE Letter at 26; and ISE Letter at 8 (stating that the proposal would require reporting of too many routine changes), and infra discussion of the definition of material systems change.
998 See KCG Letter at 19; FIF Letter at 5; UBS Letter at 4; and ITG Letter at 8. ‘‘Agile’’ software development, which involves smaller, more frequent changes in software code, is contrasted with the ‘‘waterfall’’ methodology, which involves larger, episodic software overhauls.
999 See KCG Letter at 19; FIF Letter at 5; UBS Letter at 4; BATS Letter at 14; and ITG Letter at 8. See also SunGard Letter at 3.
1000 See KCG Letter at 19; FIF Letter at 5; UBS Letter at 4; BATS Letter at 14; and ITG Letter at 8. See also SIFMA Letter at 16.
1001 See SunGard Letter at 3.
1002 See id.
Some commenters also noted that Regulation ATS already requires an ATS to report material changes to the operation of the ATS at least 20 calendar days prior to their implementation.1003 One of these commenters noted that it is common for an ATS to finalize the systems specifications for a change close to when the ATS wants to go live with the change, but the ATS must wait 20 days before implementation, and occasionally the questions from Commission staff can further delay implementation.1004 This commenter expressed concern that Regulation SCI would lengthen the notification requirement to 30 calendar days and broaden the requirement to include any significant systems change, not just a material change to the operation of the ATS.1005

The Commission continues to believe that it is important to receive notifications of planned and implemented material changes to SCI systems or the security of indirect SCI systems in connection with its oversight of U.S. securities market infrastructure.1006 However, after considering the views of commenters regarding the 30-day advance notification requirement, the Commission is instead adopting a quarterly reporting requirement, which will permit the Commission and its staff to have up-to-date information regarding an SCI entity’s systems development progress and plans, to aid in understanding the operations and functionality of the systems and any material changes thereto, without requiring SCI entities to submit a notification to the Commission for each material systems change.1007 Specifically, Rule 1003(a)(1) requires an SCI entity, within 30 calendar days after the end of each calendar quarter, to submit to the Commission a report describing completed, ongoing, and planned material systems changes to its SCI systems and security of indirect SCI systems, during the prior, current, and subsequent calendar quarters, including the dates or expected dates of commencement and completion.1008

The Commission believes that elimination of the 30-day advance notification requirement for material systems changes is responsive to commenters who were concerned that the proposed approach was unsuited to the agile systems development methodology that some SCI entities use today.

1003 See BIDS Letter at 14; and ITG Letter at 8.
1004 See ITG Letter at 8.
1005 See id.
1006 See Proposing Release, supra note 13, at 18122, 18144. As noted above, one commenter argued that the Commission has not presented any empirical evidence that major or material technology changes by SCI entities are in fact the leading cause of market disruption, and that nonmaterial systems changes have a high likelihood of causing market disruptions. See supra note 1001 and accompanying text. The Commission notes that the primary purpose of Rule 1003(a) is not to prevent market disruptions. Rather, it is to keep the Commission and its staff informed of the systems changes that SCI entities determine to be material, which will assist the Commission with its oversight of U.S. securities market infrastructure. While the Commission acknowledges that non-material systems changes could cause market disruptions, the Commission agrees with this commenter that requiring Commission notification of all systems changes would be burdensome. See supra note 1002 and accompanying text (noting this commenter’s view that providing 30-day advance notification of non-material systems changes would hamstring SCI entities).
In particular, an SCI entity will have the ability to implement material systems changes without having to individually report each material systems change to the Commission 30 days in advance, which commenters noted could lead SCI entities to favor the waterfall methodology of systems changes over the agile methodology.1009
The Commission also believes that the adopted quarterly reporting requirement provides more flexibility to SCI entities with respect to the timing of implementing material systems changes. In particular, SCI entities will not be required to wait 30 calendar days after notifying the Commission in order to implement a material systems change. Therefore, the adopted rule is responsive to commenters who stated that the proposed rule would stifle innovation, interfere with an entity’s planning and development process, and expose SCI entities’ systems to risk. Moreover, the Commission believes that elimination of the proposed 30-day advance notification requirement is responsive to commenters’ concern that ATSs are already required to report material changes to the operation of the ATSs at least 20 calendar days prior to implementation, and that proposed Regulation SCI would extend the advance notification period to 30 calendar days.1010
The Commission also believes that adopting the quarterly reporting requirement instead of the 30-day advance notification requirement lessens SCI entities’ burden of compliance as compared to the proposal.1011 For example, rather than submitting a Form SCI for each material systems change, an SCI entity is now required to submit four reports each year pursuant to Rule 1003(a)(1) and, as applicable, supplemental reports pursuant to Rule 1003(a)(2). To the extent certain material systems changes are related or similar, an SCI entity will not be required to separately notify the Commission of each change.
1007 As discussed in more detail below, the Commission is also not adopting the proposed definition of material systems change or the proposed semi-annual reporting requirement.
1008 Using the quarter ending December 31, 2014 as an example, an SCI entity would be required to submit a report by January 30, 2015 (i.e., within 30 calendar days after December 31, 2014) that describes material systems changes that the SCI entity has made (including the dates when those changes commenced and were completed), are currently implementing (including the dates when those changes commenced and are expected to be completed), and plan to make (including the dates those changes are expected to commence and complete) for the period from October 1, 2014 (the beginning of the prior calendar quarter) through June 30, 2015 (the end of the subsequent calendar quarter). The next report that corresponds to the quarter ending March 31, 2015 would be required to be submitted by April 30, 2015. As discussed in more detail below, Rule 1003(a)(2) requires an SCI entity to promptly submit a supplemental report notifying the Commission of a material error in or material omission from a report previously submitted under Rule 1003(a)(1).
1009 At the same time, because systems changes utilizing the waterfall methodology are often planned well in advance, these systems changes would generally be included in the quarterly report, as Rule 1003(a) requires the quarterly report to describe, among other things, planned material systems changes during the subsequent calendar quarter. However, this requirement of Rule 1003(a) is not limited to planned material systems changes utilizing the waterfall methodology, but also would apply to planned material systems changes utilizing other development methodologies, including the agile methodology.
Instead, the SCI entity can describe such related changes within the single quarterly report. The Commission also believes that this quarterly report process will provide the Commission and its staff with a more efficient framework to review material systems changes that are described in the larger context afforded by such periodic reports, rather than parsing every submission that reports a material systems change.1012
One commenter expressed concern that the proposed exception for exigent circumstances was too narrow.1013 Because adopted Rule 1003(a)(1) requires quarterly reports of material systems changes rather than 30-day advance notification of each material systems change, the Commission is not adopting the proposed ‘‘exigent circumstances’’ exception.
1010 The Commission notes that the adoption of Rule 1003(a) does not affect an SCI ATS’s existing obligation under Rule 301(b)(2)(ii) of Regulation ATS to file amendments on Form ATS at least 20 calendar days prior to implementing material change to the operation of the ATS. Therefore, with respect to a material systems change, an SCI ATS may be required to describe such change in a quarterly report under Rule 1003(a) and submit an amendment to Form ATS.
1011 See supra notes 996–997 and accompanying text.
1012 The Commission acknowledges that some systems changes deployed by an SCI entity may not by themselves be considered material by the SCI entity, but that, in the aggregate, can be considered material by the SCI entity (e.g., making a series of small systems changes over time in order to implement a broad systems change). The Commission believes that the adopted quarterly reporting requirement is better suited to capture such changes than the proposed 30-day advance notification requirement (i.e., 30-day advance notification for each single systems change that is by itself considered material by the SCI entity).
Specifically, the Commission notes that the purpose of the exception was to accommodate situations where it would not be prudent or desirable for an SCI entity to delay a systems change simply to provide 30-day advance notification of the change. At the same time, the Commission notes that, because Rule 1003(a)(1) requires in part a description of completed, ongoing, and planned material systems changes during the prior and current calendar quarters, an SCI entity’s quarterly report will be required to include a description of all material changes to its SCI systems or the security of its indirect SCI systems, including those that have been implemented in response to exigent circumstances during the prior and current calendar quarters.
Several commenters suggested possible alternatives to the proposed requirements related to material systems changes. Some commenters suggested eliminating the proposed advance notification requirement for material systems changes.1014 One of these commenters explained that information regarding material systems changes would be available to the Commission during an inspection, but stated that, if an advance notification requirement is adopted, it should be folded into the proposed semi-annual reporting requirement.1015 Another commenter similarly urged that the Commission require only semi-annual reporting of material systems changes, as proposed in Rule 1000(b)(8).1016 One commenter supported the reporting of material systems changes in the annual SCI review report.1017 One commenter believed that information related to systems changes should be reported periodically.1018 Another commenter noted that if the Commission retains the 30-day advance notification requirement, it should be limited to material systems changes of only higher priority SCI systems and that notifications of changes to lower criticality systems could be provided at the time of the change or periodically.1019
Some commenters suggested that the Commission provide more flexibility and allow SCI entities more time to report material systems changes.1020 One commenter supported giving SCI entities discretion to determine the appropriate timing and format for reporting changes to the Commission, and stated that the current practice under ARP to submit quarterly reports that cover changes for the previous and upcoming quarters has proven effective in keeping the Commission staff apprised of planned and completed systems changes.1021 One commenter suggested that SCI entities be required to keep records of all systems changes and technical issues, and make that information available to the Commission upon request.1022 If the Commission decides to retain the notification requirement, this commenter recommended that it be satisfied through periodic (ideally, quarterly) reporting of material systems changes.1023 One commenter believed the Commission should allow all 30-day advance notifications regarding pending material systems changes to be communicated orally, and only submitted in writing after development and testing is completed and the feature is finalized.1024
The Commission believes that the adopted quarterly reporting requirement is responsive to commenters who requested additional flexibility or time for material systems change notifications, as well as to commenters who suggested that such notices be submitted on a periodic or quarterly basis.1025 The Commission does not agree with the commenters who suggested that the Commission completely eliminate the advance notification requirements. The Commission believes that advance notifications of planned material systems changes will help ensure that the Commission has up-to-date information regarding important future systems changes at an SCI entity, to aid in its understanding of the operations and functionality of the systems post-change.1026 As adopted, Rule 1003(a)(1) requires an SCI entity to provide the Commission with advance notification of planned material systems changes in the current and subsequent quarters through the quarterly reports.
As noted above, after considering the views of commenters, the Commission is not adopting the proposed 30-day advance notification requirement for each material systems change. The Commission is also not adopting commenters’ suggestion that material systems changes be reported semi-annually or annually.1027 As noted in the SCI Proposal, proposed Rule 1000(b)(8)(ii) required semi-annual reports because the proposal would have separately required information relating to each planned material systems change to be submitted at least 30 calendar days before its implementation.1028 Thus, in the SCI Proposal, the Commission stated its preliminary view that requiring ongoing summary reports more frequently would not be necessary.1029 At the same time, the Commission expressed the concern that a longer period of time would permit significant updates and milestones relating to systems changes to occur without notice to the Commission.1030 Because the Commission is not adopting the 30-day advance notification requirement, the Commission believes that it is appropriate to require more frequent reports of material systems changes than on a semi-annual basis. Further, as noted above, some commenters suggested quarterly reports, which is consistent with the practice of some entities under the ARP Inspection Program.1031
The Commission does not agree with the commenter who suggested that Regulation SCI should only require SCI entities to keep records of all systems changes and make that information available to the Commission upon request.1032 Similarly, the Commission does not agree with commenters who suggested that SCI entities be given discretion to determine the timing of the reports.1033 The Commission believes that quarterly reporting of material systems changes will help ensure that the Commission has, on an ongoing basis, a comprehensive view and up-to-date information regarding material systems changes at an SCI entity.
With respect to the commenter who suggested that all 30-day advance material systems change notifications should be provided orally, and submitted in writing only after the changes are fully tested and implemented,1034 the Commission notes that it is not adopting the proposed 30-day advance notification requirement for material systems changes. With respect to the commenter who suggested giving SCI entities discretion to determine the format for reporting changes to the Commission,1035 the Commission notes that Rule 1003(a) does not prescribe a specific style that the quarterly reports should take. The Commission intends for the quarterly report to allow the Commission and its staff to gain a sufficient level of understanding of the material systems changes that have been implemented, are on-going, and are planned for the future, which would aid the Commission and its staff in understanding the operations and functionality of the systems of an SCI entity and any changes to such systems. In particular, the Commission notes that Rule 1003(a)(1) only specifically requires the quarterly reports to ‘‘describe’’ the material systems changes and the dates or expected dates of their commencement and completion.
1013 See BATS Letter at 15.
1014 See MFA Letter at 7 and ITG Letter at 13–14. See also Joint SROs Letter at 8 (stating that material systems changes should be reported in a periodic, post-hoc basis, as was required under ARP).
1015 See MFA Letter at 7.
1016 See Direct Edge Letter at 8.
1017 See CME Letter at 11.
1018 See NYSE Letter at 27.
1019 See SIFMA Letter at 15.
1020 See NYSE Letter at 27; FINRA Letter at 27; and MSRB Letter at 22. See also CME Letter at 11 (stating ‘‘instead of setting firm time limits under which an entity is required to submit notifications of material systems changes under Rule 1000(b)(6), the Commission should instead simply require ‘timely advance notice of all material planned changes to SCI systems that may impact the reliability, security, or adequate scalable capacity of such systems’’’).
1021 See FINRA Letter at 27.
1022 See OTC Markets Letter at 20.
1023 See id. This commenter also noted that this would allow for the elimination of proposed Rule 1000(b)(6)(ii), which required notices for material inaccuracies in prior notifications. See OTC Markets Letter at 20–22. According to this commenter, quarterly updates would disclose material deviations from plans described in a previous report, whether stemming from inaccuracies in prior reports or new information that prompts beneficial deviations from a systems implementation plan. See id.
1024 See Omgeo Letter at 22.
1025 Because the Commission is only adopting a quarterly reporting requirement for material systems changes, the adopted approach is responsive to a commenter’s suggestion that notifications of changes to lower criticality systems could be provided at the time of the change or periodically. See supra note 1019 and accompanying text.
1026 The Commission acknowledges that there may occasionally be unexpected material systems changes that are not reported to the Commission in advance, but expects that material systems changes generally will be planned well in advance and reported in the quarterly report accordingly.
1027 See supra notes 1015–1017 and accompanying text.
1028 See Proposing Release, supra note 13, at 18124.
1029 See id.
1030 See id.
Therefore, Rule 1003(a)(1) gives each SCI entity reasonable flexibility in determining precisely how to describe its material systems changes in the report in a manner that best suits the needs of that SCI entity as well as the needs of the Commission and its staff.1036 In addition, to the extent the Commission seeks additional information about a given change noted in a quarterly report, an SCI entity would be required to provide Commission staff with such information in accordance with Rule 1005 (Recordkeeping Requirements Related to Compliance with Regulation SCI).1037
The Commission also notes that the quarterly reports are required to include descriptions of material systems changes during the prior calendar quarter that were completed, ongoing, or planned.
1031 See supra notes 1021, 1023 and accompanying text.
1032 See supra note 1022 and accompanying text. As discussed above, this commenter also stated that, if the Commission decides to retain the notification requirement for material systems changes, the Commission should require periodic (ideally, quarterly) reporting. See supra note 1023 and accompanying text. Adopted Rule 1003(a)(1) is consistent with this commenter’s alternative suggestion.
1033 See supra note 1021 and accompanying text. See also supra note 1020.
1034 See supra note 1024 and accompanying text.
1035 See supra note 1021 and accompanying text.
Therefore, if a report for the first quarter of a given year discusses the SCI entity’s plan to implement a particular series of material changes to an SCI system, Rule 1003(a)(1) requires that, in the report for the second quarter of that year, the SCI entity describe the material systems changes that were completed, ongoing, and planned in the first quarter, including the planned changes discussed in the prior quarter’s report, as applicable.
Several commenters expressed concern that the proposed 30-day advance notification requirement would potentially give the Commission new authority to ‘‘reject’’ a Form SCI filing describing material systems changes, similar to the way the Commission may reject an improperly filed proposed rule change pursuant to Rule 19b–4 under the Exchange Act.1038 Three commenters requested that the Commission clarify how proposed Rule 1000(b)(6) would relate to Rule 19b–4, suggesting that there may be unnecessary redundancy between the two processes.1039 Another commenter suggested limiting the types of changes that would require 30-day advance notification to those changes that are already required to be filed with the Commission as proposed rule changes for immediate effectiveness under Section 19(b)(3)(A) of the Exchange Act (excluding those filings that would not become operative for 30 days after the date of the filing because those filings would already provide the Commission with 30 days’ advance notification of the material systems changes).1040 This commenter also noted that where a material systems change would be filed for approval under Section 19(b)(2) of the Exchange Act, the Section 19(b)(2) approval process provides the Commission sufficient notification of the systems change.1041 One commenter stated that proposed Rule 1000(b)(6) was improperly premised on the notion that the Commission should be responsible for a minutely-detailed understanding of the IT infrastructure of SCI entities and for assessing prospective changes in advance of their implementation.1042
The Commission disagrees with commenters who believed that material systems change reports are redundant given the rule filing requirements of Rule 19b–4 under the Exchange Act, or that material systems change reports should not be required if the SCI entity submitted certain types of rule filings regarding the same change.1043 The Commission acknowledges that some systems changes require proposed rule changes under Rule 19b–4, and some Rule 19b–4 proposed rule changes result in systems changes. However, based on Commission staff’s experience with the ARP Inspection Program and the rule filing process, the Commission believes that the type of information regarding systems changes included in rule filings is different from the type of information that will be included in reports on material systems changes. In particular, the technical details or specifications of SCI systems and indirect SCI systems are generally not specifically set forth in the rules of an SCI SRO. Therefore, technical information regarding systems changes is usually not set forth in rule filings. In addition, the Commission notes that the rule filing process and the material systems change reports serve different purposes. In particular, the material systems change reports are intended to inform the Commission and its staff of important technical changes to an SCI entity’s systems. On the other hand, the rule filing process provides notice of changes to an SCI entity’s rules, including, for example, the statutory basis for such changes, and in some cases seeks approval by the Commission of the rule changes.
1036 See also Omgeo Letter at 43 (requesting that the Commission specify in the final rule the required content for a planned material systems change notification).
1037 See infra Section IV.C.
1038 See Omgeo Letter at 23; and SIFMA Letter at 16. See Section 19(b) of the Exchange Act, 15 U.S.C. 78s(b).
1039 See KCG Letter at 19; Joint SROs Letter at 8; and FIF Letter at 5.
1040 See MSRB Letter at 22.
1041 See MSRB Letter at 22. This commenter also suggested that material systems changes (other than those filed pursuant to Rule 19b–4 under the Exchange Act) be reported semi-annually, or that de minimis changes be excepted from the notice requirement altogether if the Commission continues to require 30-day advance notification. See MSRB Letter at 22–23. As discussed above, the Commission is adopting a quarterly reporting requirement for systems changes that an SCI entity determines to be material.
1042 See Direct Edge Letter at 1, 8. See also ITG Letter at 13–14 (stating that the Exchange Act does not enable the Commission to ‘‘bootstrap its SRO rule review authority or its national market system authority to force regulated entities to submit upcoming material systems changes for agency approval’’ and that ‘‘the Commission need only receive notifications when they are a significant part of proposed rule changes by SROs or amendments to Form ATS of material changes to the operation of the ATS’’).
1043 See supra notes 1039–1041 and accompanying text. The Commission notes that the requirement under Regulation SCI to submit reports of material systems changes does not alter an SRO’s obligation to file proposed rule changes, the obligation of participants of an SCI Plan to file a proposed amendment to such SCI Plan, or any other obligation any SCI entity may have under the Exchange Act or rules thereunder.
Therefore, if an SCI SRO submits a rule filing regarding a particular systems change and the change is also included in a material systems change report, the information included in the rule filing may not necessarily further the goal of the material systems change reporting requirement, and the information included in the material systems change report may not necessarily assist in the Commission’s review of the rule filing. Moreover, commenters’ concern regarding the redundancy between the rule filing process and the material systems change reports stemmed from concerns regarding the 30-day advance notification requirement. As discussed above, the Commission is not adopting a 30-day advance notification requirement.
The Commission also reiterates that the material systems change reports are intended to inform the Commission and its staff of such changes and help the Commission in its oversight of U.S. securities market infrastructure. Regulation SCI does not provide for a new approval process for SCI entities’ material systems changes. As such, Commission staff will not use material systems change reports to require any approval of prospective systems changes in advance of their implementation pursuant to any provision of Regulation SCI,1044 or to delay implementation of material systems changes pursuant to any provision of Regulation SCI.1045
Three commenters questioned the Commission’s legal authority to adopt the proposed material systems change notification requirements, including, in particular, those set forth in proposed Rule 1000(b)(6).1046 For the reasons discussed above in Section IV.B.3.c, the Commission disagrees with these comments and believes that adopted Rule 1003(a) will assist the Commission in its oversight of U.S. securities market infrastructure consistent with its legal authority under the Exchange Act.
In light of the 30-day advance notification requirement in proposed Rule 1000(b)(6), some commenters suggested eliminating the semi-annual reporting requirement in proposed Rule 1000(b)(8)(ii) because they considered it duplicative and unnecessary.1047 One commenter believed that the required semi-annual reporting requirement was excessive and should instead be incorporated into the annual reporting obligations in proposed Rule 1000(b)(8)(i).1048 As discussed above, the Commission is adopting a quarterly reporting requirement under Rule 1003(a)(1) and is not adopting the proposed 30-day advance notification requirement. Therefore, the Commission is not adopting the requirement in proposed Rule 1000(b)(8)(ii) for semi-annual progress reports.
ii. Definition of Material Systems Change
Commenters generally opposed the proposed definition of material systems change. Many commenters stated their belief that the term was too broad and would therefore necessitate an excessive number of notifications of material systems changes.1049 Some commenters believed that the definition should be revised and offered a variety of suggestions.1050 Several commenters advocated for creating a risk-based definition whereby, for example, notifications are only required for those material systems changes that pose a risk to critical operations of an entity.1051 One commenter suggested that the requirement focus on SCI systems only.1052 One commenter stated that SCI entities should be afforded flexibility to establish reasonable standards for defining material systems changes for their systems.1053
Several commenters sought guidance from the Commission on the materiality threshold, which commenters believed was unclear, explaining, for example, that the term ‘‘material’’ appears both in the term ‘‘material systems change’’ and in the definition of that term.1054 Similarly, several commenters requested that the Commission provide more guidance on the meaning of ‘‘material’’ in the context of systems changes because, although the wording of the proposed definition contained the concept of ‘‘materiality,’’ the commenters believed some of the examples provided in the SCI Proposal to be non-material.1055 One commenter asked that the Commission clearly define what types of systems changes are not subject to the prior notification requirement in order to avoid receiving notices of all systems changes, material or otherwise.1056 One commenter asked that the Commission clarify the meaning of ‘‘material’’ and confirm that prior notification would not be required for changes that do not pertain to the production environment.1057
Rather than adopting a detailed definition of material systems change as proposed, Rule 1003(a)(1) requires an SCI entity to establish reasonable written criteria for identifying a change to its SCI systems and the security of indirect SCI systems as material and to report to the Commission those changes the SCI entity identified as material in accordance with such criteria. This change is responsive to a commenter’s suggestion that SCI entities should be granted flexibility to establish reasonable standards for determining whether a systems change is material.
1044 See supra note 1042 and accompanying text.
1045 See supra note 1038 and accompanying text.
1046 See NYSE Letter at 4 (stating the belief that ‘‘[a]uthority to facilitate a national market or assure economically efficient execution of securities transaction is remote from close, minute regulation of computer systems and computer security’’); ITG Letter at 13 (stating the belief that the proposed notification requirement for material systems changes ‘‘would extend the SEC’s reach far beyond that of a securities regulator and instead enable it to regulate the IT process of marketplace participants’’ and that the Exchange Act does not enable the Commission to ‘‘bootstrap its SRO rule review authority or its national market system authority to force regulated entities to submit upcoming material systems changes for agency approval’’); and KCG Letter at 19 (stating the belief that ‘‘[t]he Commission does not have authority to stop implementation of systems changes by ATSs or systems changes that exchanges are not required to submit under Section 19(b) of the Exchange Act’’).
1047 See Omgeo Letter at 24–25; and OCC Letter at 16.
1048 See CME Letter at 11.
1049 See, e.g., BATS Letter at 14; MFA Letter at 6; ICI Letter at 4; BIDS Letter at 14; Liquidnet Letter at 3; FINRA Letter at 24–26; MSRB Letter at 22; NYSE Letter at 26–27; Joint SROs Letter at 7; CME Letter at 5; Oppenheimer Letter at 3; OTC Markets Letter at 20–21; and Direct Edge Letter at 3.
1050 See, e.g., BATS Letter at 14–15 (recommending that only those material systems changes that are reported to an SCI entity’s board of directors or similar body should be required to be reported to the Commission, which BATS stated is the standard it uses currently for the ARP Inspection Program); OCC Letter at 15 (stating that the reporting of systems changes to the board of directors, or to a similar governing body, is a more appropriate standard for determining materiality than reporting to ‘‘senior management’’); BIDS Letter at 14–15 (stating its belief that the Commission should define a ‘‘material systems change’’ to be a large-scale architectural upgrade, the implementation of industry-wide rules or other market structure changes, or other technology changes that may be required because of changes in trading rules defined in the exchange’s or the ATS’s trading rule book); and FIF Letter at 5 (recommending that the term be defined to include significant functional enhancements, major technology infrastructure changes, or changes requiring member/participant notifications).
1051 See, e.g., OCC Letter at 15; DTCC Letter at 16; Liquidnet Letter at 3; MFA Letter at 6; ICI Letter at 4; CME Letter at 5; and Direct Edge at 4.
1052 See NYSE Letter at 27.
1053 See FINRA Letter at 27.
1054 See Direct Edge Letter at 3–4; OCC Letter at 15; and NYSE Letter at 26.
1055 See, e.g., Joint SROs Letter at 7; DTCC Letter at 15–16; Omgeo Letter at 23; OCC Letter at 15; FINRA Letter at 27; OTC Markets Letter at 20–21; BIDS Letter at 14; Direct Edge Letter at 3–4; and ISE Letter at 8. See also supra note 1050.
1056 See KCG Letter at 20.
1057 See SIFMA Letter at 15–16.
In addition, the Commission does not believe that it is appropriate to adopt a precise definition for the term ‘‘material systems change’’ because SCI entities differ in nature, size, technology, business model, and other aspects of their businesses. The Commission notes that there currently is no industry definition of ‘‘material systems change’’ that is applicable to all SCI entities that can serve as the basis for a precise definition of the term ‘‘material systems change’’ in Regulation SCI, and believes that whether a systems change is material is dependent on the facts and circumstances, such as the reason for the change and how it may impact operations. Moreover, requiring SCI entities to establish their own reasonable criteria for identifying material systems changes reflects the Commission’s view that an SCI entity is in the best position to determine, in the first instance, whether a change, or series of changes, is material in the context of its systems. Because adopted Rule 1003(a)(1) allows each SCI entity to identify material systems changes, it is responsive to commenters’ concern that the proposed definition was too broad and would result in an excessive number of notifications, and to commenters’ suggestion that the definition should be revised. Further, the Commission’s determination to not adopt the proposed definition of material systems change mitigates commenters’ concern that the proposed definition was unclear. In particular, by eliminating the proposed definition of material systems change, the Commission seeks to eliminate the confusion caused by the proposed definition of this term, which contained the word ‘‘material.’’ Moreover, some commenters requested additional clarity on the definition of material systems change because they believed that some of the examples the Commission provided in the SCI Proposal were not material systems changes. 
Because adopted Rule 1003(a)(1) requires SCI entities to establish reasonable written criteria for identifying material systems changes, SCI entities will not be required to identify material systems changes in accordance with the detailed definition and examples from the SCI Proposal. Rather, an SCI entity will have reasonable discretion in establishing the written criteria in order to capture the systems changes that it believes are material. Specifically, the Commission believes that adopted Rule 1003(a) is sufficiently flexible to allow each SCI entity to identify changes that it believes are material, which may include some of the suggestions identified by the commenters if an SCI entity determines such changes to be appropriate to include in its criteria for identifying material systems changes. For example, if an SCI entity reasonably believes that its systems changes are material if they involve significant functional enhancements, major technology infrastructure changes, or changes requiring member/participant notifications, and such criteria is set forth in the SCI entity’s reasonable written criteria, the SCI entity may identify material systems changes in accordance with such written criteria. Likewise, if an SCI entity reasonably believes that some of the examples of material systems changes identified in the SCI Proposal can appropriately serve as criteria for identifying material systems changes, and such criteria is set forth in the SCI entity’s reasonable written criteria, the SCI entity may identify material systems changes in accordance with such written criteria.
In response to a commenter’s suggestion that the Commission clearly define what types of systems changes are not subject to the prior notification requirement in order to avoid notification of all systems changes, material or otherwise, the Commission notes that Rule 1003(a)(1) specifically requires SCI entities to identify material systems changes and report only material systems changes. With respect to a commenter’s question regarding whether prior notification would be required for changes that do not pertain to the production environment, the Commission notes that SCI systems do not include development and testing systems, although indirect SCI systems could include development and testing systems if they are not walled-off from SCI systems. Therefore, Rule 1003(a) could apply to material changes to the security of development and testing systems that are not walled-off from SCI systems. Finally, with respect to a commenter’s suggestion that Rule 1003(a) focus only on SCI systems, the Commission believes that notifications of material systems changes regarding the security of indirect SCI systems is important to the Commission’s oversight of U.S. securities market infrastructure. At the same time, the Commission notes that Rule 1003(a)(1) provides that each SCI entity establish its own reasonable criteria for identifying a change to the security of its indirect SCI systems as material. Therefore, to the extent that an SCI entity determines that certain changes to the security of its indirect SCI systems are not material in accordance with its reasonable written criteria, such changes are not required to be reported to the Commission.
As with an SCI entity’s other policies and procedures under Regulation SCI, Commission staff may review an SCI entity’s established criteria relating to the materiality of a systems change (e.g., in the course of an examination) to determine whether it agrees with the SCI entity’s assessment that such criteria is reasonable and in compliance with the requirements of Rule 1003(a). The Commission believes that, by providing SCI entities flexibility in establishing the criteria and reviewing SCI entities’ established criteria, it strikes the proper balance between granting discretion to SCI entities and ensuring that SCI entities carry out their obligations under Regulation SCI.
iii. Adopted Rule 1003(a)(2): Supplemental Material Systems Change Reports
A commenter who advocated for a quarterly reporting requirement noted that quarterly updates would disclose material deviations from plans described in a previous report, including those stemming from inaccuracies in prior reports.1058 Another commenter similarly noted that periodic reporting of any inaccuracies is sufficient for oversight purposes.1059 The Commission believes that there may be circumstances in which an SCI entity realizes that information previously provided to the Commission in a quarterly report was materially inaccurate or that the quarterly report omitted material information. The Commission believes that it should, on an ongoing basis, have complete and correct information regarding material systems changes at an SCI entity, rather than waiting until the next quarterly report to receive corrected information, as suggested by these commenters. The Commission is therefore adopting Rule 1003(a)(2), which requires an SCI entity to promptly submit a supplemental report to notify the Commission of a material error in or material omission from a report previously submitted under Rule 1003(a)(1). The Commission notes that the supplemental report requirement applies only if the error or omission in a prior report is material.
1058 See OTC Markets Letter at 22.
1059 See NYSE Letter at 28.
5. SCI Review—Rule 1003(b)
Proposed Rule 1000(b)(7) required an SCI entity to conduct an SCI review of the SCI entity’s compliance with Regulation SCI not less than once each calendar year, and submit a report of the SCI review to senior management of the SCI entity no more than 30 calendar days after completion of such SCI review.1060 Further, proposed Rule 1000(b)(8)(i) required an SCI entity to submit to the Commission a report of the SCI review required by paragraph (b)(7), together with any response by senior management, within 60 calendar days after its submission to senior management of the SCI entity.1061 Proposed Rule 1000(a) defined the term ‘‘SCI review’’ to mean a review, following established procedures and standards, that is performed by objective personnel having appropriate experience in conducting reviews of SCI systems and SCI security systems, and which review contains: (1) A risk assessment with respect to such systems of the SCI entity; and (2) an assessment of internal control design and effectiveness to include logical and physical security controls, development processes, and information technology governance, consistent with industry standards.1062 In addition, the proposed definition provided that such review must include penetration test reviews of the SCI entity’s network, firewalls, and production systems at a frequency of not less than once every three years.1063 The Commission is adopting the provisions relating to SCI reviews with modifications in response to comment. In addition, the Commission is adopting a definition of ‘‘senior management’’ in Rule 1000 for purposes of the SCI review requirement.
Some commenters expressed support for the proposed requirements for SCI reviews,1064 with a few advocating that the SCI review be conducted by an independent third party, rather than ‘‘objective personnel.’’ 1065 One commenter noted that it agreed that annual SCI reviews and reports can have a meaningful impact on improving technology and business practices.1066 Another commenter expressed support for proposed Rule 1000(b)(7), but asked for clarification that any review of a processor under an NMS plan be performed independently of reviews of the same entity in other capacities (e.g., as an exchange or other SCI entity).1067 With regard to the suggestion that the Commission adopt a requirement that SCI reviews be conducted by an independent third party rather than ‘‘objective personnel’’ as proposed,1068 the Commission continues to believe that it is appropriate to permit SCI reviews to be performed by personnel of the SCI entity or an external firm, provided that such personnel are, in fact, objective and, as required by rule, have the appropriate experience to conduct reviews of SCI systems and indirect SCI systems. Experienced personnel should have the knowledge and skills necessary to conduct such reviews.
1060 See proposed Rule 1000(b)(7) and Proposing Release, supra note 13, at Section III.C.5.
1061 See proposed Rule 1000(b)(8)(i) and Proposing Release, supra note 13, at Section III.C.6.
1062 See proposed Rule 1000(a) and Proposing Release, supra note 13, at Section III.C.5.
1063 See id.
1064 See, e.g., MSRB Letter at 23; Lauer Letter at 5; Better Markets Letter at 5; and Direct Edge Letter at 9.
1065 See Lauer Letter at 5; Better Markets Letter at 5; and BlackRock Letter at 4.
In the SCI Proposal, the Commission noted that to satisfy the criterion that an SCI review be conducted by ‘‘objective personnel,’’ it should be performed by persons who have not been involved in the development, testing, or implementation of such systems being reviewed.1069 The Commission continues to believe that persons who were not involved in the process for development, testing, and implementation of the systems being reviewed would generally be in a better position to identify weaknesses and deficiencies that were not identified in the development, testing, and implementation stages. The Commission believes that, given the requirement that such personnel be ‘‘objective,’’ any personnel with conflicts of interest that have not been adequately mitigated to allow for objectivity should be excluded from serving in this role. In particular, the Commission believes that a person or persons conducting an SCI review should not have a conflict of interest that interferes with their ability to exercise judgment, express opinions, and present recommendations with impartiality. While the Commission recognizes that, as one commenter asserted, all personnel of an SCI entity could be viewed as having some level of conflict of interest,1070 the Commission believes that SCI entities can have appropriate policies and procedures in place to mitigate such conflicts or to help ensure that certain departments and/or specified personnel (such as internal audit departments) are appropriately insulated from such conflicts so as to be able to objectively conduct SCI reviews.1071 Accordingly, the Commission believes that the goals of Regulation SCI can be achieved through reviews by either internal objective personnel or external objective personnel. Taking into consideration the advantages and disadvantages associated with each approach, each SCI entity should make its own determination regarding the levels of review or assurance that can be provided by different personnel, the best means to ensure their objectivity, and whether it is appropriate to incur the additional costs of an independent third party review. An SCI entity may, for example, determine that it is appropriate to utilize personnel not employed by the SCI entity (i.e., third parties) to conduct such review each year or only on a less frequent, periodic basis (e.g., every three years), or only with regard to certain of its systems.
In addition, with regard to one commenter’s suggestion that an SCI review should be performed independently for each capacity in which an SCI entity acts, the Commission notes that the definition of SCI review and provisions of Rule 1003(b) require that an SCI entity perform a review, following established procedures and standards, for compliance with Regulation SCI that includes a risk assessment of the SCI entity’s SCI systems and indirect SCI systems and an assessment of internal control design and effectiveness of such systems and does not require an SCI entity that serves in two different capacities with respect to Regulation SCI to conduct two independent SCI reviews. The Commission believes that, as a practical matter, an SCI entity may determine that, to comply with these requirements, it is necessary to conduct separate assessments and analysis for each capacity of the SCI entity, because the standards used, risk assessments, applicable policies and procedures, and assessment of internal control design and effectiveness are different with regard to the distinct and differing functions of the SCI entity in each capacity.
1066 See FIF Letter at 6 (expressing support for the SCI review requirement while also providing suggestions for modifications to the rule).
1067 See Direct Edge Letter at 9.
1068 See supra note 1065 and accompanying text.
1069 See Proposing Release, supra note 13, at 18123.
1070 See Better Markets Letter at 5.
1071 For example, the Commission believes that many entities implement a reporting structure pursuant to which internal audit employees or departments report directly to the board of directors or an audit committee of the board. The Commission notes that, while utilizing external personnel (i.e., third parties) to conduct an SCI entity’s SCI review generally would not raise the same concerns regarding objectivity, the SCI entity would likewise need to mitigate any conflicts of interest that would prevent such personnel from meeting the objectivity standard required for an SCI review. For example, among the factors an SCI entity may consider in evaluating the objectivity of a third party review could be who within the SCI entity is managing the third party review, is setting the scope of review, is authorizing payment for such review, and has the authority to review and comment on the third party report, among others. Further, an SCI entity may consider the third party’s ability to remain objective in light of any other services provided by the third party to the SCI entity.
For example, an entity that meets both the definition of an SCI SRO and a plan processor may determine that it is necessary to conduct separate reviews for each function performed, because, for instance, the findings of a risk assessment determine that certain SCI systems fall into the category of ‘‘critical SCI systems’’ with regard to the functions of the plan processor, but not with regard to the functions of the SRO. At the same time, the Commission notes that, even where separate reviews are conducted, there may be certain overlap in conducting such reviews (for example, the entity may use the same objective reviewer for each function performed), such reviews may be conducted at the same time, and a single SCI review report may contain findings for each capacity.
While other commenters also supported some form of review, many of these commenters stated that the term SCI review is defined too broadly and/or that the SCI review requirements should allow more flexibility.1072 Some commenters expressed concerns about the need to review all systems on an annual basis, which they argued could be costly, burdensome, and unnecessary.1073 Several commenters suggested the adoption of a risk-based approach for determining the scope of the review, which would entail conducting a risk assessment to determine which systems should be reviewed and how often.1074 Under such an approach, the highest risk systems would be reviewed more frequently than other, less critical systems, which could be reviewed less frequently than annually or on a rotational basis. Similarly, one commenter recommended that SCI reviews should be focused only on those core systems capable of having a material impact on members or participants, and ‘‘adjacent’’ systems should not be subject to the review process.1075
After considering the views of commenters, the Commission has determined to adopt the provisions relating to SCI reviews with modifications in response to comment.1076 Thus, adopted Rule 1003(b) requires an SCI entity to conduct an SCI review of the SCI entity’s compliance with Regulation SCI not less than once each calendar year.1077 However, the Commission notes that, because it has revised the scope of the definition of ‘‘SCI systems’’ as described above, fewer systems of each SCI entity will be subject to the SCI review, thereby focusing the overall scope of the SCI review requirement.1078 Further, to address some commenters’ concerns about the burdens and inflexibility of the proposed rule and the recommendation that the proposed rule utilize a more risk-based approach, the adopted rule is being revised to allow assessments of SCI systems directly supporting market regulation or market surveillance to be conducted, based upon a risk-assessment, at least once every three years, rather than annually.1079 SCI entities would be required to determine the specific frequency with which to conduct assessments of these systems depending on the risk assessment that they conduct as part of the annual SCI review, provided that these systems are assessed at least once every three years. The Commission believes that market regulation and market surveillance systems have the potential to pose less risk to an entity or the market than other SCI systems. While the Commission believes that these systems are essential to investor protection and market integrity and that they can pose a significant risk to the markets in the event of a systems issue, the Commission also believes that certain market regulation and market surveillance systems may not have as immediate or widespread of an impact on the maintenance of fair and orderly markets or an entity’s operational capability as the other categories of systems included within the definition of SCI systems. While a systems issue affecting a trading system could result in the immediate inability of a market, and thus market participants, to continue trading on such system and potentially impact trading on other markets as well, the Commission believes that the temporary disruption or failure of an SCI entity’s market regulation and/or market surveillance systems in the wake of a wide-scale disruption would likely not have as direct an impact on market participants’ ability to continue to trade.
1072 See, e.g., FINRA Letter at 39–41; Omgeo Letter at 23–24; OCC Letter at 19; NYSE Letter at 35; SIFMA Letter at 17; DTCC Letter at 16–17.
1073 See, e.g., FINRA Letter at 39–41; Omgeo Letter at 23–24; OCC Letter at 19; NYSE Letter at 35; DTCC Letter at 16–17; and BIDS Letter at 11.
1074 See, e.g., FINRA Letter at 39–41; OCC Letter at 19; NYSE Letter at 35; SIFMA Letter at 17; DTCC Letter at 16–17; LiquidPoint Letter at 3; and Omgeo Letter at 24. One commenter noted that the proposed SCI review requirement essentially eliminated the ability to utilize its current risk assessment approach to determine the frequency of review for each system (ranging from annually to once every four years). See FINRA Letter at 40.
1075 See FIF Letter at 6.
1076 See adopted Rule 1003(b). However, the Commission is moving the clause regarding penetration test reviews from the definition of SCI review into Rule 1003(b), which addresses the timing of reviews. Further, the adopted definition of SCI review will require that the objective reviewer have ‘‘appropriate experience to conduct reviews’’ rather than ‘‘appropriate experience in conducting reviews’’ as proposed. The Commission believes this revision is appropriate given that, prior to the adoption of Regulation SCI today, no individual or entity would have experience in conducting the specific SCI reviews required by Rule 1003(b). Rather, the Commission believes that there are individuals or entities that have experience in conducting reviews, audits, and/or testing similar to the functions that would be necessary to address certain aspects of the SCI review requirement, and thus, the objective reviewer should have this type of appropriate experience that would allow them to conduct SCI reviews in accordance with the requirements of Regulation SCI. Thus, as adopted, the term ‘‘SCI review’’ means ‘‘a review, following established procedures and standards, that is performed by objective personnel having appropriate experience to conduct reviews of SCI systems and indirect SCI systems, and which review contains: (1) A risk assessment with respect to such systems of an SCI entity; and (2) An assessment of internal control design and effectiveness of its SCI systems and indirect SCI systems to include logical and physical security controls, development processes, and information technology governance, consistent with industry standards.’’ See Rule 1000. Further, the Commission is moving the requirement relating to reports to the Commission on SCI reviews from proposed Rule 1000(b)(8) into Rule 1003(b) so that all provisions regarding SCI reviews are in the same rule.
1077 See adopted Rule 1003(b)(1).
1078 The Commission also notes that it has clarified that the definition of ‘‘indirect SCI systems’’ includes only those systems that have not been effectively logically or physically separated from SCI systems. Thus, the scope of the SCI review is also more focused than what some commenters may have believed. It is also further focused by the elimination of references to development and test systems from the penetration test requirement in adopted Rule 1003(b)(1)(i).
Thus, after considering commenters’ views regarding the costs and burdens of the proposed SCI review requirements, as well as the suggestion that the Commission incorporate more of a risk-based approach in Regulation SCI, the Commission believes that a longer frequency of review of these systems may be appropriate in cases where the risk assessment conducted as part of the SCI review results in such a determination. The Commission also notes that, as originally proposed the rule would have required penetration test reviews of the SCI entity’s network, firewalls and development, testing, and production systems at a frequency of not less than once every three years in recognition of the potentially significant costs that may be associated with the performance of such tests.1080 However, consistent with modifications to the definition of SCI systems, references to development and test systems have been deleted in adopted Rule 1003(b)(1)(i).1081 The Commission notes that SCI entities may, however, determine that based on its risk assessment, it is appropriate and/or necessary to conduct such penetration test reviews more frequently than once every three years.
The Commission is not, however, adopting a broader risk-based approach to determine the required frequency of an SCI review (i.e., for SCI systems other than market regulation and market surveillance systems), as suggested by some commenters.1082 The Commission believes that a critical element to ensuring the capacity, integrity, resiliency, and availability of SCI systems and indirect SCI systems is conducting an annual objective review to assess the risks of an SCI entity’s systems and the effectiveness of its internal information technology controls and procedures.
1079 See adopted Rule 1003(b)(1)(ii).
Such reviews will not only assist the Commission in improving its oversight of the technology infrastructure of SCI entities, but also each SCI entity in assessing the effectiveness of its information technology practices, helping to ensure compliance with the safeguards provided by the requirements of Regulation SCI, identifying potential areas of weakness that require additional or modified controls, and determining where to best devote resources. Further, the Commission believes that the competitive environment of today’s securities markets drives SCI entities to continually update, modify, and introduce new technology and systems, often in an effort to meet specific business needs and achieve ‘‘quick-to-market’’ results, potentially without adequate focus on ensuring the continuous integrity of its systems.
1080 As noted by some commenters, penetration tests are highly technical and would require special expertise, and thus the Commission believes such testing could potentially require substantial costs. See, e.g., DTCC Letter at 17; and Omgeo Letter at 44. See also infra Sections V.D.2.d and VI.C.2.b.vi (discussing estimated costs associated with the SCI review requirement, which takes into consideration the costs of penetration testing) and Proposing Release, supra note 13, at 18123 (stating that the Commission seeks to balance the frequency of such tests with the costs associated with performing the tests). As noted in the SCI Proposal, the Commission believes that the penetration test reviews should help an SCI entity evaluate the system’s security and resiliency in the face of attempted and successful intrusions. See id.
1081 See supra Section IV.A.2.b (discussing elimination of development and test systems from the definition of SCI systems).
1082 See supra note 1074 and accompanying text.
In addition, given today’s fast-paced nature of technological advancement, existing controls can quickly become obsolete or ineffective and the relative criticality or risk nature of a system can change over time as well.1083 Further, as one commenter noted, it is not uncommon for entities to experience repeated unsuccessful attempts to gain access to their systems,1084 which the Commission believes can expose certain vulnerabilities not identified previously and, if successful, also create new vulnerabilities and risk. For these reasons, the Commission believes that it is appropriate to require an SCI entity to conduct an SCI review of its applicable systems not less than once every 12 months.1085 Further, the Commission notes that, as described in detail above, Regulation SCI is consistent with a risk-based approach in several areas, and thus, a risk assessment is appropriate in order to determine the standards and requirements applicable to a given SCI system. As such, the Commission believes that it is appropriate to require SCI entities to conduct a risk-based assessment with regard to its SCI systems and indirect SCI systems as part of its SCI review at least annually to help ensure that SCI entities are meeting the requirements of Regulation SCI.1086 For the reasons noted above, the Commission believes it is appropriate to require that SCI reviews be conducted at least annually, rather than utilizing a risk-based approach to determine the frequency of the required SCI review.1087 At the same time, the Commission notes that this provision is consistent with a risk-based approach in that SCI entities may design the scope and rigor of the SCI review for a particular system based on its risk assessment of such system, provided that the review meets the requirements of the rule, such as including an assessment of internal control design and effectiveness to include logical and physical security controls, development processes, and information technology governance, consistent with industry standards 1088 and performing penetration test reviews at least once every three years.1089
Some commenters sought clarification on various aspects of the SCI review requirement.
1083 In addition, the Commission believes changes in personnel with access to SCI systems throughout the year can create additional risk that should be considered in evaluating the risks of any particular system.
1084 See SIFMA Letter at 11.
1085 The Commission notes that, while the rule requires that an SCI review be conducted ‘‘not less than once each calendar year,’’ an SCI entity may determine that it is appropriate to conduct an assessment of an SCI system more frequently, particularly for critical SCI systems. See adopted Rule 1003(b)(1).
1086 See adopted Rule 1003(b) and Rule 1000 (definition of ‘‘SCI review’’).
1087 However, as discussed above, an SCI entity may conduct an SCI review of its market regulation and market surveillance systems based upon its risk assessment of such systems, but not less than once every three years. See adopted Rule 1003(b)(1)(ii).
One commenter stated that the term SCI review, as proposed, expanded significantly on what is required under ARP and asked for greater specificity as to the objectives and intended scope of the SCI review.1090 This commenter suggested, as an alternative, that the Commission establish an ‘‘agreed upon procedures’’ approach, which would involve outlining specific SCI review objectives and procedures that would be performed by an objective reviewer.1091 One commenter also requested that the Commission clarify whether there is a distinction between the existing ARP report and the SCI review and whether the ARP practice of on-site inspections would be eliminated.1092
With regard to the comment seeking clarity on the scope of the review as compared to what is done under the current ARP Inspection Program,1093 as noted in the SCI Proposal, the requirement for an annual SCI review was intended to formalize a practice in place under the current ARP Inspection Program in which SROs conduct annual systems reviews following established audit procedures and standards that result in the presentation of a report to senior SRO management on the recommendations and conclusions of the review.1094 Specifically, the ARP Policy Statements called for each SRO to have its automated systems reviewed annually by an ‘‘independent reviewer’’ 1095 and stated that independent reviews and analysis should: ‘‘(1) Cover significant elements of the operations of the automation process, including the capacity planning and testing process, contingency planning, systems development methodology and vulnerability assessment; (2) be performed on a cyclical basis by competent and independent audit personnel following established audit procedures and standards; and (3) result in the presentation of a report to senior SRO management on the recommendations and conclusions of the independent reviewer, which report should be made available to Commission staff for its review and comment.’’ 1096 Similar to (1) above, the definition of SCI review requires the review to contain an assessment of internal control design and effectiveness of its SCI systems and indirect SCI systems to include logical and physical security controls, development processes, and information technology governance, consistent with industry standards. Consistent with element (2), an SCI review must be performed by objective personnel having appropriate experience to conduct reviews of SCI systems and indirect SCI systems and must be performed following established procedures and standards. Finally, like item (3), Rule 1003(b)(2)–(3) requires SCI entities to submit a report of the SCI review to senior management after completion of the review, and following submission to senior management, to submit a report of the SCI review to the Commission, along with any response by senior management. Senior management, after reviewing the report, should note, in addition to any other response that may be made, any material inaccuracy or omission that, to their knowledge, is in the report.
1088 See adopted Rule 1000 (definition of ‘‘SCI review’’).
1089 See adopted Rule 1003(b)(1)(i).
1090 See FINRA Letter at 39–40.
1091 See id. at 40.
1092 See OCC Letter at 19.
1093 See supra note 1092 and accompanying text. See also supra note 1090 and accompanying text.
1094 See Proposing Release, supra note 13, at 18123.
1095 See ARP I, supra note 1, at 48706–07. ARP I provided that an ‘‘independent reviewer’’ could be either an internal auditor group or an external audit firm so long as the independent reviewer had the competence, knowledge, consistency, and independence sufficient to perform the role.
In this regard, the Commission recognizes that senior managers, by virtue of their positions and experience, may have differing levels of knowledge regarding their entity’s SCI systems and indirect SCI systems and compliance with Regulation SCI.

While the SCI review requirement in Rule 1003 is based on the ARP review and report, a greater number of automated systems meeting the definition of SCI system or indirect SCI system would be subject to the SCI review requirements because the scope of Regulation SCI expands upon the current ARP Inspection Program. The Commission notes that the SCI review is not a substitute for inspections and examinations conducted by Commission staff, and therefore SCI entities should expect that technology systems inspections and examinations will continue following the adoption of Regulation SCI. Along with notifications of material systems changes under adopted Rule 1003(a) and SCI event notifications pursuant to adopted Rule 1002(b), one purpose of SCI reviews will be to aid the Commission and its staff in understanding the operations and risks associated with the applicable systems of an SCI entity.

1096 See ARP II, supra note 1, at 22491. In ARP II, the Commission also explained that, in its view, ‘‘a critical element to the success of the capacity planning and testing, security assessment and contingency planning processes for [automated] systems is obtaining an objective review of those planning processes by persons independent of the planning process to ensure that adequate controls and procedures have been developed and implemented.’’ Id.
In addition, as noted above, one commenter, in seeking further clarity on the scope of the SCI review requirement, suggested that the Commission take an ‘‘agreed upon approach’’ which would outline more specific review objectives and procedures that would be performed by the objective reviewer. The Commission believes that an SCI entity should have the ability to design the specific parameters of an SCI review within the confines of the general framework of the rule, including identifying its own review objectives and procedures, given the SCI entity’s in-depth knowledge of, and familiarity with, its own systems and their attendant risks. As such, the adopted rule is designed to provide a general framework for the scope of the SCI review by specifying that the review must include a risk assessment of SCI systems and indirect SCI systems and an assessment of the internal control design and effectiveness of its systems in certain areas.1097 At the same time, the rule provides flexibility by permitting the review to be conducted ‘‘following established procedures and standards,’’ which would be identified and established by the SCI entity itself.1098

Some commenters expressed views on the provisions requiring SCI entities to submit reports of the SCI review to senior management of the SCI entity and to the Commission. Specifically, two commenters supported the proposed requirement that reports of the SCI review be submitted to senior management of the SCI entity no later than 30 days after completion of the SCI review.1099 One commenter urged that senior management of an SCI entity certify the report before it is submitted to the Commission in order to promote accountability at the highest ranks of the SCI entity.1100 Another commenter believed that 45 days for submission of such reports to senior management would be more appropriate as a target timeframe given the complexity of the issues addressed in an SCI review, and that should this target fail to be met, the Board of Directors Audit Committee (or similar governing body) should be informed of the reason therefor.1101 Two commenters recommended that the distribution cycle within proposed Rule 1000(b)(8)(i) be modified so that individual, focused audit reports resulting from rotational reviews could be bundled and distributed to the Commission on a regular basis (semiannually or quarterly).1102

The Commission does not believe that it is necessary to require senior management certification of the report of the SCI review, as suggested by one commenter.1103 Adopted Rules 1003(b)(2)–(3) require that the SCI entity submit a report of the SCI review to senior management of the SCI entity no more than 30 calendar days after completion of such SCI review, and that the SCI entity submit a report of the SCI review, together with any response by senior management, to the Commission and the board of directors of the SCI entity or the equivalent of such board within 60 calendar days after its submission to senior management.

1097 See adopted Rule 1000 (defining ‘‘SCI review’’).
1098 See id.
1099 See MSRB Letter at 23; and FIF Letter at 6.
1100 See Better Markets Letter at 6.
Because reports of SCI reviews and any responses by senior management are required to be filed using Form SCI under the Exchange Act and Regulation SCI, it is unlawful for any person to willfully or knowingly make, or cause to be made, a false or misleading statement with respect to any material fact in such reports or responses.1104 The Commission recognizes that senior management certifications are used in other regulatory contexts, including in some Commission rules and regulations.1105 However, at this time, the Commission believes that, in light of the other requirements for an SCI entity, the goals of Regulation SCI can be achieved without the imposition of an additional requirement on SCI entities for senior management certification. Specifically, the Commission believes that the adopted requirements promote the responsibility and accountability of senior management of an SCI entity by helping to ensure that senior management receives and reviews reports of SCI reviews, is made aware of issues relating to compliance with Regulation SCI, and is encouraged to promptly establish plans for resolving such issues.

The Commission is also adopting a definition of ‘‘senior management’’ in Rule 1000 to make clear which individuals at an SCI entity must receive and review the report of the SCI review. The Commission believes that, in the context of the SCI review requirement, senior management should not be limited to a single individual or officer of an SCI entity.

1101 See DTCC Letter at 17.
1102 See OCC Letter at 19; and DTCC Letter at 17.
1103 See supra note 1100 and accompanying text.
1104 See, e.g., Section 32(a) of the Exchange Act, 15 U.S.C. 78ff(a).
1105 See, e.g., 17 CFR 240.15c3–5(e)(2) (chief executive officer certification under the Market Access Rule); and 17 CFR 240.13a–14 (principal executive and principal financial officer certification of disclosure in annual and quarterly reports).
Thus, ‘‘senior management,’’ for purposes of adopted Rule 1003(b) is defined as an SCI entity’s Chief Executive Officer, Chief Technology Officer, Chief Information Officer, General Counsel, and Chief Compliance Officer, or the equivalent of such employees or officers of an SCI entity. The Commission believes that, in order to achieve the goals of the rule to promote increased awareness and oversight of the technology infrastructure at an SCI entity by its most senior employees and officers, it is important that the SCI entity’s senior management team receive and carefully review reports of SCI reviews. The Commission believes that these employees and officers, or their functional equivalent, represent the executive, technology, legal, and compliance functions that are necessary to effectively review the reports of SCI reviews. The Commission also believes that awareness by an SCI entity’s senior management of SCI reviews and issues with Regulation SCI compliance should help to promote a focus by senior management on such reviews and issues, enhance communication and coordination regarding such reviews and issues among business, technology, legal, and compliance personnel, and, in turn, strengthen the capacity, integrity, resiliency, and availability of the systems of SCI entities.

To help ensure that persons at the highest levels of an SCI entity are made aware of any issues raised in the SCI review, the Commission is also adopting a requirement for each SCI entity to submit to its board of directors or the equivalent of such board a report of the SCI review and any response by senior management within 60 calendar days after the submission of the report to senior management of the SCI entity.

With regard to one commenter’s suggestion that SCI entities should be given 45 days rather than 30 days to submit the report of the SCI review to senior management (and that it should be only a target timeframe rather than a requirement),1106 the Commission notes that the 30-day timeframe is based on the Commission’s experience with the current ARP Inspection Program that an ARP entity is able to consider the review and prepare a report for senior management consideration prior to the submission to the Commission.1107 The Commission acknowledges that a greater number of systems will be subject to the SCI review requirement than the current ARP Inspection Program given the definitions of SCI system and indirect SCI system,1108 and that the issues addressed in an SCI review may be complex. However, the Commission notes that the adopted timeframe, while based on experience with the current ARP Inspection Program, also takes into account these factors.1109 Further, the Commission believes that the complexity of the issues presented during an SCI review would more likely affect the timing of conducting and completing the SCI review, rather than the timing for submitting a report of the review to senior management. The Commission, therefore, continues to believe that this requirement is appropriate. The Commission also notes that the requirement to submit the annual report to the Commission within 60 calendar days after its submission to senior management is similarly based on the Commission’s experience with the ARP Inspection Program that this time period is a sufficient period to enable senior management to consider such review or report before submitting it to the Commission.1110 Because an SCI entity will already have prepared the report and any response by senior management for filing with the Commission, the Commission believes that an SCI entity will not need significant additional time to submit the same report and response to its board of directors or the equivalent of such board.

1106 See supra note 1101 and accompanying text.
1107 See Proposing Release, supra note 13, at 18123.
1108 The Commission also notes, however, that as discussed above, the scope of systems subject to Regulation SCI has been refined from what was proposed.
1109 The Commission notes that, while the ARP II Release recommended that an SRO’s independent review should result in the presentation of a report to senior SRO management on the recommendations and conclusions of the independent review and such report should be made available to Commission staff, it did not provide recommended time periods for the submission of such reports. See ARP II Release, supra note 1. The adopted 30-day time period is based on experience with the ARP Inspection Program, as well as a consideration of the scope of the review required under Regulation SCI.
1110 See Proposing Release, supra note 13, at 18124.

Contrary to the suggestion of some commenters, the Commission does not believe it is appropriate to allow an SCI entity to delay the submission of SCI review reports to the Commission in order to bundle several reports together and submit them on a quarterly or semiannual basis. Rather, the Commission believes that it is important to receive such reports in a timely manner after completion of the SCI review, so that the Commission is made aware of potential areas of weakness in an SCI entity’s systems that may pose risk to the entity or the market as a whole, as well as areas of non-compliance with the provisions of Regulation SCI, without undue delay.
With respect to clearing agencies, two commenters noted that the SCI review requirement potentially might overlap with staff guidance for clearing agencies that calls for an annual report on internal controls and recommended that the Commission consider further coordination on potential redundancies.1111 The Commission notes that the section in the guidance provided in the Announcement for Standards for the Registration of Clearing Agencies referenced by commenters is distinct from the adopted SCI review requirement, as such section in the guidance relates to the review and evaluation of clearing agencies’ accounting controls.1112 In contrast, the SCI review requirement involves a risk assessment and assessment of internal control design and effectiveness of all of an SCI entity’s SCI systems and indirect SCI systems.

Finally, it should be noted that the required review and timely reporting to the Commission will enable the Commission and Commission staff to monitor the quality of compliance with Regulation SCI, thoroughness and robustness of SCI reviews, and the responses of senior management to such reviews. Accordingly, the Commission will be in a position to consider enhancing these regulatory requirements in the future, if necessary.

1111 See OCC Letter at 19–20; and DTCC Letter at 18 (citing Securities Exchange Act Release No. 16900, 45 FR 41920, available at: https://sec.gov/rules/other/34-16900.pdf).
1112 See Securities Exchange Act Release No. 16900 (June 17, 1980), 45 FR 41920 (June 23, 1980).

6. SCI Entity Business Continuity and Disaster Recovery Plans Testing Requirements for Members or Participants—Rule 1004

Adopted Rule 1004 addresses testing of SCI entity business continuity and disaster recovery plans, including backup systems, by SCI entity members or participants. Rule 1004 corresponds to proposed Rule 1000(b)(9), and is adopted with certain modifications in response to comment, as discussed below.

a. Proposed Rule 1000(b)(9)

Proposed Rule 1000(b)(9)(i) required each SCI entity, with respect to its BC/DR plans, to require participation by designated members or participants in scheduled functional and performance testing of the operation of such plans, in the manner and frequency specified by the SCI entity, at least once every 12 months. Proposed Rule 1000(b)(9)(ii) further required each SCI entity to coordinate the testing of such plans on an industry- or sector-wide basis with other SCI entities. Proposed Rule 1000(b)(9)(iii) would have additionally required each SCI entity to designate those members or participants it deems necessary, for the maintenance of fair and orderly markets in the event of the activation of its BC/DR plans, to participate in the testing of such plans, and notify the Commission of such designations and its standards for such designation on Form SCI.

b. Comments and Commission Response

The Commission received significant comment on proposed Rule 1000(b)(9) and is adopting it with revisions, as Rule 1004. As more fully discussed below, the adopted rule requires designation of a more limited set of SCI entity members and participants for mandatory participation in BC/DR testing than the proposed rule. Further, the adopted rule does not require an SCI entity to file designation standards or member/participant designations with the Commission on Form SCI, as was proposed, but instead an SCI entity must keep records of its standards and designations. The scope, frequency, and coordination aspects of the proposed rule are adopted as proposed.

i. Mandatory BC/DR Testing Generally

Some commenters expressed general support for the goals of proposed Rule 1000(b)(9).1113 One commenter in particular stated that ‘‘[i]t is vital that as many firms as possible participate in [market-wide] testing with conditions as realistic as possible.’’ 1114 According to this commenter, broader mandatory participation in testing would be ‘‘one of the most valuable parts of Regulation SCI and will do the most to ensure improved market network reliability.’’1115 Another commenter expressed support for broad participation in BC/DR testing, but also expressed concern that the testing requirement would put SCI entities at a competitive disadvantage versus non-SCI entities.1116

Several commenters objected to the proposed mandatory testing requirement for SCI ATSs.1117 For example, two commenters suggested that few ATSs are critical enough to warrant inclusion in the proposed mandatory testing requirement.1118 One commenter urged that only SCI entities that provide market functions on which other market participants depend be subject to the requirements for separate backup and recovery capabilities.1119 Another commenter stated that the added benefit of requiring fully redundant backup systems is almost impossible to measure while the cost of implementation is significant, and added further that fully redundant systems and increased testing do not guarantee a flawless backup plan.1120 Two commenters stated that the current voluntary coordinated testing organized by SIFMA 1121 already attracts significant participation without any mandate in place.1122 However, a different commenter noted the difficulties it has encountered in fostering participation in its voluntary disaster recovery exercises, and stated that, despite encouraging users to participate in its disaster recovery exercises, participation levels were only 20 percent of its targeted high volume client base.1123

One commenter sought clarification on whether the requirements of proposed Rule 1000(b)(9) would apply only to trading and clearance systems, or would extend to other SCI systems as well.1124 Two commenters asked whether third parties that perform critical market functions for an SCI entity, such as data vendors and service bureaus, would be subject to the proposed requirement.1125 One commenter stated that testing by an SCI entity of its business continuity capabilities should not be required to be coordinated with members.1126 According to this commenter, ‘‘[t]he entire point of [business continuity plan testing] would be to not coordinate it with customers, and assess whether operations out of [backup] facilities was seamless to members and other market participants.’’ 1127 One commenter stated that it would be more appropriate for SCI entities’ members and participants to be responsible for their own business continuity plans and testing.1128

The Commission has carefully considered commenters’ views on the need for all SCI entities to be subject to the proposed mandatory testing requirement. The Commission continues to believe that adopted Rule 1004 should apply to all SCI entities. Whereas adopted Rule 1001(a)(2)(v) requires that each SCI entity’s policies and procedures include BC/DR plans and specifies recovery goals and geographic diversity requirements for such plans,1129 adopted Rule 1004 sets forth certain minimum requirements for SCI entity testing of its BC/DR plans. Adopted Rule 1004, like proposed Rule 1000(b)(9), aims to reduce the risks associated with an SCI entity’s decision to activate its BC/DR plans and help to ensure that such plans operate as intended, if activated, by requiring that an SCI entity include participation by certain members and participants in testing of the SCI entity’s BC/DR plans.

1113 See, e.g., Angel Letter at 9; UBS Letter at 4–5; and FIF Letter at 6–7.
1114 See Angel Letter at 9.
1115 See id. at 10.
1116 See FIF Letter at 7.
1117 See SIFMA Letter at 17; BIDS Letter at 8; and ITG Letter at 15.
1118 See BIDS Letter at 5, 8; and ITG Letter at 15.
1119 See KCG Letter at 8.
1120 See Group One Letter at 3.
1121 SIFMA organizes an annual industry-wide testing exercise for firms and exchanges to submit and process test orders using their backup facilities. Participation is voluntary. See https://www.sifma.org/services/bcp/industry-testing/.
1122 See CME Letter at 13; and Tellefsen Letter at 7–8.
1123 See Omgeo Letter at 26 (noting also that it lacks the ability to require participation by its clients).
1124 See FINRA Letter at 37.
1125 See FINRA Letter at 39; and MSRB Letter at 25.
Although some commenters, including several ATSs, argued that ATSs should be excluded from requiring members or participants to test because, according to these commenters, ATSs are less critical to the orderly functioning of the markets than other SCI entities,1130 the Commission believes that eliminating any category of SCI entity—including SCI ATSs—from the testing requirement would undermine the goal of maintaining fair and orderly markets in the wake of a wide-scale disruption, and assuring the smooth and effective implementation of an SCI entity’s BC/DR plans.1131

The Commission continues to believe that a testing participation requirement will help an SCI entity to ensure that its efforts to develop effective BC/DR plans are not undermined by a lack of participation by members or participants that the SCI entity believes are necessary to the successful activation of such plans.1132 As stated in the SCI Proposal, the Commission believes that a factor in the shutdown of the equities and options markets in the wake of Superstorm Sandy was the exchanges’ belief regarding the inability of some market participants to adequately operate from the backup facilities of all market centers.1133 And, although testing protocols were in place and the chance to participate in such testing was available, the member participation rate was low.1134 The Commission does not agree with comments that seamless operation of backup facilities should not require coordination of testing, or that the fact that members and participants have their own BC/DR plans and testing means that they should not be required, if designated, to participate in the testing of an SCI entity’s BC/DR plans.1135 The Commission continues to believe that testing of the effectiveness of back-up arrangements in recovering from a wide-scale disruption is a sound principle, and that, without the participation of significant members or participants of SCI entities, the effectiveness of such testing could be undermined.

1126 See Direct Edge Letter at 9.
1127 See id.
1128 See SIFMA Letter at 17. In addition, some commenters believed that ATSs should be excluded from requiring members or participants to test, given that ATSs and their broker-dealer participants are already subject to FINRA Rule 4370, which relates to BC/DR plans. See FIA PTG Letter at 5; and BIDS Letter at 9.
1129 See supra Section IV.B.1.b (discussing the requirement that an SCI entity have reasonable policies and procedures that include business continuity and disaster recovery plans that include maintaining backup and recovery capabilities sufficiently resilient and geographically diverse and that are reasonably designed to achieve next business day resumption of trading and two-hour resumption of critical SCI systems following a wide-scale disruption).
1130 See supra note 1118 and accompanying text.
1131 See supra Section IV.A.1 (discussing the Commission’s rationale for adopting the definition of SCI entity as proposed). See supra Section IV.B.1.b (discussing the BC/DR requirements in Rule 1001(a)(2)(v) for SCI entities). See also infra Sections VI.C.1.c and VI.C.2.b.vii (discussing competitive concerns raised by requiring SCI entities to require members or participants to participate in the SCI entities’ BC/DR testing).
1132 See Proposing Release, supra note 13, at 18125.
1133 See id. at 18158. See also id. at 18091. The Commission notes that its basis for adopting a mandatory testing rule is independent of whether the market closures in the wake of Superstorm Sandy were appropriate to protect the health and safety of exchange personnel.
1134 See id. at 18158 and text accompanying n. 83 at 18091. In addition, based on the discussions of Commission staff with market participants in the months following Superstorm Sandy, the Commission understands that many market participants had previously engaged in connectivity testing with backup facilities, and yet remained uncomfortable about switching over to the use of backup facilities in advance of the storm.
1135 Nor does the Commission agree that Rule 1004 would be duplicative of FINRA Rule 4370, as Rule 1004 relates to participation by members or participants in the testing of an SCI entity’s business continuity plans, whereas FINRA Rule 4370 relates to the testing of the member’s or participant’s own business continuity plan. See supra note 539 and accompanying text.
Based on its experience with the ARP Inspection Program, the Commission understands that many SCI entities have already made significant investments in their backup facilities.1136 The Commission believes that the requirements of Rule 1004 will help to ensure that such facilities will be effective in the event they are needed.1137 In response to commenters who questioned the need for mandatory participation by SCI entity members and participants,1138 the Commission believes that current voluntary industryled testing has been useful because it annually brings together a wide variety of market participants, including many SCI entities, and involves a range of asset classes.1139 The current industryled testing program coordinated by SIFMA therefore could provide a foundation for the development of the testing required by Rule 1004. However, because participation rates by members and participants in voluntary testing generally has been low, the Commission believes that a mandatory participation requirement is the best means to achieve effective and coordinated BC/DR testing with assured participation by the more significant SCI entity members and participants.1140 In addition, although the Commission generally agrees with the comment that ‘‘[i]t is vital that as many firms as possible participate in [market-wide] testing with conditions as realistic as possible,’’ 1141 because of the burden and costs of requiring participation by all SCI entity members 1136 See infra Section VI.B.2 (stating that nearly all national securities exchanges already have backup facilities that do not rely on the same infrastructure components as those used by their primary facility). 1137 See 2003 BCP Policy Statement, supra note 512, at 56658 (stating: ‘‘The effectiveness of backup arrangements in recovering from a wide-scale disruption should be confirmed through testing.’’). 
See also Interagency White Paper, supra note 512, at 17811 (identifying ‘‘a high level of confidence, through ongoing use or robust testing, that critical internal and external continuity arrangements are effective and compatible’’ as one of three important business continuity objectives). See also supra Section IV.B.1.b (discussing adopted Rule 1001(a)(2)(v)).
1138 See supra notes 1117–1122 and accompanying text.
1139 See https://www.sifma.org/services/bcp/industry-testing/ (in which SIFMA describes its annual BC/DR test held annually in October, which includes asset classes such as commercial paper, equities, options, futures, fixed-income, settlement, payments, Treasury auctions and market data).
1140 See supra note 1123 (noting Omgeo’s comment that voluntary participation levels are low). See also Proposing Release, supra note 13, at 18091, n. 83 and accompanying text (noting that press reports indicated that a large number of NYSE members did not participate in NYSE’s contingency plan testing that occurred seven months prior to Superstorm Sandy).
1141 See supra note 1114 and accompanying text.

and participants, regardless of their market significance, the Commission believes it is appropriate to adopt a more measured approach to mandatory participation in BC/DR testing.1142 The Commission is therefore adopting a BC/DR testing designation requirement that applies to all SCI entities, but does not apply to all members and participants of SCI entities, as discussed below.1143

1142 In addition, because the Commission recognizes that the coordination of such testing is complex and time-consuming, it has provided for a compliance date for the coordination requirement of Rule 1004(d) that is 12 months after the compliance date required for other provisions of Regulation SCI. See Section IV.F.
1143 In response to commenters seeking clarification on the types of systems that would be subject to the mandatory testing requirement (see supra notes 1124–1125 and accompanying text), because the required testing is BC/DR testing, all systems necessary for an SCI entity to successfully activate its BC/DR plan would be included.

ii. SCI Entity Designation of Members or Participants for Participation in BC/DR Testing—Rules 1004(a)–(c)

Several commenters raised concerns about the proposed requirement that SCI entities exercise discretion to designate members or participants for participation in coordinated BC/DR testing under proposed Rule 1000(b)(9).1144 After careful consideration of the views of commenters, the Commission is adopting the requirement that SCI entities designate certain members or participants to participate in testing BC/DR plans with certain modifications from the proposal. As proposed, the rule would have required each SCI entity to designate those members or participants it ‘‘deems necessary, for the maintenance of fair and orderly markets in the event of the activation of its business continuity and disaster recovery plans . . .’’ The Commission has determined instead to require that each SCI entity designate those members or participants ‘‘that the SCI entity reasonably determines are, taken as a whole, the minimum necessary for the maintenance of fair and orderly markets in the event of the activation of such plans.’’ This change is broadly consistent with the suggestion of one commenter to revise the criteria for designation to those firms ‘‘critical to the operation of the SCI entity.’’ 1145 However, the Commission believes that the adopted standard is more appropriate in that it focuses on the ability of the SCI entity to maintain fair and orderly markets under its BC/DR plan.1146

1144 See NYSE Letter at 33; FIF Letter at 6–7; Omgeo Letter at 26; Fidelity Letter at 6; and Angel Letter at 10.
1145 See ISE Letter at 9.

Several commenters suggested eliminating SCI entity discretion and setting forth in the rule clear, objective criteria (such as trading volume) for which members or participants would be required to participate in testing.1147 One commenter suggested that the Commission require that all members or participants that represent a meaningful percentage of the volume in the marketplace participate in the testing in order to capture the more significant market participants, while recognizing the financial burden such testing may pose for smaller entities.1148 This commenter believed that giving discretion to SCI entities in this area might lead to regulatory arbitrage and a race to the bottom regarding how many and which members or participants are designated to participate in testing.1149 On the other hand, another commenter commented that the discretion contemplated by the proposal keeps the rule flexible enough to accommodate SCI entities conducting a diverse range of business activities.1150 This commenter also suggested that SCI entities should not be required to report to the Commission who they have designated to test, and instead should only be required to keep a record of who they have designated.1151

In response to commenters who were concerned about the discretionary aspect of the designation requirement,1152 the Commission believes the SCI entity is in the best position to determine which of its members or
participants collectively represent sufficient liquidity for the SCI entity to maintain fair and orderly markets in a BC/DR scenario following a wide-scale disruption. The Commission believes such determinations require the exercise of reasonable judgment by each SCI entity, and are not well-suited for a ‘‘one-size-fits-all’’ objective measure determined by the Commission. For example, if the Commission were to establish an objective measure (e.g., based on a specified percentage of trading volume), it might represent a meaningful percentage for some SCI entities, but not for others. Thus, the rule requires that each SCI entity establish standards for the designation of those members or participants that the SCI entity ‘‘reasonably’’ determines are, taken as a whole, the minimum necessary for the maintenance of fair and orderly markets in the event of the activation of its BC/DR plans. This adopted provision is in lieu of the proposed requirement, which would have required an SCI entity to designate those members or participants it ‘‘deems necessary’’ for the maintenance of fair and orderly markets in the event of the activation of its BC/DR plans.

1146 As discussed more fully in Section IV.B.6.b.iv infra, the Commission also believes that the adopted standard could, but would be unlikely to, cause members or participants to elect to withdraw from participation in an SCI entity (particularly a smaller SCI entity) to save on the cost of connectivity fees.
1147 See NYSE Letter at 33; Omgeo Letter at 26; Angel Letter at 10; and FIF Letter at 6.
1148 See NYSE Letter at 33.
1149 See NYSE Letter at 33.
1150 See CME Letter at 12.
1151 See id. at 13.
1152 See supra notes 1144, 1147–1149 and accompanying text.

Because the adopted rule requires an SCI entity’s determination to be reasonable, it provides some degree of flexibility to SCI entities but also imposes a check on SCI entity discretion, which the Commission believes should help prevent an SCI entity’s designations from being overly limited. In response to concerns that a discretionary designation requirement would lead to regulatory arbitrage and a race to the bottom regarding how many and which members or participants are designated to participate in testing, the Commission believes that this is unlikely to occur because each SCI entity will be subject to the same requirement and will be required to make a reasonable determination that the designated members or participants are those that are the minimum necessary for it to maintain fair and orderly markets in the event of activation of its BC/DR plans. Further, the Commission believes that broad participation in BC/DR testing will enhance the utility of the testing, and that allowing non-designated members or participants the opportunity to participate in such testing generally will further this goal. Therefore, the Commission encourages SCI entities to permit non-designated members or participants to participate in the testing of the SCI entity’s BC/DR plans if they request to do so.

Consistent with the recommendation of one commenter, however, the Commission has determined not to require that each SCI entity notify the Commission of its designations and its standards for designation on Form SCI as proposed. Instead, an SCI entity’s standards, designations, and updates, if applicable, would be part of its records and therefore available to the Commission and its staff upon request.1153 Unlike de minimis systems disruptions and de minimis systems intrusions, which may occur with regularity (and for which a quarterly summary report would aid Commission oversight of systems whose proper functioning is central to the maintenance of fair and orderly markets), the establishment of standards for designation, the designations themselves, and updates to such standards or designations are likely to occur less frequently. Thus, the Commission believes it is sufficient for the Commission to review records relating to such designations when the Commission determines that it is necessary to do so to fulfill its oversight role, such as during its examination of an SCI entity.1154 More broadly, the Commission believes this revision is generally consistent with modifications that the Commission has made in response to comment that proposed Regulation SCI would have required unnecessary and burdensome notice and reporting submissions.

1153 See infra Section IV.C.1 (discussing SCI entity recordkeeping requirements).
1154 See supra Sections IV.A.3 and IV.B.3.c (discussing the rationale for quarterly reporting of de minimis systems disruptions and de minimis systems intrusions).

Some commenters questioned whether many SCI entities, particularly non-SROs and ATSs, have the authority to require their members or participants to participate in such testing.1155 Another commenter more generally stated that it was unclear how an SCI entity could enforce a requirement that its customers engage in BC/DR testing.1156 In response to these comments, the Commission believes that SCI SRO rulemaking authority and non-SRO contractual arrangements would enable SCI entities to implement this requirement.1157 Specifically, SROs have the authority, and legal responsibility, under Section 6 of the Exchange Act, to adopt and enforce rules (including rules to comply with Regulation SCI’s requirements relating to BC/DR testing) applicable to their members or participants that are designed to, among other things, foster cooperation and coordination with persons engaged in regulating, clearing, settling, processing information with respect to, and facilitating transactions in securities, to remove impediments to and perfect the mechanism of a free and open market and a national market system, and, in general, to protect investors and the public interest.1158 Further, SCI entities that are not SROs have the ability to include provisions in their contractual agreements with their participants (such as their subscriber or participant agreements) requiring such parties to engage in BC/DR testing.

1155 See Omgeo Letter at 26; MSRB Letter at 24; BIDS Letter at 8; LiquidNet Letter at 4; and SIFMA Letter at 17. See also ITG Letter at 15–16.
1156 See SIFMA Letter at 17–18 (suggesting that the Commission instead adopt a ‘‘BCP testing requirement more akin to the ‘best practices’ described in the Interagency White Paper’’).
1157 While some designated members or participants of SCI entities might choose to withdraw from membership or participation in an SCI entity if they assess the cost of participating in BC/DR testing to be too great, the Commission believes that other aspects of their involvement with the SCI entity, including an interest in maintaining a profitable business relationship, will factor significantly into any decision regarding their continued membership or participation in the SCI entity. See also infra Sections VI.C.1.c and VI.C.2.b.vii (discussing competition between SCI entities and non-SCI entities in relation to the requirements under Rule 1004).

Other commenters focused on the potential impact of the rule on the members or participants designated to participate in testing.
One commenter pointed out that, without clearly defined industry level coordination, some members or participants may be overburdened by being subject to multiple individual tests with various SCI entities.1159 Another commenter asked the Commission to clarify what the obligation is for firms that are members or participants at multiple SCI entities.1160 Several commenters expressed concern that the Commission underestimated the costs and burdens of the proposed testing.1161 According to some of these commenters, under the proposal, certain firms, such as market makers and other firms performing important market functions, could be required to maintain connections to the backup sites of a number of SCI entities, at significant cost.1162 A group of commenters requested that the scope be targeted to only cover those instances in which an SCI entity determines to enact its disaster recovery plans.1163 One commenter agreed that the designation requirement could be relaxed and still achieve the provision’s aim, because the bulk of the liquidity at a market center is provided by a small number of firms.1164 Another commenter asked the Commission to give designated firms the ability to opt-out if they have a good reason.1165

1158 See Section 6 of the Exchange Act, 15 U.S.C. 78f.
1159 See OCC Letter at 18.
1160 See DTCC Letter at 13.
1161 See FINRA Letter at 37–39; OCC Letter at 18; Fidelity Letter at 6; Joint SROs Letter at 15–16; ISE Letter at 9; and Group One Letter at 3. See also infra Section VI (discussing the costs and burdens of the requirement, including the costs for members or participants to participate in BC/DR testing).
1162 See FINRA Letter at 37–39; OCC Letter at 18; and Fidelity Letter at 6 (expressing concern an SCI entity might cast a wide net with its designation powers to include more firms than necessary).
1163 See Joint SROs Letter at 16 (noting the complexity of testing a scenario in which a market participant may have enacted its business continuity plan but can still access an SCI entity through the primary facility).
1164 See Tellefsen Letter at 9.

The Commission believes that adoption of a more focused designation requirement that requires SCI entities to exercise reasonable discretion to identify those members or participants that, taken as a whole, are the ‘‘minimum necessary’’ for the maintenance of fair and orderly markets in the event of the activation of such plans is likely to result in a smaller number of SCI entity members or participants being designated for participation in testing as compared to the SCI Proposal. Because the Commission believes that SCI entities have an incentive to limit the imposition of the cost and burden associated with testing to the minimum necessary to comply with the rule, it also believes that, given the option, most SCI entities would, in the exercise of reasonable discretion, prefer to designate fewer members or participants to participate in testing, than to designate more. On balance, the Commission believes that the adopted rule will incentivize SCI entities to designate those members and participants that are in fact the minimum necessary for the maintenance of fair and orderly markets in the event of the activation of their BC/DR plans, and that this should reduce the number of designations to which any particular member or participant would be subject, as compared to the SCI Proposal, and would potentially simplify efforts for SCI entities to coordinate BC/DR testing, as required by adopted Rule 1004(d).
Despite the modifications from the proposal, it remains possible, as some commenters noted, that firms that are members of multiple SCI entities will be the subject of multiple designations, and that multiple designations could require certain firms to maintain connections to and participate in testing of the backup sites of multiple SCI entities. The Commission believes this possibility, though real, may be mitigated by the fact that multiple designations are likely to be made to firms that are already connected to one or more SCI entity backup facilities, since they represent significant members or participants of the applicable SCI entities; and that, because some SCI entity backup facilities are located in close proximity to each other, multiple connections to such backup facilities may be less costly than if SCI entity backup facilities were not so located. The Commission recognizes that there will be greater costs to a firm being designated by multiple SCI entities to participate in the testing of their BC/DR plans than to a firm designated by only one SCI entity. However, the Commission believes that these greater costs are warranted for such firms, as they represent significant participants in each of the SCI entities for which they are designated, and their participation in the testing of each such SCI entity’s BC/DR plans is necessary to evaluate whether such plans are reliable and effective. 
The designation of a firm to participate in the BC/DR testing of an SCI entity means that such firm is significant, as the SCI entity has reasonably determined it to be included in the set of its members or participants that is, ‘‘taken as a whole, the minimum necessary for the maintenance of fair and orderly markets in the event of the activation of such plans.’’ Nonetheless, the Commission acknowledges that there may be instances in which an SCI entity has reasonably designated a firm to participate in BC/DR testing, and the firm is unwilling to bear the cost of participation in BC/DR testing with a given SCI entity. In such instances, there may be firms that opt out of such testing by withdrawing as a member or subscriber of one or more SCI entities, but the Commission believes that is unlikely. In particular, the Commission believes that it is unlikely that a firm determined to be significant enough to be designated to participate in testing by an SCI entity would choose to withdraw its membership or participation in an SCI entity solely because of the costs and burdens of Regulation SCI’s BC/DR testing provisions. 
The Commission also believes that such firm is likely to be a larger firm with greater resources and a significant level of participation in such SCI entity, and is likely to already be connected to the backup facility of the SCI SRO that is designating it to test.1166 Moreover, the Commission does not agree with the suggestion made by one commenter that the Commission give designated firms the ability to ‘‘opt-out’’ if they have a good reason,1167 because the ability to opt-out in this manner would render participation in BC/DR testing voluntary which, as discussed above, is unlikely to result in adequate BC/DR testing.1168 The Commission continues to believe, as stated in the SCI Proposal, that ‘‘unless there is effective participation by certain of its members or participants in the testing of [BC/DR] plans, the objective of ensuring resilient and available markets in general, and the maintenance of fair and orderly markets in particular, would not be achieved.’’ 1169 Although the Commission recognizes that testing of a BC/DR plan does not guarantee flawless execution of that plan, the Commission believes that a tested plan is likely to be more reliable and effective than an inadequately tested plan.1170

1165 See Fidelity Letter at 6.
1166 See infra Section IV.B.6.b.iv.
1167 See Fidelity Letter at 6.
1168 See supra note 1140 and accompanying text.

iii. Scope, Timing, and Frequency of BC/DR Testing—Rule 1004(b)

The SCI Proposal specified that the type of testing for which designees would be required to participate was ‘‘scheduled functional and performance testing of the operation of [BC/DR] plans, in the manner and frequency specified by the SCI entity, at least once every 12 months.’’ 1171 After careful consideration of the views of commenters, the Commission is adopting the scope, frequency, and timing requirements in the rule as proposed.
Specifically, adopted Rule 1004(b) requires that an SCI entity’s designees participate in ‘‘scheduled functional and performance testing of the operation of [BC/DR] plans, in the manner and frequency specified by the SCI entity, provided that such frequency shall not be less than once every 12 months.’’ In the SCI Proposal, the Commission noted that functional testing is commonly understood to examine whether a system operates in accordance with its specifications, whereas performance testing examines whether a system is able to perform under a particular workload.1172 The Commission added that functional and performance testing should include not only testing of connectivity, but also testing of an SCI entity’s systems, such as order entry, execution, clearance and settlement, order routing, and the transmission and/or receipt of market data, as applicable, to determine if they can operate as contemplated by its business continuity and disaster recovery plans.1173

1169 See Proposing Release, supra note 13, at 18091, 18125.
1170 Further, because the Commission believes that increased participation in BC/DR testing is likely to enhance the utility of the testing, the Commission encourages SCI entities to permit members or participants that do not meet the SCI entity’s reasonable designation standards to participate in such testing if they request to do so.
1171 See proposed Rule 1000(b)(9)(i).
1172 See Proposing Release, supra note 13, at 18125, n. 267.
1173 See id. at 18126.

With regard to the proposed scope of testing, several commenters expressed specific concerns about the requirement for ‘‘functional and performance’’ testing of BC/DR plans.1174 Specifically, one commenter expressed concern about the logistical challenges of conducting functional and performance testing at the same time.1175 Two commenters expressed concern that requiring firms to perform industry-wide, end-to-end testing by processing transactions in their disaster recovery systems would introduce risk to the markets because such testing would increase the chance that test transactions could inadvertently be introduced into production systems.1176 Another commenter stated that a full functional test across all primary and recovery data centers for any significant number of members or participants would require substantial time to conduct and may require market downtime, as would a full performance test.1177 One group of commenters suggested that the scope of the requirement should be revised to only cover ‘‘functional and operational testing’’ of disaster recovery plans, but requested additional guidance with regard to the scope of testing required to establish the effectiveness of disaster recovery plans.1178 This group of commenters expressed concern about the ‘‘complexity and cost associated with establishing an effective coordinated test script that captures the significant number of possibilities that may occur to each significant market participant or SCI entity’’ and recommended that the scope of the coordinated functional and operational testing requirements be revised to cover those instances in which an SCI entity determines to enact its disaster recovery plan.1179 Two commenters believed the tests should be ‘‘scenario-based’’ to recreate as closely as possible the actual conditions that would trigger widespread use of BC/DR plans.1180

1174 See, e.g., FINRA Letter at 37; OCC Letter at 18; and DTCC Letter at 12.
1175 See FINRA Letter at 37 (stating that combining performance testing with functional testing on weekends would be difficult and possibly not feasible because an end-to-end functional test combined with a stress test would require much more time to accommodate processing volumes than would be afforded in an abbreviated nonbusiness day session).
1176 See OCC Letter at 17–18 (stating that its systems and systems of many member firms are configured to prevent test activity from being processed by production or disaster recovery systems); and DTCC Letter at 12 (stating similarly that the testing proposed by Rule 1000(b)(9) (as opposed to communication and connectivity testing) would not be supported by most SCI entities’ current systems configurations, and encouraging the Commission to consider this in adopting testing requirements).
1177 See Omgeo Letter at 26–27. This commenter urged a more limited scope of testing. Specifically, this commenter urged the Commission to focus on ‘‘smoke testing,’’ which it characterized as a more limited form of testing to validate that system functionality is fully deployed and operational in the new recovered or resumed production environment, and with respect to the goals of performance testing, a more limited set of system operations to assure that the recovery system would perform those operations at roughly comparable speeds as those performed on the main production systems. This commenter further stated that, in both cases, the purpose of these tests would be to validate that the backup or recovery systems have the necessary functionality to perform the service required of the SCI systems, and have sufficient capacity to process the production workloads at roughly comparable levels of performance, rather than to test the actual functional or performance characteristics of the backup or alternate recovery systems in their own right. See Omgeo Letter at 27.
1178 See Joint SROs Letter at 15–16.

Adopted Rule 1004(b) provides that the scope of required testing is ‘‘functional and performance testing of the operation of BC/DR plans.’’ As stated in the SCI Proposal, such functional and performance testing should include not only testing of connectivity, but also testing of an SCI entity’s systems, such as order entry, execution, clearance and settlement, order routing, and the transmission and/or receipt of market data, as applicable, to determine if they can operate as contemplated by its business continuity and disaster recovery plans.1181 In response to commenters expressing concern about the breadth of the requirement, the Commission notes that the rule requires functional and performance testing of the ‘‘operation of [BC/DR] plans.’’ While the type of testing required by adopted Rule 1004(b) is more rigorous than some types of testing urged by some commenters, the Commission does not believe that the requirement for ‘‘functional and performance testing of the operation of such plans’’ requires additional testing that is as burdensome as that feared by some of those commenters. Importantly, ‘‘functional and performance testing of the operation of [BC/DR] plans’’ entails testing that goes beyond communication and connectivity testing, and beyond validation testing, which are more limited types of testing urged by some commenters.
But the requirement to conduct ‘‘functional and performance testing of the operation of [BC/DR] plans’’ does not mean that a full test of the functional and performance characteristics of each backup facility is required to be conducted all at once and in coordination with other SCI entities all at the same time, as some commenters characterized the proposed requirement.1182 Specifically, the Commission notes that the testing of BC/DR plans, which is required by Rule 1004, is different from testing of the function and performance of backup facilities generally.1183 What Rule 1004 requires is coordinated testing to evaluate annually whether such backup facilities of SCI entities can function and perform in accordance with the operation of BC/DR plans in the event of wide-scale disruption. In addition, the Commission notes that performance testing, which examines whether a system is able to perform under a particular workload, is not synonymous with ‘‘stress testing,’’ in which capacity limits are tested, and therefore should not require as much time to conduct as one commenter suggested.

1179 See id. at 16.
1180 See FIF Letter at 7; and UBS Letter at 4.
1181 See Proposing Release, supra note 13, at 18126.
1182 Conducting the required testing is not intended to require market downtime, but permits a range of possibilities, as SCI entities determine to be appropriate, including weekend testing, as well as testing in segments over the course of a year, if SCI entities determine that, to meet the requirements of the rule, a single annual test cannot be properly conducted within a single period of time (e.g., over the course of a weekend).

In response to commenters concerned that the required testing would necessitate system reconfigurations,1184 the Commission understands that the requirement to test backup facilities may require technology adjustments to permit testing activity to be processed by BC/DR systems, and believes that such adjustments to permit testing are warranted to achieve the goal, as discussed above, of achieving reliable and effective BC/DR plans at SCI entities. The Commission also believes that such system reconfigurations would be less burdensome than a Commission rule requiring the establishment of a dedicated environment for safe end-to-end testing that accurately simulates the trading environment, which some commenters suggested might be appropriate. One group of commenters noted the ‘‘complexity and cost associated with establishing an effective coordinated test script,’’ and urged that the scope of the coordinated testing be ‘‘narrowed to cover those instances in which an SCI entity determines to enact its disaster recovery plan.’’ The Commission acknowledges that establishment of an effective coordinated test script will involve some costs and complexity, but believes that this is an important first step in establishing robust and effective testing under the rule. The Commission encourages SCI entities to develop one or more test scripts contemplating a wide-scale disruption and the enactment by SCI entities in the region of the wide-scale disruption of their BC/DR plans.

1183 Testing of the function and performance of backup facilities generally would occur before such facilities are launched into production (such as pursuant to Rule 1001(a)), and Regulation SCI does not impose a requirement for coordinating such testing with other SCI entities.
1184 See supra note 1176 and accompanying text. See also Tradebook Letter at 2–3 (stating its view that ‘‘the only way to test integration from order generation to allocation and then through to final settlement, is in the production environment’’ and ‘‘test tickers that operate in the production environment are the only way to reliably simulate exactly what will happen in the production environment with a live order’’).

Further, the Commission notes that nothing in Rule 1001(a) nor Rule 1004 requires that an SCI entity’s BC/DR plan specify that its backup site must fully replicate the capacity, speed, and other features of the primary site. Similarly, SCI entity members and participants are not required by Regulation SCI to maintain the same level of connectivity with the backup sites of an SCI entity as they do with the primary sites.1185 In the event of a wide-scale disruption in the securities markets, the Commission acknowledges that an SCI entity and its members or participants may not be able to provide the same level of liquidity as on a normal trading day. In addition, the Commission recognizes that the concept of ‘‘fair and orderly markets’’ does not require that trading on a day when business continuity and disaster recovery plans are in effect will reflect the same levels of liquidity, depth, volatility, and other characteristics of trading on a normal trading day. Nevertheless, the Commission believes it is critical that SCI entities and their designated members or participants be able to operate with the SCI entities’ backup systems in the event of a wide-scale disruption. Therefore, Rule 1004 requires that an SCI entity’s BC/DR plan that meets the requirements of Rule 1001(a)(2)(v) be tested for both its functionality and performance as specified by the SCI entity’s BC/DR plan.
In addition, several commenters addressed testing more generally.1186 For example, some commenters urged that comprehensive, industry-wide, end-to-end testing could be enhanced if there were uniform test tickers supported by the testing infrastructure at all SCI entities.1187 Two commenters urged the establishment of principles for end-to-end, integrated testing.1188 Specifically, one of these commenters suggested that SCI entities, the Commission, and relevant third-parties think about how to establish a dedicated environment where end-to-end testing could be done safely, and where it could accurately simulate the trading environment.1189 This commenter also suggested that testing plans concentrate on high volume periods, stress testing common order types, and focusing on securities that generally experience low liquidity.1190 This commenter believed that industry-wide testing should include derivatives and cross-asset scenarios, and possibly include some involvement by foreign regulators and markets as well.1191 While the suggestions of these commenters are not inconsistent with the rule’s requirement for functional and performance testing of BC/DR plans, the Commission has determined not to require them because the Commission does not believe, at this time, that these suggestions are necessary in every instance to achieve reliable and effective BC/DR plans at SCI entities. However, to the extent an SCI entity believes them to be appropriate for its systems, these suggestions could be utilized in its BC/DR plans testing.

1185 See infra Section VI.C.2.b.vii (discussing the estimated costs of adopted Rule 1004).
1186 See Tradebook Letter at 1–3; CAST Letter at 9; FIA PTG Letter at 2; and CoreOne Letter at 3–7.
1187 See Tradebook Letter at 2–3; CAST Letter at 9; and FIA PTG Letter at 2.
1188 See CoreOne Letter at 3; and Tradebook Letter at 1–3.

Importantly, the adopted rule does not prescribe how SCI entities are to develop plans for functional and performance testing of order entry, execution, clearance and settlement, order routing, and the transmission and/or receipt of market data, as applicable, to determine if these functions can operate as contemplated by SCI entity BC/DR plans. Thus, as with the proposed requirement, the adopted rule provides an SCI entity with discretion to determine the precise manner and content of the BC/DR testing required pursuant to Rule 1004, and SCI entities have discretion to determine, for example, the duration of the testing, the sample size of transactions tested, the scenarios tested, and the scope of the test. Therefore, while comments urging the creation of uniform test tickers, establishment of principles for end-to-end testing, mandatory types of test scripts, and cross-asset and cross-jurisdictional coordination are matters that SCI entities may wish to consider in implementing the testing required by the rule, the Commission does not believe it is appropriate to mandate such details in Regulation SCI. To do so would be more prescriptive than the Commission believes is appropriate, as this requirement is designed to provide SCI entities flexibility and discretion in determining how to meet it. The Commission believes that the adopted testing requirement will help to improve securities market infrastructure resilience by helping to ensure not only that an SCI entity can operate following an event that triggers its BC/DR plans, but also that it can do so with a greater level of confidence that its core members or participants are also ready based on experience during testing. The Commission is adopting Rule 1004(b) substantively as proposed because it gives SCI entities discretion to develop a test that meets the requirements of the rule.

1189 See CoreOne Letter at 3.
1190 See id. at 3–4.
1191 See id. at 7.
One commenter recommended requiring that each entity be run entirely under its backup plan at least one day a year for a full trading day, and that the entire market run off of the backup sites at least once a year.1192 While adopted Rule 1004 would not preclude this approach, the Commission notes that other commenters disagreed with the wisdom of it.1193 Specifically, one group of commenters stated that the risks of testing in a “live production environment on a periodic basis” outweigh the benefits.1194 Another commenter stated that requiring SCI entities to operate using their backup facilities would increase the risk of erroneous quotes and orders entering the marketplace.1195 After careful consideration of these comments, the Commission has determined not to prescribe the time of day or week during which testing shall occur. In addition, the adopted rule does not require an SCI entity to test its BC/DR plan in live production, but also does not prohibit an SCI entity from testing its BC/DR plans in live production, either, if an SCI entity determines such a method of testing to be appropriate. The Commission continues to believe that SCI entities are in the best position to structure the details of the test in a way that would maximize its utility.

With respect to testing frequency, one commenter agreed with the proposal that an SCI entity’s BC/DR plans, including its backup systems, be tested “at least once every 12 months.” 1196 One commenter stated that the rule should explicitly set forth the required frequency of testing.1197 One commenter believed that two coordinated industry tests per year would be more appropriate.1198 One commenter believed that testing once per year is arbitrary, and suggested that a risk-based approach might justify testing certain systems with more or less frequency.1199 The Commission is adopting as proposed the requirement that testing occur not less than once every 12 months. Although commenters offered differing views on the appropriate frequency for the required testing,1200 the Commission continues to believe that a testing frequency of once every 12 months is an appropriate minimum frequency that encourages regular and focused attention on the establishment of meaningful and effective testing. In the context of coordinated BC/DR testing, the Commission believes the key is for testing to occur regularly enough to offer practical utility in the event of a wide-scale disruption without imposing undue cost, and that a minimum frequency of one year achieves this balance. This requirement does not prevent SCI entities from testing more frequently, but rather is intended to give SCI entities the flexibility to test their BC/DR plans, including their backup systems, at more frequent intervals if they find it appropriate to do so.

1192 See Angel Letter at 10.
1193 See Joint SROs Letter at 15; and Group One Letter at 2.
1194 See Joint SROs Letter at 15.
1195 See Group One Letter at 2.
1196 See DTCC Letter at 13.
1197 See NYSE Letter at 33.
1198 See FIF Letter at 6.

iv. Industry- or Sector-Wide Coordination—Rule 1004(d)

Proposed Rule 1000(b)(9)(a)(ii) specified that an SCI entity would be required to coordinate the testing of BC/DR plans on an industry- or sector-wide basis with other SCI entities. The Commission received significant comment on this aspect of the proposal.
Two commenters supported the coordinated testing requirement.1201 Specifically, one of these commenters stated that a coordination requirement targets an area where technology risks have left the markets more vulnerable, namely, the complex ways that firms interact.1202 This commenter favored market-wide testing as a way to better manage that risk.1203 This commenter also stated that coordination is vital because the more SCI entities and member firms that participate in testing, the more realistic that testing will be.1204 Another commenter noted that one of the most important steps in validating and maintaining systems integrity is an effective BC/DR model and urged the Commission to promptly advance a program to introduce a new and more comprehensive BC/DR testing paradigm.1205

In contrast, some commenters opposed the proposed comprehensive, coordinated testing structure.1206 Some commenters stated that coordinating testing presents significant technological and logistical challenges that need to be weighed carefully.1207 One commenter stated that coordinated testing is a good aspirational goal, but expressed concern that too much is outside of the control of an individual SCI entity, and therefore the rule should, at most, require SCI entities to attempt to coordinate such testing.1208 Another commenter stated that the fixed-income market is so fragmented that coordinated testing is difficult to conduct and much less imperative.1209

1199 See MSRB Letter at 24.
1200 See supra notes 1196–1199.
1201 See Angel Letter at 9; and UBS Letter at 4.
1202 See Angel Letter at 9.
1203 See id.
1204 See id.

Some commenters offered suggestions on how to improve the proposed coordination requirement.
One commenter urged that coordination only be required among providers of singular services in the market (i.e., exchanges that list securities, exclusive processors under NMS plans, and clearing and settlement agencies).1210 Some commenters believed that coordination would work best if it was organized by an entity with regulatory authority over SCI entities, or by an organization designated by the Commission to fulfill that role.1211 One such commenter supported coordinating testing through a Commission-approved plan, provided SCI entities have the right to maintain the confidentiality of certain critical information.1212 Another commenter recommended that the Commission work with the CFTC to adopt a coordinated approach to dealing with technology issues across financial markets, including through participation by derivatives exchanges in testing alongside their equity markets counterparts.1213

1205 See UBS Letter at 4–5. This commenter also stated that improved BC/DR testing should not be delayed until Regulation SCI is adopted. See UBS Letter at 5.
1206 See DTCC Letter at 12–13; FINRA Letter at 37–39; OCC Letter at 17–18; and ISE Letter at 8.
1207 See LiquidPoint Letter at 4; and SIFMA Letter at 17–18. See also supra notes 1175–1177 and accompanying text.
1208 See CME Letter at 13.
1209 See TMC Letter at 3.
1210 See Direct Edge Letter at 9.
1211 See DTCC Letter at 13; OCC Letter at 18; and NYSE Letter at 33.
1212 See NYSE Letter at 33.
1213 See Angel Letter at 12.

After careful consideration of the comments, the Commission has determined to adopt the coordination requirement as proposed. Specifically, Rule 1004(d) requires that an SCI entity “coordinate the testing of [BC/DR] plans on an industry- or sector-wide basis with other SCI entities.” The Commission recognizes that coordinating industry- or sector-wide testing among SCI entities and their designated members or participants may present logistical challenges.
Because of these challenges, the Commission does not believe that a more prescriptive approach is warranted. Instead, the coordination requirement provides discretion to SCI entities to determine how to meet it. The Commission does not agree with commenters suggesting that the Commission should assume leadership on the organization of coordinated testing, designate an organization to fulfill that role, or require a “Commission-approved plan” for testing, because it believes at this time that SCI entities can achieve coordination more quickly and efficiently without the imposition of a formal procedural framework that these suggestions would entail.1214 In response to comment suggesting that coordination should be aspirational rather than required, the Commission believes that, because trading in the U.S. securities markets today is dispersed among a wide variety of exchanges, ATSs, and other trading venues, and is often conducted through sophisticated trading strategies that access many trading platforms simultaneously, requiring SCI entities to coordinate testing would result in testing under more realistic market conditions.1215 The Commission also continues to believe that it would be more cost-effective for SCI entity members and participants to participate in testing of SCI entity BC/DR plans on an industry- or sector-wide basis than to test with each SCI entity on an individual basis because such coordination would likely reduce duplicative testing efforts.1216 In addition, if SCI entities that are “providers of singular services” in the markets (i.e., which the Commission believes would be synonymous with SCI entities that are providers of “critical SCI systems”) lead coordination efforts on behalf of all SCI entities, such an approach would not be impermissible under Rule 1004(d), provided all SCI entities agreed to such an approach.

In response to commenters who more generally expressed concern about the rule subjecting SCI entity members and participants to multiple duplicative and costly testing requirements,1217 the Commission notes that the flexibility provided in the adopted coordination requirement, in tandem with the more focused adopted mandatory designation requirement should mitigate these concerns. As discussed above, adoption of a more focused designation requirement that requires SCI entities to exercise reasonable discretion is likely to reduce the extent to which SCI entity member or participant designations overlap and possibly result in a smaller number of SCI entity members or participants being designated for participation in testing than as contemplated by the SCI Proposal, and a fewer number of members or participants designated to participate in testing should simplify efforts to coordinate testing. However, as some commenters noted, it remains possible that, despite coordination, some firms that are members of multiple SCI entities may be designated to participate in testing with multiple SCI entities at greater cost than if they had been designated by only one SCI entity, and may be required to test more than once annually, as this may be necessary for each SCI entity to meet its obligations under the rule. Though the Commission recognizes that the possibility of being designated by multiple SCI entities to participate in the testing of their BC/DR plans may be costly, the Commission ultimately believes that such a cost is appropriate to help ensure that the BC/DR plan of each SCI entity is useful and effective. If, for example, a firm is designated for mandatory testing by multiple SCI entities, it would be so designated because each such SCI entity determines that such firm is necessary to the successful activation of its BC/DR plan. The Commission recognizes that it is conceivable that a firm that is required to participate in testing with multiple SCI entities assesses the costs and burdens of participating in every such test to be too great, and makes its own business decision to withdraw its membership or participation in one or more such SCI entities so as to avoid the costs and burdens of such testing, but believes such scenario to be unlikely. Specifically, the Commission believes that it is unlikely that a firm determined to be significant enough to be designated to participate in testing by an SCI entity (even a smaller SCI entity) would choose to withdraw its membership or participation in an SCI entity solely because of the costs and burdens of Regulation SCI’s BC/DR testing provisions. The Commission also believes that such firm is likely to be a larger firm with greater resources and a significant level of participation in such SCI entity, and is likely to already be connected to the backup facility of the SCI SRO that is designating it to test. The Commission continues to believe that SCI entities are best suited to find the most efficient and effective manner in which to test its BC/DR plans.1218

Furthermore, the Commission is also adopting a longer compliance period with regard to the industry- or sector-wide coordinated testing requirement in adopted Rule 1004(d).1219 Specifically, SCI entities will have 21 months from the Effective Date to coordinate the testing of an SCI entity’s business continuity and disaster recovery plans on an industry- or sector-wide basis with other SCI entities pursuant to adopted Rule 1004(d).

In sum, the Commission believes that Rule 1004, as adopted, will enhance the resilience of the infrastructure of the U.S. securities markets.

1214 With respect to the suggestion that there be a Commission approved plan, the Commission notes that Rule 608 of Regulation NMS is designed to facilitate participation in NMS plans by self-regulatory organizations, which does not include SCI entities that are not SCI SROs, including SCI ATSs. The Commission notes that at least one commenter suggested that the Commission work with the CFTC to adopt a coordinated approach to testing. But, as discussed above, the Commission believes that Regulation SCI is an important step to reduce the risks associated with a decision to activate BC/DR plans. And, although the Commission may in the future consider additional initiatives to promote further coordination with the CFTC, in the Commission’s view, this initial step of adopting Regulation SCI should not be delayed.
1215 See Proposing Release, supra note 13, at 18126.
1216 In response to comment that coordinated BC/DR testing is not needed in the current fixed-income market, the Commission notes that it has determined to exclude ATSs trading only municipal securities or corporate debt securities from the scope of Regulation SCI. See supra notes 189–192 and accompanying text (discussing the exclusion of ATSs trading only fixed-income securities from the definition of SCI ATS).
1217 See supra notes 1159–1160 and accompanying text.

C. Recordkeeping, Electronic Filing on Form SCI, and Access—Rules 1005–1007

Adopted Rules 1005 through 1007 specify several additional requirements of Regulation SCI relating to recordkeeping and electronic filing and submission.
As discussed below, the Commission has determined not to adopt the proposed provision regarding Commission access to the systems of an SCI entity because the Commission can adequately assess an SCI entity’s compliance with Regulation SCI through existing recordkeeping requirements and examination authority, as well as through the new recordkeeping requirement in Rule 1005 of Regulation SCI.

1218 See Proposing Release, supra note 13, at 18126.
1219 See infra Section IV.F (discussing the delayed implementation time for adopted Rule 1004(d)).

1. Recordkeeping—Rules 1005–1007

a. Recordkeeping Related to Compliance With Regulation SCI—Rule 1005

Proposed Rule 1000(c) required SCI SROs to make, keep, and preserve all documents relating to their compliance with Regulation SCI, as prescribed in Rule 17a–1 under the Exchange Act. Proposed Rule 1000(c) required SCI entities other than SCI SROs to: Make, keep, and preserve at least one copy of all documents relating to their compliance with Regulation SCI; keep these documents for not less than five years, the first two years in a place that is readily accessible to the Commission or its representatives for inspection and examination; and promptly furnish to Commission representatives 1220 copies of any of these documents upon request. Further, proposed Rule 1000(c) provided that, upon or immediately prior to ceasing to do business or ceasing to be registered under the Exchange Act, an SCI entity must ensure that the required records are accessible to the Commission and its representatives in a manner required by Rule 1000(c) for the remainder of the period required by Rule 1000(c).
The Commission received one comment letter supporting proposed Rule 1000(c).1221 The Commission is adopting Rule 1000(c) as proposed, but re-designated as Rule 1005.1222 As noted in the SCI Proposal, SCI entities are already subject to recordkeeping requirements,1223 but records relating to Regulation SCI may not be specifically addressed in certain current recordkeeping rules.1224 As adopted, Rule 1005 specifically addresses recordkeeping requirements for SCI entities with respect to records relating to Regulation SCI compliance.

With respect to SCI SROs, Rule 17a–1(a) under the Exchange Act requires every national securities exchange, national securities association, registered clearing agency, and the MSRB to keep and preserve at least one copy of all documents, including all correspondence, memoranda, papers, books, notices, accounts, and other such records as shall be made and received by it in the course of its business as such and in the conduct of its self-regulatory activity.1225 In addition, Rule 17a–1(b) requires these entities to keep all such documents for a period of not less than five years, the first two years in an easily accessible place, subject to the destruction and disposition provisions of Rule 17a–6.1226 Rule 17a–1(c) requires these entities, upon request of any representative of the Commission, to promptly furnish to the possession of Commission representatives copies of any documents required to be kept and preserved by it pursuant to Rules 17a–1(a) and (b).1227 Therefore, as noted in the SCI Proposal, the breadth of Rule 17a–1 under the Exchange Act is such that it would require SCI SROs to make, keep, and preserve records relating to their compliance with Regulation SCI.1228 The Commission continues to believe that it is appropriate to cross-reference Rule 17a–1 in Rule 1005 to be clear that all SCI entities are subject to the same recordkeeping requirements regarding compliance with Regulation SCI.

The Commission also continues to believe that it is appropriate to adopt recordkeeping requirements for SCI entities other than SCI SROs that are consistent with the recordkeeping requirements applicable to SROs under Rule 17a–1 under the Exchange Act. The Commission believes it is important to require such records be kept at both SCI SROs and SCI entities other than SCI SROs because such records are essential to understanding whether an SCI entity is meeting its obligations under Regulation SCI, to assess whether an SCI entity has appropriate policies and procedures with respect to its technology systems, to help identify the causes and consequences of an SCI event, and to understand the types of material systems changes occurring at an SCI entity.1229

1220 As discussed above, the Commission has renamed the ARP Inspection Program the Technology Controls Program. See supra note 6.
1221 See MSRB Letter at 25. As discussed above, some commenters suggested recordkeeping in lieu of certain Commission reporting requirements. See, e.g., supra note 881 and accompanying text.
1222 The Commission notes that adopted Rule 1005 replaces the term “SCI security systems” with “indirect SCI systems” as described in more detail in Section IV.A.2.d. Furthermore, internal cross references to Rules 1000(c)(2)(i) and (c)(2)(ii) in Rule 1000(c)(2)(iii) were updated to paragraphs (b)(1) and (b)(2) of Rule 1005 in accordance with the renumbering of the rule.
1223 See, e.g., 17 CFR 240.17a–1, applicable to SCI SROs; 17 CFR 240.17a–3 and 17a–4, applicable to broker-dealers; and 17 CFR 242.301–303, applicable to ATSs. It has been the experience of the Commission that SCI entities presently subject to the ARP Inspection Program (nearly all of whom are SCI SROs that are also subject to the recordkeeping requirements of Rule 17a–1(a)) do generally keep and preserve the types of records that would be subject to the requirements of Rule 1005. Nevertheless, the Commission continues to believe that Regulation SCI’s codification of these preservation practices will support an accurate, timely, and efficient inspection and examination process and help ensure that all types of SCI entities keep and preserve such records.
1224 See Proposing Release, supra note 13, at 18128.
1225 See 17 CFR 240.17a–1(a). Such records would, for example, include copies of incident reports and the results of systems testing.
1226 See 17 CFR 240.17a–1(b). Rule 17a–6(a) under the Exchange Act states: “Any document kept by or on file with a national securities exchange, national securities association, registered clearing agency or the Municipal Securities Rulemaking Board pursuant to the Act or any rule or regulation thereunder may be destroyed or otherwise disposed of by such exchange, association, clearing agency or the Municipal Securities Rulemaking Board at the end of five years or at such earlier date as is specified in a plan for the destruction or disposition of any such documents if such plan has been filed with the Commission by such exchange, association, clearing agency or the Municipal Securities Rulemaking Board and has been declared effective by the Commission.” 17 CFR 240.17a–6(a).
1227 See 17 CFR 240.17a–1(c).
1228 See Proposing Release, supra note 13, at 18128.

Further, as noted above, the definitions of SCI system and indirect SCI system include systems operated “on behalf of” an SCI entity by third parties.
An SCI entity retains legal responsibility for systems operated on its behalf and, as such, is responsible for producing to Commission representatives records required to be made, kept, and preserved under Regulation SCI, even if those records are maintained by third parties, and the SCI entity is responsible for ensuring that such third parties produce those requested documents, upon examination or other request. Accordingly, the Commission believes that an SCI entity should have processes and requirements in place, such as contractual provisions with a third party, to ensure that it is able to satisfy the requirements of Regulation SCI for systems operated on its behalf by a third party, including the recordkeeping requirements in Rule 1005.1230 The Commission believes that if an SCI entity is unable to ensure compliance with Regulation SCI with regard to third party systems or recordkeeping, it should reassess its decision to outsource its systems or recordkeeping.

1229 To achieve the goals for which the recordkeeping requirements are designed, and to comply with the recordkeeping requirements of Rule 17a–1 and Rule 1005 of Regulation SCI, SCI entities must ensure that the records that they make, keep, and maintain are complete and accurate.
1230 See also Rule 1007, which states that, if records required to be filed or kept by an SCI entity under Regulation SCI are prepared or maintained by a service bureau or other recordkeeping service on behalf of the SCI entity, the SCI entity is required to ensure that the records are available for review by the Commission and its representatives by submitting a written undertaking, in a form acceptable to the Commission, by such service bureau or other recordkeeping service, signed by a duly authorized person at such service bureau or other recordkeeping service.

The Commission believes that Rule 1005 will facilitate its inspections and examinations of SCI entities and assist it in evaluating an SCI entity’s compliance with Regulation SCI. In particular, Rule 1005 should facilitate Commission examination of SCI entities by helping to reduce delays in obtaining relevant records during an examination. Therefore, as noted in the SCI Proposal, the Commission’s ability to examine for, and enforce compliance with, Regulation SCI could be hampered if an SCI entity were not required to adequately provide accessibility to its records for the full proposed retention period. Further, while many SCI events may occur, be discovered, and be resolved in a short time frame, there may be other SCI events that may not be discovered until months or years after their occurrences, or may take significant periods of time to fully resolve. In such cases, having an SCI entity’s records available even after it has ceased to do business or be registered under the Exchange Act would be beneficial. Because SCI events have the potential to negatively impact trade execution, price discovery, liquidity, and investor participation, the Commission believes that its ability to oversee the securities markets could be undermined if it is unable to review records to determine the causes and consequences of one or more SCI events experienced by an SCI entity that deregisters or ceases to do business.
This information should provide an additional tool to help the Commission reconstruct important market events and better understand how such events impacted trade execution, price discovery, liquidity, and investor participation.

b. Service Bureau—Rule 1007

Proposed Rule 1000(e) required that, if the records required to be filed or kept by an SCI entity under Regulation SCI were prepared or maintained by a service bureau or other recordkeeping service on behalf of the SCI entity, the SCI entity ensure that the records are available for review by the Commission and its representatives by submitting a written undertaking, in a form acceptable to the Commission, by such service bureau or other recordkeeping service and signed by a duly authorized person at such service bureau or other recordkeeping service. Further, the written undertaking was required to include an agreement by the service bureau designed to permit the Commission and its representatives to examine such records at any time or from time to time during business hours, and to promptly furnish to the Commission and its representatives true, correct, and current electronic files in a form acceptable to the Commission or its representatives or hard copies of any, all, or any part of such records, upon request, periodically, or continuously and, in any case, within the same time periods as would apply to the SCI entity for such records. Proposed Rule 1000(e) also provided that the preparation or maintenance of records by a service bureau or other recordkeeping service would not relieve an SCI entity from its obligation to prepare, maintain, and provide the Commission and its representatives with access to such records.
The Commission did not receive any comments on proposed Rule 1000(e) and is adopting Rule 1000(e) as proposed, but re-designated as Rule 1007. As noted in the SCI Proposal, Rule 1007 is substantively the same as the requirement applicable to broker-dealers under Rule 17a–4(i) of the Exchange Act.1231 The Commission continues to believe that this requirement will help ensure the Commission’s ability to obtain required records that are held by a third party who may not otherwise have an obligation to make such records available to the Commission. In addition, the Commission continues to believe that the requirement that SCI entities obtain from such third parties a written undertaking will also help ensure that such service bureau or other recordkeeping service is aware of its obligation with respect to records relating to Regulation SCI. The Commission believes that this requirement will help ensure that the Commission has prompt and efficient access to all required records, including those housed at a service bureau or any other recordkeeping service.1232

1231 17 CFR 240.17a–4(i). See Proposing Release, supra note 13, at 18129.
1232 See 17 CFR 240.17a–4(i) (records preserved or maintained by a service bureau).

2. Electronic Filing and Submission of Reports, Notifications, and Other Communications—Rule 1006

Proposed Rule 1000(d) required that, except with respect to notifications to the Commission made pursuant to proposed Rule 1000(b)(4)(i) (Commission notification of certain SCI events) or oral notifications to the Commission made pursuant to proposed Rule 1000(b)(6)(ii) (Commission notification of certain material systems changes), any notification, review, description, analysis, or report to the Commission required under Regulation SCI be submitted electronically on Form SCI and include an electronic signature. Proposed Rule 1000(d) also required that the signatory to an electronically submitted Form SCI manually sign a signature page or document, in the manner prescribed by Form SCI, authenticating, acknowledging, or otherwise adopting his or her signature that appears in typed form within the electronic filing. This document would be required to be executed before or at the time Form SCI is electronically submitted and would be required to be retained by the SCI entity in accordance with the recordkeeping requirements of Regulation SCI. The Commission is adopting Rule 1000(d) substantially as proposed, as discussed below, but redesignated as Rule 1006.

One commenter supported the electronic submission of Form SCI.1233 One commenter suggested that the Commission should make clear that Regulation SCI filings do not need to be made in a tagged data format such as XBRL, which could be costly.1234 Another commenter stated that the electronic signature requirement was appropriate only if the final rule included a safe harbor for good faith reporting of SCI events.1235 According to this commenter, the requirement that there be an electronic signature and a manual signature could put SCI entity personnel at risk if it is later determined that there were factual errors, omissions, or other flaws in the initial filing.1236

After consideration of the comments, the Commission is adopting Rule 1000(d) substantially as proposed, and with updated internal cross references to reflect revisions to other aspects of Regulation SCI, as adopted.
Specifically, Rule 1006 provides that notifications made pursuant to Rule 1002(b)(1) (immediate Commission notification of SCI events) and updates made pursuant to Rule 1002(b)(3) (updates regarding SCI events) are not required to be filed on Form SCI.1237 As noted in the SCI Proposal, Rule 1006 is intended to provide a uniform manner in which the Commission would receive—and SCI entities would provide—written notifications, reviews, descriptions, analyses, or reports made pursuant to 1233 See MSRB Letter at 25. OTC Markets Letter at 4. See also FINRA Letter at 28. 1235 See Omgeo Letter at 20. 1236 See id. 1237 See supra Section IV.B.3.c (discussing the Commission notification requirement for SCI events). Adopted Rule 1006 refers to an electronically ‘‘filed’’ Form SCI, rather than an electronically ‘‘submitted’’ Form SCI as proposed in Rule 1000(d)(1). This change clarifies that notices and reports required to be submitted under Regulation SCI are filings under the Exchange Act and Regulation SCI. See proposed and adopted 17 CFR 249.1900 (stating that Form SCI shall be used to ‘‘file’’ notices and reports as required by Regulation SCI). See also amended Rule 24b–2 (referring to material ‘‘filed’’ in electronic format on Form SCI). 1234 See PO 00000 Frm 00107 Fmt 4701 Sfmt 4700 72357 Regulation SCI.1238 Rule 1006 should therefore allow SCI entities to efficiently draft and submit the required reports, and for the Commission to efficiently review, analyze, and respond to the information provided.1239 In addition, the Commission believes that filing Form SCI in an electronic format would be less burdensome and more efficient for SCI entities and the Commission than mailing and filing paper forms.1240 Further, after considering comments regarding the burden of submitting Form SCI in a tagged data format such as XBRL, the Commission is not requiring the use of XBRL formatting for Form SCI. 
Rather, certain fields in Sections I–III of Form SCI will require information to be provided by SCI entities in a format that will allow the Commission to gather information in a structured manner (e.g., the submission type and SCI event type in Section I), whereas the exhibits to Form SCI will allow SCI entities to provide narrative responses, such as through a text format. Further, the Commission also is specifying that documents filed through the EFFS system must be in a textsearchable format without the use of optical character recognition. If, however, a portion of a Form SCI submission (e.g., an image or diagram) cannot be made available in a textsearchable format, such portion may be submitted in a non-text-searchable format.1241 The Commission believes that requiring documents to be submitted in a text-searchable format (with the limited exception noted) is necessary to allow Commission staff to efficiently review and analyze information provided by SCI entities. In particular, a text-searchable format allows Commission staff to better gather, analyze and use data submitted as exhibits, whereas a non-text-searchable format submission would require significantly more steps and labor to review and analyze data. The Commission notes that word processing and spreadsheet applications that are widely used by many businesses, including SCI entities, generate documents in this format. As noted above, one commenter stated that the electronic signature requirement was appropriate only if the 1238 See Proposing Release, supra note 13, at 18129–30. 1239 See id. at 18130. 1240 The Commission will implement Form SCI through the electronic form filing system (‘‘EFFS’’) currently used by SCI SROs to file Form 19b–4 filings. See Securities Exchange Act Release No. 50486 (October 4, 2004), 69 FR 60287 (October 8, 2004) (adopting the EFFS for use in filing Form 19b–4). See also Proposing Release, supra note 13, at 18130. 1241 See General Instructions to Form SCI, Item A. 
E:\FR\FM\05DER2.SGM 05DER2 72358 Federal Register / Vol. 79, No. 234 / Friday, December 5, 2014 / Rules and Regulations final rule included a safe harbor for good faith reporting of SCI events. The Commission is adopting the electronic signature requirement as proposed. The Commission notes that, as discussed above in Section IV.B.3.c, immediate Commission notification following an SCI event and updates regarding the SCI event may be given orally; the 24-hour Commission notification is required to be made on a good faith, best efforts basis; and the final Commission notification is not required until the resolution of the SCI event and the completion of the SCI entity’s investigation of the SCI event. The Commission also notes that the purpose of the electronic signature requirement on Form SCI is to ensure that the person submitting the form to the Commission has been properly authorized by the SCI entity to submit the form on its behalf.1242 Therefore, the electronic signature requirement would not put SCI entity personnel at risk if the SCI entity later determines that there were factual errors, omissions, or other flaws in the initial filing. 
As such, the Commission does not agree with the comment that the electronic signature requirement was appropriate only if the final rule included a safe harbor for good faith reporting of SCI events.1243 mstockstill on DSK4VPTVN1PROD with RULES2 Amendment To Facilitate Electronic Filing Requirements In addition, to permit implementation of Rule 1006,1244 the Commission is adopting an amendment to Rule 24b–2 under the Exchange Act.1245 Rule 24b– 2 currently provides confidential treatment requests and the confidential portion of an electronic filing may be submitted in paper format only.1246 The Commission is amending Rule 24b–2 by amending the rule’s preliminary note, and paragraph (b) of the rule to clarify that under Rule 24b–2, confidential treatment requests and the confidential portion of an electronic filing may be submitted in paper format only, unless Rule 24b–2 provides otherwise. The Commission also is adding a new paragraph (g) to Rule 24b–2 to provide 1242 Additionally, similar to use of the EFFS in the context of electronic filing of Form 19b–4, by using a digital ID for each duly authorized signatory providing an electronic signature, both the Commission and an SCI entity may be assured of the authenticity and integrity of the electronic filing of Form SCI. See infra Section V.D.2.e (noting the necessity of completing a form to gain access to EFFS). 1243 The same rationale also applies to the requirement for manual signature in Rule 1006. 1244 See Rule 1006, 17 CFR 242.1006; see also General Instruction E to Form SCI (requiring Form SCI and exhibits to be filed electronically under Rule 1006). 1245 17 CFR 240.24b–2. 1246 See 17 CFR 240.24b–2. VerDate Sep<11>2014 20:27 Dec 04, 2014 Jkt 235001 an electronic means by which an SCI entity may request confidential treatment of its filings on Form SCI. 
New paragraph (g) will provide that an SCI entity’s electronic filings on Form SCI pursuant to Regulation SCI must include any information with respect to which confidential treatment is requested (‘‘confidential portion’’), and provide that, in lieu of the procedures described in Rule 24b–2(b), an SCI entity may request confidential treatment of all information submitted on Form SCI by completing Section IV of Form SCI. The Commission’s amendment provides an exception from Rule 24b–2’s paper-only request for confidential treatment for all Form SCI filings, and specifically permits an SCI entity to electronically request confidential treatment of all information filed on Form SCI in accordance with Regulation SCI. The Commission believes that allowing for electronic submission of confidential treatment requests will reduce the burden on SCI entities by not requiring a separate paper submission, and provided the confidential treatment request is properly made, will expedite Commission review of the requests for confidential treatment, as all information submitted on Form SCI will be deemed to be the subject of the request for confidential treatment. If such a confidential treatment request is properly made, the Commission will keep the information collected pursuant to Form SCI confidential to the extent permitted by law.1247

1247 The Freedom of Information Act (‘‘FOIA’’) provides at least two pertinent exemptions under which the Commission has authority to withhold certain information. FOIA Exemption 4 provides an exemption for ‘‘trade secrets and commercial or financial information obtained from a person and privileged or confidential.’’ 5 U.S.C. 552(b)(4). FOIA Exemption 8 provides an exemption for matters that are ‘‘contained in or related to examination, operating, or condition reports prepared by, on behalf of, or for the use of an agency responsible for the regulation or supervision of financial institutions.’’ 5 U.S.C. 552(b)(8).

3. Access to the Systems of an SCI Entity

Proposed Rule 1000(f) would have required each SCI entity to provide Commission representatives reasonable access to its SCI systems and SCI security systems to assess the SCI entity’s compliance with Regulation SCI.1248 In the SCI Proposal, the Commission noted that the proposed rule would facilitate the access of representatives of the Commission to such systems of an SCI entity either remotely or on site, noting, for example, that with such access, Commission representatives could test an SCI entity’s firewalls and vulnerability to intrusions.1249 Further, the Commission noted that the proposed rule was intended to be consistent with the Commission’s current authority with respect to access to records generally 1250 and could help ensure that Commission representatives have ready access to the SCI systems and SCI security systems of SCI entities in order to evaluate an SCI entity’s practices with regard to the requirements of Regulation SCI.1251 As discussed below, the Commission has determined not to adopt the proposed requirement because it believes it can achieve the goal of the proposed rule through its existing recordkeeping requirements and examination authority, as well as through the new recordkeeping requirement in Rule 1005 of Regulation SCI.

1248 See proposed Rule 1000(f) and Proposing Release, supra note 13, at Section III.D.3.
1249 See Proposing Release, supra note 13, at 18130.
1250 See Proposing Release, supra note 13, at 18130 (citing Section 17(b) of the Exchange Act, as well as Sections 11A, 6(b)(1), 15A(b)(2), and 17A(b)(3)(A) of the Exchange Act).
1251 See Proposing Release, supra note 13, at 18130.

Many commenters criticized the SCI Proposal’s discussion of the proposed access requirement as permitting unfettered access by third parties that could pose significant security risks to an SCI entity’s systems.1252 Potential issues identified by commenters included unauthorized access to confidential information,1253 risk and damage to systems,1254 and contractual issues with third party vendors.1255 One commenter stated that the Commission should bear in mind that access to such highly sensitive environments of SCI entities carries a duty of care commensurate with the sensitivity of the access and information involved.1256 While several commenters advocated for the elimination of the proposed access provision,1257 some commenters recommended ways to refine the proposed requirement while still achieving its goals.1258 These suggestions included: Limiting the category of Commission staff to whom access could be provided; 1259 providing the Commission with access to ‘‘configuration and information flows of the system, instead of direct access;’’ 1260 providing the Commission with reports and metrics on systems vulnerabilities rather than direct access; 1261 requiring only that SCI entities demonstrate for Commission staff their controls and safeguards and compliance with the rule; 1262 mandating training of Commission staff and supervision of Commission staff access by SCI entity personnel; 1263 and requiring that an SCI entity’s staff conduct any tests while Commission staff observed, rather than providing Commission staff with direct access.1264 One commenter also noted that the concept of reasonable access was vague.1265 Other commenters asked that the Commission more clearly prescribe what would constitute ‘‘reasonable access.’’ 1266 One commenter also recommended that SCI entities provide an individual contact for a designated Commission representative to communicate and meet with regarding an SCI entity’s systems.1267 A few commenters also questioned whether the proposed access requirement is authorized by Section 17(b) or Section 11A of the Exchange Act, as stated in the SCI Proposal.1268 Other commenters considered the proposed access requirement unnecessary and questioned the Commission’s justification for needing this authority.1269 Another commenter pointed out that this type of access is authorized by other sections of the Exchange Act and an additional provision in Regulation SCI is redundant.1270

1252 See, e.g., NYSE Letter at 34; BATS Letter at 15; ISE Letter at 10; MSRB Letter at 25–26; Omgeo Letter at 28–29; SIFMA Letter at 18–19; FIF Letter at 7; Fidelity Letter at 5–6; LiquidPoint Letter at 4; ITG Letter at 16; KCG Letter at 20–21; Joint SROs Letter at 17–18; OCC Letter at 20; UBS Letter at 5; Tellefsen Letter at 10; and FINRA Letter at 41.
1253 See, e.g., FINRA Letter at 41; and Omgeo Letter at 29.
1254 See, e.g., Omgeo Letter at 29; and ITG Letter at 16.
1255 See, e.g., SIFMA Letter at 19.
1256 See OCC Letter at 20.
1257 See, e.g., ITG Letter at 16; and CME Letter at 11.
1258 See, e.g., NYSE Letter at 34; OCC Letter at 20; ISE Letter at 10; DTCC Letter at 14; CME Letter at 11; Omgeo Letter at 29; Joint SROs Letter at 18; and MSRB Letter at 26.
1259 See, e.g., NYSE Letter at 34.
1260 See NYSE Letter at 34.
1261 See, e.g., ISE Letter at 10; DTCC Letter at 14; OCC Letter at 20; and CME Letter at 11.
1262 See, e.g., Omgeo Letter at 28–29; and DTCC Letter at 14.
1263 See MSRB Letter at 26.
1264 See OCC Letter at 20.
1265 See, e.g., ITG Letter at 16.
1266 See, e.g., MSRB Letter at 26; Joint SROs Letter at 18; and FINRA Letter at 41.
1267 See SIFMA Letter at 19.
1268 See NYSE Letter at 34; BATS Letter at 15; and CME Letter at 11.
1269 See FINRA Letter at 41; BATS Letter at 15; Omgeo Letter at 28–29; and Fidelity Letter at 5.
1270 See Angel Letter at 18.

After consideration of the views of commenters, the Commission has determined not to adopt the proposed reasonable access provision because it believes it can achieve its goals through existing recordkeeping requirements and its examination authority, as well as through the new recordkeeping requirement in Rule 1005 of Regulation SCI.
As discussed in the SCI Proposal, the reasonable access provision was designed to help ensure that the Commission was able to evaluate an SCI entity’s practices with regard to the requirements of proposed Regulation SCI.1271 The Commission believes that it can adequately assess an SCI entity’s compliance with Regulation SCI through its authority provided by existing provisions of the Exchange Act and rules thereunder, as well as through the additional recordkeeping provisions being adopted today in Rule 1005 of Regulation SCI, as described above. In this regard, as discussed above, Section 17(a) of the Exchange Act provides the Commission with the authority to adopt recordkeeping rules, and the breadth of Rule 17a–1 thereunder is such that it would require SCI SROs to make, keep, and preserve records relating to their compliance with Regulation SCI, including records produced by SCI systems and indirect SCI systems.1272 Further, adopted Rule 1005 specifically imposes requirements on each SCI entity (other than SCI SROs) to, among other things: Make, keep, and preserve at least one copy of all documents relating to its compliance with Regulation SCI; keep all such documents for a period of not less than five years, the first two years in a place that is readily accessible to the Commission or its representatives for inspection and examination; and upon request of any representative of the Commission, promptly furnish to the possession of such representative copies of any documents required to be kept and preserved by it pursuant to Rules 1005(b)(1) and (2).1273 The Commission also notes that Section 17(b) of the Exchange Act authorizes the Commission to conduct reasonable periodic, special, or other examinations of all records maintained by the entities described in Section 17(a).1274 These examinations can be conducted ‘‘at any time, or from time to time,’’ as the Commission ‘‘deems necessary or appropriate in the public interest, for the protection of investors, or otherwise in furtherance of the purposes of [the Exchange Act].’’ 1275 Taken together, the Commission believes that these provisions afford the Commission the authority and ability to assess SCI entities’ compliance with the requirements of Regulation SCI, rendering the adoption of a reasonable access provision unnecessary.

1271 See Proposing Release, supra note 13, at 18130.
1272 See supra note 1251 and accompanying text.
1273 See supra Section IV.C.1 (discussing recordkeeping requirements of adopted Rule 1005). As noted above, the recordkeeping requirements also extend to records of third parties. Specifically, an SCI entity is responsible for producing to Commission representatives records required to be made, kept, and preserved under Regulation SCI, even if those records are maintained by third parties, and the SCI entity is responsible for ensuring that such third parties produce those requested documents, upon examination or other request. See id.
1274 See Section 17(b) of the Exchange Act, 15 U.S.C. 78q(b).
1275 Id.

Pursuant to this authority, in some circumstances, the Commission’s assessment of an SCI entity’s compliance may require appropriate access to certain SCI systems in coordination with the relevant SCI entity. In particular, the Commission’s ability to assess the accuracy and completeness of an SCI entity’s records with regard to Regulation SCI, including the written policies and procedures established and maintained pursuant to Rule 1001 and the report of the SCI review prepared in accordance with Rule 1003(b), and to evaluate whether SCI entities are otherwise complying with Regulation SCI, may necessitate the observation of SCI systems and indirect SCI systems by Commission representatives.1276 The Commission believes that such access would not require an SCI entity to agree to remote or direct access by Commission personnel to an SCI entity’s systems, such as by permitting Commission staff to run tests or use system scanning tools on its SCI systems or indirect SCI systems. Rather, as suggested by some commenters, access would entail allowing Commission staff to observe the SCI entity’s SCI systems and indirect SCI systems with appropriate safeguards, including through systems demonstrations for Commission staff performed by the SCI entity and running tests on an SCI system with Commission staff onsite to observe.1277 The Commission believes that such access does not raise the potential security risks posed by unrestricted third party access to SCI systems.1278

1276 The Commission notes that, under the ARP Inspection Program, such access has been routinely requested by Commission staff and provided by ARP entities.
1277 See supra notes 1262 and 1264 and accompanying text.
1278 The Commission believes that the elimination of the proposed reasonable access provision addresses the other comments on this provision.

D. Form SCI

Pursuant to proposed Rule 1000(d), subject to certain exceptions, notices, reports, and other information required to be provided to the Commission under Regulation SCI would have been required to be submitted electronically through the EFFS on proposed Form SCI.1279 Proposed Form SCI included detailed instructions regarding the specific information that SCI entities would have been required to submit to the Commission. After careful consideration of comments, the Commission is adopting Form SCI with certain modifications, as further discussed below. These modifications to proposed Form SCI correspond to the changes to the Commission notification and reporting requirements as adopted, each of which is discussed in greater detail above.1280

1279 Proposed Rule 1000(d) provided exceptions for notifications under proposed Rule 1000(b)(4)(i) and oral notifications pursuant to proposed Rule 1000(b)(6)(ii).
1280 See supra Sections IV.B.3.c, IV.B.4, and IV.B.5 (discussing the reporting requirements of the adopted regulation). See also supra Section IV.B.6 (discussing the business continuity and disaster recovery plans testing requirement for SCI entity members or participants, and elimination of the proposed Commission notification requirement related to member or participation designations).

Adopted Rule 1006 provides that, except with respect to notifications to the Commission made pursuant to Rule 1002(b)(1) or updates to the Commission made pursuant to Rule 1002(b)(3), all notifications, reviews, descriptions, analyses, or reports to the Commission required to be submitted under Regulation SCI must be filed electronically on Form SCI. Form SCI solicits information through a series of questions designed to elicit short-form answers, but also requires SCI entities to provide information and/or reports in narrative form by attaching specified exhibits. All filings on Form SCI require that an SCI entity identify itself and indicate the basis for submitting the form. Specifically, an SCI entity would indicate on the form the specific type of submission it is making: A notification regarding an SCI event pursuant to Rule 1002(b)(2); a final report or interim status report regarding an SCI event pursuant to Rule 1002(b)(4); a quarterly report on de minimis systems disruptions and de minimis systems intrusions pursuant to Rule 1002(b)(5)(ii); a quarterly report of material systems changes pursuant to Rule 1003(a)(1); a supplemental report of material system changes pursuant to Rule 1003(a)(2); or a submission of the report of an SCI review, together with any response by senior management, pursuant to Rule 1003(b)(3). In addition, Form SCI permits, but does not require, SCI entities to utilize the form to submit initial notifications of SCI events pursuant to Rule 1002(b)(1), as well as updates regarding SCI events pursuant to Rule 1002(b)(3). Moreover, if an SCI entity decides to withdraw a previously submitted Form SCI, it would complete page 1 of Form SCI and select the appropriate check box to indicate the withdrawal. A filing on Form SCI also requires that an SCI entity provide additional information on attached exhibits, as discussed below.
Because Form SCI is a report that is required to be filed under the Exchange Act and Regulation SCI, it is unlawful for any person to willfully or knowingly make, or cause to be made, a false or misleading statement with respect to any material fact in Form SCI.1281

1281 See, e.g., Section 32(a) of the Exchange Act, 15 U.S.C. 78ff(a).

Several commenters addressed the information required by Form SCI as well as the submission process for the form. One commenter asked a number of questions on how the submission process would work in practice, including: (i) Whether the form would be rejected by the Commission if information was missing; (ii) whether the Commission would deem it a failure to comply with Regulation SCI if a Form SCI is rejected for incompleteness and the SCI entity is unable to resubmit within the applicable reporting time frame; (iii) how SCI entities would update or correct information previously submitted on Form SCI; (iv) will the EFFS system be available for Form SCI submissions during non-business hours and whether there is an alternative means to submit notifications if the EFFS system is down or unavailable; (v) who at the Commission would be reviewing submissions and whether they would be familiar with technical jargon; and (vi) whether the SCI entities will be expected to attach documentation supporting the descriptions provided in the exhibits.1282 The commenter also expressed several concerns, including: (i) The amount of time it would take SCI entities to master the new submission process for proposed Form SCI and suggested a delayed implementation or transition period; (ii) that the form could encourage SCI entities to guess where they are missing information if a form could be rejected for incomplete information; (iii) that a submission that needs to be updated or corrected would not be considered timely filed; (iv) that the updating procedure could become burdensome if the SCI entity needed to explain the reason for any changes to information previously provided; and (v) that submissions would be more burdensome if technical notifications and reports needed to be translated into plain English.1283 Another commenter requested that the electronic filing system that the Commission puts in place to receive Form SCI submissions be made available on weekends and outside normal business hours.1284 This commenter also suggested that the Commission remain open to changes to Form SCI as it and SCI entities gain experience with the use of Form SCI and that the Commission should work with SCI entities to test the electronic submission system to ensure its operational capability.1285

1282 See FINRA Letter at 28–30.
1283 See id.
1284 See MSRB Letter at 19, 25. See also FINRA Letter at 29 (questioning whether the EFFS system would be available during non-business hours for Form SCI submissions).
1285 See MSRB Letter at 25–26.

The Commission has considered these comments and has addressed many of the issues raised by commenters by revising the substantive requirements of adopted Rules 1002 and 1003, as well as making certain changes to the adopted form. With respect to a commenter’s question regarding whether a Form SCI would be rejected if information was missing,1286 as stated in the General Instructions for Form SCI, an SCI entity must provide all information required by the form, including the exhibits. The General Instructions for Form SCI also state that a filing that is incomplete or similarly deficient may be returned to the SCI entity, and any filing so returned will be deemed not to have been filed with the Commission.1287 In response to the commenter who expressed concern that a submission that needed to be updated or corrected would not be considered timely filed, the Commission notes that an SCI entity is responsible for submitting a complete and correct Form SCI within the time period specified in the relevant provisions under Regulation SCI.1288 At the same time, the Commission notes that, while the SCI event notification under Rule 1002(b)(2) is required to be provided within 24 hours of any responsible SCI personnel having a reasonable basis to conclude that an SCI event occurred, information for such notifications is only required to be provided on a good faith, best efforts basis. For other types of notifications and reports required to be submitted on Form SCI, SCI entities have more time to prepare such submission, and to ensure that the information provided is complete and correct.

1286 See supra note 1282 and accompanying text.
1287 While the Commission has the ability to reject a Form SCI filing, the Commission notes that the Form SCI submission process is different from the Form 19b–4 filing process. Specifically, SCI entities file Form SCI to provide notification to the Commission regarding SCI events and material systems changes, and reports of SCI reviews. On the other hand, SROs file Form 19b–4 for immediately effective rule changes or to seek Commission approval of rule changes. Therefore, the process for rejecting a Form 19b–4 filing does not apply to Form SCI submissions.
1288 With respect to a commenter’s concern that SCI entities may have to guess where information is missing if a form could be rejected for incomplete information, the Commission intends there to be communication between Commission staff and SCI entity personnel in instances where a Form SCI is rejected to discuss the information missing in the submission and anything else necessary to comply with the form requirements. See supra note 1283 and accompanying text.
With respect to a commenter’s question regarding how SCI entities would update or correct information previously submitted on Form SCI, the Commission notes that the rules under Regulation SCI already provide for updates for many of the Form SCI submissions. Specifically, Rule 1002(b)(2) requires certain information to be submitted on a good faith, best efforts basis within 24 hours of any responsible SCI personnel having a reasonable basis to conclude that an SCI event has occurred. Rule 1002(b)(3) requires SCI entities to provide updates regarding SCI events until the SCI event is resolved and the SCI entity’s investigation of the SCI event is closed.1289 As such, SCI entities may use the updates under Rule 1002(b)(3) to correct or update previously submitted information. Also, Rule 1003(a)(2) requires SCI entities to submit supplemental reports to notify the Commission of any material error in or material omission from a previously submitted material systems change report. With respect to the Form SCI submissions where the rules do not specifically provide for updates (i.e., SCI event notifications under Rule 1002(b)(4), quarterly SCI event notifications under Rule 1002(b)(5), report of SCI reviews under Rule 1003(b)(3)), if an SCI entity discovers that a previously submitted Form SCI must be corrected or updated, the SCI entity should contact Commission staff as it corrects or updates the prior submission. In addition, an SCI entity will be able to withdraw and re-submit a previously submitted Form SCI.1290 However, as noted above, an SCI entity is responsible for submitting a complete 1289 As discussed in detail in Section IV.B.3.c above, Rule 1002(b)(3) allows SCI entities to discuss the update with Commission staff orally, rather than by completing the form, although an SCI entity may use Form SCI if it chooses to do so. 
To the extent an SCI entity chooses to utilize the form for such updates, the written updates can facilitate the Commission’s tracking and assessment of SCI events. 1290 See General Instructions to Form SCI, Item F. VerDate Sep<11>2014 20:27 Dec 04, 2014 Jkt 235001 and correct Form SCI within the time period specified in the relevant provisions under Regulation SCI.1291 In addition, in response to comments,1292 the Commission notes that Form SCI does not require SCI entities to attach documentation supporting the descriptions in the exhibits, although SCI entities will be able to do so if they so choose by attaching the documentation as part of the relevant exhibit. Moreover, in response to the commenter who asked who at the Commission would be reviewing submissions and whether they would be familiar with technical jargon, the Commission notes that appropriate Commission staff from different offices or divisions with the necessary expertise to understand the Form SCI submission will review it depending on the nature of the submission (i.e., legal or technical), and thus, it is not necessary for SCI entities to translate technical jargon into plain English. In response to the commenter who expressed concern as to the amount of time it would take SCI entities to master the Form SCI submission process and suggested delayed implementation, the Commission believes that, by utilizing the EFFS system currently used by many SROs for Rule 19b–4 and Rule 19b–7 filings, it will allow for a quicker and smoother implementation of the Form SCI submission process for certain SCI entities, and allow the Commission to apply its experience with EFFS to facilitate the submissions of notifications and reports required by Regulation SCI. Nevertheless, the Commission notes that it is delaying the date for compliance with Regulation SCI, as discussed in Section IV.F below. 
The Commission does not expect that the Form SCI submission process will require substantial time for SCI entities to master and the delayed date for compliance with Regulation SCI provides SCI entities with more time to learn and adopt it.

1291 As noted above, one commenter expressed concern that an updating procedure could become burdensome if the SCI entity needs to explain the reason for any changes to information previously provided. See supra note 1283 and accompanying text. The Commission notes that, with respect to rules under Regulation SCI that require updates, those rules specify the information that is required to be contained in an update, and do not require an explanation of the reason for the update. With respect to the Form SCI submissions where the rules do not specifically provide for updates, as noted above, the SCI entity can contact Commission staff as the SCI entity corrects or updates the prior submission.
1292 See supra notes 1282–1283 and accompanying text.

With respect to commenters’ question regarding whether the EFFS system will be available during non-business hours and whether there is an alternative means to submit notifications if the EFFS system is down or unavailable,1293 the Commission notes that, as is the case with Rule 19b–4 and Rule 19b–7 filings, EFFS is available 24 hours a day. If EFFS becomes unavailable for a period of time, the Commission recognizes that SCI entities will not be able to submit any required notifications during that time period, and the Commission would expect the SCI entities to file any required notifications promptly once it becomes available.
In response to the commenter who suggested that the Commission remain open to changes to Form SCI and that the Commission work with SCI entities to test the electronic submission system to ensure its operational capability, the Commission expects, as it has done with the SRO rule filing process, to periodically evaluate the effectiveness of the submission process for Form SCI, as well as the form itself, and may consider improvements in the future as appropriate.1294 The Commission also notes that it expects, prior to the compliance date, that its staff will provide materials to SCI entities regarding the operation of the electronic filing system to submit Forms SCI. Furthermore, the Commission will perform internal testing to help ensure the operational capability of EFFS prior to the compliance date.

1. Notice of SCI Events Pursuant to Rule 1002(b)

Proposed Rule 1000(b)(4) would have required each SCI entity to submit certain information regarding SCI events to the Commission using proposed Form SCI.1295 The Commission is adopting proposed Rule 1000(b)(4) as Rule 1002(b) with certain modifications, which are discussed above in Section IV.B.3.c.

1293 See supra notes 1282, 1284 and accompanying text.
1294 See supra note 1285 and accompanying text.
1295 Proposed Rule 1000(d) provided an exception for notifications under proposed Rule 1000(b)(4)(i).

With respect to Commission notifications under Rule 1002, adopted Form SCI requires an SCI entity to provide the following information in a short, standardized format: (i) Whether the Commission has previously been notified of the SCI event pursuant to Rule 1002(b)(1); (ii) the type of submission (i.e., an initial notification pursuant to Rule 1002(b)(1), a notification pursuant to Rule 1002(b)(2), an update pursuant to Rule 1002(b)(3), a final report pursuant to Rule 1002(b)(4), or an interim status report pursuant to Rule 1002(b)(4)); (iii) the type(s) of SCI event (i.e., systems compliance issue, systems disruption, or systems intrusion); 1296 (iv) the date/time the SCI event occurred; (v) the duration of the SCI event; (vi) when responsible SCI personnel had a reasonable basis to conclude that an SCI event occurred; (vii) whether the SCI event has been resolved and, if so, the date/time of resolution; (viii) whether the SCI entity’s investigation of the SCI event is closed and, if so, the date of closure; (ix) the estimated number of market participants potentially impacted by the SCI event; (x) whether the SCI event is a major SCI event; (xi) the types of systems impacted (i.e., trading, clearance and settlement, order routing, market data, market regulation, market surveillance, or indirect SCI systems) and the name of such system(s); and (xii) whether any critical SCI system(s) are impacted by the SCI event and, if so, the types of such critical SCI systems (i.e., systems that directly support functionality relating to: Clearance and settlement systems of clearing agencies; openings, reopenings, and closings on the primary listing market; trading halts; initial public offerings; the provision of consolidated market data; exclusively listed securities; or systems that provide functionality to the securities markets for which the availability of alternatives is significantly limited or nonexistent and without which there would be a material impact on fair and orderly markets) and a description of such systems. If an SCI entity chooses to utilize Form SCI to submit an initial notification required by Rule 1002(b)(1), an SCI entity will be able to submit a short description of the SCI event, and be allowed to attach documents regarding such SCI event as part of Exhibit 6 of Form SCI if the SCI entity chooses to do so.
1296 Some SCI events may meet the definition of more than a single SCI event type, and the form permits SCI entities to check one, two, or all three SCI event types.

For a notification required by Rule 1002(b)(2), in addition to providing the applicable standardized information on Form SCI as discussed above, an SCI entity is required to submit an Exhibit 1. An SCI entity is required to provide the following information on a good faith, best efforts basis in the Exhibit 1: (i) A description of the SCI event, including the system(s) affected; and (ii) to the extent available as of the time of notification, the SCI entity’s current assessment of the types and number of market participants potentially affected by the SCI event; the potential impact of the SCI event on the market; a description of the steps the SCI entity has taken, is taking, or plans to take, with respect to the SCI event; the time the SCI event was resolved or timeframe within which the SCI event is expected to be resolved; and any other pertinent information known by the SCI entity about the SCI event. If an SCI entity chooses to utilize Form SCI to submit an update required by Rule 1002(b)(3), an SCI entity will be able to submit a short description of the update, and be allowed to attach documents regarding such update as part of Exhibit 6 of Form SCI if the SCI entity chooses to do so. For a submission required by Rule 1002(b)(4), in addition to providing the applicable standardized information on Form SCI as discussed above, adopted Form SCI also requires an SCI entity to indicate if it is a final report or an interim status report and submit an Exhibit 2.
If an SCI event is resolved and the SCI entity’s investigation of the SCI event is closed within 30 calendar days of the occurrence of the SCI event, an SCI entity must file a final report under Rule 1002(b)(4)(i)(A) within five business days after the resolution of the SCI event and closure of the investigation regarding the SCI event. However, if an SCI event is not resolved or the SCI entity’s investigation of the SCI event is not closed within 30 calendar days of the occurrence of the SCI event, an SCI entity must file an interim status report under Rule 1002(b)(4)(i)(B)(1) within 30 calendar days after the occurrence of the SCI event. For SCI events in which an interim status report is required to be filed, an SCI entity must file a final report under Rule 1002(b)(4)(i)(B)(2) within five business days after the resolution of the SCI event and closure of the investigation regarding the SCI event. For any submission required by Rule 1002(b)(4), an SCI entity is required to provide the following information in the Exhibit 2: (i) A detailed description of: The SCI entity’s assessment of the types and number of market participants affected by the SCI event; the SCI entity’s assessment of the impact of the SCI event on the market; the steps the SCI entity has taken, is taking, or plans to take, with respect to the SCI event; the time the SCI event was resolved; the SCI entity’s rule(s) and/or governing document(s), as applicable, that relate to the SCI event; and any other pertinent information known by the SCI entity about the SCI event; (ii) a copy of any information disseminated pursuant to Rule 1002(c) by the SCI entity to date regarding the SCI event to any of its members or participants; and (iii) an analysis of parties that may have experienced a loss, whether monetary or otherwise, due to the SCI event, the number of such parties, and an estimate of the aggregate amount of such loss.
As noted above, if an SCI entity submits an interim written notification under Rule 1000(b)(4)(i)(B), the SCI entity is required to provide the information specified in Exhibit 2, but only to the extent known at the time. The SCI entity is also required to subsequently submit a final report under Rule 1000(b)(4)(i)(B) and provide all the information specified in Exhibit 2. Rule 1002(b)(5) states that the Commission notification requirements under Rules 1002(b)(1)–(4) do not apply to any SCI event that has had, or the SCI entity reasonably estimates would have, no or a de minimis impact on the SCI entity’s operations or on market participants. Rule 1002(b)(5)(i) instead requires that an SCI entity make, keep, and preserve records relating to all such SCI events and Rule 1002(b)(5)(ii) requires an SCI entity to submit to the Commission quarterly reports containing a summary description of such de minimis systems disruptions and de minimis systems intrusions. For a quarterly report required by Rule 1002(b)(5), an SCI entity is required to indicate the end date of the applicable calendar quarter for which the report is being submitted. The SCI entity is also required to submit an Exhibit 3, containing a summary description of such de minimis systems disruptions and de minimis systems intrusions, including the SCI systems and, for systems intrusions, the indirect SCI systems, affected by such de minimis systems disruptions and de minimis systems intrusions during the applicable calendar quarter.

2. Notices of Material Systems Changes Pursuant to Rule 1003(a)

Proposed Rule 1000(b)(6) would have required an SCI entity to provide advance Commission notifications of material systems changes. Proposed Rule 1000(b)(8)(ii) would have required an SCI entity to submit to the Commission semi-annual reports on material systems changes.
As discussed in detail in Section IV.B.4 above, many commenters were critical of the proposed reporting framework with respect to material systems changes, including the 30-day advance notification procedure. After considering the views of commenters, the Commission is not adopting the 30-day advance notification requirement or the semi-annual reporting requirement for material systems changes. Rather, an SCI entity is required to submit quarterly reports for material systems changes under Rule 1003(a)(1). An SCI entity is also required under Rule 1003(a)(2) to promptly submit a supplemental report notifying the Commission of a material error in or material omission from a report previously submitted under Rule 1003(a). One commenter raised a concern that an advance notification could be rejected by the Commission for inadequate description and result in a delay to a planned systems change.1297 As noted above in Section IV.B.4, the Commission is adopting a quarterly reporting system that does not require the advanced notification of individual planned material systems changes required by proposed Rule 1000(b)(6). The adopted framework is intended to keep the Commission and its staff apprised of systems changes at SCI entities while reducing the burdens related to notifying the Commission of such changes and allowing for the various types of development processes used by SCI entities (including agile development processes). Also, as noted above in Section IV.B.4, Regulation SCI does not provide for a new review or approval process for SCI entities’ material systems changes.
As such, Commission staff will not use material systems change reports to require any approval of prospective systems changes in advance of their implementation pursuant to any provision of Regulation SCI, or to delay implementation of material systems changes pursuant to any provision of Regulation SCI.1298 For a notification required by Rule 1003(a) (including supplemental reports under Rule 1003(a)(2)), an SCI entity is required to indicate the end date of the applicable calendar quarter for which the report is being submitted and submit an Exhibit 4. For a notification required by Rule 1003(a)(1), Exhibit 4 is required to contain a description of completed, ongoing, and planned material changes to its SCI systems and the security of its indirect SCI systems, during the prior, current, and subsequent calendar quarters, including the dates or expected dates of commencement and completion. For a notification required by Rule 1003(a)(2), Exhibit 4 is required to contain the supplemental report of a material error in or material omission from a report previously submitted under Rule 1003(a)(1).1299

1297 See SIFMA Letter at 16.
1298 At the same time, the Commission notes that the General Instructions for Form SCI state that a filing that is incomplete or similarly deficient may be returned to the SCI entity, and any filing so returned will be deemed not to have been filed with the Commission.

3. Reports of SCI Reviews Pursuant to 1003(b)

Proposed Rule 1000(b)(8)(i) would have required an SCI entity to submit to the Commission a report of the SCI review required by proposed Rule 1000(b)(7), together with any response by senior management, within 60 calendar days after its submission to senior management of the SCI entity. As discussed above in Section IV.B.5, the Commission is adopting this Commission reporting requirement as proposed. There were no comments on proposed Form SCI with respect to reports of SCI reviews.
For a notification required by Rule 1003(b), an SCI entity is required to indicate on Form SCI the date of completion of the SCI review and the date of submission of the SCI review to the SCI entity’s senior management. An SCI entity is also required to submit an Exhibit 5, containing the report of the SCI review that was submitted to the SCI entity’s senior management, along with any response to the report by senior management.1300

1299 See General Instructions to Form SCI, Item C.
1300 As discussed in Section IV.B.5, the SCI review would contain: (1) A risk assessment with respect to SCI systems and indirect SCI systems of an SCI entity; and (2) an assessment of internal control design and effectiveness of SCI systems and indirect SCI systems to include logical and physical security controls, development processes, and information technology governance, consistent with industry standards.

4. Notification of Member or Participant Designation Standards and List of Designees

Proposed Rule 1000(b)(9) would have required an SCI entity to notify the Commission of its members or participants that have been designated for business continuity and disaster recovery plans testing, as well as the standards for such designation. Proposed Rule 1000(b)(9) would have also required SCI entities to promptly update such notification after any changes to its list of designees or standards for designation. As discussed above in Section IV.B.6, the Commission is not adopting these Commission notification requirements.

5. Other Information and Electronic Signature

Proposed Form SCI would have required an SCI entity to provide the Commission with contact information for the systems personnel, regulatory personnel, and senior officer responsible for addressing an SCI event, including the name, title, telephone number, and email address of such persons.
Proposed Form SCI would also have given the SCI entity an option to provide contact information for an additional systems personnel and regulatory personnel. Finally, proposed Form SCI would have required an electronic signature to help ensure the authenticity of the Form SCI submission. Adopted Form SCI more generally requires an SCI entity to provide contact information for a person who is prepared to respond to questions for a particular submission. Form SCI continues to require an electronic signature to help ensure the authenticity of the Form SCI submission. The Commission believes that these requirements will expedite communications between Commission staff and SCI entities, because they will help identify the person or persons responsible for communicating with Commission staff about an SCI event even though one or more other persons may be responsible for addressing and resolving the SCI event, and also help ensure that only authorized personnel at each SCI entity submit filings required by adopted Regulation SCI.

E. Other Comments Received

1. Applying Regulation SCI to Security-Based Swap Data Repositories and Security-Based Swap Execution Facilities

As noted in the SCI Proposal, on July 21, 2010, the President signed the Dodd-Frank Act into law.1301 The Dodd-Frank Act was enacted, among other things, to promote the financial stability of the United States by improving the accountability and transparency of the nation’s financial system.1302 Title VII of the Dodd-Frank Act provides the Commission and the CFTC with the authority to regulate over-the-counter derivatives. In particular, as noted in the SCI Proposal, Section 763 of the Dodd-Frank Act amends the Exchange Act by adding new statutory provisions to govern the regulation of various entities, including security-based swap data repositories (“SB SDRs”) and security-based swap execution facilities (“SB SEFs”).1303

1301 The Dodd-Frank Wall Street Reform and Consumer Protection Act (Pub. L. 111–203, H.R. 4173) (“Dodd-Frank Act”).
1302 See Dodd-Frank Act Preamble.
1303 See Dodd-Frank Act, Section 763 (adding Sections 13(n), 3C, and 3D of the Exchange Act). The Dodd-Frank Act also directs the Commission to harmonize to the extent possible Commission regulation of SB SDRs and SB SEFs with CFTC regulation of swap data repositories (“SDRs”) and swap execution facilities (“SEFs”) under the CFTC’s jurisdiction, an endeavor that Commission staff is undertaking as it seeks to move the SB SDR and SB SEF proposals toward adoption. See Dodd-Frank Act, Section 712 (directing the Commission, before commencing any rulemaking with regard to SB SDRs or SB SEFs, to consult and coordinate with the CFTC for purposes of assuring regulatory consistency and comparability to the extent possible).

Under the authorities of Section 13(n) of the Exchange Act, applicable to SB SDRs, and Section 3D(d) of the Exchange Act, applicable to SB SEFs, the Commission proposed rules for these entities with regard to their automated systems’ capacity, resiliency, and security.1304 In the SB SDR Proposing Release and the SB SEF Proposing Release, respectively, the Commission proposed Rule 13n–6 and Rule 822 under the Exchange Act, which would set forth the requirements for these entities with regard to their automated systems’ capacity, resiliency, and security. In each release, the Commission stated that it was proposing standards comparable to the standards applicable to SROs, including exchanges and clearing agencies, and other registrants, pursuant to the Commission’s ARP standards.1305 The SCI Proposal described in detail the SB SDR and SB SEF proposals relating to systems’ capacity, resiliency, and security; the comments received on those proposals; and the differences between proposed Regulation SCI and those proposals.1306 In the SCI Proposal, the Commission recognized that there could be differences between Regulation SCI, as adopted, and Rules 13n–6 and 822, if adopted. Therefore, the Commission sought comment on whether it should propose to apply the requirements of Regulation SCI, in whole or in part, to SB SDRs and/or SB SEFs.1307

1304 See Securities Exchange Act Release Nos. 63347 (November 19, 2010), 75 FR 77306 (December 10, 2010) (proposing new Rule 13n–6 under the Exchange Act applicable to SB SDRs) (“SB SDR Proposing Release”); 63825 (February 2, 2011), 76 FR 10948 (February 28, 2011) (proposing new Rule 822 under the Exchange Act applicable to SB SEFs) (“SB SEF Proposing Release”). See also Dodd-Frank Act, Section 761(a) (adding Section 3(a)(75) of the Exchange Act) (defining the term “security-based swap data repository”), and Section 761(a) (adding Section 3(a)(77) of the Exchange Act) (defining the term “security-based swap execution facility”).
1305 See SB SDR Proposing Release, supra note 1304, at 77332 and SB SEF Proposing Release, supra note 1304, at 10987.
1306 See Proposing Release, supra note 13, at 18133–34.
1307 See id. at 18134–37.

In addition, the Commission sought comment on what—if the Commission were to propose to apply some or all of the requirements of Regulation SCI to SB SDRs or SB SEFs—would be the most appropriate way to implement such requirements for SB SDRs and SB SEFs.1308 However, the Commission also noted that, should the Commission decide to propose to apply the requirements of Regulation SCI to SB SDRs or SB SEFs, the Commission would issue a separate release discussing such a proposal.1309 One commenter supported the inclusion of SB SEFs and possibly SB SDRs under proposed Regulation SCI.1310 Several commenters supported some form of harmonization, but were cognizant of the practical differences between options and equities, on the one hand, and derivatives, on the other.1311 In the context of considering whether Regulation SCI should apply to SB SDRs or SB SEFs, one commenter supported principles-based rules relating to systems compliance and integrity, and generally believed that principles applicable to one type of system should be applicable to all types of systems.1312 This commenter noted that the Commission should not promulgate principles-based rules that would apply different principles to different systems, unless such difference is clearly warranted by the facts and circumstances relating to and the purpose of a particular system.1313 This commenter also commented that, because technology continues to evolve at a rapid pace and because specific and technical rules may create conflicting standards, any attempt to provide specific and technical rules should be avoided, unless the context clearly warrants such specific and technical rules.1314 This commenter concluded that the similarities between certain SCI entities and SB SDRs and SB SEFs do not provide a clear justification for a different set of rules.1315

1308 See id. at 18137–38.
As noted in the SCI Proposal, although the Commission has issued a policy statement regarding the anticipated sequencing of the compliance dates of final rules to be adopted by the Commission for certain provisions of Title VII of the Dodd-Frank Act, the precise timing for adoption of or compliance with any final rules relating to SB SDRs or SB SEFs is not known at this time. See Securities Exchange Act Release No. 67177 (June 11, 2012), 77 FR 35625 (June 14, 2012) (Statement of General Policy on the Sequencing of the Compliance Dates for Final Rules Applicable to Security-Based Swaps Adopted Pursuant to the Securities Exchange Act of 1934 and the Dodd-Frank Wall Street Reform and Consumer Protection Act).
1309 See Proposing Release, supra note 13, at 18134.
1310 See Tellefsen Letter at 5.
1311 See DTCC Letter at 18–19; and NYC Bar Letter at 2–5. See also CoreOne Letter at 5–7.
1312 See NYC Bar Letter at 3.
1313 See id. at 3–4.
1314 See id. at 4.
1315 See id. This commenter also specifically noted that important market systems should not have differing recovery requirements without a clear justification, particularly in light of a Congressional mandate in the Dodd-Frank Act to ensure regulatory consistency and comparability, to the extent possible. See NYC Bar Letter at 5.

One commenter noted that SB SDRs should have standards that are consistent with, but not identical to, those of SCI entities.1316 According to this commenter, the functions that SB SDRs perform are significantly different from those performed by SCI entities.1317 However, this commenter supported applying to SB SDRs: Proposed Rule 1000(b)(1)(i)(A)–(E); 1318 requirements relating to Commission notification of SCI events (by adopting the notification provisions described in proposed Rule 13n–6(3)); and requirements for business continuity planning and testing (but SB SDRs should not be required to test with other SB SDRs given the structure of the proposed SB SDR Regulations).1319 Finally, rather than making Regulation SCI applicable to SB SDRs, this commenter recommended that these provisions be incorporated into Rule 13n–6.1320 The Commission appreciates the comments received on the potential application of Regulation SCI to SB SDRs and SB SEFs. As noted above, should the Commission decide to propose to apply the requirements of Regulation SCI to SB SDRs or SB SEFs, the Commission would issue a separate release discussing such a proposal and would take these comments into account.

2. Applying Regulation SCI to Broker-Dealers Other Than SCI ATSs and Other Types of Entities

Regulation SCI, as proposed and as adopted, would apply to national securities exchanges, registered securities associations, registered clearing agencies, the MSRB, SCI ATSs, plan processors, and exempt clearing agencies subject to ARP. It would not apply to other types of market participants, such as market makers or other broker-dealers. As noted in the SCI Proposal, recent events have highlighted the significance of systems integrity of a broader set of market participants than those included in the definition of SCI entity.1321

1316 See DTCC Letter at 18.
1317 See id.
1318 However, this commenter noted that specific industry standards should be adopted for SB SDRs, rather than adopting existing standards that were largely developed before repositories were developed and were not intended to cover these types of entities. See id.
1319 See id. at 18–19.
1320 See id. at 19.
1321 See Proposing Release, supra note 13, at 18138, n. 334.

Also, as noted in the SCI Proposal, some broker-dealers have grown in size and importance to the market in recent years.1322 As such, the Commission recognized that systems disruptions, systems compliance issues, and systems intrusions at broker-dealers could pose a significant risk to the market.1323 The Commission also noted that Rule 15c3–5 under the Exchange Act,1324 which requires brokers or dealers with market access to implement risk management controls and supervisory procedures to limit risk, already seeks to address certain risks posed to the markets by broker-dealer systems.1325 The Commission did not propose to apply Regulation SCI to registered broker-dealers (other than SCI ATSs) or to other types of entities not covered by the definition of SCI entity. As noted in the SCI Proposal, if the Commission were to decide to propose to apply the requirements of Regulation SCI to such entities, the Commission would issue a separate release discussing such a proposal.1326 Nevertheless, in the SCI Proposal, the Commission sought comment on whether such entities should be subject to Regulation SCI in whole or in part.1327 Some commenters stated that the Commission should expand the definition of SCI entity to include broker-dealers.1328 One commenter stated that the goals of Regulation SCI could not be met without expanding the definition of SCI entity to include the following types of broker-dealers: Exchange market maker, OTC market maker, and any other broker or dealer that executes orders internally by trading as a principal or crossing orders as an agent.1329 This commenter stated that these entities should be included because they play a critical role in the markets, handle market share that exceeds that of certain SCI ATSs, and, like exchanges and ATSs, rely heavily on sophisticated automated systems.1330

1322 See id. at 18138, n. 335.
1323 See id. at 18138.
1324 17 CFR 240.15c3–5.
1325 See supra note 114 and Proposing Release, supra note 13, at 18138–39.
1326 See id. at 18139.
1327 See id. at 18139–41.
1328 See NYSE Letter at 8–10; and Liquidnet Letter at 2–3. Another commenter expressed its view that inclusion of order routing systems within the definition of “SCI systems” puts SCI entities at a competitive disadvantage against broker-dealers that are not covered by Regulation SCI. See BATS Letter at 4. See also supra notes 48–50, 94–96, and 152 and accompanying text (discussing comments regarding broadening the coverage of “SCI entity” and “SCI ATS” and the effect of the adopted ATS thresholds on barriers to entry), and infra Section VI.C.1.c (discussing the effect of Regulation SCI on competition between SCI entities and non-SCI entities).
1329 See NYSE Letter at 9.

Another commenter also believed that the objectives of Regulation SCI could more readily be achieved if the regulation also applied to market makers, high-frequency trading firms, and other broker-dealers because the activities of these types of entities could present systemic risks to the market.1331 In connection with questions in the SCI Proposal regarding the application of Regulation SCI to broker-dealers other than SCI ATSs, one commenter urged the Commission to broaden the definition of SCI entity to include any entity with direct electronic access to equity markets because the equity markets can be disrupted by a single server.1332 Another commenter stated that all direct access proprietary trading market participants (including high frequency market participants) should be included as SCI entities because of their significant footprint in the markets, past incidents like Knight Capital Group’s massive trading losses from a systems malfunction in August 2012,1333 and flaws in the existing compliance controls and practices of such firms.1334 One commenter stated that Regulation SCI should be extended to any trading platforms that transact significant volume, including systems that are not required
to register as an ATS, because all executions are against the bids and offers of a single dealer.1335 A few commenters further argued that Rule 15c3–5 under the Exchange Act is not sufficient by itself and therefore some broker-dealers should be treated as SCI entities.1336 One of these commenters stated that non-ATS broker-dealers should be treated as SCI entities because Rule 15c3–5, concerning the implementation of risk management and supervisory controls to limit risk associated with routing orders to exchanges or ATSs, does not address reliability or integrity of the systems that implement such controls.1337

1330 See id.
1331 See Liquidnet Letter at 2.
1332 See Lauer Letter at 3. See also supra notes 212–213 (explaining that the Commission believes that many systems with direct market access are captured by the adopted definition but the Commission is not expanding the scope of Regulation SCI to include other broker-dealer entities and their systems at this time).
1333 See Proposing Release, supra note 13, at 18090, n. 70 (discussing Knight’s systems malfunction in August 2012).
1334 See Leuchtkafer Letter at 1–7. See supra notes 124–126 and accompanying text (discussing the Commission’s determination to not apply Regulation SCI to non-ATS broker-dealers at this time).
1335 See BlackRock Letter at 4.
1336 See Lauer Letter at 3 and NYSE Letter at 9.
1337 See NYSE Letter at 9.

Many other commenters stated more generally that broker-dealers should not be captured by the definition of SCI entity.1338 Several commenters stated that they do not support the expansion of Regulation SCI to all broker-dealers because broker-dealers generally perform functions that do not have any systemic impact on the operation of the national market system and are presently subject to numerous regulations that require the establishment of controls (such as the Market Access Rule, Rule 17a–3, and Rule 17a–4), making Regulation SCI duplicative and unduly burdensome.1339 One commenter stated that broker-dealers are currently subject to high standards of systems compliance and integrity by FINRA and state laws, and disciplinary actions for failure to maintain sufficient protection of customer data and supervisory policies.1340 Moreover, this commenter noted that, if potential systems issues could be addressed by Regulation SCI as applied to SCI entities, there would be no need to apply Regulation SCI to broker-dealers conducting activities on behalf of retail clients.1341 This commenter stated that additional regulation would only be warranted after a meticulous cost-benefit analysis and implementation of the additional regulation at the lowest cost to firms and investors.1342 This commenter concluded that the inclusion of broker-dealers would raise investors’ costs and is unnecessary.1343 Another commenter believed that non-SCI ATS broker-dealers should not be included in the definition of SCI entity because, despite the longstanding practice of retail brokers routing their customers’ orders to market makers for execution, those market makers are not critical.1344 Moreover, this commenter believed that FINRA’s rules with respect to broker-dealers are more appropriate than the SCI Proposal, and FINRA rules hold broker-dealers accountable and do not shield them from liability.1345

1338 See SIFMA Letter at 3; MFA Letter at 4–5; FIA PTG Letter at 5; FSI Letter at 3; WF Letter at 2; Fidelity Letter at 4; KCG Letter at 14–17; LiquidPoint Letter at 4; and FSR Letter at 2–3, n. 5.
1339 See SIFMA Letter at 3; MFA Letter at 4–5; FIA PTG Letter at 5; WF Letter at 2; KCG Letter at 15–17; LiquidPoint Letter at 4; and FSR Letter at 2–3, n. 5.
1340 See FSI Letter at 3.
1341 See id.
1342 See id.
1343 See id.
1344 See KCG Letter at 14.
1345 See id. at 14–15.

This commenter stated that the combination of Commission and FINRA rules on broker-dealers ensures that broker-dealers are sufficiently regulated, although this commenter stated that FINRA could provide additional guidance on its rules in light of the weaknesses revealed by Superstorm Sandy.1346 Similarly, another commenter stated that broker-dealers should not be regulated under Regulation SCI because broker-dealer operational regulation has been overseen almost entirely by FINRA.1347 Specifically, FINRA member broker-dealers are required to create and implement written supervisory procedures covering the operation of their business.1348 According to this commenter, this process allows broker-dealers to devise procedures that keep them in-line with FINRA and Commission regulations, and allows FINRA to focus on bigger picture issues impacting the broker-dealer industry.1349 In addition, one commenter stated that the Commission should not propose a requirement that SCI SROs require their members to institute policies and procedures similar to those required under Regulation SCI.1350 According to this commenter, SCI SROs already impose regulatory requirements addressing similar concerns as those that Regulation SCI is designed to address.1351 One commenter stated that the term SCI entity should not encompass clearing broker-dealers or transfer agents because they are not
involved in ‘‘realtime’’ trading activities and therefore there would not be any material impact on critical market functions should their systems fail.1352 Additionally, this commenter stated that because Regulation SCI ‘‘is designed to formalize the Commission’s existing ARP Program,’’ and clearing broker-dealers and transfer agents do not participate in ARP, those entities should not be included within the scope of Regulation SCI.1353 Another commenter echoed these positions with respect to transfer agents, and also stated that transfer agents should not be included within the definition of SCI entity because the majority of transfer agents do not have electronic connectivity to SCI entities.1354 Additionally, this commenter stated that larger transfer agents are already required to have 1346 See id. at 14–17. OTC Markets Letter at 11. 1348 See id. 1349 See id. 1350 See WF Letter at 2. 1351 See id. at 2–3. 1352 See Fidelity Letter at 4. 1353 See id. 1354 See STA Letter at 2. 1347 See VerDate Sep<11>2014 20:27 Dec 04, 2014 Jkt 235001 business continuity plans and written policies and procedures to ensure that their systems are robust and will function as intended.1355 In determining whether to expand the scope of SCI entities, one commenter commented that the Commission should consider the role of an entity in the securities markets and the risks presented by that entity, and stated that transfer agents should not be covered because they raise fewer risks to the markets than the proposed SCI entities, as their systems do not directly support the functions intended to be targeted by the SCI Proposal.1356 Another commenter similarly stated that transfer agents should not be covered because there is little chance that a problem with a transfer agent’s operations would impact market activity.1357 The Commission appreciates the comments received on the potential application of Regulation SCI to brokerdealers other than SCI ATSs and other types of entities. 
As noted above, should the Commission decide to propose to apply the requirements of Regulation SCI to these entities, the Commission would issue a separate release discussing such a proposal and would take these comments into account.

F. Effective Date and Compliance Dates

Several commenters provided recommendations for when the requirements of Regulation SCI should go into effect and/or when SCI entities should be required to comply with the various requirements of the regulation.1358 Each commenter recommended allowing what they believed to be sufficient time for SCI entities to prepare for what they perceived as complex or substantial regulatory responsibilities.1359 Several commenters suggested that the implementation period should vary between those entities and/or systems currently subject to the ARP Inspection Program and those that are not.1360 For example, one commenter suggested an implementation period of no less than two years for SCI systems that are subject to the ARP Inspection Program and three years for all other systems.1361 Similarly, another commenter recommended that certain systems of non-ARP participants should be provided at least an additional one year transition period, after a six-month delayed effectiveness after final approval of Regulation SCI for SCI systems of current ARP participants that are trading, clearance and settlement, and order routing systems.1362 Another commenter stated that systems currently covered by the ARP Inspection Program should be granted two years to phase-in the rule and that non-ARP systems would need a phase-in period of at least four years.1363 One commenter also noted more generally that the time needed to meet the new requirements of Regulation SCI will vary by the type of SCI entity and the level of its current participation in the ARP Inspection Program.1364

1355 See id.
1356 See ICI Letter at 3.
1357 See Oppenheimer Letter at 2.
1358 See, e.g., FINRA Letter at 41–42; DTCC Letter at 3; OCC Letter at 2; MSRB Letter at 39–40; KCG Letter at 19; SIFMA Letter at 7; and OTC Markets Letter at 4, 22–23.
1359 See, e.g., FINRA Letter at 41–42; DTCC Letter at 3; OCC Letter at 2; MSRB Letter at 39–40; KCG Letter at 19; SIFMA Letter at 7; and OTC Markets Letter at 4, 22–23.
1360 See, e.g., FINRA Letter at 41–42; DTCC Letter at 3; and OTC Markets Letter at 4, 22–23.
1361 See FINRA Letter at 41–42.

Some commenters requested a special phase-in period for ATSs. Specifically, two commenters suggested that ATSs should be given six months after meeting the given threshold in the definition of SCI ATS to come into compliance with Regulation SCI.1365 Other commenters provided detailed suggestions for a phase-in compliance timeline for the requirements of Regulation SCI.1366 For example, one commenter suggested implementing the rule in three phases so that it would apply: (1) After initial six-month delayed effectiveness, to SCI systems of current ARP participants that are trading, clearance and settlement, and order routing systems, and after one additional year, to such systems of non-ARP participants (for at least one annual cycle); (2) to indirect SCI systems relating to the systems in phase one (for at least one annual cycle); and (3) to SCI systems that are market data, regulation and surveillance systems and related indirect SCI systems.1367 Another commenter believed the rule should be phased-in over four stages, where each SCI entity would: (1) Review its SCI systems risk-based assessment with Commission staff; (2) review and update its policies and procedures to reasonably ensure compliance with Regulation SCI; (3) implement such policies and procedures; and (4) conduct an annual review.1368

1362 See MSRB Letter at 39–40.
1363 See OTC Markets Letter at 4, 22–23.
1364 See DTCC Letter at 3.
1365 See KCG Letter at 19; and SIFMA Letter at 7. See also adopted Rule 1000 (definition of ‘‘SCI ATS’’) and supra Section IV.A.1.b (discussing definition of ‘‘SCI ATS’’).
1366 See MSRB Letter at 39–40; and OCC Letter at 2–3.
1367 See MSRB Letter at 40.
1368 See OCC Letter at 3.

Other commenters recommended individual compliance deadlines for certain requirements of Regulation SCI.1369 Specifically, two commenters suggested that phased-in compliance should be permitted for proposed Rule 1000(b)(9) addressing testing of SCI entity business continuity and disaster recovery plans by SCI entity members or participants.1370 Specifically, one commenter believed that, if end-to-end business continuity and disaster recovery plans testing were to be required, it should be phased-in to allow SCI entities to conduct testing of specific SCI systems over time, rather than be required to conduct a full end-to-end test, which it stated cannot be done within a reasonable timeframe.1371 The other commenter recommended a phased-in approach to implementation of broader BC/DR testing over a period of years.1372 One commenter recommended that the Commission institute an implementation period for the Commission notification requirement under proposed Rule 1000(b)(4) to allow SCI entities to prepare for what the commenter believed to be an increase in the number of notifications that would be required.1373 This commenter also noted generally that business continuity and end-to-end testing requirements,1374 the two-hour recovery time objective,1375 and adopting the required policies and procedures may take longer to comply with than other provisions of Regulation SCI.1376

1369 See OCC Letter at 2–3, 11, and 18; and SIFMA Letter at 18.
1370 See adopted Rule 1004 and supra Section IV.B.6 (discussing business continuity and disaster recovery plans testing requirements).
1371 See OCC Letter at 18.
1372 See SIFMA Letter at 18.
1373 See OCC Letter at 11; see also adopted Rule 1002(b) and supra Section IV.B.3.c (discussing the Commission notification requirement for SCI events). One commenter also expressed concern about SCI entities being able to effectively make submissions on Form SCI upon Regulation SCI becoming effective, and urged Commission staff to work with the SCI entities in the development, testing, and implementation of the Form SCI electronic submission system, including provision of any systems requirements (e.g., supported browsers, required certificates, or authentication protocols). See MSRB Letter at 25. Another commenter requested that the Commission provide SCI entities sufficient time to learn the new Form SCI submission process, and recommended that the Commission delay implementation of Form SCI until SCI entities and Commission staff have gained experience with the Regulation SCI reporting requirements. See FINRA Letter at 28. In the alternative, this commenter recommended that the Commission provide a transition period for SCI entities to establish their processes for submission of Form SCI. See FINRA Letter at 28.
1374 See adopted Rule 1004 and supra Section IV.B.6 (discussing business continuity and disaster recovery plans testing requirements).
1375 See adopted Rule 1001(a)(2)(v) and supra Section IV.B.1.b (discussing the policies and procedures requirement and the two-hour recovery time objective).

Regulation SCI will become effective 60 days after publication of the rules in the Federal Register (‘‘Effective Date’’).
As proposed, SCI entities would have been required to meet the requirements of Regulation SCI on the Effective Date. However, after consideration of the views of commenters, the Commission has determined to adopt a compliance date for Regulation SCI of nine months after the Effective Date, except as described below with regard to: (1) ATSs newly meeting the thresholds in the definition of ‘‘SCI ATS;’’ and (2) the industry- or sector-wide coordinated testing requirement, which will have different compliance periods.

The Commission believes that the importance of strengthening the technology infrastructure of key market participants, the potential significant risks posed by systems issues to the U.S. securities markets, and the significant number of recent systems issues at various trading venues, necessitates as prompt an implementation of the requirements of Regulation SCI by SCI entities as possible. At the same time, the Commission understands that SCI entities will need time to prepare for the obligations imposed by Regulation SCI and, accordingly, believes that this nine-month time frame provides SCI entities adequate time to meet the requirements of Regulation SCI.

While certain commenters suggested longer compliance periods or phased-in compliance periods, the Commission understands that entities currently subject to the ARP Inspection Program may already comply with certain requirements of Regulation SCI. In addition, the Commission also believes that SCI entities that have not previously participated in the ARP Inspection Program may also currently operate in accordance with certain of the adopted requirements. For example, the Commission believes that most SCI entities generally have in place policies and procedures designed to ensure its systems’ capacity, integrity, resiliency, availability, and security and that most SCI entities already take corrective actions in response to systems issues.
Further, the Commission notes that, as described above, it has further focused the scope of the requirements of Regulation SCI from the SCI Proposal and, thus, has lessened the potential burdens on SCI entities.1377 Therefore, the Commission believes that many of the concerns expressed by commenters regarding the time that would be needed to prepare for the responsibilities imposed by Regulation SCI have been significantly mitigated or addressed by this overall refinement of the rules and obligations of SCI entities. For example, as discussed above, the Commission has further focused the definition of ‘‘SCI systems’’ and clarified the scope of ‘‘indirect SCI systems,’’ which will result in fewer systems being subject to the requirements of Regulation SCI.1378 In addition, the Commission notification provision will require immediate Commission notice of fewer SCI events than as proposed as a result of the refining of several definitions and the adoption of an exception from the immediate reporting requirements for de minimis SCI events, which will instead be subject to recordkeeping requirements and/or a quarterly reporting obligation, as applicable.1379 Further, the Commission has clarified that an SCI entity’s policies and procedures relating to the capacity, integrity, resiliency, availability, and security of its SCI systems and indirect SCI systems can be tailored to a particular SCI system’s criticality and risk, contrary to the belief of some commenters that the rule required all systems to be held to the same standards.1380 The Commission also notes that it expects, prior to the compliance date, that its staff will provide information to SCI entities regarding the operation of the electronic filing system to submit Forms SCI.

With regard to some commenters’ suggestions that there should be different compliance periods for SCI entities currently subject to the ARP Inspection Program and those that do not currently participate in the ARP Inspection Program (or phased-in compliance based, in part, on this distinction), as noted above, the Commission believes that both categories of entities already have some level of processes or procedures in place that are in compliance with the requirements of Regulation SCI.

1376 See OCC Letter at 2–3; see also adopted Rule 1001 and supra Sections IV.B.1–2 (discussing the policies and procedures requirement for operational capability and systems compliance).
1377 See supra Section III (providing a summary of the key modifications from the SCI Proposal) and Section IV (providing a detailed discussion of changes from the SCI Proposal).
1378 See supra Sections IV.A.2.b and IV.A.2.d (discussing the definitions of ‘‘SCI systems’’ and ‘‘indirect SCI systems’’). The Commission notes that the refining of these definitions also reduces the need to phase-in compliance based on type of system as suggested by one commenter, because fewer systems overall will be subject to the regulation than proposed and many systems for which the commenter urged a delay in compliance will not be covered by the regulation, as adopted.
1379 See supra Section IV.B.3.c (discussing the Commission notification requirement). As discussed above, SCI entities will be required to make, keep, and preserve records relating to all de minimis SCI events and to report de minimis systems disruptions and de minimis systems intrusions quarterly.
1380 See supra Section IV.B.1 (discussing the requirement for policies and procedures to achieve capacity, integrity, resiliency, availability, and security).
Further, given the voluntary nature of the current ARP Inspection Program, the Commission believes that the extent of current compliance with the requirements of adopted Regulation SCI by entities subject to the ARP Inspection Program varies for different entities. In addition, as noted above, Regulation SCI has a broader scope than the current ARP Inspection Program and imposes mandatory requirements on entities subject to the rules, and accordingly will require all SCI entities (both ARP entities and non-ARP entities) to take steps, including implementing necessary systems changes, to meet the requirements of Regulation SCI. For these reasons, the Commission believes that it is appropriate to provide all SCI entities nine months to become compliant with the requirements of Regulation SCI.

With regard to two commenters’ suggestions that the Commission should adopt specific phased-in compliance periods based on type of entity (i.e., ARP or non-ARP), type of system, or other factors, the Commission believes that such an approach is not necessary for the reasons stated above. Further, the Commission believes that having multiple phases of compliance would create unnecessary complexity and raise practical difficulties for implementation.

At the same time, the Commission believes that it is appropriate to provide additional compliance periods for limited aspects of Regulation SCI, as requested by some commenters. Specifically, the Commission believes that ATSs meeting the volume thresholds in the definition of ‘‘SCI ATS’’ for the first time should be provided an additional six months from the time that the ATS first meets the applicable thresholds to comply with the requirements of Regulation SCI.1381 The Commission believes that this additional six-month period is appropriate and necessary to allow an SCI ATS the time needed to take steps to meet the requirements of the rules, rather than requiring compliance immediately upon meeting the volume thresholds. The Commission also believes that this additional compliance period should give a new ATS entrant the opportunity to initiate and develop its business by allowing additional time before a new ATS must incur the costs associated with compliance with Regulation SCI.1382

1381 See supra note 1365 and accompanying text. See also supra Section IV.A.1.b (discussing the definition of ‘‘SCI ATS,’’ including the applicable volume thresholds and the inclusion of a six-month compliance period within the definition). For example, if a new ATS begins operations in January 2016 and subsequently meets the volume thresholds in the definition of ‘‘SCI ATS’’ for four out of the six months ending December 31, 2016, it would have until June 30, 2017 to become compliant with the requirements of Regulation SCI.

The Commission is also adopting a longer compliance period with regard to the industry- or sector-wide coordinated testing requirement in adopted Rule 1004(d).1383 Specifically, SCI entities will have 21 months from the Effective Date to coordinate the testing of an SCI entity’s business continuity and disaster recovery plans on an industry- or sector-wide basis with other SCI entities pursuant to adopted Rule 1004(d). Given that the compliance date for the other requirements of Regulation SCI is nine months from the Effective Date, this will provide SCI entities an additional year (12 months) beyond the compliance date for the other requirements of Regulation SCI (for a total of 21 months) to comply with Rule 1004(d).
The Commission believes that this additional time period is appropriate in light of commenters’ concerns regarding the complexity and logistical challenges posed by the requirement.1384 The Commission expects SCI entities to work cooperatively to address these logistical hurdles and to carefully plan such testing, and believes that the additional time for compliance should help to ensure that such testing is implemented effectively.

If any provision of Regulation SCI, or the application thereof to any person or circumstance, is held to be invalid, such invalidity shall not affect other provisions or application of such provisions to other persons or circumstances that can be given effect without the invalid provision or application.

V. Paperwork Reduction Act

Certain rules under Regulation SCI impose new ‘‘collection of information’’ requirements within the meaning of the Paperwork Reduction Act of 1995 (‘‘PRA’’).1385 An agency may not conduct or sponsor, and a person is not required to respond to, a collection of information unless it displays a currently valid control number. In accordance with 44 U.S.C. 3507 and 5 CFR 1320.11, the Commission submitted these collections of information to the Office of Management and Budget (‘‘OMB’’) for review. The title for the collection of information requirement is ‘‘Regulation Systems Compliance and Integrity.’’ The collection of information was assigned OMB Control No. 3235–0703.

In the SCI Proposal, the Commission solicited comments on the collection of information burdens associated with Regulation SCI. In particular, the Commission asked whether commenters agree with the Commission’s estimate of the number of respondents and the burden associated with compliance with Regulation SCI.1386 In addition, the Commission asked whether SCI entities would outsource the work associated with compliance with Regulation SCI.1387 Some commenters noted that the Commission underestimated the burdens that would be imposed by proposed Regulation SCI.1388 As discussed above, the Commission received 60 comment letters on the proposal. Some of these comments relate directly or indirectly to the PRA. These comments are addressed below.

1382 See supra note 152 and accompanying text.
1383 See supra Section IV.B.6.b.iv (discussing the coordinated testing requirement of adopted Rule 1004(d)).
1384 See id.
1385 44 U.S.C. 3501 et seq.
1386 See Proposing Release, supra note 13, at 18155.
1387 See id. at 18154–55.
1388 See, e.g., Joint SRO Letter at 18–19; CME Letter at 4–5; OCC Letter at 11–12.

A. Summary of Collection of Information

Regulation SCI includes four categories of obligations that require a collection of information within the meaning of the PRA. Specifically, an SCI entity is required to: (1) Establish specified written policies and procedures, and mandate participation by designated members or participants in certain testing of the SCI entity’s business continuity and disaster recovery plans; (2) provide certain notifications, disseminate certain information, and create reports; (3) take corrective actions, and identify critical SCI systems, major SCI events, de minimis SCI events, and material systems changes; and (4) comply with recordkeeping requirements.

1. Requirements To Establish Written Policies and Procedures and Mandate Participation in Certain Testing

Rule 1001 requires SCI entities to establish policies and procedures with respect to various matters. Rule 1001(a) requires each SCI entity to establish, maintain, and enforce written policies and procedures reasonably designed to ensure that its SCI systems and, for purposes of security standards, indirect SCI systems, have levels of capacity, integrity, resiliency, availability, and security, adequate to maintain the SCI entity’s operational capability and promote the maintenance of fair and orderly markets. Rule 1001(a)(2) specifies that such policies and procedures are required to include, at a minimum: (i) The establishment of reasonable current and future technology infrastructure capacity planning estimates; (ii) periodic capacity stress tests of such systems to determine their ability to process transactions in an accurate, timely, and efficient manner; (iii) a program to review and keep current systems development and testing methodology for such systems; (iv) regular reviews and testing, as applicable, of such systems, including backup systems, to identify vulnerabilities pertaining to internal and external threats, physical hazards, and natural or manmade disasters; (v) business continuity and disaster recovery plans that include maintaining backup and recovery capabilities sufficiently resilient and geographically diverse and that are reasonably designed to achieve next business day resumption of trading and two-hour resumption of critical SCI systems following a wide-scale disruption; (vi) standards that result in such systems being designed, developed, tested, maintained, operated, and surveilled in a manner that facilitates the successful collection, processing, and dissemination of market data; and (vii) monitoring of such systems to identify potential SCI events.

Rule 1001(a)(3) requires each SCI entity to periodically review the effectiveness of the policies and procedures required by Rule 1001(a), and take prompt action to remedy deficiencies in such policies and procedures.
Rule 1001(a)(4) states that an SCI entity’s policies and procedures shall be deemed to be reasonably designed if they are consistent with current SCI industry standards, which are required to be comprised of information technology practices that are widely available to information technology professionals in the financial sector and issued by an authoritative body that is a U.S. governmental entity or agency, association of U.S. governmental entities or agencies, or widely recognized organization, though compliance with current SCI industry standards is not the exclusive means to comply with the requirements of Rule 1001(a).

Rule 1001(b)(1) requires each SCI entity to establish, maintain, and enforce written policies and procedures reasonably designed to ensure that its SCI systems operate in a manner that complies with the Act and rules and regulations thereunder and the entity’s rules and governing documents, as applicable. Rule 1001(b)(2) specifies that such policies and procedures are required to include, at a minimum: (i) Testing of all SCI systems and any changes to SCI systems prior to implementation; (ii) a system of internal controls over changes to SCI systems; (iii) a plan for assessments of the functionality of SCI systems designed to detect systems compliance issues, including by responsible SCI personnel and by personnel familiar with applicable provisions of the Act and the rules and regulations thereunder and the SCI entity’s rules and governing documents; and (iv) a plan of coordination and communication between regulatory and other personnel of the SCI entity, including by responsible SCI personnel, regarding SCI systems design, changes, testing, and controls designed to detect and prevent systems compliance issues.
Rule 1001(b)(3) requires each SCI entity to periodically review the effectiveness of the policies and procedures required by Rule 1001(b), and take prompt action to remedy deficiencies in such policies and procedures. Further, pursuant to Rule 1001(b)(4), personnel of an SCI entity is deemed not to have aided, abetted, counseled, commanded, caused, induced, or procured the violation by an SCI entity of Rule 1001(b) if the person: (i) Has reasonably discharged the duties and obligations incumbent upon such person by the SCI entity’s policies and procedures; and (ii) was without reasonable cause to believe that the policies and procedures relating to an SCI system for which such person was responsible, or had supervisory responsibility, were not established, maintained, or enforced in accordance with Rule 1001(b) in any material respect. Rule 1001(c)(1) requires each SCI entity to establish, maintain, and enforce reasonably designed written policies and procedures that include the criteria for identifying responsible SCI personnel, the designation and documentation of responsible SCI personnel, and escalation procedures to quickly inform responsible SCI personnel of potential SCI events. Rule 1001(c)(2) requires each SCI entity to periodically review the effectiveness of the policies and procedures required by Rule 1001(c)(1), and take prompt action to remedy deficiencies in such policies and procedures. 
Rule 1004 requires an SCI entity, with respect to its business continuity and disaster recovery plans, including its backup systems, to: (a) Establish standards for the designation of those members or participants that the SCI entity reasonably determines are, taken as a whole, the minimum necessary for the maintenance of fair and orderly markets in the event of the activation of such plans; and (b) designate members or participants pursuant to such standards and require participation by such members or participants in scheduled functional and performance testing of the operation of such plans, in the manner and frequency as specified by the SCI entity, at least once every 12 months (e.g., for SCI SROs, by submitting proposed rule changes under Section 19(b) of the Exchange Act; for SCI ATSs, by revising membership or subscriber agreements and internal procedures; for plan processors, through an amendment to an SCI Plan under Rule 608 of Regulation NMS; and, for exempt clearing agencies subject to ARP, by revising participant agreements and internal procedures). Rule 1004(c) requires an SCI entity to coordinate such required testing on an industry- or sector-wide basis with other SCI entities.

2. Notification, Dissemination, and Reporting Requirements for SCI Entities

Certain rules under Regulation SCI require SCI entities to notify or report information to the Commission, or disseminate information to their members or participants. Rules 1002 and 1003 each contain notification, dissemination, or reporting requirements.1389 Rule 1002(b) requires Commission notification of SCI events. Rule 1002(b)(1) requires an SCI entity to immediately notify the Commission upon any responsible SCI personnel having a reasonable basis to conclude that an SCI event has occurred. These notifications may be made orally or in writing.
Rule 1002(b)(2) requires an SCI entity, within 24 hours of any responsible SCI personnel having a reasonable basis to conclude that an SCI event has occurred, to submit a written notification to the Commission on Form SCI pertaining to such SCI event.1390 1389 To access EFFS, the secure Commission Web site for filing of Form SCI, an SCI entity will submit to the Commission an External Application User Authentication Form (‘‘EAUF’’) to register each individual at the SCI entity who will access the EFFS system on behalf of the SCI entity. Upon receipt and verification of the information in the EAUF process, the Commission will issue each such person a User ID and Password to permit access to the Commission’s secure Web site. 1390 This notification is required to be submitted on a good faith, best efforts basis. E:\FR\FM\05DER2.SGM 05DER2 mstockstill on DSK4VPTVN1PROD with RULES2 72370 Federal Register / Vol. 79, No. 234 / Friday, December 5, 2014 / Rules and Regulations Rule 1002(b)(2) requires that this notification include: (i) A description of the SCI event, including the system(s) affected; and (ii) to the extent available as of the time of the notification, the SCI entity’s current assessment of the types and number of market participants potentially affected by the SCI event, the potential impact of the SCI event on the market, a description of the steps the SCI entity has taken, is taking, or plans to take, with respect to the SCI event, the time the SCI event was resolved or timeframe within which the SCI event is expected to be resolved, and any other pertinent information known by the SCI entity about the SCI event. 
Rule 1002(b)(3) requires an SCI entity, until an SCI event is resolved and the SCI entity’s investigation of the SCI event is closed, to provide updates pertaining to such SCI event to the Commission on a regular basis, or at such frequency as reasonably requested by a representative of the Commission, to correct any materially incorrect information previously provided, or when new information is discovered (including but not limited to any of the information listed in Rule 1002(b)(2)(ii)). The updates under Rule 1002(b)(3) may be made orally or in writing. Rule 1002(b)(4) states that, if an SCI event is resolved and the SCI entity’s investigation of the SCI event is closed within 30 calendar days of the occurrence of the event, then within 5 business days after the resolution of the SCI event and closure of the investigation regarding the SCI event, the SCI entity is required to submit a final written notification to the Commission pertaining to the SCI event. This notification is required to include: (i) A detailed description of the SCI entity’s assessment of the types and number of market participants affected by the SCI event, the SCI entity’s assessment of the impact of the SCI event on the market, the steps that the SCI entity has taken, is taking, or plans to take with respect to the SCI event, the time the SCI event was resolved, the SCI entity’s rule(s) and/or governing document(s), as applicable, that relate to the SCI event, and any other pertinent information known by the SCI entity about the SCI event; (ii) a copy of any information disseminated pursuant to Rule 1002(c) by the SCI entity to date regarding the SCI event to any of its members or participants; and (iii) an analysis of parties that may have experienced a loss, whether monetary or otherwise, due to the SCI event, the number of such parties, and an estimate of the aggregate amount of such loss. 
Rule 1002(b)(4)(iv) further states that, if an SCI event is not resolved or the SCI entity’s investigation of the SCI event is not closed within 30 days of the occurrence of the SCI event, then the SCI entity is required to submit an interim written notification pertaining to such event within 30 calendar days after the occurrence of the event, containing the information required by Rule 1002(b)(4)(ii) to the extent known at that time. Within 5 business days after the resolution of such event and closure of the investigation, the SCI entity is required to submit a final written notification to the Commission, containing the information required by Rule 1002(b)(4)(ii). Rule 1002(b)(5) states that the requirements of Rules 1002(b)(1)–(4) do not apply to de minimis SCI events. Instead, for these types of SCI events, an SCI entity is required to make, keep, and preserve records relating to these events, and submit to the Commission quarterly reports containing a summary description of de minimis systems disruptions and de minimis systems intrusions, including the SCI systems and, for systems intrusions, indirect SCI systems, affected by such systems disruptions and systems intrusions during the applicable calendar quarter. Rule 1002(c) requires the dissemination of information regarding certain SCI events and specifies the nature and timing of such dissemination. Rule 1002(c)(1)(i) requires an SCI entity, promptly after any responsible SCI personnel has a reasonable basis to conclude that a systems disruption or systems compliance issue has occurred, to disseminate the following information about such SCI event: (A) The system(s) affected by the SCI event; and (B) a summary description of the SCI event.
In addition, Rule 1002(c)(1)(ii) requires an SCI entity, when known, to further disseminate the following information: (A) A detailed description of the SCI event; (B) the SCI entity’s current assessment of the types and number of market participants potentially affected by the SCI event; and (C) a description of the progress of its corrective action for the SCI event and when the SCI event has been or is expected to be resolved. Rule 1002(c)(1)(iii) requires that an SCI entity provide regular updates of the information required to be disseminated under Rule 1002(c)(1)(i) and (ii). With respect to systems intrusions, Rule 1002(c)(2) states that, promptly after any responsible SCI personnel has a reasonable basis to conclude that a systems intrusion has occurred, an SCI entity is required to disseminate a summary description of the systems intrusion, including a description of the corrective action taken by the SCI entity and when the systems intrusion has been or is expected to be resolved, unless the SCI entity determines that dissemination of such information would likely compromise the security of the SCI entity’s SCI systems or indirect SCI systems, or an investigation of the systems intrusion, and documents the reasons for such determination.1391 Rule 1002(c)(4) provides that the information dissemination requirement does not apply to SCI events to the extent they relate to market regulation or market surveillance systems, or to any de minimis SCI events. Rule 1003(a)(1) requires an SCI entity, within 30 calendar days after the end of each calendar quarter, to submit to the Commission a report describing completed, ongoing, and planned material changes to its SCI systems and the security of indirect SCI systems, during the prior, current, and subsequent calendar quarters, including the dates or expected dates of commencement and completion.
Rule 1003(a)(2) further requires an SCI entity to promptly submit a supplemental report to notify the Commission of a material error in or material omission from a report previously submitted under Rule 1003(a). Rules 1003(b)(1) and (2) require an SCI entity to conduct periodic SCI reviews of its compliance with Regulation SCI,1392 and to submit a report of the SCI review to senior management of the SCI entity for review no more than 30 calendar days after completion of such SCI review. Rule 1003(b)(3) also requires an SCI entity to submit to the Commission, and to the board of directors of the SCI entity or the equivalent of such board, a report of the SCI review, together with any response by senior management, within 60 calendar days after its submission to senior management of the SCI entity.

1391 Rule 1002(c)(3) provides that the information specified in Rules 1002(c)(1) and (2) is required to be disseminated to members or participants of the SCI entity that a responsible SCI personnel has reasonably estimated may have been affected by the SCI event, and promptly disseminated to any additional members or participants that any responsible SCI personnel subsequently reasonably estimates may have been affected by the SCI event. However, information regarding major SCI events must be disseminated to all members or participants of an SCI entity.

1392 SCI entities are required to conduct an SCI review not less than once each calendar year. However, under Rule 1003(b)(1)(i), penetration test reviews of the network, firewalls, and production systems are required to be conducted not less than once every three years. Under Rule 1003(b)(1)(ii), assessments of SCI systems directly supporting market regulation or market surveillance are required to be conducted at a frequency based on risk assessment, but not less than once every three years.

Rule 1006 requires any notifications to the Commission required to be submitted under Regulation SCI, except notifications pursuant to Rule 1002(b)(1) or 1002(b)(3), to be filed electronically on Form SCI, include all information as prescribed in Form SCI and the instructions thereto, and contain an electronic signature. In addition, pursuant to Rule 1006(b), the signatory to an electronically filed Form SCI is required to manually sign a signature page or document authenticating, acknowledging, or otherwise adopting his or her signature that appears in typed form within the electronic filing. Such document is required to be retained by the SCI entity in accordance with Rule 1005.

3. Requirements To Take Corrective Action and Identify Critical SCI Systems, Major SCI Events, De Minimis SCI Events, and Material Systems Changes

Rule 1002(a) requires an SCI entity, upon any responsible SCI personnel having a reasonable basis to conclude that an SCI event has occurred, to begin to take appropriate corrective action, which is required to include, at a minimum, mitigating potential harm to investors and market integrity resulting from the SCI event and devoting adequate resources to remedy the SCI event as soon as reasonably practicable. The Commission believes that SCI entities are likely to work to develop a written process for ensuring that they are prepared to comply with the corrective action requirement and are likely to also periodically review this process. In connection with the reporting of material systems changes, Rule 1003(a)(1) requires an SCI entity to establish reasonable written criteria for identifying a change to its SCI systems and the security of indirect SCI systems as material.
In addition, because the Commission notification and information dissemination requirements under Rules 1002(b) and (c), respectively, apply differently to SCI events depending on whether an event is a ‘‘major SCI event’’ or whether the event has no or a de minimis impact on the SCI entity’s operations or on market participants, when an SCI event occurs, an SCI entity must determine whether an SCI event is a major SCI event or a de minimis SCI event. Moreover, because the business continuity and disaster recovery policies and procedures requirement under Rule 1001(a)(2)(v) imposes different resumption goals for critical SCI systems as compared to other SCI systems, an SCI entity must determine whether an SCI system is a critical SCI system.1393 As such, SCI entities would likely work to develop a written process for ensuring that they are able to make timely and accurate determinations regarding the nature of an SCI system or SCI event, and periodically review this process.

4. Recordkeeping Requirements

Rule 1005 sets forth recordkeeping requirements for SCI entities. Under Rule 1005(a), SCI SROs are required to make, keep, and preserve all documents relating to their compliance with Regulation SCI as prescribed in Rule 17a–1 under the Exchange Act. Under Rule 1005(b), each SCI entity that is not an SCI SRO is required to make, keep, and preserve at least one copy of all documents, including correspondence, memoranda, papers, books, notices, accounts, and other such records, relating to its compliance with Regulation SCI, including, but not limited to, records relating to any changes to its SCI systems and indirect SCI systems. Each SCI entity that is not an SCI SRO is required to keep all such documents for a period of not less than five years, the first two years in a place that is readily accessible to the Commission or its representatives for inspection and examination.
Upon request of any representative of the Commission, such SCI entities would be required to promptly furnish to the possession of such representative copies of any documents required to be kept and preserved by it under Rules 1005(b)(1) and (2). Under Rule 1005(c), upon or immediately prior to ceasing to do business or ceasing to be registered under the Exchange Act, an SCI entity is required to take all necessary action to ensure that the records required to be made, kept, and preserved by Rule 1005 will be accessible to the Commission and its representatives in the manner required by Rule 1005 and for the remainder of the period required by Rule 1005. In addition, Rule 1007 provides that, if the records required to be filed or kept by an SCI entity under Regulation SCI are prepared or maintained by a service bureau or other recordkeeping service on behalf of the SCI entity, the SCI entity is required to ensure that the records are available for review by the Commission and its representatives by submitting a written undertaking, in a form acceptable to the Commission, by such service bureau or other recordkeeping service and signed by a duly authorized person at such service bureau or other recordkeeping service.

1393 Also, pursuant to the definition of ‘‘major SCI event,’’ in determining whether an SCI event is a major SCI event, an SCI entity is required to consider whether an SCI event can have any impact on a critical SCI system. See Rule 1000.

B. Use of Information

1. Requirements To Establish Written Policies and Procedures and Mandate Participation in Certain Testing

The requirement that SCI entities establish policies and procedures under adopted Rule 1001(a) should advance the goal of improving Commission review and oversight of U.S.
securities market infrastructure by requiring an SCI entity’s policies and procedures to be reasonably designed to ensure its own operational capability, including the ability to maintain effective operations, minimize or eliminate the effect of performance degradations, and have sufficient backup and recovery capabilities. Because an SCI entity’s own operational capability can have the potential to impact investors, the overall market, or the trading of individual securities, the Commission believes that these policies and procedures will help promote the maintenance of fair and orderly markets. The Commission believes that Rule 1001(b), which requires each SCI entity to establish, maintain, and enforce written policies and procedures reasonably designed to ensure that its SCI systems operate in a manner that complies with the Exchange Act and the rules and regulations thereunder and the entity’s rules and governing documents, as applicable, will help to prevent the occurrence of systems compliance issues. In addition, the Commission believes Rule 1001(b) will help to: Ensure that SCI SROs comply with Section 19(b)(1) of the Exchange Act; reinforce existing SRO rule filing processes to assist market participants and the public in understanding how the SCI systems of SCI SROs are intended to operate; and assist SCI SROs in meeting their obligations to file plan amendments to SCI Plans under Rule 608 of Regulation NMS. It should similarly help other SCI entities to achieve operational compliance with the Exchange Act, the rules and regulations thereunder, and their governing documents. 
The requirement to establish policies and procedures pursuant to Rule 1001(c) that include the designation and documentation of responsible SCI personnel should help make it clear to all employees of the SCI entity who the designated responsible SCI personnel are for purposes of the escalation procedures and so that Commission staff can easily identify such responsible SCI personnel in the course of its inspections and examinations and other interactions with SCI entities. The Commission also believes that escalation procedures to quickly inform responsible SCI personnel of potential SCI events will help ensure that the appropriate person(s) are provided notice of potential SCI events so that any appropriate actions can be taken in accordance with the requirements of Regulation SCI without unnecessary delay. The Commission believes that the requirement that SCI entities establish standards that require designated members or participants to participate in the testing of their business continuity and disaster recovery plans will help reduce the risks associated with an SCI entity’s decision to activate its BC/DR plans and help to ensure that such plans operate as intended, if activated. The testing participation requirement should help an SCI entity to ensure that its efforts to develop effective BC/DR plans are not undermined by a lack of participation by members or participants that the SCI entity believes are necessary to the successful activation of such plans. This requirement should also assist the Commission in maintaining fair and orderly markets in a BC/DR scenario following a wide-scale disruption.

2. Notification, Dissemination, and Reporting Requirements for SCI Entities

Adopted Rule 1002(b), including adopted Rules 1002(b)(1)–(3), will foster a system for comprehensive reporting of SCI events, which should enhance the Commission’s review and oversight of U.S. securities market infrastructure and foster cooperation between the Commission and SCI entities in responding to SCI events. The Commission also believes that the aggregated data that will result from the reporting of SCI events will enhance its ability to comprehensively analyze the nature and types of various SCI events and identify more effectively areas of persistent or recurring problems across the systems of all SCI entities. The information in the final report required under Rule 1002(b)(4) should provide the Commission with a comprehensive analysis to more fully understand and assess the impact caused by the SCI event. The Commission expects that the quarterly reporting required by Rule 1002(b)(5) will better achieve the goal of keeping Commission staff informed regarding the nature and frequency of systems disruptions and systems intrusions that arise but are reasonably estimated by the SCI entity to have a de minimis impact on the entity’s operations or on market participants. Further, submission and review of regular reports should facilitate Commission staff comparisons among SCI entities and thereby permit the Commission and its staff to have a more holistic view of the types of systems operations challenges that were posed to SCI entities in the aggregate. Adopted Rule 1002(c) advances the Commission’s goal of promoting fair and orderly markets by disseminating information about an SCI event to some or all of the SCI entity’s members or participants, who can use such information to evaluate the event’s impact on their trading and other activities and develop an appropriate response.
The quarterly material systems change reports required by Rule 1003(a) should permit the Commission and its staff to have up-to-date information regarding an SCI entity’s systems development progress and plans, and help the Commission with its oversight of U.S. securities market infrastructure. The SCI reviews under Rule 1003(b) should not only assist the Commission in improving its oversight of the technology infrastructure of SCI entities, but also each SCI entity in assessing the effectiveness of its information technology practices, helping to ensure compliance with the safeguards provided by the requirements of Regulation SCI, identifying potential areas of weakness that require additional or modified controls, and determining where to best devote resources. Rule 1006 provides a uniform manner in which the Commission would receive—and SCI entities would provide—written notifications, reviews, descriptions, analyses, or reports made pursuant to Regulation SCI. The Commission believes that Rule 1006 therefore allows SCI entities to efficiently draft and submit the required reports, and for the Commission to efficiently review, analyze, and respond to the information provided. As noted above, in order to access EFFS, an SCI entity will submit to the Commission an EAUF to register each individual at the SCI entity who will access the EFFS system on behalf of the SCI entity. The information provided via EAUF will be used by the Commission to verify the identity of the individual submitting Form SCI on behalf of the SCI entity and provide such individual access to the EFFS.

3. Requirements To Take Corrective Action and Identify Critical SCI Systems, Major SCI Events, De Minimis SCI Events, and Material Systems Changes

The requirement that SCI entities begin to take appropriate corrective action upon any responsible SCI personnel having a reasonable basis to conclude that an SCI event has occurred, and the policies and procedures SCI entities would likely use to implement this requirement, should help facilitate SCI entities’ responses to SCI events, including taking appropriate steps necessary to remedy the problem or problems causing such SCI event and mitigate the negative effects of the SCI event, if any, on market participants and the securities markets more broadly. The requirement that each SCI entity establish written criteria for identifying material systems changes should help the Commission ensure that it is kept apprised of the systems changes that SCI entities believe to be material and aid the Commission and its staff in understanding the operations and functionality of the systems of an SCI entity and any changes to such systems. The Commission expects that the application of different requirements (e.g., Commission notification requirements and information dissemination requirements) to critical SCI systems, major SCI events, and de minimis SCI events, and the policies and procedures required by SCI entities to make these determinations, will help to ensure that the Commission is kept apprised of SCI events, and that relevant market participants have basic information about SCI events so that those notified can better develop an appropriate response. These policies and procedures should also assist SCI entities in complying with the notification, dissemination and reporting requirements of Regulation SCI.

4. Recordkeeping Requirements

Rule 1005 requires each SCI entity to make, keep, and preserve records relating to its compliance with Regulation SCI because such records should assist the Commission in understanding whether an SCI entity is meeting its obligations under Regulation SCI, assessing whether an SCI entity has appropriate policies and procedures with respect to its technology systems, helping to identify the causes and consequences of an SCI event, and understanding the types of material systems changes occurring at an SCI entity. The Commission expects that Rule 1005 will also facilitate the Commission’s inspections and examinations of SCI entities and assist it in evaluating an SCI entity’s compliance with Regulation SCI. Moreover, having an SCI entity’s records available even after it has ceased to do business or to be registered under the Exchange Act should provide an additional tool to help the Commission to reconstruct important market events and better understand the impact of such events. Rule 1007 should help ensure the Commission’s ability to obtain required records that are held by a third party who may not otherwise have an obligation to make such records available to the Commission.

C. Respondents

The ‘‘collection of information’’ requirements contained in Regulation SCI apply to SCI entities, as described below. Currently, there are 27 entities that would satisfy the definition of SCI SRO,1394 14 entities that would satisfy the definition of SCI ATS,1395 2 entities that would satisfy the definition of plan processor,1396 and 1 entity that would meet the definition of exempt clearing agency subject to ARP.1397 Accordingly, the Commission estimates that there are currently 44 entities that meet the definition of SCI entity and are subject to the collection of information requirements of Regulation SCI.

1394 See supra notes 74–77 and accompanying text (listing 18 registered national securities exchanges, 7 registered clearing agencies, FINRA, and the MSRB). See also supra note 80 and accompanying text.

1395 See supra notes 150 and 175 and accompanying text.

1396 See supra note 202 and accompanying text.

1397 See supra note 203 and accompanying text.

D. Total Initial and Annual Reporting and Recordkeeping Burdens

The Commission notes that national securities exchanges, national securities associations, registered clearing agencies, plan processors, one ATS, and one exempt clearing agency currently participate in the ARP Inspection Program. Under the ARP Inspection Program, Commission staff conducts inspections of these entities, attends periodic technology briefings by staff of these entities, monitors planned significant systems changes, and responds to reports of systems failures, disruptions, and other systems problems of these entities.1398

1398 See supra Section II.A.

Under Regulation SCI, many of the principles of the ARP policy statements with which some SCI entities are familiar are codified. As such, current practices of these SCI entities already comply with certain requirements of Regulation SCI.1399 However, because Regulation SCI has a broader scope than the current ARP Inspection Program and imposes mandatory recordkeeping obligations on SCI entities,1400 the Commission believes Regulation SCI will impose paperwork burdens on all SCI entities. The Commission’s total burden estimates in this Paperwork Reduction Act section reflect the total burdens on all SCI entities, taking into account the extent to which some SCI entities already comply with some of the requirements of Regulation SCI. The Commission also notes that the burden estimates per SCI entity are intended to reflect the average paperwork burden for each SCI entity to comply with Regulation SCI.
Therefore, some SCI entities may experience more burden than the Commission’s estimates, while others may experience less. The Commission notes that the burden figures set forth in this section are the Commission’s estimate of the paperwork burden for compliance with Regulation SCI based on a variety of sources, including Commission staff’s experience with the current ARP Inspection Program, other similar estimated burdens for analogous rulemakings, and comments received on the burden estimates in the SCI Proposal.1401

1399 In addition, some SCI entities already comply with certain requirements of Regulation SCI to some extent as a matter of prudent business practice or pursuant to other rules. For example, as noted above, FINRA Rule 4370 includes requirements for FINRA members related to business continuity plans. See supra note 115. In addition, NASD Rule 3010 and FINRA Rule 3130 include requirements for FINRA members related to procedures to achieve compliance with applicable securities laws and regulations and certain SRO rules. See supra note 115. Further, FINRA Rule 4530 includes reporting requirements related to certain compliance issues. See supra note 115. Compliance with existing requirements under FINRA rules could help SCI ATSs to comply with Regulation SCI. Therefore, the Commission acknowledges that SCI ATSs may experience a lower paperwork burden in complying with certain provisions of Regulation SCI than some other SCI entities. However, unlike SCI entities that participate in the ARP Inspection Program (where in many instances the Commission has estimated a 50% reduction in SCI entity staff compliance burden as compared to other SCI entities when estimating paperwork costs with regard to Regulation SCI requirements due to participation in the ARP inspection program), the Commission believes that any reduction in burden resulting from compliance with these FINRA and NASD rules is unlikely to be significant.
1400 As discussed more fully in supra Section IV.C.1, SCI SROs are already subject to existing recordkeeping and retention requirements under Rule 17a–1. 1401 The Commission also notes that the allocation of burden hours between staff and managers of an SCI entity that are identified in this section is intended to reflect the Commission’s estimate of the broad categories of SCI entity personnel who will be involved in compliance with PO 00000 Frm 00123 Fmt 4701 Sfmt 4700 72373 1. Requirements To Establish Written Policies and Procedures and Mandate Participation in Certain Testing The rules under Regulation SCI that would require an SCI entity to establish policies and procedures and to mandate member or participant participation in business continuity and disaster recovery plan testing are discussed more fully in Sections IV.B.1, IV.B.2, and IV.B.6 above. a. Policies and Procedures In the SCI Proposal, the Commission estimated that an SCI entity that has not previously participated in the ARP Inspection Program would require an average of 210 burden hours initially to develop and draft the policies and procedures required by proposed Rule 1000(b)(1) (except for the policies and procedures for standards that result in systems being designed, developed, tested, maintained, operated, and surveilled in a manner that facilitates the successful collection, processing, and dissemination of market data) 1402 and 60 hours annually to review and update such policies and procedures.1403 The Commission estimated that an SCI entity that currently participates in the ARP Inspection Program would require an average of 105 burden hours initially to develop and draft such policies and procedures 1404 and 30 hours annually Regulation SCI. 
The Commission recognizes that some SCI entities may have additional subcategories of staff or managers who will be involved in compliance with Regulation SCI (e.g., information security staff may be a subcategory of systems analysts), whereas other SCI entities may not have the specific categories of staff or managers that are identified in this section.
1402 See Proposing Release, supra note 13, at 18145. The 210 burden hours included 80 hours by a Compliance Manager (including senior management review), 80 hours by an Attorney, 25 hours by a Senior Systems Analyst, and 25 hours by an Operations Specialist. See id. at 18146. This estimate was based on Commission staff’s experience with the ARP Inspection Program and the Commission’s preliminary estimate in the SB SDR Proposing Release for a similar requirement. See id. at 18145, n. 365.
1403 See Proposing Release, supra note 13, at 18146. The 60 burden hours included 30 hours by a Compliance Manager and 30 hours by an Attorney. See id. This estimate was based on Commission staff’s experience with the ARP Inspection Program and the Commission’s preliminary estimate in the SB SDR Proposing Release for a similar requirement. See id. at 18146, n. 377.
1404 See Proposing Release, supra note 13, at 18145. The 105 burden hours included 40 hours by a Compliance Manager (including senior management review), 40 hours by an Attorney, 12.5 hours by a Senior Systems Analyst, and 12.5 hours by an Operations Specialist. See id. at 18146. The Commission stated its belief that a fifty percent baseline for SCI entities that participate in the ARP Inspection Program is appropriate because, although these entities already have substantial
to review and update such policies and procedures.1405 With respect to the requirement in proposed Rule 1000(b)(1) for policies and procedures that provide for standards that result in systems being designed, developed, tested, maintained, operated, and surveilled in a manner that facilitates the successful collection, processing, and dissemination of market data, the Commission estimated that each SCI entity would spend 130 hours annually.1406 In the SCI Proposal, the Commission also estimated that all SCI entities would conduct most of the work associated with proposed Rule 1000(b)(1) internally.1407 However, the Commission estimated that SCI entities would seek outside legal and/or consulting services in the initial preparation of the policies and procedures at an average cost of $20,000 per SCI entity.1408 With respect to proposed Rule 1000(b)(2), the Commission estimated that each SCI entity would elect to comply with the proposed safe harbor provisions.1409 The Commission estimated that each SCI entity would spend 180 hours initially to design the policies and procedures accordingly.1410 The Commission estimated that each SCI SRO would spend approximately 120 hours annually to review and update such policies and procedures,1411 and that each SCI entity
policies and procedures in place, the rule would require these entities to devote substantial time to review and revise their existing policies and procedures to ensure that they are sufficiently robust. See id. at 18145.
1405 See Proposing Release, supra note 13, at 18146. The 30 burden hours included 15 hours by a Compliance Manager and 15 hours by an Attorney. See id.
1406 See Proposing Release, supra note 13, at 18145. The 130 burden hours included 30 hours by a Compliance Attorney and 100 hours by a Senior Systems Analyst. See id. at 18146.
This estimate was based on Commission staff’s experience with the ARP Inspection Program. See id. at 18145, n. 371. The Commission noted in the SCI Proposal that this proposed requirement was not addressed by the ARP Inspection Program. See id. at 18145.
1407 See Proposing Release, supra note 13, at 18145.
1408 See id.
1409 See id. at 18146, and proposed Rules 1000(b)(2)(ii) and (iii).
1410 See id. at 18146. The 180 burden hours included 30 hours by a Compliance Attorney and 150 hours by a Senior Systems Analyst. See id. This estimate was based on Commission staff’s experience with the ARP Inspection Program and OCIE examinations, which review policies and procedures of registered entities in conjunction with examinations of such entities for compliance with the federal securities laws. See id. at 18146, n. 383.
1411 See id. at 18146. The 120 burden hours included 20 hours by a Compliance Attorney and 100 hours by a Senior Systems Analyst. See id. This estimate was based on Commission staff’s experience with the ARP Inspection Program. See id. at 18146, n. 384.
that is not an SRO would spend approximately 60 hours to review and update such policies and procedures.1412 In the SCI Proposal, the Commission also estimated that all SCI entities would conduct most of the work associated with proposed Rule 1000(b)(2) internally.1413 However, the Commission estimated that SCI entities would seek outside legal and/or consulting services in the initial preparation of the policies and procedures at an average cost of $20,000 per SCI entity.1414 Several commenters noted that the Commission underestimated the paperwork burden of proposed Rules 1000(b)(1) and (b)(2).
One commenter noted that the systems covered by proposed Rules 1000(b)(1) and (b)(2) are very complex and a first draft of the required policies and procedures would take far more than the estimated number of hours to complete and keep up-to-date.1415 With respect to proposed Rule 1000(b)(2), this commenter stated that the breadth of the rule is extremely comprehensive because it requires policies and procedures that are designed to ensure that SCI systems ‘‘comply with the federal securities laws and rules and regulations thereunder’’ and operate ‘‘in the manner intended.’’ 1416 Another commenter noted that the hour burdens did not take into account the appropriate level of management review in connection with the development of the policies and procedures.1417 This commenter also
1412 See id. at 18146. The 60 burden hours included 10 hours by a Compliance Attorney and 50 hours by a Senior Systems Analyst. See id.
1413 See id. at 18145.
1414 See id.
1415 See Omgeo Letter at 31–32, 34. According to this commenter, the implementation of its current information security policy framework and related standards took approximately 18 months and over 1600 work hours to put in place. See id. This commenter noted that proposed Rule 1000(b)(1) would be far more labor and resource intensive because security is just one of the proposed seven areas of policy and standards development this new rule would require. See id.
1416 See id. at 34.
1417 See MSRB Letter at 28–29. This commenter stated that the Commission placed too much reliance on its experience with the ARP Inspection Program, which was ‘‘a voluntary program that did not create potential legal liabilities for noncompliance, and may not take into account the heightened need for high-level supervision that a rule-based requirement would entail.’’ See id. at 29. See also infra Sections IV.B.3.c and VI.C.2.b (discussing the Commission’s view on the potential for liability resulting from requirements under Regulation SCI).
See also Omgeo Letter at 32 (noting that the estimate of 210 hours for proposed Rule 1000(b)(1) is unrealistic because the estimate should include not only the drafting of the required policies and procedures, but also their review and approval by senior management) and 35 (noting that the burden estimate of proposed Rule 1000(b)(2)
noted that policies and procedures developed to achieve compliance with Regulation SCI can potentially impact other areas of the SCI entity and other SCI entities, and therefore an SCI entity would broadly review the policies and procedures to ensure that they do not conflict with other policies, procedures, practices, and processes and revise the policies and procedures accordingly.1418 Therefore, this commenter argued that the Commission did not include adequate estimates for the substantial amount of time required by senior management and others in the organization, as well as the persons identified in the SCI Proposal, in: Understanding the breadth and depth of the requirements established by proposed Regulation SCI; determining which systems of the SCI entity fall into the various categories of systems described in proposed Regulation SCI; assessing, growing and potentially reorganizing large portions of the SCI entity’s workforce to align with the requirements of proposed Regulation SCI; and establishing and conducting extensive training curriculum to ensure appropriate personnel fully understand their new or changed duties; and any number of other collateral effects of the new requirements.1419 This commenter suggested that a more accurate estimate of the paperwork burden from proposed Rule 1000(b)(1) would be three to four times the estimate in the SCI Proposal, and the allocation of the burden hours should be weighted more heavily toward more senior staff of the organization.1420 One commenter stated that the 50% baseline for SCI entities that are currently under the ARP Inspection Program
does not account for the significant expansion of the requirements if the definition of SCI system is construed broadly, and as a result, the burden estimates may be too low.1421 One commenter agreed with the Commission that ongoing paperwork burdens for compliance with proposed Rules 1000(b)(1) and (b)(2) should be lower than the initial burden.1422 However, this commenter stated that the estimated ongoing burden is understated, but likely to a lesser extent than with respect to the initial burden.1423 Another commenter also noted that, given the complexity of the
does not reflect the review and direction of senior managers); and CME Letter at 3, n. 5.
1418 See MSRB Letter at 29.
1419 See id. at 30.
1420 See id.
1421 See FINRA Letter at 7.
1422 See MSRB Letter at 31.
1423 See id.
underlying systems and the requirements of proposed Rule 1000(b)(1), significantly more effort and time will be required on an ongoing basis to comply with that rule.1424 One commenter noted that the establishment of the policies and procedures under proposed Rules 1000(b)(1) and (b)(2) would not be conducive to outsourcing, although an SCI entity might incur some cost for outside counsel for consultation purposes.1425 On the other hand, another commenter argued that the Commission’s burden estimate for proposed Rule 1000(b)(1) ‘‘is inaccurate because of its mistaken assumption that SCI entities would not seek guidance from outside consultants and attorneys.’’ 1426 This commenter noted that, given the rates charged by large law firms and consulting firms, an estimate of approximately $100,000 for each exempt clearing agency subject to ARP is more realistic than the $20,000 estimated in the SCI Proposal.1427 This commenter similarly noted that the burden estimate for proposed Rule 1000(b)(2) failed to account for the costs associated with using outside counsel or an outside
consulting firm to help draft the policies and procedures.1428 As discussed in detail above in Sections IV.B.1 and IV.B.2, the Commission is adopting proposed Rules 1000(b)(1) and (b)(2) as Rules 1001(a) and (b), respectively, with certain modifications. As adopted, Rule 1001(a)(1), consistent with the proposal, requires each SCI entity to establish, maintain, and enforce written policies and procedures reasonably designed to ensure that its SCI systems and, for purposes of security standards, indirect SCI systems, have levels of capacity, integrity, resiliency, availability, and security, adequate to maintain the SCI entity’s operational capability and promote the maintenance of fair and orderly markets. Adopted Rule 1001(a)(2), consistent with the proposal, provides the minimum required elements of such policies and procedures. Some of these elements were modified from the proposal,1429
1424 See Omgeo Letter at 32, n. 63.
1425 See MSRB Letter at 31.
1426 See Omgeo Letter at 32.
1427 See id. at 32, n. 64.
1428 See id. at 35.
1429 See, e.g., Rules 1001(a)(2)(i) (requiring policies and procedures with respect to the establishment of reasonable current and future ‘‘technological infrastructure capacity planning estimates’’ rather than simply ‘‘capacity planning estimates’’); 1001(a)(2)(iv) (requiring policies and procedures with respect to ‘‘regular reviews and testing, as applicable,’’ of systems to identify vulnerabilities rather than ‘‘regular reviews and testing’’ of systems); and 1001(a)(2)(v) (requiring
and one adopted element was not included in the proposal.1430 As compared to proposed Rule 1000(b)(2), which required written policies and procedures reasonably designed to ensure that SCI systems operate ‘‘in the manner intended, including in a manner that complies with the federal securities laws,’’ adopted Rule 1001(b)(1) requires an SCI entity to establish, maintain, and enforce written policies and procedures reasonably designed to ensure that its SCI systems operate in a manner that complies with the Exchange Act and the rules and regulations thereunder, and the entity’s rules and governing documents, as applicable.1431 Further, rather than adopting the proposed safe harbor for SCI entities, Rule 1001(b)(2) provides the minimum required elements of such policies and procedures.
Some of these elements were modified from the proposed safe harbor elements,1432 and one element of the proposed safe harbor is not included in Rule 1001(b)(2).1433 With respect to the view of a commenter that the systems covered by proposed Rules 1000(b)(1) and (2) are very complex and that the Commission underestimated the burdens associated with completing and updating the required policies and procedures,1434
policies and procedures with respect to business continuity and disaster recovery plans that are ‘‘reasonably designed to achieve’’ next business day resumption of trading and two-hour resumption of ‘‘critical SCI systems’’ rather than ‘‘to ensure’’ next business day resumption of trading and two-hour resumption of ‘‘clearance and settlement services’’). See also supra Section IV.B.1.b.ii (discussing modifications from the SCI Proposal in adopted Rule 1001(a)(2)).
1430 See Rule 1001(a)(2)(vii) (requiring policies and procedures with respect to monitoring of systems to identify potential SCI events).
1431 See supra Section IV.B.2.a.
1432 See Rules 1001(b)(2)(iii) (requiring policies and procedures with respect to ‘‘a plan for assessments’’ of systems compliance rather than both ‘‘ongoing monitoring’’ and ‘‘assessments’’ of systems compliance) and 1001(b)(2)(iv) (requiring policies and procedures with respect to ‘‘a plan of coordination and communication between regulatory and other personnel of the SCI entity, including by responsible SCI personnel’’ regarding SCI systems rather than ‘‘review by regulatory personnel of SCI systems’’). See also supra Section IV.B.2.c (discussing modifications from the SCI Proposal in adopted Rule 1001(b)(2)).
1433 See proposed Rule 1000(b)(2)(ii)(A)(2) (periodic testing of all SCI systems and any changes to such systems after their implementation).
1434 See supra note 1415 and accompanying text.
As noted above, one commenter stated that its current information security policy framework and related standards took over 1,600 hours to put in place, and that security is just one of the seven areas of policies and standards proposed to be required. See supra note 1415. The Commission notes that, to the extent an SCI entity already has adequate policies and procedures in place with respect to systems capacity, integrity, resiliency, availability, security, and compliance, Rules 1001(a) and (b) will
the Commission believes that most, if not all, SCI entities already have some policies and procedures related to systems capacity, integrity, resiliency, availability, security, and compliance, although such policies and procedures differ in a variety of respects from the requirements under Regulation SCI. Also, in adopting Regulation SCI, the Commission has reduced the burdens for proposed Rules 1000(b)(1) and (2) from the SCI Proposal in a variety of ways, including by, for example: Refining the definition of SCI systems; more explicitly recognizing that some systems pose greater risk than others to the maintenance of fair and orderly markets and imposing obligations that allow for risk-based considerations; and providing that staff guidance on current SCI industry standards be characterized as providing examples of publications describing processes, guidelines, frameworks, or standards for an SCI entity to consider looking to in developing reasonable policies and procedures, rather than strictly as listing industry standards.
At the same time, the Commission acknowledges commenters’ feedback with respect to the burden of the rules and thus is doubling the burden estimates for the policies and procedures under Rules 1000(b)(1) and (2).1435 The Commission notes that, as part of this approach, it doubled the ongoing burden estimates in part in response to comment stating that significantly more effort and time will be required on an ongoing basis to comply with proposed Rule 1000(b)(1).1436 As noted above, some commenters noted that the policies and procedures could potentially impact other areas of the SCI entity and other SCI entities, and therefore would result in more burden hours to ensure that the policies and procedures do not conflict with other policies, procedures, practices, and processes, and would require greater involvement of senior management and others in an SCI
not impose significant additional paperwork burden on the entity.
1435 In response to the commenter that suggested the initial burden for proposed Rule 1000(b)(1) would be three to four times that estimated in the SCI Proposal, the Commission believes that because it further focused the requirements associated with proposed Rules 1000(b)(1) and (2) in a variety of ways described above, resulting in reduced burden estimates as compared to the SCI Proposal, the commenter’s estimate based on the proposal is too high. See supra note 1420. Based on Commission staff experience, the Commission believes it is more appropriate to double the estimated initial SCI entity staff burden and also add senior management time.
1436 See supra note 1424.
entity.1437 Similarly, some commenters noted that the establishment, maintenance, and enforcement of the policies and procedures would involve senior management review.1438 The Commission agrees with these comments and is adjusting the estimated paperwork burden. Specifically, in the SCI Proposal, the Commission included senior management review as part of its estimated burden hours for Compliance Managers in connection with the policies and procedures requirements under Rules 1001(a) and (b).1439 However, in response to comments and based on Commission staff experience, the Commission is additionally including burden estimates for a Director of Compliance (10 hours initially, 5 hours annually) and Chief Compliance Officer 1440 (20 hours initially, 10 hours annually) with respect to both Rules 1001(a) and (b).1441 The Commission reiterates that these estimates are averages across all SCI entities—some SCI entities may spend more hours in connection with the establishment, maintenance, and enforcement of the policies and procedures than the Commission’s estimates, while others may spend
1437 See supra notes 1418–1419 and accompanying text.
1438 See supra notes 1417, 1419, and 1420 and accompanying text. According to one commenter, the Commission’s burden estimates for the policies and procedures did not account for the time required to determine which systems would fall into the various categories of systems. See supra note 1419 and accompanying text. The Commission disagrees with this view and notes that the burden of identifying various types of systems and events are discussed below in Section V.D.3. In addition, this commenter expressed concern that the Commission’s estimates did not account for assessing, growing, and reorganizing an SCI entity’s workforce; establishing and conducting training; and other collateral effects of the new requirements.
See supra note 1419 and accompanying text. As discussed throughout this section, the Commission has increased the burden estimates for Rules 1001(a) and (b) in response to comments.
1439 See supra note 1402.
1440 The Chief Compliance Officer burden estimates include the time spent by other senior officers, including Chief Information Officers and Chief Information Security Officers, as appropriate for a particular requirement under Regulation SCI.
1441 In estimating the number of burden hours to be spent by senior management, the Commission is not making a distinction between SCI entities that currently participate in the ARP Inspection Program and SCI entities that do not. In contrast to the Commission’s estimate with regard to non-senior staff of SCI entities that currently participate in the ARP Inspection Program, who the Commission believes could be subject to less burden in drafting the policies and procedures because these SCI entities already have certain policies and procedures in place, the Commission believes that all senior management, regardless of whether an SCI entity participates in the ARP Inspection Program, would require a similar number of hours to review such policies and procedures to ensure compliance with Regulation SCI.
less.1442 Each SCI entity is required to determine for itself what is required for its staff and senior managers to do in order for the SCI entity to comply with Rules 1001(a) and (b).
After considering the views of commenters, and because Rule 1001(a) requires an additional element to be included in the policies and procedures (i.e., monitoring of systems to identify SCI events), the Commission estimates that an SCI entity that has not previously participated in the ARP Inspection Program would require an average of 534 burden hours initially to develop and draft the policies and procedures required by that rule (except for the policies and procedures for standards that result in systems being designed, developed, tested, maintained, operated, and surveilled in a manner that facilitates the successful collection, processing, and dissemination of market data, which is discussed below),1443 or 7,476 hours for all such SCI entities.1444 The Commission estimates that an SCI entity that has not previously participated in the ARP Inspection Program would require an average of 159 hours annually to review and update such
1442 For example, some SCI entities have more complex systems than others, and current practices of some SCI entities already comply with certain requirements of Regulation SCI to some extent.
1443 As noted above, the Commission is doubling its estimate of the burden for staff of SCI entities. 210 hours × 2 = 420 hours. 420 hours ÷ 5 × 6 = 504 hours to establish policies and procedures that contain six elements, as opposed to the five in the SCI Proposal. The 504 burden hours include 192 hours by a Compliance Manager, 192 hours by an Attorney, 60 hours by a Senior Systems Analyst, and 60 hours by an Operations Specialist. This burden hour allocation is based on the allocation in the SCI Proposal. See Proposing Release, supra note 13, at 18146.
As noted above, as compared to the proposal, the Commission is estimating an additional 20 hours by a Chief Compliance Officer and 10 hours by a Director of Compliance to reflect the views of commenters that compliance with the proposed policies and procedures requirements would require greater senior management involvement. See supra notes 1440–1441 and accompanying text. 504 hours + Chief Compliance Officer at 20 hours + Director of Compliance at 10 hours = 534 hours.
1444 As noted above, all of the national securities exchanges (18), national securities associations (1), registered clearing agencies (7), and plan processors (2) currently participate on a voluntary basis in the ARP Inspection Program. In addition, 1 ATS and 1 exempt clearing agency subject to ARP participate in the ARP Inspection Program, for a total of 30 SCI entities that currently participate in the ARP Inspection Program. Therefore, 14 SCI entities do not participate in the ARP Inspection Program. 534 hours × 14 SCI entities that do not participate in the ARP Inspection Program = 7,476 hours.
policies and procedures,1445 or 2,226 hours for all such SCI entities.1446 With respect to SCI entities that currently participate in the ARP Inspection Program, the Commission continues to believe that a 50% baseline for these SCI entities in terms of staff burden hours is appropriate because although these entities already have substantial policies and procedures in place, the rule would require these entities to devote substantial time to review and revise their existing policies and procedures to ensure that they meet all of the rule requirements.1447 However, the Commission does not believe that a 50% baseline would be appropriate for these SCI entities in terms of senior management review of the policies and procedures.
Specifically, as noted above, the Commission believes that, although these entities already have substantial policies and procedures in place, senior management of all SCI entities, regardless of whether an SCI entity currently participates in the ARP Inspection Program, would require a similar number of hours to review the SCI entity’s policies and procedures to ensure compliance with the new requirements under Regulation SCI.1448
1445 As noted above, the Commission is doubling its estimate of the burden for staff of SCI entities. 60 hours × 2 = 120 hours. 120 hours ÷ 5 × 6 = 144 hours annually to review and update policies and procedures that contain six elements, as opposed to the five in the SCI Proposal. The 144 burden hours include 57 hours by a Compliance Manager, 57 hours by an Attorney, 15 hours by a Senior Systems Analyst, and 15 hours by an Operations Specialist. As compared to the proposal, the Commission is additionally allocating burden hours to Senior Systems Analysts and Operations Specialists. Also, as noted above, as compared to the proposal, the Commission is estimating an additional 10 hours by a Chief Compliance Officer and 5 hours by a Director of Compliance to reflect the views of commenters that compliance with the proposed policies and procedures requirements would require greater senior management involvement. See supra notes 1440–1441 and accompanying text. 144 hours + Chief Compliance Officer at 10 hours + Director of Compliance at 5 hours = 159 hours.
1446 159 hours × 14 SCI entities that do not participate in the ARP Inspection Program = 2,226 hours. The Commission believes that the increases in the ongoing burden estimates for Rules 1001(a) and (b) are consistent with the comment that the Commission underestimated the ongoing burdens associated with proposed Rules 1000(b)(1) and (2), but to a lesser extent than with respect to the initial burden. See supra notes 1423–1424 and accompanying text.
1447 With respect to a commenter’s view that the 50% baseline does not account for the significant expansion of the requirements, the Commission notes that the 50% baseline merely indicates the difference between the level of burden imposed on SCI entities that participate in the ARP Inspection Program and SCI entities that do not. See supra note 1421 and accompanying text. As discussed above, the Commission has increased its burden estimates in response to comments.
1448 See supra note 1441.
The Commission estimates that an SCI entity that currently participates in the ARP Inspection Program would require an average of 282 burden hours initially to develop and draft the policies and procedures required by Rule 1001(a) (except for the policies and procedures for standards that result in systems being designed, developed, tested, maintained, operated, and surveilled in a manner that facilitates the successful collection, processing, and dissemination of market data),1449 or 8,460 hours for all such SCI entities.1450 The Commission estimates that an SCI entity that currently participates in the ARP Inspection Program would require an average of 87 hours annually to review and update such policies and procedures,1451 or 2,610 hours for all such SCI entities.1452 With respect to the requirement in Rule 1001(a)(2)(vi) for policies and procedures that provide for standards that result in systems being designed, developed, tested, maintained, operated, and surveilled in a manner that facilitates the successful collection, processing, and dissemination of market
1449 As noted above, the Commission is doubling its estimate of the burden for staff of SCI entities. 105 hours × 2 = 210 hours.
210 hours ÷ 5 × 6 = 252 hours to establish policies and procedures that contain six elements, as opposed to the five in the SCI Proposal. The 252 burden hours include 96 hours by a Compliance Manager, 96 hours by an Attorney, 30 hours by a Senior Systems Analyst, and 30 hours by an Operations Specialist. This burden hour allocation is based on the allocation in the SCI Proposal. See Proposing Release, supra note 13, at 18146. As noted above, as compared to the proposal, the Commission is estimating an additional 20 hours by a Chief Compliance Officer and 10 hours by a Director of Compliance to reflect the views of commenters that compliance with the proposed policies and procedures requirements would require greater senior management involvement. See supra notes 1440–1441 and accompanying text. 252 hours + Chief Compliance Officer at 20 hours + Director of Compliance at 10 hours = 282 hours.
1450 282 hours × 30 SCI entities that participate in the ARP Inspection Program = 8,460 hours.
1451 As noted above, the Commission is doubling its estimate of the burden for staff of SCI entities. 30 hours × 2 = 60 hours. 60 hours ÷ 5 × 6 = 72 hours to review and update policies and procedures that contain six elements, as opposed to the five in the SCI Proposal. The 72 burden hours include 28 hours by a Compliance Manager, 28 hours by an Attorney, 8 hours by a Senior Systems Analyst, and 8 hours by an Operations Specialist. As compared to the proposal, the Commission is additionally allocating burden hours to Senior Systems Analysts and Operations Specialists. Also, as noted above, as compared to the proposal, the Commission is estimating an additional 10 hours by a Chief Compliance Officer and 5 hours by a Director of Compliance to reflect the views of commenters that compliance with the proposed policies and procedures requirements would require greater senior management involvement. See supra notes 1440–1441 and accompanying text.
72 hours + Chief Compliance Officer at 10 hours + Director of Compliance at 5 hours = 87 hours.
1452 87 hours × 30 SCI entities that participate in the ARP Inspection Program = 2,610 hours.
data, the Commission estimates that each SCI entity would spend 160 hours initially,1453 or 7,040 hours for all SCI entities.1454 The Commission estimates that each SCI entity would spend 145 hours annually,1455 or 6,380 hours annually for all SCI entities.1456 As noted above, one commenter argued that, given the rates charged by large law firms and consulting firms, an estimate of $100,000 is more appropriate for the cost of outsourcing under proposed Rule 1000(b)(1).1457 After considering the view of this commenter and because the Commission is increasing its estimated burden hours for compliance with Rule 1001(a), the Commission is similarly increasing its estimate of the outsourcing cost for complying with Rule 1001(a). In particular, because the Commission doubled the non-senior staff burden estimate for Rule 1001(a) in
1453 This estimate includes 130 hours by staff of an SCI entity, as estimated in the SCI Proposal, and 30 hours by senior management. The 130 burden hours include 30 hours by a Compliance Attorney and 100 hours by a Senior Systems Analyst. See Proposing Release, supra note 13, at 18146. This burden hour allocation is based on the allocation in the SCI Proposal. See Proposing Release, supra note 13, at 18146. As noted above, as compared to the proposal, the Commission is estimating an additional 20 hours by a Chief Compliance Officer and 10 hours by a Director of Compliance to reflect the views of commenters that compliance with the proposed policies and procedures requirements would require greater senior management involvement. See supra notes 1440–1441 and accompanying text. 130 hours + Chief Compliance Officer at 20 hours + Director of Compliance at 10 hours = 160 hours.
Unlike the burden estimates for complying with the rest of Rule 1001(a), the Commission does not believe it would be appropriate to double its proposed 130 hour staff burden estimate for Rule 1001(a)(2)(vi). Based on Commission staff experience, the Commission believes that these policies and procedures would not be so complex as to result in doubling the proposed burden estimate. The Commission also notes that the burden estimate for Rule 1001(a)(2)(vi) is already significantly higher than the estimated burden for the other individual policies and procedures required under Rule 1001(a)(2). In particular, the Commission estimates 160 hours for this one provision and 534 hours in total for the six other provisions of Rule 1001(a)(2) for non-ARP participants (which results in approximately 89 hours for each of those six other provisions).
1454 160 hours × 44 SCI entities = 7,040 hours.
1455 This estimate includes 130 hours by staff of an SCI entity, as estimated in the SCI Proposal, and 15 hours by senior management. The 130 burden hours include 30 hours by a Compliance Attorney and 100 hours by a Senior Systems Analyst. See Proposing Release, supra note 13, at 18146. 130 hours + Chief Compliance Officer at 10 hours + Director of Compliance at 5 hours = 145 hours.
1456 145 hours × 44 SCI entities = 6,380 hours.
1457 See supra note 1427 and accompanying text. This commenter also argued that the Commission mistakenly assumed that SCI entities would not seek guidance from outside consultants or attorneys. See supra note 1426 and accompanying text. However, the Commission did account for outsourcing cost in the SCI Proposal and does so here, as well.
response to comments that the Commission underestimated the burden in the proposal, the Commission believes it is appropriate to similarly double its estimate of the outsourcing cost for complying with Rule 1001(a).
As noted above in the context of the burden estimate for Rule 1001(a), the Commission believes that, by doubling its outsourcing cost estimate, the Commission has incorporated the views of commenters that the Commission underestimated the burden, and at the same time accounted for changes to the proposal that reduce the burden from the SCI Proposal. Further, the Commission acknowledges that some SCI entities may have more complex systems and policies and procedures, may outsource more of the work associated with the policies and procedures,1458 or may outsource the work to more expensive law firms and consulting firms than others. Therefore, the Commission believes that while some SCI entities may incur more outsourcing cost than the Commission’s estimate, other SCI entities may incur less than the Commission’s estimate. The Commission does not believe that a commenter’s $100,000 estimate is more appropriate given that there will be differences among SCI entities in the extent of outsourcing and in the rates of outside firms. Because Rule 1001(a) requires an additional element to be included in the policies and procedures as compared to proposed Rule 1000(b)(1) (i.e., monitoring of systems to identify SCI events), the Commission now estimates that on average, each SCI entity would seek outside legal and/or consulting services in the initial preparation of the policies and procedures at a cost of approximately $47,000,1459 or $2,068,000 for all SCI entities.1460 With respect to the view of a commenter that the Commission underestimated the paperwork burden under proposed Rule 1000(b)(2) because that rule is extremely extensive,1461 the Commission notes that, as adopted, Rule 1001(b) requires policies and procedures to be reasonably designed to ensure, in part, that SCI systems ‘‘operate in a manner that complies with
1458 For example, smaller SCI entities may not have the same level of in-house expertise as larger SCI entities.
1459 As noted above, the Commission is doubling its estimate of the outsourcing cost for SCI entities. $20,000 × 2 = $40,000. The Commission is also revising this cost estimate to reflect that Rule 1001(a) requires seven specific elements to be included in the policies and procedures, as opposed to the six in the proposed rule. $40,000 ÷ 6 × 7 = $46,667.
1460 $47,000 × 44 SCI entities = $2,068,000.
1461 See supra note 1416.
the Act and the rules and regulations thereunder.’’ As adopted, this rule no longer refers to compliance with ‘‘the federal securities laws and rules and regulations thereunder’’ and operation ‘‘in the manner intended.’’ Nevertheless, as noted above, after considering the views of commenters that the Commission underestimated the paperwork burden under proposed Rule 1000(b)(2), the Commission is doubling its estimates from the proposal (which were focused on the burden for SCI entity staff), and is increasing its estimates to account for senior management review of the policies and procedures. The Commission now estimates that each SCI entity would spend 270 hours initially to design the systems compliance policies and procedures,1462 or 11,880 hours for all SCI entities.1463 The Commission estimates that each SCI SRO would spend approximately 175 hours annually to review and update such policies and procedures,1464 or 4,725 hours for all SCI SROs.1465 The Commission estimates that each SCI entity that is not an SRO would spend approximately 95 hours to review and update such policies and
1462 As noted above, the Commission is doubling its estimate of the burden for staff of SCI entities. 180 hours × 2 = 360 hours. 360 hours ÷ 6 × 4 = 240 hours to establish policies and procedures that contain four elements at a minimum, as opposed to the six in the SCI Proposal.
The 240 burden hours include 40 hours by a Compliance Attorney and 200 hours by a Senior Systems Analyst. This burden hour allocation is based on the allocation in the SCI Proposal. See Proposing Release, supra note 13, at 18146. As noted above, as compared to the proposal, the Commission is estimating an additional 20 hours by a Chief Compliance Officer and 10 hours by a Director of Compliance to reflect the views of commenters that compliance with the proposed policies and procedures requirements would require greater senior management involvement. See supra notes 1440–1441 and accompanying text. 240 hours + Chief Compliance Officer at 20 hours + Director of Compliance at 10 hours = 270 hours.
1463 270 hours × 44 SCI entities = 11,880 hours.
1464 As noted above, the Commission is doubling its estimate of the burden for staff of SCI entities. 120 hours × 2 = 240 hours. 240 hours ÷ 6 × 4 = 160 hours to review and update policies and procedures that contain four elements at a minimum, as opposed to the six in the SCI Proposal. The 160 burden hours include 26 hours by a Compliance Attorney and 134 hours by a Senior Systems Analyst. This burden hour allocation is based on the allocation in the SCI Proposal. See Proposing Release, supra note 13, at 18146. As noted above, as compared to the proposal, the Commission is estimating an additional 10 hours by a Chief Compliance Officer and 5 hours by a Director of Compliance to reflect the views of commenters that compliance with the proposed policies and procedures requirements would require greater senior management involvement. See supra notes 1440–1441 and accompanying text. 160 hours + Chief Compliance Officer at 10 hours + Director of Compliance at 5 hours = 175 hours.
1465 175 hours × 27 SCI SROs = 4,725 hours.
procedures,1466 or 1,615 hours for all such SCI entities.1467 As noted above, similar to the burden estimates for proposed Rule 1000(b)(1), one commenter argued that the Commission underestimated the outsourcing cost under proposed Rule 1000(b)(2).1468 Similar to the discussion above related to Rule 1001(a),1469 after considering the view of this commenter and because the Commission is increasing its estimated burden hours for compliance with Rule 1001(b), the Commission is doubling its estimate of the outsourcing cost for complying with Rule 1001(b). The Commission now estimates that on average, each SCI entity would seek outside legal and/or consulting services in the initial preparation of the policies and procedures at a cost of approximately $27,000,1470 or $1,188,000 for all SCI entities.1471 Adopted Rules 1001(a)(3) and (b)(3) explicitly require each SCI entity to periodically review the effectiveness of the policies and procedures required by Rules 1001(a) and (b), respectively, and to take prompt action to remedy deficiencies in such policies and procedures. The Commission notes that the paperwork burden related to the review of the policies and procedures, and remedying deficiencies in policies and procedures, is included in the estimated annual ongoing burden of Rules 1001(a) and (b). Rule 1001(c)(1), which was not included in the proposal, requires each SCI entity to establish, maintain, and enforce reasonably designed written policies and procedures that include the criteria for identifying responsible SCI personnel, the designation and documentation of responsible SCI
1466 As noted above, the Commission is doubling its estimate of the burden for staff of SCI entities. 60 hours × 2 = 120 hours. 120 hours ÷ 6 × 4 = 80 hours to review and update policies and procedures that contain four elements at a minimum, as opposed to the six in the SCI Proposal.
The 80 burden hours include 14 hours by a Compliance Attorney and 66 hours by a Senior Systems Analyst. This burden hour allocation is based on the allocation in the SCI Proposal. See Proposing Release, supra note 13, at 18146. 80 hours + Chief Compliance Officer at 10 hours + Director of Compliance at 5 hours = 95 hours.
1467 95 hours × 17 non-SRO SCI entities = 1,615 hours.
1468 See supra note 1428 and accompanying text.
1469 See supra notes 1457–1458 and accompanying text.
1470 As noted above, the Commission is doubling its estimate of the outsourcing cost for SCI entities. $20,000 × 2 = $40,000. The Commission is also revising this cost estimate to reflect that Rule 1001(b) will result in the inclusion of at least four elements in the policies and procedures, as opposed to the six in the proposed rule. $40,000 ÷ 6 × 4 = $26,667.
1471 $27,000 × 44 SCI entities = $1,188,000.
personnel,1472 and escalation procedures to quickly inform responsible SCI personnel of potential SCI events. Like adopted Rules 1001(a)(3) and (b)(3), Rule 1001(c) requires each SCI entity periodically to review the effectiveness of these policies and procedures and to take prompt action to remedy deficiencies in policies and procedures. The Commission estimates that each SCI entity would require 114 hours initially to establish the criteria for identifying responsible SCI personnel and the escalation procedures,1473 or 5,016 hours for all SCI entities.1474 The Commission also estimates that each SCI entity would require 39 hours annually to review and update the criteria and the escalation procedures,1475 or 1,716 hours for all
1472 The paperwork burden associated with the documentation of responsible SCI personnel is included in the Commission’s estimate of the recordkeeping burden, as discussed in Section V.D.4 below.
1473 This estimate is based on the Commission’s burden estimate for Rule 1001(a), because Rule 1001(a) and Rule 1001(c) both require policies and procedures or processes. Because Rule 1001(a) (excluding Rule 1001(a)(2)(vi)) requires the establishment of six policies and procedures at a minimum and Rule 1001(c) requires the establishment of two policies and procedures, the Commission estimates that the initial burden to draft the policies and procedures required by Rule 1001(c) is one-third of the initial burden to draft the policies and procedures required by Rule 1001(a) (excluding Rule 1001(a)(2)(vi)). Further, the Commission believes that, even though Rule 1001(c) will impose paperwork burdens on SCI entities, most, if not all, SCI entities, regardless of whether they participate in the ARP Inspection Program, already have some processes in place for the designation of persons responsible for particular systems and escalation procedures. Therefore, the Commission believes it is appropriate to assume a 50% baseline for all SCI entities (as compared to the burden estimate for Rule 1001(a) for SCI entities that do not participate in the ARP Inspection Program) in terms of the staff burden for compliance with Rule 1001(c). 252 hours ÷ 3 = 84 hours. The 84 burden hours include 32 hours by a Compliance Manager, 32 hours by an Attorney, 10 hours by a Senior Systems Analyst, and 10 hours by an Operations Specialist. This burden hour allocation is based on the allocation for Rule 1001(a) (excluding Rule 1001(a)(2)(vi)). See supra note 1443. The Commission also estimates that a Chief Compliance Officer will spend 20 hours and a Director of Compliance will spend 10 hours reviewing the policies and procedures required by Rule 1001(c). 84 hours + Chief Compliance Officer at 20 hours + Director of Compliance at 10 hours = 114 hours. 
The Commission notes that, in the SCI Proposal, it also estimated the burden hours for other policies and procedures based on its burden estimate under proposed Rule 1000(b)(1). See, e.g., Proposing Release, supra note 13, at 18152, n. 442. One commenter stated that it was appropriate to base the burden estimate for proposed Rule 1000(b)(3), which would likely result in SCI entities revising their policies, on the burden estimate under proposed Rule 1000(b)(1). See infra note 1700 and accompanying text.
1474 114 hours × 44 SCI entities = 5,016 hours.
SCI entities.1476 The Commission believes that SCI entities will internally establish and maintain the policies and procedures required by Rule 1001(c) because these policies and procedures relate to internal personnel designations and internal processes.
b. Mandate Participation in Certain Testing
In the SCI Proposal, the Commission estimated that each SCI entity (other than plan processors) would spend approximately 130 hours initially to meet the requirements of proposed Rules 1000(b)(9)(i) and (ii) (i.e., the requirement to mandate participation by designated members or participants in testing and the requirement that an SCI entity coordinate required testing with other SCI entities).1477 The 130-hour estimate included 35 hours to write a proposed rule, or revise a membership/subscriber agreement or participant agreement to establish the participation requirement for designated members or participants.1478 It also included 95 hours of follow-up work (e.g., notice and schedule coordination) to ensure implementation.1479 The Commission estimated that each SCI entity (other than plan processors) would spend approximately 95 hours annually to
1475 This estimate is based on the Commission’s burden estimate for Rule 1001(a), because Rule 1001(a) and Rule 1001(c) both require policies and procedures or processes. Because Rule 1001(a) (excluding Rule 1001(a)(2)(vi)) requires the maintenance of six policies and procedures at a minimum and Rule 1001(c) requires the maintenance of two policies and procedures, the Commission estimates that the ongoing staff burden under Rule 1001(c) is one-third of the ongoing staff burden under Rule 1001(a) (excluding Rule 1001(a)(2)(vi)). As noted above, the Commission believes it is appropriate to assume a 50% baseline for all SCI entities in terms of the staff burden for compliance with Rule 1001(c). 72 hours ÷ 3 = 24 hours. The 24 burden hours include 9.5 hours by a Compliance Manager, 9.5 hours by an Attorney, 2.5 hours by a Senior Systems Analyst, and 2.5 hours by an Operations Specialist. This burden hour allocation is based on the allocation for Rule 1001(a) (excluding Rule 1001(a)(2)(vi)). See supra note 1445.
The Commission also estimates that a Chief Compliance Officer will spend 10 hours and a Director of Compliance will spend 5 hours reviewing the policies and procedures required by Rule 1001(c). 24 hours + Chief Compliance Officer at 10 hours + Director of Compliance at 5 hours = 39 hours.
1476 39 hours × 44 SCI entities = 1,716 hours.
1477 See Proposing Release, supra note 13, at 18147.
1478 See id. The 35 burden hours included 10 hours by a Compliance Manager, 15 hours by an Attorney, and 10 hours by a Compliance Clerk. See id. In establishing this estimate, the Commission considered its estimate of the burden for an SRO to file an average proposed rule change under Rule 19b–4. See id. at 18147, n. 389.
1479 See Proposing Release, supra note 13, at 18147. The 95 burden hours included 10 hours by a Compliance Manager, 15 hours by an Attorney, and 70 hours by an Operations Specialist. See id.
comply with proposed Rules 1000(b)(9)(i) and (ii).1480 In the SCI Proposal, the Commission estimated that each SCI entity (other than plan processors) would spend approximately 35 hours initially to meet the requirements of proposed Rule 1000(b)(9)(iii) (i.e., establishing standards for designating members or participants and filing such standards with the Commission, and determining, compiling, and submitting the list of designated members or participants).1481 The Commission estimated that each SCI entity (other than plan processors) would spend approximately 3 hours annually to comply with proposed Rule 1000(b)(9)(iii) (i.e., to review the designation standards to ensure that they remain up-to-date and to prepare any necessary amendments, to review the list of designated members or participants, and to update prior Commission notifications with respect to standards for designation and the list of designees).1482 The Commission also estimated that all SCI entities, other than plan processors, would conduct the work associated
with proposed Rule 1000(b)(9) internally.1483 For plan processors, the Commission estimated that proposed Rules 1000(b)(9)(i) and (ii) would carry an initial cost of $52,000 per plan processor 1484 and an annual cost of $38,000 per plan processor.1485 The Commission also estimated that proposed Rule 1000(b)(9)(iii) would carry an initial cost of $14,000 per plan
1480 See id. The 95 burden hours included 10 hours by a Compliance Manager, 15 hours by an Attorney, and 70 hours by an Operations Specialist. See id. The Commission noted that, although the initial burden included 35 hours to write a proposed rule, revise an agreement, or amend an SCI Plan, the Commission did not believe the 35-hour burden would be applicable on an ongoing basis. See id. at 18147, n. 393.
1481 See Proposing Release, supra note 13, at 18148. The 35 burden hours included 10 hours by a Compliance Manager, 15 hours by an Attorney, and 10 hours by a Compliance Clerk. See id. In establishing this estimate, the Commission considered its estimate of the burden for an SRO to file an average proposed rule filing under Rule 19b–4. See id. at 18148, n. 397.
1482 See Proposing Release, supra note 13, at 18148. The 3 burden hours included 1.5 hours by a Compliance Manager and 1.5 hours by an Attorney. See id. In establishing this estimate, the Commission has considered its estimate of the burden for an SRO to amend a Form 19b–4 rule filing. See id. at 18148, n. 401.
1483 See id. at 18145.
1484 130 hours × $400 per hour for outside legal service = $52,000. See Proposing Release, supra note 13, at 18147.
1485 95 hours × $400 per hour for outside legal service = $38,000. See id.
processor 1486 and an annual cost of $1,200 per plan processor.1487 With respect to the Commission’s estimate of the burdens under proposed Rule 1000(b)(9), one commenter noted that the estimate was effectively limited to ministerial tasks of producing a rule filing and of undertaking follow-up work in connection with implementation and does not take into account significant activities relating to the SRO rule change process (e.g., board of directors briefing and deliberation, potential notice for comment, responses to comment letters received on such notice, responses to comment letters received by the Commission on a rule filing, etc.) and understates the activities necessary to implement testing with industry participants.1488 Another commenter argued that it has contractual relationships with thousands of clients, and contract negotiations always require a great deal of time and commitment from its legal personnel.1489 This commenter also noted that while a certain significant percentage of its clients may sign the contracts without any negotiation, many do not.1490 According to this commenter, the requirements under proposed Rule 1000(b)(9) would create for it many thousands of burden hours because it would require the commenter to re-negotiate contracts with ‘‘the many thousands of clients it has already signed up.’’ 1491 One commenter noted that the requirements under proposed Rule 1000(b)(9) would not be conducive to outsourcing.1492 As discussed in detail above in Section IV.B.6, the Commission is adopting proposed Rule 1000(b)(9) as Rule 1004, with certain modifications.
Rule 1004 requires each SCI entity to establish standards for the designation of certain members or participants for business continuity and disaster recovery plan testing, to designate members or participants in accordance with these standards, to require participation by designated members or participants in such testing at least annually, and to coordinate such testing on an industry- or sector-wide basis with other SCI entities. However, adopted Rule 1004 does not require an SCI entity to notify and update the Commission of its designated members or participants and its standards for designation on Form SCI, as proposed.
1486 35 hours × $400 per hour for outside legal service = $14,000. See id. at 18148.
1487 3 hours × $400 per hour for outside legal service = $1,200. See id.
1488 See MSRB Letter at 38.
1489 See Omgeo Letter at 46. This commenter noted that its relationships with clients are often based on negotiated agreements and that clients do not automatically agree to all terms stated in the standard contract. See id. at 45.
1490 See id. at 46.
1491 See id.
1492 See MSRB Letter at 38.
Considering commenters’ view that the Commission had underestimated the burden hours associated with proposed Rule 1000(b)(9), the Commission now estimates that the requirements under Rules 1004(a) (i.e., establishment of standards for the designation of members and participants) and (c) (i.e., coordination of testing on an industry- or sector-wide basis) will initially require 360 hours for each SCI entity that is not a plan processor (e.g., establishing designation criteria by writing a proposed rule; revising a membership/subscriber agreement or participant agreement; providing notice to members or participants; scheduling the coordinated testing),1493 or 15,120 hours for all such SCI entities.1494 Further, the Commission estimates that the requirements under Rules 1004(a) and (c) will require 135 hours annually for each SCI entity that is not a plan processor,1495 or 5,670 hours for all
1493 This estimate includes 90 hours to comply with Rule 1004(a) and 270 hours to comply with Rule 1004(c). The 90 hours include 30 hours by an Attorney, 20 hours by a Compliance Manager, 10 hours by an Assistant General Counsel, 6 hours by a Chief Compliance Officer, 4 hours by a Director of Compliance, and 20 hours by a Senior Operations Manager. The Commission is substantially increasing the estimated burden over that estimated for proposed Rule 1000(b)(9)(i), and is estimating an additional 10 hours by an Assistant General Counsel, 6 hours by a Chief Compliance Officer, 4 hours by a Director of Compliance, and 20 hours by a Senior Operations Manager to reflect senior management review of the standards for designation. With respect to the comment that the estimates in the proposal did not take into account significant activities relating to the SRO rule change process, the Commission notes that the paperwork burden associated with SRO rule filings are included as part of the burden associated with Rule 19b–4. See supra note 1488 and accompanying text.
The 270 hours include 30 hours by an Attorney, 20 hours by a Compliance Manager, 10 hours by an Assistant General Counsel, 20 hours by a Chief Compliance Officer, 10 hours by a Director of Compliance, 140 hours by an Operations Specialist, and 40 hours by a Senior Operations Manager. The Commission is substantially increasing the estimated burden over that estimated for proposed Rule 1000(b)(9)(ii), and is estimating an additional 10 hours by an Assistant General Counsel, 20 hours by a Chief Compliance Officer, 10 hours by a Director of Compliance, and 40 hours by a Senior Operations Manager, in response to the view of a commenter that the estimates in the SCI Proposal underestimated the activities necessary to implement testing with industry participants. See supra note 1488 and accompanying text. The estimate of 360 hours includes the burden for designating members or participants for testing, as required by Rule 1004(b).
1494 360 hours × 42 SCI entities other than plan processors = 15,120 hours.
1495 As noted in the SCI Proposal, the Commission does not believe that there would be significant annual burden under Rule 1004(a), as the Commission believes that the designation
such SCI entities.1496 The Commission continues to believe that SCI entities (other than plan processors) would handle internally the work associated with the requirements of Rule 1004.1497 With respect to a commenter’s statement that it has contractual relationships with thousands of clients and that proposed Rule 1000(b)(9) would create many thousands of burden hours,1498 the Commission notes that adoption of a more focused designation requirement is likely to result in a smaller number of SCI entity members or participants being designated for participation in testing as compared to the SCI Proposal.
Specifically, as adopted, Rule 1004(a) requires an SCI entity to designate ‘‘members or participants that the SCI entity reasonably determines are, taken as a whole, the minimum necessary for the maintenance of fair and orderly markets’’ in the event of the activation of the business continuity and disaster recovery plans. On the other hand, proposed Rule 1000(b)(9) required participation by members or participants the SCI entity deemed necessary ‘‘for the maintenance of fair and orderly markets in the event of the activation of its business continuity and disaster recovery plans.’’ 1499 The Commission believes that SCI entities have an incentive to limit the imposition of the cost and burden associated with testing to the minimum necessary to comply with the rule, and it also believes that, given the option, most SCI entities would, in the exercise of reasonable discretion, prefer to designate fewer members or participants to participate in testing, than to designate more. Thus, even if an SCI entity individually negotiates contract modifications with certain designated members or participants, the Commission believes that the burden would be substantially less than suggested by the commenter.1500 Moreover, as noted above, taking into account commenters’ view that the Commission underestimated the burden for proposed Rule 1000(b)(9), the Commission increased its estimate for initial burden hours from 130 hours for the proposed rule to 360 hours for adopted Rule 1004. The average burden estimate associated with Rule 1004 applies to SCI entities that would need to negotiate contract modifications with members or participants. Based on its experience with plan processors, the Commission continues to believe that plan processors will outsource the work related to compliance with Rule 1004.
The Commission estimates that Rule 1004 will carry an initial cost of $144,000 per plan processor,1501 or $288,000 for all plan processors.1502 The Commission estimates that Rule 1004 will carry an annual cost of $54,000 per plan processor,1503 or $108,000 for all plan processors.1504
standards will likely not change substantially on an annual basis. See Proposing Release, supra note 13, at 18147, n. 393. The 135 hours include 15 hours by an Attorney, 10 hours by a Compliance Manager, 5 hours by an Assistant General Counsel, 10 hours by a Chief Compliance Officer, 5 hours by a Director of Compliance, 70 hours by an Operations Specialist, and 20 hours by a Senior Operations Manager. As compared to the estimated ongoing burden for proposed Rule 1000(b)(9)(ii), the Commission is estimating an additional 5 hours by an Assistant General Counsel, 10 hours by a Chief Compliance Officer, 5 hours by a Director of Compliance, and 20 hours by a Senior Operations Manager, consistent with the Commission’s estimate for the initial burden for Rule 1004.
1496 135 hours × 42 SCI entities other than plan processors = 5,670 hours.
1497 See supra note 1492 (discussing a commenter’s view that the requirements under proposed Rule 1000(b)(9) would not be conducive to outsourcing).
1498 See supra notes 1489–1491 and accompanying text.
1499 The Commission notes that, because Rule 1004 would not require all members or participants of an SCI entity to participate in business continuity and disaster recovery plan testing, Rule 1004 will not affect all of an SCI entity’s contractual relationships with clients or members or participants. Further, the Commission notes that its estimated burden for compliance with Rule 1004 is intended to reflect the average burden for all SCI entities (other than plan processors).
1500 As discussed in the Economic Analysis, the Commission estimates that each SCI entity would designate an average of 40 members or participants to participate in the necessary testing. See infra note 2065. Therefore, an SCI entity will not be required to re-negotiate contracts with ‘‘the many thousands of clients it has already signed up.’’ See supra note 1491 and accompanying text. Moreover, this commenter recognized that a significant percentage of its clients may sign the contracts without any negotiation. See supra note 1491 and accompanying text. As a result, the Commission does not expect that an SCI entity will need to negotiate with all of the estimated 40 members or participants.
1501 360 hours × $400 per hour for outside legal service = $144,000. This is based on an estimated $400 per hour cost for outside legal services. This is the same estimate used by the Commission for these services in the ‘‘Exemptions for Advisers to Venture Capital Funds, Private Fund Advisers with Less Than $150 Million Under Management, and Foreign Private Advisers’’ final rule: SEC Release No. IA–3222 (June 22, 2011); 76 FR 39646 (July 6, 2011).
1502 $144,000 × 2 plan processors = $288,000.
1503 135 hours × $400 per hour for outside legal service = $54,000. The Commission increased from its estimate in the proposal the estimated hours for the outsourced work for plan processors to be equivalent to the number of burden hours it estimated for an SCI entity that is not a plan processor (i.e., increasing the initial burden estimate from 130 hours to 360 hours and the annual burden estimate from 95 to 135 hours).
1504 $54,000 × 2 plan processors = $108,000.
2. Notification, Dissemination, and Reporting Requirements for SCI Entities
The rules under Regulation SCI that would require an SCI entity to notify the Commission of SCI events, disseminate information regarding certain SCI events, and notify the Commission of certain systems changes are discussed more fully in Sections IV.B.3.c, IV.B.3.d, and IV.B.4 above.
a. Commission Notification of SCI Events
In the SCI Proposal, the Commission estimated that each SCI entity would experience an average of 40 immediate notification SCI events 1505 per year (i.e., 40 notifications under proposed Rule 1000(b)(4)(i)), and that one-fourth of the notifications under proposed Rule 1000(b)(4)(i) would be in writing (i.e., 10 written notifications and 30 oral notifications).1506 The Commission estimated that each written notification would require 0.5 hours to prepare and submit to the Commission.1507 The Commission also estimated that each SCI entity would experience an average of 65 SCI events each year and therefore would submit 65 Commission notifications each year under proposed Rule 1000(b)(4)(ii).1508 The Commission estimated that each such notification would require an average of 20 burden hours.1509 In addition, the Commission estimated that on average, each SCI entity would submit 5 updates per year under proposed Rule 1000(b)(4)(iii), and that each update would require an average of 3 burden hours.1510 Finally, the Commission estimated that SCI entities would handle internally the work associated with the notification requirement under proposed Rule 1000(b)(4).1511 Several commenters stated that the Commission underestimated the
1505 Immediate notification SCI events included systems disruptions that an SCI entity reasonably estimated would have a material impact on its operations or on market participants, all systems compliance issues, and all systems intrusions.
1506 See Proposing Release, supra note 13, at 18148.
1507 See id. The 0.5 burden hour would be spent by an Attorney. See id. at 18149.
1508 See id. at 18148–49.
1509 See id. at 18149. The 20 burden hours included 10 hours by an Attorney and 10 hours by a Compliance Manager. See id. This estimate was based on Commission staff’s experience with the ARP Inspection Program. In determining this estimate, the Commission also considered its estimate of the burden to complete a Form 19b–4 filing, although the Commission noted that, unlike a Form 19b–4 filing, the information contained in Form SCI would only be factual. See id. at 18149, n. 410. 1510 See id. at 18149. The 3 burden hours included 1.5 hours by an Attorney and 1.5 hours by a Compliance Manager. See id. This estimate was based on Commission staff’s experience with the ARP Inspection Program. In determining this estimate, the Commission also considered its estimate of the burden for an SRO to amend a Form 19b–4. See id. at 18149, n. 410. 1511 See id. at 18148–49, n. 408, n. 411, and n. 413. number of SCI events.1512 One commenter stated that, because the proposed definition of SCI event was broad and would include minor or immaterial events, it is likely that each SCI entity could have hundreds if not thousands of SCI events on an annual basis.1513 Similarly, another commenter stated that each SCI entity could be required to report hundreds of systems disruption events each year, although the vast majority of such events would be virtually unnoticed by market participants.1514 Another commenter stated that, based on its best reading of the more expansive definitions of disruptions and intrusions, a more accurate estimate could be between 200 to 500 events per year per exchange.1515 Several commenters noted that the Commission significantly underestimated the number of updates that would be required under Rule 1000(b)(4)(iii).1516 With respect to the Commission’s estimate of the burden for Commission notification generally, one commenter noted that preparation of Form SCI will take a fair amount of time, not just to 
compile information about the SCI event, but also to review and edit the submission.1517 According to this commenter, further impediments to 1512 See Omgeo Letter at 35; BATS Letter at 11; Joint SRO Letter at 18; OTC Markets Letter at 6; and NYSE Letter at 18. However, commenters did not specify estimates for the number of systems compliance issues an SCI entity would experience each year. 1513 See Omgeo Letter at 35. According to this commenter, many of these SCI events would require written notification even though the vast majority of them would be minor and immaterial. See id. 1514 See BATS Letter at 11. This commenter also noted that the Commission did not break down the anticipated reportable events into systems disruptions, systems intrusions, and systems compliance issues. See id. 1515 See NYSE Letter at 18. See also FINRA Letter at 18, n. 32 (stating that depending on the interpretation of what constitutes a systems intrusion, it would be required to notify the Commission either: Several times a day under the broadest interpretation; three or four times per month under a narrower interpretation; or one or two times per year if limited to intrusions where there is a material impact). 1516 See Joint SRO Letter at 19; NYSE Letter at 24 (noting that it is not realistic, with respect to over 90% of SCI events, that all required activity is complete and reportable on Form SCI within 24 hours). See also FINRA Letter at 19 (noting that some complex outages can take up to several days to triage, isolate, and begin to resolve, and that based on its experience with ARP outage reporting, it can take several days to confirm the root cause of an outage and even longer to determine the appropriate resolution and how long it will take to complete). 1517 See FINRA Letter at 19. 
Similarly, another commenter noted that notifications to the Commission for SCI events and material systems changes would be considered a serious matter, and a diligent and properly considered notification would require the time and effort of numerous staff in different departments. See UBS Letter at 6. timely reporting may arise where an issue requires cross-department coordination or coordination with a joint facility or RSA client.1518 This commenter stated that the Commission notification process will take even more time where a third party’s technical and data personnel are relied on to provide initial drafts or where an RSA client requests that it have the opportunity to review all written notices before they are submitted.1519 Another commenter noted that senior management of SCI entities would want an SCI event to be investigated before it is reported to the Commission.1520 This commenter also noted that any responsible Chief Administrative Officer, Chief Financial Officer, Chief Operations Officer, Chief Compliance Officer, Chief Information Security Officer, General Counsel, and compliance attorneys and officers would want to review any report on an SCI event prior to submission to the Commission.1521 In addition, this commenter noted that the SCI entity would need to engage outside counsel and possibly other parties to review such reports.1522 With respect to the Commission’s estimate of the burden for written Commission notification under proposed Rule 1000(b)(4)(i), one commenter noted that considerable amounts of activities may be necessary to gather the information needed, to have appropriate confirmations from persons with knowledge and authority with respect to the applicable SCI system, to provide for senior management review where appropriate, and to otherwise be in a position to draft the notification.1523 Another commenter noted that Commission notification required by proposed Rule 1000(b)(4)(i) 
would require substantive input from personnel outside of the legal and compliance departments, including IT analysts and managers as well as impacted business analysts and managers.1524 This commenter estimated that each notification under proposed Rule 1000(b)(4)(i) would require 12 hours.1525 This commenter also noted that the Commission erroneously assumed that verbal notifications under proposed Rule 1518 See FINRA Letter at 19. 1519 See id. 1520 See Omgeo Letter at 35. 1521 See id. 1522 See id. at 35–36. This commenter also noted that the Commission’s estimated cost for consulting outside experts is too low. See id. at 35, n. 69. 1523 See MSRB Letter at 33. 1524 See UBS Letter at 6. This commenter expressed the same concern with respect to proposed Rule 1000(b)(4)(ii). See id. 1525 See id. 1000(b)(4)(i) would not consume the time of any employee.1526 With respect to the estimated burden under proposed Rule 1000(b)(4)(ii), one commenter noted that the estimate did not take into account the considerable amounts of activities to be undertaken by other personnel, including persons with knowledge and authority with respect to the applicable SCI system and the SCI event as well as senior management where appropriate, in order to collect and assess the appropriate information and to properly inform the attorney and compliance manager of such information in order to allow them to produce an accurate notification in compliance with proposed Rule 1000(b)(4)(ii).1527 This commenter had similar concerns with the burden estimates for proposed Rule 1000(b)(4)(iii).1528 Another commenter noted that, with respect to proposed Rule 1000(b)(4)(ii), no provision was made for the time burden that would be placed on technology personnel in the notification process.1529 Similarly, one commenter noted that the 20-hour burden estimate failed to take into account 
technology staff and business operations personnel who spend considerable time gathering facts and circumstances of a systems issue.1530 Another commenter estimated that each report under proposed Rule 1000(b)(4)(ii) will require approximately 5 hours of senior management time (including review and discussions between the Chief Administrative Officer, the Chief Compliance Officer, the Chief Information Officer, the Chief Operating Officer, and the General Counsel).1531 In addition, this commenter estimated that middle managers from its Compliance, Legal, Technology, Product, and Information Security functions would spend on average approximately 31 hours per report.1532 Further, this commenter estimated that associates from Compliance, Legal, Technology, Product, and Information Security 1526 See id. 1527 See MSRB Letter at 33. 1528 See id. at 33–34. 1529 See Joint SRO Letter at 18. This commenter also opined that, in other sections, the Commission either incorrectly assumes that no legal or outside counsel would be used, or significantly underestimates the amount of legal or outside counsel expenses. See id. at 18–19. 1530 See OCC Letter at 12. See also NYSE Letter at 18 and 34 (stating that a significant number of full time staff, including legal, compliance, technical, and operations staff, would be required to comply with the Commission notification process under proposed Rule 1000(b)(4), and that no estimate is provided for a technology staff member under Rule 1000(b)(4)(ii)). 1531 See Omgeo Letter at 36. 1532 See id. 
functions would spend approximately 53.5 hours per report.1533 With respect to the burden estimates for proposed Rule 1000(b)(4)(iii), this commenter believed that proposed Rule 1000(b)(4)(iii) could conceivably require it to update the Commission approximately half of the time it files Form SCI.1534 According to this commenter, each update would result in 1 hour of senior management time, 17 hours of middle management time, and 9 hours of associate time.1535 One commenter stated its belief that none of the activities arising under proposed Rule 1000(b)(4) would be conducive to outsourcing.1536 As discussed above in Section IV.B.3.c, the Commission is adopting the Commission notification requirements in Rule 1002(b), with certain modifications from the proposal. As adopted, the Commission notification requirements under Rules 1002(b)(1)–(4) do not apply to SCI events that had, or the SCI entity reasonably estimates would have, no or a de minimis impact on the SCI entity’s operations or on market participants.1537 Rather, each SCI entity is required to make, keep, and preserve records relating to all such SCI events, and submit quarterly reports to the Commission regarding such de minimis systems disruptions and de minimis systems intrusions.1538 Rule 1002(b)(1), similar to the proposal, requires immediate Commission notification upon any responsible SCI personnel having a reasonable basis to conclude that an SCI event has occurred. Rule 1002(b)(2), similar to the proposal, requires a written Commission notification within 24 hours of any responsible SCI personnel having a reasonable basis to conclude that the SCI event has occurred. Rule 1002(b)(2) also specifically states that the 24-hour report is required to be made on a good faith, best efforts basis. 
In addition, the information required to be disclosed to the Commission under Rule 1002(b)(2) is less comprehensive than as proposed.1539 Rule 1002(b)(3), similar to the proposal, requires SCI entities to 1533 See id. 1534 See id. 1535 See id. 1536 See MSRB Letter at 34–35. 1537 See Rule 1002(b)(5). 1538 See id. 1539 For example, an SCI entity is not required to provide the Commission a detailed description of the SCI event; a discussion of whether the SCI event is a dissemination SCI event; a description of the SCI entity’s rules and/or governing documents, as applicable, which relate to the SCI event; or an analysis of parties that may have experienced a loss due to the SCI event. provide updates pertaining to an SCI event on a regular basis, or at such frequency as reasonably requested by a representative of the Commission, until the event is resolved and the SCI entity’s investigation of the event is closed. However, Rule 1002(b)(3), unlike the proposal, does not require these updates to be in writing. Finally, Rule 1002(b)(4) includes requirements for SCI entities to submit interim written notifications, as necessary, and final written notifications regarding SCI events.1540 Specifically, if an SCI event is resolved and the SCI entity’s investigation of the SCI event is closed within 30 calendar days of the occurrence of the SCI event, then within five business days after the resolution of the SCI event and closure of the investigation regarding the SCI event, the SCI entity is required to submit a final written notification. If an SCI event is not resolved or the SCI entity’s investigation of the SCI event is not closed within 30 calendar days of the occurrence of the SCI event, then the SCI entity is required to submit an interim written notification within 30 calendar days after the occurrence of the SCI event. 
Within five business days after the resolution of such SCI event and closure of the investigation regarding such SCI event, the SCI entity is required to submit a final written notification. As noted above, some commenters expressed their view that the Commission underestimated the number of SCI events because they considered the definition of SCI event to be broad and would include minor or immaterial events.1541 These commenters estimated hundreds and even thousands of SCI events annually for each SCI entity, but noted that the majority of such events would have no 1540 The written notification is required to include (i) a detailed description of: The SCI entity’s assessment of the types and number of market participants affected by the SCI event; the SCI entity’s assessment of the impact of the SCI event on the market; the steps the SCI entity has taken, is taking, or plans to take, with respect to the SCI event; the time the SCI event was resolved; the SCI entity’s rule(s) and/or governing document(s), as applicable, that relate to the SCI event; and any other pertinent information known by the SCI entity about the SCI event; (ii) a copy of any information disseminated pursuant to Rule 1002(c) by the SCI entity to date regarding the SCI event to any of its members or participants; and (iii) an analysis of parties that may have experienced a loss, whether monetary or otherwise, due to the SCI event, the number of such parties, and an estimate of the aggregate amount of such loss. The information required to be included in the Rule 1002(b)(4) notifications is similar to the information required under proposed Rule 1000(b)(4)(iv)(A), which was related to the proposed 24-hour Commission notification. 1541 See supra notes 1513–1515 and accompanying text. 
effect on market participants.1542 As discussed above in Section IV.B.3.c, the Commission notification requirements under adopted Rule 1002(b)(1)–(4) do not apply to any SCI event that has had, or the SCI entity reasonably estimates would have, no or a de minimis impact on the SCI entity’s operations or on market participants.1543 Rather, each SCI entity would be required to keep records related to such events and submit quarterly reports that only contain a summary description of such de minimis systems disruptions and de minimis systems intrusions.1544 Further, as noted above in Section IV.A, the Commission has refined the definition of SCI systems and SCI events in various respects.1545 Therefore, the Commission does not believe that the number of SCI events subject to Rules 1002(b)(1)–(4) would be substantially higher than the Commission’s estimate in the SCI Proposal. After considering the views of commenters and in light of the more focused scope of the immediate Commission notification requirement, the Commission now estimates that each SCI entity will experience an average of 45 SCI events each year that are not de minimis SCI events, resulting in 45 written notifications under Rule 1002(b)(2) and 45 written notifications under Rule 1002(b)(4). The estimated 45 SCI events comprise 24 systems disruptions, 20 systems compliance issues, and one systems intrusion. These estimates are derived in part from the number of systems incidents reported to the Commission under the ARP Inspection Program and the number of compliance-related issues reported to the Commission by SROs.1546 In particular, the Commission notes that approximately 360 ARP incidents were reported to the Commission in 2013 by 29 entities that participated in the ARP Inspection Program.1547 Thus, 1542 See id. 1543 See Rule 1002(b)(5). 1544 See id. 1545 See Rule 1000 (defining ‘‘SCI systems’’ and ‘‘SCI event’’). 
1546 The Commission notes that only one ATS currently participates in the ARP Inspection Program and other ATSs generally do not self-report system incidents to the Commission. At the same time, the Commission acknowledges that, to the extent that some ATSs have less complex systems or perform fewer functions than other SCI entities, it is possible that these ATSs will experience fewer SCI events per year than other SCI entities. Also, as discussed more fully below, many ATSs do not have rulebooks and thus may experience fewer systems compliance issues than other SCI entities. Nevertheless, the Commission believes that an average of 45 SCI events per year (excluding de minimis SCI events) is an appropriate average across all SCI entities, including ATSs. 1547 In the SCI Proposal, the Commission noted that each entity reported an average of on average, each entity reported approximately 12 incidents in 2013, although some entities reported fewer than 12 incidents, and some entities reported significantly more than 12 incidents (i.e., over 100). By defining ‘‘systems disruption’’ for purposes of Regulation SCI and requiring Commission notification of systems disruptions, the Commission expects that more incidents will be reported pursuant to Regulation SCI than pursuant to the voluntary ARP Inspection Program. Therefore, the Commission estimates that each SCI entity will report an average of 24 systems disruptions each year that are not de minimis systems disruptions, which is double the average number of systems incidents reported by each participant under the ARP Inspection Program in 2013. Further, based on notifications received by Commission staff regarding certain SROs, each of these SROs experienced an average of 17 systems compliance-related issues in 2013. 
The notifications received by Commission staff indicate that some SROs experienced fewer than 17 systems compliance-related issues, and others experienced more than 17. The Commission believes that very few, if any, of the notifications received in 2013 would qualify as de minimis systems compliance issues under Regulation SCI. By defining ‘‘systems compliance issue’’ for purposes of Regulation SCI and requiring Commission notification of systems compliance issues, the Commission expects that more issues will be reported pursuant to Regulation SCI than pursuant to self-reporting. Therefore, the Commission estimates that each SCI entity will experience an average of 20 systems compliance issues each year that are not de minimis systems compliance issues.1548 Based on the Commission’s experience with the ARP Inspection Program, the Commission believes each SCI entity will experience on average less than one non-de minimis systems intrusion per year. However, for purposes of the PRA, the Commission approximately 6 incidents under the ARP Inspection Program in 2011, and estimated that there would be an average of 65 SCI event notices per year for each SCI entity. See Proposing Release, supra note 13, at 18148. 1548 The Commission acknowledges that SCI entities other than SCI SROs may experience fewer systems compliance issues than SCI SROs because they may not have rulebooks, and thus, one aspect of the definition of systems compliance issue would not apply to such SCI entities (i.e., operating in a manner that does not comply with the entity’s rules). estimates one non-de minimis systems intrusion per SCI entity per year.1549 With respect to the notification requirement under Rule 1002(b)(1), the Commission notes that the notification can be made orally or in writing. 
As with the SCI Proposal, the Commission estimates that one-fourth of the notifications under Rule 1002(b)(1) will be submitted in writing (i.e., approximately 11 events per year for each SCI entity),1550 and three-fourths will be provided orally (i.e., approximately 34 events per year for each SCI entity).1551 The Commission also estimates that each written notification under Rule 1002(b)(1) will require 2 hours 1552 for each SCI entity.1553 The Commission is not 1549 This estimate is lower than those provided by commenters (see supra note 1515 and accompanying text) because the adopted definitions of SCI systems and indirect SCI systems have been refined from the proposal, and because de minimis systems intrusions are required to be reported in summary format on a quarterly basis. 1550 45 SCI events ÷ 4 = 11.25 SCI events reported in writing. One commenter noted that most SCI entities would submit a writing to document that they had satisfied the notice requirement of proposed Rule 1000(b)(4)(i). See Omgeo Letter at 16. However, the Commission continues to estimate that one-fourth of the notifications under Rule 1002(b)(1) will be submitted in writing and that the rest will be provided orally. The Commission believes that it is less burdensome for an SCI entity to provide oral notification than to provide written notification and, given the requirement of Rule 1002(b)(2) to provide a written notification to the Commission within 24 hours, the Commission believes it is likely that most initial notifications submitted under Rule 1002(b)(1) would be done orally. Moreover, based on Commission staff experience, ARP participants generally provide initial notifications of systems issues orally. 1551 45 SCI events − 11 SCI events reported in writing = 34 SCI events reported orally. 
1552 The burden estimates for each rule under Regulation SCI that involves the filing of Form SCI include the burden associated with completing and electronically submitting Form SCI, and for manually signing a signature page or document, pursuant to the requirements of Rule 1006. 1553 The 2 hours include 0.5 hours by an Attorney, 0.5 hours by a Compliance Manager, 0.5 hours by a Senior Systems Analyst, and 0.5 hours by a Senior Business Analyst. As compared to the estimated burden for proposed Rule 1000(b)(4)(i), the Commission is estimating an additional 0.5 hours by Compliance Managers, 0.5 hours by Senior Systems Analysts, and 0.5 hours by Senior Business Analysts to reflect that legal personnel may need to confer with technology and business personnel before contacting the Commission regarding an SCI event, in response to the views of commenters. See supra notes 1523–1525 and accompanying text. The Commission notes that the General Counsel, Director of Compliance, Chief Compliance Officer, or other senior employees or officers of certain SCI entities may review Commission notifications under Rule 1002(b)(1) before they are submitted (orally or in writing) to the Commission. However, the Commission estimates that on average, the General Counsel, Director of Compliance, Chief Compliance Officer, or other senior employees or officers may spend a small amount of time reviewing each Rule 1002(b)(1) notification. Rather, they will spend more time reviewing the other notifications required by Rule 1002(b). significantly increasing its burden estimate for proposed Rule 1000(b)(4)(i) because Rule 1002(b)(1) requires the immediate notification of SCI events and does not specify the minimum information that must be submitted to the Commission. 
The Commission believes that, for many SCI events, an SCI entity will simply notify the Commission that an SCI event has occurred, often in a single phone call, and may not provide the Commission with additional information because it is not yet available to the SCI entity. For these reasons, contrary to the view of some commenters,1554 the Commission does not expect that the SCI entity will need to gather a considerable amount of information or significantly confer with interested parties across the entity. In particular, while the Commission estimates some burden for legal and technology personnel of SCI entities in complying with Rule 1002(b)(1), it does not believe that Rule 1002(b)(1) will result in significant burden for such personnel.1555 The Commission agrees with the view of a commenter that oral notifications would also result in burdens on an SCI entity,1556 although it expects the burden for legal and compliance personnel to be lower than in the case of written notifications because they would not need to draft and review a written document for submission to the Commission. The Commission estimates that the burden for systems and business analysts would remain the same as for written notifications because the SCI entity will still need to gather the same type of information in order to prepare an oral notification. The Commission therefore estimates that each oral notification under Rule 1002(b)(1) will require 1.5 hours for each SCI entity.1557 The Commission estimates that each SCI entity would require an average of 73 hours annually to comply with Rule 1002(b)(1),1558 or 3,212 hours for all SCI entities.1559 The Commission estimates that each written notification under Rule 1554 See supra notes 1523–1526 and accompanying text. 1555 Given that there is not a minimum amount of information that must be submitted to the Commission, the Commission believes its estimated burden hours is more appropriate than the 12 hours suggested by a commenter. 
See supra note 1525 and accompanying text. 1556 See supra note 1526 and accompanying text. 1557 The 1.5 hours include 0.25 hours by an Attorney, 0.25 hours by a Compliance Manager, 0.5 hours by a Senior Systems Analyst, and 0.5 hours by a Senior Business Analyst. 1558 11 written notifications each year × 2 hours per notification + 34 oral notifications each year × 1.5 hours per notification = 73 hours. 1559 73 hours × 44 SCI entities = 3,212 hours. 1002(b)(2) will require 24 hours for each SCI entity.1560 Contrary to the views of a commenter that each notification under proposed Rule 1000(b)(4)(ii) would require approximately 90 burden hours between senior management, middle managers, and associates from various functions (e.g., legal, compliance, technology),1561 the Commission is not significantly increasing its estimate of the burden hours from its estimate for proposed Rule 1000(b)(4)(ii) because Rule 1002(b)(2) requires less information than proposed Rule 1000(b)(4)(ii), although the Commission has revised its estimated burden hours to account for the various functions and multiple levels of review suggested by the commenter.1562 Also, because Rule 1002(b)(2) explicitly permits information to be submitted on a good faith, best efforts basis, the Commission believes that SCI entities will be able to expend less resources in reviewing each notification. Therefore, the Commission estimates that each SCI entity would require an average of 1,080 hours annually to comply with Rule 1002(b)(2),1563 or 47,520 hours for all SCI entities.1564 With respect to the number of updates required under Rule 1002(b)(3), the Commission estimates that each SCI entity will submit 6 written updates and 18 oral updates each year under that rule. These estimates are based on Commission staff’s experience with the ARP Inspection Program, systems compliance-related issues at SROs, and views of commenters. 
Specifically, most of the systems incidents reported to the 1560 The 24 hours include 5 hours by an Attorney, 5 hours by a Compliance Manager, 6 hours by a Senior Systems Analyst, 1 hour by an Assistant General Counsel, 1 hour by a Chief Compliance Officer, and 6 hours by a Senior Business Analyst. Given the modifications from proposed Rule 1000(b)(4)(ii) identified below, the Commission estimates that legal and compliance personnel will have less work in drafting the written notifications under Rule 1002(b)(2), and accordingly reduced the burden hours for Attorneys and Compliance Managers from 10 to 5. Further, as compared to the estimated burden for proposed Rule 1000(b)(4)(ii), the Commission is estimating an additional 6 hours by a Senior Systems Analyst, 1 hour by an Assistant General Counsel, 1 hour by a Chief Compliance Officer, and 6 hours by a Senior Business Analyst to reflect that legal personnel may need to confer with technology and business personnel and senior management, as well as the multiple levels of review (e.g., attorney, compliance manager, chief compliance officer), before submitting a report regarding an SCI event, in response to the views of commenters. See supra notes 1520–1521, 1527, and 1529–1533 and accompanying text. 1561 See supra notes 1531–1533 and accompanying text. 1562 See supra notes 1539 and 1560. 1563 45 written notifications each year × 24 hours per notification = 1,080 hours. 1564 1,080 hours × 44 SCI entities = 47,520 hours. Commission in 2013 were reported as resolved within 24 hours. Further, as discussed above, de minimis SCI events are not subject to the update requirement under Rule 1002(b)(3). Moreover, the Commission believes that, for some SCI events, an SCI entity will not need to provide an update under Rule 1002(b)(3), because the SCI entity will be able to quickly submit a final report under Rule 1002(b)(4). 
However, after considering the views of a commenter that some complex outages can take up to several days to triage, isolate, and begin to resolve,1565 and the views of another commenter that proposed Rule 1000(b)(4)(iii) could conceivably require it to update the Commission approximately half the time it files Form SCI,1566 the Commission is increasing its estimate of the number of updates from 5 to 24.1567 Because Rule 1002(b)(3) does not require SCI entities to submit updates in writing or on Form SCI, the Commission estimates that one-fourth of the updates will be submitted in writing, and three-fourths will be provided orally.1568 Because the SCI entity will still need to gather the same type of information in order to prepare an oral or a written update, the Commission expects that the burden for systems and business analysts will be the same for either type of update. The Commission, however, expects that the burden for legal and compliance personnel would be less in the case of oral updates because in that case, an SCI entity would not need to draft and review a written document for submission to the Commission. The Commission estimates that each written update under Rule 1002(b)(3) will require 6 hours 1569 and each oral 1565 See supra note 1516. 1566 See also supra note 1534 and accompanying text. 1567 The Commission’s estimate of 24 updates is slightly above half of the 45 written notifications estimated for Rule 1002(b)(2). See supra note 1534 (stating that the rule could conceivably require the commenter to update the Commission approximately half of the time it files Form SCI). 1568 The Commission similarly estimated one-fourth written notifications and three-fourths oral notifications in the SCI Proposal for proposed Rule 1000(b)(4)(i). See Proposing Release, supra note 13, at 18148; see also supra note 1550 and accompanying text.
1569 The 6 hours include 1.5 hours by an Attorney, 1.5 hours by a Compliance Manager, 1.5 hours by a Senior Systems Analyst, and 1.5 hours by a Senior Business Analyst. As compared to the estimated burden for proposed Rule 1000(b)(4)(iii), the Commission is estimating an additional 1.5 hours by a Senior Systems Analyst and 1.5 hours by a Senior Business Analyst to reflect that legal personnel may need to confer with technology and business personnel before contacting the Commission regarding an SCI event, in response to the view of a commenter. See supra note 1528 and accompanying text. The Commission notes that the General Counsel, Director of Compliance, Chief update will require 4.5 hours.1570 The Commission is not significantly increasing its burden estimate from proposed Rule 1000(b)(4)(iii). The Commission believes that each update will likely only reflect some of the information listed under Rules 1002(b)(1) and (2) because certain information about SCI events may not yet be available at the time the SCI entity submits such update or may not need to be updated. Therefore, contrary to one commenter’s view that each update would require 27 hours,1571 the Commission does not believe that a Rule 1002(b)(3) update will require significantly more time than as estimated in the SCI Proposal.
The Commission estimates that each SCI entity would require an average of 117 hours annually to comply with Rule 1002(b)(3),1572 or 5,148 hours for all SCI entities.1573 The Commission estimates that compliance with Rule 1002(b)(4) for a particular SCI event (which includes a final report under Rule 1002(b)(4)(i)(A) and, as applicable, an interim report under Rule 1002(b)(4)(i)(B)) will require 35 hours.1574 The Commission notes Compliance Officer, or other senior employees or officers of certain SCI entities may review the updates under Rule 1002(b)(3) before they are submitted (orally or in writing) to the Commission. However, the Commission estimates that on average, the General Counsel, Director of Compliance, Chief Compliance Officer, or other senior employees or officers may spend a small amount of time reviewing each Rule 1002(b)(3) notification because it is not the final report to the Commission on an SCI event, and the SCI entity can subsequently submit additional updates. See supra note 1535 and accompanying text (noting a commenter’s burden estimate for proposed Rule 1000(b)(4)(iii), which includes estimates for senior management review). 1570 The 4.5 hours include 0.75 hours by an Attorney, 0.75 hours by a Compliance Manager, 1.5 hours by a Senior Systems Analyst, and 1.5 hours by a Senior Business Analyst. 1571 See supra note 1535 and accompanying text. 1572 6 written updates each year × 6 hours per notification + 18 oral updates each year × 4.5 hours per notification = 117 hours. 1573 117 hours × 44 SCI entities = 5,148 hours. 1574 The 35 hours include 8 hours by an Attorney, 8 hours by a Compliance Manager, 7 hours by a Senior Systems Analyst, 2 hours by an Assistant General Counsel, 1 hour by a General Counsel, 2 hours by a Chief Compliance Officer, and 7 hours by a Senior Business Analyst. 
As compared to proposed Rule 1000(b)(4)(ii), the Commission expects the legal and compliance personnel to have less work in drafting the written notifications under Rule 1002(b)(4) because some of the information required by Rule 1002(b)(4) may already have been provided in a prior notification to the Commission, and accordingly reduced the burden hours for Attorneys and Compliance Managers from 10 to 8. Further, as compared to the estimated burden for proposed Rule 1000(b)(4)(ii), the Commission is estimating an additional 7 hours by a Senior Systems Analyst, 2 hours by an Assistant General Counsel, 1 hour by a General Counsel, 2 hours by a Chief Compliance Officer, and 7 hours by a Senior Business Analyst to reflect that legal personnel may that the information required to be provided under Rule 1002(b)(4) is similar to the information required to be provided in a notification submitted under proposed Rule 1000(b)(4)(ii). As noted above, in the SCI Proposal, the Commission estimated that each notification under proposed Rule 1000(b)(4)(ii) would require an average of 20 burden hours,1575 and some commenters argued that the Commission underestimated this burden.1576 The Commission is estimating a higher burden for Rule 1002(b)(4) as compared to proposed Rule 1000(b)(4)(ii) (i.e., 35 hours as compared to 20 hours) because the reports under Rule 1002(b)(4) constitute final reports regarding SCI events, and SCI entities will likely confer with technology and business personnel and senior management to ensure that the information provided is accurate.
For the same reason, and because Rule 1002(b)(4) (final report) requires more information than Rule 1002(b)(2), the Commission’s burden estimate for Rule 1002(b)(4) is higher than the burden estimate for Rule 1002(b)(2) (i.e., 35 hours as compared to 24 hours).1577 Nevertheless, the Commission is not substantially increasing the burden estimate as compared to proposed Rule 1000(b)(4)(ii) or adopted Rule 1002(b)(2) because it recognizes that some of the information required by Rule 1002(b)(4) may already have been provided in a prior notification to the Commission and, thus, its burden has been included in the burden estimate for Rule 1002(b)(2). Therefore, the Commission estimates that each SCI entity would require an average of 1,575 hours annually to comply with Rule 1002(b)(4),1578 or 69,300 hours for all SCI entities.1579 need to confer with technology and business personnel and senior management before submitting a final report regarding an SCI event. 1575 See supra note 1509 and accompanying text. 1576 See supra notes 1527, 1529–1533 and accompanying text. 1577 As compared to the Commission’s burden estimate for Rule 1002(b)(2), the Commission is estimating an additional 3 hours by an Attorney, 3 hours by a Compliance Manager, 1 hour by a Senior Systems Analyst, 1 hour by an Assistant General Counsel, 1 hour by a General Counsel, 1 hour by a Chief Compliance Officer, and 1 hour by a Senior Business Analyst. The type of personnel involved in compliance with Rule 1002(b)(4) is the same as those involved in compliance with Rule 1002(b)(2), except for the addition of the General Counsel. 1578 45 written notifications each year × 35 hours per notification = 1,575 hours. 1579 1,575 hours × 44 SCI entities = 69,300 hours. The Commission notes that this burden estimate includes the burden for submitting the one interim Commission notification required under Rule 1002(b)(4)(i)(B) (if necessary). 
In particular, the Commission notes that the interim notification requires SCI entities to include the same Finally, the quarterly notification under Rule 1002(b)(5) is required only to include ‘‘a summary description’’ of the SCI events. The Commission’s estimated burden reflects the Commission’s belief that most, if not all, SCI entities already have some internal documentation of de minimis SCI events. Rule 1002(b)(5) would impose more burden on SCI entities if they do not already have such internal documentation. The Commission estimates that the initial and ongoing burden to comply with the quarterly report requirement would be 40 hours per report per SCI entity,1580 or 160 hours annually per SCI entity,1581 and 7,040 hours annually for all SCI entities.1582 The Commission estimates that while SCI entities would handle internally most of the work associated with Rule 1002(b), SCI entities would seek outside legal advice in the preparation of certain Commission notifications, at an average annual cost of $45,000 per SCI entity,1583 or $1,980,000 for all SCI entities.1584 b. Dissemination of Information Regarding SCI Events In the SCI Proposal, the Commission estimated that each SCI entity would experience an average of 14 information as required to be included in a final notification under Rule 1002(b)(4)(i)(A), except that SCI entities are only required to provide the information to the extent known at the time of the interim notification. If an SCI entity submits an interim notification, it would also be required to submit a final notification, which is required to include all of the remaining information that was not provided in the interim notification.
Because all SCI entities are required to provide the same amount of information in total for a particular SCI event under Rule 1002(b)(4), regardless of whether they submit an interim notification, the estimated burden for Rule 1002(b)(4) includes the burden for both the interim notification and the final notification related to a particular SCI event. 1580 The 40 burden hours include 7.5 hours by an Attorney, 7.5 hours by a Compliance Manager, 2 hours by a Chief Compliance Officer, 2 hours by an Assistant General Counsel, 1 hour by a General Counsel, 10 hours by a Senior Business Analyst, and 10 hours by a Senior Systems Analyst. 1581 40 hours × 4 reports each year = 160 hours. 1582 160 hours × 44 SCI entities = 7,040 hours. 1583 See supra note 1522 and accompanying text (discussing the view of a commenter that SCI entities would need to engage outside parties to review the Commission notifications). But see supra note 1536 and accompanying text (discussing the view of a commenter that none of the activities arising under proposed Rule 1000(b)(4) would be conducive to outsourcing). The Commission’s estimate represents an average of $1,000 of outsourced cost for each SCI event that is not a de minimis SCI event. The $1,000 estimate is consistent with the Commission’s estimated outsourcing cost for each SCI event that is subject to the dissemination requirements under Rule 1002(c). 45 SCI events × $1,000 = $45,000. 1584 $45,000 × 44 SCI entities = $1,980,000.
dissemination SCI events 1585 each year that are not systems intrusions, resulting in an average of 14 information disseminations per year for each SCI entity under proposed Rule 1000(b)(5)(i).1586 The Commission estimated that each information dissemination under proposed Rule 1000(b)(5)(i)(A) would require an average of 3 hours to prepare and make available to members or participants.1587 The Commission estimated that each information update under proposed Rule 1000(b)(5)(i)(B) would require an average of 5 hours to prepare and make available to members or participants.1588 The Commission also estimated that, on average, each SCI entity would provide one regular update per year per dissemination SCI event under proposed Rule 1000(b)(5)(i)(C).1589 The Commission estimated that each regular update would require an average of 1 hour to prepare and make available to members or participants.1590 In the SCI Proposal, the Commission estimated that each SCI entity would experience an average of 1 dissemination SCI event that is a systems intrusion each year, resulting in 1 information dissemination per year under proposed Rule 1000(b)(5)(ii). The Commission estimated that each information dissemination would require an average of 3 hours to prepare and make available to members or participants.1591 This burden estimate 1585 Dissemination SCI events included systems compliance issues, systems intrusions, and systems disruptions that resulted, or the SCI entity reasonably estimates would result, in significant harm or loss to market participants. 1586 See Proposing Release, supra note 13, at 18149. 1587 See id. The 3 burden hours included 2.67 hours by an Attorney and 0.33 hours by a Webmaster. See id. This estimate was based on Commission staff’s experience with the ARP Inspection Program. See id. at 18149, n. 416. 1588 See id. at 18150.
The 5 burden hours included 4.67 hours by an Attorney and 0.33 hours by a Webmaster. See id. This estimate was based on Commission staff’s experience with the ARP Inspection Program. See id. at 18150, n. 420. 1589 See id. at 18150. 1590 See id. The 1 burden hour included 0.67 hours by an Attorney and 0.33 hours by a Webmaster. See id. This estimate was based on the estimated burden to complete and submit a written update for an SCI event on Form SCI and on Commission staff’s experience with the ARP Inspection Program. See id. at 18150, n. 422 and n. 423. 1591 See id. at 18150. The 3 burden hours included 2.67 hours by an Attorney and 0.33 hours by a Webmaster. See id. This estimate was based on Commission staff’s experience with the ARP Inspection Program, and the Commission’s burden estimate for proposed Rule 1000(b)(5)(i)(A). See id. at 18150, n. 426. included any burden for an SCI entity to document its reason for determining that dissemination of information regarding a systems intrusion would likely compromise the security of the SCI entity’s SCI systems or SCI security systems, or an investigation of the systems intrusion.1592 In the SCI Proposal, the Commission estimated that while SCI entities would internally handle most of the work associated with compliance with proposed Rule 1000(b)(5), SCI entities would seek outside legal advice in the preparation of the disseminations at an average annual cost of $15,000 per SCI entity.1593 With respect to the estimated burden under proposed Rule 1000(b)(5), one commenter noted that since most of the work entailed in producing a notification relating to a dissemination SCI event would occur in connection with the Commission notification requirements under proposed Rule 1000(b)(4), the Commission’s estimate of the burden of proposed Rule 1000(b)(5) is fairly accurate.1594 Another commenter stated that the Commission underestimated the burden associated with information
dissemination.1595 In connection with expressing its concern that almost any minor or immaterial systems issue would fall under the proposed definition of SCI event, this commenter estimated that there would be at a minimum a ten-fold increase in reportable events from the 175 incidents in 2011 under the ARP Inspection Program.1596 With respect to the estimated burden associated with information dissemination, this commenter argued that the Commission incorrectly assumed that such communications would be drafted only by a single attorney and a webmaster.1597 This commenter believed that properly drafting such communications will require a concerted effort by a number of individuals, including subject matter experts and mid-level and senior managers.1598 This commenter also 1592 See id. 1593 See id. at 18150–51. 1594 See MSRB Letter at 35. 1595 See Omgeo Letter at 37. This commenter argued that the Commission mistakenly relied upon experience with the ARP Inspection Program as a basis for the estimates. See id. 1596 See id. at 37–38. 1597 See id. at 38. 1598 See id.
According to this commenter, subject matter experts would include associates from functions such as Technology, Client Support, noted that SCI entities would draft different dissemination notices designed to address the particular concerns of the different client segments it services (e.g., broker-dealers, custodian banks, investment managers, hedge funds).1599 As such, this commenter estimated that proposed Rule 1000(b)(5)(i)(A) would result in a burden of approximately 30 hours to create the dissemination 1600 and 100 hours to review.1601 Further, this commenter disagreed that SCI entities are likely to handle internally most of the work associated with information dissemination.1602 This commenter believed that, to the extent a dissemination SCI event raises the possibility of litigation or reputational damage for an SCI entity, the SCI entity will likely engage outside counsel to review the facts and prepare the required materials.1603 This commenter also argued that the Commission’s estimate did not take into account the burden associated with addressing responses from an SCI entity’s participants, members, or clients, which, according to this commenter, would be hundreds of hours of SCI entity associate and management time.1604 This commenter expressed similar concerns with respect to the burden estimates for proposed Rules 1000(b)(5)(i)(B) and (C) and noted that each follow-up notice would impose a burden far greater than 5 hours.1605 This commenter also noted that the Commission underestimated that each SCI entity would only have to provide one update each year under proposed Rule 1000(b)(5)(i)(C), and that each dissemination would only be prepared by an attorney and a webmaster.1606 Information Security, Legal, Compliance, Product Management, and Sales and Relationship Management. See id. at 38, n. 75. 1599 See Omgeo Letter at 38. 1600 This commenter noted that major incidents would require far more resources.
See id. 1601 See id. This commenter noted that the 100-hour estimate does not include any follow up communications. See id. at 38, n. 76. 1602 See id. at 39. However, another commenter stated its belief that none of the activities arising under proposed Rule 1000(b)(5) would be conducive to outsourcing. See MSRB Letter at 34–35. 1603 See Omgeo Letter at 39. This commenter also expressed concern that SCI entities would be forced to send their clients and participants a constant stream of communications detailing minor, inconsequential events that have no impact on them, which would cause reputational damage to SCI entities. See id. 1604 See id. 1605 See id. at 40–41. 1606 See id. at 41. With respect to the burden estimates for proposed Rule 1000(b)(5)(ii), this commenter expressed similar concern, and noted that each dissemination under proposed Rule 1000(b)(5)(ii) would require hundreds of burden hours.1607 As discussed above in Section IV.B.3.d, the Commission is adopting the information dissemination requirements in Rule 1002(c), with certain modifications from the proposal. As adopted, an SCI entity is required to disseminate certain information to its members or participants that may have been affected by an SCI event.1608 However, for major SCI events, an SCI entity must disseminate the required information to all of its members or participants.1609 Rule 1002(c)(4) further provides that the information dissemination requirement does not apply to SCI events to the extent they relate to market regulation or market surveillance systems, or any SCI event that has had, or the SCI entity reasonably estimates would have, no or a de minimis impact on the SCI entity’s operations or on market participants.
Similar to proposed Rule 1000(b)(5), adopted Rule 1002(c)(1) requires SCI entities to promptly disseminate certain information regarding systems disruptions and systems compliance issues, to further disseminate certain information when such information becomes known,1610 and to provide regular updates of such information until the SCI event is resolved. In addition, similar to proposed Rule 1000(b)(5), adopted Rule 1002(c)(2) requires SCI entities to promptly disseminate certain information regarding systems intrusions,1611 and provides an exception when the SCI entity determines that dissemination of such information would likely compromise the security of its SCI systems or indirect SCI systems, or an investigation of the systems intrusion, and documents the reasons for such determination. With respect to a commenter’s concern that because almost any minor or immaterial systems issue would fall under the proposed definition of SCI event, there would be at a minimum a ten-fold increase in reportable events as compared to the reported incidents 1607 See id. at 41–42. 1608 See Rule 1002(c)(3). 1609 See id. 1610 The information required to be disseminated under Rule 1002(c)(1) remains unchanged from the proposal. 1611 The information required to be disseminated under Rule 1002(c)(2) remains unchanged from the proposal. under the ARP Inspection Program,1612 as noted above, Rule 1002(c)(4) provides exceptions to certain SCI events from the information dissemination requirement.
Specifically, SCI events that relate to market regulation or market surveillance systems and de minimis SCI events would not be subject to the information dissemination requirement.1613 Further, as noted above in Section IV.A, the Commission has refined the definition of SCI systems and SCI event in various respects.1614 Given these changes, the Commission believes that the commenter’s suggestion that there would be at a minimum a ten-fold increase in reportable events as compared to the reported incidents under the ARP Inspection Program is not an appropriate estimate. The Commission now estimates that each SCI entity would disseminate information regarding 36 SCI events each year under Rule 1002(c),1615 including 1 non-de minimis systems intrusion each year.1616 Therefore, the Commission now estimates that each SCI entity would disseminate information regarding 35 SCI events each year under Rule 1002(c)(1)(i). The Commission estimates that each SCI entity would disseminate 3 updates for each such SCI event under Rules 1002(c)(1)(ii) and 1612 See supra note 1596 and accompanying text. 1613 These exceptions should address a commenter’s concern that proposed Rule 1000(b)(5) would result in SCI entities being forced to send their clients and participants a constant stream of communications detailing minor, inconsequential events that have no impact on them. See id. 1614 See Rule 1000 (defining ‘‘SCI systems’’ and ‘‘SCI event’’). 1615 As discussed above, the Commission estimates that each SCI entity will experience an average of 45 SCI events each year that are not de minimis SCI events. The Commission estimates that approximately one-fifth of these SCI events relate to market regulation and market surveillance systems. Therefore, the Commission estimates that the number of SCI events subject to the requirements of Rule 1002(c) would be 36 per year for each SCI entity (45 SCI events ÷ 5 × 4 = 36 SCI events).
1616 Based on Commission’s experience with the ARP Inspection Program, the Commission believes each SCI entity will experience on average less than one non-de minimis systems intrusion per year. However, for purposes of the PRA, the Commission estimates one non-de minimis systems intrusion per SCI entity per year. (iii),1617 or 105 updates each year.1618 Further, the Commission estimates that each SCI entity would disseminate information regarding 1 systems intrusion each year under Rule 1002(c)(2). The Commission estimates that each information dissemination under Rule 1002(c)(1)(i) will require 7 hours.1619 The Commission is not significantly increasing its burden estimate from the proposal because the Commission believes that the information required to be disseminated under Rule 1002(c)(1)(i) would likely already be collected for Commission notification under Rule 1002(b)(1) or (2).1620 Therefore, contrary to the view of a commenter,1621 the Commission does not believe that Rule 1002(c)(1)(i) will result in significantly higher burden for 1617 The Commission notes that Rule 1002(c)(1)(ii) requires each SCI entity, when known, to promptly further disseminate for each SCI event three types of information: (A) A detailed description of the SCI event; (B) the SCI entity’s current assessment of the types and number of market participants potentially affected by the SCI event; and (C) a description of the progress of its corrective action for the SCI event and when the SCI event has been or is expected to be resolved. The Commission believes that one or more of these types of information may become known to an SCI entity at different times, and therefore the Commission estimates that each SCI entity will submit two updates per SCI event under Rule 1002(c)(1)(ii).
Rule 1002(c)(1)(iii) requires each SCI entity to provide regular updates of any information required to be disseminated under Rules 1002(c)(1)(i) and (ii). The Commission estimates that each SCI entity will submit one regular update under Rule 1002(c)(1)(iii) before the SCI event is resolved. The Commission believes that the number of updates under Rules 1002(c)(1)(ii) and (iii) will vary depending on how quickly information is discovered and how quickly the SCI event is resolved, but believes that a total of three updates for the two provisions is an appropriate estimate. 1618 35 SCI events × 3 updates per SCI event = 105 updates. 1619 The 7 hours include 2.67 hours by an Attorney, 1 hour by a Compliance Manager, 0.5 hours by a Chief Compliance Officer, 0.5 hours by a General Counsel, 0.5 hours by a Director of Compliance, 1 hour by a Senior Systems Analyst, 0.5 hours by a Corporate Communications Manager, and 0.33 hours by a Webmaster. As compared to the estimated burden for proposed Rule 1000(b)(5)(i)(A), the Commission is estimating an additional 1 hour by a Compliance Manager, 0.5 hours by a General Counsel, 0.5 hours by a Chief Compliance Officer, 0.5 hours by a Director of Compliance, 1 hour by a Senior Systems Analyst, and 0.5 hours by a Corporate Communications Manager to reflect the view of commenters that the preparation for information dissemination would require the involvement of subject matter experts and mid-level and senior managers. See supra notes 1597–1598 and accompanying text. 1620 See also supra note 1594 and accompanying text (discussing the view of a commenter that since most of the work entailed in producing a notification relating to a dissemination SCI event would occur in connection with the Commission notification requirements under proposed Rule 1000(b)(4), the Commission’s estimate of the burden of proposed Rule 1000(b)(5) is fairly accurate). 1621 See supra notes 1600–1601 and 1607 and accompanying text. 
SCI entities than as estimated in the proposal. With respect to the view of a commenter that SCI entities would create different dissemination notices designed to address the concerns of different client segments,1622 the Commission notes that Rule 1002(c) only specifies the general information that must be disseminated and does not require that SCI entities provide different information to different clients, even though SCI entities can decide to tailor the information dissemination for their clients.1623 Based on the foregoing, the Commission estimates that each SCI entity would require an average of 245 hours annually to comply with Rule 1002(c)(1)(i),1624 or 10,780 hours for all SCI entities.1625 The Commission estimates that each update under Rules 1002(c)(1)(ii) and (iii) will require 13 hours.1626 The Commission is not significantly increasing its burden estimate for proposed Rules 1000(b)(5)(i)(B) and (C) because the Commission believes that the information required to be disseminated under Rules 1002(c)(1)(ii) and (iii) would likely already be collected for Commission notification under Rules 1002(b)(2)–(4).1627 1622 See supra notes 1599–1601 and accompanying text. 1623 This commenter also noted that the Commission did not take into account the burden associated with addressing responses from an SCI entity’s participants, members, or clients. See supra note 1604 and accompanying text. The Commission believes that currently, SCI entities already notify affected members or participants of certain systems issues. The Commission also believes that information regarding many systems issues that fall under the definition of major SCI event is already made available to members or participants of an SCI entity, and often to the public through the press or otherwise.
Therefore, the Commission does not believe that the burden to respond to members or participants will be significantly higher than SCI entities’ current practices in the absence of Regulation SCI. The Commission also notes that Rule 1002(c) does not impose any requirements related to responding to inquiries about the information dissemination. 1624 35 information disseminations each year × 7 hours per dissemination = 245 hours. 1625 245 hours × 44 SCI entities = 10,780 hours. 1626 The 13 hours include 4.67 hours by an Attorney, 2 hours by a Compliance Manager, 1 hour by a Chief Compliance Officer, 1 hour by a General Counsel, 1 hour by a Director of Compliance, 2 hours by a Senior Systems Analyst, 1 hour by a Corporate Communications Manager, and 0.33 hours by a Webmaster. As compared to the estimated burden for proposed Rule 1000(b)(5)(i)(B), the Commission is estimating an additional 2 hours by a Compliance Manager, 1 hour by a General Counsel, 1 hour by a Chief Compliance Officer, 1 hour by a Director of Compliance, 2 hours by a Senior Systems Analyst, and 1 hour by a Corporate Communications Manager to reflect the view of commenters that the preparation for information dissemination would require the involvement of subject matter experts and mid-level and senior managers. See supra notes 1597–1598 and accompanying text. 1627 See supra notes 1594 and 1620 and accompanying text. Therefore, contrary to the view of a commenter,1628 the Commission does not believe that Rules 1002(c)(1)(ii) and (iii) will result in significantly higher burden for SCI entities than as estimated in the SCI Proposal.
Based on the foregoing, the Commission estimates that each SCI entity would require an average of 1,365 hours annually to comply with Rules 1002(c)(1)(ii) and (iii),1629 or 60,060 hours for all SCI entities.1630 The information required to be disseminated under Rule 1002(c)(2) for systems intrusions is similar to the information required to be disseminated under Rule 1002(c)(1)(i) in that both provisions require the dissemination of a summary description of an SCI event. Therefore, the Commission is using the burden estimate for Rule 1002(c)(1)(i) as the basis for its estimate for Rule 1002(c)(2). However, the Commission believes that Rule 1002(c)(2) will impose more burden than Rule 1002(c)(1)(i) because it also requires that the SCI entity determine whether dissemination of information regarding a particular systems intrusion would compromise the security of its SCI systems or indirect SCI systems, or an investigation of the systems intrusion, and if the SCI entity determines that it would, to document the reason for such determination.1631 Therefore, the Commission estimates that each SCI entity will spend an average of 10 hours to comply with Rule 1002(c)(2),1632 or 440 hours for all SCI entities.1633 The Commission estimates that while SCI entities would handle internally some or most of the work associated with compliance with Rule 1002(c),1634 SCI entities would seek outside legal advice in the preparation of the information dissemination, at an average annual cost 1628 See supra notes 1605–1606 and accompanying text. 1629 105 updates each year × 13 hours per update = 1,365 hours. 1630 1,365 hours × 44 SCI entities = 60,060 hours. 1631 See Rule 1002(c)(2).
1632 The 10 hours include 3.67 hours by an Attorney, 1.5 hours by a Compliance Manager, 0.75 hours by a Chief Compliance Officer, 0.75 hours by a General Counsel, 0.75 hours by a Director of Compliance, 1.5 hour by a Senior Systems Analyst, 0.75 hours by a Corporate Communications Manager, and 0.33 hours by a Webmaster. See supra note 1619. The burden estimate for Rule 1002(c)(2) is approximately one and a half times the Commission’s burden estimate for Rule 1002(c)(1)(i). (7 hours × 1.5 = 10.5 hours.) 1633 10 hours × 44 SCI entities = 440 hours. 1634 The Commission recognizes that some SCI entities, such as certain SCI SROs, may have the inhouse expertise to complete the work associated with compliance with Rule 1002(c), while other SCI entities may not and would therefore need to outsource some of the work associated with compliance with Rule 1002(c). PO 00000 Frm 00138 Fmt 4701 Sfmt 4700 of $36,000 per SCI entity,1635 or $1,584,000 for all SCI entities.1636 c. Commission Notification of Material Systems Changes In the SCI Proposal, the Commission estimated that each SCI entity would have an average of 60 planned material systems changes each year, resulting in 60 advance notifications per year.1637 The Commission estimated that each notification would require 2 hours to prepare and submit.1638 For SCI entities that currently participate in the ARP Inspection Program, the Commission estimated that these entities would start from a baseline of fifty percent.1639 The Commission also estimated that the initial and ongoing burden to submit semi-annual reports to the Commission pursuant to proposed Rule 1000(b)(8)(ii) would be 60 hours per report for each SCI entity.1640 With respect to the estimated burden under proposed Rule 1000(b)(6), some commenters noted that the Commission underestimated the number of material systems changes.1641 For example, one 1635 The Commission is increasing its estimate of the outsourcing cost for compliance with Rule 1002(c) from its 
estimate in the proposal because its estimate of the number of information dissemination is higher than the estimated number in the proposal (i.e., from 15 to 36). In the SCI Proposal, the Commission estimated an outsourcing cost of $15,000 for 15 SCI events, which results in an average cost of $1,000 per SCI event. The Commission is continuing to estimate an average cost of $1,000 per SCI event subject to information dissemination, but is increasing the total outsourcing cost to $36,000 based on the increase in the number of estimated SCI events to 36. See also supra notes 1602–1603 and accompanying text (discussing the view of a commenter that SCI entities will likely engage outside counsel to review the facts and prepare the required documents to the extent an SCI event raises the possibility of litigation or reputational damage). But see supra note 1602 and accompanying text (discussing the view of a commenter that none of the activities arising under proposed Rule 1000(b)(5) would be conducive to outsourcing). 1636 $36,000 × 44 SCI entities = $1,584,000. 1637 See Proposing Release, supra note 13, at 18151. This estimate included instances where the information previously provided to the Commission regarding any planned material systems change becomes inaccurate. See id. at 18151, n. 431. 1638 See id. at 18151. The 2 burden hours included 0.33 hours by an Attorney and 1.67 hours by a Senior Systems Analyst. See id. This estimate was based on Commission staff’s experience with the ARP Inspection Program. In determining this estimate, the Commission also considered its burden estimate for the same reporting requirement that was proposed for SB SEFs. See id. at 18151, n. 432. 1639 See id. at 18151. 1640 See id. at 18152. The 60 burden hours included 10 hours by an Attorney and 50 hours by a Senior Systems Analyst. See id. This estimate was based on Commission staff’s experience with the ARP Inspection Program. See id. at 18152, n. 440. 1641 See BATS Letter at 14. 
See also NYSE Letter at 26 (stating that if ‘‘material’’ were interpreted broadly to cover any functional change to an SCI system, the number of material systems changes could measure in the thousands); and OTC Markets Letter at 21 (stating that it estimated it had a minimum of 430 reportable changes to its production systems over a ten-month time frame based on the proposed notification standards for material systems changes). 1642 See BATS Letter at 14. 1643 See MSRB Letter at 35. 1644 See OCC Letter at 15. This commenter stated that a large amount of information needs to be assembled from different groups and consolidated into a single report, which would include, for example: (i) A high-level description of the functionality and configuration of the affected systems; (ii) a description of the systems development process; (iii) the relationship to other systems; (iv) changes to production schedules due to the planned system change; (v) any effects on capacity; (vi) a description of test results; (vii) a summary of test results; (viii) contingency protocols (i.e., fallback options and disaster recovery measures); (ix) vulnerability assessments and security measures; and (x) whether an SEC rule filing under Rule 19b–4 has been made in connection with the system change notification. See id. at 15–16. According to this commenter, unless the Commission intends for the scope of information provided with these notices to be limited to high level descriptions and generally less detailed, the preparation of material systems change notices generally requires considerably more time than estimated. See id. at 16. 1645 See UBS Letter at 6. 1646 See Omgeo Letter at 42.

commenter stated that, based on the proposed definition of material systems changes, each SCI entity could be reporting 60 material systems changes each week.1642 One commenter noted that the burden estimate was effectively limited to ministerial tasks of producing material systems change notifications and did not take into account activities necessary to gather the information needed, to have appropriate confirmations from persons with knowledge of the material systems change, to provide for senior management review where appropriate, and to otherwise be in a position to draft the notification.1643 One commenter stated that the Commission’s estimate of 2 hours for each material systems change notice is too low because describing systems changes ‘‘involves the work of a tech-writer, who needs to collaborate with multiple groups on a project team, including the project manager, application development team and the testing and implementation teams.’’ 1644 Similarly, one commenter noted that material systems change notifications would require substantial review by IT management, relevant business supervisors, as well as compliance staff, which would increase the burden estimate at least threefold.1645 One commenter noted that, based on its experience under the ARP Inspection Program, each notice under proposed Rule 1000(b)(6) would require at least 62 hours.1646 This commenter also opined that the Commission mistakenly assumed that only a senior
systems analyst and an attorney would be involved in the drafting of the notice.1647 According to this commenter, a number of subject matter experts would need to be involved in drafting and reviewing these notices (i.e., Project Management, Developments, Quality Assurance, Performance Testing, Systems Engineering, Systems Architecture, Capacity Planning, Information Security, Business Continuity, Disaster Recovery, Legal, and Compliance).1648 On the other hand, one commenter stated that the Commission’s estimate of the burden of proposed Rule 1000(b)(8)(ii) is fairly accurate.1649 One commenter stated its belief that none of the activities arising under proposed Rules 1000(b)(6) and (b)(8) would be conducive to outsourcing.1650 As discussed in detail above in Section IV.B.4, the Commission is not adopting the requirement for SCI entities to provide 30-day advance notifications or semi-annual reports of material systems changes. Also as discussed in detail above in Section IV.B.4, the Commission is not adopting the proposed definition of material systems change. Adopted Rule 1003(a) requires each SCI entity to submit quarterly reports describing completed, ongoing, and planned material changes to its SCI systems and security of indirect SCI systems during the prior, current, and subsequent calendar quarters. Adopted Rule 1003(b) additionally requires each SCI entity to promptly submit a supplemental report notifying the Commission of a material error in or material omission from a report previously submitted under Rule 1003(a).
With respect to the comment that, based on the proposed definition of material systems change, each SCI entity could be reporting 60 material systems changes each week (rather than each year), the Commission notes that it has not adopted the proposed definition of material systems change.1651 Rather, as discussed above in Section IV.B.4, Rule 1003(a)(1) requires each SCI entity to establish reasonable criteria for identifying a change to its SCI systems and the security of indirect SCI systems as material. Because Rule 1003(a)(1) allows each SCI entity to identify material systems changes, it is responsive to commenters’ concern that the proposed definition was too broad and would result in an excessive number of notifications, and to commenters’ suggestion that the definition should be revised. In particular, an SCI entity will have reasonable discretion in establishing the written criteria in order to capture the systems changes that it believes are material. Relatedly, with respect to commenters who specifically discussed the 30-day advance Commission notification requirement for material systems changes,1652 the Commission notes that it is not adopting a 30-day advance notification requirement for each material systems change and is instead adopting a quarterly reporting requirement. Therefore, the Commission does not believe that it is necessary to estimate the number of material systems changes that each SCI entity will experience each year in order to estimate the burden associated with Rule 1003(a). As discussed above in Section IV.B.4, Rule 1003(a) requires quarterly reports on material systems changes and supplemental reports under certain circumstances.

1647 See id. 1648 See id. at 42–43. 1649 See MSRB Letter at 37. 1650 See id. at 36–37. 1651 See supra notes 1641–1642 and accompanying text.
Specifically, the quarterly reports are required to include a description of the completed, ongoing, and planned material changes to SCI systems and the security of indirect SCI systems, during the prior, current, and subsequent calendar quarters, including the dates or expected dates of commencement and completion.1653 The Commission notes that the quarterly reports under Rule 1003(a) are required to include similar information as the information required under proposed Rule 1000(b)(8)(ii).1654 However, because the Commission is not requiring 30-day advance notification of each material systems change, SCI entities may need to spend more time to gather the information required to be included in the quarterly reports and to prepare the quarterly reports than the burden estimated for proposed Rule 1000(b)(8)(ii).1655 Therefore, the Commission estimates that the initial and ongoing burden to comply with the quarterly reporting requirement would be 125 hours per report per SCI entity,1656 or 500 hours annually per SCI entity 1657 and 22,000 hours annually for all SCI entities.1658

1652 See supra notes 1643–1648 and accompanying text. 1653 Contrary to the views of a commenter, these quarterly reports are limited in scope and do not require a detailed description of each systems change that the SCI entity determines to be material. See supra note 1644 (discussing the concerns of a commenter that a large amount of information would need to be assembled and consolidated into a single report, and that unless the Commission intends for the scope of the information provided to be limited to high level descriptions and generally less detailed, the preparation of material systems change notices will require considerably more time than estimated). The Commission notes that it intends for the quarterly report to only require the information necessary to allow the Commission and its staff to gain a sufficient understanding of the relevant material systems changes, which would aid the Commission and its staff in understanding the operations and functionality of the systems of an SCI entity and changes to such systems. Specifically, Rule 1003(a)(1) requires the quarterly report to ‘‘describe’’ the material systems changes and gives each SCI entity reasonable flexibility in how to describe it. 1654 Proposed Rule 1000(b)(8)(ii) required semi-annual reports that include a summary description of the progress of any material systems changes during the six-month period ending on June 30 or December 31, and the date, or expected date, of completion of implementation of such changes. 1655 At the same time, the Commission believes that most, if not all, SCI entities already have some internal procedures for documenting all systems changes. 1656 In the SCI Proposal, the Commission preliminarily estimated 60 hours per semi-annual report. See Proposing Release, supra note 13, at 18152. The Commission believes that, although Rule 1003(a)(1) requires quarterly reports rather than semi-annual reports, the reporting burden should not be reduced because the quarterly reports would cover material systems changes during the prior, current, and subsequent calendar quarters. On the other hand, the proposed semi-annual reports would have only covered material systems changes during the previous 6 months. In addition, because the Commission is not requiring 30-day advance notification of each material systems change, SCI entities may need more time to gather the information required to be included in the quarterly reports and to prepare the quarterly reports. Therefore, the Commission believes that it is appropriate to increase by fifty percent its estimate for the proposed semi-annual reporting requirement and to add additional personnel in response to comment.
But see supra note 1649 and accompanying text (discussing a commenter’s view that the Commission’s estimate of the burden under proposed Rule 1000(b)(8)(ii) is fairly accurate). The 125 burden hours include 7.5 hours by an Attorney, 7.5 hours by a Compliance Manager, 5 hours by a Chief Compliance Officer, 30 hours by a Senior Business Analyst, and 75 hours by a Senior Systems Analyst. In addition to adding fifty percent to the estimated burden for proposed Rule 1000(b)(8)(ii), the Commission is estimating an additional 7.5 hours by a Compliance Manager (and decreasing the proposed burden estimate for Attorney from 10 hours to 7.5 hours), 5 hours by a Chief Compliance Officer, and 30 hours by a Senior Business Analyst to address commenters’ view that the estimates in the SCI Proposal did not take into account the activities to gather the information needed, to have appropriate confirmations from persons with knowledge of the material systems change, and to provide for senior management review where appropriate (even though some of these commenters commented on the burden estimate for proposed Rule 1000(b)(6) only). See supra notes 1643, 1645, 1647, and 1648 and accompanying text. The Commission notes that the inclusion of Senior Business Analyst and Senior Systems Analyst is intended to cover subject matter experts for material systems changes, as suggested by a commenter. See supra note 1648 and accompanying text. 1657 125 hours × 4 reports each year = 500 hours. The Commission recognizes that, to the extent an SCI entity develops a template for quarterly material systems change reports, the burden associated with creating future quarterly reports may be reduced. 1658 500 hours × 44 SCI entities = 22,000 hours.
With respect to the requirement under Rule 1003(a)(2) for supplemental material systems change reports, for purposes of this PRA analysis, the Commission estimates that most quarterly reports will not contain material errors or material omissions. Therefore, the Commission estimates that each SCI entity will submit 2 supplemental reports each year under Rule 1003(a)(2), in order to account for the few instances where a quarterly report must be corrected. The Commission estimates that the initial and ongoing burden to comply with the supplemental reporting requirement would be 15 hours per report per SCI entity,1659 or 30 hours annually per SCI entity 1660 and 1,320 hours annually for all SCI entities.1661 The Commission believes that SCI entities would handle internally the work associated with reports required under Rule 1003(a).1662

d. SCI Review

In the SCI Proposal, the Commission estimated that the initial and ongoing burden of conducting an SCI review and submitting the SCI review to senior management for review would be approximately 625 hours for each SCI entity.1663 The Commission also estimated that each SCI entity would spend 1 hour to submit the SCI review to the Commission pursuant to proposed Rule 1000(b)(8)(i).1664 With respect to the burden associated with SCI reviews, one commenter stated that the Commission’s estimate of the burden of proposed Rule 1000(b)(7) is fairly accurate.1665 According to this commenter, although the burden estimate of proposed Rule 1000(b)(7) did not require the inclusion of senior management’s response, the

1659 The 15 burden hours include 2 hours by an Attorney, 2 hours by a Compliance Manager, 1 hour by a Chief Compliance Officer, 3 hours by a Senior Business Analyst, and 7 hours by a Senior Systems Analyst. The Commission believes that the burden associated with supplemental material systems change reports will be substantially lower than the burden associated with quarterly material systems change reports, but the same type of personnel will be involved in the supplemental report as the quarterly report. 1660 15 hours × 2 reports each year = 30 hours. 1661 30 hours × 44 SCI entities = 1,320 hours. 1662 See supra note 1650 and accompanying text. 1663 See Proposing Release, supra note 13, at 18151. The 625 burden hours included 80 hours by an Attorney, 170 hours by a Manager Internal Auditor, and 375 hours by a Senior Systems Analyst. See id. This estimate was the Commission’s preliminary best estimate and was based on Commission staff’s experience with the ARP Inspection Program. This estimate was also the same as the Commission’s burden estimate for internal audits of SB SEFs. See id. at 18151, n. 437. 1664 See id. at 18151. The 1 burden hour would be spent by an Attorney. See id. 1665 See MSRB Letter at 36.
Commission’s estimate is sufficient to cover the burden on senior management to produce such response.1666 Another commenter noted that the Commission’s estimate of the burden associated with SCI review is too low and that the SCI review will require over 1,200 burden hours.1667 In connection with advocating for a risk-based approach for SCI reviews, one commenter noted that if it were to attempt to conduct all of the market-related technology application reviews that it currently conducts over four years during one year (excluding regulatory technology applications such as those related to member regulation), it would require approximately 6,400 to 8,320 hours.1668 According to this commenter, significantly more resources would be required to conduct SCI reviews if the definition of SCI systems includes non-market regulatory and surveillance systems, and development and testing systems.1669 One commenter noted that significant portions of the SCI review could be outsourced and that the Commission’s estimate for the overall cost of outsourcing is reasonable, although some of the assumed hourly rates used in the SCI Proposal appear to be too low in the context of the current market environment.1670 One commenter noted that the Commission’s estimate did not take into account the additional work that would be required by many different SCI entity associates, including managers and subject matter experts, in order to satisfy the requirements of proposed Rule 1000(b)(7).1671 This commenter stated that the Commission incorrectly assumed that only an attorney, manager internal audit, and systems analyst would be required to work on the SCI review.1672 According to this commenter, subject matter expertise that would be needed to perform such a review includes Product Managers, Project Managers, Developers, Quality Assurance staff, Systems Engineers, Systems Architects, Capacity Planners, Information Security experts, Business Continuity
and Disaster Recovery staff, Compliance staff, and management.1673 This commenter estimated that the annual burden under proposed Rule 1000(b)(7) would be 4,670 hours.1674 According to this commenter, if the Commission intended SCI entities to conduct a broader scope review beyond those now required by the ARP Inspection Program, then the annual burden would be 11,199 hours.1675 With respect to the burden estimate for proposed Rule 1000(b)(8)(i), one commenter stated that the estimate did not address the burden on senior management for reading, analyzing, and perhaps responding to the SCI review.1676 As discussed above in Section IV.B.5, the Commission is adopting SCI review-related requirements in Rule 1003(b), with some modifications from the proposal.

1666 See id. at 37. 1667 See ISE Letter at 12. 1668 See FINRA Letter at 40. According to this commenter, it currently spends approximately 160 hours for each review of a technology application in connection with its regulatory audits, and currently it reviews between 10 and 13 market-related technology applications annually. See id. 1669 See id. 1670 See MSRB Letter at 36. 1671 See Omgeo Letter at 44. 1672 See id. 1673 See id.
Specifically, Rule 1003(b)(1) requires each SCI entity to conduct an SCI review of its compliance with Regulation SCI not less than once each calendar year, with an exception for penetration test reviews, which are required to be conducted not less than once every three years.1677 As adopted, Rule 1003(b)(1)(ii) provides an exception for assessments of SCI systems directly supporting market regulation or market surveillance, which are required to be reviewed at a frequency based on the risk assessment conducted as part of the SCI review, but in no case less than once every three years.1678 Rules 1003(b)(2) and (3) require each SCI entity to submit a report of the SCI review to senior management no more than 30 calendar days after completion of the review, and to submit the report to the Commission and to the board of directors of the SCI entity or the equivalent of such board, together with any response by senior management, within 60 calendar days after its submission to senior management. After considering the views of commenters, the Commission is not significantly increasing the burden estimate for compliance with Rules 1003(b)(1) and (2) from its estimates in the SCI Proposal. In particular, one commenter noted that the Commission’s burden estimate for proposed Rule 1000(b)(7) was fairly accurate.1679 Further, while other commenters advocated higher burden estimates for the SCI review requirement,1680 the Commission notes that it has refined the definition of SCI systems (e.g., by eliminating development and testing systems, and focusing on market regulation and market surveillance systems) and has incorporated a risk-based approach to the frequency of testing for market regulation and market surveillance systems. The Commission estimates that the initial and ongoing burden of conducting an SCI review and submitting the SCI review to senior management of the SCI entity for review would be approximately 690 hours for each SCI entity,1681 and 30,360 hours annually for all SCI entities.1682 The Commission estimates that while SCI entities would handle internally some or most of the work associated with compliance with Rule 1003(b),1683 SCI entities would outsource some of the work associated with an SCI review, at an average annual cost of $50,000 per SCI entity,1684 or $2,200,000 for all SCI entities.1685 With respect to the comment that the burden estimate for proposed Rule 1000(b)(8)(i) failed to account for the burden on senior management for reviewing and responding to the report of the SCI review,1686 the Commission notes that proposed Rule 1000(b)(8)(i) and adopted Rule 1003(b)(3) do not require senior management to respond to the report of the SCI review. Rather, Rule 1003(b)(3) only requires an SCI entity to submit the already prepared report of the SCI review, and response by senior management if there was any, to the Commission and to the board of directors of the SCI entity or the equivalent of such board. Moreover, the Commission is including in its burden estimate for Rules 1003(b)(1) and (2) the burden for senior management review of the report for the SCI review. Therefore, with respect to Rule 1003(b)(3), the Commission estimates that each SCI entity would require 1 hour per year to submit the report of the SCI review and any response by senior management to the Commission and to the board of directors of the SCI entity or the equivalent of such board,1687 for a

1674 See id. 1675 See id. 1676 See id. 1677 As proposed, the rule would have required penetration test reviews of the SCI entity’s network, firewalls and development, testing, and production systems. However, consistent with modifications to the definition of SCI systems, references to development and test systems have been deleted in adopted Rule 1003(b)(1)(i). 1678 These exceptions, along with the exclusion of development and testing systems from the definition of SCI systems, would address, at least in part, some commenters’ concern regarding the scope of the definition of SCI systems and consequently the burden of the SCI review requirement. See supra notes 1669 and 1675 and accompanying text. 1679 See supra note 1665 and accompanying text. 1680 See supra notes 1667–1668 and 1675 and accompanying text. These commenters estimated a range of 1,200 to 8,320 burden hours. In response to the commenter that stated that it currently spends approximately 160 hours for each review of a technology application and it reviews between 10 and 13 market-related technology applications annually, the Commission notes that the burden estimates in this section only include the incremental burden associated with the rule above what the Commission estimates that SCI entities are already performing. To the extent an SCI entity already reviews certain of its systems, the additional burden imposed by Rule 1003(b) will be lower than for other SCI entities. 1681 The 690 hours include 80 hours by an Attorney, 35 hours by a Compliance Manager, 5 hours by a General Counsel, 20 hours by a Chief Compliance Officer, 5 hours by a Director of Compliance, 170 hours by a Manager Internal Audit, and 375 hours by a Senior Systems Analyst. As compared to the estimated burden for proposed Rule 1000(b)(7), the Commission is estimating an additional 35 hours by a Compliance Manager, 5 hours by a General Counsel, 20 hours by a Chief Compliance Officer, and 5 hours by a Director of Compliance, to reflect the view of commenters that managers would be involved in satisfying the requirements related to SCI review. See supra notes 1671–1675 and accompanying text. The Commission notes that the 20-hour burden estimate for the Chief Compliance Officer includes the time spent by other members of the senior management team (other than the General Counsel, who has a separate burden estimate). See supra Section IV.B.5 (discussing senior management involvement in compliance with Rule 1003(b)). The Commission notes that the inclusion of Manager Internal Audit and Senior Systems Analyst is intended to cover subject matter experts related to systems review (e.g., information security experts, systems engineers, quality assurance staff). See supra notes 1671–1675 and accompanying text. The Commission also believes that some SCI entities already conduct annual reviews of their systems, and therefore may incur less burden than other SCI entities in complying with Rule 1003(b). 1682 690 hours × 44 SCI entities = 30,360 hours. 1683 As noted above, one commenter suggested that significant portions of the SCI review may be outsourced. This commenter also noted that the Commission’s estimate of the overall cost of outsourcing is reasonable, although it believed some of the assumed hourly rates appear to be too low in the context of current market environment. See supra note 1670 and accompanying text. The Commission acknowledges that some SCI entities may outsource work related to SCI review to more expensive outside firms than others. On average, the Commission believes its hourly rate of $400 for outsourcing continues to be appropriate. 1684 125 hours × $400 = $50,000.
The Commission believes that SCI entities may outsource some of the legal and audit work associated with an SCI review. In particular, the Commission estimates that, on average, an SCI entity will outsource 40 hours of legal work and 85 hours of audit work (or half of the hour burden estimates for Attorney and Manager Internal Audit). See supra note 1681. 1685 $50,000 × 44 SCI entities = $2,200,000. 1686 See supra notes 1666 and 1676 and accompanying text. One of these commenters, however, noted that the Commission’s estimated burden for proposed Rule 1000(b)(7) is fairly accurate, even though it did not include senior management’s response. See supra notes 1665–1666 and accompanying text. 1687 The 1 hour would be spent by an Attorney. This estimate is unchanged from the burden estimate for proposed Rule 1000(b)(8)(i), which only required submission of the report and any response by senior management to the Commission. The Commission believes that the additional burden for submitting the same report and response to the SCI entity’s board of directors or the equivalent of such board would be modest, and thus the estimate of one hour remains unchanged from the burden estimate for proposed Rule 1000(b)(8)(i), which required submission of the report and response by senior management only to the Commission.

burden of 44 hours for all SCI entities.1688

e. Access to EFFS

As noted above, to access EFFS, an SCI entity will submit to the Commission an EAUF to register each individual at the SCI entity who will access the EFFS system on behalf of the SCI entity. The Commission is including in its burden estimates the burden for completing the EAUF for each individual at an SCI entity that will request access to EFFS.
The Commission estimates that initially, on average, two individuals at each SCI entity will request access to EFFS through the EAUF, and each EAUF would require 0.15 hours to complete and submit. Therefore, each SCI entity would initially require 0.3 hours to complete the requisite EAUFs,1689 or approximately 13 hours for all SCI entities.1690 The Commission also estimates that annually, on average, one individual at each SCI entity will request access to EFFS through EAUF.1691 Therefore, the ongoing burden to complete the EAUF would be 0.15 hours annually for each SCI entity,1692 or approximately 7 hours annually for all SCI entities.1693 In addition, the Commission estimates that each SCI entity will designate two individuals to sign Form SCI each year. An individual signing a Form SCI must obtain a digital ID, at the cost of approximately $25 each year. Therefore, each SCI entity would require approximately $50 annually to obtain digital IDs for the individuals with access to EFFS for purposes of signing Form SCI,1694 or approximately $2,200 for all SCI entities.1695

1688 1 hour × 44 SCI entities = 44 hours. 1689 0.15 hours per EAUF × 2 individuals = 0.3 hours per SCI entity. These estimates are based on Commission staff’s experience with EFFS and EAUFs pursuant to Rule 19b–4 under the Exchange Act. The 0.15 hours would be spent by an Attorney. The Commission acknowledges that an SCI SRO may initially submit fewer than two EAUFs because certain individuals at SCI SROs currently already have access to EFFS, whereas an SCI entity other than an SCI SRO may submit more than two EAUFs initially because it has not previously submitted filings through EFFS. Therefore, the Commission believes it is appropriate to estimate that, on average, each SCI entity will submit two EAUFs initially. 1690 0.30 hours × 44 SCI entities = 13.2 hours. 1691 The Commission estimates that annually, on average, one individual at each SCI entity will request access to EFFS through EAUF to account for the possibility that an individual who previously had access to EFFS may no longer be designated as needing such access. 1692 0.15 hours per EAUF × 1 individual = 0.15 hours. 1693 0.15 hours × 44 entities = 6.6 hours. 1694 $25 per digital ID × 2 individuals = $50 per SCI entity. 1695 $50 × 44 SCI entities = $2,200.

3. Requirements To Take Corrective Actions and Identify Critical SCI Systems, Major SCI Events, De Minimis SCI Events, and Material Systems Changes

The rules under Regulation SCI that would result in SCI entities establishing additional processes for compliance are discussed more fully in Sections IV.A, IV.B.3.b, and IV.B.4 above.

a. Corrective Actions

In the SCI Proposal, the Commission noted that, although SCI entities already take corrective action in response to systems issues, proposed Rule 1000(b)(3) would likely result in SCI entities revising their policies regarding taking corrective actions.1696 The Commission estimated that the initial burden would be 42 hours per SCI entity,1697 and the ongoing burden would be 12 hours annually per SCI entity.1698 The Commission estimated that SCI entities would establish the process for compliance with proposed Rule 1000(b)(3) internally.1699 One commenter stated its belief that basing the estimate for proposed Rule 1000(b)(3) on the percentage of the burden estimate under proposed Rule 1000(b)(1) is appropriate.1700 This commenter also noted that while the taking of corrective action might be wholly or partially outsourced with regard to systems development activities, the establishment of policies and procedures with respect to corrective action would not be conducive to outsourcing.1701 As discussed in detail above in Section IV.B.3.b, the Commission
continues to require each SCI entity to begin to take appropriate corrective action in Rule 1002(a), but the corrective action requirement is triggered when any responsible SCI personnel has a reasonable basis to conclude that an SCI event has occurred.1702 The Commission continues to believe that all SCI entities, regardless of whether they participate in the ARP Inspection Program, already take corrective action in response to systems issues and have some internal processes with respect to corrective action.1703 The Commission also continues to believe that Rule 1002(a) will likely result in SCI entities revising their policies, which will help to ensure that their information technology staff has the ability to access systems in order to take appropriate corrective actions.1704 The Commission therefore believes that Rule 1002(a) may impose a one-time implementation burden on SCI entities associated with developing such a process, and periodic burdens in reviewing that process.
1696 See Proposing Release, supra note 13, at 18152.
1697 See id. The 42 burden hours included 16 hours by a Compliance Manager, 16 hours by an Attorney, 5 hours by a Senior Systems Analyst, and 5 hours by an Operations Specialist. See id. This estimate was based on the Commission’s burden estimate for proposed Rule 1000(b)(1). See id. at 18152, n. 442.
1698 See id. at 18152. The 12 burden hours included 6 hours by a Compliance Manager and 6 hours by an Attorney. See id. This estimate was based on the Commission’s burden estimate for proposed Rule 1000(b)(1). See id. at 18152, n. 443.
1699 See id. at 18152, n. 442.
1700 See MSRB Letter at 31–32.
1701 See id. at 32.
1702 See Rule 1002(a).
The Commission estimates that the initial burden to implement such a process would be 114 hours per SCI entity,1705 or 5,016 hours for all SCI entities.1706 The Commission also estimates that the ongoing burden to review such a process would be 39 hours annually per SCI entity,1707 or
1703 See Proposing Release, supra note 13, at 18152.
1704 See id.
1705 This estimate is based on the Commission’s burden estimate for Rule 1001(a), because Rule 1001(a) and Rule 1002(a) both would result in policies and procedures or processes. As noted above, one commenter stated that basing the burden estimate for proposed Rule 1000(b)(3) on the burden estimate under proposed Rule 1000(b)(1) is appropriate. See supra note 1700 and accompanying text. Because Rule 1001(a) (excluding Rule 1001(a)(2)(vi)) requires the establishment of six policies and procedures at a minimum and Rule 1002(a) would result in the establishment of one set of policies and procedures, the Commission estimates that the initial staff burden to draft the policies and procedures for Rule 1002(a) is one-sixth of the initial staff burden to draft the policies and procedures required by Rule 1001(a) (excluding Rule 1001(a)(2)(vi)). 504 hours ÷ 6 = 84 hours. The 84 burden hours include 32 hours by a Compliance Manager, 32 hours by an Attorney, 10 hours by a Senior Systems Analyst, and 10 hours by an Operations Specialist. This burden hour allocation is based on the allocation for Rule 1001(a) (excluding Rule 1001(a)(2)(vi)). See supra note 1443. The Commission also estimates that a Chief Compliance Officer will spend 20 hours and a Director of Compliance will spend 10 hours reviewing the policies and procedures required by Rule 1002(a). 84 hours + Chief Compliance Officer at 20 hours + Director of Compliance at 10 hours = 114 hours.
1706 114 hours × 44 SCI entities = 5,016 hours.
1707 This estimate is based on the Commission’s burden estimate for Rule 1001(a), because Rule 1001(a) and 1002(a) both would result in policies and procedures or processes. See supra note 1700 and accompanying text (stating that basing the burden estimate for proposed Rule 1000(b)(3) on the burden estimate under proposed 1000(b)(1) is appropriate). Because Rule 1001(a) (excluding Rule 1001(a)(2)(vi)) requires the maintenance of six policies and procedures at a minimum and 1002(a) would result in the maintenance of one set of policies and procedures, the Commission estimates that the ongoing staff burden under 1002(a) is one-sixth of the ongoing staff burden under Rule 1001(a) (excluding Rule 1001(a)(2)(vi)). 144 hours ÷ 6 = 24 hours. The 24 burden hours include 9 hours by a Compliance Manager, 9 hours by an Attorney, 3 hours by a Senior Systems Analyst, and 3 hours by an Operations Specialist. This burden hour
1,716 hours annually for all SCI entities.1708 The Commission continues to believe that SCI entities will conduct internally most of the work related to their corrective action procedures. As noted by a commenter, the establishment of policies and procedures with respect to corrective action would not be conducive to outsourcing.1709
b.
Identification of Critical SCI Systems, Major SCI Events, De Minimis SCI Events, and Material Systems Changes
In the SCI Proposal, the Commission estimated that requirements under the proposal with respect to immediate notification SCI events and dissemination SCI events may impose burdens on SCI entities in developing and reviewing a process to ensure that they are able to quickly and correctly make a determination regarding the nature of an SCI event.1710 For SCI entities that do not participate in the ARP Inspection Program, the Commission estimated that the initial burden would be 42 hours per SCI entity 1711 and the ongoing burden would be 12 hours annually per SCI entity.1712 For SCI entities that currently participate in the ARP Inspection Program, the Commission estimated that the initial burden would be 21 hours per SCI entity 1713 and the ongoing burden would be 6 hours annually per SCI entity.1714 The Commission believed that SCI entities would internally establish the process for determining whether an SCI event is an immediate
allocation is based on the allocation for Rule 1001(a) (excluding Rule 1001(a)(2)(vi)). See supra note 1445. The Commission also estimates that a Chief Compliance Officer will spend 10 hours and a Director of Compliance will spend 5 hours reviewing the policies and procedures required by Rule 1002(a). 24 hours + Chief Compliance Officer at 10 hours + Director of Compliance at 5 hours = 39 hours.
1708 39 hours × 44 SCI entities = 1,716 hours.
1709 See supra note 1701 and accompanying text.
1710 See Proposing Release, supra note 13, at 18152.
1711 See id. at 18153. The 42 burden hours included 16 hours by a Compliance Manager, 16 hours by an Attorney, 5 hours by a Senior Systems Analyst, and 5 hours by an Operations Specialist. See id. This estimate was based on the Commission’s burden estimate for proposed Rule 1000(b)(1). See id. at 18153, n. 448.
1712 See id. at 18153.
The 12 burden hours included 6 hours by a Compliance Manager and 6 hours by an Attorney. See id. This estimate was based on the Commission’s burden estimate for proposed Rule 1000(b)(1). See id. at 18153, n. 452.
1713 See id. at 18153. The 21 burden hours included 8 hours by a Compliance Manager, 8 hours by an Attorney, 2.5 hours by a Senior Systems Analyst, and 2.5 hours by an Operations Specialist. See id.
1714 See id. The 6 burden hours included 3 hours by a Compliance Manager and 3 hours by an Attorney. See id.
notification SCI event or dissemination SCI event.1715 One commenter stated its belief that the Commission’s burden estimate for policies and procedures to identify an SCI event as an immediate notification SCI event or dissemination SCI event was effectively limited to ministerial tasks of producing such policies and procedures in isolation from other organizational activities and needs, and took into account only minimal supervisory or decision-making activities, and therefore significantly underestimated the total burden of compliance with this provision.1716 This commenter urged the Commission to adjust the estimate in a manner similar to this commenter’s suggestion with regard to proposed Rules 1000(b)(1) and (2).1717 As discussed above in Section IV.B.4, Rule 1003(a)(1) requires each SCI entity to establish reasonable written criteria for identifying a change to its SCI systems and the security of indirect SCI systems as material. As noted in the SCI Proposal, because the ARP Inspection Program already provides for the reporting of ‘‘significant systems changes’’ to Commission staff, the Commission believes that, as compared to entities that do not participate in the ARP Inspection Program, entities that currently participate in the ARP Inspection Program would already have some internal processes for determining the significance of a systems issue or systems change.
Therefore, the Commission continues to estimate a 50% baseline for the staff burden estimates for SCI entities that currently participate in the ARP Inspection Program.1718 However, the Commission does not believe that a 50% baseline would be appropriate for these SCI entities in terms of senior management review. The Commission believes that, although these entities already have some internal processes for determining the significance of a systems change, their senior management would require the same number of hours as other SCI entities to review and ensure that the process is reasonable, as required by Rule 1003(a)(1). The Commission continues to believe that SCI entities will internally establish and maintain the policies and procedures required by Rule 1003(a)(1). The Commission estimates that each SCI entity that does not participate in the ARP Inspection Program would require 114 hours initially to establish the criteria for identifying material systems changes,1719 or 1,596 hours for all such SCI entities.1720 The Commission also estimates that each SCI entity that does not participate in the ARP Inspection Program would require 39 hours annually to review and update the criteria for identifying material systems changes,1721 or 546 hours for all such SCI entities.1722 The Commission estimates that each SCI entity that currently participates in the
1715 See id. at 18153, n. 448, n. 450, n. 452, and n. 454.
1716 See MSRB Letter at 32.
1717 See id.
1718 The 50% baseline for ARP participants is consistent with the baseline for the Rule 1001(a) burden estimates.
1719 This estimate is based on the Commission’s burden estimate for Rule 1001(a), because Rule 1001(a) and Rule 1003(a)(1) both require policies and procedures or processes.
See supra note 1700 and accompanying text (stating, in the context of proposed Rule 1000(b)(3), that basing the burden estimate for a set of policies and procedures or processes on the burden estimate under proposed 1000(b)(1) is appropriate). Because Rule 1001(a) (excluding Rule 1001(a)(2)(vi)) requires the establishment of six policies and procedures at a minimum and Rule 1003(a)(1) requires the establishment of one set of criteria, the Commission estimates that the initial staff burden to draft the criteria required by Rule 1003(a)(1) is one-sixth of the initial staff burden to draft the policies and procedures required by Rule 1001(a) (excluding Rule 1001(a)(2)(vi)). 504 hours ÷ 6 = 84 hours. The 84 burden hours include 32 hours by a Compliance Manager, 32 hours by an Attorney, 10 hours by a Senior Systems Analyst, and 10 hours by an Operations Specialist. This burden hour allocation is based on the allocation for Rule 1001(a) (excluding Rule 1001(a)(2)(vi)). See supra note 1443. The Commission also estimates that a Chief Compliance Officer will spend 20 hours and a Director of Compliance will spend 10 hours reviewing the policies and procedures required by Rule 1003(a)(1). 84 hours + Chief Compliance Officer at 20 hours + Director of Compliance at 10 hours = 114 hours.
1720 114 hours × 14 SCI entities that do not participate in the ARP Inspection Program = 1,596 hours.
1721 This estimate is based on the Commission’s burden estimate for Rule 1001(a), because Rule 1001(a) and Rule 1003(a)(1) both require policies and procedures or processes. See supra note 1700 and accompanying text (stating, in the context of proposed Rule 1000(b)(3), that basing the burden estimate for a set of policies and procedures or processes on the burden estimate under proposed 1000(b)(1) is appropriate).
Because Rule 1001(a) (excluding Rule 1001(a)(2)(vi)) requires the maintenance of six policies and procedures at a minimum and Rule 1003(a)(1) requires the maintenance of one set of criteria, the Commission estimates that the ongoing staff burden under 1003(a)(1) is one-sixth of the ongoing staff burden under Rule 1001(a) (excluding Rule 1001(a)(2)(vi)). 144 hours ÷ 6 = 24 hours. The 24 burden hours include 9 hours by a Compliance Manager, 9 hours by an Attorney, 3 hours by a Senior Systems Analyst, and 3 hours by an Operations Specialist. This burden hour allocation is based on the allocation for Rule 1001(a) (excluding Rule 1001(a)(2)(vi)). See supra note 1445. The Commission also estimates that a Chief Compliance Officer will spend 10 hours and a Director of Compliance will spend 5 hours reviewing the policies and procedures required by Rule 1003(a)(1). 24 hours + Chief Compliance Officer at 10 hours + Director of Compliance at 5 hours = 39 hours.
1722 39 hours × 14 SCI entities that do not participate in the ARP Inspection Program = 546 hours.
ARP Inspection Program would require 72 hours initially to establish the criteria for identifying material systems changes,1723 or 2,160 hours for all such SCI entities.1724 The Commission also estimates that each SCI entity that currently participates in the ARP Inspection Program would require 27 hours annually to review and update the criteria,1725 or 810 hours for all such SCI entities.1726 As adopted, Regulation SCI requires SCI entities to identify certain types of events, systems, and changes.
Specifically, Rule 1000 defines ‘‘critical SCI systems’’ as any SCI systems of, or operated by or on behalf of, an SCI entity that: (1) Directly support functionality relating to (i) clearance and settlement systems of clearing agencies; (ii) openings, reopenings, and closings on the primary listing market; (iii) trading halts; (iv) initial public offerings; (v) the provision of consolidated market data; or (vi) exclusively-listed securities; or (2) provide functionality to the securities markets for which the availability of alternatives is significantly limited or nonexistent and without which there would be a material impact on fair and orderly markets. Rule 1000 defines ‘‘major SCI event’’ as an SCI event that has had, or the SCI entity reasonably estimates would have, any impact on a critical SCI system or a significant impact on the SCI entity’s operations or on market participants. Because Rule 1001(a)(2)(v) requires business continuity and disaster recovery plans that are reasonably designed to achieve two-hour resumption of critical SCI systems following a wide-scale disruption, each SCI entity needs to identify its critical SCI systems. In addition, each SCI entity needs to
1723 84 hours ÷ 2 = 42 hours. The 42 burden hours include 16 hours by a Compliance Manager, 16 hours by an Attorney, 5 hours by a Senior Systems Analyst, and 5 hours by an Operations Specialist. The Commission also estimates that a Chief Compliance Officer will spend 20 hours and a Director of Compliance will spend 10 hours reviewing the policies and procedures required by Rule 1003(a)(1). 42 hours + Chief Compliance Officer at 20 hours + Director of Compliance at 10 hours = 72 hours.
1724 72 hours × 30 SCI entities that participate in the ARP Inspection Program = 2,160 hours.
1725 24 hours ÷ 2 = 12 hours. The 12 burden hours include 4.5 hours by a Compliance Manager, 4.5 hours by an Attorney, 1.5 hours by a Senior Systems Analyst, and 1.5 hours by an Operations Specialist.
The Commission also estimates that a Chief Compliance Officer will spend 10 hours and a Director of Compliance will spend 5 hours reviewing the policies and procedures required by Rule 1003(a)(1). 12 hours + Chief Compliance Officer at 10 hours + Director of Compliance at 5 hours = 27 hours.
1726 27 hours × 30 SCI entities that participate in the ARP Inspection Program = 810 hours.
identify its critical SCI systems because the definition of major SCI event includes an SCI event that has had, or the SCI entity reasonably estimates would have, any impact on a critical SCI system. Further, when an SCI event occurs, an SCI entity needs to determine whether the event is a major SCI event, because Rule 1002(c)(3) requires an SCI entity to disseminate information regarding major SCI events to all of its members or participants. In addition, Rules 1002(b) and (c) provide certain exceptions from the Commission notification and information dissemination requirements for any SCI event that has had, or the SCI entity reasonably estimates would have, no or a de minimis impact on the SCI entity’s operations or on market participants. Therefore, when SCI events occur, an SCI entity needs to determine whether they are de minimis SCI events. The Commission believes that the identification of critical SCI systems, major SCI events, and de minimis SCI events will impose an initial one-time implementation burden on SCI entities in developing processes to quickly and correctly identify the nature of a system or event.1727 The identification of these systems and events may also impose periodic burdens on SCI entities in reviewing and updating the processes.
As noted in the SCI Proposal, because the ARP Inspection Program already provides for the reporting of ‘‘significant systems changes’’ and ‘‘significant systems outages’’ to Commission staff, the Commission believes that, as compared to entities that do not participate in the ARP Inspection Program, entities that currently participate in the ARP Inspection Program would already have some internal processes for determining the significance of a systems issue or systems change. Therefore, the Commission estimates a 50% baseline for the staff burden for SCI entities that currently participate in the ARP Inspection Program.1728 However, the Commission does not believe that a 50% baseline would be appropriate for these SCI entities in terms of senior management review. The Commission believes that SCI entities will internally establish and maintain the policies and procedures regarding the identification of critical SCI systems, major SCI events, and de minimis SCI events.
1727 The Commission’s approach with respect to SCI events and SCI systems is responsive to some commenters’ suggestion for a risk-based regime. See, e.g., supra notes 784–789 and accompanying text (discussing commenters’ suggestions for revising the Commission reporting requirement).
1728 The 50% baseline for ARP participants is consistent with the baseline for the Rule 1001(a) burden estimates.
The Commission estimates that each SCI entity that does not participate in the ARP Inspection Program would require 198 hours initially to establish the criteria for identifying certain systems and events,1729 or 2,772 hours for all such SCI entities.1730 The Commission also estimates that each SCI entity that does not participate in the ARP Inspection Program would require 63 hours annually to review and update such criteria,1731 or 882 hours
1729 This estimate is based on the Commission’s burden estimate for Rule 1001(a), because Rule 1001(a) and the identification of certain systems and events both would result in policies and procedures or processes. See supra note 1700 and accompanying text (stating, in the context of proposed Rule 1000(b)(3), that basing the burden estimate for a set of policies and procedures or processes on the burden estimate under proposed 1000(b)(1) is appropriate). Because Rule 1001(a) (excluding Rule 1001(a)(2)(vi)) requires the establishment of six policies and procedures at a minimum and the identification of certain systems and events could result in the establishment of two policies and procedures (i.e., one for systems and one for events), the Commission estimates that the initial staff burden to draft the policies and procedures to identify certain systems and events is one-third of the initial staff burden to draft the policies and procedures required by Rule 1001(a) (excluding Rule 1001(a)(2)(vi)). 504 hours ÷ 3 = 168 hours. The 168 burden hours include 64 hours by a Compliance Manager, 64 hours by an Attorney, 20 hours by a Senior Systems Analyst, and 20 hours by an Operations Specialist. This burden hour allocation is based on the allocation for Rule 1001(a) (excluding Rule 1001(a)(2)(vi)). See supra note 1443. The Commission also estimates that a Chief Compliance Officer will spend 20 hours and a Director of Compliance will spend 10 hours reviewing the policies and procedures to identify certain systems and events.
168 hours + Chief Compliance Officer at 20 hours + Director of Compliance at 10 hours = 198 hours.
1730 198 hours × 14 SCI entities that do not participate in the ARP Inspection Program = 2,772 hours.
1731 This estimate is based on the Commission’s burden estimate for Rule 1001(a), because Rule 1001(a) and the identification of certain systems and events both would result in policies and procedures or processes. See supra note 1700 and accompanying text (stating, in the context of proposed Rule 1000(b)(3), that basing the burden estimate for a set of policies and procedures or processes on the burden estimate under proposed 1000(b)(1) is appropriate). Because Rule 1001(a) (excluding Rule 1001(a)(2)(vi)) requires the maintenance of six policies and procedures at a minimum and the identification of certain systems and events could result in the maintenance of two policies and procedures, the Commission estimates that the ongoing staff burden to draft the policies and procedures to identify certain systems and events is one-third of the ongoing staff burden under Rule 1001(a) (excluding Rule 1001(a)(2)(vi)). 144 hours ÷ 3 = 48 hours. The 48 burden hours include 18 hours by a Compliance Manager, 18 hours by an Attorney, 6 hours by a Senior Systems Analyst, and 6 hours by an Operations Specialist. This burden hour allocation is based on the allocation for Rule 1001(a) (excluding Rule 1001(a)(2)(vi)). See supra note 1445. The Commission also estimates that a Chief Compliance Officer will spend 10 hours and a Director of Compliance will spend 5 hours reviewing the policies and procedures for identifying certain systems and events. 48 hours + Chief Compliance Officer at 10 hours + Director of Compliance at 5 hours = 63 hours.
for all such SCI entities.1732 The Commission estimates that each SCI entity that currently participates in the ARP Inspection Program would require 114 hours initially to establish the criteria for identifying certain systems and events,1733 or 3,420 hours for all such SCI entities.1734 The Commission also estimates that each SCI entity that currently participates in the ARP Inspection Program would require 39 hours annually to review and update such criteria,1735 or 1,170 hours for all such SCI entities.1736 The Commission believes that the revised burden estimates for establishing policies and procedures to identify certain systems and events are responsive to a commenter’s concern that the estimate in the SCI Proposal only included ministerial tasks and minimal supervisory activities.1737 Specifically, the Commission increased from the proposal the estimated burden hours for the personnel involved in establishing such policies and procedures, and included senior level review by adding burden estimates for the Chief Compliance Officer and Director of Compliance. Moreover, because these revised burden estimates are based on the revised burden estimates for Rule 1001(a), these estimates are responsive to a commenter’s suggestion that they be revised in a manner similar to its suggestions with respect to proposed Rules 1000(b)(1) and (2).1738
1732 63 hours × 14 SCI entities that do not participate in the ARP Inspection Program = 882 hours.
1733 168 hours ÷ 2 = 84 hours. The 84 burden hours include 32 hours by a Compliance Manager, 32 hours by an Attorney, 10 hours by a Senior Systems Analyst, and 10 hours by an Operations Specialist.
The Commission also estimates that a Chief Compliance Officer will spend 20 hours and a Director of Compliance will spend 10 hours reviewing the policies and procedures for identifying certain systems and events. 84 hours + Chief Compliance Officer at 20 hours + Director of Compliance at 10 hours = 114 hours.
1734 114 hours × 30 SCI entities that participate in the ARP Inspection Program = 3,420 hours.
1735 48 hours ÷ 2 = 24 hours. The 24 burden hours include 9 hours by a Compliance Manager, 9 hours by an Attorney, 3 hours by a Senior Systems Analyst, and 3 hours by an Operations Specialist. The Commission also estimates that a Chief Compliance Officer will spend 10 hours and a Director of Compliance will spend 5 hours reviewing the policies and procedures for identifying certain systems and events. 24 hours + Chief Compliance Officer at 10 hours + Director of Compliance at 5 hours = 39 hours.
1736 39 hours × 30 SCI entities that participate in the ARP Inspection Program = 1,170 hours.
1737 See supra note 1716 and accompanying text.
1738 See supra note 1717 and accompanying text.
4.
Recordkeeping Requirements
In the SCI Proposal, the Commission noted that it is not proposing a new recordkeeping requirement for SCI SROs because the documents relating to compliance with proposed Regulation SCI are subject to their existing recordkeeping and retention requirements under Rule 17a–1 under the Act.1739 The Commission therefore noted its belief that the proposed recordkeeping requirements would not result in any burden that is not already accounted for in the Commission’s burden estimates for Rule 17a–1.1740 With respect to SCI entities other than SCI SROs, the Commission estimated that the initial and ongoing burdens to make, keep, and preserve records relating to compliance with proposed Regulation SCI would be approximately 25 hours annually per SCI entity.1741 The Commission also estimated that each SCI entity other than an SCI SRO would incur a one-time burden to set up or modify an existing recordkeeping system to comply with the proposed recordkeeping requirements.1742 Specifically, the Commission estimated that for each SCI entity other than an SCI SRO, setting up or modifying a recordkeeping system would create an initial burden of 170 hours and $900 in information technology costs for purchasing recordkeeping software.1743 Further, the Commission noted its belief that proposed Rule 1000(c)(3), which would require an SCI entity, upon or immediately prior to ceasing to do business or ceasing to be registered under the Exchange Act, to take all necessary action to ensure that the records required to be made, kept, and preserved by Rules 1000(c)(1) and (2) remain accessible to the Commission and its representatives in the manner and for the remainder of the period required by Rule 1000(c), would not result in any additional paperwork burden that is not already accounted for in the Commission’s burden estimates
1739 See Proposing Release, supra note 13, at 18153.
1740 See id.
1741 See id. at 18154.
The 25 burden hours would be spent by a Compliance Clerk. See id. This estimate was based on Commission staff’s experience with examinations of registered entities, the Commission’s estimated burden for an SRO to comply with Rule 17a–1, and the Commission’s estimated burden for a SB SEF to keep and preserve documents made or received in the conduct of its business. See id. at 18154, n. 458.
1742 See id. at 18154.
1743 See id. These estimates were based on the Commission’s experience with examinations of registered entities and the Commission’s estimated burden for an SB SEF to keep and preserve documents made or received in the conduct of its business. See id. at 18154, n. 460.
for proposed Rules 1000(c)(1) and (2).1744 One commenter noted that while proposed Rule 1000(c) does not create new recordkeeping requirements for SCI SROs, the number of records to be retained by an SRO would increase due to proposed Regulation SCI.1745 This commenter stated that such additional recordkeeping is not costless and should be considered by the Commission.1746 As discussed in detail above in Section IV.C.1.a, the Commission is adopting the recordkeeping requirements substantially as proposed. The Commission notes that the burden associated with creating such records, as required of all SCI entities, including SCI SROs, by Regulation SCI, is discussed and accounted for throughout this Section V. With respect to SCI SROs, the breadth of Rule 17a–1 under the Exchange Act 1747 is such that it requires SCI SROs to make, keep, and preserve records relating to their compliance with Regulation SCI.1748 SCI entities that participate in the ARP Inspection Program (nearly all of whom are SCI SROs) do generally keep and preserve the types of records that are subject to the requirements of Rule 1005.
However, because Regulation SCI imposes new requirements on SROs, as noted by a commenter, the number of records to be retained by an SRO may increase.1749 The Commission believes that existing recordkeeping systems and processes of SCI SROs will be used to retain the records required to be created pursuant to Regulation SCI. As a result, the Commission believes that the burden associated with retaining these additional records is an incrementally small increase in the burden currently incurred by SROs to retain records as required by Rule 17a–1 and that the burden associated with retaining records related to Regulation SCI is already accounted for in the Commission’s burden estimates for Rule 17a–1.1750

The Commission continues to believe that for SCI entities other than SCI SROs, the initial and ongoing burden to make, keep, and preserve records relating to compliance with Regulation SCI, as required by Rule 1005(b), would be approximately 25 hours annually per SCI entity that is not an SCI SRO.1751 Therefore, the Commission estimates a total annual burden of 425 hours for all such SCI entities.1752

The Commission also continues to estimate that each SCI entity other than an SCI SRO would incur a one-time burden to set up or modify an existing recordkeeping system to comply with Rule 1005. Specifically, the Commission estimates that, for each SCI entity other than an SCI SRO, setting up or modifying a recordkeeping system would create an initial burden of 170 hours and $900 in information technology costs for purchasing software.1753 Therefore, the Commission estimates a total initial burden of 3,315 hours 1754 and a total initial cost of $15,300 for all such SCI entities.1755

Finally, the Commission continues to believe that Rule 1005(c), which requires an SCI entity, upon or immediate prior to ceasing to do business or ceasing to be registered under the Exchange Act, to take all necessary action to ensure that the records required to be made, kept, and preserved by Rule 1005 remain accessible to the Commission and its representatives in the manner and for the remainder of the period required by Rule 1005, would not result in any additional paperwork burden that is not already accounted for in the Commission’s burden estimates for Rule 1005(b).1756

1744 See id. at 18154.
1745 See MSRB Letter at 39.
1746 See id.
1747 ‘‘Every national securities exchange, national securities association, registered clearing agency and the Municipal Securities Rulemaking Board shall keep and preserve at least one copy of all documents, including all correspondence, memoranda, papers, books, notices, accounts, and other such records as shall be made or received by it in the course of its business as such and in the conduct of its self-regulatory activity.’’ Exchange Act Rule 17a–1(a), 17 CFR 240.17a–1(a).
1748 See also Rule 1005(a).
1749 See supra notes 1745–1746 and accompanying text.
1750 See Supporting Statement for the Paperwork Reduction Act Information Collection Submissions for Rule 17a–1, available at: https://www.reginfo.gov.
1751 See Proposing Release, supra note 13, at 18154, n. 458.
1752 25 hours × 17 non-SRO SCI entities = 425 hours.
1753 See Proposing Release, supra note 13, at 18154, n. 460. The Commission believes that this burden estimate includes the burden imposed by Rule 1007. Specifically, Rule 1007 provides that, if the records required to be filed or kept by an SCI entity under Regulation SCI are prepared or maintained by a service bureau or other recordkeeping service on behalf of the SCI entity, the SCI entity would be required to ensure that the records are available for review by the Commission and its representatives by submitting a written undertaking, in a form acceptable to the Commission, by such service bureau or other recordkeeping service, which is signed by a duly authorized person at such service bureau or other recordkeeping service.
1754 (170 hours + 25 hours) × 17 non-SRO SCI entities = 3,315 hours.
1755 $900 × 17 non-SRO SCI entities = $15,300.

5. Total Paperwork Burden Under Regulation SCI

Based on the foregoing, the Commission estimates that the total one-time initial burden for all SCI entities to comply with Regulation SCI would be 330,508 hours 1757 and the total one-time initial cost would be approximately $9.3 million.1758 The Commission estimates that the total annual ongoing burden for all SCI entities to comply with Regulation SCI would be 287,722 hours 1759 and the total annual ongoing cost would be approximately $5.9 million.1760

E. Collection of Information Is Mandatory

All collections of information pursuant to Regulation SCI is a mandatory collection of information.

F. Confidentiality

The Commission expects that the written policies and procedures, processes, criteria, standards, or other written documents developed or revised by SCI entities pursuant to Regulation SCI will be retained by SCI entities in accordance with, and for the periods specified in Exchange Act Rule 17a–1 and Rule 1005, as applicable.
Should such documents be made available for examination or inspection by the Commission and its representatives, they would be kept confidential subject to the provisions of applicable law.1761 In addition, the information submitted to the Commission pursuant to Regulation SCI that is filed on Form SCI, as required by Rule 1006, will be treated as confidential, subject to applicable law, including amended Rule 24b–2.1762 The information disseminated by SCI entities pursuant to Rule 1002(c) under Regulation SCI to their members or participants will not be confidential.

G. Reduced Burden From Amendment of Rule 301(b)(6) (OMB Control Number 3235–0509)

Adopted Regulation SCI amends Rule 301(b)(6) of Regulation ATS.1763 Amendment of Rule 301(b)(6) would eliminate certain collection of information requirements within the meaning of the PRA, which the Commission had submitted to OMB in accordance with 44 U.S.C. 3507 and 5 CFR 1320.11 and OMB had approved. The approved collection of information is titled ‘‘Rule 301: Requirements for Alternative Trading Systems and Form ATS; ATS–R,’’ and the OMB control number for this collection of information is 3235–0509.1764 Some of the information collection burdens imposed by Regulation ATS would be reduced by the amendment of Rule 301(b)(6). Specifically, the paperwork burdens that would be eliminated by the amendment of Rule 301(b)(6) would be: (i) Burdens on ATSs that trade NMS stocks and non-NMS stocks associated with the requirement to make records relating to any steps taken to comply with systems capacity, integrity and security requirements under Rule 301(b)(6) (estimated to be 20 hours); 1765 and (ii) burdens on ATSs that trade NMS stocks and non-NMS stocks associated with the requirement to provide notices to the Commission to report systems outages (estimated to be 2.5 hours).1766 The Commission received no comments regarding the reduced paperwork burdens from the proposal to repeal Rule 301(b)(6) of Regulation ATS.

1756 The Commission believes that SCI entities will comply with Rule 1005(c) by, for example, a contractual arrangement with a recordkeeping service.
1757 330,508 hours = 54,992 hours (policies and procedures, mandate participation in certain testing) + 257,237 (notification, dissemination, reporting) + 14,964 hours (corrective action, identification of certain systems and events, identification of material systems changes) + 3,315 hours (recordkeeping).
1758 $9,325,500 = $3,544,000 (policies and procedures, mandate participation in certain testing) + $5,766,200 (notification, dissemination, reporting) + $15,300 (recordkeeping).
1759 287,722 hours = 24,942 hours (policies and procedures, mandate participation in certain testing) + 257,231 (notification, dissemination, reporting) + 5,124 hours (corrective action, identification of certain systems and events, identification of material systems changes) + 425 hours (recordkeeping).
1760 $5,874,200 = $108,000 (mandate participation in certain testing) + $5,766,200 (notification, dissemination, reporting). One commenter noted that majority of the estimated paperwork burden in the SCI Proposal relate to notifications of SCI events, rather than the writing and maintenance of the policies and procedures. See NYSE Letter at 18. This commenter noted that creating and maintaining reasonable policies and procedure to seek to ensure that important market systems have adequate levels of capacity, integrity, resiliency, availability, and security should be the main focus of the regulation, not the reporting provisions. See NYSE Letter at 18. The Commission notes that the burden estimates in this section relate solely to the paperwork burden of compliance with Regulation SCI. The Commission discusses other costs associated with compliance with Regulation SCI in the Economic Analysis section below.
1761 See, e.g., 15 U.S.C. 78x (governing the public availability of information obtained by the Commission); 5 U.S.C. 552 et seq.
1762 See, e.g., 15 U.S.C. 78x (governing the public availability of information obtained by the Commission); 5 U.S.C. 552 et seq. See also supra Section IV.C.2 (discussing confidentiality treatment for Form SCI filings).
1763 See 17 CFR 242.301(b)(6). See also Securities Exchange Act Release No. 40760 (December 8, 1998), 63 FR 70844 (December 22, 1998) (‘‘ATS Release’’). In the SCI Proposal, the Commission proposed that Regulation SCI would replace and supersede Rule 301(b)(6) in its entirety. As discussed above, the Commission is now amending Rule 301(b)(6) to remove paragraphs (i)(A) and (i)(B) so that Rule 301(b)(6) will no longer apply to ATSs that trade NMS stocks and non-NMS stocks. However, as described above, the Commission has determined to exclude ATSs that trade only municipal securities or corporate debt securities from the scope of Regulation SCI, and such ATSs will remain subject to the requirements of Rule 301(b)(6) if they meet the volume thresholds therein. The Commission estimates that no ATS that trade only municipal securities or corporate debt securities currently meet the thresholds of Rule 301(b)(6).
1764 See Rule 301: Requirements for Alternative Trading Systems and Form ATS; ATS–R, OMB Control No: 3235–0509 (Rule 301 supporting statement), available at: https://www.reginfo.gov. This approval has an expiration date of April 30, 2017.

VI. Economic Analysis

A. Overview

The Commission is sensitive to the economic effects, including the costs and benefits, of its rules.
When engaging in rulemaking pursuant to the Exchange Act that requires the Commission to consider or determine whether an action is necessary or appropriate in the public interest, Section 3(f) of the Exchange Act requires the Commission to consider, in addition to the protection of investors, whether the action will promote efficiency, competition, and capital formation.1767 In addition, Section 23(a)(2) of the Exchange Act requires the Commission in making rules pursuant to the Exchange Act to consider the impact any such rule would have on competition. The Exchange Act prohibits the Commission from adopting any rule that would impose a burden on competition not necessary or appropriate in furtherance of the purposes of the Exchange Act.1768

1765 The Commission estimated that two alternative trading systems that register as broker-dealers and comply with Regulation ATS would trigger this requirement, and that the average compliance burden for each response would be 10 hours of in-house professional work at $379 per hour. Thus, the total compliance burden per year was estimated to be 20 hours (2 respondents × 10 hours = 20 hours). See Rule 301: Requirements for Alternative Trading Systems OMB Control No: 3235–0509 (Rule 301 supporting statement), available at: https://www.reginfo.gov. As discussed above, the Commission is amending Rule 301(b)(6) so that it will no longer apply to ATSs that trade NMS stocks and non-NMS stocks. ATSs that trade only municipal securities or corporate debt securities will remain subject to the requirements of Rule 301(b)(6), but the Commission estimates that no such ATS currently meets the thresholds of Rule 301(b)(6).
1766 The Commission estimated that two alternative trading systems that register as broker-dealers and comply with Regulation ATS would meet the volume thresholds that trigger systems outage notice obligations approximately 5 times a year, and that the average compliance burden for each response would be .25 hours of in-house professional work at $379 per hour. Thus, the total compliance burden per year was estimated to be 2.5 hours (2 respondents × 5 responses each × .25 hours = 2.5 hours). See id. As discussed above, the Commission is amending Rule 301(b)(6) so that it will no longer apply to ATSs that trade NMS stocks and non-NMS stocks. ATSs that trade only municipal securities or corporate debt securities will remain subject to the requirements of Rule 301(b)(6), but the Commission estimates that no such ATS currently meets the thresholds of Rule 301(b)(6).
1767 15 U.S.C. 78c(f).

In the SCI Proposal, the Commission solicited comment on the economic effects of the proposed rules, including any effects that the proposed rules may have on efficiency, competition, and capital formation. The Commission also solicited comment on its representation of current practices and its characterization of the relevant markets in which SCI entities participate. In addition, the Commission solicited comment on reasonable alternatives to the proposed rules and their economic effects. The Commission encouraged commenters to identify, discuss, analyze, and supply relevant data, information, or statistics regarding any economic effects.
The Commission received many comment letters that addressed the Commission’s economic analysis of the proposed rules.1769 As described further below, some commenters stated that the Commission underestimated the costs (including, for example, the proposed rules’ potential to impact innovation and create barriers to entry) of compliance with Regulation SCI.1770 Other commenters believed that the costs are justified by the benefits of the rules.1771

1768 15 U.S.C. 78w(a)(2).
1769 See, e.g., Tellefsen Letter; Angel Letter; MSRB Letter; OCC Letter; BIDS Letter; ISE Letter; Leuchtkafer Letter; Better Markets Letter; CAST Letter; FINRA Letter; CISQ Letter; Fidelity Letter; CME Letter; Omgeo Letter; Lauer Letter; SIFMA Letter; SunGard Letter; NYSE Letter; BATS Letter; FIA PTG Letter; ITG Letter; KCG Letter; UBS Letter; Joint SROs Letter; and TMC Letter.
1770 See, e.g., BIDS Letter at 2–3; NYSE Letter at 2; UBS Letter at 5; and Omgeo Letter at 2.
1771 See, e.g., Lauer Letter at 7 (commenting that cost burden should not be an appropriate reason to omit an SCI entity and that, if the burden to ensure secure, stable systems is too high for an entity, that entity should not be allowed to be in a position to impact the market); and Better Markets Letter at 9–12 (commenting that the Commission’s preeminent duty when promulgating rules is to protect investors and the public interest, and these goals should not be subordinate to industry concerns over the cost of regulation).

As discussed above in Section I, a confluence of factors has contributed to the Commission’s determination that it is necessary and appropriate at this time to address the technological vulnerabilities, and improve Commission oversight, of the core technology of key U.S. securities markets entities, including national securities exchanges and associations, significant ATSs, clearing agencies, and plan processors.
These considerations include: The evolution of the markets to become significantly more dependent on sophisticated, complex, and interconnected technology; the current successes and limitations of the ARP Inspection Program; the significant number of, and lessons learned from, recent systems issues at exchanges and other trading venues,1772 including increased concerns over ‘‘single points of failure’’ in the securities markets; and the views of a wide variety of commenters received in response to the SCI Proposal.

Regulation SCI codifies, updates, and expands the existing ARP Inspection Program in an effort to further the goals of the national market system. Regulation SCI is intended to help to ensure the capacity, integrity, resiliency, availability, and security of the automated systems of entities important to the functioning of the U.S. securities markets. Regulation SCI is also intended to strengthen the U.S. securities market infrastructure and improve the resilience of the U.S. securities markets when technological issues arise. Moreover, Regulation SCI is intended to reinforce the requirement that SCI entities operate their systems in compliance with the Exchange Act and the rules and regulations thereunder.

As adopted, Regulation SCI will apply to SCI SROs (including national securities exchanges,1773 national securities associations,1774 registered clearing agencies, and the MSRB), SCI ATSs, plan processors, and certain exempt clearing agencies.1775 As such, Regulation SCI covers the trading of NMS stocks, OTC equities, and listed options. As discussed below, Regulation SCI also will impact multiple markets for services, including the markets for trading services, listing services, regulation and surveillance services, clearance and settlement services, and market data.

1772 See supra note 15 and accompanying text.
1773 Regulation SCI will not apply to an exchange that lists or trades security futures products that is notice-registered with the Commission as a national securities exchange pursuant to Section 6(g) of the Exchange Act, including security futures exchanges. See supra note 78 and accompanying text.
1774 Regulation SCI will not apply to limited purpose national securities associations registered with the Commission pursuant to Section 15A(k) of the Exchange Act. See supra note 78 and accompanying text.
1775 See supra Section IV.A.1 (discussing the definition of SCI entities).

B. Economic Baseline

The Commission recognizes that any economic effects, including costs and benefits and effects on efficiency, competition, and capital formation, should be compared to a baseline that accounts for current practices. The description of current practices below is based, among other things, on the Commission’s understanding of the current practices under the ARP Inspection Program (including current practices influenced by staff guidance related to the ARP Inspection Program), the requirements under Regulation ATS, rules of SROs, information provided by commenters, and current practices and staff guidance related to systems compliance-related issues.

As noted above, all active registered clearing agencies, all registered national securities exchanges, FINRA, two plan processors, one ATS, and one exempt clearing agency currently participate in the ARP Inspection Program.
Under the ARP Policy Statements and through the ARP Inspection Program, these entities, among other things, are expected to establish current and future capacity estimates; conduct capacity stress tests; and conduct annual reviews that cover significant elements of the operations of the automation process, including the capacity planning and testing process, contingency planning, systems development methodology, and vulnerability assessments. When conducting an ARP inspection, Commission staff also evaluates whether an ARP entity’s controls over its information technology resources in nine general areas, or information technology ‘‘domains,’’ is consistent with ARP and industry guidelines.1776 The ARP Policy Statements and staff letters also address, among other things, the reporting of certain systems changes, intrusions, and outages, and the need to comply with relevant laws and rules.1777 Many participants in the ARP Inspection Program have developed current practices that to some extent overlap with the requirements of Regulation SCI. These practices are discussed in more detail throughout this economic analysis.

The ARP Policy Statements and the ARP Inspection Program address systems that directly support trading, clearance and settlement, order routing, and market data, which are a subset of the systems covered by Regulation SCI.1778 Additionally, Commission staff currently inspects all the categories of systems that are included in the adopted definition of ‘‘SCI systems’’ to varying degrees.1779 In general, the Commission believes that, to varying degrees, entities participating in the ARP Inspection Program establish current and future capacity estimates, conduct periodic capacity stress tests, and conduct an annual independent assessment of whether their automated systems can perform adequately at their estimated capacity levels and whether these systems have adequate protection against threats.1780 Additionally, entities participating in the ARP Inspection Program provide to the Commission and its staff reports relating to system changes and reviews, as well as information regarding systems outages.

In addition, as discussed above, pursuant to Rule 301(b)(6) of Regulation ATS, certain aspects of the ARP Policy Statements apply to ATSs that meet the thresholds set forth in that rule.1781 Currently, the Commission believes that only one ATS meets such thresholds and, thus, is required by Commission rule to implement systems safeguard measures. There is also one ATS that voluntarily participates in the ARP Inspection Program. Rule 301(b)(6) of Regulation ATS includes requirements that are similar to the requirements underlying the policies and procedures required by Rule 1001(a)(2) of Regulation SCI. Specifically, Rule 301(b)(6) under Regulation ATS requires relevant ATSs to establish certain capacity estimates, conduct periodic capacity stress tests of critical systems, develop and implement reasonable procedures to review and keep current systems development and testing methodology, review the vulnerability of their systems and data center computer operations to specified threats, establish adequate contingency and disaster recovery plans, conduct an independent review of its systems controls annually for ensuring that Rules 301(b)(6)(ii)(A)–(E) are met and conduct a review by senior management of a report of the independent review, and promptly notify the Commission of certain systems outages and systems changes.

1776 See supra Section II.A (discussing the ARP Policy Statements and Commission staff letters).
1777 See id.
1778 See infra note 1900 and accompanying text.
1779 Commission staff inspects systems that are not directly related to trading, clearance and settlement, order routing, or market data if staff detects red flags. See Proposing Release, supra note 13, at 18158.
1780 See ARP I Release and ARP II Release, supra note 1.
1781 Specifically, Rule 301(b)(6) of Regulation ATS applies to ATSs that, during at least four of the preceding six months, had: (A) With respect to any NMS stock, 20 percent or more of the average daily volume reported by an effective transaction reporting plan; (B) with respect to equity securities that are not NMS stocks and for which transactions are reported to a self-regulatory organization, 20 percent or more of the average daily volume as calculated by the self-regulatory organization to which such transactions are reported; (C) with respect to municipal securities, 20 percent or more of the average daily volume traded in the United States; or (D) with respect to corporate debt securities, 20 percent or more of the average daily volume traded in the United States. See 17 CFR 242.301(b)(6)(i).
Rule 301(b)(6) of Regulation ATS, however, applies only to systems that support order entry, order routing, order execution, transaction reporting, and trade comparison,1782 which is more targeted than the adopted definition of ‘‘SCI system.’’

The Commission recognizes that market participants that do not participate in the ARP Inspection Program and are not subject to Regulation ATS also take measures consistent with certain aspects of Regulation SCI to avoid systems disruptions, compliance issues, and intrusions. For example, the Commission believes that many market participants document systems events as prudent and standard business practice, even when the entity is not an ARP participant or does not report the incident as an ARP participant. Additionally, commenters provided information about their practices for maintaining suitable levels of systems capacity, integrity, resiliency, availability, and security. As discussed in Section IV.B.1, the Commission understands that some SCI entities are already following technology standards such as ISO 27000 and COBIT.1783 One commenter also stated that NFPA–1600 or BS 25999 was useful for contingency planning.1784 Commenters also provided less specific information on current practices that allow the Commission to gauge current practices. For example, one commenter stated that SCI entities commonly review a variety of different standards for frameworks or best practices, and then adopt a derivative of multiple standards, customizing them for the systems at issue.1785 In addition, another commenter stated that the financial services industry currently uses processes for software development that are more ‘‘nimble’’ than the frameworks listed in Table A, such as the NIST publication under the Systems Development Methodology domain.1786

FINRA members, including ATSs, are also subject to FINRA rules that are generally related to certain aspects of Regulation SCI.1787 For example, NASD Rule 3010(b)(1) requires a member to establish, maintain, and enforce written procedures to supervise the types of business in which it engages and to supervise the activities of registered representatives, registered principals, and other associated persons that are reasonably designed to achieve compliance with applicable securities laws and regulations. However, this NASD rule does not specifically address compliance of the systems of FINRA members and does not cover more broadly policies and procedures relating to operational capability. Additionally, FINRA Rule 3130 requires a member’s chief compliance officer to certify that the member has in place written policies and procedures reasonably designed to achieve compliance with applicable FINRA rules, MSRB rules, and federal securities laws and regulations. Again, this FINRA rule does not specifically address compliance of the systems of FINRA members and does not cover more broadly policies and procedures relating to operational capability. Further, FINRA Rule 4530 imposes a reporting regime for, among other things, compliance issues and other events where a member has concluded or should have reasonably concluded that a violation of securities or other enumerated law, rule, or regulation of any domestic or foreign regulatory body or SRO has occurred. However, the reporting requirements of FINRA Rule 4530 are different in several respects from the Commission notification requirements under Regulation SCI relating to systems compliance issues (e.g., scope, timing, content, the recipient of the reports) and would not cover reporting of systems disruptions or systems intrusions that did not also involve a violation of a securities law, rule, or regulation. In addition, FINRA Rule 4370 generally requires that a member maintain a written continuity plan identifying procedures relating to an emergency or significant business disruption. However, as compared to adopted Rules 1001(a)(2)(v) and 1004, this FINRA rule does not include a requirement that the business continuity and disaster recovery plans be reasonably designed to achieve next business day resumption of trading and two-hour resumption of critical SCI systems following a widescale disruption, nor does it require the functional and performance testing and coordination of industry or sector-testing of such plans.

1782 See 17 CFR 242.301(b)(6)(ii).
1783 See text accompanying supra note 606.
1784 See ISE Letter at 11.
1785 See NYSE Letter at 20.
1786 See BATS Letter at 6–7 (commenting that the NIST publication reflects a burdensome staged process to software development that favors the ‘‘waterfall methodology’’ over ‘‘agile’’ software development).
1787 See supra note 115. As noted above, although these rules have some broad relation to certain aspects of Regulation SCI, the Commission is not persuaded that the rules, even when taken together, are an appropriate substitute for the comprehensive approach in Regulation SCI with respect to technology systems and system issues. See id.

Commenters addressed the Commission’s consideration of current practices under the ARP Inspection Program as part of the baseline.
According to a commenter, the ARP Inspection Program was implemented many years ago in a series of policy statements setting out guidance for voluntary compliance, and was supplemented with informal Commission staff guidance over the years, in many cases before the relevant systems existed.1788 This commenter also noted that Regulation SCI is a mandatory regulation with a more expansive nature, differentiating the proposed regulation from the voluntary, targeted scope of the ARP Inspection Program.1789 Some commenters believed that the Commission performed the economic analysis from a faulty premise by assuming that SCI entities that participate in the ARP Inspection Program have been in compliance with the voluntary standards and that the cost of compliance with Regulation SCI would merely be incremental as compared with the current baseline cost of voluntary compliance with the ARP regime.1790 One commenter noted that there is no publicly available information on voluntary compliance under the ARP Inspection Program, and the Commission should calculate the actual cost based on its knowledge of the extent to which SCI entities currently participating in the ARP Inspection Program are actually in compliance with ARP, rather than simply assuming full compliance.1791

1788 See NYSE Letter at 2, 6–7. This commenter noted that the ARP Inspection Program was never subject to Commission rulemaking, including notice and public comment, and a cost-benefit analysis. See id. at 6. This commenter further stated that if the Commission were to move forward with Regulation SCI, it should first engage in a detailed public analysis of the costs and benefits of the existing ARP Inspection Program. See id. at 2.
1789 See id. at 6.
1790 See ISE Letter at 11; and Joint SROs Letter at 18.
1791 See ISE Letter at 11.

In response to these comments, the Commission believes that current practices under the ARP Inspection Program continue to be relevant in an economic assessment of Regulation SCI and the current baseline. In particular, as described in more detail throughout the economic analysis, based on comments and staff experience, the Commission believes that ARP entities have developed practices that to some extent overlap with the requirements of Regulation SCI. Accordingly, the Commission believes that, for some entities, the economic effects associated with compliance with Regulation SCI will be less significant as these entities will need to make incremental adjustments to their current practices to comply with many of the requirements.

The Commission recognizes that there is no publicly available information on voluntary compliance under the ARP Inspection Program. At the same time, the Commission and its staff have overseen the ARP Inspection Program for over two decades and notes that participants in the ARP Inspection Program generally follow the ARP Policy Statements. The Commission also notes that, in the ARP II Release, it stated that Commission staff and the SROs have discussed the independent review process, ‘‘taking into account that the SROs already engage in testing and quality assurance reviews of new or modified systems, and that there are other significant controls in place to prevent, detect or correct problems in such areas as capacity planning, testing, systems development, vulnerability and contingency planning.’’ 1792 The Commission is not assuming in the economic analysis that each SCI entity is fully in compliance with the ARP Inspection Program. Rather, the Commission’s and its staff’s experience informs the Commission’s view regarding the range of existing practices of SCI entities. The Commission recognizes that some participants in the ARP Inspection Program may also have adopted practices that are not precisely in line with the standards articulated in the ARP Policy Statements and other Commission policy statements.
As discussed throughout this economic analysis, the Commission has considered what the economic effects, including the costs and benefits of complying with Regulation SCI, will be for those entities that may not have practices consistent with the standards articulated in the ARP Policy Statements. For example, some SRO backup facilities may be less geographically dispersed from the primary facilities than articulated in the 2003 BCP Policy Statement.1793 Further, some SROs may report systems issues or changes to the Commission in a manner different from what is articulated in the ARP Policy Statements and Commission staff letters. Instead of assuming full compliance with the ARP Inspection Program, throughout the economic analysis the Commission notes that some SCI entities that participate in the ARP Inspection Program have current practices that already satisfy some of the requirements of Regulation SCI and considers the details of those current practices when assessing the economic effects of the rules.

1792 See ARP II, supra note 1, at 22491.
1793 See 2003 BCP Policy Statement, supra note 504, at 56658.

Finally, in using the ARP Inspection Program as a component of the baseline, the Commission also recognizes that Regulation SCI is more expansive than the ARP Inspection Program and has taken this fact into consideration throughout the economic analysis. For example, among other things, Regulation SCI includes more expansive requirements compared to the ARP Inspection Program for the establishment of policies and procedures regarding systems capacity, integrity, resiliency, availability, security, and compliance; and annual business continuity and disaster recovery plans testing.
In addition, the Commission is aware that more entities will be subject to Regulation SCI than are currently participating in the ARP Inspection Program, including a higher number of ATSs. The Commission has considered these differences in the economic analysis.

The sections below describe in more detail the Commission’s understanding of current practices related to areas covered by Regulation SCI, as informed by its experience with the ARP Inspection Program, the OCIE examination program, as well as by commenters. In particular, the sections below provide an overview of the frequency and the types of systems issues addressed by Regulation SCI (i.e., systems disruptions, systems intrusions, and systems compliance issues) and current practices related to these events, as well as current practices related to business continuity and disaster recovery, and material systems changes notifications. Additionally, the sections below include a summary of the current competitive landscape in various markets for services related to Regulation SCI and why the markets for these services do not provide an adequate competitive incentive to prevent the occurrence of these market events and reduce the duration and severity when they occur.1794 Details regarding the baseline for certain specific current practices relevant to specific provisions of Regulation SCI are discussed throughout the consideration of costs and benefits and the effect on efficiency, competition, and capital formation below.

1794 Throughout this Economic Analysis, the general concept of a reduction of SCI events may refer to fewer events, shorter duration of events, and/or less severe events.

1. SCI Events

a. Systems Disruptions and Intrusions

Currently, market participants use an array of preventive and corrective measures to avoid systems disruptions and to restore systems when disruptions occur, including escalation procedures to notify management of disruptions. The range of preventive and corrective measures varies among market participants and SCI entities, and also differs among the systems employed by SCI entities. For instance, clearing systems and order matching engines generally are given higher priority by SCI entities than other SCI entity systems. Also, as noted by a commenter, exchanges, member firms, and ATSs conduct regular and ad hoc testing of mission critical systems for the introduction of new software releases, new features and functions, and systems upgrades, among other things.1795 This commenter also noted that the internal IT staff of exchanges, ATSs, trading platform providers, and clearing houses conduct regular systems testing, regression testing, stress testing, and failover testing to ensure the availability, capacity, resilience, and readiness of newly introduced systems, applications, products, and system functions.1796 However, industry practices are not codified as requirements for SCI entities and systems, except as may be the case in an entity’s rulebook or subscriber agreement.

Market participants also employ a wide variety of measures to prevent and respond to systems intrusions, including escalation procedures to notify management of intrusions. Generally, market participants use measures such as firewalls to prevent systems intrusions, and use detection software to identify systems intrusions. Once an intrusion has been identified, the affected systems typically would be isolated and quarantined, and forensics would be performed.
While there have been instances in which SCI entities revealed systems issues (including disruptions and intrusions) to their members or participants and to the public in the past,1797 there currently is no requirement applicable to SCI entities that includes the level of specificity in Regulation SCI for dissemination of information regarding systems disruptions and systems intrusions, as those terms are defined in Regulation SCI, to affected members or participants or to all members or participants of an SCI entity.

In 2013, entities that participated in the ARP Inspection Program, including at least one of each type of such participants (i.e., national securities exchange, national securities association, registered clearing agency, plan processor, ATS, and exempt clearing agency), reported a total of approximately 357 systems disruptions to the Commission.1798 These incidents had durations ranging from under one hour to well over several hours, with most incidents having a duration of less than three hours.1799 The Commission has also tracked the percentage of market outages at SROs and electronic communications networks, which were self-reported to the Commission or identified by Commission staff, that were corrected within targeted timeframes. Specifically, in fiscal year 2013, 80% of outages were resolved within 2 hours, 86% were resolved within 4 hours, and 98% were resolved within 24 hours.1800

1795 See Tellefsen Letter at 11.
1796 See id.
1797 One instance of a publicly reported systems intrusion at an SCI entity occurred in February 2011, when NASDAQ OMX Group, Inc. revealed that hackers had penetrated certain of its computer networks, though Nasdaq reported that at no point did this intrusion compromise Nasdaq’s trading systems. See Proposing Release, supra note 13, at 18089. One commenter also stated that when systems issues arise that impact subscriber access, functionality, or security, each potential SCI entity informs its subscribers of the problem and the expected solution, and generally follows with a post mortem. According to this commenter, some entities provide this notice pursuant to a contract or general agreement with subscribers, while others do so in order to maintain and grow their subscriber base. See OTC Markets Letter at 19. See also supra Section II.B (describing recent events involving systems-related issues, which have been made public).
1798 One commenter believes that ATSs have not contributed to the recent major systems issues that have impacted the market. See ITG letter at 4. However, as the Commission has noted, FINRA halted trading for over 3 1/2 hours in all OTC equity securities due to a lack of availability of quotation information resulting from a connectivity issue experienced by OTC Markets Group Inc.’s OTC Link ATS. See supra note 33 and accompanying text.
1799 The Commission acknowledges that the number of systems incidents reported to the Commission by entities that participated in the ARP Inspection Program represents the lower end of expected SCI events under Regulation SCI because the definition of ‘‘SCI event’’ is broader than the types of events covered by the current ARP Inspection Program. See supra Section V.D.2.a.
1800 See U.S. Securities and Exchange Commission FY 2015 Annual Performance Plan, at 26 (March 7, 2014), available at: https://www.sec.gov/about/reports/secfy15congbudgjust.pdf.

b. Systems Compliance Issues

Currently, systems compliance issues are not covered by the ARP Inspection Program. However, the Commission notes that all SROs are required to comply with the Exchange Act, the rules and regulations thereunder, and their own rules and governing documents, as applicable,1801 and securities information processors and ATSs are subject to similar requirements.1802 Further, SROs currently take steps to ensure that their systems’ operations are consistent with the federal securities laws and rules and their own rules, and some SROs notify Commission staff of certain systems compliance issues.1803 In particular, the Commission understands that SCI SROs generally have procedures to escalate a compliance issue upon discovery, to include legal and compliance personnel in the review of systems changes, and to periodically review rulebooks. However, although some SCI entities currently notify the Commission of certain systems compliance issues, the Commission does not receive comprehensive data regarding such issues.

Similar to systems disruptions and systems intrusions, while there have been instances in which SCI entities revealed systems compliance-related issues to their members or participants and to the public in the past,1804 there currently is no requirement applicable to SCI entities that includes the level of specificity in Regulation SCI for dissemination of information regarding systems compliance issues, as that term is defined in Regulation SCI, to affected members or participants, or to all members or participants of an SCI entity.

In the SCI Proposal, based on Commission staff’s experience with SROs and the rule filing process, the Commission estimated that there are likely approximately seven systems compliance issues per SCI entity per year. No commenter provided additional information regarding the frequency of systems compliance issues. However, Commission staff received notifications indicating that certain SROs experienced an average of 17 systems compliance-related issues in 2013.
The Commission believes that its staff received notification of a larger number of systems compliance issues in 2013 for a variety of reasons, including the proposal of Regulation SCI, recent Commission enforcement actions relating to systems compliance issues, as well as related press reports, all of which the Commission believes increased attention on systems compliance issues.1805

1801 See, e.g., 15 U.S.C. 78s(g) (requiring each SRO to comply with the Exchange Act, the rules and regulations thereunder, and its own rules).
1802 See, e.g., 15 U.S.C. 78k–1(b)(6); 15 U.S.C. 78k–1(c)(1); and FINRA Rule 3130. Moreover, ATSs are registered broker-dealers and may be subject to Commission sanctions if they fail to comply with relevant federal securities laws and rules and regulations thereunder.
1803 See Proposing Release, supra note 13, at 18087, n. 36. As part of the Commission’s oversight of SROs, OCIE reviews systems compliance issues reported to Commission staff.
1804 See supra Section II.B (describing recent events involving systems-related issues, which have been made public).

2. Business Continuity and Disaster Recovery

The Commission recognizes that SCI entities already have business continuity and disaster recovery plans.
For example, nearly all national securities exchanges already have backup facilities that do not rely on the same infrastructure components as those used by their primary facility.1806 Additionally, most participants in the ARP Inspection Program have strived to adhere to the recovery timeframes in the Interagency White Paper and the 2003 BCP Policy Statement.1807 Some SCI entities also already require some of their members or participants to connect to their backup systems.1808 Further, some SCI entities already provide their members or participants with the opportunity to test the SCI entity’s business continuity and disaster recovery plans, including its backup systems.1809 However, because participation in BC/DR testing, including backup systems, is not always required by SCI entities, the Commission understands that not all market participants participate in testing.1810 In addition, based on the discussions between Commission staff and market participants in the months following Superstorm Sandy, the Commission understands that many market participants had previously engaged in connectivity testing with backup facilities, and yet remained uncomfortable about switching to the use of backup facilities in advance of the storm.

1805 See id.
1806 See, e.g., CBOE Regulatory Circular RG14–001 (Back-Up Data Center Test on January 25, 2014).
1807 See supra note 504 and accompanying text.
1808 See, e.g., CBOE Regulatory Circular RG13–110 (Connectivity to the CBOE Back-Up Data Center). See also Proposing Release, supra note 13, at n. 641.
1809 For example, SIFMA organizes industry-wide business continuity tests. See Industry Testing, https://www.sifma.org/services/bcp/industry-testing/.
1810 See, e.g., Angel Letter at 9–10.

Commenters also provided information regarding current practices surrounding business continuity and disaster recovery. One commenter noted that the major equity and options exchanges and numerous ATSs already regularly augment IT testing with other business continuity management exercises (e.g., they conduct annual business continuity and disaster recovery plan updates, building evacuation drills, and business disruption scenario planning workshops).1811 This commenter also noted that all of the U.S. exchanges and clearinghouses have participated in the planning and execution of the annual disaster recovery test initiative conducted and coordinated by the FIA and SIFMA.1812 This commenter noted that, in 2012, for example, the annual FIA industry test involved 18 exchanges and clearinghouses, 68 futures commission merchants, and 46 trading participant firms.1813 This commenter also noted that the exchanges reported that the firms engaged in testing represented approximately 80% of their clearing members and that these firms reflected approximately 85% of the exchanges’ 2012 volumes.1814

1811 See Tellefsen Letter at 7.
1812 See id.
1813 See id. at 8.
1814 See id. See also CME Letter at 12.

3. Material Systems Changes Notifications

Many entities that participate in the ARP Inspection Program already voluntarily provide material systems change notifications to the Commission on an annual and ad hoc basis. In particular, the ARP II Release stated that SROs should notify Commission staff of significant additions, deletions, or other changes to their automated systems.1815 Moreover, in the 2001 Staff ARP Interpretive Letter, Commission staff provided guidance to ARP entities on how they should report planned systems changes to the Commission.1816 In addition, Rule 301(b)(6) under Regulation ATS requires that ATSs that meet the thresholds in that rule notify Commission staff of significant systems changes,1817 and Rule 301(b)(2) under Regulation ATS requires each ATS that is subject to Rule 301, regardless of activity level, to file an amendment on Form ATS at least 20 days prior to implementing a material change to the operation of the ATS.1818

1815 See ARP II Release, supra note 1, at 22491.
1816 See supra note 21 and accompanying text. The 2001 Staff ARP Interpretive Letter provided guidance on what Commission staff considers significant systems changes to include.
1817 17 CFR 242.301(b)(6)(ii)(G).
1818 17 CFR 242.301(b)(2)(ii) (requiring an amendment to Form ATS not solely for material systems changes, but also for any material change to the operation of an ATS).

4. Potential for Market Solutions

The current competitive landscape in various markets for services related to Regulation SCI affects current incentives to prevent the occurrence of SCI events in these markets.1819 The Commission outlined and examined this competitive landscape and potential for market solutions to reduce SCI events and their shortcomings in the SCI Proposal.1820 In particular, the Commission evaluated current limitations to competition and potential market solutions in the markets for trading services, listing services, regulatory services, clearance and settlement services, and market data.

The discussion below responds to comments received regarding the Commission’s discussion of the potential for market solutions in the markets for trading services and market data. The Commission did not receive specific comments regarding its analysis of the markets for listing services, regulatory services, and clearance and settlement services. Therefore, the Commission believes that its analysis of these markets in the SCI Proposal continues to apply.
Specifically, the Commission believes that, while the market for listing services provides some discipline, it has limitations related to a disconnect between trading location and listing market (i.e., while a company can be listed on a certain exchange, trading does not necessarily occur on that exchange), to switching costs if an issuer wishes to change its listing exchange, and to market power deriving from the ‘‘prestige’’ of a listing exchange.1821 Further, the Commission believes that the market for regulatory and surveillance services is concentrated in a few competitors and that the market for clearance and settlement services is currently characterized by specialization and limited competition.1822

The Commission has considered the views of commenters and the Commission’s analysis of markets not addressed by commenters, and continues to believe that market forces alone are insufficient to significantly reduce SCI events in the markets that it evaluated and that a regulatory solution is needed. In particular, the Commission continues to believe that SCI entities do not fully internalize the costs associated with systems issues, SCI events pose significant negative externalities on the market—i.e., systems issues have ramifications on the securities markets beyond the impact on the entity responsible for the systems issues—and, as discussed above, significant technology issues continue to occur in the absence of regulation.

1819 This section evaluates competition as it currently exists. The Commission analyzes the economic effects of Regulation SCI, including potential effects on competition, in Section VI.C.
1820 See Proposing Release, supra note 13, at 18159–61.
1821 See id. at 18160.
1822 See id. at 18160–61.

Some commenters broadly addressed the potential for market solutions evaluated in the SCI Proposal.
According to one commenter, SCI entities (e.g., ATSs) are highly motivated to provide uninterrupted order matching services for economic reasons.1823 On the other hand, another commenter noted that, as indicated by the 2008 financial crisis and the technology incidents over the past few years, market participants do not have the right economic incentives to protect themselves.1824 Another commenter stated that, in the past, ‘‘disruptive or deviant behavior in the markets was disciplined not just by regulators but also by trading crowds,’’ but anonymity and fully automated price/time matching made it impossible for the trading crowd to attribute and sanction disruptive behavior.1825 This commenter also noted that market incentives can drive the industry in the opposite direction (i.e., short-term market incentives can drive the industry to minimize risk controls).1826 According to this commenter, the only practical source of discipline left is government regulation.1827 The Commission believes that all SCI entities have some incentives to maintain robust systems in order to maximize long-term revenue. However, as evidenced by the various systems issues that have occurred prior to and since publication of the SCI Proposal, economic motivations alone have not been sufficient to significantly reduce systems issues.1828 In addition, although SCI entities may suffer an economic and reputational burden if a systems issue becomes apparent to the trading community or the public, the Commission believes that SCI entities are not sufficiently incentivized to improve the robustness of these systems to prevent systems issues, as described in more detail below.1829 Further, SCI entities may fail to internalize the risk of catastrophic failure associated with systems issues. As noted above, systems issues have ramifications on the securities markets beyond the impact on the entity responsible for or experiencing the systems issues (an ‘‘economic externality’’). 
That is, a systems issue not only affects the entity responsible for the issue, but also directly affects other entities that use that entity. Often, when an SCI entity experiences a systems issue, all market participants that use that entity incur costs. For example, if market data systems fail, it affects anyone requiring such market data to make informed decisions. Also, when a matching engine fails, securities cannot be traded via that functionality. As discussed in greater detail below, the failure of a trading system not only forces the venue to forgo revenue, but also can diminish trading in financial instruments during the disruption. Additionally, the failure of a trading system can impose costs on market participants that have optimized their strategy so that trading costs are minimized. If the strategy of these market participants assumes that all trading venues are fully operational, then the failure of a trading system could impose additional transaction costs. The Commission believes that, in part because the costs of such externalities are not fully borne by SCI entities in the form of lost business, market forces alone are insufficient to significantly reduce SCI events.

1823 See ITG Letter at 4 (stating also that sponsors of ATSs have a ‘‘compelling business incentive to avoid systems issues’’). See also Angel Letter at 5–6 (commenting that firms have sufficient motivation to take every precaution against catastrophic failures, although the interaction between firms may result in a catastrophic event).
1824 See Lauer Letter at 3–4.
1825 See Leuchtkafer Letter at 1–2.
1826 See id. at 6. This commenter stated that it is far cheaper for firms to implement new trading strategies ‘‘in a matter of minutes’’ than it is for them to rigorously test a new strategy before deployment, and that it is more profitable for firms to skimp on risk controls because controls take time. See id.
Further, this commenter noted that the exchanges know, or should know, who ‘‘misbehaves,’’ but they are tangled in mixed incentives of their own, dependent on firms for the next quarter’s profits and, at the same time, expected to moderate the firms’ behavior. See id.
1827 See id. at 6–7.
1828 See supra Section II.B (discussing recent events involving systems-related issues).
1829 As noted above, the Commission acknowledges that the nature of technology and the level of sophistication and automation of current market systems prevent any measure, regulatory or otherwise, from completely eliminating all systems disruptions, intrusions, or other systems issues. See supra Section III.
1830 See Proposing Release, supra note 13, at 18159.

Market for Trading Services

In the proposing release, the Commission identified many competitors in the market for trading services, including equities exchanges, options exchanges, ATSs, OTC market makers, and broker-dealers.1830 Competitors for listed-equity (NMS) trading services include 11 national securities exchanges, none having an overall market share of 20 percent,1831 44 ATSs, which account for 18% of dollar volume, and several hundred OTC market makers and broker-dealers, which account for 15.8% of dollar volume.1832 In the SCI Proposal, the Commission recognized that all providers of trading services compete and have incentives to avoid systems disruptions, systems compliance issues, and systems intrusions because, for example, brokers and other entities will be inclined to route orders away from trading venues that have frequent systems problems.
However, the Commission noted several limitations on competition, including market participants misjudging the quality of trading services because of incomplete information regarding SCI events and the limited number of competitors (in some cases only one competitor) that may offer trading services in a particular product.1833

With respect to the market for trading services, one commenter stated that the current competitive market for trading services provides sufficient redundancies that make a disruption at any particular service provider minor.1834 Another commenter noted that exchanges compete vigorously with one another and against broker-dealer execution platforms and cannot afford to develop a reputation for technology problems.1835 This commenter also noted that the incidence of self-help declarations 1836 has been reduced, which reflects technology enhancements by exchanges that are a direct result of the competitive environment in which exchanges operate.1837 Similarly, another commenter stated that, apart from any regulatory standards, no organization has a greater stake in assuring the effective operation of its systems than the owners and operators of the entities that participate in the market structure.1838 Moreover, one commenter stated that ATSs already have incentives to avoid any systems disruptions for competitive reasons and also perform numerous tests and employ best practices.1839

1831 See supra note 106 and accompanying text.
1832 Calculated by Commission staff using market volume statistics reported by BATS and data from Form ATS–R for the second quarter of 2014. See supra notes 106 and 150. In 2012, 255 OTC market makers and broker-dealers accounted for 17% of volume. See DERA staff white papers, ‘‘Alternative Trading Systems: Description of ATS Trading in National Market System Stocks’’ by Laura Tuttle (https://www.sec.gov/marketstructure/research/alternative-trading-systems-march-2014.pdf) and ‘‘OTC Trading: Description of Non-ATS OTC Trading in National Market System Stocks’’ by Laura Tuttle (https://www.sec.gov/marketstructure/research/otc_trading_march_2014.pdf).
1833 For example, a number of listed options and NMS stocks trade on only one venue.
1834 See KCG Letter at 6–8.
1835 See BATS Letter at 2.
1836 Rule 611(b) under Regulation NMS provides a number of exceptions from the general requirement to prevent trade-throughs of protected quotations. In particular, Rule 611(b)(1) provides the ‘‘self-help’’ exception, which applies when the ‘‘transaction that constituted the trade-through was effected when the trading center displaying the protected quotation that was traded through was experiencing a failure, material delay, or malfunction of its systems or equipment.’’ See 17 CFR 242.611(b)(1).

Again, the Commission acknowledges that all providers of trading services compete and have some incentives to avoid systems issues. However, the Commission continues to believe that there are limits to the extent to which competition mitigates systems problems associated with trading services because providers of trading services compete on a variety of measures—for example, providing the best prices, deep quotes, and fast executions—not just the quality of their systems. As a result, an issue with trading systems might not significantly harm the SCI entity that experienced the issue. Additionally, competition in the market for trading services may also not sufficiently mitigate the occurrence and effects of SCI events because market participants may lack information about SCI events.
The Commission believes that it is important for affected SCI entity members or participants and, in some cases, all members or participants of an SCI entity, to know about SCI events at a particular service provider.1840 Moreover, even in markets where significant competition exists—such as the market for trading NMS securities, which has many competitors including exchanges and ATSs—entities that experience significant outages may temporarily lose market share, but may quickly regain the lost market share.1841 The Commission believes that this further suggests that competition alone will not significantly reduce systems issues.

1837 See BATS Letter at 2–3.
1838 See BIDS Letter at 2.
1839 See ITG Letter at 4.
1840 See supra Section VI.B.1 (discussing current practices of SCI entities regarding dissemination of information on systems-related issues).
1841 For example, on November 12, 2012, the NYSE experienced a failure in a matching engine that forced it to stop trading 216 stocks. See NYSE Market Status Alert, https://markets.nyx.com/nyse/market-status/view/11558. The NYSE lost market share on the day of the outage but regained its market share the next day. See generally https://www.batstrading.com/market_summary/ (compiling data on market share).

In addition, some entities that face little competition in one security may impose significant externalities on the market with little competitive recourse. For example, even though there may be multiple trading venues for the majority of securities, trading service providers may have limited means to transact in particular securities (e.g., certain index options exclusively traded on one options exchange) and thus, if systems issues persist at certain venues, brokers, investors, and other entities will not be able to trade the security until the venue that lists the security recovers.
In this particular case, not only does the venue lose revenue from forgone volume, but market participants also incur costs because they are not able to trade the security. As a result, the Commission believes that competition alone in the market for trading services is not sufficient to reduce SCI events at entities providing these services.

As mentioned by one commenter,1842 competitive forces among trading venues may also lead to ‘‘underinvestment and cutting corners.’’ For example, the incentive to migrate software from testing to the production environment to improve trading services (and thereby the entity’s profitability) may promote an environment where software that has not been adequately tested is launched into production, thus increasing the potential for systems issues to develop.

Market for Market Data

One commenter stated that Regulation SCI, as applied to market data, is unnecessary and will have ‘‘zero benefits’’ because the revenue from the sale of market data is an important revenue source for an SRO.1843 Therefore, according to this commenter, SROs already have the right incentives to successfully collect, process, and disseminate market data.1844

As noted above, the Commission has, on numerous occasions, emphasized the importance of market data, including the consolidated data feed.1845 The Commission believes that consolidated market data is an important part of the investment and trading process as it helps market participants to make well-informed investment and trading decisions, and also helps investors to monitor the quality of execution of orders by their brokers. In addition, exchanges rely on accurate consolidated market data for many of their real-time functions. Even though demand is great, a total of only two SIPs collect, process, and distribute consolidated market data in NMS securities, and only a single SIP collects, processes, and distributes consolidated market data for any given security. Further, other providers of market data in markets other than NMS securities (e.g., municipal securities) may also be the sole providers of their data. Therefore, the Commission believes that the market data consolidators are not subject to significant competitive market forces. Further, because the demand for market data from the SIPs is inelastic,1846 there is little incentive to improve reliability as few alternatives exist. Thus, the Commission believes that competition alone is not sufficient to reduce SCI events for market data consolidators. Because an SCI event in connection with market data can significantly disrupt markets, the Commission believes that regulation is needed and, as discussed below, will provide significant benefits.1847

1842 See Lauer Letter at 4 (stating that ‘‘[e]very firm in every industry is constantly balancing the cost of safety with scarcity of resources . . . [and t]he Commission’s job in this regard is to compel these firms to act in their own long-term interests, and the interests of the public at-large, rather than any short-term interests that may be better served by underinvestment and cutting corners’’).
1843 See Angel Letter at 18–19.
1844 See id.
1845 See supra note 249 and accompanying text.

expected to evolve and adapt to changes in technology and market developments. For example, in some cases, quantification depends heavily on factors outside of the control of the Commission, particularly because Regulation SCI provides flexibility to an SCI entity to tailor its policies and procedures to the nature of its business, technology, and the relative criticality of each of its SCI systems.
Additionally, in some cases, the Commission is unable to quantify the benefits and costs associated with Regulation SCI because the Commission lacks the information necessary to provide a reasonable estimate. For example, the Commission does not have sufficient information upon which to base an estimate of all costs associated with the various specific systems changes that may be required as the result of Regulation SCI. Accordingly, much of the discussion of economic effects is qualitative in nature but, again, where possible, the Commission has provided quantified information. C. Consideration of Costs and Benefits and the Effect on Efficiency, Competition, and Capital Formation The Commission believes that the adoption of, and compliance by SCI entities with Regulation SCI, will further the goals of the national market system as a result of each SCI entity establishing, maintaining, and enforcing written policies and procedures reasonably designed to ensure that its SCI systems and, for purposes of security standards, indirect SCI systems, have levels of capacity, integrity, resiliency, availability, and security, adequate to maintain the SCI entity’s operational capability and promote the maintenance of fair and orderly markets. In this respect, Regulation SCI will promote the capacity, integrity, resiliency, availability, and security of the automated systems of entities important to the functioning of the U.S. securities markets, as well as reinforce the requirement that such systems operate in compliance with the Exchange Act and rules and regulations thereunder, thus strengthening the infrastructure of the U.S. securities markets and improving their resilience when technological issues arise. Regulation SCI also establishes an updated and formalized regulatory framework, thereby helping to ensure more effective Commission oversight of such systems. 
Although the Commission acknowledges that Regulation SCI likely will not eliminate all systems issues, the Commission believes that Regulation SCI will change and strengthen the practices of SCI entities, and should mstockstill on DSK4VPTVN1PROD with RULES2 1. Broad Economic Considerations The Commission has considered the economic effects of Regulation SCI as a whole as well as the specific effect of each rule. This section provides an overview of the broad economic considerations relevant to Regulation SCI and the economic effects, including the costs, benefits, and effects on efficiency, competition, and capital formation that are attributable to Regulation SCI as a whole. Additional economic effects, including benefits and costs, related to specific requirements in Regulation SCI and reasonable alternatives are discussed in Section VI.C.2 below. The Commission has attempted, where possible, to quantify the benefits and costs anticipated to flow from Regulation SCI. The Commission notes, however, that many of the costs and benefits of Regulation SCI are difficult to quantify with any degree of certainty, especially as the current practices of market participants vary and are 1846 Demand is inelastic when demand does not diminish as price increases. 1847 For example, as discussed above, on August 22, 2013, Nasdaq halted trading in all Nasdaq-listed securities for more than three hours after the Nasdaq SIP, the single source of consolidated market data for Nasdaq-listed securities, became unable to process quotes from exchanges for dissemination to the public. See supra note 32 and accompanying text. VerDate Sep<11>2014 20:27 Dec 04, 2014 Jkt 235001 a. 
Benefits PO 00000 Frm 00154 Fmt 4701 Sfmt 4700 result in a number of benefits, including those summarized below.1848 The Commission believes that adopting Regulation SCI will result in fewer market disruptions due to systems issues, which could lead to fewer interruptions in the price discovery process 1849 and liquidity flows and, thus, may result in fewer periods with pricing inefficiencies. Specifically, the Commission believes that Regulation SCI would improve systems up-time for SCI entities and also would promote more robust systems that directly support execution facilities, order matching, and the dissemination of market data. Systems issues that directly inhibit execution facilities, order matching, and dissemination of market data could cause slow executions and result in delaying the incorporation of information into prices, and thus could harm price efficiency and price discovery. System issues could also result in unfilled orders, depriving traders of an execution. The Commission believes that Regulation SCI would reduce the frequency, severity, and duration of such effects resulting from systems issues. Moreover, decreasing the number of trading interruptions could improve price discovery and liquidity because interruptions in trading interfere with the process in which relevant information gets incorporated into security prices and, thus, temporarily disrupt liquidity flows and lower the quality of the price discovery process. Further, because interruptions in liquidity flows and the price discovery process in one security can affect securities trading in other markets, reducing trading interruptions could have broad effects. For example, an interruption in the market for securities that underlie derivative securities (e.g., index options and futures) would harm the price discovery process for those products and potentially restrict liquidity flows between the stock market and the derivative markets. 
The Commission also believes that Regulation SCI has the potential to reduce widespread SCI events. Given the speed and interconnected nature of the U.S. securities markets, a seemingly minor systems problem at a single entity can quickly create losses and liability for market participants, and spread rapidly across the national market system, potentially creating widespread damage and harm to market participants, including investors. By reducing systems issues, Regulation SCI also has the potential to decrease the risk of these catastrophic events.

1848 As noted above, in the SCI Proposal, the Commission encouraged commenters to identify, discuss, analyze, and supply relevant data, information, or statistics regarding benefits. The Commission notes that it is unable to quantify the benefits associated with Regulation SCI as a whole because quantitative data regarding each of the benefits is not readily available to the Commission, and commenters did not provide sufficient quantitative data to allow the Commission to do so.
1849 The price discovery process involves trading—buyers and sellers arriving at a transaction price for a specific asset at a given time. Thus, generally, any trading interruptions would interfere with the price discovery process.

In addition, other benefits may derive from the additional information provided to the Commission and to members or participants of an SCI entity resulting from Regulation SCI. In particular, the information provided to the Commission should enhance the Commission’s review and oversight of U.S. securities market infrastructure and foster cooperation between the Commission and SCI entities in responding to SCI events.
Also, as noted in Section IV.B.3.c, the Commission believes that the aggregated data that will result from the reporting of SCI events will enhance its ability to comprehensively analyze the nature and types of various SCI events and identify more effectively areas of persistent or recurring problems across the systems of all SCI entities. Moreover, as discussed in Section IV.A.3, the Commission notification requirements for SCI events will help to focus the Commission’s and SCI entities’ resources on the more significant SCI events, as the Commission has determined to distinguish the timing of its receipt of information regarding SCI events based on their impact, with SCI events estimated to have a greater impact being subject to ‘‘immediate’’ Commission notification, and SCI events having no or a de minimis impact being subject to recordkeeping obligations, and for de minimis systems disruptions and de minimis systems intrusions, a quarterly summary notification. Moreover, the increased dissemination of information about SCI events to SCI entity members or participants could reduce search costs for market participants when they are gathering information to make a decision with respect to the use of an entity’s services. As discussed more thoroughly below, by lowering search costs, the information dissemination requirement could provide SCI entities additional competitive incentives to ensure and maintain robust policies and procedures to promote systems capacity, integrity, resiliency, availability, security and compliance. Some commenters addressed how the availability of Commission resources may affect the benefits and costs of Regulation SCI. 
One commenter argued that Regulation SCI would result in misallocation of Commission resources.1850 This commenter stated that it is likely that Regulation SCI would not reduce in a material manner the occurrence of systems issues at SCI entities, and Commission staff resources would be better devoted to working with the industry to develop best practices (not legal requirements) for all regulated entities in the areas of systems capacity, security, and integrity.1851 Similarly, one commenter noted that unless the Commission and Congress devote sufficient resources to hiring enough skilled technical staff, Regulation SCI will devolve into a paperwork exercise with little added benefit to the markets.1852 Another commenter stated that there is insufficient evidence regarding the resources and capacity of Commission staff to assess and analyze the data required to be provided under Regulation SCI.1853 This commenter urged the Commission to consider its resources as the Commission accommodates new initiatives.1854

As described throughout this release, the Commission believes that Regulation SCI will have significant benefits and that a regulatory solution is necessary because market forces alone are insufficient to significantly reduce SCI events in the relevant markets. The Commission has significant experience with the ARP Inspection Program, and thus has developed expertise in this area that it will apply to implementing and monitoring compliance with Regulation SCI. In light of this experience, the Commission believes that it can devote sufficient resources to carry out its obligations associated with Regulation SCI so that the benefits of Regulation SCI can be realized.

1850 See ITG Letter at 6–7. This commenter noted that Commission staff resources used to oversee Regulation SCI compliance would dwarf those used for the ARP Inspection Program and that Commission staff would have to analyze and act upon notifications from SCI entities, including systems change notifications. See id. This commenter also noted that substantial examination resources from the Commission and FINRA would be assigned to Regulation SCI oversight. See id. Similarly, another commenter noted that proposed Regulation SCI would result in a dramatic increase in the number of Commission notifications and would require substantial resources for Commission staff to process them in a responsible fashion. See Omgeo Letter at 8, n. 14.
1851 See ITG Letter at 7.
1852 See Angel Letter at 2.
1853 See SunGard Letter at 2.
1854 See id. at 5.

b. Costs

Some of the costs associated with Regulation SCI are compliance costs. Compliance costs include, for example, documentation and mandatory reporting and dissemination of SCI events, and reports that include material systems changes. SCI entities will also incur costs in complying with the SCI review requirement, as well as in implementing the policies and procedures related to systems capacity, integrity, resiliency, availability, security, and compliance. Moreover, SCI entities will incur costs related to recordkeeping. Additional costs will also result from member/participant participation in the testing of SCI entity business continuity and disaster recovery plans. Also, market participants (including institutional and retail investors) in the securities markets may face increased transaction costs from SCI entities, to the extent that increased compliance costs are passed on to market participants.
Many, but not all, of the quantifiable costs of Regulation SCI involve a collection of information, and these costs and burdens are discussed in the Paperwork Reduction Act section of this release.1855 When the PRA burdens are monetized, the estimated paperwork related compliance burdens for SCI entities as a result of Regulation SCI total approximately $117 million initially and approximately $100 million annually.1856 The Commission notes that the monetized PRA burdens have increased from those contained in the SCI Proposal. Although many of the adopted rules are more targeted and impose fewer requirements on SCI entities than the proposed rules, the monetized PRA burdens have changed in part due to modifications made to the PRA estimates as a result of recommendations from commenters, revisions to the rule text, and the revised estimate of the number of SCI events, which resulted from incorporating the Commission’s review of the number of systems compliance-related issues and ARP incidents reported to Commission staff in 2013. In addition, the Commission has quantified non-paperwork related costs for SCI entities that total between approximately $14 million 1857 and $106 million 1858 in initial costs and between $9 million 1859 and $70 million 1860 in annual ongoing costs. In addition to the costs to SCI entities, the Commission also estimates the total connectivity costs to members or participants of SCI entities associated with the testing of business continuity and disaster recovery plans to be $18 million annually.1861 Thus, the Commission estimates total quantified costs for SCI entities and members or participants of SCI entities to be between approximately $149 million 1862 and $241 million 1863 in initial costs and between $127 million 1864 and $188 million 1865 in annual ongoing costs.

1855 See supra Section V. The Commission provides below quantified estimates of other costs imposed by Regulation SCI beyond the PRA burdens, to the extent the Commission can quantify such costs.
1856 The monetized PRA cost reflects the paperwork cost estimated for all of Regulation SCI, as discussed in Section V.
1857 See infra note 1943 (estimating cost for complying with the policies and procedures required by Rules 1001(a) and (b)).
1858 See infra note 1944 (estimating cost for complying with the policies and procedures required by Rules 1001(a) and (b)).
1859 See infra note 1945 (estimating cost for complying with the policies and procedures required by Rule 1001(a) and (b)).
1860 See infra note 1946 (estimating cost for complying with the policies and procedures required by Rule 1001(a) and (b)).
1861 See infra note 2065.
1862 $149 million = $117 million (PRA cost) + $14 million (other costs for SCI entities) + $18 million (connectivity costs for members or participants of SCI entities).
1863 $241 million = $117 million (PRA cost) + $106 million (other costs for SCI entities) + $18 million (connectivity costs for members or participants of SCI entities).
1864 $127 million = $100 million (PRA cost) + $9 million (other costs for SCI entities) + $18 million (connectivity costs for members or participants of SCI entities).
1865 $188 million = $100 million (PRA cost) + $70 million (other costs for SCI entities) + $18 million (connectivity costs for members or participants of SCI entities).

Several commenters provided broad comments regarding the costs of proposed Regulation SCI.1866 According to one commenter, Regulation SCI as proposed is ‘‘too universal in its application, too ambitious in its scope and too costly in its implementation to achieve the hoped for reduction in risk to the markets without simultaneously diminishing other important SEC accomplishments, such as increased competition, improved innovation, increased consumer choice, lower barriers to entry into the industry and reduced transaction costs to the customer.’’ 1867 Another commenter noted that proposed Regulation SCI would impose an unreasonably burdensome technology and controls standard on automated systems of SCI entities, which could lead to allocative inefficiencies in the marketplace and therefore have a stifling effect on innovation in the U.S. equity markets.1868 Another commenter stated that the ultimate result of proposed Regulation SCI will be to limit or suppress the execution choice of buyside investors, meaning investors will have less ability to effectively manage their trading strategies and diminished opportunities to seek better execution, lower transaction costs, and achieve price improvement and investment performance.1869

1866 One commenter provided ‘‘conservative and preliminary’’ estimates for the cost of compliance with Regulation SCI. See FINRA Letter at 42–43. This commenter estimated that its one-time cost to comply with Regulation SCI would be between approximately $1.1 million and $1.3 million, and its ongoing annual costs would be between approximately $4.5 million and $5.5 million, if Regulation SCI is adopted as proposed (e.g., if SCI systems is defined to apply to non-market regulatory and surveillance systems, and development and testing environments). See id. at 42. As discussed above, the definition of SCI systems does not include non-market regulation and non-market surveillance systems, or development and testing systems. Therefore, the Commission believes these estimates are too high. This commenter estimated that, under a narrower Regulation SCI (e.g., if non-market systems and development and testing environments are excluded from the definition of SCI systems), its one-time compliance costs would be between approximately $675,000 and $825,000 and its annual costs would be between approximately $2.2 million and $2.6 million. See id. This commenter also stated that, monetizing its hour estimates for annual SCI reviews, its compliance costs would increase by between approximately $600,000 and $900,000, and higher if more systems than currently in scope under ARP would be subject to annual SCI reviews. See id. at 42. The Commission notes that, other than the costs for SCI reviews, these estimates do not distinguish paperwork costs from non-paperwork costs. If the commenter’s estimates are intended to include all costs for compliance with Regulation SCI, these estimates are close to or within the Commission’s estimated total quantified cost ranges for SCI entities. See supra notes 1862–1865 and accompanying text.
1867 See BIDS Letter at 2–3.
1868 See ITG Letter at 2.
1869 See UBS Letter at 7–8.

As discussed throughout this release, the Commission believes that Regulation SCI will change and strengthen the practices of SCI entities, and should result in a number of benefits. Further, the Commission believes that these benefits should result without diminishing the Commission’s accomplishments in other areas, stifling innovation, or suppressing the execution choice of investors. In particular, although costs associated with Regulation SCI could adversely impact competition and increase barriers to entry, the Commission believes that the adverse effect on competition and heightened barriers for SCI entities that provide venues for trading, including ATSs and exchanges, would be mitigated and therefore the Commission does not expect that investor choice on trading venues would be significantly limited.1870 The Commission also believes that any such effects would be warranted in light of the expected benefits of Regulation SCI. Additionally, as discussed below, the dissemination of information regarding certain major SCI events to all members or participants of an SCI entity can promote competitive incentives to prevent systems issues. The Commission also believes that the reduction in systems issues resulting from Regulation SCI could result in fewer interruptions in the price discovery process and liquidity flows and thus result in fewer periods with pricing inefficiencies. Furthermore, Regulation SCI could improve system uptime for SCI entities, and therefore reduce latency as market participants will not be forced to reroute orders or change execution strategies associated with situations in which an SCI entity is not operational.

1870 See infra Section VI.C.1.c (addressing potential effects on efficiency, competition, and capital formation, including effects on other SCI entities).

Moreover, the Commission notes that it has revised the proposed rules after considering the comments received. The Commission believes that many of the revisions to the proposed rules would reduce burdens on SCI entities and significantly address commenters’ concerns regarding potential negative effects on allocative inefficiency and innovation.
For example, because the Commission is adopting a quarterly reporting requirement for material systems changes instead of the proposed 30-day advance notification requirement, adopted Regulation SCI would impose lower burdens on SCI entities compared to the proposal and allow SCI entities more flexibility when they implement material systems changes.1871

1871 See supra Section IV.B.4.b.i.

c. Effects on Efficiency, Competition, and Capital Formation

Along with the effects on efficiency, competition, and capital formation discussed below with regard to specific provisions of Regulation SCI, the Commission believes that Regulation SCI as a whole could affect efficiency, competition, and capital formation in several ways. By increasing the robustness of SCI systems and indirect SCI systems of SCI entities, Regulation SCI may improve efficiency—in particular, price efficiency—and the improvement in pricing efficiency could promote capital formation. In particular, as discussed in VI.C.1, disruptions to SCI systems and the resulting trading interruptions can degrade pricing efficiency, price discovery, and liquidity. Regulation SCI may reduce the frequency, severity, and duration of market disruptions (e.g., trading interruptions) that may otherwise prevent market participants from impounding information into security prices through market activity (e.g., order submission) and, thus, improve price efficiency in the markets. Such disruptions also impose liquidity costs and harm the price discovery process. The quality of the price discovery process has important implications for efficiency and capital formation, as prices that accurately convey information about fundamental value improve the efficiency with which capital is allocated across projects and firms.
The Commission also believes that Regulation SCI could affect competition in several ways. The Commission believes that the existing competition among the markets has not sufficiently mitigated the occurrence of SCI events.1872 Regulation SCI requires SCI entities to disseminate information regarding certain SCI events to affected members or participants or to all members or participants of an SCI entity. As discussed more thoroughly in Section VI.C.2.b.iv below, the Commission believes that requiring the dissemination of information regarding certain SCI events could further incentivize SCI entities to maintain more robust SCI systems and indirect SCI systems and would enhance competition among SCI entities with respect to the maintenance of robust SCI systems and indirect SCI systems.

1872 See supra Section VI.B.4.

Additionally, the Commission believes that Regulation SCI may have an impact on competition among SCI entities, in part because the compliance costs of Regulation SCI will be different among SCI entities. Specifically, some SCI entities already satisfy some of the requirements of Regulation SCI because those provisions codify certain aspects of the ARP Policy Statements. The Commission believes that these current ARP participants will incur direct compliance costs that are incremental relative to the current cost of participating in the ARP Inspection Program and current practices outside of the scope of ARP. But Regulation SCI also applies to some entities that currently do not participate in the ARP Inspection Program such as the MSRB and most SCI ATSs. These SCI entities may incur higher initial compliance costs, compared to current ARP participants, in modifying their current practices to comply with Regulation SCI.1873 To the extent that SCI entities with different initial compliance costs compete, Regulation SCI could alter the competitive relationship and give SCI entities that are currently in compliance with certain provisions of Regulation SCI a competitive advantage.1874

1873 The Commission notes that the SCI entities incurring the lower initial compliance costs previously incurred such costs to participate in the ARP Inspection Program.

In addition to competition among SCI entities, the compliance costs imposed by Regulation SCI could have an effect on competition between SCI entities and non-SCI entities in the markets for trading services. Specifically, in part because non-SCI entities do not have to incur the compliance costs associated with Regulation SCI, these entities may have a competitive advantage in the markets for trading services over SCI entities that they compete with. The adverse competitive effects, however, are likely to be minor when considering only ATSs because an SCI ATS is likely to be larger and have more of an established customer base than other ATSs. The Commission recognizes that broker-dealers also compete with SCI entities in the market for trading services and that some broker-dealers are larger than some ATSs and exchanges. However, broker-dealers cannot offer the same services as ATSs or exchanges without becoming ATSs or exchanges.

The costs imposed by Regulation SCI could also affect barriers to entry for new ATSs and exchanges and, thus, could adversely affect competition.1875 Specifically, the Commission acknowledges that Regulation SCI will increase the costs for those that meet the definition of SCI entity. This will increase the expected costs of market entrants who expect to eventually be SCI entities. If an increase in these costs reduces the number of potential new entrants, the potential competition from new entrants will be lower.
As noted above, however, the Commission believes that the heightened barriers to entry for ATSs would be mitigated to some degree because the compliance period would provide a new ATS entrant the opportunity to initiate and develop its business before the ATS would need to comply with Regulation SCI.1876 In particular, the Commission believes that few new ATSs would likely initially meet the threshold to be covered under Regulation SCI and a new ATS could trade for at least three months (i.e., less than four of the preceding six months) and conduct such trading at any level without being subject to Regulation SCI. The Commission also notes that ATSs meeting the volume thresholds in the definition of ‘‘SCI ATS’’ for the first time will also be provided six months from the time that the ATS first meets the applicable thresholds to comply with the requirements of Regulation SCI.1877 This compliance period should also provide such ATSs with time to plan on how they would meet the requirements of Regulation SCI, and could also potentially allow SCI ATSs to become more equipped to bear the cost of Regulation SCI once compliance is required, and thus not significantly discourage new ATSs from entering the market and growing.

1874 However, given the voluntary nature of the current ARP Inspection Program, the extent of current compliance with the requirements of adopted Regulation SCI by entities subject to the ARP Inspection Program varies.
1875 While Regulation SCI could also increase start-up costs for SIPs and registered clearing agencies, SIPs provide exclusive services and registered clearing agencies are currently characterized by specialization and limited competition. Clearing and settlement services exhibit high barriers to entry and economies of scale. See Clearing Agency Standards Release, supra note 76, at 66263 and 66265.
1876 See supra note 152.
For newly registered exchanges, the Commission believes the costs associated with Regulation SCI would not represent a significant increased barrier to entry, as the costs would represent a small portion of total costs associated with creating and registering an exchange.

The compliance costs associated with participating in business continuity and disaster recovery plan testing may affect competition among members or participants of SCI entities and also could raise barriers to entry for new members or participants. In particular, Regulation SCI imposes compliance costs on certain members or participants of SCI entities that are designated to participate in business continuity and disaster recovery plans testing. Because some members or participants may incur compliance costs associated with Rule 1004 and others may not, it could negatively impact the ability for some to compete and could raise barriers to entry. As discussed more thoroughly in Section VI.C.2.b.vii below, the Commission expects the compliance costs associated with the business continuity and disaster recovery plans testing requirements in Rule 1004 to be limited for larger members or participants who already maintain connections to backup facilities, including for testing purposes, than for smaller members or participants. Furthermore, the Commission believes that new members or participants are less likely to be designated immediately to participate in business continuity and disaster recovery plan testing than existing significant members or participants because new members may not initially satisfy the SCI entity’s designation standards as they establish their businesses. Thus, the Commission believes the adverse effect on competition may be mitigated to some extent as the most likely members or participants to be designated for testing are those comprising the largest market share as ranked by volume by the SCI entity, and that these firms will have more limited compliance costs.1878

1877 See supra Section IV.F (discussing effective date and compliance dates for Regulation SCI).

2. Analysis of Final Rules

a. Definitions—Rule 1000

In general, the definitions in Rule 1000 either clarify a provision or circumscribe the scope of a provision in Regulation SCI. Therefore, many of the costs and benefits associated with the impacts of the definitions are incorporated in the discussion of the substantive requirements of Regulation SCI. This section contains a discussion of the economic effects of the scope of Regulation SCI resulting from the definitions adopted by the Commission.

i. SCI Entities

The Commission estimates that the definition of SCI entity in Rule 1000 currently covers 44 entities. This includes 30 current participants in the ARP Inspection Program (i.e., 18 registered national securities exchanges, seven registered clearing agencies, FINRA, two plan processors, one ATS trading NMS stocks, and one exempt clearing agency). The definition of SCI entity also includes one ATS that currently exceeds the relevant threshold in Rule 301(b)(6)(i) of Regulation ATS and is subject to the systems safeguard requirements of Regulation ATS. In addition to these entities, the definition of SCI entity includes the MSRB and an estimated 12 additional SCI ATSs.
Generally, by including certain entities that do not currently participate in the ARP Inspection Program or meet the current threshold for the systems safeguard requirements of Regulation ATS in the definition of SCI entity, the Commission believes that Regulation SCI will not only enhance systems resiliency at such entities, but also reduce the potential for incidents at these entities to have broader, disruptive effects across the securities markets more generally on other SCI entities, and attendant costs to investors. Although the Commission believes that the requirements of Regulation SCI will reduce the impact of SCI events, the Commission is unable to quantify the economic effects of the reduction because the degree to which adherence to the requirements of Regulation SCI will reduce the impact of SCI events is unknown.

As discussed throughout the economic analysis, the Commission also expects that SCI entities will incur costs for complying with the requirements of Regulation SCI and that these costs could affect the competitiveness of entities incurring such costs.

1878 The Commission also notes that SCI entities have an incentive to limit the imposition of the cost and burden associated with testing to the minimum necessary to comply with Rule 1004, and that, given the option, most SCI entities would, in the exercise of reasonable discretion, prefer to designate fewer members or participants to participate in testing, than to designate more. See supra Section IV.B.6.b.
For example, the section summarizing the effects of Regulation SCI on efficiency, competition, and capital formation, Section VI.C.1.c, discusses several ways that Regulation SCI might affect the competitiveness of SCI entities, including the competitiveness of SCI entities versus non-SCI entities, the relative initial competitiveness of SCI entities needing to make more changes to comply with Regulation SCI, and barriers to entry for SCI entities.

As discussed in detail in Section IV.A.1, many commenters addressed the scope of the definition of SCI entity. Many of these comments related to the inclusion of certain ATSs in the definition.1879 Commenters presented mixed views on the inclusion of ATSs, with some commenters believing that all ATSs should be covered by Regulation SCI,1880 and other commenters arguing that no ATSs should be covered by Regulation SCI.1881 The commenters who supported including all ATSs in the scope of the definition of SCI entity argued that any ATS can impact the market and one of these commenters also stated that any participant on any ATS can have disproportionate impact on the market.1882 One of the main points of commenters that suggested no ATSs should be covered was that ATSs are redundant of exchanges and other ATSs and that, in case an ATS fails, other ATSs or exchanges can service investors and absorb trading volume.1883 Additionally, some commenters suggested applying higher thresholds in the definition of SCI ATS such that fewer ATSs would be covered under Regulation SCI.1884 Many of these commenters who advocated for applying higher thresholds in the definition of SCI ATS stated that the inclusion of smaller ATSs in the definition of SCI ATS does not justify what they believed to be the significant compliance costs imposed by Regulation SCI.1885

The Commission believes that certain ATSs should be required to comply with rules regarding systems capacity, integrity, resiliency, availability, security, and compliance. ATSs now collectively represent a significant source of liquidity for NMS stocks.1886 Given this level of activity on ATSs, coupled with the increasingly interconnected and complex nature of the markets and heavy reliance on automated systems, the Commission recognizes that a systems issue even at one ATS could result in a market-wide impact. Further, some ATSs execute a larger portion of consolidated volume than smaller exchanges. In this respect, an outage at one or more of these ATSs, which serve as markets to bring buyers and sellers together in the national market system, could disrupt the entire market and could pose even greater risks to the market as a whole than certain smaller exchanges. Accordingly, the Commission believes that the exclusion of all ATSs from the definition of SCI entity would significantly reduce the benefits of Regulation SCI discussed in Section VI.C.1. On the other hand, the Commission believes that including all ATSs in the definition of SCI entity would heighten barriers to entry and restrict competition in the markets for trading services and, thus, could stifle innovations. As discussed in Section IV.A.1.b, the Commission believes that the adopted thresholds for SCI ATSs result in the inclusion of ATSs that can play a significant role in the securities markets and, given their heavy reliance on automated systems, have the potential to impact investors, the overall market, and the trading of individual securities should an SCI event occur.

1879 See supra Section IV.A.1.b.
1880 See, e.g., NYSE Letter at 8–10; and Lauer Letter at 4.
1881 See, e.g., BIDS Letter at 3; ITG Letter at 2–4; and OTC Markets Letter at 9.
1882 See, e.g., NYSE Letter at 8–10; and Lauer Letter at 4.
1883 See, e.g., BIDS Letter at 7–8; and ITG Letter at 3.
1884 See, e.g., Direct Edge Letter at 2; ITG Letter at 10.
With respect to comments calling for higher or lower volume thresholds, the Commission believes that higher thresholds would increase the risk of significant market disruptions due to SCI events relative to the adopted thresholds and lower thresholds would serve to increase barriers to entry. In setting the levels in the thresholds for SCI ATS, the Commission has considered the trade-offs between barriers to entry and the risk of significant market disruptions.

In adopting the thresholds in the definition of SCI ATS, the Commission also considered alternative thresholds, including the threshold used in Regulation ATS. The adopted thresholds in the definition of SCI ATS differ from the thresholds that subject an ATS to the systems safeguard requirements under Rule 301(b)(6) of Regulation ATS in several ways.1887 First, for ATSs that trade NMS stocks or non-NMS stocks, the adopted thresholds are based on dollar trading volume instead of share trading volume. The Commission believes that the application of dollar trading volume thresholds better reflects the potential economic impact of a systems issue at a significant ATS as it more accurately measures the value of trading activity compared to a threshold based on share trading volume.1888 Second, the adopted volume thresholds for NMS stocks and non-NMS stocks are lower than the volume thresholds in Rule 301(b)(6) of Regulation ATS. As discussed in IV.A.1.b, securities trading has evolved significantly since the adoption of Regulation ATS; today, trading activity in stocks is more dispersed among a larger number of trading venues.

1885 See, e.g., ITG Letter at 9–10.
1886 See supra note 148 and accompanying text. See also text accompanying supra note 1832.
Because trading activity in stocks is now dispersed among a larger number of trading venues and markets today are so inter-connected and complex, the Commission believes that the application of lower volume thresholds would more effectively capture multiple sources of potential systems issues that could significantly disrupt the market for a single security or for the market as a whole. Third, with respect to ATSs that trade NMS stocks, the Commission is adopting the two-fold dollar volume thresholds in the first prong—a single NMS stock threshold and an all NMS stocks threshold. The Commission believes that such thresholds would appropriately account for the significance of an ATS in both overall trading of NMS stocks and for a single NMS stock.

With regard to commenters that stated no ATSs should be covered because ATSs are redundant of exchanges and other ATS, the Commission acknowledges that, to some extent, certain services provided by any trading venue, including exchanges and ATSs, are redundant in the sense that these facilities execute and process trades. However, the Commission notes that each ATS provides different services in terms of, among other things, order types, matching rules, and the speed of execution to meet investors’ specific needs. If an ATS outage interferes with the supply of certain services that investors demand, it would impose costs on investors. For example, market participants may program their routing algorithms assuming that all market centers are operational.

1887 See also supra Section IV.A.1.b.
1888 See text accompanying supra note 161; see also Proposing Release, supra note 13, at 18094 (stating that the use of dollar thresholds may better reflect the economic impact of trading activity).
If one of those venues is not available, rerouting order flow may increase costs to the market participant seeking execution as time required for executing orders may increase, order fill rates may decrease, and slippage 1889 may also increase, which would further increase transaction costs.1890

The Commission also received comments regarding the inclusion of fixed-income ATSs. One commenter suggested the use of par value traded rather than volume.1891 Further, in noting that fixed-income ATSs should not be subject to Regulation SCI, this commenter noted that retail fixed-income ATSs operate on a vastly different scale than institutional equity markets.1892 According to this commenter, the costs of compliance for a retail fixed-income ATS would be several orders of magnitude higher than for an exchange in the equity market, and would overwhelm revenues for retail fixed-income ATSs.1893 The Commission, after considering the views of commenters, has determined to exclude ATSs that trade only municipal securities or corporate debt securities from the definition of SCI ATS at this time.1894 Accordingly, such fixed-income ATSs will not be subject to the requirements of Regulation SCI. Rather, fixed-income ATSs will continue to be subject to the existing requirements in Rule 301(b)(6) of Regulation ATS regarding systems capacity, integrity and security if they meet the twenty percent threshold for municipal securities or corporate debt securities provided by that rule.1895 Because no such ATS is subject to Regulation SCI at this time, it is possible that the municipal security and corporate debt markets may be affected by SCI events that otherwise may have been prevented with more robust systems that would result from Regulation SCI. However, the Commission believes that this loss in potential benefit relative to the proposed approach would be minimal as fixed-income securities trading is generally significantly less automated than trading in equities.1896 Further, as commenters pointed out, the cost of the requirements of Regulation SCI could be significant for fixed-income ATSs relative to their size, scope of operations, and more limited potential for systems risk. Therefore, lowering the current threshold applicable to fixed-income ATSs in Regulation ATS and subjecting such ATSs to the requirements of Regulation SCI could have potentially discouraged the growth of automation that could benefit investors in these markets. However, as the Commission monitors the evolution of automation in this market, the Commission may reconsider the benefits and costs of extending the requirements of Regulation SCI to fixed-income ATSs in the future.

The adopted definition of SCI SRO includes all national securities exchanges regardless of their volume share. The Commission received one comment letter stating that the rule should also include volume thresholds for exchanges.1897 The Commission is not persuaded that applying a volume threshold is appropriate for SCI SROs that are exchanges, but instead believes that Regulation SCI should cover all exchanges. In particular, the Commission recognizes that all exchanges play an important role in the securities markets. As discussed above in Section IV.A.1.a, all stock exchanges are subject to a variety of specific public obligations under the Exchange Act, including the requirements of Regulation NMS which, among other things, designates the best bid or offer of such exchanges to be protected quotations.

1889 Slippage refers to the difference between the expected price of a trade and the actual trade price due to the passage of time.
1890 See supra Section VI.B.4 for a discussion of why market incentives do not seem to reduce these costs.
1891 See TMC Letter at 1–3.
1892 See id. at 2.
1893 See id.
1894 See supra Section IV.A.1.b.
1895 See 17 CFR 242.301(b)(6).
Accordingly, every exchange may have a protected quotation that can obligate market participants to send orders to that exchange if such exchange is displaying the best bid or offer. Among other reasons, given that market participants may be required to send orders to any one of the exchanges at any given time if such exchange is displaying the best bid or offer, the Commission believes that it is important that the safeguards of Regulation SCI apply equally to all exchanges irrespective of trading volume. As market participants may be required to send orders to the exchange displaying the best prices, systems issues at such exchange could force market participants to re-route their orders and, thus, could increase execution time and slippage, imposing additional transaction costs to investors.

1896 The Commission notes that the corporate debt and municipal securities markets are primarily voice markets with little automation. See also supra note 185 (discussing the view of commenters that the inclusion of fixed-income ATSs and/or the adoption of the proposed thresholds would impose unduly high costs on these entities given their size, scope of operations, lack of automation, low speed, and resulting low potential to pose risk to systems).
1897 See supra note 81 and accompanying text.
With respect to options exchanges, the Commission additionally believes that it would be inappropriate to exclude them from the definition of SCI SRO because technology risks are equally applicable to such exchanges, as evidenced by recent technology incidents affecting the options markets.1898 While there are many options that trade on multiple venues, systems issues resulting in trading disruptions at an options exchange could lower the quality of pricing efficiency and disrupt the price discovery process for singly-listed options (e.g., certain index options only trade on one options exchange). As such, systems issues at options exchanges can pose significant risks to the markets, and the Commission believes that the inclusion of options exchanges within the scope of Regulation SCI is necessary to achieve the goals of Regulation SCI. The definition of SCI entity also includes the MSRB. The Commission believes that the inclusion of the MSRB as an SCI entity will provide several significant benefits. In particular, the MSRB collects and consolidates municipal securities data and makes it available to market participants. The Commission believes that any event that could affect the market data collected and consolidated by the MSRB could significantly disrupt the municipal bond market. Also, the municipal securities data collected by the MSRB is provided to FINRA and made available to the Commission and the bank regulators, and serves as a key resource for monitoring the municipal bond market. Therefore, the inclusion of the MSRB will help ensure the robustness of the MSRB’s systems and reduce the likelihood of systems issues that could harm investors in the municipal bond market. 
As discussed above in Section IV.A.1, several commenters advocated the adoption of a ‘‘risk-based’’ approach in the definition of SCI entity based on the criticality of the functions performed.1899 In effect, these commenters suggested that the Commission apply provisions of Regulation SCI based on the entity’s risk to the operations of the U.S. securities markets based on the entity’s functional role in the market (e.g., a primary listing market, the sole venue of the security, a monopoly or utility type role with no redundancy). The Commission has considered these factors in developing the definition of SCI entity and believes that the adopted definition, in part, captures the intent of the commenters’ suggestions in that it includes entities in the definition that play a significant role in the securities markets. In particular, as discussed in Section IV.A.1.a in detail, the Commission included all exchanges in the definition of SCI SRO because exchanges play a significant role in the functioning of securities markets.

With respect to the comments that suggested including only those entities that are essential to continuous market-wide operation, the Commission believes that the specific criteria suggested by commenters, in effect, could lead to the exclusion of significant ATSs. As discussed above, the Commission continues to believe that significant ATSs that trade NMS and non-NMS stocks should be included in Regulation SCI. ATSs collectively represent a significant source of liquidity for stocks. Furthermore, as today’s markets are increasingly inter-connected and complex with heavy reliance on automated systems, the Commission recognizes that a systems issue at an ATS could result in a market-wide impact.

1898 See supra note 84.
1899 See supra notes 53–57 and accompanying text.
Consequently, the Commission believes that re-defining SCI entities according to commenters’ ‘‘risk-based’’ approach could exclude certain entities that the Commission believes have the potential to pose significant risks to the securities markets should an SCI event occur, and thus limit the potential benefits from Regulation SCI, which are discussed throughout this economic analysis.

ii. SCI Systems

Regulation SCI expands on current practice, and applies to a broader range of systems than the current ARP Inspection Program. In particular, the ARP Policy Statements are focused on specific types of automated systems.1900 The ARP Policy Statements and the ARP Inspection Program address systems that directly support trading, clearance and settlement, order routing, and market data. The definition of ‘‘SCI systems’’ would include these systems, as well as those that directly support market regulation and market surveillance, systems that serve an essential function for investor protection and market integrity. The inclusion of market regulation and market surveillance systems under Regulation SCI could reduce systems compliance issues that result from disruptions in systems that support market regulation and market surveillance. The Commission believes that including market regulation and market surveillance systems under the definition of SCI systems should help ensure the robustness of the systems used by SCI entities to monitor compliance with relevant laws, rules, and their own rules, and detect any violations of such laws or rules by members or participants. The reduction in market regulation and market surveillance systems issues could help ensure investor protection and preserve market integrity.

The Commission also believes that the inclusion of market data systems in the definition of SCI systems will benefit the market. Currently, SIAC, Nasdaq, and the MSRB 1901 process, collect, and disseminate market data on equities, options, and municipal securities to investors. While SIAC and Nasdaq are part of the ARP Inspection Program, the MSRB is not. The Commission believes that consolidated market data is an important part of the investing and trading process as it helps market participants to make well-informed investment and trading decisions, and also helps investors to monitor the quality of execution of orders by their brokers. Thus, any SCI events that affect market data processed, collected, and disseminated by the MSRB could reduce pricing efficiency and, consequently, could significantly disrupt the municipal bond market. Further, with respect to NMS securities, the Commission understands that many trading algorithms make trading decisions based primarily on market data and rely on that data being current and accurate.

In addition, as noted in Section IV.A.2.b, market data as used in the definition of ‘‘SCI systems’’ does not refer exclusively to consolidated market data, but also includes proprietary market data generated by SCI entities as well. The Commission notes that proprietary market data is widely used and relied upon by a broad array of market participants, including institutional investors, to make trading decisions. Therefore, if a proprietary market data feed became unavailable or otherwise unreliable, it could interfere with market participants making trading decisions and impose additional transaction costs on market participants. The Commission has limited information on the extent to which the ARP Policy Statements guide ARP participants’ practices with respect to their proprietary market data systems because this information is not reported to the Commission. To the extent that the ARP Policy Statements guide ARP participants with respect to certain of their proprietary market data systems, the potential benefits from including proprietary market data systems in Regulation SCI could be incremental given current practice.

1900 See supra Section II.A and Proposing Release, supra note 13, at Section I.A (discussing in more detail the ARP Policy Statements and the ARP Inspection Program). According to the ARP I Release, the term ‘‘automated systems’’ or ‘‘automated trading systems’’ means computer systems for listed and OTC equities, as well as options, that electronically route orders to applicable market makers and systems that electronically route and execute orders, including the data networks that feed the systems. These terms also encompass systems that disseminate transaction and quotation information and conduct trade comparisons prior to settlement, including the associated communication networks. See ARP I Release, supra note 1, at 48706, n. 21.
1901 As discussed above, in 2008, the Commission amended Rule 15c2–12 to designate the MSRB as the single centralized disclosure repository for continuing municipal securities disclosure. In 2009, the MSRB established EMMA, which serves as the official repository of municipal securities disclosure and provides the public with free access to relevant municipal securities data, and is the central database for information about municipal securities offerings, issuers, and obligors. Additionally, the MSRB’s RTRS, with limited exceptions, requires municipal bond dealers to submit transaction data to the MSRB within 15 minutes of trade execution, and such near real-time post-trade transaction data can be accessed through the MSRB’s EMMA Web site. See supra note 77. The MSRB is an SCI entity by virtue of being an SRO, rather than a plan processor.
The Commission also notes that entities have competitive incentives to limit the number of systems issues with their proprietary market data systems, as those SCI entities with minimum latency and the most robust proprietary market data systems may attract more trading volume. While proprietary market data systems have experienced systems issues, because these issues are not reported to the Commission, the Commission has limited information on the frequency and severity of such systems issues and, in addition, does not have information about how proprietary market data systems issues affect the demand to subscribe to a particular proprietary market data feed. Although the Commission is unable to estimate the benefits and costs of subjecting proprietary market data systems to Regulation SCI, the Commission believes that if a proprietary market data feed became unavailable or otherwise unreliable, it could have a significant impact on the trading of the securities to which it pertains, and could interfere with the maintenance of fair and orderly markets.1902

To the extent that proprietary market data systems and consolidated market data systems share common infrastructure, the compliance costs associated with proprietary market data systems could be incremental to those costs associated with consolidated market data systems. In addition, to the extent the ARP Policy Statements guide ARP participants with respect to their proprietary market data systems, the initial compliance costs associated with proprietary market data systems will be lower for these participants with respect to the relevant proprietary market data systems.

As adopted, a subset of SCI systems are defined as critical SCI systems.
Critical SCI systems are defined as SCI systems of, or operated by or on behalf of, an SCI entity that directly support functionality relating to clearance and settlement systems of clearing agencies; openings, reopenings, and closings on the primary listing exchange; trading halts; initial public offerings; the provision of consolidated market data; and exclusively listed securities.1903 In addition, critical SCI systems include systems that provide functionality to the securities markets for which the availability of alternatives is significantly limited or nonexistent, and without which there would be a material impact on fair and orderly markets.1904 Critical SCI systems include systems that represent potential ‘‘single points of failure’’ in the securities markets—if they were to experience systems issues, the Commission believes they would be the most likely to have a widespread and significant impact on the U.S. securities markets. Critical SCI systems are subject to certain heightened resilience and information dissemination requirements under Regulation SCI. In addition, because an SCI entity may tailor its policies and procedures based on the relative criticality of a given system to the SCI entity and to the securities markets generally, an SCI entity may subject its critical SCI systems to higher standards than other SCI systems.

By adopting a defined term ‘‘critical SCI systems’’ (which is not defined for purposes of the ARP Inspection Program or Regulation ATS), along with the heightened requirements associated with critical SCI systems, the Commission expects fewer disruptions in critical SCI systems, and therefore fewer SCI events involving potential ‘‘single points of failure’’ that could cause wide-scale disruptions across the securities markets.

1902 See supra Section IV.A.2.b.
1903 See Rule 1000.
1904 See id.
As explained in Section VI.C.1, this could reduce the likelihood and duration of systems issues, thereby helping to avoid pricing inefficiencies and reduce interruptions in liquidity flow, which may occur during times when systems disruptions can make systems unavailable or unreliable. The Commission also notes that, by distinguishing critical SCI systems from other SCI systems, and because an SCI entity may tailor its policies and procedures based on the relative criticality of a given system to the SCI entity and to the securities markets generally, an SCI entity may subject its critical SCI systems to higher standards than other SCI systems. In addition, critical SCI systems are subject to a goal of two-hour recovery following a wide-scale disruption, and a requirement for information dissemination to all members or participants of an SCI entity in the case of an SCI event impacting critical SCI systems (unless the SCI event qualifies as a de minimis SCI event). As a result, the designation of critical SCI systems may result in additional costs as compared to the proposal. However, by distinguishing critical systems, Regulation SCI is consistent with a risk-based approach that targets areas that would generate the most benefits.
Regulation SCI defines ‘‘indirect SCI systems’’ 1905 to mean any systems of, or operated by or on behalf of, an SCI entity that, if breached, would be reasonably likely to pose a security threat to SCI systems.1906 As discussed above in Section IV.A.2.d, the adopted definition excludes systems that are effectively physically or logically separated from SCI systems because the Commission believes that the benefit of including systems that can effectively be ‘‘walled off’’ may be limited, as ‘‘walled off’’ systems are less likely to serve as potential vulnerable entry points to SCI systems in the event of a security breach.1907 Regulation SCI will expressly impose new requirements on systems that fall within the definition of ‘‘indirect SCI systems’’ (which is not defined for purposes of the ARP Inspection Program or Regulation ATS). These new requirements for indirect SCI systems should help ensure the robustness and resiliency of SCI systems by reducing the occurrence of security-related issues at SCI systems.

1905 As discussed in Section IV.A.2.d, ‘‘SCI security systems’’ have been renamed ‘‘indirect SCI systems’’ and its definition has been revised in response to commenters who expressed concern about the breadth of the proposed definition. Because the definition of indirect SCI systems has been refined from the proposal, the compliance costs associated with indirect SCI systems (discussed below) would be lower relative to the compliance costs associated with the proposed rules.
1906 As proposed, ‘‘SCI security systems’’ means any systems that share network resources with SCI systems that, if breached, would be reasonably likely to pose a security threat to SCI systems.
Moreover, the application of Regulation SCI to indirect SCI systems could encourage SCI entities to isolate certain non-SCI systems from SCI systems (thereby removing these non-SCI systems from the scope of indirect SCI systems), which would decrease the risk that nonSCI systems provide vulnerable points of entry into SCI systems and cause security-related issues at SCI systems. The reduction in security-related SCI systems issues could lead to fewer interruptions in the price discovery process and liquidity flows and thus result in fewer periods with pricing inefficiencies as discussed in Section VI.C.1. Regulation SCI specifies the obligations SCI entities would have with respect to SCI systems and indirect SCI systems. As mentioned above, the definition of SCI systems includes more systems than the ARP Inspection Program traditionally covered, and ‘‘indirect SCI systems’’ is not defined for purposes of the ARP Inspection Program or Regulation ATS. Because Regulation SCI applies to SCI systems and indirect SCI systems, SCI entities will incur compliance costs, discussed in detail further below in Section VI.C.2, which include, among other things, costs associated with policies and procedures related to such systems. Furthermore, as mentioned above, the definition of SCI systems includes systems that directly support trading, clearance and settlement, order routing, and market data, which are covered by the ARP Inspection Program. Accordingly, the Commission believes that initial compliance costs associated with SCI systems will be higher for SCI entities that are not currently participating in the ARP Inspection Program (e.g., some SCI ATSs) as compared to ARP Inspection Program participants that have established practices consistent with the ARP Policy Statements. 
Although the Commission believes that some SCI ATSs will generally incur higher initial compliance costs associated with the requirements of Rule 1001 compared to other SCI 1907 Some SCI entities currently employ a wide variety of means to separate their systems, including logical and physical separation. VerDate Sep<11>2014 20:27 Dec 04, 2014 Jkt 235001 entities that are current participants in the ARP Inspection Program, the difference in initial compliance costs could be limited because, as currently constituted, relative to the systems of SCI SROs, the systems of SCI ATSs generally would not fall within the category of critical SCI systems, and thus such SCI ATSs would not be subject to the more stringent requirements that would be applicable to the critical SCI systems of other SCI entities. Further, as discussed in Section VI.C.1, the Commission believes that Regulation SCI could have an impact on competition among SCI entities in part because the initial compliance costs associated with SCI systems and indirect SCI systems will vary across SCI entities. In the SCI Proposal, the Commission defined SCI systems more broadly than it has in the adopted rule. Specifically, the proposed definition of SCI systems would have included all regulation and surveillance systems, as well as development and testing systems. 
As discussed above in Section IV.A.2.b, after considering, among other things, the views of commenters that the definition of SCI systems was overbroad and, thus, could cover nearly all systems of an SCI entity, the Commission refined the definition of SCI systems.1908 Specifically, the scope of adopted Regulation SCI does not cover member regulation or member surveillance systems such as those, for example, relating to member registration, capital requirements, or dispute resolution, because issues relating to such systems are unlikely to have the same level of impact on the maintenance of fair and orderly markets or an SCI entity’s operational capability as those systems identified in the definition of SCI systems. Consequently, the Commission does not believe that the exclusion of member regulation and member surveillance systems will significantly reduce the benefits of Regulation SCI discussed in Section VI.C.1. Furthermore, the Commission believes that the exclusion of member regulation and member surveillance systems from the adopted definition of SCI systems will substantially reduce the costs of compliance with Regulation SCI relative to the proposal because it reduces the potential number of SCI events that would be subject to the Commission notification requirements compared to the proposal.
1908 See supra Section IV.A.2.b (discussing the definition of SCI systems).
As discussed above in Section IV.A.2.b, many commenters also opposed the inclusion of development and testing systems in the definition of SCI system, stating that issues in development and testing systems would have little or no impact on the operations of SCI entities.1909 The Commission agrees that issues with development and testing systems generally have less of an impact on the SCI entity’s operations than production systems that directly support trading, clearance and settlement, order routing, market data, market regulation, and market surveillance. In response to comment letters, the adopted definition of SCI systems is limited to systems that directly support trading, clearance and settlement, order routing, market data, market regulation, and market surveillance, and does not include development and testing systems. Consequently, the requirements of Regulation SCI that are triggered by the definition of SCI systems do not apply to development and testing systems. However, the Commission recognizes that there would be benefits from maintaining robust development and testing systems because these systems are important in ensuring the reliability and resiliency of systems of SCI entities. As discussed in Section IV.A.2.b, in order to have policies and procedures reasonably designed to ensure capacity, integrity, resiliency, availability, and security for SCI systems (and indirect SCI systems, as applicable) in accordance with adopted Rule 1001(a), an SCI entity will be required to have policies and procedures that include a program to review and keep current systems development and testing methodology for such systems.1910
1909 See supra note 234 and accompanying text.
1910 Further, as discussed above, the definition of SCI review and the corresponding requirement for an annual SCI review require an assessment of internal control design and effectiveness, which includes development processes. In addition, if development and testing systems are not appropriately walled off from production systems, such systems could be captured under the definition of indirect SCI systems and be subject to the requirements of Regulation SCI.
A few commenters advocated that SCI entities should be permitted to conduct their own risk-based assessment in determining the scope of SCI systems.1911 As discussed in Section IV.A.2.b, rather than limiting the definition of SCI systems to systems that pose a greater risk to the markets in the event of a systems issue or that are of paramount importance to the functioning of the U.S. securities market, the Commission is subjecting those systems that meet the definition of ‘‘critical SCI systems’’ to certain heightened requirements under Regulation SCI. The Commission continues to believe that any systems issues involving systems that directly support one of the six functions (trading, clearance and settlement, order routing, market data, market regulation, or market surveillance) listed in the definition of SCI systems could also cause significant market disruptions and, thus, including such systems and imposing heightened requirements on a subset of such systems—critical SCI systems—should help realize the benefits of Regulation SCI discussed in Section VI.C.1.a.
1911 See DTCC Letter at 3–5; Omgeo Letter at 5–6; and OCC Letter at 3–4.
As discussed above in Section IV.A.2.b, the definition of SCI systems includes any system that is operated by a third-party on behalf of an SCI entity and directly supports one of the six key functions (trading, clearance and settlement, order routing, market data, market regulation, or market surveillance) listed in the definition of SCI systems.
The Commission understands that many SCI entities and many SROs, in particular, rely heavily on outsourcing to help test, operate, and run various systems in their daily operations and that they outsource networks, data center operations, and many of the products and systems that support their trading and/or clearing systems. The Commission also notes that its staff already discusses with ARP entities their use of certain third-party systems as necessary under the ARP Inspection Program. Because of this reliance on outsourcing to third party systems, the Commission believes that including any system that directly supports one of the six functions listed in the definition of SCI system, regardless of whether it is operated by the SCI entity directly or by a third party, is important in reducing systems issues and, thus, promoting pricing efficiency and the price discovery process.
Several commenters stated that the definition of SCI systems should not include systems operated on behalf of an SCI entity by a third-party.1912 These commenters expressed concerns about potential difficulties with meeting the requirements of Regulation SCI with regard to third-party systems.1913 Another commenter questioned whether the Commission considered the costs and benefits of including third-party systems within the definition.1914 This commenter also noted that the inclusion of third-party systems may force SCI entities to insource functions that are more efficiently performed by vendors, and the cost of insourcing will be passed along to members and market participants and may degrade competition.1915 As discussed above, the Commission believes that, among other reasons, allowing systems operated on behalf of an SCI entity by a third-party to be excluded from the requirements of Regulation SCI would reduce the effectiveness of the regulation in promoting the national market system by ensuring the capacity, integrity, resiliency, availability, and security of those systems important to the functioning of the U.S. securities markets.1916 The Commission acknowledges that ensuring compliance of systems operated by a third-party with Regulation SCI may be more costly than ensuring compliance of internal systems with Regulation SCI because of search costs associated with employing adequate third-party systems or services and the additional communication needed with the third-party service provider. The Commission acknowledges that higher compliance costs associated with managing third-party systems could be passed on to market participants.
1912 See, e.g., Omgeo Letter at 5–6; and BATS Letter at 4.
1913 See, e.g., Omgeo Letter at 5–6; and BATS Letter at 4.
1914 See BATS Letter at 4–5.
1915 See id. at 5.
1916 See supra Section IV.A.2.b (discussing the definition of ‘‘SCI systems’’).
Moreover, the Commission recognizes that the inclusion of systems operated by a third-party on behalf of an SCI entity in the scope of SCI systems may in certain cases make it more difficult for an SCI entity to utilize third parties because the SCI entity is required to ensure that SCI systems and indirect SCI systems operated on its behalf by a third party are operated in compliance with Regulation SCI. In particular, the SCI entity might not be able to ensure that systems operated by certain third parties are in compliance with Regulation SCI and therefore might not be able to utilize such third-party service providers. Limitations on the choice of third-party systems could lower the quality of employable third-party systems because the employable third-party systems may not be best suited for the SCI entity or be the best available of its type. At this time, however, it is difficult to estimate the extent to which inclusion of systems operated by third parties on behalf of an SCI entity in the definition of SCI systems will alter outsourcing arrangements in a manner that would result in reducing an SCI entity’s ability to maintain its operational capability and promote the maintenance of fair and orderly markets. While the Commission understands that SROs outsource some systems, the Commission lacks sufficient information regarding the specific contractual relationships between SCI entities and third-party service providers. Furthermore, if—due to limited options on employable third-parties—an SCI entity decides to insource systems that could be more cost-effectively provided by third parties with relevant expertise, the quality of such systems may be adversely affected, while the cost to the SCI entity may be increased. As such, Regulation SCI could impose higher costs on SCI entities that are currently more dependent on third-party systems for their operations than SCI entities that primarily employ their own systems and therefore could potentially have adverse effects on competition among SCI entities. In addition, the requirements of Regulation SCI could force some third-party vendors out of the market for SCI systems or indirect SCI systems. In this respect, Regulation SCI could negatively impact such vendors and reduce the ability for some third-party vendors to compete in the market for SCI systems and indirect SCI systems, with attendant costs to SCI entities.
However, Regulation SCI, over time, could result in quality improvements for systems or services provided by such third-party vendors as vendors that primarily provide services to SCI entities may compete in part on the quality of their systems in light of the requirements of Regulation SCI.
iii. SCI Events
Rule 1000 defines SCI events to include systems disruptions, systems compliance issues, and systems intrusions. Further, for purposes of the information dissemination requirement under Rule 1002(c), the Commission defines the new term, major SCI event, to mean an SCI event that has had, or the SCI entity reasonably estimates would have, any impact on a critical SCI system, or a significant impact on the SCI entity’s operations or on market participants. As discussed further below, Regulation SCI requires SCI entities to take appropriate corrective actions in response to SCI events (Rule 1002(a)), notify the Commission of SCI events (Rule 1002(b)), and disseminate information regarding certain major SCI events to all members or participants of an SCI entity and certain other SCI events to affected members or participants (Rule 1002(c)).
Prior to the adoption of Regulation SCI, ‘‘systems disruption’’ was not defined by Commission rule. Rather, in the 2001 Staff ARP Interpretive Letter, Commission staff provided guidance on examples of significant systems outages that should be reported to Commission staff.1917 The Commission understands that ARP participants currently exercise a level of discretion in determining what systems issues constitute significant systems outages. As adopted, ‘‘systems disruption’’ is defined to mean an event in an SCI entity’s SCI systems that disrupts, or significantly degrades, the normal operation of an SCI system. The Commission believes the revised definition sets forth a standard that SCI entities can apply in a wide variety of circumstances to determine in their discretion whether a systems issue should be appropriately categorized as a systems disruption. The adopted definition of systems disruption potentially covers types of events that were not articulated as part of Commission staff guidance regarding significant systems outages, and at the same time potentially excludes types of systems events that were articulated as part of such guidance. The Commission, however, believes that the adopted definition of systems disruptions would more appropriately capture material or significant systems issues than the 2001 Staff ARP Interpretive Letter. Accordingly, the inclusion of systems disruptions in the definition of SCI event, along with the requirements of taking timely corrective actions, Commission notification, information dissemination, and recordkeeping on these systems issues, should help effectively reduce the severity and duration of events that harm pricing efficiency, price discovery, and liquidity and help Commission oversight of the securities markets. The Commission also acknowledges that SCI entities will incur some costs to determine whether a systems disruption has occurred. The Commission notes that these costs should be lower compared to the proposed definition, in part, because the adopted definition of systems disruption sets forth a standard that permits SCI entities to more effectively identify such systems issues.
1917 See 2001 Staff ARP Interpretive Letter, supra note 21.
As discussed in Section IV.A.3.a, after considering the views of commenters that the proposed definition of systems disruption was too prescriptive, insufficiently flexible, and should be limited to material systems disruptions, the Commission has taken a different approach. Instead of the proposed seven-prong prescriptive definition representing the effects caused by a disruption of an SCI entity’s systems, the adopted definition focuses on whether a system is halted or degraded in a manner that is outside of its normal operation. The proposed definition had the potential to incorporate certain types of minor events that should more appropriately fall outside the purview of the regulation. Similarly, the prescriptive approach of the proposed definition also had the potential to exclude certain types of events that were significant enough to warrant inclusion, but may otherwise have gone unreported because they were not one of the seven enumerated types of systems malfunctions.
Currently, ‘‘systems intrusion’’ is not defined by Commission rule or Commission staff guidance. The Commission believes that regulated entities exercise a level of discretion in determining what systems intrusions to report to Commission staff. By adopting a definition of systems intrusion, the Commission is specifying the criteria for SCI entities to use to identify systems intrusions that would be subject to Regulation SCI. The definition of systems intrusion covers successful unauthorized entry to SCI systems and indirect SCI systems. Unauthorized access, destruction, and manipulation of SCI systems and indirect SCI systems could adversely affect the markets and market participants because intruders could force systems to operate in unintended ways that could create significant disruptions in securities markets. Therefore, the inclusion of systems intrusions in the definition of SCI events can help reduce the risk of such adverse effects. The Commission believes that the inclusion of systems intrusion in the definition of SCI event should help ensure consistent compliance with the requirements of taking timely corrective actions, Commission notification, information dissemination, and recordkeeping and, thus, should help realize the benefits of those requirements discussed in sections below. The Commission also acknowledges that SCI entities will incur some costs to determine whether a systems intrusion has occurred.
Currently, ‘‘systems compliance issue’’ is also not defined by Commission rule or Commission staff guidance and the Commission believes that regulated entities exercise a level of discretion in determining what systems compliance-related issues to report to Commission staff. While the ARP Policy Statements do not address systems compliance issues, some SCI entities notify the Commission of certain systems compliance-related issues.1918 As noted above, however, the Commission does not receive comprehensive data regarding such issues. By adopting a definition of systems compliance issue, the Commission is specifying the criteria for SCI entities to use to identify systems compliance issues that would be subject to Regulation SCI. By defining SCI events to include systems compliance issues, the Commission believes Regulation SCI should further assist the Commission in its oversight of SCI entities and in the protection of investors. Specifically, the Commission believes that inclusion of systems compliance issues in the definition of SCI event and the resulting applicability of the Commission reporting, information dissemination, and recordkeeping requirements are important to help ensure that SCI systems are operated by SCI entities in compliance with the Exchange Act, rules thereunder, and their own rules and governing documents.1919 In addition, the Commission believes that, as part of its oversight of the securities markets, it should learn of a non-de minimis systems compliance issue immediately upon an SCI entity having a reasonable basis to conclude that such a systems compliance issue has occurred so that the Commission may consider whether there has been any resulting harm to investors or market participants. The Commission also acknowledges that SCI entities could incur some costs to determine whether a systems compliance issue has occurred. The Commission notes that it has refined the definition of systems compliance issue as compared to the proposal by replacing the phrase ‘‘federal securities laws’’ with ‘‘the Act.’’ 1920 Accordingly, the number of systems compliance issues subject to Regulation SCI could be no greater and possibly lower than if the Commission adopted the definition of systems compliance issue as proposed and there could be a corresponding reduction in benefits, compared to the proposal, as a result of adopting a targeted definition.1921
1918 See supra note 1803 and accompanying text. As part of the Commission’s oversight of SROs, OCIE reviews systems compliance issues reported to Commission staff.
1919 See supra Section IV.A.3.b.
1920 See id.
1921 For example, the adopted definition of systems compliance issue makes explicit that the requirements of Regulation SCI do not apply to any obligations that an SCI entity has under the Securities Act of 1933.
Regulation SCI also defines ‘‘major SCI event.’’ The addition of the definition of major SCI event allows the requirement for dissemination of information to all members or participants of an SCI entity to be consistent with a tiered, risk-based approach. As discussed in Section VI.C.2.b.iv below and in Section VI.C.1 above, dissemination of information regarding SCI events to all members or participants of an SCI entity can result in benefits and affect competitive incentives to prevent systems issues. The Commission acknowledges, however, that the benefits of information dissemination to all members or participants of an SCI entity would not be realized if SCI entities were required to disseminate too many events, creating confusion about which events are meaningful, or if SCI entities were required to disseminate too few events. The definition of major SCI events provides a targeted approach to determining which events are appropriately disseminated to all members or participants of an SCI entity. The Commission also acknowledges that, as discussed in Section VI.C.2.b.iv below, SCI entities would incur compliance costs associated with developing a process for determining major SCI events and de minimis SCI events.
SCI entities will incur compliance costs with regard to the requirements of Regulation SCI. As noted above, the definition of SCI event includes systems disruptions and systems intrusions, terms that are not defined under the ARP Inspection Program, but which are contemplated by the ARP Inspection Program’s attention to systems failures, disruptions, and other systems problems, including systems vulnerability.1922 To this extent, the initial compliance costs associated with SCI events may be higher for SCI entities that are not currently participating in the ARP Inspection Program than for those currently participating in the ARP Inspection Program.
Similarly, the initial compliance costs associated with SCI events will be higher for SCI entities that do not currently self-report systems compliance-related issues to the Commission than those that do. As discussed in Section VI.C.1, the Commission believes that Regulation SCI will have an impact on competition among SCI entities because the initial compliance costs stemming from the definition of SCI events will be different among SCI entities. However, all SCI entities, regardless of current participation in the ARP Inspection Program or self-reporting of systems compliance-related issues, could incur costs associated with the inclusion of major SCI events as a definition.
1922 See supra Section II.A (discussing the ARP Inspection Program).
As an alternative to the adopted definitions of SCI event, several commenters suggested that the definition of SCI event include a materiality threshold such that certain Regulation SCI requirements would apply only to events that exceed the threshold, as determined by the SCI entity.1923 The Commission is not persuaded that incorporating a materiality threshold into the definition of SCI event would appropriately capture SCI events. Some systems issues, which may initially seem insignificant to an SCI entity, may later prove to be the source of significant systems issues at the SCI entity. Furthermore, there could be incidences in which systems issues cause minor disruptions for one particular SCI entity but result in significant disruptions for another SCI entity or market participant. Under the use of the suggested materiality threshold, such systems issues could be overlooked and timely corrective action may not be taken.
1923 See supra note 334 and accompanying text.
b. Requirements for SCI Entities—Rules 1001–1004
i. Policies and Procedures—Rules 1001(a), (b), and (c)
Rules 1001(a), (b), and (c) set forth requirements relating to the written policies and procedures that SCI entities are required to establish, maintain, and enforce. Rule 1001(a) requires an SCI entity to establish, maintain, and enforce written policies and procedures reasonably designed to ensure that its SCI systems and, for purposes of security standards, indirect SCI systems, have levels of capacity, integrity, resiliency, availability, and security, adequate to maintain the SCI entity’s operational capability and promote the maintenance of fair and orderly markets. Rule 1001(b) requires an SCI entity to establish, maintain, and enforce written policies and procedures reasonably designed to ensure that its SCI systems operate in a manner that complies with the Exchange Act and the rules and regulations thereunder and the entity’s rules and governing documents, as applicable. Rule 1001(c) requires an SCI entity to establish, maintain, and enforce reasonably designed written policies and procedures that include the criteria for identifying responsible SCI personnel, the designation and documentation of responsible SCI personnel, and escalation procedures to quickly inform responsible SCI personnel of potential SCI events. This section discusses the economic effects of requiring these policies and procedures, both individually and as a whole.
The Commission believes the policies and procedures requirements as a whole should reduce the risk and incidences of SCI events because they are requirements under Commission rules rather than voluntary guidelines, and require SCI entities to establish, maintain, and enforce written policies and procedures related to capacity, integrity, resiliency, availability, security, compliance, responsible SCI personnel, and escalation.
Also, policies and procedures requirements as a whole should reduce the risk and incidences of SCI events by imposing requirements on entities that are not currently participating in the ARP Inspection Program, and by covering areas not currently within the scope of the ARP Inspection Program, such as policies and procedures regarding systems compliance.1924 The policies and procedures requirements in Regulation SCI should help ensure faster recoveries from systems disruptions, systems compliance issues, and systems intrusions. As discussed in Section VI.C.1, reducing the risk, incidence, and duration of SCI events could reduce interruptions in the price discovery process and liquidity flows and thus result in reduced periods with pricing inefficiencies.
1924 With respect to NASD and FINRA rules identified by commenters, although they have some broad relation to certain aspects of the policies and procedures provisions under Regulation SCI, the Commission is not persuaded that these rules, even when taken together, are an appropriate substitute for the comprehensive approach in Regulation SCI with respect to technology systems and system issues. See NASD Rule 3010(b)(1) and FINRA Rule 3130. See also supra note 115.
The Commission also recognizes that the policies and procedures requirements of Regulation SCI will impose certain costs. In general, the Commission believes that some SCI entities that participate in the ARP Inspection Program already comply with some of the requirements of Rule 1001 and thus would incur lower initial costs to comply with the requirements of Rule 1001 than SCI entities that do not participate in the ARP Inspection Program. Additionally, some SCI entities that currently participate in the ARP Inspection Program are large and have complex systems and, therefore, will incur more costs to comply with Rule 1001 than others. Furthermore, SCI entities that do not currently participate in the ARP Inspection Program will also face costs to comply with Rule 1001 if they do not already have policies and procedures similar to those required by Rule 1001. These costs are discussed further below.
Quantifiable Costs
In the SCI Proposal, based on discussion with industry participants, the Commission estimated that, to comply with all requirements underlying the policies and procedures required by proposed Rules 1000(b)(1) and (2) other than paperwork burdens, on average, each SCI entity would incur an initial cost of between approximately $400,000 and $3 million.1925 Based on this estimated range in costs, the Commission estimated that in the aggregate SCI entities would incur a total initial cost of between approximately $17.6 million 1926 and $132 million 1927 to comply with proposed Rules 1000(b)(1) and (2).
In addition, the Commission estimated that, to comply with the policies and procedures required by proposed Rules 1000(b)(1) and (2), on average, each SCI entity would incur an ongoing annual cost of between approximately $267,000 1928 and $2 million.1929 Based on this estimated range, the Commission estimated that in the aggregate SCI entities would incur a total annual ongoing cost of between approximately $11.7 million 1930 and $88 million.1931
One commenter noted that the Commission did not provide sufficient discussion of the basis for the cost estimates for complying with the policies and procedures required by proposed Rules 1000(b)(1) and (2).1932 However, this commenter was cautiously confident that its initial cost for full implementation of proposed Rules 1000(b)(1) and (2) would not exceed $3 million plus four times the estimated burden under the Paperwork Reduction Act analysis, although the commenter believed that such cost would not be less than half of such $3 million plus at least three times the Paperwork Reduction Act estimate.1933 This commenter further noted that the approach taken by the Commission in the proposal with regard to federal securities law liabilities and the safe harbors likely will result in increased insurance costs for SCI entities and higher salaries for employees.1934 Another commenter noted that, without further clarification, the broad scope of the policies and procedures requirement under Regulation SCI could be burdensome, in terms of the cost of developing and implementing new (or enhancing existing) policies and procedures, and in terms of complying and documenting compliance under such policies and procedures.1935 According to this commenter, these requirements could significantly increase technology project costs (e.g., for testing, monitoring, and compliance staff) and would significantly prolong the systems development lifecycle and time to market.1936 With respect to the Commission’s cost estimate for proposed Rules 1000(b)(1) and (2), another commenter noted that the Commission’s estimates do not adequately account for the opportunity costs of delays in systems innovation.1937 This commenter stated that the Commission did not address the significant costs of complying with the requirements concerning the capacity, integrity, resiliency, availability, and security of systems.1938
After considering the views of these commenters and in light of the changes to the proposed rules, the Commission now estimates that, to comply with all requirements underlying the policies and procedures required by Rules 1001(a) and (b),1939 other than paperwork burdens, on average, each SCI entity will incur an initial cost of between approximately $320,000 and $2.4 million and an ongoing annual cost of between approximately $213,600 and $1.6 million.1940 The Commission notes that it has reduced the cost for complying with the policies and procedures required by Rules 1001(a) and (b) in a variety of ways, including by, for example: Refining the definition of SCI systems; more explicitly allowing SCI entities to tailor policies and procedures consistent with a risk-based approach; having separate staff guidance on current SCI industry standards rather than Commission guidance through proposed Table A, with staff guidance characterized as listing examples of publications describing processes, guidelines, frameworks, and/or standards for an SCI entity to consider looking to in developing reasonable policies and procedures, rather than strictly as listing examples of ‘‘standards;’’ and focusing compliance on the Exchange Act rather than federal securities laws generally.
At the same time, the Commission acknowledges that other aspects of the compliance costs could potentially be higher for the adopted rules than the proposed rules. For example, the requirement for a goal of two-hour resumption for all critical SCI systems (rather than only clearance and settlement systems) could increase compliance costs for SCI entities with critical SCI systems as compared to the proposal.
1925 See Proposing Release, supra note 13, at 18171. As explained in the SCI proposal, the Commission preliminarily estimated a range of cost for complying with the policies and procedures required by proposed Rules 1000(b)(1) and (2) because some SCI entities are already in compliance with some of these requirements and thus would likely need to incur less costs to comply with the rules. For example, the Commission believed that many SCI SROs (e.g., certain national securities exchanges and registered clearing agencies) already have or have begun implementation of business continuity and disaster recovery plans that include maintaining backup and recovery capabilities sufficiently resilient and geographically diverse to ensure next business day resumption of trading and two-hour resumption of clearance and settlement services following a wide-scale disruption. See id. at 18171, n. 633.
1926 See id. at 18171, n. 634.
1927 See id. at 18171, n. 635.
1928 See id. at 18172, n. 637.
1929 See id. at 18172, n. 638.
1930 See id.
1931 See id. at 18172, n. 640.
1932 See MSRB Letter at 30.
1933 See id. at 31. According to this commenter, if as a result of the restrictive listing of industry standards in Table A, it determines that it should adhere to one of the listed standards rather than the standards to which it currently adheres, its cost of compliance with proposed Rule 1000(b)(1) would be considerably increased and its total cost for compliance with proposed Rules 1000(b)(1) and (2) would likely be at or near $3 million plus four times the estimated burden under the Paperwork Reduction Act analysis. See id. As noted above in Section IV.B.1.b.iii, the Commission believes that staff guidance should be characterized as listing examples of publications describing processes, guidelines, frameworks, and/or standards for an SCI entity to consider looking to in developing reasonable policies and procedures, rather than strictly as listing examples of ‘‘standards.’’ As such, nothing that the staff may include in its guidance precludes an SCI entity from adhering to standards such as ISO 27000, COBIT, or others referenced by commenters to the extent they result in policies and procedures that comply with the requirements of Rule 1001(a).
1934 See id. The commenter did not provide an estimate of the anticipated increased insurance costs for SCI entities and higher salaries for employees. The Commission acknowledges that SCI entities may incur increased insurance and personnel costs because of the potential additional liability associated with Regulation SCI, although the Commission is unable to estimate these costs given it lacks specific information regarding current personnel and insurance costs and the amount of any potential increases associated with changes in liability. The Commission also notes that many entities that fall within the definition of SCI entity could already be subject to liability for systems issues and thus may already largely be incurring these insurance and personnel costs.
1935 See FINRA Letter at 32. The estimated burden associated with the development and maintenance of policies and procedures is discussed in the Paperwork Reduction Act section above. See supra Section V.D.1.a.
1936 See FINRA Letter at 32.
1937 See ITG Letter at 7. This commenter also noted that the estimates do not adequately account for the monitoring and notification costs that would be engendered by the proposal. See id.
1938 See id.
1939 These include, for example, establishing current and future capacity planning estimates, capacity stress testing, reviewing and keeping current systems development and testing methodology, regular reviews and testing to detect vulnerabilities, testing of all SCI systems and changes to SCI systems prior to implementation, implementing a system of internal controls, implementing a plan for assessments of the functionality of SCI systems, implementing a plan of coordination and communication between regulatory and other personnel of the SCI entity, including by responsible SCI personnel, designed to detect and prevent systems compliance issues, and hiring additional staff.
1940 The Commission estimates an average range of cost for complying with the policies and procedures required by Rules 1001(a) and (b) because some SCI entities are already in compliance with some of these requirements. The Commission recognizes that, for SCI entities that do not currently comply with the policies and procedures required by Rules 1001(a) and (b), their cost of compliance may, depending on their nature, size, technology, business model, and other aspects of their business, be at the upper end of the estimated average cost range.
However, as discussed above, the Commission has specified that the stated recovery timeframes in Regulation SCI are goals, rather than inflexible requirements.1941 In addition, for some SCI entities that would have chosen to not use the proposed SCI entity safe harbor, the Commission’s adoption of non-exhaustive, general minimum elements for systems compliance policies and procedures in Rule 1001(b)(2) could increase compliance costs as compared to the proposal. Based on the foregoing, the Commission believes that it is reasonable to revise the estimate to reflect the more targeted scope and increased flexibility of the adopted regulation, as compared to the proposal, in combination with potential increased costs associated with compliance with Rules 1001(a)(2)(v) and 1001(b)(2), and new costs associated with compliance with Rule 1001(a)(2)(vii).1942 Therefore, the Commission believes that on balance overall, the costs will be reduced, and in its best judgment, each SCI entity is likely to incur an initial cost of between approximately $320,000 and $2.4 million and an ongoing annual cost of between approximately $213,600 and $1.6 million for complying with the policies and procedures required by Rules 1001(a) and (b).
However, the Commission acknowledges that its cost estimates reflect a high degree of uncertainty. As noted above, the compliance costs of Rule 1001 may depend on the complexity of SCI entities’ systems (e.g., the compliance costs will be higher for SCI entities with more complex systems). The initial compliance costs associated with Rule 1001 may also vary across SCI entities depending on the degree of current practices’ compliance with the requirements of Rule 1001. Because it is difficult to gauge the precise degree of current compliance for each SCI entity in estimating potential costs with respect to Rule 1001 at this time, the Commission is estimating a range of compliance costs above.
The Commission estimates that, in the aggregate, SCI entities will incur a total initial cost of between approximately $14 million 1943 and $106 million 1944 to comply with the policies and procedures required by Rules 1001(a) and (b). In addition, the Commission estimates that, in the aggregate, SCI entities will incur total annual ongoing cost of between approximately $9 million 1945 and $70 million.1946 These cost estimates are intended to cover the cost of complying with all substantive requirements under Rules 1001(a) and (b) other than paperwork related burdens.
The Commission acknowledges that, for SCI entities, the requirements of Rules 1001(a) and (b) could increase technology project costs, prolong the systems development lifecycle and time to market, and result in opportunity costs because of potential delays in systems innovation.1947 On the other hand, as discussed throughout this release, the Commission believes that entities that are important to the functioning of the U.S. securities markets should be required to have policies and procedures reasonably designed to ensure systems capacity, integrity, resiliency, availability, security, and compliance. Further, as discussed above in Sections IV.B.1 and IV.B.2, the Commission has focused the scope of Rules 1001(a) and (b) as compared to the SCI Proposal. Moreover, in tandem with the adoption of a definition of critical SCI systems, the Commission is making more clear that Rule 1001(a) permits SCI entities to tailor policies and procedures consistent with a risk-based approach.
1941 See supra note 504 and accompanying text.
1942 Rules 1001(a)(2)(v), 1001(a)(2)(vii), and 1001(b)(2) are discussed further below.
With respect to Rule 1001(b), the Commission is adopting non-exhaustive, general minimum elements that an SCI entity must include in its systems compliance policies and procedures.1948
1943 $320,000 × 44 SCI entities = $14.1 million.
1944 $2.4 million × 44 SCI entities = $105.6 million.
1945 $213,600 × 44 SCI entities = $9.4 million.
1946 $1.6 million × 44 SCI entities = $70.4 million.
1947 See supra note 1936 and accompanying text (discussing a commenter’s view regarding the potential economic effects of the policies and procedures requirements).
1948 See supra note 1935 and accompanying text (discussing a commenter’s views that, without clarification, the policies and procedures requirement under Regulation SCI could be burdensome).
Benefits and Qualitative Costs
Capacity, Integrity, Resiliency, Availability, and Security
Rule 1001(a)(1) requires that each SCI entity establish, maintain, and enforce written policies and procedures reasonably designed to ensure that its SCI systems and, for purposes of security standards, indirect SCI systems, have levels of capacity, integrity, resiliency, availability, and security, adequate to maintain the SCI entity’s operational capability and promote the maintenance of fair and orderly markets.
Rule 1001(a)(2)(i)–(iv) provides that an SCI entity’s policies and procedures under Rule 1001(a) must include, at a minimum: (i) The establishment of reasonable current and future technological infrastructure capacity planning estimates; (ii) periodic capacity stress tests of systems to determine their ability to process transactions in an accurate, timely, and efficient manner; (iii) a program to review and keep current systems development and testing methodology of such systems; and (iv) regular reviews and testing, as applicable, of systems, including backup systems, to identify vulnerabilities pertaining to internal and external threats, physical hazards, and natural or manmade disasters.1949 Rules 1001(a)(1) and (2)(i)–(iv) codify and expand certain provisions of the ARP Policy Statements. They also expand on the requirements under Rule 301(b)(6) of Regulation ATS for ATSs that trade NMS stocks and non-NMS stocks. In particular, under the ARP Policy Statements and through the ARP Inspection Program, ARP participants, among other things, are expected to establish current and future capacity estimates; conduct capacity stress tests; and conduct annual reviews that cover significant elements of the operations of the automation process, including the capacity planning and testing process, contingency planning, systems development methodology, and vulnerability assessments. 
Further, Rule 301(b)(6) requires certain ATSs, with respect to those systems that support order entry, order routing, order execution, transaction reporting, and trade comparison, to establish certain capacity estimates, conduct periodic capacity stress tests of critical systems, develop and implement reasonable procedures to review and keep current systems development and testing methodology, review the vulnerability of their systems and data center computer operations to specified threats, establish adequate contingency and disaster recovery plans, conduct an independent review of their systems controls annually for ensuring that Rule 301(b)(6)(ii)(A)–(E) are met and conduct a review by senior management of a report of the independent review, and promptly notify the Commission of certain systems outages and systems changes.1950
As mentioned above, Rules 1001(a)(1) and (2)(i)–(iv) codify certain aspects of the ARP Policy Statements. For SCI entities that are current participants in the ARP Inspection Program, codifying these aspects into requirements to establish policies and procedures should help ensure more robust systems that help realize the benefits of Regulation SCI discussed in Section VI.C.1.1951 In addition to the effects of the codification of aspects of the ARP Inspection Program, the Commission believes that the rules would further reduce the risk and incidences of systems issues affecting the markets by imposing requirements on entities that are not currently participating in the ARP Inspection Program, and by covering systems and events not currently within the scope of the ARP Inspection Program. For example, Rules 1001(a)(2)(i)–(iv) will help maintain robust systems at SCI entities that currently do not have the policies and procedures in place required by the rule.
1949 See Rule 1001(a)(2) and supra Section IV.B.1.
In particular, the Commission believes that, taken together, Rules 1001(a)(2)(i)–(iv) will benefit the securities markets by leading to the establishment, maintenance, and enforcement of policies and procedures that will reduce the risks and incidences of systems disruptions and systems intrusions. As noted above in Section VI.C.1, a reduction in the risk and incidences of systems issues could reduce interruptions in the price discovery process and liquidity flows.
Because current ARP participants will change their current practices to comply with Rules 1001(a)(2)(i)–(iv), the Commission recognizes that these entities will incur compliance costs that are incremental relative to the current compliance costs of the ARP Inspection Program.1952 Furthermore, SCI entities that are not currently participating in the ARP Inspection Program may incur higher initial compliance costs to meet the requirements of Rules 1001(a)(2)(i)–(iv), compared to SCI entities that are current participants of the ARP Inspection Program. The paperwork burdens are discussed in Section V, and other costs are included as part of the quantified costs estimated above related to all requirements associated with Rules 1001(a) and (b) other than paperwork burdens.1953
A few commenters discussed in detail how setting forth policies and procedures with regard to systems development could yield benefits, such as efficient pricing of securities, to markets. One commenter noted that preventing defects from entering in software construction is the most cost effective approach to quality assurance.1954 This commenter stated that it is ten times cheaper to find a defect in development than it is during systems testing, and it is one hundred times cheaper to fix a defect in development than in production (and this is not accounting for the impact on business).1955 In addition, this commenter noted that software of higher quality is cheaper to maintain and easier to enhance, and that testing schedules for low quality, large software projects are two to three times longer and more than twice as costly as testing for high quality projects.1956 According to information submitted by this commenter of large, mission critical systems across several industries, improving overall structural quality by 10 percent reduces ‘‘ticket volume’’ by over 30 percent.1957 This commenter believed that this would be an inadvertent benefit of controlling integrity at the structural level that may even compensate for the cost of other aspects of Regulation SCI.1958 Another commenter noted that the cost of a serious operational problem can rise to eight digits, and in extreme cases nine digits.1959 This commenter noted that these costs are often shared with market participants beyond the owners of the disrupted systems.1960 This commenter believed that the proposed Rule 1000(b)(1) requirements are reasonable and their cost can be balanced against the losses associated with the operational risks they address.1961
The Commission generally agrees with commenters that setting forth policies and procedures with regard to systems development could yield benefits to market participants and SCI entities, including a potential reduction in losses due to SCI events. Rule 1001(a)(2)(iii) requires SCI entities to establish a program to review and keep current systems development and testing methodology for SCI systems and, for purposes of security standards, indirect SCI systems. The Commission believes that development and testing systems are important in ensuring the reliability and resiliency of SCI systems. More reliable and resilient systems should help reduce the occurrences of SCI events and improve systems uptime for SCI entities, and thus possibly result in a reduction in losses due to SCI events. Furthermore, the Commission recognizes that the use of inadequately tested software in production could result in substantial losses to market participants if it does not function as intended. For instance, if software malfunctions, it may not route orders as intended and also could result in mispricing of securities. Additionally, if a system’s capacity thresholds are improperly estimated, it may become congested, resulting in higher indirect transaction costs due to lower execution quality (e.g., decrease in order fill rates). The Commission believes that costs associated with Rule 1001(a)(2)(iii) are appropriate in light of the reduction in losses due to SCI events and other benefits discussed throughout this Economic Analysis.
1950 See 17 CFR 242.301(b)(6)(ii).
1951 Likewise, the relocation and modification of certain requirements in Rule 301(b)(6) of Regulation ATS applicable to significant-volume ATSs that trade NMS stocks and non-NMS stocks will help ensure that SCI ATSs create and maintain policies and procedures to support robust systems. See supra note 2 and accompanying text (noting that Regulation SCI, in addition to codifying the ARP Policy Statements, also supersedes and replaces aspects of those policy statements codified in Rule 301(b)(6) under the Exchange Act for significant-volume ATSs that trade NMS stocks and non-NMS stocks).
1952 See supra Section VI.B (discussing current practices of SCI entities).
1953 See supra note 1940 and accompanying text.
1954 See CAST Letter at 10.
1955 See id.
1956 See id. (quoting Capers Jones and Olivier Bonsignour, The Economics of Software Quality (2012)).
1957 See id. at 10–11.
1958 See id. at 11.
1959 See CISQ Letter at 2.
1960 See id. at 2.
1961 See id. at 2. See also CISQ2 Letter at 6 (stating, ‘‘[t]he cost of recent outages in SCI systems easily justifies the additional effort in quality assurance. However, empirical evidence from software industry improvement programs demonstrates that the additional time added into quality assurance is more than compensated for by a reduction in rework to produce [return on investments] of 5:1 or greater’’).
Business Continuity and Disaster Recovery Plans
Rule 1001(a)(2)(v) requires SCI entities’ policies and procedures to set forth business continuity and disaster recovery plans that include maintaining backup and recovery capabilities sufficiently resilient and geographically diverse and that are reasonably designed to achieve next business day resumption of trading and two-hour resumption of critical SCI systems following a wide-scale disruption.1962 Therefore, as adopted, Rule 1001(a)(2)(v) puts an emphasis on trading and critical SCI systems with respect to resumption following a wide-scale disruption. As discussed above, the definition of critical SCI systems is intended to capture those systems that are critical to the operation of the securities markets, including systems that are potential single points of failure in the securities markets. The Commission understands that some SCI entities already have, to an extent, policies and procedures that are required by Rule 1001(a)(2)(v), while others would need to make more significant changes to their current practices.1963
Rule 1001(a), among other things, is expected to help ensure prompt resumption of all critical SCI systems, which in turn is expected to help minimize interruptions in trading and liquidity after a wide-scale disruption. In addition, in the case of a wide-scale disruption, multiple SCI entities may be affected by the same incident at the same time. Given that U.S. securities market infrastructure is concentrated in relatively few areas, such as New York City, New Jersey, and Chicago, maintaining backup and recovery capabilities that are geographically diverse could facilitate resumption in trading and critical SCI systems following wide-scale market disruptions. As discussed in detail in Section VI.C.1, the Commission expects the reduction in the occurrence of trading interruptions and the duration of trading interruptions would promote pricing efficiency, price discovery, and liquidity flows in markets.
One commenter noted that the Commission’s cost-benefit analysis in the SCI Proposal did not take into consideration the already existing industry excess capacity as backup.1964 With respect to this commenter, the Commission understands, based on staff expertise, that systems are sized to adequately handle message traffic with excess capacity under normal conditions and in those situations that moderately exceed the norm. The Commission also understands, however, that exchanges periodically receive escalated levels of message traffic due to unanticipated events and must make real-time adjustments to manage the capacity of their systems, such as queuing and/or throttling. Therefore, the Commission is not persuaded that excess capacity is a reasonable alternative to backup systems because systems may reach their capacity periodically. Also, as noted above, in the case of a wide-scale disruption, multiple SCI entities may be affected by the same incident at the same time. Given that U.S. securities market infrastructure is concentrated in relatively few areas, maintaining backup and recovery capabilities that are geographically diverse could facilitate resumption in trading and critical SCI systems following wide-scale market disruptions.
The Commission also received comments regarding the costs of maintaining geographically diverse backup facilities under proposed Rule 1000(b)(1).
1962 FINRA Rule 4370 generally requires that a FINRA member maintain a written continuity plan identifying procedures relating to an emergency or significant business disruption, which is akin to adopted Rule 1001(a)(2)(v) requiring policies and procedures for business continuity and disaster recovery plans. However, the FINRA rule does not include the requirement that the business continuity and disaster recovery plans be reasonably designed to achieve next business day resumption of trading and two-hour resumption of critical SCI systems following a wide-scale disruption, nor does it require the functional and performance testing and coordination of industry or sector-testing of such plans. See supra note 115.
1963 See infra note 1973 and accompanying text (discussing the estimated range of cost per SCI entity to comply with the policies and procedures required by Rules 1001(a) and (b)).
1964 See Angel Letter at 14.
One commenter stated that the Commission did not appropriately consider the costs and benefits of maintaining geographically diverse data centers to meet the next-day readiness requirement.1965 This commenter believed that the cost of establishing and maintaining geographically diverse data centers alone will dwarf the estimated overall compliance cost of $400,000 to $3 million.1966 This commenter estimated that the incremental all-in, five-year cost to it to relocate its backup site would be $17 million.1967 This commenter noted that the geographically diverse backup center requirement could also result in costs on members and users of the SCI entity.1968 Another commenter noted that it maintains robust redundant and backup systems that exceed regulatory requirements and provide adequate capacity, security, and resiliency for its trading operations; however, the manpower and financial capital required to maintain and staff a geographically diverse backup site would easily push its annual and recurring compliance cost beyond the higher estimates provided by the Commission.1969
The Commission notes that the potential cost for maintaining geographically diverse backup and recovery capabilities is likely less than those estimated by commenters given the scope of the adopted rule. Specifically, because Rule 1001(a)(2)(v) does not require an SCI entity to require its members or participants to use an SCI entity’s backup facility in the same way they use the primary facility (i.e., does not require members or participants to co-locate their systems at backup sites to replicate the speed and efficiency of the primary site), the requirement for geographically diverse backup systems does not mean that the backup systems are required to be identical (e.g., same speed and efficiency) to the primary facility. Nevertheless, the Commission believes it is critical that SCI entities and their designated members or participants be able to operate with the SCI entities’ backup systems in the event of a wide-scale disruption. In addition, the Commission notes that Rule 1001(a) does not specify any particular minimum distance or geographic location that would be necessary to achieve geographic diversity, although the Commission believes that backup sites should not rely on the same infrastructure components, such as for transportation, telecommunications, water supply, and electric power. Further, Regulation SCI does not require an SCI entity to have a geographically diverse backup facility so distant from the primary facility that the SCI entity may not rely primarily on the same labor pool to staff both facilities if it believed it to be appropriate.
With respect to commenters who expressed concern regarding the potential cost for maintaining geographically diverse backup and recovery capabilities, the Commission cannot estimate with confidence the precise costs for the creation of a new, geographically diverse backup facility, given the wide range of message traffic that various exchanges, ATSs, and other entities receive and the reasonable flexibility in the design of the backup facility.
1965 See ISE Letter at 12. See also FIF Letter at 3.
1966 See ISE Letter at 12.
1967 See id.
1968 See id. The cost to members or participants of SCI entities in connection with business continuity and disaster recovery plan testing is discussed in Section VI.C.2.b.vii below.
1969 See ITG Letter at 7–8.
Given that Rule 1001(a)(2)(v) does not require an SCI entity to require its members or participants to use an SCI entity’s backup facility in the same way they use the primary facility, however, the Commission believes that the upper bound of building a new backup facility is equal to the cost of building a new primary facility. Given the Commission’s response to commenters’ concerns regarding the requirement to maintain geographically diverse backup and recovery capabilities, and the degree of flexibility within Regulation SCI to determine the precise nature and location of its backup site,1970 the Commission believes that the commenter’s estimate of $17 million over five years (or $3.4 million per year),1971 is high. Based on the Commission’s best judgment, including taking into account Commission staff experience with SCI entities that have invested in geographically diverse backup facilities in recent years, the Commission believes that the average cost is more likely to be approximately $1.5 million annually for an SCI entity (that does not already have geographically diverse backup facilities). Nevertheless, even were the costs to be at the upper amount suggested by the commenter, the Commission believes the costs are appropriate given that individual SCI entity resilience is fundamental to achieving the goal of improving U.S. securities market infrastructure resilience.1972
The Commission recognizes that SCI entities may encounter significantly different costs in complying with the geographic diversity requirement underlying Rule 1001(a)(2)(v). As noted in Section VI.B.2, nearly all national securities exchanges already have backup facilities that do not rely on the same infrastructure components as those used by their primary facility.
1970 See supra notes 541–544 and accompanying text.
For those national securities exchanges that do not have such backup facilities, the cost to build such backup facilities will result in higher initial compliance costs than for national securities exchanges that do. For other SCI entities (e.g., some SCI ATSs), the compliance costs to meet the geographic diversity requirement would depend on the nature, size, technology, business model, and other aspects of their business.1973 Because SCI entities may encounter significantly different costs in complying with the geographic diversity requirement, the Commission believes that the initial compliance costs could have impact on competition among SCI entities.
The requirement to have policies and procedure to meet a goal of next day resumption in trading and two-hour resumption in critical SCI systems will impose compliance costs for SCI entities. The Interagency White Paper sets forth sound practices for core clearing and settlement organizations and firms that play significant roles in critical financial markets,1974 and the 2003 BCP Policy Statement discusses the resumption of certain trading markets following a wide-scale disruption.1975 As noted in Section VI.B.1, the Commission believes that SCI entities currently use an array of measures to restore systems when disruptions occur.
1971 See supra note 1967 and accompanying text.
1972 See supra notes 499–544 and accompanying text.
1973 The Commission notes that its average estimated range of initial cost of approximately $320,000 to $2.4 million per SCI entity to comply with Rules 1001(a) and (b), other than paperwork burdens, includes the cost to build and maintain a geographically diverse backup facility. The Commission estimates that the costs for SCI entities that do not currently have a geographically diverse backup facility would be at the higher end of this range.
However, the two-hour resumption goal for all critical SCI systems differs from the goals set forth in the Interagency White Paper insofar as the goal for Regulation SCI applies to critical SCI systems generally.1976 To this extent, Rule 1001(a)(2)(v) would impose additional costs for SCI entities that currently have practices that are consistent with the Interagency White Paper for clearance and settlement systems but not all critical SCI systems. The next business day resumption goal for certain trading markets set forth in the 2003 BCP Policy Statement is consistent with the resumption goal for trading in Rule 1001(a)(2)(v). For some SCI entities that do not have policies and procedures with respect to critical SCI systems consistent with the Interagency White Paper and the 2003 BCP Policy Statement, the Commission believes that the initial compliance costs associated with establishing policies and procedures with respect to next day resumption in trading and two-hour resumption in all critical SCI systems would be larger than those that do. The costs associated with designing and modifying policies and procedures with respect to systems resumption requirements are included in the costs related to paperwork burdens in Section V. Furthermore, as discussed in Section VI.C.1, the Commission believes that the systems resumption requirements of Rule 1001(a)(2)(v) will have an impact on competition among SCI entities in part because the associated initial compliance costs will be different among SCI entities.
1974 According to the Interagency White Paper, core clearing and settlement organizations should develop the capacity to recover and resume clearing and settlement activities within the business day on which the disruption occurs with the overall goal of achieving recovery and resumption within two hours after an event. See Interagency White Paper, supra note 504, at 17812.
1975 The 2003 BCP Policy Statement states that each SRO market and ECN should have a business continuity plan that anticipates the resumption of trading, in the securities traded by that market, no later than the next business day following a wide-scale disruption. See 2003 BCP Policy Statement, supra note 504, at 56658.
1976 See supra Section IV.A.2.c (discussing the definition of critical SCI systems) and supra Section IV.B.1 (discussing the Commission’s rationale for applying the two hour recovery goal to critical SCI systems generally instead of clearance and settlement services specifically).
Market Data
Rule 1001(a)(2)(vi) provides that an SCI entity’s policies and procedures must include standards that result in systems being designed, developed, tested, maintained, operated, and surveilled in a manner that facilitates the successful collection, processing, and dissemination of market data.1977 Unlike the other provisions of Rule 1001(a)(2) discussed above, Rule 1001(a)(2)(vi) is not addressed in Regulation ATS or the ARP Policy Statements. The Commission believes that Rule 1001(a)(2)(vi) should help ensure that timely and accurate market data is available to all market participants. Given that market participants rely on consolidated market data in a variety of ways, including making markets, formulating trading algorithms, and placing orders, the Commission believes that this is an important benefit of Regulation SCI, although the Commission recognizes that SCI entities currently already take measures to facilitate the successful collection, processing, and dissemination of market data. As discussed in Section VI.C.1, the Commission believes that the further improvements in timeliness and accuracy of market data would help further ensure pricing efficiencies and uninterrupted liquidity flows in markets.
As Rule 1001(a)(2)(vi) will be a new requirement for SCI entities, it will impose incremental compliance costs on SCI entities in setting aside additional resources to satisfy the requirements of the rule. These costs are included as part of the quantified costs estimated above related to all requirements underlying Rules 1001(a) and (b) other than paperwork burdens.1978
1977 See Rule 1001(a)(2) and supra Section IV.B.1.
1978 See supra note 1940 and accompanying text.
Monitoring
Rule 1001(a)(2)(vii) provides that an SCI entity’s policies and procedures must include monitoring of systems to identify potential SCI events. Rule 1001(a)(2)(vii) imposes a new requirement that is not addressed in Regulation ATS or the ARP Policy Statements. The Commission believes that SCI entities, particularly those that participate in the ARP Inspection Program, already monitor their systems in order to identify potential systems issues. Nevertheless, by defining ‘‘SCI event’’ and requiring policies and procedures for monitoring systems to identify potential SCI events, the Commission believes that Rule 1001(a)(2)(vii) should further help ensure that SCI entities identify potential SCI events, which could allow them to prevent some SCI events from occurring or to take timely appropriate corrective action after the occurrence of SCI events. As discussed above, the Commission believes the reduction in the occurrence of SCI events or the reduction in the duration of SCI events that disrupt markets would reduce pricing inefficiencies and promote price discovery and liquidity.
Although the Commission believes that SCI entities already monitor their systems in order to identify potential systems issues, the Commission believes that SCI entities will have to allocate additional resources to comply with the requirements of Rule 1001(a)(2)(vii), including potentially hiring additional staff, and thus will incur costs. These costs are included as part of the quantified costs estimated above related to all requirements underlying Rules 1001(a) and (b) other than paperwork burdens.
Current SCI Industry Standards
Rule 1001(a)(4) deems an SCI entity’s policies and procedures under Rule 1001(a) to be reasonably designed if they are consistent with current SCI industry standards.1979 However, Rule 1001(a)(4) specifically states that compliance with current SCI industry standards is not the exclusive means to comply with the requirements of Rule 1001(a). Therefore, as adopted, Rule 1001(a)(4) provides flexibility to allow each SCI entity to determine how to best meet the requirements in Rule 1001(a), taking into account, for example, its nature, size, technology, business model, and other aspects of its business. Thus, Rule 1001(a)(4) allows SCI entities to choose the technology standards that best fit with their business, promoting efficiency. Furthermore, as discussed in Section IV.B.1, staff guidance lists examples of publications describing processes, guidelines, frameworks, or standards for an SCI entity to consider looking to in developing reasonable policies and procedures under Rule 1001(a). The reference to the publications which the staff may include, and which the Commission believes should be general and flexible enough to be compatible with many widely-recognized technology standards, will help SCI entities to implement and comply with Regulation SCI.1980
1979 Current SCI industry standards are required to be comprised of information technology practices that are widely available to information technology professionals in the financial sector and issued by an authoritative body that is a U.S. governmental entity or agency, association of U.S. governmental entities or agencies, or widely recognized organization. See Rule 1001(a)(4).
Some commenters expressed concern that SCI entities would closely adhere to the publications listed in Table A rather than take advantage of the flexibility built into the proposed rule out of concern that, if they did not, they would expose themselves to potential regulatory action for failure to comply with Regulation SCI.1981 As discussed above in Section IV.B.1, Rule 1001(a) allows for flexibility in choosing standards or guidelines when an SCI entity is designing policies and procedures required by that rule. Moreover, the staff guidance lists examples of publications describing processes, guidelines, frameworks, or standards for an SCI entity to consider looking to in developing reasonable policies and procedures under Rule 1001(a). As noted in Section IV.B.1, the Commission understands that many SCI entities are already following other technology standards, such as ISO 27000 and COBIT. The staff guidance would not preclude SCI entities from adhering to standards such as ISO 27000, COBIT, or others, to the extent they result in policies and procedures that comply with the requirements of Rule 1001(a).1982 Because there is no requirement for SCI entities to follow the publications listed as staff guidance, there is no separate compliance cost associated with the staff guidance in addition to the cost of complying with Rule 1001(a). As discussed throughout this section, the Commission recognizes that, in general, there will be costs associated with designing policies and procedures required by Rule 1001(a).
Such costs to SCI entities that already set forth their policies and procedures based on industry standards, or that follow the publications listed in the staff guidance or comparable publications as a guide, would be minimal. On the other hand, other SCI entities that decide to modify their policies and procedures and those that do not have such policies and procedures in place may incur greater costs in designing policies and procedures required by Rule 1001(a). The costs associated with modifying and designing policies and procedures are included in the costs related to paperwork burdens in Section V.
1980 See supra Section IV.B.1.b (discussing the role of staff guidance on current SCI industry standards).
1981 See, e.g., MSRB Letter at 11; Angel Letter at 8; BATS Letter at 6; and NYSE Letter at 20–21.
1982 Likewise, the staff guidance would not preclude an SCI entity from adopting a derivative of multiple standards, and/or customizing one or more standards for the particular system at issue. In assessing whether an SCI entity’s use of such an approach in designing its policies and procedures would be ‘‘deemed’’ to be reasonably designed, the Commission’s inquiry would be into whether its policies and procedures were consistent with standards meeting the criteria in adopted Rule 1001(a)(4).
Systems Compliance
Rule 1001(b)(1) requires each SCI entity to establish, maintain, and enforce written policies and procedures reasonably designed to ensure that its SCI systems operate in a manner that complies with the Exchange Act and the rules and regulations thereunder, and the entity’s rules and governing documents, as applicable.
Rule 1001(b)(2)(i)–(iv) provides that an SCI entity’s policies and procedures under Rule 1001(b)(1) must include, at a minimum: (i) Testing of all SCI systems and any changes to SCI systems prior to implementation; (ii) a system of internal controls over changes to SCI systems; (iii) a plan for assessments of the functionality of SCI systems designed to detect systems compliance issues, including by responsible SCI personnel and by personnel familiar with applicable provisions of the Act and the rules and regulations thereunder and the SCI entity’s rules and governing documents; and (iv) a plan of coordination and communication between regulatory and other personnel of the SCI entity, including by responsible SCI personnel, regarding SCI systems design, changes, testing, and controls designed to detect and prevent systems compliance issues. The Commission recognizes that SCI entities currently take varying measures to ensure that their systems operate in a manner that complies with relevant laws and rules. These practices at SCI entities may include escalating a compliance issue upon discovery, including legal and compliance personnel in the review of systems changes, and periodically reviewing rulebooks. The Commission believes that Rule 1001(b) should help to ensure that SCI entities operate their SCI systems in compliance with the Exchange Act and relevant rules and should help to reduce the occurrence of systems compliance issues. For example, the tests under Rule 1001(b)(2)(i) should help SCI entities to identify potential compliance issues before new systems or systems changes are implemented; the internal controls under Rule 1001(b)(2)(ii) should help to ensure that SCI entities remain vigilant against compliance issues when changing their systems and resolve potential compliance issues before the changes are implemented; and the systems assessment plans under Rule 1001(b)(2)(iii) and the coordination and communication plans under Rule 1001(b)(2)(iv) should help technology, regulatory, and other relevant personnel (including responsible SCI personnel) of SCI entities to work together to prevent compliance issues, and to promptly identify and address compliance issues if they occur. To the extent that compliance with Rule 1001(b) reduces the occurrence of systems compliance issues, Rule 1001(b) should help ensure investor protection. Because SCI entities will need to allocate their resources towards establishing, maintaining, and enforcing policies and procedures with regard to systems compliance, Rule 1001(b) will impose compliance costs on SCI entities. These costs are included as part of the quantified costs estimated above related to all requirements underlying Rules 1001(a) and (b) other than paperwork burdens.1983
One commenter suggested that the Commission follow the Federal Aviation Administration’s and NASA’s approach, where, according to this commenter, individuals are encouraged to report safety issues and penalties are waived where there is self-reporting.1984 As discussed above in Section IV.B.2.b, the Commission is not persuaded that it would be appropriate to provide a safe harbor for all problems that are self-reported by SCI entities and individuals because the Commission is not persuaded that the suggested self-report safe harbor will effectively further the intent of Regulation SCI.1985 The extent to which regulators’ reporting rules offer safe harbor protection is determined by particular circumstances and regulatory objectives. For purposes of Regulation SCI, a blanket safe harbor provision of the type proposed by the commenter would reduce incentives for SCI entities to take the proactive actions required to ensure the compliance of their SCI systems and, thus, could undermine the benefits of Regulation SCI discussed in Section IV.C.1.
1983 See supra note 1940 and accompanying text. However, the costs associated with establishing and maintaining policies and procedures are included in the costs related to paperwork burdens in Section V.
1984 See Angel Letter at 3–4. This commenter also stated that, in the SCI Proposal, the Commission did not analyze how other government regulatory agencies in the U.S. and elsewhere address technology risks (e.g., in the aviation, nuclear power, electricity, telecommunications, medical, and banking sectors). See Angel Letter at 3 and 15. The Commission notes that, in considering the adoption of Regulation SCI, it has considered some of the current practices in other industries, such as those discussed by panelists at the Technology Roundtable (e.g., aviation, nuclear power). See supra note 15 and Transcript of the Technology Roundtable, at 42–45.
1985 The Commission notes that, in addition to dealing with a different problem in different industries, the ‘‘waiving of penalties’’ cited by the commenter has limitations (e.g., the ASRS system cited by the comment suspends safe harbor protection for repeat violators and does not offer safe harbor for certain types of violations). Safe harbor protection for self-reporters may be appropriate in some circumstances. However, the Commission believes that in the specific context of Regulation SCI, such safe harbor protections would not further the intent of the regulation.
Responsible SCI Personnel
Rule 1001(c) requires an SCI entity to establish, maintain, and enforce reasonably designed written policies and procedures that include the criteria for identifying responsible SCI personnel, the designation and documentation of responsible SCI personnel, and escalation procedures to quickly inform responsible SCI personnel of potential SCI events. Rule 1001(c) imposes a requirement that is not addressed in Regulation ATS or the ARP Policy Statements.
The Commission believes that requiring policies and procedures to identify and designate responsible SCI personnel and to establish escalation procedures to quickly inform responsible SCI personnel of potential SCI events should help to effectively alert responsible SCI personnel of potential SCI events, in order for such personnel to determine whether an SCI event has occurred so that any appropriate actions can be taken in accordance with the requirements of Regulation SCI without unnecessary delay. As such, Rule 1001(c) should help reduce the duration of SCI events as SCI entities should become aware of potential SCI events and take appropriate corrective actions more quickly. The reduction in the duration of SCI events would benefit markets as it would promote pricing efficiency and price discovery as discussed in Section VI.C.1. The Commission believes that the costs associated with Rule 1001(c) are attributed to paperwork burdens, which are discussed in Section V.D.1.a above.1986 The Commission does not believe that Rule 1001(c) will impose significant other costs on SCI entities because these entities already identify and designate responsible SCI personnel and have escalation procedures.1987
1986 When monetized, the paperwork burden would result in approximately $1.7 million initially and $611,000 annually for all SCI entities in the aggregate.
1987 As noted above, several commenters emphasized the importance of escalation procedures at SCI entities, pursuant to which technology staff or junior employees could assess a systems problem and escalate the issue up the chain of command to management as well as legal and/or compliance personnel. See supra note 740 and accompanying text.
Periodic Review
Rules 1001(a)(3), (b)(3), and (c)(2) require each SCI entity to periodically review the effectiveness of the policies and procedures required under Rules 1001(a), (b), and (c), respectively, and to take prompt action to remedy deficiencies in such policies and procedures. Regulation ATS and the ARP Policy Statements do not explicitly address the periodic review of policies and procedures and remediation of deficient policies and procedures. The Commission believes that requiring periodic review of the policies and procedures and remedial actions to address any deficiencies in the policies and procedures will help to ensure that SCI entities maintain robust policies and procedures and update them when necessary so that the benefits of Rules 1001(a), (b), and (c) should continue to be realized. As such, the Commission believes that Rules 1001(a)(3), (b)(3), and (c)(2) will help realize the benefits of Regulation SCI, and would facilitate price discovery and liquidity flow, as discussed in Section VI.C.1. These requirements, however, will impose costs on SCI entities because they will have to use resources to review the policies and procedures required by Rules 1001(a), (b), and (c) beyond the resources currently expended for this purpose or will have to take more prompt remedial action to remedy any identified deficiencies. The Commission expects that these costs generally will arise following an SCI entity’s periodic review of the effectiveness of its policies and procedures and as a result of SCI events.
The Commission believes that the costs associated with the review and update requirements are attributed to paperwork burdens, which are discussed in Section V.D.1.a above.1988 However, the Commission recognizes that, if an SCI entity takes prompt or unplanned remedial action following the discovery of deficiencies in its policies and procedures, this may result in indirect costs (i.e., opportunity costs) to SCI entities because they may need to delay or shift their resources away from profitable projects and reallocate their resources towards taking prompt or unplanned remedial actions required by the rules. However, it is difficult to assess such indirect costs imposed on SCI entities because the Commission lacks information necessary to provide a reasonable estimate. For example, the Commission does not have comprehensive and detailed information on the value of the potential forgone projects of SCI entities.
1988 As noted in Section V.D.1.a above, the paperwork burden related to the review of the policies and procedures is included in the estimated annual ongoing burden of Rules 1001(a), (b), and (c).
ii. Corrective Action—Rule 1002(a)
Rule 1002(a) requires an SCI entity to begin to take appropriate corrective action upon any responsible SCI personnel having a reasonable basis to conclude that an SCI event has occurred. Rule 1002(a) also requires corrective action to include, at a minimum, mitigating potential harm to investors and market integrity resulting from the SCI event and devoting adequate resources to remedy the SCI event as soon as reasonably practicable.
Thus, it would not be appropriate for an SCI entity to unnecessarily delay the start of corrective action once its responsible SCI personnel have a reasonable basis to conclude that an SCI event has occurred, and the SCI entity would be required to focus on mitigating potential harm to investors and market integrity resulting from the SCI event and devoting adequate resources to remedy the SCI event as soon as reasonably practicable. The Commission believes that SCI entities already have a variety of procedures in place to take corrective actions when system issues occur. However, Rule 1002(a) will likely require modifications to those existing practices in part because the rule specifies the timing and enumerates certain goals for corrective action.1989 The Commission believes that the corrective action requirement will reduce the length of systems disruptions, systems compliance issues, and systems intrusions, and thus, as noted in Section VI.C.1, reduce the negative effects of those interruptions on the SCI entity and market participants. Additionally, to the extent that corrective action could involve wide-scale systems upgrades, some SCI entities may potentially seek to accelerate capital expenditures, for example, by updating their systems with newer technology earlier than they might have otherwise to comply with Regulation SCI. As such, Rule 1002(a) could further help ensure that SCI entities invest sufficient resources as soon as reasonably practicable to address systems issues. 
The Commission recognizes that Rule 1002(a) may require SCI entities to undertake corrective action sooner and/or to increase investments in newer and more updated systems earlier than they might have otherwise. The Commission thus believes that Rule 1002(a) could impose modestly higher costs for SCI entities in responding to SCI events relative to their current practice.1990 But, given the wide variety of current practices, the Commission is unable to estimate the incremental costs associated with the required changes. Furthermore, if Regulation SCI reduces the frequency and severity of SCI events in the future, the cost of corrective action could similarly decline over time. However, the Commission cannot estimate these costs because the degree to which Regulation SCI will reduce the frequency and severity of SCI events is unknown.
1989 For example, although the Commission believes that market participants already take corrective actions when system issues occur, currently, when taking corrective action, market participants may not always focus on mitigating potential harm to investors and market integrity or devoting adequate resources to remedy the issues as soon as reasonably practicable, as SCI entities are required to do under Rule 1002(a).
The Commission also believes that, if an SCI entity takes corrective action sooner than they might have without the requirements of Regulation SCI, this may impose indirect costs (i.e., opportunity costs) to SCI entities because they may have to delay or reallocate their resources away from profitable projects and direct their resources toward taking corrective action required by the rule. However, the Commission acknowledges that it is difficult to assess such indirect costs imposed on SCI entities. For instance, the Commission does not have comprehensive and detailed information on the value of the potential foregone projects of SCI entities.
Consequently, the Commission is, at this time, unable to estimate the costs of Rule 1002(a) of Regulation SCI because the Commission lacks information necessary to provide a reasonable cost estimate.
Several commenters stated that the requirements of proposed Rule 1000(b)(3) put too great an emphasis on immediate corrective action at the expense of thoroughly analyzing the SCI event and its cause, considering potential remedies, and/or acting in accordance with internal policies and procedures before committing to a plan to take corrective action.1991 Partly in response to this concern, the Commission has modified the rule as adopted from the proposal. The Commission agrees that an SCI entity should be given appropriate time to perform an initial analysis and preliminary investigation into a potential systems issue before the corrective obligations are triggered. If a corrective action were to be applied without such analysis or investigation, then the impact of an SCI event could persist, exacerbating or prolonging its negative effects on markets and market participants. The Commission notes that Rule 1002(a) does not use the term ‘‘immediate.’’ Rather, Rule 1002(a) requires that corrective action be taken ‘‘as soon as reasonably practicable’’ once the triggering standard has been met.
1990 See also MSRB Letter at 32 (commenting that under most circumstances, any increased cost due to proposed Rule 1000(b)(3) would be modest since corrective action normally would already be taken).
1991 See SIFMA Letter at 3; OCC Letter at 14; Joint SROs Letter at 11; LiquidPoint Letter at 4; DTCC Letter at 10; and Direct Edge Letter at 7.
The Commission believes that, because the facts and circumstances of each specific SCI event will be different, this standard would help ensure that an SCI entity takes necessary corrective action soon after an SCI event, but not without sufficient time to first consider what is the appropriate action to remedy the SCI event in a particular situation and how such corrective action should be implemented.1992
iii. Commission Notification—Rule 1002(b)
As discussed above in Section IV.B.3.c, Rule 1002(b) requires SCI entities to provide notifications to the Commission regarding SCI events. Specifically, upon any responsible SCI personnel having a reasonable basis to conclude that an SCI event has occurred, an SCI entity is required to notify the Commission of the SCI event immediately. Within 24 hours of any responsible SCI personnel having a reasonable basis to conclude that an SCI event has occurred, an SCI entity is required to submit a more detailed written notification, on a good faith, best efforts basis, pertaining to the SCI event. Until such time as the SCI event is resolved and the SCI entity’s investigation of the SCI event is closed, the SCI entity is required to provide updates regularly, or at such frequency as requested by a representative of the Commission. The SCI entity is also required to submit a detailed final written notification after the SCI event is resolved and the SCI entity’s investigation of the event is closed (and an additional interim written notification, if the SCI event is not resolved or the investigation is not closed within a specified period of time). Finally, SCI entities are required to notify the Commission of information regarding de minimis systems disruptions and de minimis systems intrusions on a quarterly basis.
1992 See also supra Section IV.B.3.a (discussing in more detail the triggering standard for corrective action, Commission notification, and information dissemination) and Section IV.B.3.b (discussing the corrective action requirement).
The Commission believes that most, if not all, major systems incidents are reported by ARP entities to the Commission and that many ‘‘de minimis’’ systems issues are documented internally by SCI entities as part of their incident management systems. For those entities that do not participate in the ARP Inspection Program, the Commission also believes that some internal documentation of systems incidents exists. In addition, the Commission notes that some SCI entities currently notify the Commission of certain systems compliance issues. Rule 1002(b) will apply to more entities (e.g., some SCI ATSs), more systems (e.g., market regulation and market surveillance systems, additional market data systems), and more types of systems issues (e.g., systems compliance issues) than the ARP Policy Statements, and also require more detailed reporting to the Commission.1993 The Commission believes that Rule 1002(b) will enhance the effectiveness of Commission oversight of the operation of SCI entities.
For example, one commenter suggested that SCI events notification results in greater transparency for the Commission, with multiple benefits, including ensuring that the Commission has a view into problems at particular SCI entities for regulatory purposes as well as perspective on the effect of a single problem to the market at-large.1994 Further, the Commission believes that providing written notifications to the Commission could help prevent systems failures from being dismissed as momentary issues, because notification would help focus the SCI entity’s attention on the issue and encourage allocation of SCI entity resources to resolve the issue as soon as reasonably practicable.
As noted in Section IV.B.3.c, the Commission received comment letters that discuss the resource and efficiency demands of the Commission notification requirement.1995 Some commenters expressed concern that SCI entities may feel compelled to characterize and report a greater number of systems anomalies as disruptions to comply with Regulation SCI,1996 and that the proposal would result in SCI entities having ‘‘shadow staff’’ on hand solely for reporting SCI events so as to not divert staff away from working to resolve SCI events.1997 While the Commission is adopting the definitions of systems disruptions, systems compliance issues, and systems intrusions, and providing discussions of these definitions in this release, the Commission acknowledges that some SCI entities could be overly cautious in seeking to be in compliance with Regulation SCI and therefore over-report systems issues to the Commission.
1993 See supra Section IV.B.3.c (discussing in detail the requirements of Rule 1002(b)).
1994 See Lauer Letter at 8.
1995 See, e.g., UBS Letter at 3; Omgeo Letter at 16; MSRB Letter at 19; OCC Letter at 14; SunGard Letter at 5; Joint SROs Letter at 7; and NYSE Letter at 22.
1996 See Joint SROs Letter at 9–10.
1997 See FINRA Letter at 19.
Furthermore, the Commission notes that some SCI entities currently notify the Commission of systems related issues under the ARP Inspection Program or as part of their current business practice, but the Commission believes that SCI entities will have to allocate additional resources to meet the Commission notification requirement. Although the estimated cost to comply with the adopted notification provisions is greater than the estimate in the SCI Proposal, the Commission is not persuaded that the adopted rule, with its more targeted scope, will require SCI entities to have a ‘‘shadow staff’’ on hand solely for reporting SCI events. As discussed in Section IV.B.3.c, the Commission believes that concerns with respect to resource demands regarding the Commission notification requirements have been substantially mitigated by the numerous changes from the proposal, such as the adoption of a quarterly reporting framework for de minimis systems disruptions and de minimis systems intrusions; the adoption of an exception from the Commission notification requirements for de minimis systems compliance issues; the revised definitions of SCI systems, indirect SCI systems, systems disruption, and systems compliance issue; and the reduction in the obligations SCI entities have with respect to reporting requirements. In addition, the Commission is not persuaded that the burden of the Commission notification requirement will significantly reduce SCI entities’ ability to adequately respond to SCI events. It is the Commission’s experience that the staff engaging in corrective action to resolve an SCI event is generally distinct from the staff that has been charged with notifying the Commission of systems issues. 
The compliance costs associated with Rule 1002(b) are attributed to the paperwork burden of Commission notifications of SCI events, including recordkeeping and submission of quarterly reports with respect to de minimis SCI events, as applicable.1998 As discussed in the PRA, with respect to SCI events that are not de minimis, the Commission has estimated the total annual hourly burden to comply with Rules 1002(b)(1)–(4) to be 125,180 hours for all SCI entities (monetized to be approximately $40 million), or 2,845 hours per SCI entity.1999 This estimate is greater than that estimated in the SCI Proposal (which estimate was 58,080 hours for all SCI entities, or 1,320 hours per SCI entity to comply with proposed Rules 1000(b)(4)(i)–(iii)). As more fully explained in the PRA, the Commission has increased its estimate to comply with the Commission notification provisions in Rules 1002(b)(1)–(4), notwithstanding the more targeted scope of the adopted rule, as compared to the proposed rule. These increased estimates are in response to comment that the estimates in the SCI Proposal were too low, particularly with respect to the time necessary for an SCI entity to prepare, review, and submit the required notifications.2000 In addition, for Rule 1002(b)(5), which requires recordkeeping of all de minimis SCI events and quarterly reporting of de minimis systems disruptions and de minimis systems intrusions, the Commission has estimated a total of 7,040 hours for all SCI entities (monetized to be approximately $2 million), or 160 hours per SCI entity, for Commission notification.
1998 When monetized, the paperwork burden would result in approximately $42 million, in addition to approximately $2 million in outsourcing cost, annually for all SCI entities in the aggregate.
The number of SCI events (de minimis and otherwise), and the burdens to comply with notification requirements will likely vary among individual SCI entities, based on the nature of their business, technology, and the relative criticality of each of their SCI systems. In addition, the Commission believes that most, if not all, SCI entities already have some internal procedures for determining the severity of a systems issue. Nevertheless, to the extent that an SCI entity must determine whether an SCI event is a de minimis SCI event, Rule 1002(b) may impose one-time implementation costs on SCI entities associated with developing a process for ensuring that they are able to quickly and correctly make such determinations, as well as ongoing costs in reviewing the adopted process. The initial and ongoing burden associated with identifying certain systems and SCI events is discussed in Section V.D.3.b.2001
1999 See supra Section V.D.2.a (discussing the Commission’s estimate of the hours required to comply with Rule 1002(b)).
2000 See id.
2001 When monetized, the paperwork burden would result in approximately $1.1 million initially and $413,000 annually for all ARP entities in the aggregate, and approximately $885,000 initially and $292,000 annually for all non-ARP entities in the aggregate. These estimates include the identification of critical SCI systems, major SCI events, and de minimis SCI events.
Proposed Rule 1000(b)(4) did not distinguish de minimis SCI events from other SCI events in terms of the timing or type of Commission notifications. The Commission believes that the adopted quarterly Commission reporting requirement for de minimis systems disruptions and de minimis systems intrusions, and the exception from the Commission reporting requirement for de minimis systems compliance issues, will reduce costs related to Commission reporting (as compared to the costs of complying with the proposed Commission notification requirements) for SCI entities, and could facilitate more efficient allocation of SCI entities’ resources toward more significant systems issues because de minimis SCI events would be subject to a recordkeeping requirement and de minimis systems disruptions and de minimis systems intrusions would be subject to a quarterly reporting requirement, rather than a requirement to report such events to the Commission more immediately. As de minimis SCI events are defined to have no or a de minimis impact on the SCI entity’s operations or on market participants, the Commission believes that the recordkeeping requirement and quarterly reporting requirement, as applicable, will allow both the SCI entity and its personnel, as well as the Commission and its staff, to focus more of their attention and resources on other, more significant SCI events. Moreover, the quarterly Commission notification requirement for de minimis systems disruptions and de minimis systems intrusions will help SCI entities and the Commission to gather information on the nature, types, and frequency of de minimis SCI events and, thus, help identify potential weaknesses in systems across SCI entities and Commission’s ability to monitor market events. The Commission believes that the quarterly reporting requirement for de minimis systems disruptions and de minimis systems intrusions balances the interest of SCI entities in having a limited reporting burden for de minimis systems disruptions and de minimis systems intrusions with the Commission’s interest in oversight of the information technology programs of SCI entities.
Furthermore, proposed Rule 1000(b)(4)(iii) would have required an SCI entity to submit written updates pertaining to an SCI event until the SCI event is resolved. The Commission has revised the update requirement from the proposal in adopted Rule 1002(b)(3) so that the submission of updates may be provided either orally or in written form.2002 This revision should reduce costs as compared to proposed Rule 1000(b)(4) by providing flexibility to SCI entities and because oral notifications will likely result in a lower burden than written notifications. The Commission has also modified the 24-hour written notification requirement in adopted Rule 1002(b) to make clear that the written notification provided within 24 hours be submitted on a good faith, best effort basis. Compared to the proposed rule, the Commission believes the adopted rules will help provide certainty to SCI entities that they will not be accountable for unintentional inaccuracies or omissions contained in these submissions. The ‘‘best efforts’’ standard will also help to ensure that SCI entities will make a diligent and timely attempt to provide all the information required by the written notification requirement, thus permitting the Commission to effectively monitor SCI events. As discussed in Section IV.B.3.c, with respect to submitting final written notifications, proposed Rule 1000(b)(4)(ii) would have required the submission of the information required to be included in the final written notification within a shorter time frame. By requiring that the final written notification be submitted after resolution of an SCI event, the Commission believes that the adopted rule will encourage SCI entities to allocate their resources efficiently in resolving the SCI event.
One commenter expressed concern that, without a safe harbor and a guarantee of immunity, the disclosures to the Commission required under Regulation SCI would provide a roadmap for litigation against non-SRO entities.2003 As discussed in Section IV.B.2.b, the occurrence of a systems compliance issue does not necessarily mean that the SCI entity will be subject to an enforcement action. Rather, the Commission will exercise its discretion to initiate an enforcement action if the Commission determines that action is warranted, based on the particular facts and circumstances of an individual situation. Moreover, the Commission recognizes that compliance with Regulation SCI will increase the amount of information about SCI events available to the Commission and SCI entities’ members and participants, and that the greater availability of this information has some potential to increase litigation risks for SCI entities, including the risk of private civil litigation. Commenters did not provide estimates of potential litigation costs and Commission staff were unable to find readily-available public information from which to estimate specific costs of possible litigation associated with the increased information available about SCI events, but based on staff experience, depending on the complexity, scope, and length of the litigation, the costs to defend an individual case could be quite significant.
2002 See supra Section IV.B.3.c.
2003 See OTC Markets Letter at 15–16 (stating that ‘‘entities that do not have SRO immunity, such as ATSs, may be subject to liability based on information reported under Reg. SCI’s Rule 1000(b)(4)(iv) . . . [w]ithout a safe harbor and a guarantee of immunity, this kind of disclosure provides a roadmap for litigation against non-SRO SCI entities’’). See also FIF Letter at 5.
The Commission notes, however, that it is not clear that the incremental increase in costs due to Regulation SCI will be significant in the aggregate. Regulation SCI does not alter the elements of any available private cause of action, and the elements of such actions are likely to limit the potential for recovery. Moreover, to the extent members and participants suffer damages when SCI events occur, SCI entities are already subject to litigation risk. As an alternative to the adopted rule, some commenters suggested that nonmaterial systems intrusions not be reported to the Commission at all, and only be recorded by the SCI entity to reduce the instances in which notice of systems intrusions would be required.2004 The Commission continues to believe that reporting intrusions in SCI systems and indirect SCI systems will help the Commission and its staff to detect patterns or understand trends over time and the nature of systems intrusions that may be occurring at multiple SCI entities and, thus, help ensure effective Commission oversight. As discussed in Section IV.B.3.c in detail, to reduce the burden associated with the Commission notification requirement, the Commission established separate reporting requirements (e.g., quarterly reporting) for de minimis systems disruptions and de minimis systems intrusions and provided an exception from the Commission reporting requirement for de minimis systems compliance issues.
2004 See Omgeo Letter at 12; and DTCC Letter at 8.
iv. Information Dissemination—Rule 1002(c)
Rule 1002(c) requires an SCI entity to disseminate information regarding certain major SCI events to all of its members or participants and certain other SCI events to affected members or participants.
Specifically, promptly after any responsible SCI personnel having a reasonable basis to conclude that an SCI event has occurred, an SCI entity is required to disseminate certain information regarding the SCI event. When certain additional information becomes known, the SCI entity is required to promptly disseminate such information. Until the SCI event is resolved, the SCI entity is required to provide regular updates on the required information.2005 As adopted, the information dissemination requirement does not apply to SCI events to the extent they relate to market regulation or market surveillance systems and de minimis SCI events. Rule 1002(c) imposes new requirements that are not currently part of the ARP Inspection Program. However, some entities currently provide their members or participants and, in some cases, market participants or the public more generally, with notices of systems issues. As discussed in Section IV.B.3.d, a major SCI event is defined to mean an SCI event that has any impact on a critical SCI system or a significant impact on the SCI entity’s operations or on market participants. 
The Commission believes that, in the context of a major SCI event, where the impact of the SCI event is most likely to be felt by many market participants, the goal of aiding market participants in evaluating the impact of the event would be efficiently served by dissemination of information to all members or participants of the SCI entity.2006 The Commission believes that Rule 1002(c) will help market participants—specifically the members or participants of SCI entities estimated to be affected by an SCI event and any additional members or participants subsequently estimated to be affected by an SCI event and, in some cases, all members or participants of an SCI entity—to better evaluate the operations of SCI entities by requiring certain information to be disclosed. Furthermore, increased awareness of SCI events through information disseminated to members or participants should provide SCI entities additional incentives to maintain robust systems and minimize the occurrence of SCI events.
2005 Rule 1002(c)(2) provides an exception to the information dissemination requirement for systems intrusions when an SCI entity determines that dissemination of information would likely compromise the security of the SCI entity’s systems, or an investigation of the systems intrusion, and documents the reasons for such determination.
2006 At the same time, the Commission recognizes that some SCI events that meet the definition of ‘‘major SCI event’’ could also qualify as de minimis SCI events. Like other de minimis SCI events, they are excepted from the information dissemination requirement. In particular, because major SCI events are a subset of SCI events, the exception under Rule 1002(c)(4)(ii) applies to major SCI events that meet the requirements of that rule.
More robust SCI systems and the reduction in the occurrence of SCI events could reduce interruptions in price discovery process and liquidity flows as discussed above in Section VI.C.1. One commenter provided information about the benefits of the proposed information dissemination requirements. Specifically, according to this commenter, one of the major benefits of Regulation SCI could be better sharing of information about technology problems.2007 According to this commenter, sharing information about hardware failures, systems intrusions, and software glitches will alert others in the industry about such problems and help reduce system-wide costs of diagnosing problems, as well as result in improved responses to technology problems.2008 This commenter also believed that the information will serve as warnings to other SCI entities to stay vigilant to prevent similar problems.2009 The Commission believes that benefits identified by the commenter could be benefits of Rule 1002(c). As discussed above, while some entities currently provide their members or participants and, in some cases, market participants or the public more generally, with notices of certain systems issues (e.g., system outages), Rule 1002(c) imposes new requirements that are not currently part of the ARP Inspection Program. As such, the requirements of Rule 1002(c) will impose costs—which are attributed to paperwork burdens—on SCI entities with respect to preparing, drafting, reviewing, and making the information available to members or participants. These costs are discussed in more detail in Section V.D.2.b.2010
2007 See Angel Letter at 5.
2008 See id.
2009 See id. However, this commenter also disagreed with the Commission that SCI entities may be reluctant to admit publicly to their glitches. See id. at 14. According to this commenter, market participants interact repeatedly with each other on a real-time basis and are acutely aware of glitches when they occur. See id.
2010 When monetized, the paperwork burden would result in approximately $26 million, in addition to approximately $1.6 million in outsourcing cost, annually for all SCI entities in the aggregate.
In the SCI Proposal, the Commission recognized that SCI entities incur costs to determine whether an event needs to be disseminated. While the SCI events subject to the adopted information dissemination requirements are different from those that would have been subject to the proposed requirements, the Commission continues to recognize that the determination imposes costs. Specifically, identifying major SCI events may impose one-time implementation costs on SCI entities associated with developing a process for ensuring that they are able to quickly and correctly make such determinations, as well as periodic costs in reviewing the adopted process. These costs are discussed in more detail in Section V.D.3.b.2011 One commenter expressed concern that SCI entities may over-report issues out of an abundance of caution if SCI entities are not given clear guidelines as to what and to whom they are required to provide information.2012 This commenter believed that a flood of notifications, taken out of context, may create investor impression based on the quantity, not the quality, of the notifications disseminated, that certain counterparties pose serious risks to the market, when that is not the case.2013 For the reasons discussed in Section IV.B.3.d, the Commission believes that information about SCI events (other than major SCI events and de minimis SCI events) should be disseminated to affected members or participants, and information about major SCI events (other than those that qualify as de minimis SCI events) should be disseminated to all members or participants of an SCI entity.
At the same time, as compared to proposed Rule 1000(b)(5), the Commission is limiting the requirement for information dissemination to all members or participants of an SCI entity to major SCI events; limiting other information dissemination to members or participants affected by the SCI event; and excluding de minimis SCI events and SCI events related to market regulation or market surveillance systems from the information dissemination requirement. These changes would limit the compliance cost for Rule 1002(c), and are responsive to the commenter’s concern that SCI entities may over-disclose systems issues. As an alternative to the adopted rule, one commenter suggested broadening the proposed rule to require an SCI entity to disseminate information on SCI events to the public, and not just to its members or participants.2014 This commenter believed that public dissemination of the facts of an SCI event would help enhance investor confidence by preventing speculation and misinformation, and would provide important learning opportunities for the industry and other SCI entities.2015 The Commission acknowledges that there can be additional benefits from disseminating major SCI events to the public as noted by the commenter. Under the adopted rule, an SCI entity is required to disseminate information on major SCI events (other than those that qualify as de minimis SCI events) to all of its members and participants. The Commission believes that these market participants are the most likely to act on this information and, thus, induce additional competitive incentives for SCI entities to avoid systems issues.
2011 See also supra note 2001.
2012 See Fidelity Letter at 5.
2013 See id.
As such, the Commission believes that it can achieve the purposes of the rule without requiring public dissemination, and also believes any additional gain in benefits from public dissemination would be minimal.
2014 See MFA Letter at 7.
2015 See id.
v. Material Systems Changes—Rule 1003(a)
Rule 1003(a)(1) requires an SCI entity to provide quarterly reports to the Commission, describing completed, ongoing, and planned material systems changes to its SCI systems and the security of indirect SCI systems, during the prior, current, and subsequent calendar quarters. Rule 1003(a)(1) also requires an SCI entity to establish reasonable written criteria for identifying a change to its SCI systems and the security of its indirect SCI systems as material. Rule 1003(a)(2) requires an SCI entity to promptly submit a supplemental report to notify the Commission of a material error in or material omission from a previously submitted report. Entities that participate in the ARP Inspection Program currently provide some material systems change notifications to the Commission and the Commission believes that all SCI entities have some internal processes for documenting systems changes as a matter of prudent business practice. For example, consistent with the ARP Policy Statements, certain entities provide annual reports on significant systems changes and notify the Commission on an as-needed basis regarding certain significant systems changes. In addition, ATSs are required to notify the Commission of certain systems changes pursuant to Rule 301(b)(2)(ii) and Rule 301(b)(6)(ii)(G) of Regulation ATS, as applicable. Rule 1003(a) changes some of the current practices and sets forth more detailed requirements for these notifications. For example, Rule 1003(a) covers material changes on a broader set of systems than the ARP Inspection Program or Regulation ATS.
Rule 1003(a) also requires an SCI entity to submit quarterly reports on Form SCI regarding material systems changes, but does not require separate notification for each material systems change. Further, Rule 1003(a) requires an SCI entity to promptly notify the Commission (by submitting Form SCI) of a material error in or material omission from a previously submitted report. To the extent that Rule 1003(a) requires SCI entities to notify the Commission of material systems changes for more types of systems and to the extent that it requires notification at a higher frequency than current practice (quarterly reports vs. annual reports), the Commission believes that Rule 1003(a) should enhance the Commission’s oversight of the operation of SCI entities. The compliance costs of Rule 1003(a) primarily entail costs associated with preparing and submitting Form SCI in accordance with the instructions thereto. The initial and ongoing cost estimates associated with preparing and submitting Form SCI with regard to material systems changes under Rules 1003(a)(1) and (2) are discussed in detail in Section V.D.2.c.2016 The Commission does not expect Rule 1003(a) will impose significant costs on SCI entities other than those discussed in Section V.D.2.c. 
According to one commenter, ‘‘[t]he larger market participants [that will be subject to Regulation SCI] are generally experienced and circumspect with regards to significant infrastructure changes, such as data center migrations and major platform upgrades.’’ 2017 This commenter expected that, for these larger entities, integrating Regulation SCI compliance into their existing programs can occur without crippling disruption or exorbitant cost, and expected that insight from the implementation of Regulation SCI would contribute to overall stability and resiliency of the markets over time.2018 However, this commenter expressed concern that compliance with the Commission notification requirement will result in incremental costs that may in some cases delay or discourage innovation.2019 Another commenter similarly expressed concern about the compliance burden and the resulting impact on competition and innovation associated with the 30-day advance Commission notification requirement for material systems changes.2020 In addition, one commenter noted that the Commission underestimated the cost of lost business opportunities and the inability to swiftly deploy corrective solutions that would result from the 30-day advance systems change notification requirements.2021 This commenter noted that most ATS operators with advanced systems purposefully implement frequent agile modifications instead of major episodic changes in order to continuously improve their systems and minimize the impact of the changes.2022 This commenter expressed concern that a built-in 30-day delay in implementing changes would encourage the deployment of larger, riskier changes more infrequently, thereby creating longer periods of time during which a systems issue and/or erroneous configuration would continue without correction.2023 This commenter also stated that the 30-day advance notification process has the potential to delay the deployment of corrective solutions that are necessary to ensure the provision of uninterrupted and efficient order matching services at the best available prices.2024
As noted above, as adopted, Regulation SCI does not include the proposed 30-day advance Commission notification requirement for material systems changes. Rather, Rule 1003(a)(1) requires quarterly reports of material systems changes. Elimination of the proposed 30-day advance Commission notification requirement addresses the concern of some commenters that the rule would impede agile development methodology and favor the waterfall development methodology, or delay the implementation of systems changes or innovations, particularly for smaller SCI entities. The quarterly reports will also provide the Commission and its staff with a more efficient framework to review material systems changes, because including all relevant material systems changes in a single report will allow the Commission to more easily and clearly understand an SCI entity’s framework for systems changes, including how certain material systems changes are related.2025
2016 When monetized, the paperwork burden would result in approximately $6.8 million annually for all SCI entities in the aggregate.
2017 See SunGard Letter at 3.
2018 See id.
2019 See id.
2020 See BATS Letter at 15. See also, e.g., supra notes 999–1000 (discussing the views of commenters that the proposed 30-day advance notification requirement would stifle innovation and interfere with an SCI entity’s natural planning and development process).
2021 See ITG Letter at 8.
2022 See id.
2023 See id.
2024 See id.
2025 As discussed above, Commission staff will not use material systems change reports to require any approval of planned systems changes in advance of their implementation pursuant to any provision of Regulation SCI, or to delay implementation of material systems changes pursuant to any provision of Regulation SCI. See supra Section IV.B.4.b.
vi. SCI Review—Rule 1003(b)
Rule 1003(b) requires an SCI entity to conduct an SCI review of its compliance with Regulation SCI not less than once each year,2026 and submit a report of the SCI review to senior management of the SCI entity for review no more than 30 calendar days after completion of such SCI review. Rule 1003(b) also requires an SCI entity to submit a report of the SCI review to the Commission and to the board of directors of the SCI entity or the equivalent of such board, together with any response by senior management, within 60 calendar days after its submission to senior management of the SCI entity. Systems reviews have been part of the ARP Inspection Program, and through this program, the Commission understands that many SCI entities currently undertake annual systems reviews and that senior management and/or the board of directors or a committee thereof reviews reports of such reviews. However, the Commission believes that the scope of the systems reviews, and the level of senior management and/or board involvement in such reviews, varies among ARP entities. The Commission expects that the SCI review requirement would produce greater consistency in the approach that SCI entities take in systems reviews, which would help improve the efficiency of the Commission’s oversight (e.g., inspection) of SCI entities’ systems. In addition, the Commission believes that the SCI review requirement would result in SCI entities having an improved awareness of the relative strengths and weaknesses of their systems independent of the assessment of Commission staff, which should, in turn, improve systems and reduce the number of SCI events. As discussed in Section VI.C.1, the reduction in occurrence of SCI events could reduce interruptions in the price discovery process and liquidity flows. The initial and ongoing paperwork burden associated with conducting an SCI review, submitting a report of the SCI review to senior management of the SCI entity for review, and submitting a report of the SCI review and any response by senior management to the Commission and to the board of directors of the SCI entity or the equivalent of such board is discussed in Section V.D.2.d.2027 SCI entities will also incur costs in addition to the paperwork burden to comply with the SCI review requirement. Although the Commission understands that most SCI entities currently undertake annual systems reviews, Rule 1003(b) sets forth specific requirements related to the SCI review. In particular, an SCI review is required to include a risk assessment with respect to SCI systems and indirect SCI systems of an SCI entity, an assessment of internal control design and effectiveness of SCI systems and indirect SCI systems, and penetration testing reviews. Moreover, Rule 1003(b) specifies that the SCI review is to determine the SCI entity’s compliance with Regulation SCI.
2026 However, penetration test reviews of the network, firewalls, and production systems are required to be conducted not less than once every three years. See Rule 1003(b)(i). Assessments of SCI systems directly supporting market regulation or market surveillance are required to be conducted at a frequency based upon the risk assessment conducted as part of the SCI review, but also not less than once every three years. See Rule 1003(b)(1)(ii).
Rule 1003(b) also requires a report of the SCI review and any senior management response to be submitted to the board of directors of the SCI entity or the equivalent of such board and thus SCI entities may incur an additional cost as a result of additional time the board allocates to evaluate the review. The Commission cannot estimate costs other than paperwork burdens because the Commission does not have the information necessary to provide a reasonable estimate. In particular, the Commission lacks information on how SCI entities will structure their reviews. As discussed above in Section IV.B.5, the Commission is not adopting a requirement that SCI reviews be conducted by an independent third party because the Commission believes that the goals of Regulation SCI can be achieved through reviews by either internal objective personnel or external objective personnel. The Commission acknowledges that, in some cases, there could be potential benefits from requiring third party reviews. However, as noted in Section IV.B.5, third parties can also have conflicts of interest that prevent a particular entity or personnel from meeting the objectivity standard required for an SCI review. In addition, during the Technology Roundtable in which participants discussed third party review, some panelists suggested that the use of an external third party is unnecessary because, for example, the training for a third party as well as the costs involved with third party evaluations would be large with little additional benefit.2028 The Commission agrees that SCI entities would likely need to provide significant guidance to third-party reviewers on the specific features of the entity’s systems.

2027 When monetized, the paperwork burden would result in approximately $9.7 million, in addition to approximately $2.2 million in outsourcing cost, annually for all SCI entities in the aggregate.
The Commission recognizes that a third-party review requirement could impose additional costs on SCI entities, and believes that it is appropriate at this time to allow SCI entities to decide whether to incur such costs instead of mandating third-party review.

2028 See Transcript of the Technology Roundtable, at 86–91.

vii. Business Continuity and Disaster Recovery Plan Testing—Rule 1004

Rule 1004(b) requires the testing of an SCI entity’s business continuity and disaster recovery plans at least once every 12 months. Rules 1004(a) and (b) require participation in such testing by those members or participants that an SCI entity reasonably determines are, taken as a whole, the minimum number necessary for the maintenance of fair and orderly markets in the event of the activation of its business continuity and disaster recovery plans. Rule 1004(c) requires an SCI entity to coordinate such testing on an industry- or sector-wide basis with other SCI entities. The requirements under Rule 1004 are not a part of the ARP Inspection Program. As discussed above in Section VI.B.2, the securities industry generally has a voluntary system for testing business continuity and disaster recovery plans and market participants, including exchanges, members of exchanges, clearing agencies, clearing members, and ATSs, already coordinate certain business continuity and disaster recovery plan testing to some extent. For example, some SCI entities already require some of their members or participants to connect to their backup systems. Further, although participation is not always mandatory, some SCI entities already provide their members or participants with the opportunity to test the SCI entity’s business continuity and disaster recovery plans. However, because not all SCI entities require member or participant participation in business continuity and disaster recovery plans testing, the Commission understands that not all market participants participate in such testing. Moreover, the Commission understands that, to the extent such participation occurs, it may in many cases be limited in nature (e.g., testing for connectivity to backup systems).2029 The Commission believes that, for SCI entities, voluntary testing is insufficient, and that business continuity and disaster recovery planning for market centers and certain members or participants must be an integral component of business continuity and disaster recovery preparedness. The Commission further believes that the requirements under Rule 1004 should help ensure that the securities markets will have improved backup infrastructure and fewer market-wide shutdowns. As discussed in detail in Section VI.C.1, fewer market-wide shutdowns should help facilitate continuous liquidity flows in markets, reduce pricing errors, and thus improve the quality of the price discovery process. With respect to these benefits, one commenter suggested measuring benefits of reducing outages and technical issues by looking at, for example, loss of trading commissions due to outages.2030 This commenter estimated that the potential loss of equity commissions by broker-dealers over the two-day market closure from Superstorm Sandy may have been approximately $374 million.2031 The Commission believes that measuring potential benefits in terms of transaction costs (commission revenue) does not fully account for other benefits, such as uninterrupted liquidity flows and price discovery.2032 Furthermore, the Commission believes that the estimated commission loss noted by the commenter likely overstates the actual losses in commissions because some of the ‘‘lost’’ trading may have only been delayed until the markets re-opened after Superstorm Sandy.

2029 See Proposing Release, supra note 13, at 18164.

2030 See Angel Letter at 15–16. The Commission also notes that this commenter and others expressed the view that enhanced BC/DR testing would have substantial benefits. See, e.g., id. at 9–10 (stating that the ‘‘ability of SROs to require their members to participate in testing is an important step forward in making sure that testing is as realistic as possible . . . [and] is one of the most valuable parts of Regulation SCI and will do the most to ensure improved market network reliability’’); and UBS Letter at 5 (stating that the ‘‘critical task of BCP testing should not be undertaken in isolated silos by individual firms. Individual BCP testing that does not involve realistic scenarios with connected participants may mask gaps and/or be insufficient from a systems integrity standpoint’’ and that the benefits of a ‘‘new and more comprehensive BCP testing paradigm’’ would be ‘‘broad and considerable’’).

2031 This commenter based this estimate on FINRA member equity commissions in 2010 obtained from SIFMA. See Angel Letter at 16. In addition, this commenter referred to the losses and legal and administrative costs associated with the Facebook IPO, as well as the losses associated with the May 6, 2010 incident. See id. at 15–16. This commenter also more generally stated that the benefits of reducing outages and major technical issues are pretty straightforward—catastrophic failures in exchange systems are extremely costly, both in terms of direct losses to participants and in reduced investor confidence in the markets. See id. at 15. According to this commenter, even a modest reduction in the overall risk of a meltdown is quite cost effective to the economy as a whole. See id.
Accordingly, the Commission is not persuaded that the estimate provided by the commenter represents the quantified benefit associated with this component of Regulation SCI. The Commission is unable to estimate the benefit of this component of Regulation SCI because the Commission does not have quantified information on the extent that a reduction in SCI events will help facilitate liquidity flows in markets, reduce pricing errors, and thus improve the quality of the price discovery process. Furthermore, the Commission is unable to quantify the impact of ‘‘delayed’’ trading because it lacks the information necessary to provide a reasonable estimate. In particular, data on the trading activity lost as opposed to ‘‘delayed’’ due to the two-day market closure would be extremely difficult to piece together in a meaningful way.

Costs to SCI Entities

The mandatory testing of SCI entity business continuity and disaster recovery plans, including backup systems, as required under Rule 1004, will result in additional costs to SCI entities. The Commission notes that some SCI entities already offer availability for their members or participants to test business continuity and disaster recovery plans. Furthermore, as mentioned above, market participants, including SCI entities, already coordinate certain business continuity plan testing to an extent. However, Rule 1004 mandates participation in testing for some entities that do not currently participate, requires more rigorous testing than currently required, and requires greater coordination than SCI entities and market participants currently engage in.
In particular, Rule 1004 requires SCI entities to designate their members or participants to participate in business continuity and disaster recovery plan testing and to coordinate such testing with other SCI entities on an industry- or sector-wide basis. The requirement of member or participant designation in business continuity and disaster recovery plan testing under Rule 1004 imposes additional costs as an SCI would have to allocate resources towards initially establishing and later updating standards for the designation of its members and participants for testing. Furthermore, the requirement to coordinate industry- or sector-wide testing will impose additional administrative costs because an SCI entity would be required to notify its members or participants and also organize, schedule, and manage the coordinated testing.2033 Some commenters stated that the scope of the proposed testing requirement would impose costs on SCI entities that the Commission did not account for, including the cost to reconfigure their systems to engage in functional and performance testing, the cost of establishing effective coordinated test scripts for the testing, and time necessary to conduct the required testing.2034 Another commenter stated that testing will be costly to ATSs and their subscribers, and that the aggregate cost for all would be higher than the $66 million estimated in the SCI Proposal.2035 This commenter noted that the cost includes the time, resources, and professional staff that would be devoted to the testing process, and the resulting lost business opportunities associated with the ability to focus on revenue generating projects.2036 In addition, this commenter stated that, while connectivity between an ATS and its subscribers may already be established, additional configurations and build out of systems may be required to create a testing environment that simulates live market conditions.2037 Another commenter stated that there are dozens of man-days of pre-test planning, preparation, pre-testing testing, testing, and post-mortem reviews for SCI entities associated with the industry test initiatives.2038 According to this commenter, there are anywhere from tens to hundreds of business and technology staff engaged in this initiative.2039 This commenter estimated the following staff levels required to support testing: Exchanges—175–200+ man-days; member firms—80–85 man-days; and ATSs—12–25 man-days.2040 Based on the commenter’s upper estimates measured in man-days, the Commission estimated monetary values by allocating hours among the traders, technologists, programmers/system administrators, exchange personnel, and analysts necessary for implementation of disaster recovery testing. This estimation yields implied annual average total cost estimates of $500,000 and $60,000 for exchanges and ATSs, respectively.2041 For the reasons discussed below, the Commission believes that this commenter’s cost estimate does not accurately reflect the costs to SCI entities.

2032 As noted by this commenter, the $374 million loss does not include lost trading profits to investors, or loss of utility from being able to hedge risk, monetize holdings, or otherwise trade. See id. at 16.

2033 Administrative costs associated with coordinating testing are included as part of the PRA burden of Rule 1004. See supra Section V.D.1.b. As discussed in Section V.D.1.b, the Commission continues to believe that plan processors will outsource the work related to compliance with Rule 1004.

2034 See supra Section IV.B.6.b (discussing comments on proposed Rule 1000(b)(9)).

2035 See ITG Letter at 15–16.

2036 See id.

2037 See id.

2038 See Tellefsen Letter at 11.
The Commission recognizes that the factors described by commenters will contribute to costs for SCI entities associated with business continuity and disaster recovery plans testing. For example, as discussed in Section IV.B.6.b, the Commission acknowledges that systems reconfiguration for functional and performance testing and establishing an effective coordinated test script could be a complex process and result in costs. At the same time, the Commission believes that systems reconfiguration and the establishment of an effective coordinated test script is an important first step in establishing robust and effective business continuity and disaster continuity plans testing. The Commission also notes that costs of Rule 1004 are likely to be lower than those estimated by commenters because of changes made to the proposed rule. For example, although Rule 1004 would require testing of BC/DR plans that is more rigorous than some types of testing urged by some commenters, the adopted rule includes a more targeted member and participant designation provision than the proposed rule. As discussed above in Section IV.B.6.b, compared to proposed Rule 1000(b)(9), the Commission believes that the adoption of a more targeted designation requirement is likely to result in a smaller number of SCI entity members or participants being designated to participate in business continuity and disaster recovery plans testing and thus should result in lower costs for SCI entities to coordinate testing.2042 The Commission is unable to provide a quantified estimate of the specific costs for SCI entities associated with the mandatory testing of SCI entity business continuity and disaster recovery plans, including backup systems. Although several commenters provided general estimates as to the costs of compliance with Rule 1004, these commenters did not provide their assumptions or a description of the quantified costs associated with each potential source of costs. Given the lack of information provided by commenters and that these costs could vary significantly based on the specific systems of each SCI entity, the Commission is unable to determine whether the costs provided by commenters are representative. Additionally, the Commission notes that commenters appeared to focus on costs as if assuming there is no testing today.

2039 See id.

2040 See id.

2041 The allocations are based on Commission staff experience that exchanges would divide their personnel as 85% technologists, 5% exchange rule enforcement personnel, and 10% business analysts, and ATSs are assumed to divide their personnel as 90% technologists and 10% business analysts based on staff experience. The hourly rates are from SIFMA’s Management & Professional Earnings in the Securities Industry 2012, modified by Commission staff to account for an 1800-hour workyear and multiplied by 5.35 to account for bonuses, firm size, employee benefits and overhead. The calculation for ATSs was as follows: 25 days × (10% time required by analysts × $245/hour + 90% time required by technologists × $282/hour) = $55,660 per ATS. For each exchange: 200 days × (85% time required by technologists × $282/hour + 10% time required by analysts × $245/hour + 5% time required by supervisors × $446/hour) = $458,400 per exchange. The Commission has rounded up because the breakdown between analysts, supervisors, and technologists may vary between ATSs and Exchanges. In the absence of a specific estimate provided by the commenter for plan processors or clearing agencies, the estimate for exchanges is assumed to apply to these types of SCI entities. Estimates for members and participants are discussed separately below.
Because SCI entities currently engage in some coordinated BC/DR testing, the Commission believes that the average incremental cost to SCI entities, in addition to the burden estimated in the PRA, would be lower than these commenters’ cost estimates. The Commission also believes that costs would be significantly lower in the year following the initial year of testing. Because the Commission does not have detailed information regarding the current level of BC/DR testing and coordination of such testing by each SCI entity, and the cost associated with such testing and coordination, however, the Commission cannot at this time provide a quantified estimate of the cost for SCI entities to comply with Rule 1004.

2042 See supra Section IV.B.6.b (discussing the designation requirement in adopted Rule 1004).

Costs to SCI Entity Members and Participants

The Commission believes that Rule 1004 will also impose costs on SCI entity designated members and participants.
In the SCI Proposal, based on discussions with market participants, the Commission estimated that the cost of business continuity and disaster recovery plan testing would range from immaterial administrative costs (for SCI entity members and participants that currently maintain connections to SCI entity backup systems) to a range of $24,000 to $60,000 per year per member or participant in connection with each SCI entity.2043 As noted in the SCI Proposal and also above, the Commission understood that most of the larger members or participants of SCI entities already maintain connectivity with the backup systems of SCI entities and, thus, the additional connectivity costs imposed by proposed Rule 1000(b)(9) to these larger members or participants may be minimal.2044 However, among smaller members or participants of SCI entities, the number of members or participants who maintain such connectivity is lower.2045 Therefore, costs at the higher end of the estimated range would accrue for members or participants who would need to invest in additional infrastructure and to maintain connectivity with an SCI entity’s backup systems in order to participate in testing. Furthermore, in the SCI Proposal, the Commission acknowledged that it is difficult to provide an estimate for the total aggregate cost to SCI entity members or participants under proposed Rule 1000(b)(9).2046 Because each SCI entity had discretion in determining its standards for designating members or participants for the testing required by proposed Rule 1000(b)(9)(i), the Commission did not have enough information to estimate the number of members or participants at each SCI entity that would be designated as required to participate in testing and to determine whether such designated members or participants are those that already maintain connections to SCI entity backup systems. 
With limited information, the Commission provided a total aggregate annual cost estimate in the SCI Proposal of approximately $66 million for designated members and participants to participate in business continuity and disaster recovery plans testing.2047 Several commenters stated that the Commission underestimated the cost of business continuity and disaster recovery plan testing under proposed Rule 1000(b)(9). One commenter noted that the Commission failed to take into account those SCI entities that engage in systems-specific testing upon implementation or initial connection by a market participant, but do not engage in business continuity and disaster recovery testing with the participation of market participants.2048 One commenter noted that the average cost for a broker-dealer to maintain fully redundant systems at all relevant exchange backup facilities would be approximately $3 million annually, according to one of its informal surveys.2049 Further, this cost would not include the initial capital costs related to the infrastructure or the labor/employment necessary for the maintenance and monitoring of backup connection and facilities.2050 Other commenters stated that the Commission underestimated other aspects of the cost of business continuity and disaster recovery plan testing under proposed Rule 1000(b)(9).

2043 See Proposing Release, supra note 13, at 18172.

2044 See id. at 18172 and n.642.

2045 See id. at 18172.

2046 See id.

2047 See id. at 18172 and n.643.
One commenter believed that the requirement for members to connect to an SCI entity’s backup site could pose significant economic burden and provide little benefit to the market.2051 This commenter believed that the cost of such connections would be well over the $10,000 per connection that the Commission estimated.2052 According to this commenter, establishing and maintaining a connection with comparable trading capability and latency could cost a broker-dealer that co-locates at an SCI entity’s data center between $15,000 and $20,000 monthly simply for the necessary communication lines.2053 In addition, this commenter noted that such members would need additional hardware (estimated to be up to $500,000) to establish an appropriate presence at the backup site to ensure that they could trade in an efficient manner with low latency.2054 This commenter believed that compliance with the Rule 1000(b)(9) requirements could cause broker-dealers to reduce the number of SCI entities through which they trade.2055 This commenter suggested that the standard for designating members should be those members ‘‘critical to the operation of the SCI entity.’’2056 Another commenter estimated that the costs to a market making firm to support fully redundant exchange and ATS backup facilities would be approximately $7 million to $10 million in initial capital, with annual costs of between $5 million and $9 million.2057 According to this commenter, this cost is not justified by the benefits because backup facilities would not be used in the event of an outage at the primary site,2058 and would lead firms to reconsider their ability to make markets on as many trading platforms and potentially reduce price competition.2059 The same commenter who provided an estimate of burdens for SCI entities expressed the view that there are also dozens of man-days of pre-test planning, preparation, pre-testing testing, testing, and post-mortem reviews for members and participants that would be associated with industry test initiatives.2060 Based on the commenter’s upper estimates for member firms, measured in man-days, the Commission assigned monetary values using appropriate hours allocation among the traders, technologists, programmers/system administrators, exchange personnel, and analysts necessary for implementation of disaster recovery testing. This procedure yields an annual average total cost estimate of about $200,000 for each member firm.2061 For the reasons discussed below, the Commission believes that this commenter’s cost estimate does not accurately reflect the costs to members or participants.

2048 See MSRB Letter at 38.

2049 See FIA PTG Letter at 3. See also BIDS Letter at 8 (commenting that testing and backup connections are expensive, and the expense of the connections could outweigh the value or the utilization of the value that certain venues provide).

2050 See FIA PTG Letter at 3. This commenter noted that the costs vary widely among members and exchanges but are not insubstantial. See id.

2051 See ISE Letter at 9.

2052 See id.

2053 See id.

2054 See id.

2055 See id.

2056 See id. According to this commenter, under the suggested standard, its focus would be on its seven Primary Market Makers who provide continuous liquidity, and these members would provide a baseline of liquidity for trading. See id. However, this commenter believed that, in order to satisfy the standard to provide ‘‘fair and orderly trading,’’ it may need to require some or all of its 145 Electronic Access Members who access liquidity. See id.

2057 See KCG Letter at 4, 12. This commenter stated that the cost of supporting a backup facility of an SCI entity would be reduced, if the backup facility of an SCI entity were at the primary site of another SCI entity where the market maker traded. See id. at 12.

2058 See id. at 4.

2059 See id. at 12.

2060 See also supra note 2038 and accompanying text (discussing this commenter’s cost estimate for SCI entities).

2061 The allocations are based on the staff experience that member firms divide their personnel as 45% traders, 45% technologists, and 10% business analysts. The hourly rates are from SIFMA’s Management & Professional Earnings in the Securities Industry 2012, modified by Commission staff to account for an 1800-hour workyear and multiplied by 5.35 to account for bonuses, firm size, employee benefits and overhead. The calculation for member firms was as follows: 85 days × (10% time required by analysts × $245/hour + 45% time required by technologists × $282/hour + 45% time required by traders × $312/hour) = $198,424 per member firm.

The Commission acknowledges that members or participants will incur costs as a result of Rule 1004. However, the Commission believes that the members or participants likely to be designated to participate in such testing are those that conduct a high level of activity with the SCI entity, or that play an important role for the SCI entity (such as market makers), and who are more likely to have already established connections to the SCI entity’s backup site. The Commission believes that many of these members or participants already have established connectivity with the SCI entity’s backup site and already monitor and maintain such connectivity, and thus the additional connectivity costs imposed by Rule 1004 would be modest to these members or participants. For members or participants that currently do not have connectivity, the Commission recognizes the requirements of Rule 1004 will impose costs on members or participants in establishing, maintaining, and monitoring backup connection and facilities. The Commission believes that a few commenters who stated that the Commission underestimated these costs may have based their cost estimates for proposed Rule 1000(b)(9) on the assumption that member connections to SCI entities’ backup systems need to be the same as those at the primary site.2062 However, as discussed above in Section IV.B.6, Rule 1004 does not require SCI entity members or participants to maintain the same level of connectivity with the backup sites of an SCI entity as they do with the primary sites. In the event of a wide-scale disruption in the securities markets, the Commission acknowledges that an SCI entity and its members or participants may not be able to provide the same level of liquidity as on a normal trading day. In addition, the Commission recognizes that the concept of ‘‘fair and orderly markets’’ does not require that trading on a day when business continuity and disaster recovery plans are in effect reflect the same level of liquidity, depth, volatility, and other characteristics of trading on a normal trading day. The Commission, however, is unable to provide a quantified estimate of the specific costs for SCI entity members or participants associated with the mandatory testing required by Rule 1004.

2062 See supra notes 2049, 2050, 2052–2054, and 2057 and accompanying text (discussing commenters’ estimates of the cost to maintain fully redundant systems at relevant SCI entity backup facilities).
Although several commenters provided general estimates as to the costs of compliance with Rule 1004, these commenters did not provide their assumptions or a description of the quantified costs associated with each potential source of costs. Given the lack of information provided by commenters and that these costs could vary significantly based on the specific systems of each SCI entity and member or participant, the Commission is unable to determine whether the costs provided by commenters are representative. Additionally, the Commission notes that some commenters appeared to focus on costs as if assuming there is no testing today. Because some members and participants of SCI entities currently participate in SCI entities’ BC/DR testing, these members and participants would not incur the full costs estimated by the commenters. Thus the Commission believes that the average incremental cost to members or participants would be lower than these commenters’ estimates because the estimates do not account for current practices. The Commission also believes that costs will be highly variable among member firms, and will be significantly lower in the year following the initial year of testing.
Because the Commission does not have detailed information regarding the current level of engagement by members or participants in BC/DR testing and the associated costs, or the details of the BC/DR testing that SCI entities will implement pursuant to Rule 1004, the Commission cannot at this time provide a precise quantified estimate of the cost for SCI entities’ designated members or participants to comply with Rule 1004.2063 The Commission also notes that it is critical that SCI entities and their designated members or participants be able to operate with the SCI entities’ backup systems in the event of a wide-scale disruption, and believes that the costs that would be incurred by essential market participants are appropriate in light of the benefits discussed above.2064 Although the Commission generally believes that the aggregate cost to SCI entity members or participants under Rule 1004 will be lower than the cost estimated for proposed Rule 1000(b)(9), the Commission continues to believe it is difficult to provide an estimate for the aggregate cost to SCI entity members or participants because under Rule 1004, each SCI entity has reasonable discretion in designating its members or participants for the required testing, and, as noted above, the Commission does not possess necessary information to estimate the number of designated members or participants and to determine whether such designated members or participants are those that already have established and maintained connectivity to the SCI entity’s backup systems. Accordingly, the Commission cannot at this time provide a quantified estimate of the total aggregate cost to SCI entity members or participants under Rule 1004.2065 Moreover, as noted above in Section IV.B.6.b, the Commission believes that adoption of a designation requirement that requires SCI entities to exercise reasonable discretion to identify those members or participants that, taken as a whole, are the ‘‘minimum necessary’’ for the maintenance of fair and orderly markets in the event of the activation of such plans is likely to result in a smaller number of SCI entity members or participants being designated for participation in testing as compared to the SCI Proposal, thus reducing total costs to all members or participants combined.

2063 Although the Commission cannot at this time precisely estimate the total cost of compliance with Rule 1004, the Commission believes that $10,000 on average per SCI entity is a reasonable estimate solely for the incremental cost of connectivity associated with the requirements of Rule 1004. As noted above, the Commission continues to believe that it is reasonable to estimate that the members or participants of SCI entities that are most likely to be designated as required to participate in testing are those that conduct a high level of activity with the SCI entity, or that play an important role for the SCI entity (such as market makers), and that such members or participants are likely to already maintain connectivity with an SCI entity’s backup systems. Therefore, the Commission is not persuaded that its estimate of the average connectivity cost for each member or participant of an SCI entity should be modified from $10,000.

2064 Further, in response to comment that the added benefit of requiring fully redundant backup systems is almost impossible to measure while the cost of implementation is significant, the Commission acknowledges that testing of a BC/DR plan does not guarantee flawless execution of that plan, but still believes testing is warranted because a tested plan is likely to be more reliable and effective than an inadequately tested plan.

2065 The Commission believes that it can reasonably estimate connectivity costs but not all costs associated with BC/DR testing. With respect to connectivity, the Commission now estimates that Rule 1004 will impose a total aggregate annual cost of approximately $18 million for designated members and participants. This estimate assumes that each of the 44 SCI entities will designate between 10 and 20 percent of its members or participants to participate in the necessary testing. This 10–20 percent estimate is based on staff experience and takes into consideration comment that typically 20 percent of an SCI entity’s members might provide 80 percent of the order flow or liquidity (see Tellefsen Letter at 9), and balances it against another commenter’s view that if the standard for designation was to identify those firms ‘‘critical to the operation of the SCI entity’’ (which is more targeted than the adopted standard), this commenter would designate approximately five percent of its members to participate in testing (see ISE Letter at 9). The Commission understands that many SCI entities have between 200 and 400 members or participants, although some have more and some have fewer. Therefore, the Commission estimates that on average, each SCI entity will designate approximately 40 members or participants in such testing. Based on these assumptions, the Commission estimates the total aggregate cost for connectivity to all designated members or participants of all SCI entities to be approximately $17.6 million (44 SCI entities × 40 members or participants × $10,000 = $17.6 million).
Because the Commission believes that SCI entities have an incentive to limit the imposition of the cost and burden associated with testing to the minimum necessary to comply with the rule, it also believes that, given the option, most SCI entities would, in the exercise of reasonable discretion, prefer to designate fewer members or participants to participate in testing, than to designate more. On balance, the Commission believes that the adopted rule will incentivize SCI entities to designate those members and participants that are in fact the minimum necessary for the maintenance of fair and orderly markets in the event of the activation of their BC/DR plans, and that this should reduce the number of designations to which any particular member or participant would be subject, compared to the SCI Proposal. It remains possible, as some commenters noted, that firms that are members of multiple SCI entities will be the subject of multiple designations, and that multiple designations could require certain firms to maintain connections to backup sites and participate in testing of the BC/DR plans of multiple SCI entities. As discussed in Section IV.B.6.b, the Commission believes this possibility, though real, may be mitigated by the fact that designations are likely to be made to firms that are already connected to one or more SCI entity backup facilities, because they are more likely to be significant members or participants of the applicable SCI entities; and that, because some SCI entity backup facilities are located in close proximity to each other, multiple connections to such backup facilities may be less costly than if SCI entity backup facilities were not so located. 
The Commission recognizes that there would be greater costs to a firm being designated by multiple SCI entities to participate in the testing of their business continuity and disaster recovery plans, but believes that these greater costs are warranted for such firms, as they represent significant participants in each of the SCI entities for which they are designated, and their participation in the testing of each such SCI entity’s business continuity and disaster recovery plans is necessary to evaluate whether such plans are reliable and effective. The Commission recognizes that a firm that is designated to participate in testing with multiple SCI entities may assess the costs and burdens of participating in every test to be too great, and make business decisions to withdraw its membership or participation from one or more such SCI entities so as to avoid the costs and burdens of such testing. The Commission believes such a scenario is unlikely because such firm is likely to be a larger firm with a significant level of participation in such SCI entity and is likely to already have connections to backup facilities of the SCI entity. The Commission believes that the cost associated with Rule 1004 is unlikely to induce the designated members or participants to reduce the number of SCI entities through which they trade and adversely affect price competitiveness in markets.2066
As noted above, the Commission also recognizes that costs to some SCI entity members or participants associated with Rule 1004 could be significant, and also highly variable depending on the business continuity and disaster recovery plans being tested. Based on industry sources, the Commission understands that most of the larger members or participants of SCI entities already maintain connectivity with the backup systems of SCI entities. However, the Commission understands that there is a lower incidence of smaller members or participants maintaining connectivity with the backup sites of SCI entities.2067 As such, the Commission believes that the compliance costs associated with Rule 1004 would be higher for those members or participants that are designated for testing by SCI entities who would need to invest in additional infrastructure to maintain connectivity with an SCI entity’s backup systems to participate in testing, which the Commission believes is more likely to be the case for smaller members or participants designated for testing.
The Commission acknowledges that the compliance costs associated with Rule 1004 could raise barriers to entry and affect competition among members or participants of SCI entities. Specifically, to the extent that members or participants could be subject to designation in business continuity and disaster recovery plan testing and could incur additional compliance costs, the member or participant designation requirement of Rule 1004 could raise barriers to entry. Also, as discussed above, the compliance costs of the rule will likely be higher for smaller members or participants of SCI entities compared to larger members or participants of SCI entities. However, the Commission believes the adverse effect on competition may be mitigated to some extent as the most likely members or participants to be designated for testing are larger members or participants who already maintain connectivity with an SCI entity’s backup systems. Further, the adverse effect on competition could be partially mitigated to the extent that larger firms, which are members of multiple SCI entities, could incur additional compliance costs as these larger member firms could be subject to multiple designations for business continuity and disaster recovery plan testing.
One commenter noted that mere network connectivity to an exchange or ATS would be insufficient for a market maker to provide meaningful liquidity on an SCI entity.2068 This commenter noted that, if the Commission does not intend for SCI entities to be able to trade in the same way from a backup facility as it trades from the primary site, then market makers could maintain a more limited remote connectivity to the backup site and incur less cost, although this commenter believed that such an approach would not facilitate the posting of competitive quotes.2069 This commenter believed that this alternative approach would result in unusually wide markets, and would not result in any benefits.2070 As discussed in Section IV.B.6, Rule 1001(a) does not require that backup facilities of SCI entities fully duplicate the features of primary facilities. Further as discussed in Section IV.B.6, SCI entity members or participants are not required by Regulation SCI to maintain the same level of connectivity with the backup sites of an SCI entity as they do with the primary sites. In the event of a wide-scale disruption in the securities markets, the Commission acknowledges that SCI entities and their members or participants may not be able to provide the same level of liquidity as on a normal trading day. However, the Commission expects that, on a day when business continuity and disaster recovery plans are in effect due to a wide-scale disruption in the securities markets, the requirements of Rule 1004 will help ensure adequate levels of liquidity and pricing efficiency to facilitate trading and maintain fair and orderly markets without imposing excessive costs on SCI entities and market participants by requiring them to maintain the same connectivity with the backup systems as with the primary sites.
2066 See supra notes 2055 and 2059 and accompanying text.
2067 See Proposing Release, supra note 13, at 18172, n. 642.
2068 See KCG Letter at 12.
2069 See id. at 13.
2070 See id. at 13.
Alternatives
Several commenters suggested alternatives to the proposed BC/DR testing requirements.2071 Two commenters suggested that few ATSs are critical enough to warrant inclusion in the BC/DR testing requirement.2072 One commenter suggested that only SCI entities that provide market functions on which other market participants depend be subject to the requirements for separate backup and recovery capabilities.2073 Furthermore, one commenter urged that BC/DR testing coordination only be required among providers of singular services in the market (i.e., exchange that lists securities, exclusive processors under NMS plans, and clearing and settlement agencies).2074
The Commission is not persuaded that SCI ATSs should be excluded from the requirements of BC/DR testing plans. In today’s market, as discussed in Section IV.A.1.b, ATSs collectively represent a significant source of liquidity for stock trading. Although the concept of “fair and orderly markets” when BC/DR plans are in effect does not require the same level of liquidity, depth, volatility, and other characteristics of trading on a normal trading day, the Commission believes that excluding significant ATSs from BC/DR testing could harm liquidity, depth, and volatility when BC/DR plans are in effect and, thus, could significantly reduce the benefits of Rule 1004. Furthermore, with respect to the commenter that urged the Commission only to include providers of singular services in BC/DR testing coordination, as mentioned in Section IV.A.1.b, because trading in the U.S. securities markets today is dispersed among exchanges, ATSs, and other trading venues, and often involves trading strategies that require access to multiple trading venues, including ATSs, simultaneously, including all SCI entities, the Commission believes that requiring SCI entities to coordinate testing would result in testing under more realistic market conditions and help ensure that securities markets have improved backup infrastructure, fewer market shutdowns, and fair and orderly markets in the event of the activation of BC/DR plans.
Furthermore, one commenter stated that coordinated BC/DR testing is a good aspirational goal, but expressed concern that too much is outside of the control of an individual SCI entity, and therefore the rule should, at most, require SCI entities to attempt to coordinate such testing.2075 With respect to the comment suggesting that BC/DR testing coordination should be an aspirational goal rather than a requirement, the Commission believes that voluntary BC/DR testing is insufficient and will not further the goal of Regulation SCI as evidenced by Superstorm Sandy discussed in Section IV.B.6. As discussed above, the Commission acknowledges that there could be potential difficulties, including communicating with other SCI entities, in coordinating BC/DR testing on an industry- or sector-wide basis.
2071 See SIFMA Letter at 17; BIDS Letter at 8; and ITG Letter at 15.
2072 See BIDS Letter at 8; and ITG Letter at 15.
2073 See KCG Letter at 8.
2074 See Direct Edge Letter at 9.
2075 See CME Letter at 13.
c. Recordkeeping and Electronic Filing—Rules 1005–1007
Entities that participate in the ARP Inspection Program currently keep records related to the ARP Inspection Program. However, the recordkeeping requirements of Rules 1005–1007 would apply to more entities, systems, and types of systems issues than the ARP Inspection Program. In addition, SCI entities are already subject to certain Commission recordkeeping requirements.2076 However, records relating to Regulation SCI may not be specifically addressed in the recordkeeping requirements of certain rules.2077 The Commission believes that the recordkeeping requirements specifically related to Regulation SCI would enhance the ability of the Commission to evaluate SCI entities’ compliance with Regulation SCI.
2076 See, e.g., 17 CFR 240.17a–1, applicable to SCI SROs; 17 CFR 240.17a–3 and 17a–4, applicable to broker-dealers; and 17 CFR 242.301–303, applicable to ATSs. It has been the experience of the Commission that SCI entities presently subject to the ARP Inspection Program (nearly all of whom are SCI SROs that are also subject to the recordkeeping requirements of Rule 17a–1(a)) do generally keep and preserve the types of records that would be subject to the requirements of Rule 1005. Nevertheless, the Commission continues to believe that Regulation SCI’s codification of these preservation practices will support an accurate, timely, and efficient inspection and examination process and help ensure that all types of SCI entities keep and preserve such records.
2077 See Proposing Release, supra note 13, at 18128.
With respect to SCI SROs in particular, the Commission notes that they are subject to the recordkeeping requirements of Rule 17a–1 under the Exchange Act, and the breadth of Rule 17a–1 is such that it would require SCI SROs to make, keep, and preserve records relating to their compliance with Regulation SCI. Therefore, Rule 1005(a) requires each SCI SRO to make, keep, and preserve all documents relating to its compliance with Regulation SCI as prescribed in Rule 17a–1 under the Exchange Act.2078 Rule 1005(b) requires each SCI entity that is not an SCI SRO to make, keep, and preserve at least one copy of all documents relating to its compliance with Regulation SCI. Each such SCI entity is required to keep all such documents for a period of not less than five years, the first two years in a place that is readily accessible to the Commission or its representatives for inspection and examination.
Each such SCI entity is also required to promptly furnish copies of such documents to Commission representatives upon request. Rule 1005(c) requires each such SCI entity, upon or immediately prior to ceasing to do business or ceasing to be registered under the Exchange Act, to take all necessary action to ensure that the records required to be made, kept, and preserved by Rule 1005 shall be accessible to the Commission and its representatives in the manner required by Rule 1005 and for the remainder of the period required by Rule 1005. According to Rule 1007, if the records required to be filed or kept by an SCI entity under Regulation SCI are prepared or maintained by a service bureau or other recordkeeping service on behalf of the SCI entity, the SCI entity is required to ensure that such records are available for review by the Commission and its representatives by submitting a written undertaking, in a form acceptable to the Commission, by such service bureau or other recordkeeping service to that effect.
For SCI entities other than SCI SROs, Rule 1005 specifically addresses recordkeeping requirements with respect to records relating to Regulation SCI compliance. The Commission believes that Rules 1005 and 1007 would allow Commission staff to perform efficient inspections and examinations of SCI entities for their compliance with Regulation SCI, and would increase the likelihood that Commission staff can identify conduct inconsistent with Regulation SCI at earlier stages in the inspection and examination process. Furthermore, as discussed in Section IV.C.1.a, although many SCI events may be resolved in a short time frame, there may be other SCI events that may not be discovered for an extended period of time after their occurrences, or may take significant periods of time to fully resolve. In such cases, having an SCI entity’s records available for a longer period of time or even after it has ceased to do business or be registered under the Exchange Act would be beneficial. Preserved information should provide the Commission with an additional source to help determine the causes and consequences of one or more SCI events and better understand how such events may have impacted trade execution, price discovery, liquidity, and investor participation. Consequently, the Commission believes that the requirements of Rules 1005 and 1007 would help ensure compliance with Regulation SCI and help realize the potential benefits (e.g., better pricing efficiency, price discovery, and liquidity flows) of the regulation.
As noted above, the breadth of Rule 17a–1 under the Exchange Act is such that it would require SCI SROs to make, keep, and preserve records relating to their compliance with Regulation SCI. Therefore, for SCI SROs, the incremental compliance costs associated with Rules 1005 and 1007 will be modest.2079 On the other hand, for SCI entities that are not SCI SROs, the recordkeeping requirements of Rules 1005 and 1007 will impose additional costs, including one-time cost to set up or modify an existing recordkeeping system to comply with Rules 1005 and 1007. The initial and ongoing compliance costs associated with the recordkeeping requirements are attributed to paperwork burdens, which are discussed in Section V.D.4 above.2080
2078 See supra Section IV.C.1.a (discussing recordkeeping requirements for SROs under Rule 17a–1).
2079 As noted above, it has been the experience of the Commission that SCI entities presently subject to the ARP Inspection Program generally keep and preserve the types of records that would be subject to the requirements of Rule 1005. Nearly all of these ARP participants are SCI SROs that are also subject to the recordkeeping requirements of Rule 17a–1.
2080 When monetized, the paperwork burden associated with all recordkeeping requirements would result in approximately $857,000 initially for all non-SRO SCI entities in the aggregate, and $27,000 annually for all non-SRO SCI entities in the aggregate.
Rule 1006 requires SCI entities to electronically file all written information to the Commission on Form SCI (except for notifications submitted pursuant to Rules 1002(b)(1) and (b)(3)). Rule 1006 should provide a uniform manner in which the Commission would receive—and SCI entities would provide—written notifications, reviews, descriptions, analyses, or reports required by Regulation SCI.2081 Rule 1006 should add efficiency for SCI entities in drafting and submitting the required reports, and for the Commission in reviewing, analyzing, and responding to the information provided.2082 All costs associated with Form SCI are attributed to paperwork burdens discussed in Section V. Every SCI entity will be required to have the ability to electronically submit Form SCI through the EFFS system, and every person designated to sign Form SCI will be required to have an electronic signature and a digital ID. Each SCI entity will also be required to submit documents attached as exhibits through the EFFS system in a text-searchable format, subject to a limited exception.2083 The Commission believes that requiring documents to be submitted in a text-searchable format, subject to a limited exception, is necessary to allow Commission staff to efficiently review and analyze information provided by SCI entities. Additionally, the Commission believes that this requirement will not impose an additional burden on SCI entities, as SCI entities likely already prepare documents in an electronic format that is text searchable or can readily be converted into a format that is text searchable.
The Commission also believes that many SCI entities currently have the ability to access the EFFS system and electronically submit Form SCI such that the requirement to submit Form SCI electronically will not impose significant new implementation or ongoing costs.2084 The Commission also believes that some of the persons who will be designated to sign Form SCI already have digital IDs and the ability to provide an electronic signature. To the extent that some persons do not have digital IDs, the additional cost to obtain and maintain digital IDs is accounted for in the paperwork burden.2085
2081 See Proposing Release, supra note 13, at 18129–30.
2082 See id. at 18130.
2083 As noted in Section IV.C.2, the General Instructions to Form SCI, Item A. specify that documents filed through the EFFS system must be in a text-searchable format without the use of optical character recognition, with a limited exception to allow for a portion of a Form SCI submission (e.g., an image or diagram) that cannot be made available in a text-searchable format to be submitted in a non-text-searchable format.
2084 The initial and ongoing costs associated with various electronic submissions of Form SCI are discussed in the Paperwork Reduction Act section above. See supra Section V.
As an alternative to the adopted electronic submission requirement, the Commission considered requiring data to be submitted in a tagged data format such as XBRL. Requiring reports to be filed in a tagged data format such as XBRL would likely permit faster and more efficient analysis of information disclosed in reports but would also likely impose additional compliance costs associated with tagging information in the narrative responses.
Rather than requiring the use of XBRL formatting for Form SCI, the Commission notes that certain fields in Sections I–III of Form SCI will require information provided by SCI entities to be in a format that will allow the Commission to gather information in a structured manner (e.g., the submission type and SCI event type in Section I). By collecting information on Form SCI in a way that allows the Commission to gather key information in a structured manner, the Commission believes it will be able to more efficiently review and process filings made on Form SCI. Moreover, gathering certain information in Sections I–III of Form SCI in a structured format should not result in an additional cost to SCI entities.
2085 See supra Section V.D.2.e.
VII. Regulatory Flexibility Act Certification
The Regulatory Flexibility Act (“RFA”) 2086 requires Federal agencies, in promulgating rules, to consider the impact of those rules on small entities. The Commission certified in the SCI Proposal, pursuant to Section 605(b) of the Regulatory Flexibility Act of 1980 (“RFA”),2087 that proposed Regulation SCI would not, if adopted, have a significant impact on a substantial number of small entities. The Commission received no comments on this certification.
2086 5 U.S.C. 601 et seq.
2087 5 U.S.C. 605(b).
A. SCI Entities
Paragraph (a) of Rule 0–10 provides that for purposes of the RFA, a small entity when used with reference to a “person” other than an investment company means a person that, on the last day of its most recent fiscal year, had total assets of $5 million or less.2088 With regard to broker-dealers, small entity means a broker or dealer that had total capital of less than $500,000 on the date in the prior fiscal year as of which its audited financial statements were prepared pursuant to Rule 17a–5(d) under the Exchange Act, or, if not required to file such statements, had total capital of less than $500,000 on the last business day of the preceding fiscal year (or in the time that it has been in business, if shorter), and that is not affiliated with any person (other than a natural person) that is not a small business or small organization.2089 With regard to clearing agencies, small entity means a clearing agency that compared, cleared, and settled less than $500 million in securities transactions during the preceding fiscal year (or in the time that it has been in business, if shorter), had less than $200 million of funds and securities in its custody or control at all times during the preceding fiscal year (or in the time that it has been in business, if shorter), and is not affiliated with any person (other than a natural person) that is not a small business or small organization.2090 With regard to exchanges, small entity means an exchange that has been exempt from the reporting requirements of Rule 601 under Regulation NMS, and is not affiliated with any person (other than a natural person) that is not a small business or small organization.2091 With regard to securities information processors, small entity means a securities information processor that had gross revenue of less than $10 million during the preceding fiscal year (or in the time it has been in business, if shorter), provided service to fewer than 100 interrogation devices or moving tickers at all times during the preceding fiscal year (or in the time it has been in business, if shorter), and is not affiliated with any person (that is not a natural person) that is not a small business or small organization.2092 Under the standards adopted by the Small Business Administration (“SBA”), entities engaged in financial investments and related activities are considered small entities if they have $35.5 million or less in average annual receipts.2093
2088 See 17 CFR 240.0–10(a).
2089 See 17 CFR 240.0–10(c).
2090 See 17 CFR 240.0–10(d).
2091 See 17 CFR 240.0–10(e).
2092 See 17 CFR 240.0–10(g).
2093 See SBA’s Table of Small Business Size Standards, Subsector 523 and 13 CFR 121.201. Such entities include firms engaged in investment banking and securities dealing, securities brokerage, commodity contracts dealing, commodity contracts brokerage, securities and commodity exchanges, miscellaneous intermediation, portfolio management, investment advice, trust, fiduciary and custody activities, and miscellaneous financial investment activities.
Based on the Commission’s existing information about the entities that will be subject to Regulation SCI, the Commission believes that SCI entities that are self-regulatory organizations (national securities exchanges, national securities associations, registered clearing agencies, and the MSRB) or exempt clearing agencies subject to ARP would not fall within the Commission’s definition of small entity as described above. With regard to plan processors, which are defined under Rule 600(b)(55) of Regulation NMS to mean a self-regulatory organization or securities information processor acting as an exclusive processor in connection with the development, implementation and/or operation of any facility contemplated by an effective NMS plan,2094 the Commission’s definition of small entity as it relates to self-regulatory organizations and securities information processors would apply. The Commission does not believe that any plan processor would be a small entity as defined above. With regard to SCI ATSs, because they are registered as broker-dealers, the Commission’s definition of small entity as it relates to broker-dealers would apply. The Commission does not believe that any of the SCI ATSs would be a small entity as defined above.
2094 See 17 CFR 242.600(b)(55).
B. Certification
For the foregoing reasons, the Commission again certifies that Regulation SCI will not have a significant economic impact on a substantial number of small entities.
VIII. Statutory Authority and Text of Amendments
Pursuant to the Exchange Act, 15 U.S.C. 78a et seq., and particularly, Sections 2, 3, 5, 6, 11A, 15, 15A, 17, 17A, 23(a), and 24 thereof, 15 U.S.C. 78b, 78c, 78e, 78f, 78k–1, 78o, 78o–3, 78q, 78q–1, 78x, and 78w(a), the Commission adopts Regulation SCI under the Exchange Act and Form SCI under the Exchange Act, and amends Regulation ATS and Rule 24b–2 under the Exchange Act.
List of Subjects in 17 CFR Parts 240, 242, and 249
Brokers; Confidential business information; Reporting and recordkeeping requirements; and Securities.
In accordance with the foregoing, Title 17, Chapter II of the Code of Federal Regulations is amended as follows:
PART 240—GENERAL RULES AND REGULATIONS, SECURITIES EXCHANGE ACT OF 1934
■ 1. The authority citation for part 240 continues to read in part as follows:
Authority: 15 U.S.C. 77c, 77d, 77g, 77j, 77s, 77z–2, 77z–3, 77eee, 77ggg, 77nnn, 77sss, 77ttt, 78c, 78c–3, 78c–5, 78d, 78e, 78f, 78g, 78i, 78j, 78j–1, 78k, 78k–1, 78l, 78m, 78n, 78n–1, 78o, 78o–4, 78o–10, 78p, 78q, 78q–1, 78s, 78u–5, 78w, 78x, 78ll, 78mm, 80a–20, 80a–23, 80a–29, 80a–37, 80b–3, 80b–4, 80b–11, 7201 et seq., and 8302; 7 U.S.C. 2(c)(2)(E); 12 U.S.C. 5221(e)(3); 18 U.S.C. 1350, unless otherwise noted.
* * * * *
■ 2. Amend § 240.24b–2 by:
■ a. After the words PRELIMINARY NOTE: Adding the words “Except as otherwise provided in this rule,” and revising the word “Confidential” to read “confidential”.
■ b. Adding at the beginning of paragraph (b) introductory text the words “Except as otherwise provided in paragraph (g) of this section,” and revising the word “The” to read “the”.
■ c. Adding paragraph (g).
The addition reads as follows:
§ 240.24b–2. Nondisclosure of information filed with the Commission and with any exchange.
* * * * *
(g) An SCI entity (as defined in § 242.1000 of this chapter) shall not omit the confidential portion from the material filed in electronic format on Form SCI pursuant to Regulation SCI, § 242.1000 et. seq., and, in lieu of the procedures described in paragraph (b) of this section, may request confidential treatment of all information provided on Form SCI by completing Section IV of Form SCI.
PART 242—REGULATIONS M, SHO, ATS, AC, NMS AND SCI AND CUSTOMER MARGIN REQUIREMENTS FOR SECURITY FUTURES
■ 3. The authority citation for part 242 continues to read as follows:
Authority: 15 U.S.C. 77g, 77q(a), 77s(a), 78b, 78c, 78g(c)(2), 78i(a), 78j, 78k–1(c), 78l, 78m, 78n, 78o(b), 78o(c), 78o(g), 78q(a), 78q(b), 78q(h), 78w(a), 78dd–1, 78mm, 80a–23, 80a–29, and 80a–37.
* * * * *
■ 4. The heading of part 242 is revised to read as set forth above.
§ 242.301 [Amended]
■ 5. Amend § 242.301 by removing paragraphs (b)(6)(i)(A) and (B) and redesignating paragraphs (b)(6)(i)(C) and (D) as paragraphs (b)(6)(i)(A) and (B), respectively.
■ 6. Add §§ 242.1000 through 242.1007 to read as follows:
Regulation SCI—Systems Compliance and Integrity
Sec.
242.1000 Definitions.
242.1001 Obligations related to policies and procedures of SCI entities.
242.1002 Obligations related to SCI events.
242.1003 Obligations related to systems changes; SCI review.
242.1004 SCI entity business continuity and disaster recovery plans testing requirements for members or participants.
242.1005 Recordkeeping requirements related to compliance with Regulation SCI.
242.1006 Electronic filing and submission.
242.1007 Requirements for service bureaus.
§ 242.1000 Definitions.
For purposes of Regulation SCI (§§ 242.1000 through 242.1007), the following definitions shall apply:
Critical SCI systems means any SCI systems of, or operated by or on behalf of, an SCI entity that:
(1) Directly support functionality relating to:
(i) Clearance and settlement systems of clearing agencies;
(ii) Openings, reopenings, and closings on the primary listing market;
(iii) Trading halts;
(iv) Initial public offerings;
(v) The provision of consolidated market data; or
(vi) Exclusively-listed securities; or
(2) Provide functionality to the securities markets for which the availability of alternatives is significantly limited or nonexistent and without which there would be a material impact on fair and orderly markets.
Electronic signature has the meaning set forth in § 240.19b–4(j) of this chapter.
Exempt clearing agency subject to ARP means an entity that has received from the Commission an exemption from registration as a clearing agency under Section 17A of the Act, and whose exemption contains conditions that relate to the Commission’s Automation Review Policies (ARP), or any Commission regulation that supersedes or replaces such policies.
Indirect SCI systems means any systems of, or operated by or on behalf of, an SCI entity that, if breached, would be reasonably likely to pose a security threat to SCI systems.
Major SCI event means an SCI event that has had, or the SCI entity reasonably estimates would have:
(1) Any impact on a critical SCI system; or
(2) A significant impact on the SCI entity’s operations or on market participants.
Plan processor has the meaning set forth in § 242.600(b)(55).
Responsible SCI personnel means, for a particular SCI system or indirect SCI system impacted by an SCI event, such senior manager(s) of the SCI entity having responsibility for such system, and their designee(s).
SCI alternative trading system or SCI ATS means an alternative trading system, as defined in § 242.300(a), which during at least four of the preceding six calendar months:
(1) Had with respect to NMS stocks:
(i) Five percent (5%) or more in any single NMS stock, and one-quarter percent (0.25%) or more in all NMS stocks, of the average daily dollar volume reported by applicable transaction reporting plans; or
(ii) One percent (1%) or more in all NMS stocks of the average daily dollar volume reported by applicable transaction reporting plans; or
(2) Had with respect to equity securities that are not NMS stocks and for which transactions are reported to a self-regulatory organization, five percent (5%) or more of the average daily dollar volume as calculated by the self-regulatory organization to which such transactions are reported;
(3) Provided, however, that such SCI ATS shall not be required to comply with the requirements of Regulation SCI until six months after satisfying any of paragraphs (a) or (b) of this section, as applicable, for the first time.
SCI entity means an SCI self-regulatory organization, SCI alternative trading system, plan processor, or exempt clearing agency subject to ARP.
SCI event means an event at an SCI entity that constitutes:
(1) A systems disruption;
(2) A systems compliance issue; or
(3) A systems intrusion.
SCI review means a review, following established procedures and standards, that is performed by objective personnel having appropriate experience to conduct reviews of SCI systems and indirect SCI systems, and which review contains:
(1) A risk assessment with respect to such systems of an SCI entity; and
(2) An assessment of internal control design and effectiveness of its SCI systems and indirect SCI systems to include logical and physical security controls, development processes, and information technology governance, consistent with industry standards.
SCI self-regulatory organization or SCI SRO means any national securities exchange, registered securities association, or registered clearing agency, or the Municipal Securities Rulemaking Board; provided however, that for purposes of this section, the term SCI self-regulatory organization shall not include an exchange that is notice registered with the Commission pursuant to 15 U.S.C. 78f(g) or a limited purpose national securities association registered with the Commission pursuant to 15 U.S.C. 78o–3(k).
SCI systems means all computer, network, electronic, technical, automated, or similar systems of, or operated by or on behalf of, an SCI entity that, with respect to securities, directly support trading, clearance and settlement, order routing, market data, market regulation, or market surveillance.
Senior management means, for purposes of Rule 1003(b), an SCI entity’s Chief Executive Officer, Chief Technology Officer, Chief Information Officer, General Counsel, and Chief Compliance Officer, or the equivalent of such employees or officers of an SCI entity.
Systems compliance issue means an event at an SCI entity that has caused any SCI system of such entity to operate in a manner that does not comply with the Act and the rules and regulations thereunder or the entity’s rules or governing documents, as applicable.
Systems disruption means an event in an SCI entity’s SCI systems that disrupts, or significantly degrades, the normal operation of an SCI system.
Systems intrusion means any unauthorized entry into the SCI systems or indirect SCI systems of an SCI entity.

§ 242.1001 Obligations related to policies and procedures of SCI entities.
(a) Capacity, integrity, resiliency, availability, and security.
(1) Each SCI entity shall establish, maintain, and enforce written policies and procedures reasonably designed to ensure that its SCI systems and, for purposes of security standards, indirect SCI systems, have levels of capacity, integrity, resiliency, availability, and security, adequate to maintain the SCI entity’s operational capability and promote the maintenance of fair and orderly markets.
(2) Policies and procedures required by paragraph (a)(1) of this section shall include, at a minimum:
(i) The establishment of reasonable current and future technological infrastructure capacity planning estimates;
(ii) Periodic capacity stress tests of such systems to determine their ability to process transactions in an accurate, timely, and efficient manner;
(iii) A program to review and keep current systems development and testing methodology for such systems;
(iv) Regular reviews and testing, as applicable, of such systems, including backup systems, to identify vulnerabilities pertaining to internal and external threats, physical hazards, and natural or manmade disasters;
(v) Business continuity and disaster recovery plans that include maintaining backup and recovery capabilities sufficiently resilient and geographically diverse and that are reasonably designed to achieve next business day resumption of trading and two-hour resumption of critical SCI systems following a widescale disruption;
(vi) Standards that result in such systems being designed, developed, tested, maintained, operated, and surveilled in a manner that facilitates the
successful collection, processing, and dissemination of market data; and
(vii) Monitoring of such systems to identify potential SCI events.
(3) Each SCI entity shall periodically review the effectiveness of the policies and procedures required by this paragraph (a), and take prompt action to remedy deficiencies in such policies and procedures.
(4) For purposes of this paragraph (a), such policies and procedures shall be deemed to be reasonably designed if they are consistent with current SCI industry standards, which shall be comprised of information technology practices that are widely available to information technology professionals in the financial sector and issued by an authoritative body that is a U.S. governmental entity or agency, association of U.S. governmental entities or agencies, or widely recognized organization. Compliance with such current SCI industry standards, however, shall not be the exclusive means to comply with the requirements of this paragraph (a).
(b) Systems compliance.
(1) Each SCI entity shall establish, maintain, and enforce written policies and procedures reasonably designed to ensure that its SCI systems operate in a manner that complies with the Act and the rules and regulations thereunder and the entity’s rules and governing documents, as applicable.
(2) Policies and procedures required by paragraph (b)(1) of this section shall include, at a minimum:
(i) Testing of all SCI systems and any changes to SCI systems prior to implementation;
(ii) A system of internal controls over changes to SCI systems;
(iii) A plan for assessments of the functionality of SCI systems designed to detect systems compliance issues, including by responsible SCI personnel and by personnel familiar with applicable provisions of the Act and the rules and regulations thereunder and the SCI entity’s rules and governing documents; and
(iv) A plan of coordination and communication between regulatory and other personnel of the SCI entity, including by responsible SCI personnel, regarding SCI systems design, changes, testing, and controls designed to detect and prevent systems compliance issues.
(3) Each SCI entity shall periodically review the effectiveness of the policies and procedures required by this paragraph (b), and take prompt action to remedy deficiencies in such policies and procedures.
(4) Safe harbor from liability for individuals. Personnel of an SCI entity shall be deemed not to have aided, abetted, counseled, commanded, caused, induced, or procured the violation by an SCI entity of this paragraph (b) if the person:
(i) Has reasonably discharged the duties and obligations incumbent upon such person by the SCI entity’s policies and procedures; and
(ii) Was without reasonable cause to believe that the policies and procedures relating to an SCI system for which such person was responsible, or had supervisory responsibility, were not established, maintained, or enforced in accordance with this paragraph (b) in any material respect.
(c) Responsible SCI personnel.
(1) Each SCI entity shall establish, maintain, and enforce reasonably designed written policies and procedures that include the criteria for identifying responsible SCI personnel, the designation and documentation of responsible SCI personnel, and escalation procedures to quickly inform responsible SCI personnel of potential SCI events.
(2) Each SCI entity shall periodically review the effectiveness of the policies and procedures required by paragraph (c)(1) of this section, and take prompt action to remedy deficiencies in such policies and procedures.

§ 242.1002 Obligations related to SCI events.
(a) Corrective action. Upon any responsible SCI personnel having a reasonable basis to conclude that an SCI event has occurred, each SCI entity shall begin to take appropriate corrective action which shall include, at a minimum, mitigating potential harm to investors and market integrity resulting from the SCI event and devoting adequate resources to remedy the SCI event as soon as reasonably practicable.
(b) Commission notification and recordkeeping of SCI events. Each SCI entity shall:
(1) Upon any responsible SCI personnel having a reasonable basis to conclude that an SCI event has occurred, notify the Commission of such SCI event immediately;
(2) Within 24 hours of any responsible SCI personnel having a reasonable basis to conclude that the SCI event has occurred, submit a written notification pertaining to such SCI event to the Commission, which shall be made on a good faith, best efforts basis and include:
(i) A description of the SCI event, including the system(s) affected; and
(ii) To the extent available as of the time of the notification: The SCI entity’s current assessment of the types and number of market participants potentially affected by the SCI event; the potential impact of the SCI event on the market; a description of the steps the SCI entity has taken, is taking, or plans to take, with respect to the SCI event; the time the SCI event was resolved or timeframe within which the SCI event is expected to be resolved; and any other pertinent information known by the SCI entity about the SCI event;
(3) Until such time as the SCI event is resolved and the SCI entity’s investigation of the SCI event is
closed, provide updates pertaining to such SCI event to the Commission on a regular basis, or at such frequency as reasonably requested by a representative of the Commission, to correct any materially incorrect information previously provided, or when new material information is discovered, including but not limited to, any of the information listed in paragraph (b)(2)(ii) of this section;
(4)(i)(A) If an SCI event is resolved and the SCI entity’s investigation of the SCI event is closed within 30 calendar days of the occurrence of the SCI event, then within five business days after the resolution of the SCI event and closure of the investigation regarding the SCI event, submit a final written notification pertaining to such SCI event to the Commission containing the information required in paragraph (b)(4)(ii) of this section.
(B)(1) If an SCI event is not resolved or the SCI entity’s investigation of the SCI event is not closed within 30 calendar days of the occurrence of the SCI event, then submit an interim written notification pertaining to such SCI event to the Commission within 30 calendar days after the occurrence of the SCI event containing the information required in paragraph (b)(4)(ii) of this section, to the extent known at the time.
(2) Within five business days after the resolution of such SCI event and closure of the investigation regarding such SCI event, submit a final written notification pertaining to such SCI event to the Commission containing the information required in paragraph (b)(4)(ii) of this section.
(ii) Written notifications required by paragraph (b)(4)(i) of this section shall include:
(A) A detailed description of: The SCI entity’s assessment of the types and number of market participants affected by the SCI event; the SCI entity’s assessment of the impact of the SCI event on the market; the steps the SCI entity has taken, is taking, or plans to take, with respect to the SCI event; the time the SCI event was resolved; the SCI entity’s rule(s) and/or governing document(s), as applicable, that relate to the SCI event; and any other pertinent information known by the SCI entity about the SCI event;
(B) A copy of any information disseminated pursuant to paragraph (c) of this section by the SCI entity to date regarding the SCI event to any of its members or participants; and
(C) An analysis of parties that may have experienced a loss, whether monetary or otherwise, due to the SCI event, the number of such parties, and an estimate of the aggregate amount of such loss.
(5) The requirements of paragraphs (b)(1) through (4) of this section shall not apply to any SCI event that has had, or the SCI entity reasonably estimates would have, no or a de minimis impact on the SCI entity’s operations or on market participants. For such events, each SCI entity shall:
(i) Make, keep, and preserve records relating to all such SCI events; and
(ii) Submit to the Commission a report, within 30 calendar days after the end of each calendar quarter, containing a summary description of such systems disruptions and systems intrusions, including the SCI systems and, for systems intrusions, indirect SCI systems, affected by such systems disruptions and systems intrusions during the applicable calendar quarter.
(c) Dissemination of SCI events.
(1) Each SCI entity shall:
(i) Promptly after any responsible SCI personnel has a reasonable basis to conclude that an SCI event that is a systems disruption or systems compliance issue has occurred, disseminate the following information about such SCI event:
(A) The system(s) affected by the SCI event; and
(B) A summary description of the SCI event; and
(ii) When known, promptly further disseminate the following information about such SCI event:
(A) A detailed description of the SCI event;
(B) The SCI entity’s current assessment of the types and number of market participants potentially affected by the SCI event; and
(C) A description of the progress of its corrective action for the SCI event and when the SCI event has been or is expected to be resolved; and
(iii) Until resolved, provide regular updates of any information required to be disseminated under paragraphs (c)(1)(i) and (ii) of this section.
(2) Each SCI entity shall, promptly after any responsible SCI personnel has a reasonable basis to conclude that a SCI event that is a systems intrusion has occurred, disseminate a summary description of the systems intrusion, including a description of the corrective action taken by the SCI entity and when the systems intrusion has been or is expected to be resolved, unless the SCI entity determines that dissemination of such information would likely compromise the security of the SCI entity’s SCI systems or indirect SCI systems, or an investigation of the systems intrusion, and documents the reasons for such determination.
(3) The information required to be disseminated under paragraphs (c)(1) and (2) of this section promptly after any responsible SCI personnel has a reasonable basis to conclude that an SCI event has occurred, shall be promptly disseminated by the SCI entity to those members or participants of the SCI entity that any responsible SCI personnel has reasonably estimated may have been affected by the SCI event, and promptly disseminated to any additional members or participants that any responsible SCI personnel subsequently reasonably estimates may have been affected by the SCI event; provided, however, that for major SCI events, the information required to be disseminated under paragraphs (c)(1) and (2) of this section shall be promptly disseminated by the SCI entity to all of its members or participants.
(4) The requirements of paragraphs (c)(1) through (3) of this section shall not apply to:
(i) SCI events to the extent they relate to market regulation or market surveillance systems; or
(ii) Any SCI event that has had, or the SCI entity reasonably estimates would have, no or a de minimis impact on the SCI entity’s operations or on market participants.

§ 242.1003 Obligations related to systems changes; SCI review.
(a) Systems changes. Each SCI entity shall:
(1) Within 30 calendar days after the end of each calendar quarter, submit to the Commission a report describing completed, ongoing, and planned material changes to its SCI systems and the security of indirect SCI systems, during the prior, current, and subsequent calendar quarters, including the dates or expected dates of commencement and completion. An SCI entity shall establish reasonable written criteria for identifying a change to its SCI systems and the security of indirect SCI systems as material and report such changes in accordance with such criteria.
(2) Promptly submit a supplemental report notifying the Commission of a material error in or material omission from a report previously submitted under this paragraph (a).
(b) SCI review. Each SCI entity shall:
(1) Conduct an SCI review of the SCI entity’s compliance with Regulation SCI not less than once each calendar year; provided, however, that:
(i) Penetration test reviews of the network, firewalls, and production systems shall be conducted at a frequency of not less than once every three years; and
(ii) Assessments of SCI systems directly supporting market regulation or market surveillance shall be conducted at a frequency based upon the risk assessment conducted as part of the SCI review, but in no case less than once every three years; and
(2) Submit a report of the SCI review required by paragraph (b)(1) of this section to senior management of the SCI entity for review no more than 30 calendar days after completion of such SCI review; and
(3) Submit to the Commission, and to the board of directors of the SCI entity or the equivalent of such board, a report of the SCI review required by paragraph (b)(1) of this section, together with any response by senior management, within 60 calendar days after its submission to senior management of the SCI entity.

§ 242.1004 SCI entity business continuity and disaster recovery plans testing requirements for members or participants.
With respect to an SCI entity’s business continuity and disaster recovery plans, including its backup systems, each SCI entity shall:
(a) Establish standards for the designation of those members or participants that the SCI entity reasonably determines are, taken as a whole, the minimum necessary for the maintenance of fair and orderly markets in the event of the activation of such plans;
(b) Designate members or participants pursuant to the standards established in paragraph (a) of this section and require participation by such designated members or participants in scheduled functional and performance testing of the operation of such plans, in the manner and frequency specified by the SCI entity, provided that such frequency shall not be less than once every 12 months; and
(c) Coordinate the testing of such plans on an industry- or sector-wide basis with other SCI entities.

§ 242.1005 Recordkeeping requirements related to compliance with Regulation SCI.
(a) An SCI SRO shall make, keep, and preserve all documents relating to its compliance with Regulation SCI as prescribed in § 240.17a–1 of this chapter.
(b) An SCI entity that is not an SCI SRO shall:
(1) Make, keep, and preserve at least one copy of all documents, including correspondence, memoranda, papers, books, notices, accounts, and other such records, relating to its compliance with Regulation SCI, including, but not limited to, records relating to any changes to its SCI systems and indirect SCI systems;
(2) Keep all such documents for a period of not less than five years, the first two years in a place that is readily accessible to the Commission or its representatives for inspection and examination; and
(3) Upon request of any representative of the Commission, promptly furnish to the possession of such representative copies of any documents required to be kept and preserved by it pursuant to paragraphs (b)(1) and (2) of this section.
(c) Upon or immediately prior to ceasing to do business or ceasing to be registered under the Securities Exchange Act of 1934, an SCI entity shall take all necessary action to ensure that the records required to be made, kept, and preserved by this section shall be accessible to the Commission and its representatives in the manner required by this section and for the remainder of the period required by this section.

§ 242.1006 Electronic filing and submission.
(a) Except with respect to notifications to the Commission made pursuant to § 242.1002(b)(1) or updates to the Commission made pursuant to paragraph § 242.1002(b)(3), any notification, review, description, analysis, or report to the Commission required to be submitted under Regulation SCI shall be filed electronically on Form SCI (§ 249.1900 of this chapter), include all information as prescribed in Form SCI and the instructions thereto, and contain an electronic signature; and
(b) The signatory to an electronically filed Form SCI shall manually sign a signature page or document, in the manner prescribed by Form SCI, authenticating, acknowledging, or otherwise adopting his or her signature that appears in typed form within the electronic filing. Such document shall be executed before or at the time Form SCI is electronically filed and shall be retained by the SCI entity in accordance with § 242.1005.

§ 242.1007 Requirements for service bureaus.
If records required to be filed or kept by an SCI entity under Regulation SCI are prepared or maintained by a service bureau or other recordkeeping service on behalf of the SCI entity, the SCI entity shall ensure that the records are available for review by the Commission and its representatives by submitting a written undertaking, in a form acceptable to the Commission, by such service bureau or other recordkeeping service, signed by a duly authorized person at such service bureau or other recordkeeping service. Such a written undertaking shall include an agreement by the service bureau to permit the Commission and its representatives to examine such records at any time or from time to time during business hours, and to promptly furnish to the Commission and its representatives true, correct, and current electronic files in a form acceptable to the Commission or its representatives or hard copies of any or all or any part of such records, upon request, periodically, or continuously and, in any case, within the same time periods as would apply to the SCI entity for such records. The preparation or maintenance of records by a service bureau or other recordkeeping service shall not relieve an SCI entity from its obligation to prepare, maintain, and provide the Commission and its representatives access to such records.

PART 249—FORMS, SECURITIES EXCHANGE ACT OF 1934
■ 7. The general authority citation for part 249 continues to read in part as follows:
Authority: 15 U.S.C. 78a et seq. and 7201; and 18 U.S.C. 1350 unless otherwise noted.
* * * * *
■ 8. Add subpart T, consisting of § 249.1900 to read as follows:

Subpart T—Form SCI, for filing notices and reports as required by Regulation SCI.

§ 249.1900. Form SCI, for filing notices and reports as required by Regulation SCI.
Form SCI shall be used to file notices and reports as required by Regulation SCI (§§ 242.1000 through 242.1007).
Note: The text of Form SCI does not, and the amendments will not, appear in the Code of Federal Regulations.

OMB Number:
Expiration Date:
Securities and Exchange Commission
Washington, DC 20549
Form SCI
Page 1 of ___
Estimated average burden hours per response:
File No. SCI-{name}-YYYY-###
SCI Notification and Reporting by: {SCI entity name}
Pursuant to Rules 1002 and 1003 of Regulation SCI under the Securities Exchange Act of 1934
[ ] Initial
[ ] Withdrawal

SECTION I: Rule 1002 - Commission Notification of SCI Event
A. Submission Type (select one only)
[ ] Rule 1002(b)(1) Initial Notification of SCI event
[ ] Rule 1002(b)(2) Notification of SCI event
[ ] Rule 1002(b)(3) Update of SCI event: ####
[ ] Rule 1002(b)(4) Final Report of SCI Event
[ ] Rule 1002(b)(4) Interim Status Report of SCI event
If filing a Rule 1002(b)(1) or Rule 1002(b)(3) submission, please provide a brief description:
B. SCI Event Type(s) (select all that apply)
[ ] Systems compliance issue
[ ] Systems disruption
[ ] Systems intrusion
C. General Information Required for (b)(2) filings.
1) Has the Commission previously been notified of the SCI event pursuant to 1002(b)(1)? yes/no
2) Date/time SCI event occurred: mm/dd/yyyy hh:mm am/pm
3) Duration of SCI event: hh:mm, or days
4) Please provide the date and time when a responsible SCI personnel had reasonable basis to conclude the SCI event occurred: mm/dd/yyyy hh:mm am/pm
5) Has the SCI event been resolved? yes/no
a) If yes, provide date and time of resolution: mm/dd/yyyy hh:mm am/pm
6) Is the investigation of the SCI event closed? yes/no
a) If yes, provide date of closure: mm/dd/yyyy
7) Estimated number of market participants potentially affected by the SCI event: ####
8) Is the SCI event a major SCI event (as defined in Rule 1000)? yes/no
D. Information about impacted systems:
Name(s) of system(s):
Type(s) of system(s) impacted by the SCI event (check all that apply):
[ ] Trading
[ ] Clearance and settlement
[ ] Order routing
[ ] Market data
[ ] Market regulation
[ ] Market surveillance
[ ] Indirect SCI systems (please describe):
Are any critical SCI systems impacted by the SCI event (check all that apply)? Yes/No
1) Systems that directly support functionality relating to:
[ ] Clearance and settlement systems of clearing agencies
[ ] Openings, reopenings, and closings on the primary listing market
[ ] Trading halts
[ ] The provision of consolidated market data
[ ] Initial public offerings
[ ] Exclusively-listed securities
2) [ ] Systems that provide functionality to the securities markets for which the availability of alternatives is significantly limited or nonexistent and without which there would be a material impact on fair and orderly markets (please describe):

SECTION II: Periodic Reporting (select one only)
A. Quarterly Reports: For the quarter ended: mm/dd/yyyy
[ ] Rule 1002(b)(5)(ii): Quarterly report of systems disruptions and systems intrusions with no or a de minimis impact.
[ ] Rule 1003(a)(1): Quarterly report of material systems changes
[ ] Rule 1003(a)(2): Supplemental report of material systems changes
B. SCI Review Reports
[ ] Rule 1003(b)(3): Report of SCI review, together with any response by senior management
Date of completion of SCI review: mm/dd/yyyy
Date of submission of SCI review to senior management: mm/dd/yyyy

Exhibit 1: Rule 1002(b)(2) Notification of SCI Event. Add/Remove/View
Within 24 hours of any responsible SCI personnel having a reasonable basis to conclude that the SCI event has occurred, the SCI entity shall submit a written notification pertaining to such SCI event to the Commission, which shall be made on a good faith, best efforts basis and include: (a) a description of the SCI event, including the system(s) affected; and (b) to the extent available as of the time of the notification: The SCI entity’s current assessment of the types and number of market participants potentially affected by the SCI event; the potential impact of the SCI event on the market; a description of the steps the SCI entity has taken, is taking, or plans to take, with respect to the SCI event; the time the SCI event was resolved or timeframe within which the SCI event is expected to be resolved; and any other pertinent information known by the SCI entity about the SCI event.

Exhibit 2: Rule 1002(b)(4) Final or Interim Report of SCI Event. Add/Remove/View
When submitting a final report pursuant to either Rule 1002(b)(4)(i)(A) or Rule 1002(b)(4)(i)(B)(2), the SCI entity shall include: (a) a detailed description of: The SCI entity’s assessment of the types and number of market participants affected by the SCI event; the SCI entity’s assessment of the impact of the SCI event on the market; the steps the SCI entity has taken, is taking, or plans to take, with respect to the SCI event; the time the SCI event was resolved; the SCI entity’s rule(s) and/or governing document(s), as applicable, that relate to the SCI event; and any other pertinent information known by the SCI entity about the SCI event; (b) a copy of any information disseminated pursuant to Rule 1002(c) by the SCI entity to date regarding the SCI event to any of its members or participants; and (c) an analysis of parties that may have experienced a loss, whether monetary or otherwise, due to the SCI event, the number of such parties, and an estimate of the aggregate amount of such loss. When submitting an interim report pursuant to Rule 1002(b)(4)(i)(B)(1), the SCI entity shall include such information to the extent known at the time.

Exhibit 3: Rule 1002(b)(5)(ii) Quarterly Report of De Minimis SCI Events. Add/Remove/View
The SCI entity shall submit a report, within 30 calendar days after the end of each calendar quarter, containing a summary description of systems disruptions and systems intrusions that have had, or the SCI entity reasonably estimates would have, no or a de minimis impact on the SCI entity’s operations or on market participants, including the SCI systems and, for systems intrusions, indirect SCI systems, affected by such SCI events during the applicable calendar quarter.

Exhibit 4: Rule 1003(a) Quarterly Report of Systems Changes. Add/Remove/View
When submitting a report pursuant to Rule 1003(a)(1), the SCI entity shall provide a report, within 30 calendar days after the end of each calendar quarter, describing completed, ongoing, and planned material changes to its SCI systems and the security of indirect SCI systems, during the prior, current, and subsequent calendar quarters, including the dates or expected dates of commencement and completion. An SCI entity shall establish reasonable written criteria for identifying a change to its SCI systems and the security of indirect SCI systems as material and report such changes in accordance with such criteria. When submitting a report pursuant to Rule 1003(a)(2), the SCI entity shall provide a supplemental report of a material error in or material omission from a report previously submitted under Rule 1003(a)(1).

Exhibit 5: Rule 1003(b)(3) Report of SCI review. Add/Remove/View
The SCI entity shall provide a report of the SCI review, together with any response by senior management, within 60 calendar days after its submission to senior management of the SCI entity.

Exhibit 6: Optional Attachments. Add/Remove/View
This exhibit may be used in order to attach other documents that the SCI entity may wish to submit as part of a Rule 1002(b)(1) initial notification submission or Rule 1002(b)(3) update submission.

General Instructions for Form SCI

A. Use of the Form
Except with respect to notifications to the Commission made pursuant to Rule 1002(b)(1) or updates to the Commission made pursuant to Rule 1002(b)(3), any notification, review, description, analysis, or report required to be submitted pursuant to Regulation SCI under the Securities Exchange Act of 1934 (‘‘Act’’) shall be filed in an electronic format through an electronic form filing system (‘‘EFFS’’), a secure Web site operated by the Securities and Exchange Commission (‘‘Commission’’).
Documents attached as exhibits filed through the EFFS system must be in a text-searchable format without the use of optical character recognition. If, however, a portion of a Form SCI submission (e.g., an image or diagram) cannot be made available in a text-searchable format, such portion may be submitted in a non-text searchable format.

B. Need for Careful Preparation of the Completed Form, Including Exhibits

This form, including the exhibits, is intended to elicit information necessary for Commission staff to work with SCI self-regulatory organizations, SCI alternative trading systems, plan processors, and exempt clearing agencies subject to ARP (collectively, “SCI entities”) to ensure the capacity, integrity, resiliency, availability, security, and compliance of their automated systems. An SCI entity must provide all the information required by the form, including the exhibits, and must present the information in a clear and comprehensible manner. A filing that is incomplete or similarly deficient may be returned to the SCI entity. Any filing so returned shall for all purposes be deemed not to have been filed with the Commission. See also Rule 0–3 under the Act (17 CFR 240.0–3).

C. When To Use the Form

Form SCI is comprised of six types of required submissions to the Commission pursuant to Rules 1002 and 1003. In addition, Form SCI permits SCI entities to submit to the Commission two additional types of submissions pursuant to Rules 1002(b)(1) and 1002(b)(3); however, SCI entities are not required to use Form SCI for these two types of submissions to the Commission. In filling out Form SCI, an SCI entity shall select the type of filing and provide all information required by Regulation SCI specific to that type of filing.
The first two types of required submissions relate to Commission notification of certain SCI events: (1) “Rule 1002(b)(2) Notification of SCI Event” submissions for notifications regarding systems disruptions, systems compliance issues, or systems intrusions (collectively, “SCI events”), other than any systems disruption or systems intrusion that has had, or the SCI entity reasonably estimates would have, no or a de minimis impact on the SCI entity’s operations or on market participants; and (2) “Rule 1002(b)(4) Final or Interim Report of SCI Event” submissions, of which there are two kinds (a final report under Rule 1002(b)(4)(i)(A) or Rule 1002(b)(4)(i)(B)(2); or an interim status report under Rule 1002(b)(4)(i)(B)(1)).

The other four types of required submissions are periodic reports, and include: (1) “Rule 1002(b)(5)(ii)” submissions for quarterly reports of systems disruptions and systems intrusions which have had, or the SCI entity reasonably estimates would have, no or a de minimis impact on the SCI entity’s operations or on market participants (“de minimis SCI events”); (2) “Rule 1003(a)(1)” submissions for quarterly reports of material systems changes; (3) “Rule 1003(a)(2)” submissions for supplemental reports of material systems changes; and (4) “Rule 1003(b)(3)” submissions for reports of SCI reviews.

Required Submissions for SCI Events

For 1002(b)(2) submissions, an SCI entity must notify the Commission using Form SCI by selecting the appropriate box in Section I and filling out all information required by the form, including Exhibit 1. 1002(b)(2) submissions must be submitted within 24 hours of any responsible SCI personnel having a reasonable basis to conclude that an SCI event has occurred.
For 1002(b)(4) submissions, if an SCI event is resolved and the SCI entity’s investigation of the SCI event is closed within 30 calendar days of the occurrence of the SCI event, an SCI entity must file a final report under Rule 1002(b)(4)(i)(A) within five business days after the resolution of the SCI event and closure of the investigation regarding the SCI event. However, if an SCI event is not resolved or the SCI entity’s investigation of the SCI event is not closed within 30 calendar days of the occurrence of the SCI event, an SCI entity must file an interim status report under Rule 1002(b)(4)(i)(B)(1) within 30 calendar days after the occurrence of the SCI event. For SCI events in which an interim status report is required to be filed, an SCI entity must file a final report under Rule 1002(b)(4)(i)(B)(2) within five business days after the resolution of the SCI event and closure of the investigation regarding the SCI event. For 1002(b)(4) submissions, an SCI entity must notify the Commission using Form SCI by selecting the appropriate box in Section I and filling out all information required by the form, including Exhibit 2.

Required Submissions for Periodic Reporting

For 1002(b)(5)(ii) submissions, an SCI entity must submit quarterly reports of systems disruptions and systems intrusions which have had, or the SCI entity reasonably estimates would have, no or a de minimis impact on the SCI entity’s operations or on market participants. The SCI entity must select the appropriate box in Section II and fill out all information required by the form, including Exhibit 3.

For 1003(a)(1) submissions, an SCI entity must submit its quarterly report of material systems changes to the Commission using Form SCI.
The SCI entity must select the appropriate box in Section II and fill out all information required by the form, including Exhibit 4.

Filings made pursuant to Rule 1002(b)(5)(ii) and Rule 1003(a)(1) must be submitted to the Commission within 30 calendar days after the end of each calendar quarter (i.e., March 31st, June 30th, September 30th and December 31st) of each year.

For 1003(a)(2) submissions, an SCI entity must submit a supplemental report notifying the Commission of a material error in or material omission from a report previously submitted under Rule 1003(a). The SCI entity must select the appropriate box in Section II and fill out all information required by the form, including Exhibit 4.

For 1003(b)(3) submissions, an SCI entity must submit its report of its SCI review, together with any response by senior management, to the Commission using Form SCI. A 1003(b)(3) submission is required within 60 calendar days after the report of the SCI review has been submitted to senior management of the SCI entity. The SCI entity must select the appropriate box in Section II and fill out all information required by the form, including Exhibit 5.

Optional Submissions

An SCI entity may, but is not required to, use Form SCI to submit a notification pursuant to Rule 1002(b)(1). If the SCI entity uses Form SCI to submit a notification pursuant to Rule 1002(b)(1), it must select the appropriate box in Section I and provide a short description of the SCI event. Documents may also be attached as Exhibit 6 if the SCI entity chooses to do so.

An SCI entity may, but is not required to, use Form SCI to submit an update pursuant to Rule 1002(b)(3).
Rule 1002(b)(3) requires an SCI entity to, until such time as the SCI event is resolved and the SCI entity’s investigation of the SCI event is closed, provide updates pertaining to such SCI event to the Commission on a regular basis, or at such frequency as reasonably requested by a representative of the Commission, to correct any materially incorrect information previously provided, or when new material information is discovered, including but not limited to, any of the information listed in Rule 1002(b)(2)(ii). If the SCI entity uses Form SCI to submit an update pursuant to Rule 1002(b)(3), it must select the appropriate box in Section I and provide a short description of the SCI event. Documents may also be attached as Exhibit 6 if the SCI entity chooses to do so.

D. Documents Comprising the Completed Form

The completed form filed with the Commission shall consist of Form SCI, responses to all applicable items, and any exhibits required in connection with the filing. Each filing shall be marked on Form SCI with the initials of the SCI entity, the four-digit year, and the number of the filing for the year (e.g., SCI Name-YYYY–XXX).

E. Contact Information; Signature; and Filing of the Completed Form

Each time an SCI entity submits a filing to the Commission on Form SCI, the SCI entity must provide the contact information required by Section III of Form SCI. Space for additional contact information, if appropriate, is also provided.

All notifications and reports required to be submitted through Form SCI shall be filed through the EFFS. In order to file Form SCI through the EFFS, SCI entities must request access to the Commission’s External Application Server by completing a request for an external account user ID and password. Initial requests will be received by contacting (202) 551–5777.
An email will be sent to the requestor that will provide a link to a secure Web site where basic profile information will be requested. A duly authorized individual of the SCI entity shall electronically sign the completed Form SCI as indicated in Section IV of the form. In addition, a duly authorized individual of the SCI entity shall manually sign one copy of the completed Form SCI, and the manually signed signature page shall be preserved pursuant to the requirements of Rule 1005.

F. Withdrawals of Commission Notifications and Periodic Reports

If an SCI entity determines to withdraw a Form SCI, it must complete Page 1 of the Form SCI and indicate by selecting the appropriate check box to withdraw the submission.

G. Paperwork Reduction Act Disclosure

This collection of information will be reviewed by the Office of Management and Budget in accordance with the clearance requirements of 44 U.S.C. 3507. An agency may not conduct or sponsor, and a person is not required to respond to, a collection of information unless it displays a currently valid control number. The Commission estimates that the average burden to respond to Form SCI will be between one and 125 hours, depending upon the purpose for which the form is being filed. Any member of the public may direct to the Commission any comments concerning the accuracy of this burden estimate and any suggestions for reducing this burden.

Except with respect to notifications to the Commission made pursuant to Rule 1002(b)(1) or updates to the Commission made pursuant to Rule 1002(b)(3), it is mandatory that an SCI entity file all notifications, reviews, descriptions, analyses, and reports required by Regulation SCI using Form SCI. The Commission will keep the information collected pursuant to Form SCI confidential to the extent permitted by law. Subject to the provisions of the Freedom of Information Act, 5 U.S.C.
522 (“FOIA”), and the Commission’s rules thereunder (17 CFR 200.80(b)(4)(iii)), the Commission does not generally publish or make available information contained in any reports, summaries, analyses, letters, or memoranda arising out of, in anticipation of, or in connection with an examination or inspection of the books and records of any person or any other investigation.

H. Exhibits

List of exhibits to be filed, as applicable:

Exhibit 1: Rule 1002(b)(2)—Notification of SCI Event. Within 24 hours of any responsible SCI personnel having a reasonable basis to conclude that the SCI event has occurred, the SCI entity shall submit a written notification pertaining to such SCI event to the Commission, which shall be made on a good faith, best efforts basis and include: (a) A description of the SCI event, including the system(s) affected; and (b) to the extent available as of the time of the notification: the SCI entity’s current assessment of the types and number of market participants potentially affected by the SCI event; the potential impact of the SCI event on the market; a description of the steps the SCI entity has taken, is taking, or plans to take, with respect to the SCI event; the time the SCI event was resolved or timeframe within which the SCI event is expected to be resolved; and any other pertinent information known by the SCI entity about the SCI event.

Exhibit 2: Rule 1002(b)(4)—Final or Interim Report of SCI Event. When submitting a final report pursuant to either Rule 1002(b)(4)(i)(A) or Rule 1002(b)(4)(i)(B)(2), the SCI entity shall include: (a) A detailed description of:
The SCI entity’s assessment of the types and number of market participants affected by the SCI event; the SCI entity’s assessment of the impact of the SCI event on the market; the steps the SCI entity has taken, is taking, or plans to take, with respect to the SCI event; the time the SCI event was resolved; the SCI entity’s rule(s) and/or governing document(s), as applicable, that relate to the SCI event; and any other pertinent information known by the SCI entity about the SCI event; (b) a copy of any information disseminated pursuant to Rule 1002(c) by the SCI entity to date regarding the SCI event to any of its members or participants; and (c) an analysis of parties that may have experienced a loss, whether monetary or otherwise, due to the SCI event, the number of such parties, and an estimate of the aggregate amount of such loss. When submitting an interim report pursuant to Rule 1002(b)(4)(i)(B)(1), the SCI entity shall include such information to the extent known at the time.

Exhibit 3: Rule 1002(b)(5)(ii)—Quarterly Report of De Minimis SCI Events. The SCI entity shall submit a report, within 30 calendar days after the end of each calendar quarter, containing a summary description of systems disruptions and systems intrusions that have had, or the SCI entity reasonably estimates would have, no or a de minimis impact on the SCI entity’s operations or on market participants, including the SCI systems and, for systems intrusions, indirect SCI systems, affected by such SCI events during the applicable calendar quarter.

Exhibit 4: Rule 1003(a)—Quarterly Report of Systems Changes.
When submitting a report pursuant to Rule 1003(a)(1), the SCI entity shall provide a report, within 30 calendar days after the end of each calendar quarter, describing completed, ongoing, and planned material changes to its SCI systems and the security of indirect SCI systems, during the prior, current, and subsequent calendar quarters, including the dates or expected dates of commencement and completion. An SCI entity shall establish reasonable written criteria for identifying a change to its SCI systems and the security of indirect SCI systems as material and report such changes in accordance with such criteria. When submitting a report pursuant to Rule 1003(a)(2), the SCI entity shall provide a supplemental report of a material error in or material omission from a report previously submitted under Rule 1003(a); provided, however, that a supplemental report is not required if information regarding a material systems change is or will be provided as part of a notification made pursuant to Rule 1002(b).

Exhibit 5: Rule 1003(b)(3)—Report of SCI Review. The SCI entity shall provide a report of the SCI review, together with any response by senior management, within 60 calendar days after its submission to senior management of the SCI entity.

Exhibit 6: Optional Attachments. This exhibit may be used in order to attach other documents that the SCI entity may wish to submit as part of a Rule 1002(b)(1) initial notification submission or Rule 1002(b)(3) update submission.

I. Explanation of Terms

Critical SCI systems means any SCI systems of, or operated by or on behalf of, an SCI entity that: (1) directly support functionality relating to: (i) clearance and settlement systems of clearing agencies; (ii) openings, reopenings, and closings on the primary listing market; (iii) trading halts; (iv) initial public offerings; (v) the provision of consolidated market data; or (vi) exclusively-listed securities; or (2) provide functionality to the securities markets for which the availability of alternatives is significantly limited or nonexistent and without which there would be a material impact on fair and orderly markets.

Indirect SCI systems means any systems of, or operated by or on behalf of, an SCI entity that, if breached, would be reasonably likely to pose a security threat to SCI systems.

Major SCI event means an SCI event that has had, or the SCI entity reasonably estimates would have: (1) Any impact on a critical SCI system; or (2) a significant impact on the SCI entity’s operations or on market participants.

Responsible SCI personnel means, for a particular SCI system or indirect SCI system impacted by an SCI event, such senior manager(s) of the SCI entity having responsibility for such system, and their designee(s).

SCI entity means an SCI self-regulatory organization, SCI alternative trading system, plan processor, or exempt clearing agency subject to ARP.

SCI event means an event at an SCI entity that constitutes: (1) A systems disruption; (2) a systems compliance issue; or (3) a systems intrusion.
SCI review means a review, following established procedures and standards, that is performed by objective personnel having appropriate experience to conduct reviews of SCI systems and indirect SCI systems, and which review contains: (1) A risk assessment with respect to such systems of an SCI entity; and (2) an assessment of internal control design and effectiveness of its SCI systems and indirect SCI systems to include logical and physical security controls, development processes, and information technology governance, consistent with industry standards.

SCI systems means all computer, network, electronic, technical, automated, or similar systems of, or operated by or on behalf of, an SCI entity that, with respect to securities, directly support trading, clearance and settlement, order routing, market data, market regulation, or market surveillance.

Systems Compliance Issue means an event at an SCI entity that has caused any SCI system of such entity to operate in a manner that does not comply with the Act and the rules and regulations thereunder or the entity’s rules or governing documents, as applicable.

Systems Disruption means an event in an SCI entity’s SCI systems that disrupts, or significantly degrades, the normal operation of an SCI system.

Systems Intrusion means any unauthorized entry into the SCI systems or indirect SCI systems of an SCI entity.

By the Commission.

Dated: November 19, 2014.

Brent J. Fields, Secretary.

Exhibit A

Key to Comment Letters Cited in Regulation SCI Adopting Release (File No. S7–01–13)

Letter from Charles V. Rossi, President, The Securities Transfer Association, Inc. to Elizabeth Murphy, Secretary, Commission, dated April 3, 2013 (“STA Letter”)
Letter from John J.
Rapa, President/Chief Executive Officer, Tellefsen and Company, L.L.C., Northborough, Massachusetts to Elizabeth Murphy, Commission, dated April 19, 2013 (“Tellefsen Letter”)
Letter from Cynthia Fuller, Executive Director, on behalf of Accredited Standards Committee X9, Inc. Financial Industry Standards to the Commission, dated May 23, 2013 (“X9 Letter”)
Letter from Scott Cooper, Vice President, Government Relations and Public Policy, American National Standards Institute to the Commission, dated May 23, 2013 (“ANSI Letter”)
Letter from James J. Angel, Ph.D., CFA, Visiting Associate Professor, The Wharton School, University of Pennsylvania to the Commission, dated June 3, 2013 (“Angel Letter”)
Letter from Raymond M. Tierney III, President and Chief Executive Officer, Bloomberg Tradebook LLC to Elizabeth Murphy, Secretary, Commission, dated June 19, 2013 (“Tradebook Letter”)
Letter from Jay M. Goldstone, Chairman, Municipal Securities Rulemaking Board, Alexandria, Virginia to Elizabeth Murphy, Secretary, Commission, dated June 28, 2013 (“MSRB Letter”)
Letter from Thomas V. D’Ambrosio, Chairman, Committee on Futures and Derivatives, New York City Bar Association to Elizabeth Murphy, Secretary, Commission, dated July 1, 2013 (“NYC Bar Letter”)
Letter from Richard M. Whiting, Executive Director and General Counsel, The Financial Services Roundtable to Elizabeth Murphy, Secretary, Commission, dated July 5, 2013 (“FSR Letter”)
Letter from Rob Flatley, Chief Executive Officer and President, CoreOne Technologies to Elizabeth Murphy, Secretary, Commission, dated July 8, 2013 (“CoreOne Letter”)
Letter from Manisha Kimmel, Executive Director, Financial Information Forum to Elizabeth Murphy, Secretary, Commission, dated July 8, 2013 (“FIF Letter”)
Letter from Larry E.
Thompson, Managing Director and General Counsel, The Depository Trust Clearing Corporation to Elizabeth Murphy, Secretary, Commission, dated July 8, 2013 (“DTCC Letter”)
Letter from Raymond Tamayo, Chief Information Officer, Options Clearing Corporation to Elizabeth Murphy, Secretary, Commission, dated July 8, 2013 (“OCC Letter”)
Letter from Timothy J. Mahoney, CEO, BIDS Trading, L.P., New York, New York to Elizabeth Murphy, Secretary, Commission, dated July 8, 2013 (“BIDS Letter”)
Letter from Michael Simon, Secretary, International Securities Exchange, LLC to Elizabeth Murphy, Secretary, Commission, dated July 8, 2013 (“ISE Letter”)
Letter from Courtney D. McGuinn, Operations Director, FIX Protocol Ltd., New York, New York to Elizabeth Murphy, Secretary, Commission, dated July 8, 2013 (“FIX Letter”)
Letter from R.T. Leuchtkafer to Elizabeth Murphy, Secretary, Commission, dated July 8, 2013 (“Leuchtkafer Letter”)
Letter from Dennis M. Kelleher, President & CEO; Stephen W. Hall, Securities Specialist; Katelynn O. Bradley, Attorney; and David Frenk, Director of Research; Better Markets, Inc. to Elizabeth Murphy, Secretary, Commission, dated July 8, 2013 (“Better Markets Letter”)
Letter from Lev Lesokhin, Executive Vice President, Strategy and Markets, CAST, Inc., New York, New York to the Commission, dated July 8, 2013 (“CAST Letter”)
Letter from Robert J. McCarthy, Director of Regulatory Policy, Wells Fargo Advisors to Elizabeth Murphy, Secretary, Commission, dated July 8, 2013 (“Wells Fargo Letter”)
Letter from Marcia E. Asquith, Senior Vice President and Corporate Secretary, FINRA to Elizabeth Murphy, Secretary, Commission, dated July 8, 2013 (“FINRA Letter”)
Letter from Dr.
Bill Curtis, Director, Consortium for IT Software Quality to Elizabeth Murphy, Secretary, Commission, dated July 8, 2013 (“CISQ Letter”)
Letter from Howard Meyerson, General Counsel, Liquidnet, Inc., New York, New York to the Commission, dated July 8, 2013 (“Liquidnet Letter”)
Letter from David T. Bellaire, Esq., Executive Vice President and General Counsel, Financial Services Institute, Washington, District of Columbia to Elizabeth Murphy, Secretary, Commission, dated July 8, 2013 (“FSI Letter”)
Letter from Scott C. Goebel, General Counsel, Fidelity Management and Research Co., Boston, Massachusetts to Elizabeth Murphy, Secretary, Commission, dated July 8, 2013 (“Fidelity Letter”)
Letter from Joseph Adamczyk, Executive Director, Associate General Counsel, CME Group Inc. to Elizabeth Murphy, Secretary, Commission, dated July 8, 2013 (“CME Letter”)
Letter from Norman M. Reed, Omgeo LLC, New York, New York to Elizabeth Murphy, Secretary, Commission, dated July 8, 2013 (“Omgeo Letter”)
Letter from David Lauer, Market Structure and Technology Architecture Consultant, Step Ahead Technologies, LLC to Elizabeth Murphy, Secretary, Commission, dated July 8, 2013 (“Lauer Letter”)
Letter from Theodore R. Lazo, Managing Director and Associate General Counsel, SIFMA to Elizabeth Murphy, Secretary, Commission, dated July 8, 2013 (“SIFMA Letter”)
Letter from Jeffrey Wallis, Managing Partner, SunGard Consulting Services, New York, New York to Elizabeth Murphy, Secretary, Commission, dated July 8, 2013 (“SunGard Letter”)
Letter from Janet McGinness, EVP & Corporate Secretary, NYSE Euronext to Elizabeth Murphy, Secretary, Commission, dated July 9, 2013 (“NYSE Letter”)
Letter from Eric J.
Swanson, Secretary, BATS Global Markets to Elizabeth Murphy, Secretary, Commission, dated July 10, 2013 (“BATS Letter”)
Letter from Mary Ann Burns, Futures Industry Association Principal Traders Group, Washington, District of Columbia to Elizabeth Murphy, Secretary, Commission, dated July 11, 2013 (“FIA PTG Letter”)
Letter from James P. Selway, III, P. Mats Goebels and Sudhanshu Arya, ITG Inc. to Elizabeth Murphy, Secretary, Commission, dated July 11, 2013 (“ITG Letter”)
Letter from Karrie McMillan, General Counsel, Investment Company Institute to Elizabeth Murphy, Secretary, Commission, dated July 12, 2013 (“ICI Letter”)
Letter from Stuart J. Kaswell, Executive Vice President & Managing Director, Managed Funds Association, and Jiří Król, Deputy CEO, Head of Government and Regulatory Affairs, Alternative Investment Management Association to Elizabeth Murphy, Secretary, Commission, dated July 17, 2013 (“MFA Letter”)
Letter from Anthony J. Saliba, Chief Executive Officer, LiquidPoint, LLC to Elizabeth Murphy, Secretary, Commission, dated July 22, 2013 (“LiquidPoint Letter”)
Letter from Elizabeth K. King, Global Head of Regulatory Affairs, KCG Holdings, Inc., Jersey City, New Jersey to Elizabeth Murphy, Secretary, Commission, dated July 25, 2013 (“KCG Letter”)
Letter from Roger Anerella, Managing Director, Global Head of Securities Execution Services, UBS Investment Bank to Elizabeth Murphy, Secretary, Commission, dated July 26, 2013 (“UBS Letter”)
Letter from Eric Swanson, SVP, General Counsel and Secretary, BATS Global Markets, Inc., et al. to Elizabeth Murphy, Secretary, Commission, dated July 30, 2013 (“Joint SROs Letter”)
Letter from Thomas S. Vales, Chief Executive Officer, TMC Bonds LLC to Elizabeth Murphy, Secretary, Commission, dated August 6, 2013 (“TMC Bonds Letter”)
Letter from James J.
Angel, Ph.D., CFA, Visiting Associate Professor, The Wharton School, University of Pennsylvania to the Commission, dated September 3, 2013 (“Angel2 Letter”)
Letter from Benjamin R. Londergan, Chief Executive Officer, Group One Trading L.P. to Elizabeth Murphy, Secretary, Commission, dated September 3, 2013 (“Group One Letter”)
Letter from Ari Gabinet, Executive Vice President and General Counsel, OFI Global Asset Management to Elizabeth Murphy, Secretary, Commission, dated September 9, 2013 (“Oppenheimer Letter”)
Letter from Daniel Zinn, General Counsel, OTC Markets Group Inc. to Elizabeth Murphy, Secretary, Commission, dated September 12, 2013 (“OTC Markets Letter”)
Letter from Dr. Bill Curtis, Director, Consortium for IT Software Quality to Elizabeth Murphy, Secretary, Commission, dated September 17, 2013 (“CISQ2 Letter”)
Letter from William O’Brien, Chief Executive Officer, Direct Edge Holdings to Elizabeth M. Murphy, Secretary, Commission, dated September 25, 2013 (“Direct Edge Letter”)
Letter from Richie Prager, Managing Director, Head of Trading & Liquidity Strategies, Hubert De Jesus, Managing Director, Co-Head of Market Structure & Electronic Trading, Supurna Vedbrat, Managing Director, Co-Head of Market Structure & Electronic Trading, and Joanne Medero, Managing Director, Government Relations & Public Policy, BlackRock, Inc. to Mary Jo White, Chair, Commission, dated September 12, 2014 (“BlackRock Letter”).

[FR Doc. 2014–27767 Filed 12–4–14; 8:45 am]


[Federal Register Volume 79, Number 234 (Friday, December 5, 2014)]
[Rules and Regulations]
[Pages 72251-72447]
From the Federal Register Online via the Government Printing Office [www.gpo.gov]
[FR Doc No: 2014-27767]



[[Page 72251]]

Vol. 79, No. 234
Friday, December 5, 2014

Part II

Securities and Exchange Commission

-----------------------------------------------------------------------

17 CFR Parts 240, 242, and 249

Regulation Systems Compliance and Integrity; Final Rule

[[Page 72252]]


-----------------------------------------------------------------------

SECURITIES AND EXCHANGE COMMISSION

17 CFR Parts 240, 242, and 249

[Release No. 34-73639; File No. S7-01-13]
RIN 3235-AL43


Regulation Systems Compliance and Integrity

AGENCY: Securities and Exchange Commission.

ACTION: Final rule and form; final rule amendment; technical amendment.

-----------------------------------------------------------------------

SUMMARY: The Securities and Exchange Commission (``Commission'') is 
adopting new Regulation Systems Compliance and Integrity (``Regulation 
SCI'') under the Securities Exchange Act of 1934 (``Exchange Act'') and 
conforming amendments to Regulation ATS under the Exchange Act. 
Regulation SCI will apply to certain self-regulatory organizations 
(including registered clearing agencies), alternative trading systems 
(``ATSs''), plan processors, and exempt clearing agencies 
(collectively, ``SCI entities''), and will require these SCI entities 
to comply with requirements with respect to the automated systems 
central to the performance of their regulated activities.

DATES: Effective date: February 3, 2015.
    Compliance date: The applicable compliance dates are discussed in 
Section IV.F of this release.

FOR FURTHER INFORMATION CONTACT: David Liu, Senior Special Counsel, 
Office of Market Supervision, at (312) 353-6265, Heidi Pilpel, Senior 
Special Counsel, Office of Market Supervision, at (202) 551-5666, Sara 
Hawkins, Special Counsel, Office of Market Supervision, at (202) 551-5523, 
Yue Ding, Special Counsel, Office of Market Supervision, at (202) 
551-5842, David Garcia, Special Counsel, Office of Market Supervision, 
at (202) 551-5681, and Elizabeth C. Badawy, Senior Accountant, Office 
of Market Supervision, at (202) 551-5612, Division of Trading and 
Markets, Securities and Exchange Commission, 100 F Street NE., 
Washington, DC 20549-7010.

SUPPLEMENTARY INFORMATION: Regulation SCI will, with regard to SCI 
entities, supersede and replace the Commission's current Automation 
Review Policy (``ARP''), established by the Commission's two policy 
statements, each titled ``Automated Systems of Self-Regulatory 
Organizations,'' issued in 1989 and 1991.\1\ Regulation SCI also will 
supersede and replace aspects of those policy statements codified in 
Rule 301(b)(6) under the Exchange Act, applicable to significant-volume 
ATSs that trade NMS stocks and non-NMS stocks.\2\ Regulation SCI will 
require SCI entities to establish written policies and procedures 
reasonably designed to ensure that their systems have levels of 
capacity, integrity, resiliency, availability, and security adequate to 
maintain their operational capability and promote the maintenance of 
fair and orderly markets, and that they operate in a manner that 
complies with the Exchange Act. It will also require SCI entities to 
mandate participation by designated members or participants in 
scheduled testing of the operation of their business continuity and 
disaster recovery plans, including backup systems, and to coordinate 
such testing on an industry- or sector-wide basis with other SCI 
entities. In addition, Regulation SCI will require SCI entities to take 
corrective action with respect to SCI events (defined to include 
systems disruptions, systems compliance issues, and systems 
intrusions), and notify the Commission of such events. Regulation SCI 
will further require SCI entities to disseminate information about 
certain SCI events to affected members or participants and, for certain 
major SCI events, to all members or participants of the SCI entity. In 
addition, Regulation SCI will require SCI entities to conduct a review 
of their systems by objective, qualified personnel at least annually, 
submit quarterly reports regarding completed, ongoing, and planned 
material changes to their SCI systems to the Commission, and maintain 
certain books and records. Finally, the Commission also is adopting 
modifications to the volume thresholds in Regulation ATS \3\ for 
significant-volume ATSs that trade NMS stocks and non-NMS stocks, 
applying them to SCI ATSs (as defined below), and moving this standard 
from Regulation ATS to adopted Regulation SCI for these asset classes.
---------------------------------------------------------------------------

    \1\ See Securities Exchange Act Release Nos. 27445 (November 16, 
1989), 54 FR 48703 (November 24, 1989) (``ARP I Release'' or ``ARP 
I'') and 29185 (May 9, 1991), 56 FR 22490 (May 15, 1991) (``ARP II 
Release'' or ``ARP II'' and, together with ARP I, the ``ARP Policy 
Statements'').
    \2\ See 17 CFR 242.301(b)(6). See also Securities Exchange Act 
Release No. 40760 (December 8, 1998), 63 FR 70844 (December 22, 
1998) (``ATS Release'').
    \3\ 17 CFR 242.300-303 (``Regulation ATS'').
---------------------------------------------------------------------------

Table of Contents

I. Introduction
II. Background
    A. Automation Review Policy Inspection Program
    B. Recent Events
III. Overview
IV. Description of Adopted Regulation SCI and Form SCI
    A. Definitions Establishing the Scope of Regulation SCI--Rule 
1000
    1. SCI Entities
    a. SCI Self-Regulatory Organization or SCI SRO
    b. SCI Alternative Trading System
    c. Plan Processor
    d. Exempt Clearing Agency Subject to ARP
    2. SCI Systems, Critical SCI Systems, and Indirect SCI Systems
    a. Overview
    b. SCI Systems
    c. Critical SCI Systems
    d. Indirect SCI Systems (Proposed as ``SCI Security Systems'')
    3. SCI Events
    a. Systems Disruption
    b. Systems Compliance Issue
    c. Systems Intrusion
    B. Obligations of SCI Entities--Rules 1001-1004
    1. Policies and Procedures to Achieve Capacity, Integrity, 
Resiliency, Availability and Security--Rule 1001(a)
    2. Policies and Procedures to Achieve Systems Compliance--Rule 
1001(b)
    3. SCI Events: Corrective Action; Commission Notification; 
Dissemination of Information--Rule 1002
    a. Triggering Standard
    b. Corrective Action--Rule 1002(a)
    c. Commission Notification--Rule 1002(b)
    d. Dissemination of Information--Rule 1002(c)
    4. Notification of Systems Changes--Rule 1003(a)
    5. SCI Review--Rule 1003(b)
    6. SCI Entity Business Continuity and Disaster Recovery Plans 
Testing Requirements for Members or Participants--Rule 1004
    C. Recordkeeping, Electronic Filing on Form SCI, and Access--
Rules 1005-1007
    1. Recordkeeping--Rules 1005-1007
    2. Electronic Filing and Submission of Reports, Notifications, 
and Other Communications--Rule 1006
    3. Access to the Systems of an SCI Entity
    D. Form SCI
    E. Other Comments Received
    F. Effective Date and Compliance Dates
V. Paperwork Reduction Act
VI. Economic Analysis
VII. Regulatory Flexibility Act Certification
VIII. Statutory Authority and Text of Amendments

I. Introduction

    The U.S. securities markets attract a wide variety of issuers and 
broad investor participation, and are essential for capital formation, 
job creation, and economic growth, both domestically and across the 
globe. The U.S. securities markets have been transformed by regulatory 
and related technological developments in recent years. They have, 
among other things, substantially enhanced the speed, capacity, 
efficiency, and sophistication of the trading functions that are 
available to market participants.\4\ At the same time, these technological advances 
have generated an increasing risk of operational problems with 
automated systems, including failures, disruptions, delays, and 
intrusions. Given the speed and interconnected nature of the U.S. 
securities markets, a seemingly minor systems problem at a single 
entity can quickly create losses and liability for market participants, 
and spread rapidly across the national market system, potentially 
creating widespread damage and harm to market participants, including 
investors.
---------------------------------------------------------------------------

    \4\ See Securities Exchange Act Release No. 61358 (January 14, 
2010), 75 FR 3594, 3598 (January 21, 2010) (Concept Release on 
Equity Market Structure).
---------------------------------------------------------------------------

    This transformation of the U.S. securities markets has occurred in 
the absence of a formal regulatory structure governing the automated 
systems of key market participants. Instead, for over two decades, 
Commission oversight of the technology of the U.S. securities markets 
has been conducted primarily pursuant to a voluntary set of principles 
articulated in the Commission's ARP Policy Statements,\5\ applied 
through the Commission's Automation Review Policy inspection program 
(``ARP Inspection Program'').\6\
---------------------------------------------------------------------------

    \5\ While participation in the ARP Inspection Program is 
voluntary, the underpinnings of ARP I and ARP II are rooted in 
Exchange Act requirements. See infra notes 7-12 and accompanying 
text.
    \6\ See infra Section II.A (discussing the ARP Inspection 
Program). See also supra note 1. The ARP Inspection Program has 
historically been administered by the Commission's Division of 
Trading and Markets. In February 2014, to consolidate the inspection 
function of the group with the Commission's Office of Compliance 
Inspections and Examinations (``OCIE''), the ARP Inspection Program 
was transitioned to OCIE and has been renamed the Technology 
Controls Program (``TCP''). However, for ease of reference to the 
historical ARP Inspection Program, relevant portions of the SCI 
Proposal, and references in comment letters, this Release will 
continue to use the terms ARP, ARP Inspection Program, and ARP 
staff, unless the context otherwise requires.
---------------------------------------------------------------------------

    Section 11A(a)(2) of the Exchange Act,\7\ enacted as part of the 
Securities Acts Amendments of 1975 (``1975 Amendments''),\8\ directs 
the Commission, having due regard for the public interest, the 
protection of investors, and the maintenance of fair and orderly 
markets, to use its authority under the Exchange Act to facilitate the 
establishment of a national market system for securities in accordance 
with the Congressional findings and objectives set forth in Section 
11A(a)(1) of the Exchange Act.\9\ Among the findings and objectives in 
Section 11A(a)(1) is that ``[n]ew data processing and communications 
techniques create the opportunity for more efficient and effective 
market operations'' \10\ and ``[i]t is in the public interest and 
appropriate for the protection of investors and the maintenance of fair 
and orderly markets to assure . . . the economically efficient 
execution of securities transactions.'' \11\ In addition, Sections 
6(b), 15A, and 17A(b)(3) of the Exchange Act impose obligations on 
national securities exchanges, national securities associations, and 
clearing agencies, respectively, to be ``so organized'' and ``[have] 
the capacity to . . . carry out the purposes of [the Exchange Act].'' 
\12\
---------------------------------------------------------------------------

    \7\ 15 U.S.C. 78k-1(a)(2).
    \8\ Pub. L. 94-29, 89 Stat. 97 (1975).
    \9\ 15 U.S.C. 78k-1(a)(1).
    \10\ Section 11A(a)(1)(B) of the Exchange Act, 15 U.S.C. 
78k-1(a)(1)(B).
    \11\ Section 11A(a)(1)(C)(i) of the Exchange Act, 15 U.S.C. 
78k-1(a)(1)(C)(i).
    \12\ See Sections 6(b)(1), 15A(b)(2), and 17A(b)(3) of the 
Exchange Act, 15 U.S.C. 78f(b)(1), 78o-3(b)(2), 78q-1(b)(3), 
respectively. See also Section 2 of the Exchange Act, 15 U.S.C. 78b, 
and Section 19 of the Exchange Act, 15 U.S.C. 78s.
---------------------------------------------------------------------------

    In March 2013, the Commission proposed Regulation Systems 
Compliance and Integrity (``Regulation SCI'') \13\ to require certain 
key market participants to, among other things: (1) Have comprehensive 
policies and procedures in place to help ensure the robustness and 
resiliency of their technological systems, and also that their 
technological systems operate in compliance with the federal securities 
laws and with their own rules; and (2) provide certain notices and 
reports to the Commission to improve Commission oversight of securities 
market infrastructure. As discussed in further detail below and in the 
SCI Proposal, Regulation SCI was proposed to update, formalize, and 
expand the Commission's ARP Inspection Program, and, with respect to 
SCI entities, to supersede and replace the Commission's ARP Policy 
Statements and rules regarding systems capacity, integrity and security 
in Rule 301(b)(6) of Regulation ATS.\14\
---------------------------------------------------------------------------

    \13\ Securities Exchange Act Release No. 69077 (March 8, 2013), 
78 FR 18083 (March 25, 2013) (``Proposing Release'' or ``SCI 
Proposal'').
    \14\ See 17 CFR 242.301(b)(6) and ATS Release, supra note 2.
---------------------------------------------------------------------------

    A confluence of factors contributed to the Commission's proposal of 
Regulation SCI and to the Commission's current determination that it is 
necessary and appropriate at this time to address the technological 
vulnerabilities, and improve Commission oversight, of the core 
technology of key U.S. securities markets entities, including national 
securities exchanges and associations, significant alternative trading 
systems, clearing agencies, and plan processors. These considerations 
include: the evolution of the markets to become significantly more 
dependent upon sophisticated, complex and interconnected technology; 
the current successes and limitations of the ARP Inspection Program; a 
significant number of, and lessons learned from, recent systems issues 
at exchanges and other trading venues; \15\ increased concerns over 
``single points of failure'' in the securities markets; \16\ and the 
views of a wide variety of commenters received in response to the SCI 
Proposal.
---------------------------------------------------------------------------

    \15\ See Proposing Release, supra note 13, at 18085-91 for a 
further discussion of these developments and infra Section II.B 
(discussing recent events related to technology issues). In 
addition, prior to issuing the Proposing Release, in October 2012 
the Commission convened a roundtable entitled ``Technology and 
Trading: Promoting Stability in Today's Markets'' (``Technology 
Roundtable''). The Technology Roundtable examined the relationship 
between the operational stability and integrity of the securities 
market and the ways in which market participants design, implement, 
and manage complex and interconnected trading technologies. See 
Securities Exchange Act Release No. 67802 (September 7, 2012), 77 FR 
56697 (September 13, 2012) (File No. 4-652) and Technology 
Roundtable Transcript, available at: https://www.sec.gov/news/otherwebcasts/2012/ttr100212-transcript.pdf. A webcast of the 
Roundtable is available at: www.sec.gov/news/otherwebcasts/2012/ttr100212.shtml. As noted in the Proposing Release, the Commission 
believes that the information presented at the Technology Roundtable 
further highlighted that quality standards, testing, and improved 
response mechanisms are among the issues needing very thoughtful and 
focused attention in today's securities markets. See Proposing 
Release, supra note 13, at 18090-91 for further discussion of the 
Technology Roundtable.
    \16\ See infra Section IV.A.2.c (discussing single points of 
failure in the securities markets in conjunction with the adopted 
term ``critical SCI system'').
---------------------------------------------------------------------------

    The Commission received 60 comment letters on the proposal from 
national securities exchanges, registered securities associations, 
registered clearing agencies, ATSs, broker-dealers, institutional and 
individual investors, industry trade groups, software and technology 
vendors, and academics.\17\ Commenters generally supported the goals of 
the proposal, but as further discussed below, some expressed concern 
about various specific elements of the proposal, and recommended 
certain modifications or clarifications.
---------------------------------------------------------------------------

    \17\ Comments received on the proposal are available on the 
Commission's Web site, available at: https://www.sec.gov/comments/s7-01-13/s70113.shtml. See Exhibit A for a citation key to the comment 
letters cited in this release.
     Upon request from some commenters, the Commission extended the 
comment period for an additional 45 days in order to give the public 
additional time to comment on the matters addressed by the SCI 
Proposal. See Securities Exchange Act Release No. 69606 (May 20, 
2013), 78 FR 30803 (May 23, 2013).
---------------------------------------------------------------------------

    After careful review and consideration of the comment letters, the 
Commission is adopting Regulation SCI (``Rule'') and Form SCI 
(``Form'') with certain modifications from the SCI Proposal, as 
discussed below, to respond to concerns expressed by commenters and 
upon further consideration by the Commission of the more appropriate 
approach to further the goals of the national market system by 
strengthening the technology infrastructure of the U.S. securities 
markets.

II. Background

A. Automation Review Policy Inspection Program

    For over two decades, the Commission's ARP Inspection Program has 
helped the Commission oversee the technology infrastructure of the U.S. 
securities markets. This voluntary information technology review 
program was developed by staff of the Commission to implement the 
Commission's ARP Policy Statements issued in 1989 and 1991.\18\ Through 
these Policy Statements, the Commission articulated its views on the 
steps that SROs should take with regard to their automated systems, set 
forth recommendations for how SROs should conduct independent reviews, 
and provided that SROs should notify the Commission of material systems 
changes and significant systems problems.\19\ In 1998, the Commission 
adopted Regulation ATS which, among other things, imposed by rule 
certain aspects of the ARP Policy Statements on significant-volume 
ATSs.\20\ Further, Commission staff subsequently provided additional 
guidance regarding various aspects of the ARP Inspection Program 
through letters to ARP entities, including recommendations regarding 
reporting planned systems changes and systems issues to the 
Commission.\21\
---------------------------------------------------------------------------

    \18\ See ARP Policy Statements, supra note 1. For a detailed 
discussion of the ARP Policy Statements, see Proposing Release, 
supra note 13, at 18085-86.
    \19\ See ARP Policy Statements, supra note 1.
    \20\ See 17 CFR 242.301(b)(6) and ATS Release, supra note 2.
    \21\ In June 2001, staff from the Division of Market Regulation 
sent a letter to the SROs and other participants in the ARP 
Inspection Program regarding Guidance for Systems Outage and System 
Change Notifications (``2001 Staff ARP Interpretive Letter''). See 
Proposing Release, supra note 13, at 18087, n. 35. The 2001 Staff 
ARP Interpretive Letter is available at: https://www.sec.gov/divisions/marketreg/sroautomation.shtml.
---------------------------------------------------------------------------

    Under the ARP Inspection Program, Commission staff (``ARP staff'') 
conducts inspections of the trading and related systems of national 
securities exchanges and associations, certain ATSs, clearing agencies, 
and plan processors (collectively ``ARP entities''), attends periodic 
technology briefings by ARP entities, monitors planned significant 
system changes, and responds to reports of system failures, 
disruptions, and other systems problems of ARP entities. The goal of 
the ARP inspections is to evaluate whether an ARP entity's controls 
over its information technology resources in nine general areas, or 
information technology ``domains,'' \22\ are consistent with ARP and 
industry guidelines. Such guidelines are identified by ARP staff from a 
variety of information technology publications that ARP staff believes 
reflect industry standards for securities market participants.\23\ At 
the conclusion of an ARP inspection, ARP staff typically issues a 
report to the ARP entity with an assessment of the ARP entity's 
information technology program for its key systems, including any 
recommendations for improvement.\24\
---------------------------------------------------------------------------

    \22\ These information technology ``domains'' include: 
application controls; capacity planning; computer operations and 
production environment controls; contingency planning; information 
security and networking; audit; outsourcing; physical security; and 
systems development methodology. Each domain itself contains 
subcategories. For example, ``contingency planning'' includes 
business continuity, disaster recovery, and pandemic planning, among 
other things. See id. at 18086.
    \23\ See id. at 18086-87.
    \24\ In addition, Commission staff conducts inspections of SROs, 
as part of the Commission's oversight of them. Unlike ARP 
inspections, however, which focus on information technology 
controls, such Commission staff primarily conducts risk-based 
examinations of securities exchanges, FINRA, and other SROs to 
evaluate whether they and their member firms are complying with the 
Exchange Act, the rules thereunder, and SRO rules, as applicable. As 
part of the Commission's oversight of the SROs, Commission staff 
also reviews systems compliance issues reported to Commission staff. 
The information gained from the Commission staff review of reported 
systems compliance issues helps to inform its examination 
risk-assessments for SROs. See id. at 18087.
---------------------------------------------------------------------------

    Because the ARP Inspection Program was established pursuant to 
Commission policy statements rather than Commission rules, 
participation in and compliance with the ARP Inspection Program by ARP 
entities is voluntary. As such, despite its general success in working 
with SROs to improve their automated systems, there are certain 
limitations with the ARP Inspection Program. In particular, because of 
the voluntary nature of the ARP Inspection Program, the Commission is 
constrained in its ability to assure compliance with ARP standards. The 
Government Accountability Office (``GAO'') has identified the voluntary 
nature of the ARP Inspection Program as a limitation and recommended 
that the Commission make compliance with ARP guidelines mandatory.\25\ 
In addition, as more fully discussed in the SCI Proposal, the evolution 
of the U.S. securities markets in recent years to become almost 
entirely electronic and highly dependent on sophisticated trading and 
other technology, including complex and interconnected routing, market 
data, regulatory, surveillance and other systems, has posed challenges 
for the ARP Inspection Program.\26\
---------------------------------------------------------------------------

    \25\ See GAO, Financial Market Preparedness: Improvements Made, 
but More Action Needed to Prepare for Wide-Scale Disasters, Report 
No. GAO-04-984 (September 27, 2004). GAO cited instances in which 
the GAO believed that entities participating in the ARP Inspection 
Program failed to adequately address or implement ARP staff 
recommendations as the reasoning behind its recommendation to make 
compliance with ARP guidelines mandatory.
    \26\ See Proposing Release, supra note 13, at 18087-89.
---------------------------------------------------------------------------

B. Recent Events

    A series of high-profile recent events involving systems-related 
issues further highlights the need for market participants to bolster 
the operational integrity of their automated systems in this area. In 
the SCI Proposal, the Commission identified several systems problems 
experienced by SROs and ATSs that garnered significant public attention 
and illustrated the types and risks of systems issues affecting today's 
markets.\27\ Since Regulation SCI's proposal in March 2013, additional 
systems problems among market participants have occurred, further 
underscoring the importance of bolstering the robustness of U.S. market 
infrastructure to help ensure its stability, integrity, and resiliency.
---------------------------------------------------------------------------

    \27\ See id. at 18089-90. The Proposing Release also discussed 
the effects of Superstorm Sandy on the U.S. securities exchanges, 
noting certain weaknesses in business continuity and disaster 
recovery planning that were highlighted by the event. See id. at 
18091.
---------------------------------------------------------------------------

    In particular, since Regulation SCI's proposal, disruptions have 
continued to occur across a variety of market participants. For 
example, with respect to the options markets, some exchanges have 
delayed the opening of trading,\28\ halted trading,\29\ or experienced 
other errors as a result of systems 
issues,\30\ and trading in options was halted due to a systems issue 
with the securities information processor for options market 
information.\31\ Systems issues have also impacted consolidated market 
data in the equities markets, including one incident that led to a 
trading halt in all securities listed on a particular exchange.\32\ 
Systems issues have also affected trading off of national securities 
exchanges, including an incident where FINRA halted trading in all OTC 
equity securities due to a lack of availability of quotation 
information resulting from a connectivity issue experienced by an 
ATS.\33\ Systems issues during this time have not been limited to 
systems disruptions, but have also included allegations of systems 
compliance issues.\34\
---------------------------------------------------------------------------

    \28\ On April 25, 2013, the Chicago Board Options Exchange, Inc. 
(``CBOE'') delayed the opening of trading on its exchange for over 
three hours due to what CBOE described as an internal ``software 
bug.'' See CBOE Information Circular IC13-036, April 29, 2013, 
available at: https://www.cboe.com/publish/InfoCir/IC13-036.pdf. 
During this time, while trading in many products was able to 
continue on the other options exchanges, trading was completely 
halted for those products that are singly-listed on CBOE, including 
options on the S&P 500 Index and the CBOE Volatility Index 
(``VIX''). Trading was able to resume by approximately 1:00 p.m. ET, 
though some residual systems problems continued. Specifically, 
certain auction mechanisms were unavailable for the remainder of the 
day and some of the trade data from April 25 was erroneously 
re-transmitted to OCC on April 26. See id. and CBOE System Status 
notifications for April 25, 2013, available at: https://www.cboe.com/aboutcboe/systemstatus/search.aspx. CBOE subsequently reported that 
preliminary staging work related to a planned reconfiguration of 
CBOE's systems in preparation for extended trading hours on the CBOE 
Futures Exchange and CBOE options exchange ``exposed and triggered a 
design flaw in the existing messaging infrastructure 
configuration.'' See CBOE Information Circular IC13-036, April 29, 
2013, available at: https://www.cboe.com/publish/InfoCir/IC13-036.pdf.
    \29\ On November 1, 2013, Nasdaq halted trading on the Nasdaq 
Options Market (``NOM'') for more than five hours through the close 
of the trading day. Nasdaq stated that the halt was a result of ``a 
significant increase in order entries which inhibited the system's 
ability to accept orders and disseminate quotes on a subset of 
symbols.'' As Nasdaq stated, Nasdaq determined that it was in the 
best interest of market participants and investors to cancel all 
orders on the NOM book and continue the market halt through the 
close. See Nasdaq Market System Status Updates for November 1, 2013, 
available at: https://www.nasdaqtrader.com/Trader.aspx?id=MarketSystemStatusSearch.
    \30\ On April 29, 2014, NYSE Arca and NYSE Amex Options 
experienced a systems issue that resulted in numerous complex orders 
booking at incorrect prices. In some cases, this resulted in 
erroneous fill reports, all of which were subsequently nullified. 
See Trader Update to All NYSE Amex Options and NYSE Arca Options 
Participants, ``Erroneous Complex Order Executions,'' dated April 
29, 2014, available at: https://www1.nyse.com/pdfs/2014_04_29_NYSE_Amex_and_Arca_Options_Erroneous_Complex_Order_Executions.pdf.
    \31\ On September 16, 2013, options market trading was halted 
for approximately 20 minutes due to a systems issue with the Options 
Price Reporting Authority (``OPRA''), the securities information 
processor for options market information that disseminates option 
quotation and last sale information to market data vendors. OPRA 
reported that it experienced problems processing quotes as a result 
of a software issue originating from a limited rollout of certain 
software upgrades. See Notice to All OPRA Market Data Recipients 
from OPRA, LLC, dated September 18, 2013, available at: https://www.opradata.com/specs/16-sept-2013-opra-outage.pdf.
    \32\ On August 22, 2013, the NASDAQ Stock Market LLC 
(``Nasdaq'') halted trading in all Nasdaq-listed securities for more 
than three hours after the Nasdaq UTP Securities Information 
Processor (``SIP''), the single source of consolidated market data 
for Nasdaq-listed securities, was unable to process quotes from 
exchanges for dissemination to the public. According to Nasdaq, a 
sequence of events created a spike in message traffic volume into 
the SIP exceeding the SIP's capacity and causing the system to fail. 
Nasdaq cited ``more than 20 connect and disconnect sequences from 
NYSE Arca'' and a ``stream of quotes for inaccurate symbols from 
NYSE Arca'' as events contributing to the systems problem. Nasdaq 
noted that the stream of messages, which was 26 times greater than 
usual activity, degraded the system and exceeded its capacity, 
ultimately resulting in the failure. Nasdaq stated that these events 
exposed a flaw in the SIP's software code which prevented a 
successful failover to the backup system. See ``NASDAQ OMX Provides 
Updates on Events of August 22, 2013,'' by NASDAQ OMX (August 29, 
2013), available at: https://www.nasdaqomx.com/newsroom/pressreleases/pressrelease?messageId=1204807&displayLanguage=en; and 
Nasdaq Market System Status notifications for August 22, 2013, 
available at: https://www.nasdaqtrader.com/Trader.aspx?id=MarketSystemStatusSearch.
    Nasdaq experienced another outage related to the SIP on 
September 4, 2013. This incident lasted only several minutes and 
affected only a subset of Nasdaq-listed securities. See ``NASDAQ OMX 
Issues Statement on the Securities Information Processor,'' by 
NASDAQ OMX (September 4, 2013), available at: https://ir.nasdaqomx.com/releasedetail.cfm?ReleaseID=788700.
    The SIP consolidates quotation information and transaction 
reports from market centers and disseminates such consolidated 
information to market participants pursuant to the 
Commission-approved Joint Self-Regulatory Organization Plan Governing the 
Collection, Consolidation and Dissemination of Quotation and 
Transaction Information for Nasdaq-Listed Securities Traded on 
Exchanges on an Unlisted Trading Privilege Basis, available at: 
https://www.utpplan.com/. See generally Rule 608 of Regulation NMS, 
17 CFR 242.608 (``Filing and amendment of national market system 
plans'').
     More recently, on October 30, 2014, according to the NYSE, a 
network hardware failure impacted the Consolidated Tape System, 
Consolidated Quote System, and Options Price Reporting Authority 
data feeds at the primary data center. Exchanges experienced issues 
publishing and receiving trades and quotes as a result. After 
investigation of the issue, the Securities Industry Automation 
Corporation (``SIAC'') (the processor for the affected data feeds) 
switched over to the secondary data center for these data feeds and 
normal processing subsequently resumed. The exchanges then connected 
to the secondary data center as provided for in SIAC's business 
continuity plan. See ``Service Advisory--CTA Update,'' by NYSE 
(October 30, 2014), available at: https://markets.nyx.com/nyse/market-status/view/13467 and ``NMS SIP market wide issue,'' by NYSE 
(October 30, 2014), available at: https://markets.nyx.com/nyse/market-status/view/13465.
    \33\ On November 7, 2013, FINRA halted trading for over 3\1/2\ 
hours in all OTC equity securities due to a lack of availability of 
quotation information resulting from a connectivity issue 
experienced by OTC Markets Group Inc.'s OTC Link ATS. See ``Market-
Wide Quotation and Trading Halt for all OTC Equity Securities,'' 
FINRA Uniform Practice Advisory, UPC #47-13, November 7, 2013, 
available at: https://www.finra.org/web/groups/industry/@ip/@comp/@mt/documents/upcnotices/p381590.pdf; ``Quotation and Trading Halt 
for OTC Equity Securities,'' FINRA Uniform Practice Advisory, UPC 
#48-13, November 7, 2013, available at: https://www.finra.org/web/groups/industry/@ip/@comp/@mt/documents/upcnotices/p381593.pdf; 
``OTC Markets Group Issues Statement on OTC Link® ATS Trading 
on November 7, 2013,'' OTC Disclosure & News Service, November 7, 
2013, available at: https://www.otcmarkets.com/stock/OTCM/news/OTC-Markets-Group-Issues-Statement-on-OTC-Linkreg-ATS-Trading-on-November-7-2013?id=71144. OTC Markets Group subsequently reported 
that a network outage at one of its core network providers caused 
the lack of connectivity to its primary data center in New Jersey. 
See ``OTC Markets Group Issues Statement on OTC Link® ATS 
Trading on November 7, 2013,'' OTC Disclosure & News Service, 
November 7, 2013, available at: https://www.otcmarkets.com/stock/OTCM/news/OTC-Markets-Group-Issues-Statement-on-OTC-Linkreg-ATS-Trading-on-November-7-2013?id=71144.
    \34\ For example, in June 2013, the Commission charged CBOE and 
its affiliate (C2 Options Exchange, Incorporated (``C2'')) for 
various systemic breakdowns in their regulatory and compliance 
responsibilities as self-regulatory organizations, including failure 
to enforce the federal securities laws and Commission rules. See 
Securities Exchange Act Release No. 69726, In the Matter of Chicago 
Board Options Exchange, Incorporated and C2 Options Exchange, 
Incorporated (settled action: June 11, 2013), available at: https://www.sec.gov/litigation/admin/2013/34-69726.pdf (``CBOE Order''). 
CBOE and C2 consented to an Order Instituting Administrative and 
Cease-and-Desist Proceedings Pursuant to Sections 19(h) and 21C of 
the Securities Exchange Act of 1934, Making Findings, and Imposing 
Sanctions and a Cease-and-Desist Order. In the CBOE Order, among 
other charges, the Commission stated that ``CBOE's automated 
surveillance programs for manually handled trades were ineffective'' 
and that ``CBOE failed to maintain a reliable or accurate audit 
trail of orders'' on its trading facility. See id. at 11, 13.
    In addition, in May 2014, the Commission sanctioned the New York 
Stock Exchange LLC (``NYSE'') and two of its affiliated exchanges 
(NYSE Arca, Inc. (``NYSE Arca''), NYSE MKT LLC (``NYSE MKT'')) for 
alleged failure to comply with their responsibilities as self-
regulatory organizations to conduct their business operations in 
accordance with Commission-approved exchange rules and the federal 
securities laws. See Securities Exchange Act Release No. 72065, In 
the Matter of New York Stock Exchange LLC, NYSE Arca, Inc., NYSE MKT 
LLC, and Archipelago Securities, L.L.C. (settled action: May 1, 
2014), available at: https://www.sec.gov/litigation/admin/2014/34-72065.pdf (``NYSE Order''). NYSE, NYSE Arca, NYSE MKT, and 
Archipelago Securities consented to an Order Instituting 
Administrative and Cease-and-Desist Proceedings Pursuant to Sections 
19(h) and 21C of the Securities Exchange Act of 1934, Making 
Findings, and Imposing Sanctions and a Cease-and-Desist Order. In 
the NYSE Order, the Commission cited various instances of NYSE 
systems not operating in compliance with their effective rules, such 
as NYSE's block trading facility not functioning in accordance with 
applicable rules; NYSE distributing an automated feed of closing 
order imbalance information to its floor brokers at an earlier time 
than specified in NYSE rules; and NYSE failing to execute certain 
orders in locked markets contrary to exchange rules. See id. In the 
NYSE Order, the Commission stated that the exchanges ``lacked 
comprehensive and consistently-applied policies and procedures for . 
. . evaluating whether business operations were being conducted 
fully in accordance with existing exchange rules and the federal 
securities laws.'' Id. at 3.
---------------------------------------------------------------------------

    Systems issues are not unique to the U.S. securities markets, with 
similar incidents occurring in the U.S. commodities markets as well as 
foreign markets.\35\ However, the Commission 
believes that it is critical that key U.S. securities market 
participants bolster their operational integrity to prevent, to the 
extent reasonably possible, these types of events, which can not only 
lead to tangible monetary losses,\36\ but which commenters believe to 
have the potential to reduce investor confidence in the U.S. 
markets.\37\
---------------------------------------------------------------------------

    \35\ See, e.g., Jacob Bunge, Bradley Hope, and Leslie Josephs, 
``Technical Glitch Hits CME Trading,'' Wall St. J., April 8, 2014; 
Jeremy Grant, ``Glitch Delays Singapore Derivative Trade,'' Fin. 
Times, April 9, 2013; Tamsyn Parker, ``NZX Trading Resumes After 
Technical Glitch,'' The New Zealand Herald, July 1, 2013; Matt 
Clinch, ``Flash Crash: Israel Stocks Hit by Typo,'' CNBC.com, 
available at: https://www.cnbc.com/id/100986999; and Ksenia 
Galouchko, ``Moscow Exchange Halts Derivatives Trading for Almost an 
Hour,'' Bloomberg, November 13, 2013.
    \36\ See, e.g., Proposing Release, supra note 13 (discussing 
systems issues affecting the initial public offerings (``IPO'') of 
BATS Global Markets, Inc. and Facebook, Inc.). In a rule change 
approved by the Commission in March 2013, Nasdaq implemented a $62 
million accommodation program to compensate certain members for 
their losses in connection with the Facebook IPO. Securities 
Exchange Act Release No. 69216 (March 22, 2013), 78 FR 19040 (March 
28, 2013). In its quarterly earnings announcement for the second 
quarter of 2013, UBS reported a $356 million loss tied to Facebook's 
IPO, while The Knight Capital Group and Citadel Investment Group 
claimed losses of $30 million to $35 million and Citigroup cited 
losses close to $20 million. See Michael J. De La Merced, ``Behind 
the Huge Facebook Loss at UBS,'' N.Y. Times, July 21, 2012. See also 
Angel Letter at 15 (stating that catastrophic failures in exchange 
systems are extremely costly in terms of direct losses to 
participants and result in reduced investor confidence in markets); 
and Better Markets Letter at 2 (citing to the systems related 
problems at Knight Capital, Direct Edge, BATS, and during the 
Facebook IPO that resulted in investor or company losses).
    \37\ See, e.g., Angel2 Letter at 2; Sungard Letter at 2; Better 
Markets Letter at 2; Leuchtkafer Letter at 3; FSI Letter at 3; and 
Angel Letter at 10, 15.
---------------------------------------------------------------------------

    The SCI Proposal also noted that the risks associated with 
cybersecurity, and how to protect against systems intrusions, are 
increasingly of concern to all types of entities.\38\ On March 27, 
2014, the Commission conducted a Cybersecurity Roundtable 
(``Cybersecurity Roundtable'').\39\ The Cybersecurity Roundtable 
addressed the cybersecurity landscape and cybersecurity issues faced by 
participants in the financial markets today, including exchanges, 
broker-dealers, investment advisers, transfer agents and public 
companies.\40\ Panelists discussed, among other topics, the scope and 
nature of cybersecurity threats to the financial industry; how market 
participants can effectively manage cybersecurity threats, including 
public and private sector coordination efforts and information sharing; 
the role that government should play to promote cybersecurity in the 
financial markets and market infrastructure; cybersecurity disclosure 
issues faced by public companies; and the identification of appropriate 
best practices and standards with regard to cybersecurity. Although the 
views of panelists varied, many emphasized the significant risk that 
cybersecurity attacks pose to the financial markets and market 
infrastructure today and the need to effectively manage that risk 
through measures such as testing, risk assessments, adoption of 
consistent best practices and standards, and information sharing.
---------------------------------------------------------------------------

    \38\ See Proposing Release, supra note 13, at 18089-90.
    \39\ See Securities Exchange Act Release No. 71742 (March 19, 
2014), 79 FR 16071 (March 24, 2014) (File No. 4-673). A webcast of 
the Cybersecurity Roundtable is available at: https://www.sec.gov/news/otherwebcasts/2014/cybersecurity-roundtable-032614.shtml.
    \40\ The first panel discussed the cybersecurity landscape, and 
panelists included: Cyrus Amir-Mokri, Assistant Secretary for 
Financial Institutions, Department of the Treasury; Mary E. 
Galligan, Director, Cyber Risk Services, Deloitte and Touche LLP; 
Craig Mundie, Member, President's Council of Advisors on Science and 
Technology; Senior Advisor to the Chief Executive Officer, Microsoft 
Corporation; Javier Ortiz, Vice President, Strategy and Global Head 
of Government Affairs, TaaSera, Inc.; Andy Roth, Partner and Co-
Chair, Global Privacy and Security Group, Dentons US LLP; Ari 
Schwartz, Acting Senior Director for Cybersecurity Programs, 
National Security Council, The White House; Adam Sedgewick, Senior 
Information Technology Policy Advisor, National Institute of 
Standards and Technology; and Larry Zelvin, Director, National 
Cybersecurity and Communications Integration Center, U.S. Department 
of Homeland Security.
     The second panel discussed public company disclosure of 
cybersecurity risks and incidents, and panelists included: Peter 
Beshar, Executive Vice President and General Counsel, Marsh & 
McLennan Companies, Inc.; David Burg, Global and U.S. Advisor Cyber 
Security Leader, PricewaterhouseCoopers LLP; Roberta Karmel, 
Centennial Professor of Law, Brooklyn Law School; Jonas Kron, Senior 
Vice President, Director of Shareholder Advocacy, Trillium Asset 
Management LLC; Douglas Meal, Partner, Ropes & Gray LLP; and Leslie 
T. Thornton, Vice President and General Counsel, WGL Holdings, Inc. 
and Washington Gas Light Company.
     The third panel addressed cybersecurity issues faced by the 
securities markets, and panelists included: Mark G. Clancy, Managing 
Director and Corporate Information Security Officer, The Depository 
Trust and Clearing Corporation; Mark Graff, Chief Information 
Security Officer, Nasdaq OMX; Todd Furney, Vice President, Systems 
Security, Chicago Board Options Exchange; Katheryn Rosen, Deputy 
Assistant Secretary, Office of Financial Institutions Policy, 
Department of the Treasury; Thomas Sinnott, Managing Director, 
Global Information Security, CME Group; and Aaron Weissenfluh, Chief 
Information Security Officer, BATS Global Markets, Inc.
     The final panel discussed how broker-dealers, investment 
advisers, and transfer agents address cybersecurity issues, and 
panelists included: John Denning, Senior Vice President, Operational 
Policy Integration, Development and Strategy, Bank of America/
Merrill Lynch; Jimmie H. Lenz, Senior Vice President, Chief Risk and 
Credit Officer, Wells Fargo Advisors LLC; Mark R. Manley, Senior 
Vice President, Deputy General Counsel and Chief Compliance Officer, 
AllianceBernstein L.P.; Marcus Prendergast, Director and Corporate 
Information Security Officer, ITG; Karl Schimmeck, Managing 
Director, Financial Services Operations, Securities Industry and 
Financial Markets Association; Daniel M. Sibears, Executive Vice 
President, Regulatory Operations/Shared Services, FINRA; John Reed 
Stark, Managing Director, Stroz Friedberg; Craig Thomas, Chief 
Information Security Officer, Computershare; and David G. 
Tittsworth, Executive Director and Executive Vice President, 
Investment Adviser Association.
---------------------------------------------------------------------------

III. Overview

    The Commission acknowledges that the nature of technology and the 
level of sophistication and automation of current market systems 
prevent any measure, regulatory or otherwise, from completely 
eliminating all systems disruptions, intrusions, or other systems 
issues.\41\ However, given the issues outlined above, the Commission 
believes that the adoption of, and compliance by SCI entities with, 
Regulation SCI, with the modifications from the SCI Proposal as 
discussed below, will advance the goals of the national market system 
by enhancing the capacity, integrity, resiliency, availability, and 
security of the automated systems of entities important to the 
functioning of the U.S. securities markets, as well as reinforce the 
requirement that such systems operate in compliance with the Exchange 
Act and rules and regulations thereunder, thus strengthening the 
infrastructure of the U.S. securities markets and improving its 
resilience when technological issues arise. In this respect, Regulation 
SCI establishes an updated and formalized regulatory framework, thereby 
helping to ensure more effective Commission oversight of such systems.
---------------------------------------------------------------------------

    \41\ See, e.g., October 2, 2012 remarks by Dr. Nancy Leveson, 
Professor of Aeronautics and Astronautics and Professor of 
Engineering Systems, MIT, Technology Roundtable (stating, for 
example, that ``it is impossible to build totally secure software 
systems'' and ``we've learned that we cannot build an unsinkable 
ship and cannot build unfailable software''), available at: https://www.sec.gov/news/otherwebcasts/2012/ttr100212-transcript.pdf.
---------------------------------------------------------------------------

    As proposed, Regulation SCI would have applied to ``SCI entities'' 
(estimated in the SCI Proposal to be 44 entities), a term which would 
have included all self-regulatory organizations (excluding security 
futures exchanges), ATSs that exceed specified volume thresholds, plan 
processors for market data NMS plans, and certain exempt clearing 
agencies. The most significant elements of the SCI Proposal \42\ would 
have required each SCI entity to:
---------------------------------------------------------------------------

    \42\ Each provision of the SCI Proposal is described in further 
detail below in Section IV. See also Proposing Release, supra note 
13, at Section III.
---------------------------------------------------------------------------

     Implement policies and procedures reasonably designed to 
ensure that its ``SCI systems'' and ``SCI security systems'' have 
levels of capacity, integrity, resiliency, availability, and security, 
adequate to maintain the SCI entity's operational capability and 
promote the maintenance of fair and orderly markets, with deemed 
compliance for policies and procedures that are consistent with current 
SCI industry standards, including identified information technology 
publications listed on proposed Table A;
     Implement policies and procedures reasonably designed to 
ensure that its systems operate in the manner intended, including in 
compliance with the federal securities laws and rules, and the entity's 
rules and governing documents, with safe harbors from liability for SCI 
entities and individuals;
     Upon any ``responsible SCI personnel'' becoming aware of 
the occurrence of an ``SCI event'' (defined to include systems 
disruptions, systems compliance issues, and systems intrusions), begin 
to take appropriate corrective action, including mitigating potential 
harm to investors and market integrity and devoting adequate resources 
to remedy the SCI event as soon as practicable;
     Report to the Commission the occurrence of any SCI event; 
and notify its members or participants of certain types of SCI events;
     Notify the Commission 30 days in advance of ``material 
systems changes'' (subject to an exception for exigent circumstances) 
and provide semi-annual summary progress reports on such material 
systems changes;
     Conduct an annual review, to be performed by objective, 
qualified personnel, of its compliance with Regulation SCI and submit a 
report of such annual review to its senior management and to the 
Commission;
     Designate those of its members or participants that would 
be required to participate in the testing (to occur at least annually) 
of its business continuity and disaster recovery plans, and coordinate 
such testing with other SCI entities on an industry- or sector-wide 
basis; and
     Meet certain other requirements, including maintaining 
records related to compliance with Regulation SCI and providing 
Commission representatives reasonable access to its systems to assess 
compliance with the rule.
    The Commission received substantial comment on the SCI Proposal 
from a wide range of entities. Commenters generally expressed support 
for the goals of the rule, but many suggested that the SCI Proposal's 
scope was unnecessarily broad and could be more tailored to lower 
compliance costs and still achieve the goal of reducing significant 
technology risk in the markets. Broadly speaking, the areas of concern 
garnering the greatest comment included the: (i) Breadth of certain key 
proposed definitions; (ii) costs associated with the scope of the 
proposed rule, including its reporting obligations; (iii) publications 
designated on Table A as proposed examples of ``current SCI industry 
standards;'' (iv) proposed entity safe harbor for systems compliance 
policies and procedures; (v) breadth of the proposed mandatory testing 
requirements; and (vi) proposed access provision.\43\
---------------------------------------------------------------------------

    \43\ A more detailed discussion of commenters' views can be 
found below in Section IV.
---------------------------------------------------------------------------

    The Commission has carefully considered the views of commenters in 
crafting Regulation SCI to meet its goals to strengthen the technology 
infrastructure of the securities markets and improve its resilience 
when technology falls short. Many of these modifications are intended 
to further focus the scope of the requirements from the proposal and to 
lessen the costs and burdens on SCI entities, while still allowing the 
Commission to achieve its goals. While Section IV below provides a 
detailed discussion of the changes the Commission has made to the SCI 
Proposal in adopting Regulation SCI today,\44\ broadly speaking, the 
key changes include:
---------------------------------------------------------------------------

    \44\ The Economic Analysis, infra Section VI, discusses the 
economic effects, including the costs and benefits, of the 
provisions of Regulation SCI, as adopted.
---------------------------------------------------------------------------

     Refining the scope of the proposal by, among other things, 
revising certain key definitions (including the definition of SCI 
systems and the definition of SCI ATS to exclude ATSs that trade only 
municipal securities or corporate debt securities (together, ``fixed-
income ATSs'')), refining the reporting framework for SCI events, and 
replacing the proposed 30-day advanced reporting requirement for 
material systems changes with a quarterly reporting requirement;
     Modifying the proposal to differentiate certain 
obligations and requirements, including tailoring certain obligations 
based on the criticality of a system (by, for example, adopting a new 
defined term ``critical SCI system'' for which heightened requirements 
will apply), and based on the significance of an event (such as 
adopting a new defined term ``major SCI event'' for purposes of the 
dissemination requirements, and establishing differing reporting 
obligations for SCI events that have had no or a de minimis impact on 
the SCI entity's operations or on market participants);
     Modifying the proposed policies and procedures 
requirements relating to both operational capability and the 
maintenance of fair and orderly markets, as well as systems compliance;
     Refining the scope of SCI entity members and participants 
that would be required to participate in mandatory business continuity/
disaster recovery plan testing; and
     Eliminating the proposed requirement that SCI entities 
provide Commission representatives reasonable access to their systems 
because the Commission can adequately assess an SCI entity's compliance 
with Regulation SCI through existing recordkeeping requirements and 
examination authority, as well as through the new recordkeeping 
requirement in Rule 1005 of Regulation SCI.
    In addition, the Commission notes that proposed Regulation SCI 
consisted of a single rule (Rule 1000) that included subparagraphs ((a) 
through (f)) addressing the various obligations of the rule. However, 
for clarity and simplification, adopted Regulation SCI is renumbered as 
Rules 1000 through 1007, as follows:
     Adopted Rule 1000 (which corresponds to proposed Rule 
1000(a)) contains definitions for terms used in Regulation SCI;
     Adopted Rule 1001 (proposed Rules 1000(b)(1)-(2)) contains 
the policies and procedures requirements for SCI entities relating to 
both operational capability and the maintenance of fair and orderly 
markets, as well as systems compliance;
     Adopted Rule 1002 (proposed Rules 1000(b)(3)-(5)) contains 
the obligations of SCI entities with respect to SCI events, which 
include corrective action, Commission notification, and information 
dissemination;
     Adopted Rule 1003 (proposed Rules 1000(b)(6)-(8)) contains 
requirements relating to material systems changes and SCI reviews;
     Adopted Rule 1004 (proposed Rule 1000(b)(9)) contains 
requirements relating to business continuity and disaster recovery 
testing;
     Adopted Rule 1005 (proposed Rule 1000(c)) contains 
requirements relating to recordkeeping;
     Adopted Rule 1006 (proposed Rule 1000(d)) contains 
requirements relating to electronic filing and submission;
     Adopted Rule 1007 (proposed Rule 1000(e)) contains 
requirements for service bureaus.

IV. Description of Adopted Regulation SCI and Form SCI

A. Definitions Establishing the Scope of Regulation SCI--Rule 1000

    A series of definitions set forth in Rule 1000 relate to the scope 
of Regulation SCI. These include the definitions for ``SCI entity'' (as 
well as the types of entities that are SCI entities, 
namely ``SCI SRO,'' ``SCI ATS,'' ``plan processor,'' and ``exempt 
clearing agency subject to ARP''), ``SCI systems'' (and related 
definitions for ``indirect SCI systems'' and ``critical SCI systems''), 
and ``SCI event'' (as well as the types of events that constitute SCI 
events, namely ``systems disruption,'' ``systems compliance issue,'' 
and ``systems intrusion'').\45\
---------------------------------------------------------------------------

    \45\ Rule 1000 contains additional defined terms that are 
discussed in subsequent sections below. See infra Section IV.B.3 
(discussing the definition of ``responsible SCI personnel''), 
Section IV.B.3.d (discussing ``major SCI event'' and deletion of the 
proposed definition of ``dissemination SCI event''), Section IV.B.4 
(discussing deletion of the proposed definition for ``material 
systems change''), Section IV.B.5 (discussing ``SCI review'' and 
``senior management''), and Section IV.C.2 (discussing ``electronic 
signature'').
---------------------------------------------------------------------------

1. SCI Entities
    Regulation SCI imposes requirements on entities meeting the 
definition of ``SCI entity'' under the rule. Proposed Rule 1000(a) 
defined ``SCI entity'' as an ``SCI self-regulatory organization, SCI 
alternative trading system, plan processor, or exempt clearing agency 
subject to ARP.'' \46\ The Commission is adopting the definition of 
``SCI entity'' in Rule 1000 as proposed.\47\
---------------------------------------------------------------------------

    \46\ See proposed Rule 1000(a) and Proposing Release supra note 
13, at Section III.B.1.
    \47\ Proposed Rule 1000(a) also defined each of the terms within 
the definition of SCI entity for the purpose of designating 
specifically the entities that would be subject to Regulation SCI. 
As described in Sections IV.A.1.a-d below, the Commission is 
also adopting these terms as proposed and without modification, with 
the exception of the definition of ``SCI ATS,'' which is being 
revised to exclude ATSs that trade only municipal securities or 
corporate debt securities.
---------------------------------------------------------------------------

    Some commenters discussed the definition of SCI entity generally 
and advocated for an expansion of the proposed definition, asserting 
that additional categories of market participants may have the 
potential to impact the market in the event of a systems issue.\48\ For 
example, one commenter suggested that the definition of ``SCI entity'' 
be extended to include the ATS and broker-dealer entities covered by 
the Regulation NMS definition of a ``trading center.'' \49\ Another 
commenter stated that the Commission should potentially expand the 
definition of SCI entity to also include dark pools if they met the 
volume thresholds of ATSs.\50\
---------------------------------------------------------------------------

    \48\ See, e.g., NYSE Letter at 8-9 and Liquidnet Letter at 2-3. 
See also BlackRock Letter at 4 (stating, among other things, that 
Regulation SCI should extend to any trading platforms that transact 
significant volume because these venues have a meaningful role and 
impact on the equity market). See also infra Section IV.E 
(discussing comments regarding the potential inclusion of other 
types of entities, such as broker-dealers generally, within the 
scope of Regulation SCI).
    \49\ Specifically, Section 600(b)(78) of Regulation NMS includes 
within the definition of a ``trading center'' ``an ATS, an exchange 
market maker, an OTC market maker, or any other broker or dealer 
that executes orders internally by trading as principal or crossing 
orders as agent.'' 17 CFR 242.600(b)(68). See NYSE Letter at 8-9.
    \50\ See CoreOne Letter at 7-9. CoreOne recommended that the 
Commission require dark pools to publicly disclose their aggregate 
volume in a manner similar to disclosures made by exchanges and 
ATSs. CoreOne stated that, once dark pools publicly disclose their 
volumes, it would be easier to evaluate whether dark pools should be 
included as SCI entities. Id.
---------------------------------------------------------------------------

    Other commenters believed that the scope of the definition should 
be more limited.\51\ For example, one commenter suggested that the 
definition should only include those entities that are systemically 
important to the functioning of the U.S. securities markets and should 
utilize volume thresholds for exchanges and ATSs to make this 
determination.\52\
---------------------------------------------------------------------------

    \51\ See, e.g., KCG Letter at 6-8; ITG Letter at 2-4; and CME 
Letter at 2-5.
    \52\ See ITG Letter at 2-4, 7. This commenter argued that, 
alternatively, the Commission could impose a lower set of 
obligations on ``lesser'' SCI entities. See id., at 9-11. See also 
infra notes 81-82 (discussing this commenter's suggested thresholds 
for exchanges) and note 131 (discussing this commenter's recommended 
thresholds for ATSs). See discussion in Sections IV.A.1.a and 
IV.A.1.b (relating to SCI SROs and SCI ATSs, respectively).
---------------------------------------------------------------------------

    Several commenters advocated the adoption of a ``risk-based'' 
approach, which would entail categorizing market participants based on 
the criticality of the functions performed rather than applying 
Regulation SCI to all ``SCI entities'' equally.\53\ Some commenters 
suggested replacing the term ``SCI entity'' with categories of 
participants based on potential market impact or including in the 
definition only those participants that are essential to continuous 
market-wide operation or that are the sole providers of a service in 
the securities markets.\54\ Other commenters agreed with the proposed 
scope of the term ``SCI entity,'' but believed that the various 
requirements under the rule should be tiered based on risk 
profiles.\55\ Several commenters identified various factors that should 
be considered in conducting a risk-assessment such as whether an entity 
is a primary listing market, is the sole market where the security is 
traded, or performs a monopoly or utility type role where there is no 
redundancy built into the marketplace, among others.\56\ Some 
commenters identified specific functions that they believed to be 
highly critical to the functioning of the securities markets and thus 
pose the greatest risk to the markets in the event of a systems issue, 
including securities information processing, clearance and settlement 
systems, and trading of exclusively listed securities, among 
others.\57\
---------------------------------------------------------------------------

    \53\ See, e.g., BIDS Letter at 5-6; SIFMA Letter at 4-5; KCG 
Letter at 2-3, 6-8; Fidelity Letter at 2-4; UBS Letter at 2-4; and 
LiquidPoint Letter at 2-3.
    \54\ See, e.g., BIDS Letter at 3-6; Direct Edge Letter at 1-2; 
and KCG Letter at 2-3, 6-8. Specifically, Direct Edge stated that 
SCI entities should include Commission-registered exchanges, 
securities information processors under approved NMS plans for 
market data, and clearance and settlement systems.
    \55\ See, e.g., SIFMA Letter at 4 and Fidelity Letter at 3-4.
    \56\ See, e.g., SIFMA Letter at 4 and Fidelity Letter at 3-4.
    \57\ See, e.g., SIFMA Letter at 4; Direct Edge Letter at 1-2; 
and KCG Letter at 2-3.
---------------------------------------------------------------------------

    After careful consideration of the comments, the Commission has 
determined to adopt the overall scope of entities covered by Regulation 
SCI as proposed.\58\ As discussed below, the Commission continues to 
believe that it is appropriate and would further the goals of the 
national market system to subject all SROs (excluding securities 
futures exchanges), ATSs meeting certain volume thresholds with respect 
to NMS stocks and non-NMS stocks (discussed further below), plan 
processors, and certain exempt clearing agencies to the requirements of 
Regulation SCI. The Commission believes that this definition 
appropriately includes those entities that play a significant role in 
the U.S. securities markets and/or have the potential to impact 
investors, the overall market, or the trading of individual 
securities.\59\
---------------------------------------------------------------------------

    \58\ But see infra Section IV.A.1.b (discussing revisions to the 
definition of ``SCI ATS'').
    \59\ See infra Sections IV.A.1.a-d (discussing more specifically 
each category of entity included within the definition of ``SCI 
entity'').
---------------------------------------------------------------------------

    While some commenters supported expanding the definition of SCI 
entity to encompass various other types of entities, the Commission has 
determined not to expand the scope of entities subject to Regulation 
SCI at this time. As noted in the SCI Proposal, Regulation SCI is 
based, in part, on the ARP Inspection Program, which has included the 
voluntary participation of all active registered clearing agencies, all 
registered national securities exchanges, the only registered national 
securities association--Financial Industry Regulatory Authority 
(``FINRA''), one exempt clearing agency, and one ATS.\60\ The ARP 
Inspection Program has also included the systems of entities that 
process and disseminate quotation and transaction data on behalf of the 
Consolidated Tape Association System (``CTA Plan''), Consolidated 
Quotation System (``CQS Plan''), Joint Self-Regulatory Organization 
Plan
Governing the Collection, Consolidation, and Dissemination of Quotation 
and Transaction Information for Nasdaq-Listed Securities Traded on 
Exchanges on an Unlisted Trading Privileges Basis (``Nasdaq UTP 
Plan''), and Options Price Reporting Authority (``OPRA Plan'').\61\ 
Significant-volume ATSs have also been subject to certain aspects of 
the ARP Policy Statements pursuant to Regulation ATS.\62\ In addition, 
one entity that has been granted an exemption from registration as a 
clearing agency has been subject to the ARP Inspection Program pursuant 
to the conditions of the exemption order issued by the Commission.\63\ 
The scope of the definition of SCI entity is intended to largely 
reflect the historical reach of the ARP Inspection Program and existing 
Rule 301 of Regulation ATS, while also expanding the coverage to 
certain additional entities that the Commission believes play a 
significant role in the U.S. securities markets and/or have the 
potential to impact investors, the overall market, or the trading of 
individual securities. The Commission acknowledged in the SCI Proposal 
that there may be other categories of entities not included within the 
definition of SCI entity that, given their increasing size and 
importance, could pose risks to the market should an SCI event 
occur.\64\ However, as discussed in further detail below,\65\ the 
Commission believes that, at this time, the entities included within 
the definition of SCI entity, because of their current role in the U.S. 
securities markets and/or their level of trading activity, have the 
potential to pose the most significant risk in the event of a systems 
issue. Although some commenters suggested that Regulation SCI should 
cover a greater range of market participants,\66\ the Commission 
believes that it is important to move forward now on rules that will 
meaningfully enhance the technology standards and oversight of key 
markets and market infrastructure. Further, the Commission believes 
that a measured approach that takes an incremental expansion from the 
entities covered under the ARP Inspection Program is an appropriate 
method for imposing the mandatory requirements of Regulation SCI at 
this time given the potential costs of compliance. This approach will 
enable the Commission to monitor and evaluate the implementation of 
Regulation SCI, the risks posed by the systems of other market 
participants, and the continued evolution of the securities markets, 
such that it may consider, in the future, extending the types of 
requirements in Regulation SCI to additional categories of market 
participants, such as non-ATS broker-dealers, security-based swap 
dealers, investment advisers, investment companies, transfer agents, 
and other key market participants. As noted in the SCI Proposal, should 
the Commission decide to propose to apply some or all of the 
requirements of Regulation SCI to additional types of entities, the 
Commission will issue a separate release discussing such a proposal and 
seeking public comment.\67\
---------------------------------------------------------------------------

    \60\ See Proposing Release, supra note 13, at 18086.
    \61\ See infra note 196 and accompanying text.
    \62\ See Rule 301(b)(6) of Regulation ATS, 17 CFR 242.301(b)(6).
    \63\ See Proposing Release, supra note 13, at 18096-97. See also 
infra Section IV.A.1.d (discussing the inclusion in Regulation SCI 
of exempt clearing agencies subject to ARP).
    \64\ See Proposing Release, supra note 13, at 18138-39.
    \65\ See infra Sections IV.A.1.a-d (discussing more specifically 
each category of entity included within the definition of ``SCI 
entity'').
    \66\ See supra notes 48-50 and accompanying text.
    \67\ See Proposing Release, supra note 13, at 18138.
---------------------------------------------------------------------------

    With respect to another commenter's recommendation regarding dark 
pools, to the extent that this commenter intended its comment to refer 
to ATSs, ATSs would be included within the scope of Regulation SCI if 
they met the applicable volume thresholds discussed below.\68\ To the 
extent that this commenter intended its comment to refer to other types 
of non-ATS dark venues where broker-dealers internalize order flow, the 
Commission notes that it has determined not to extend the scope of 
Regulation SCI to other types of broker-dealers at this time for the 
reasons discussed below.\69\
---------------------------------------------------------------------------

    \68\ See infra Section IV.A.1.b (discussing definition of ``SCI 
ATS''). This commenter also recommended that the Commission require 
dark pools to publicly disclose their aggregate volume to make it 
easier to evaluate whether dark pools should be included as SCI 
entities, and supported FINRA's plans to require such trading volume 
disclosures. The Commission notes that FINRA recently adopted new 
Rule 4552, which requires each ATS to report to FINRA weekly volume 
information regarding transactions in NMS stocks and OTC equity 
securities, and FINRA makes such information publicly available on 
its Web site. See Securities Exchange Act Release No. 71341 (January 
17, 2014), 79 FR 4213 (January 24, 2014) (approving FINRA Rule 4552 
requiring each ATS to report to FINRA weekly volume information and 
number of securities transactions). The Commission also notes that 
all ATSs (including dark pool ATSs) are required under Regulation 
ATS to provide the Commission with quarterly trading volume 
information. See Rule 301(b)(9) of Regulation ATS, 17 CFR 
242.301(b)(9).
    \69\ See infra text accompanying notes 121-125.
---------------------------------------------------------------------------

    The Commission has also determined not to further limit the scope 
of entities subject to Regulation SCI as suggested by some commenters. 
As discussed in more detail below, the Commission continues to believe 
that each of the identified categories of entities plays a significant 
role in the U.S. securities markets and/or has the potential to impact 
investors, the overall market, or the trading of individual securities, 
and thus should be subject to the requirements of Regulation SCI. 
Accordingly, the Commission does not agree that it should adopt a 
``risk-based'' approach to further limit the categories of market 
participants subject to Regulation SCI. The Commission believes that 
limiting the applicability of Regulation SCI to only the most 
systemically important entities posing the highest risk to the markets 
is too limited of a category of market participants, as it would 
exclude certain entities that, in the Commission's view, have the 
potential to pose significant risks to the securities markets should an 
SCI event occur. However, the Commission believes it is appropriate to 
incorporate risk-based considerations in various other aspects of 
Regulation SCI. Consistent with the views of some commenters advocating 
that the requirements of Regulation SCI should be tailored to the 
specific risk-profile of a particular entity or particular system,\70\ 
the Commission notes that Regulation SCI, as proposed, was intended to 
incorporate a consideration of risk within its requirements and 
believes it is appropriate to more explicitly incorporate risk 
considerations in various provisions of adopted Regulation SCI. For 
example, as discussed in further detail below, the requirement to have 
reasonably designed policies and procedures relating to operational 
capability was designed to permit SCI entities to take a risk-based 
approach in developing their policies and procedures based on the 
criticality of a particular system.\71\ In addition, the Commission 
believes that it is appropriate to further incorporate a risk-based 
approach into other aspects of the regulation, and thus, as discussed 
below, is adopting a new term--``critical SCI systems''--to identify 
systems that the Commission believes should be subject to heightened 
requirements in certain areas.\72\ Further, the Commission has 
determined that certain other definitions (such as the definition of 
``SCI systems''), and certain requirements of the rule (such as 
Commission notification for SCI events and material systems changes), 
should be scaled back and refined consistent with a risk-based 
approach, as discussed
below. The Commission believes that these modifications, further 
incorporating risk-based considerations in the requirements and scaling 
back certain requirements, provide the proper balance between requiring 
that the appropriate entities are subject to baseline standards for 
systems capacity, integrity, resiliency, availability, security, and 
compliance, while reducing the overall burden of the rule for all SCI 
entities, which is consistent with, and responsive to, the views of 
those commenters that the Commission take a more risk-based approach to 
SCI entities.
---------------------------------------------------------------------------

    \70\ See supra note 55 and accompanying text.
    \71\ See infra Section IV.B.1 (discussing the policies and 
procedures requirement under adopted Rule 1001(a)).
    \72\ See infra Section IV.A.2.c (discussing the definition of 
``critical SCI systems'').
---------------------------------------------------------------------------

a. SCI Self-Regulatory Organization or SCI SRO
    Proposed Rule 1000(a) defined ``SCI self-regulatory organization,'' 
or ``SCI SRO,'' to be consistent with the definition of ``self-
regulatory organization'' set forth in Section 3(a)(26) of the Exchange 
Act.\73\ This definition covered all national securities exchanges 
registered under Section 6(b) of the Exchange Act,\74\ registered 
securities associations,\75\ registered clearing agencies,\76\ and the 
Municipal Securities Rulemaking Board (``MSRB'').\77\ The definition, 
however, excluded an exchange that lists or trades security futures 
products that is notice-registered with the Commission as a national 
securities exchange pursuant to Section 6(g) of the Exchange Act, as 
well as any limited purpose national securities association registered 
with the Commission pursuant to Exchange Act Section 15A(k).\78\ 
Accordingly, the proposed definition of SCI SRO in Rule 1000(a) 
included all national securities exchanges registered under Section 
6(b) of the Exchange Act, all registered securities associations, all 
registered clearing agencies, and the MSRB.\79\ The definition of ``SCI 
self-regulatory organization'' or ``SCI SRO'' is being adopted in Rule 
1000 as proposed.\80\
---------------------------------------------------------------------------

    \73\ See 15 U.S.C. 78c(a)(26): ``The term `self-regulatory 
organization' means any national securities exchange, registered 
securities association, or registered clearing agency, or (solely 
for purposes of sections 19(b), 19(c), and 23(b) of this title) the 
Municipal Securities Rulemaking Board established by section 15B of 
this title.''
    \74\ Currently, these registered national securities exchanges 
are: (1) BATS Exchange, Inc. (``BATS''); (2) BATS Y-Exchange, Inc. 
(``BATS-Y''); (3) Boston Options Exchange LLC (``BOX''); (4) CBOE; 
(5) C2; (6) Chicago Stock Exchange, Inc. (``CHX''); (7) EDGA 
Exchange, Inc. (``EDGA''); (8) EDGX Exchange, Inc. (``EDGX''); (9) 
International Securities Exchange, LLC (``ISE''); (10) Miami 
International Securities Exchange, LLC (``MIAX''); (11) NASDAQ OMX 
BX, Inc. (``Nasdaq OMX BX''); (12) NASDAQ OMX PHLX LLC (``Nasdaq OMX 
Phlx''); (13) Nasdaq; (14) National Stock Exchange, Inc. (``NSX''); 
(15) NYSE; (16) NYSE MKT; (17) NYSE Arca; and (18) ISE Gemini, LLC 
(``ISE Gemini'').
    \75\ FINRA is the only registered national securities 
association.
    \76\ Currently, there are seven clearing agencies (Depository 
Trust Company (``DTC''); Fixed Income Clearing Corporation 
(``FICC''); National Securities Clearing Corporation (``NSCC''); 
Options Clearing Corporation (``OCC''); ICE Clear Credit; ICE Clear 
Europe; and CME) with active operations that are registered with the 
Commission. The Commission notes that in 2012 it adopted Rule 17Ad-
22, which requires registered clearing agencies to have effective 
risk management policies and procedures in place. See Securities 
Exchange Act Release No. 68080 (October 22, 2012), 77 FR 66220 
(November 2, 2012) (``Clearing Agency Standards Release''). The 
Commission believes that Regulation SCI, to the extent it addresses 
areas of risk management similar to those addressed by Rule 17Ad-
22(d)(4), complements Rule 17Ad-22(d)(4).
     Additionally, on March 12, 2014, the Commission proposed rules 
that would apply to SEC-registered clearing agencies that have been 
designated as systemically important by the Financial Stability 
Oversight Council or that are involved in activities with a more 
complex risk profile, such as clearing security-based swaps. See 
Securities Exchange Act Release No. 71699 (Mar. 12, 2014), 79 FR 
16865 (March 26, 2014) (``Covered Clearing Agencies Proposal''). 
Regulation SCI and proposed Rule 17Ad-22(e)(17) are intended to be 
consistent and complementary. See also Covered Clearing Agencies 
Proposal, 79 FR at 16866, n.1 and accompanying text (discussing the 
Commission's consideration of the relevant international standards).
    \77\ 15 U.S.C. 78c(a)(26). As noted in the Proposing Release, 
historically, the ARP Inspection Program did not include the MSRB, 
but instead focused on entities having trading, quotation and 
transaction reporting, and clearance and settlement systems more 
closely connected to the equities and options markets. The 
Commission believes that it is appropriate to apply Regulation SCI 
to the MSRB, particularly given the fact that the MSRB is the only 
SRO relating to municipal securities and is a key provider of 
consolidated market data for the municipal securities market. 
Accordingly, as proposed, the term ``SCI SRO'' included the MSRB. In 
2008, the Commission amended Rule 15c2-12 to designate the MSRB as 
the single centralized disclosure repository for continuing 
municipal securities disclosure. In 2009, the MSRB established the 
Electronic Municipal Market Access system (``EMMA''). EMMA now 
serves as the official repository of municipal securities 
disclosure, providing the public with free access to relevant 
municipal securities data, and is the central database for 
information about municipal securities offerings, issuers, and 
obligors. Additionally, the MSRB's Real-Time Transaction Reporting 
System (``RTRS''), with limited exceptions, requires municipal bond 
dealers to submit transaction data to the MSRB within 15 minutes of 
trade execution, and such near real-time post-trade transaction data 
can be accessed through the MSRB's EMMA Web site. While pre-trade 
price information is not as readily available in the municipal 
securities market, the Commission's Report on the Municipal 
Securities Market also recommended that the Commission and MSRB 
explore the feasibility of enhancing EMMA to collect best bids and 
offers from material ATSs and make them publicly available on fair 
and reasonable terms. See Report on the Municipal Securities Market 
(July 31, 2012), available at: https://www.sec.gov/news/studies/2012/munireport073112.pdf. The Commission believes that the MSRB's SCI 
systems currently are limited to those operated by or on behalf of 
the MSRB that directly support market data (i.e., currently limited 
to the EMMA, RTRS, and SHORT systems). As discussed more fully 
below, the EMMA, RTRS, and SHORT systems referenced by the MSRB in 
its comment letter would be market data systems within the 
definition of SCI systems because they provide or directly support 
price transparency. See infra note 253 and accompanying text.
    \78\ See 15 U.S.C. 78f(g); 15 U.S.C. 78o-3(k). These entities 
are security futures exchanges and the National Futures Association, 
for which the CFTC serves as their primary regulator. See generally 
CFTC Concept Release on Risk Controls and System Safeguards for 
Automated Trading Environments, 78 FR 56542 (September 12, 2013) 
(``CFTC Concept Release'') (describing the CFTC's regulatory scheme 
for addressing risk controls relating to automated systems).
    \79\ For any SCI SRO that is a national securities exchange, any 
facility of such national securities exchange, as defined in Section 
3(a)(2) of the Exchange Act, 15 U.S.C. 78c(a)(2), also is covered 
because such facilities are included within the definition of 
``exchange'' in Section 3(a)(1) of the Exchange Act, 15 U.S.C. 
78c(a)(1).
    \80\ The Commission notes that NSX ceased trading as of the 
close of business on May 30, 2014. See Securities Exchange Act 
Release No. 72107 (May 2, 2014), 79 FR 27017 (May 12, 2014) (Notice 
of Filing and Immediate Effectiveness of Proposed Rule Change To 
Cease Trading on Its Trading System) (``NSX Trading Cessation 
Notice''). In the NSX Trading Cessation Notice, NSX stated: ``[T]he 
Exchange will continue to be registered as a national securities 
exchange and will continue to retain its status as a self-regulatory 
organization[;]'' and further, that it ``shall file a proposed rule 
change pursuant to Rule 19b-4 of the Exchange Act prior to any 
resumption of trading on the Exchange pursuant to Chapter XI 
(Trading Rules).'' Because NSX remains a national securities 
exchange registered under Section 6(b) of the Exchange Act, it 
continues to meet the definition of SCI entity, and is counted as an 
SCI entity for purposes of this release.
---------------------------------------------------------------------------

    One commenter suggested that the rule should include volume 
thresholds for exchanges.\81\ Specifically, this commenter recommended 
that, with regard to exchanges, the definition should include only 
those exchanges that have five percent or more of average daily dollar 
volume in at least five NMS stocks for four of the previous six 
months.\82\ Another commenter asked the Commission to adopt certain 
specific exceptions to the definition of SCI SRO and SCI entity for 
entities that are dually registered with the CFTC and Commission where 
the CFTC is the entity's ``primary regulator'' and for any entity that 
does not play a ``significant role'' in the markets subject to the 
Commission's jurisdiction and that cannot have a ``significant impact'' 
on the markets subject to the Commission's jurisdiction.\83\
---------------------------------------------------------------------------

    \81\ See ITG Letter at 10. This commenter also suggested similar 
revised thresholds for SCI ATSs. See also infra note 131 and 
accompanying text. Although only one commenter specifically 
commented on the proposed inclusion of SCI SROs within the scope of 
Regulation SCI, as discussed above, some commenters believed that 
Regulation SCI should generally take a more risk-based or tiered 
approach which, in some cases, would affect which entities 
(including SCI SROs) would be subject to Regulation SCI. See supra 
notes 53-56 and accompanying text.
    \82\ See ITG Letter at 10.
    \83\ See CME Letter at 2.
---------------------------------------------------------------------------

    The Commission does not believe that a trading volume threshold is
appropriate for SCI SROs that are exchanges, but instead believes that 
Regulation SCI should apply to all SCI SROs. The threshold suggested by 
the commenter would exclude from Regulation SCI those exchanges with 
volumes below the suggested threshold; however, the Commission believes 
that all exchanges play a significant role in our securities markets. 
For example, all stock exchanges are subject to a variety of specific 
public obligations under the Exchange Act, including the requirements 
of Regulation NMS which, among other things, designates the best bid or 
offer of such exchanges to be protected quotations.\84\ Accordingly, 
every exchange may have a protected quotation that can obligate market 
participants to send orders to that exchange. Among other reasons, 
given that market participants may be required to send orders to any 
one of the exchanges at any given time if such exchange is displaying 
the best bid or offer, the Commission believes that it is important 
that the safeguards of Regulation SCI apply equally to all exchanges 
irrespective of trading volume.
---------------------------------------------------------------------------

    \84\ See generally 17 CFR 242.600-612. In addition, as the 
commenter's suggested thresholds would apply only with respect to 
exchanges that trade NMS stocks, national securities exchanges that 
do not trade NMS stocks (i.e., options exchanges) would also be 
excluded from Regulation SCI under the commenter's suggestion. The 
Commission believes that it would be inappropriate to exclude 
options exchanges from the requirements of Regulation SCI, because 
technology risks are equally applicable to such exchanges, as 
evidenced by recent significant technology incidents affecting the 
options markets. See supra notes 28-31 and accompanying text. As 
such, systems issues at options exchanges can pose significant risks 
to the markets, and the Commission believes that the inclusion of 
options exchanges within the scope of Regulation SCI is necessary to 
achieve the goals of Regulation SCI.
---------------------------------------------------------------------------

    With regard to one commenter's suggestion to except from the 
definition of SCI SRO those entities dually registered with the CFTC 
and Commission where the CFTC is the entity's ``primary 
regulator,''\85\ the Commission disagrees that such entities should be 
relieved from the requirements of Regulation SCI solely because they 
are dually registered.\86\ While the CFTC is responsible for overseeing 
such an entity with regard to its futures activities, it does not have 
oversight responsibility for the entity's securities-related activities 
and systems. While the commenter stated that it (as a dual registrant) 
is already subject to similar requirements to adopt controls and 
procedures with regard to operational risk and reliability, security, 
and capacity of its systems pursuant to CFTC regulations, the 
Commission again notes that such requirements do not apply to such an 
entity's securities-related systems as such systems are outside of the 
CFTC's jurisdiction and, as such, such systems would not be subject to 
inspection and examination by the CFTC for compliance with such 
requirements.\87\ Further, Regulation SCI imposes a notification 
framework to inform the Commission of SCI events and material systems 
changes, as well as other requirements unique to Regulation SCI. 
Accordingly, the Commission believes that such entities should be 
subject to the requirements of Regulation SCI. In addition, as noted 
above, this commenter also asked the Commission to create an exception 
for any entity that does not play a ``significant role'' in the markets 
subject to the Commission's jurisdiction and that cannot have a 
``significant impact'' on the markets subject to the Commission's 
jurisdiction.\88\ While the Commission disagrees with excluding SROs 
from coverage as discussed above, the Commission notes that it is 
revising the proposed definition of SCI systems to clarify that the 
term SCI systems encompasses only those systems that, with respect to 
securities, directly support trading, clearance and settlement, order 
routing, market data, market regulation, or market surveillance, as 
discussed below.\89\ Accordingly, the Commission believes this change 
should address the commenter's concerns about the requirements applying 
to entities whose systems cannot affect the markets subject to the 
Commission's jurisdiction, i.e., the U.S. securities markets.
---------------------------------------------------------------------------

    \85\ See supra note 83 and accompanying text.
    \86\ The commenter notes that the Commission has proposed to 
exclude from the definition of SCI SRO those exchanges that list or 
trade security futures products that are notice-registered with the 
Commission pursuant to Section 6(g), as well as limited purpose 
national securities associations registered with the Commission 
pursuant to Exchange Act Section 15A(k). See Proposing Release, 
supra note 13, at 18093, n. 97 and accompanying text. The Commission 
notes that such entities are subject to the joint jurisdiction of 
the Commission and the CFTC. To avoid duplicative regulation, 
however, the CFMA established a system of notice registration under 
which trading facilities and intermediaries that are already 
registered with either the Commission or the CFTC may register with 
the other agency on an expedited basis for the limited purpose of 
trading security futures products. A ``notice registrant'' is then 
subject to primary oversight by one agency, and is exempted under 
the CFMA from all but certain specified provisions of the laws 
administered by the other agency. See Section 6(g)(4) and Section 
15A(k)(3)-(4) (enumerating the provisions of the Exchange Act from 
which a notice-registered exchange and limited purpose national 
securities association, respectively, are exempted). Given this, the 
Commission believes that it is appropriate to defer to the CFTC 
regarding the systems integrity of these entities. See also 
generally CFTC Concept Release, supra note 78. This regulatory 
scheme does not apply outside of the specific contexts of security 
futures exchanges and associations. In contrast, entities that are 
registered with both the Commission and the CFTC in other 
capacities, such as clearing agencies, are subject to a full set of 
regulations by each regulator. The Exchange Act and Commodity 
Exchange Act do not exempt these entities, due to any dual 
regulatory scheme, from any provisions of the laws administered by 
the Commission and, as discussed further below, the Commission 
believes they should not be afforded an exclusion from Regulation 
SCI.
    \87\ The Commission notes that, to the extent that such an 
entity's systems for its functions that fall in the purview of the 
Commission (relating to securities and securities-based swaps) and 
that fall in the purview of the CFTC (relating to futures and swaps) 
are integrated, it believes that the focus of the CFTC's exams and 
inspections of such systems would be on such systems' functionality 
related to non-securities-related activities, such as swaps or 
futures, and not those related to securities activities. Thus, the 
Commission believes that the potential examination and inspection of 
such integrated systems by both the CFTC and SEC does not support 
the exclusion of the SCI entities operating such systems, or the 
systems themselves, from the scope of Regulation SCI.
    \88\ See supra note 83 and accompanying text.
    \89\ See adopted Rule 1000 (emphasis added). See also infra 
Section IV.A.2.b (discussing the definition of ``SCI systems'').
---------------------------------------------------------------------------

b. SCI Alternative Trading System
    Proposed Rule 1000(a) defined the term ``SCI alternative trading 
system,'' or ``SCI ATS,'' as an alternative trading system, as defined 
in Sec.  242.300(a), which during at least four of the preceding six 
calendar months, had: (1) With respect to NMS stocks--(i) five percent 
or more in any single NMS stock, and 0.25 percent or more in all NMS 
stocks, of the average daily dollar volume reported by an effective 
transaction reporting plan, or (ii) one percent or more, in all NMS 
stocks, of the average daily dollar volume reported by an effective 
transaction reporting plan; (2) with respect to equity securities that 
are not NMS stocks and for which transactions are reported to a self-
regulatory organization, five percent or more of the average daily 
dollar volume as calculated by the self-regulatory organization to 
which such transactions are reported; or (3) with respect to municipal 
securities or corporate debt securities, five percent or more of 
either--(i) the average daily dollar volume traded in the United 
States, or (ii) the average daily transaction volume traded in the 
United States.\90\
---------------------------------------------------------------------------

    \90\ See proposed Rule 1000(a) and Proposing Release, supra note 
13, at Section III.B.1.
---------------------------------------------------------------------------

    The proposed definition would have modified the thresholds 
currently appearing in Rule 301(b)(6) of Regulation ATS that apply to 
significant-volume ATSs.\91\ Specifically,
the proposed definition would have: Used average daily dollar volume 
thresholds, instead of an average daily share volume threshold, for 
ATSs that trade NMS stocks or equity securities that are not NMS stocks 
(``non-NMS stocks''); used alternative average daily dollar and 
transaction volume-based tests for ATSs that trade municipal securities 
or corporate debt securities; lowered the volume thresholds applicable 
to ATSs for each category of asset class; and moved the proposed 
thresholds to Regulation SCI. In particular, with respect to NMS 
stocks, the Commission proposed to change the volume threshold from 20 
percent of average daily volume in any NMS stock such that an ATS that 
traded NMS stocks that met either of the following two alternative 
threshold tests would be subject to the requirements of proposed 
Regulation SCI: (i) Five percent or more in any NMS stock, and 0.25 
percent or more in all NMS stocks, of the average daily dollar volume 
reported by an effective transaction reporting plan; or (ii) one 
percent or more, in all NMS stocks, of the average daily dollar volume 
reported by an effective transaction reporting plan. With respect to 
non-NMS stocks, municipal securities, and corporate debt securities, 
the Commission proposed to reduce the standard from 20 percent to five 
percent for these types of securities,\92\ the same percentage 
threshold for such types of securities that triggers the fair access 
provisions of Rule 301(b)(5) of Regulation ATS.\93\
---------------------------------------------------------------------------

    \91\ 17 CFR 242.301(b)(6).
    \92\ See proposed Rule 1000(a).
    \93\ See Rule 301(b)(5) of Regulation ATS under the Exchange 
Act. 17 CFR 242.301(b)(5). In addition, as noted above, the proposed 
rule used alternative average daily dollar and transaction volume-
based tests for ATSs that trade municipal securities or corporate 
debt securities.
---------------------------------------------------------------------------

    The proposed definition of ``SCI ATS'' is being adopted 
substantially as proposed with regard to ATSs trading NMS stocks and 
ATSs trading non-NMS stocks, with the addition of a six-month 
compliance period for entities satisfying the thresholds in the 
definition for the first time, as discussed in more detail below. 
However, for the reasons discussed below, the Commission has determined 
to exclude from the definition of ``SCI ATS'' ATSs that trade only 
municipal securities or corporate debt securities and accordingly, such 
ATSs will not be subject to the requirements of Regulation SCI.

Inclusion of ATSs Generally
    Many commenters provided comment on the inclusion of ATSs within 
the scope of Regulation SCI. Some commenters believed that more ATSs 
should be covered by Regulation SCI.\94\ For example, some commenters 
suggested that the term ``SCI ATS'' should include all ATSs, because 
these commenters believed that they have the potential to negatively 
impact the market in the event of a systems issue.\95\ Moreover, one 
commenter stated that the Commission should not distinguish between 
ATSs based on calculated thresholds because an ATS might limit trading 
on its system so as to avoid being subject to the requirements of 
Regulation SCI.\96\
---------------------------------------------------------------------------

    \94\ See, e.g., NYSE Letter at 9-10; Lauer Letter at 4; and 
CoreOne Letter at 7-8.
    \95\ See, e.g., NYSE Letter at 9-10; and Lauer Letter at 4.
    \96\ See, e.g., NYSE Letter at 9-10.
---------------------------------------------------------------------------

    Conversely, other commenters stated that fewer, or even no, ATSs 
should be covered.\97\ Such commenters generally argued that there are 
key differences between ATSs and exchanges, and thus, ATSs should be 
regulated differently from exchanges and not be included in Regulation 
SCI with exchanges.\98\ The differences identified by commenters 
included: ATSs' relative market shares and sizes; the fact that ATSs 
are already subject to various regulations as broker-dealers (including 
Rule 15c3-5 under the Exchange Act, various FINRA rules, and Regulation 
ATS); and certain fundamental economic differences between the two 
types of entities (including that exchanges can gain revenue from 
listing and market data, have self-clearing, and have a protected 
quote).\99\ One commenter argued that, if the Commission were to 
include ATSs in Regulation SCI, it should treat ATSs and SROs equally 
by allowing ATSs to have the same benefits of SROs, including allowing 
ATSs to derive an income stream from contributions to the SIP, have 
access to clearing, and have immunity from lawsuits.\100\ Other 
commenters also noted that, although ATSs have an increasingly large, 
collective market share, ATSs have not contributed to any of the recent 
major systems issues that have impacted the market.\101\
---------------------------------------------------------------------------

    \97\ See, e.g., BIDS Letter at 3; ITG Letter at 3; KCG Letter at 
8; and OTC Markets Letter at 9.
    \98\ See, e.g., BIDS Letter at 3; ITG Letter at 3; KCG Letter at 
9, 14-17; TMC Letter at 2; and OTC Markets Letter at 9.
    \99\ Id.
    \100\ See OTC Markets Letter at 9.
    \101\ See ITG Letter at 4; and BIDS Letter at 3.
---------------------------------------------------------------------------

    Another commenter stated that the SCI Proposal unfairly 
discriminated against ATSs by including them within the definition of 
SCI entity.\102\ Specifically, although this commenter did not believe 
that Regulation SCI should be expanded to include more entities, it 
stated that the SCI Proposal's failure to capture certain entities 
(such as clearing firms, market makers, block positioners, and order 
routing firms) that it believed could have a greater impact on market 
stability in the event of a systems issue, while including ATSs, 
demonstrates that the proposal is arbitrary, capricious, and unfairly 
discriminatory in nature.\103\
---------------------------------------------------------------------------

    \102\ See ITG Letter at 9.
    \103\ See id.
---------------------------------------------------------------------------

    After careful consideration of the comment letters, the Commission 
continues to believe that the inclusion of ATSs that trade NMS stocks 
and non-NMS stocks in Regulation SCI is appropriate.\104\ The 
Commission believes that certain of those ATSs play an important role 
in today's securities markets, and thus should be subject to the 
safeguards and obligations of Regulation SCI. As noted in the SCI 
Proposal, the equity markets have evolved significantly over recent 
years, resulting in an increase in the number of trading centers and a 
reduction in the concentration of trading activity.\105\ As such, even 
smaller trading centers, such as certain higher-volume ATSs, now 
collectively represent a significant source of liquidity for NMS stocks 
and some ATSs have similar and, in some cases, greater trading volume 
than some national securities exchanges, with no single national 
securities exchange executing more than approximately 19 percent of 
volume in NMS stocks in today's securities markets.\106\ Accordingly, 
the Commission believes that ATSs meeting certain volume thresholds can 
play a significant role in the securities markets and, given their 
heavy reliance on automated systems, have the potential to 
significantly impact investors, the overall market, 
and the trading of individual securities should an SCI event occur.
---------------------------------------------------------------------------

    \104\ Given the inclusion of ATSs that trade NMS stocks and non-
NMS stocks within the scope of Regulation SCI, Regulation ATS is 
also being amended to remove paragraphs (b)(6)(i)(A) and 
(b)(6)(i)(B) of Rule 301 so that Rule 301(b)(6) will no longer apply 
to ATSs trading NMS stocks and non-NMS stocks. However, as described 
below, the Commission has determined to exclude ATSs that trade only 
municipal securities or corporate debt securities from the scope of 
Regulation SCI, and such ATSs will remain subject to the 
requirements of Rule 301(b)(6) if they meet the volume thresholds 
therein. 17 CFR 242.301(b)(6). See supra notes 14 and 20 and 
accompanying text.
    \105\ See Proposing Release, supra note 13, at 18094.
    \106\ See market volume statistics reported by BATS, available 
at: https://www.batstrading.com/market_summary/ (no single stock 
exchange executed more than approximately 19 percent during the 
second quarter of 2014, with Nasdaq having the highest market share 
of 18.6 percent). In comparison, according to data from Form ATS-R 
for the second quarter of 2014, approximately 18 percent of 
consolidated NMS stocks dollar volume took place on ATSs.
---------------------------------------------------------------------------

    Commenters identified certain differences between exchanges and 
ATSs, which commenters argued justified different treatment under 
Regulation SCI for ATSs or exclusion of ATSs from the regulation 
completely.\107\ While the Commission recognizes that there are some 
fundamental differences between ATSs and exchanges, including certain 
of those identified by commenters, the Commission does not agree that 
all ATSs should be excluded from Regulation SCI because, as discussed 
above, it believes that there are certain significant-volume ATSs that 
have the potential to significantly impact investors, the overall 
market, or the trading of individual securities should an SCI event 
occur. At the same time, the risk-based considerations permitted in 
adopted Regulation SCI may result in the systems of those ATSs that are 
subject to Regulation SCI (i.e., SCI ATSs) being subject to less 
stringent requirements than the systems of SROs or other SCI entities 
in certain areas. For example, as discussed in further detail below, 
the Commission is adopting a definition of ``critical SCI systems,'' 
which are a subset of SCI systems that are subject to certain 
heightened requirements under Regulation SCI. This definition is 
intended to capture those systems that are core to the functioning of 
the securities markets or that represent ``single points of failure'' 
and thus, pose the greatest risk to the markets. The Commission 
believes that, as currently constituted, relative to the systems of SCI 
SROs, the systems of SCI ATSs generally would not fall within this 
category of critical SCI systems, and thus such SCI ATSs would not be 
subject to the more stringent requirements that would be applicable to 
the critical SCI systems of other SCI entities. The Commission also 
notes that other requirements under Regulation SCI are designed to be 
consistent with a risk-based approach. The Commission believes that 
this approach recognizes the different roles played by different SCI 
systems at various SCI entities and, where permitted, allows each SCI 
entity, including SCI ATSs, to tailor the applicable requirements 
accordingly.
---------------------------------------------------------------------------

    \107\ See supra notes 98-99 and accompanying text.
---------------------------------------------------------------------------

    While some commenters noted that ATSs have not contributed to any 
of the recent high-profile systems issues,\108\ the Commission does not 
believe that the relative lack of high-profile systems issues at ATSs 
to date is an indication that ATSs do not have the potential to have a 
significant impact on the market in the event of a future systems 
issue.\109\
---------------------------------------------------------------------------

    \108\ See supra note 101 and accompanying text.
    \109\ The Commission also notes that, as discussed above, in 
November 2013, a systems issue at OTC Link ATS led FINRA to halt 
trading in all OTC securities for over three hours. See supra note 
33 and accompanying text.
---------------------------------------------------------------------------

    Other commenters noted the competitive environment of ATSs and 
argued that, if one ATS experiences a systems issue and becomes 
temporarily unavailable, trading can be easily rerouted to other 
venues.\110\ The Commission acknowledges that a temporary outage at an 
ATS (or at an SCI SRO, for that matter) may not lead to a widespread 
systemic disruption. However, the Commission notes that Regulation SCI 
is not designed to solely address system issues that cause widespread 
systemic disruption, but also to address more limited systems 
malfunctions and other issues that can harm market participants or 
create compliance issues.\111\
---------------------------------------------------------------------------

    \110\ See ITG Letter at 3; and KCG Letter at 9.
    \111\ The Commission notes that each ATS provides different 
services in terms of, among other things, pricing, latency, and 
order fills to meet investors' specific needs. Thus, for example, an 
ATS outage could interfere with the supply of certain services that 
investors demand and, thus, could impose costs on investors.
---------------------------------------------------------------------------

    Some commenters also stated that inclusion of ATSs is not necessary 
because ATSs are already subject to sufficient regulations as broker-
dealers, citing Rule 15c3-5 under the Exchange Act, various FINRA 
rules, and Regulation ATS.\112\ While the Commission acknowledges that 
these rules similarly impose requirements related to the capacity, 
integrity and/or security of a broker-dealer's systems and are designed 
to address some of the same concerns that Regulation SCI is intended to 
address, the Commission notes that these rules generally take a 
different approach than Regulation SCI. For example, the obligations of 
an ATS under Rule 15c3-5 address vulnerabilities in the national market 
system that relate specifically to market access,\113\ whereas 
Regulation SCI is designed to further the goals of the national market 
system more broadly by helping to ensure the capacity, integrity, 
resiliency, availability, and security of the automated systems of 
entities important to the functioning of the U.S. securities 
markets.\114\ Thus, the Commission has determined to include ATSs 
within the scope of Regulation SCI because of their role as markets and 
a potential significant source of liquidity. With regard to the FINRA 
rules identified by commenters, the Commission does not believe that 
these rules, even when considered in combination with Rule 15c3-5, are 
an appropriate substitute for the comprehensive approach in Regulation 
SCI for ATSs in their role as markets.\115\ Finally, as noted above, 
Rule 301(b)(6) of Regulation ATS imposed by rule certain aspects of the 
ARP Policy Statements on significant-volume ATSs. As described in 
detail herein, Regulation SCI seeks to expand upon, update, and 
modernize the requirements of the ARP Policy Statements and Rule 
301(b)(6), by, for example, expanding the requirements to a broader set 
of systems, imposing new requirements for information dissemination 
regarding SCI events, and requiring Commission notification for 
additional types of events, among others. Accordingly, the Commission 
believes that, for SCI ATSs, the existing broker-dealer rules and 
regulations identified by commenters are complemented by the 
requirements of Regulation SCI (other than Rule 301(b)(6), which will 
no longer apply to ATSs that trade NMS stocks and non-NMS stocks), and 
do not serve as substitutes for the regulatory framework being adopted 
today.
---------------------------------------------------------------------------

    \112\ See supra notes 98-99 and accompanying text.
    \113\ See Securities Exchange Act Release No. 63241 (November 3, 
2010), 75 FR 69792 (November 15, 2010) (``Market Access Release'').
    \114\ The Commission notes that Rule 15c3-5 focuses on 
addressing the particular risks that arise when broker-dealers 
provide electronic access to exchanges or ATSs and therefore does 
not address the same range of technology-related issues as 
Regulation SCI is designed to address. Both Rule 15c3-5 and 
Regulation SCI are policies and procedures-based rules that are 
designed to address the risks presented by the pervasive use of 
technology in today's markets. The policies and procedures required 
by Regulation SCI apply broadly to technology that supports trading, 
clearance and settlement, order routing, market data, market 
regulation, and market surveillance and, among other things, address 
their overall capacity, integrity, resilience, availability, and 
security. Rule 15c3-5, by contrast, is more narrowly focused on 
those technology and other errors that can create some of the more 
significant risks to broker-dealers and the markets, namely those 
that arise when a broker-dealer enters orders into an exchange or 
ATS, including when it provides sponsored or direct market access to 
customers or other persons, where the consequences of such an error 
can rapidly magnify and spread throughout the markets. See also 
infra note 115 (discussing FINRA rules applicable to broker-
dealers). The Commission will continue to monitor and evaluate the 
risks posed by broker-dealer systems to the market and the 
implementation of the Market Access Rule, and may consider extending 
the types of requirements in Regulation SCI to additional market 
participants in the future.
    \115\ For example, NASD Rule 3010(b)(1) requires a member to 
establish, maintain, and enforce written procedures to supervise the 
types of business in which it engages and to supervise the 
activities of registered representatives, registered principals, and 
other associated persons that are reasonably designed to achieve 
compliance with applicable securities laws and regulations. This 
rule relates to policies and procedures to achieve compliance with 
applicable securities laws and regulations, and thus the Commission 
believes that this requirement is broadly related to adopted Rule 
1001(b) regarding policies and procedures to ensure systems 
compliance. However, the Commission notes that, unlike adopted Rule 
1001(b), which focuses on ensuring that an entity's systems operate 
in compliance with the Exchange Act, the rules and regulations 
thereunder and the entity's rules and governing documents, this NASD 
rule does not specifically address compliance of the systems of 
FINRA members. Further, the Commission does not believe this 
provision covers more broadly policies and procedures akin to those 
in adopted Rule 1001(a) that are designed to ensure that SCI systems 
have levels of capacity, integrity, resiliency, availability, and 
security adequate to maintain the SCI entity's operational capability 
and promote fair and orderly markets. Similarly, while FINRA Rule 
3130 relates to adopted Rule 1001(b) regarding policies and 
procedures to ensure systems compliance in that it requires a 
member's chief compliance officer to certify that the member has in 
place written policies and procedures reasonably designed to achieve 
compliance with applicable FINRA rules, MSRB rules, and federal 
securities laws and regulations, it does not specifically address 
compliance of the systems of FINRA members, and does not require 
similar policies and procedures to those in adopted Rule 1001(a) 
regarding operational capability of SCI entities. Further, while 
FINRA Rule 4530 imposes a reporting regime for, among other things, 
compliance issues and other events where a member has concluded or 
should have reasonably concluded that a violation of securities or 
other enumerated law, rule, or regulation of any domestic or foreign 
regulatory body or SRO has occurred, the Commission notes that these 
reporting requirements are different in several respects from the 
Commission notification requirements relating to systems compliance 
issues (e.g., scope, timing, content, the recipient of the reports) 
and, importantly, would not cover reporting of systems disruptions 
or systems intrusions that did not also involve a violation of a 
securities law, rule, or regulation. In addition, FINRA Rule 4370 
generally requires that a member maintain a written continuity plan 
identifying procedures relating to an emergency or significant 
business disruption, which is akin to adopted Rule 1001(a)(2)(v) 
requiring policies and procedures for business continuity and 
disaster recovery plans. Unlike Regulation SCI, however, the FINRA 
rule does not include the requirement that the business continuity 
and disaster recovery plans be reasonably designed to achieve next 
business day resumption of trading and two-hour resumption of 
critical SCI systems following a wide-scale disruption, nor does it 
require the functional and performance testing and coordination of 
industry or sector-testing of such plans, which the Commission 
believes to be instrumental in achieving the goals of Regulation SCI 
with respect to SCI entities.
---------------------------------------------------------------------------

    The Commission also believes that, unlike with respect to 
exchanges, it is appropriate that Regulation SCI not apply to all ATSs. 
Exchanges, as self-regulatory organizations, play a special role in the 
U.S. securities markets, and as such, are subject to certain 
requirements under the Exchange Act and are able to enjoy certain 
unique benefits.\116\ Accordingly, as discussed above, the Commission 
believes it is appropriate to subject all national securities exchanges 
to the requirements of Regulation SCI regardless of trading 
volume.\117\ In contrast, in recognition of the more limited role that 
certain ATSs may play in the securities markets and the costs that will 
result from compliance with the requirements of the regulation, the 
Commission believes that it is appropriate to adopt volume thresholds, 
as discussed below, to identify those ATSs that have the potential to 
significantly impact the market should an SCI event occur, therefore 
warranting inclusion within the scope of the regulation. One commenter, 
in advocating for the application of the regulation to all ATSs, stated 
that the Commission should not adopt volume thresholds because ATSs may 
limit trading so as to avoid being subject to the requirements of 
Regulation SCI.\118\ The Commission does not believe that the 
possibility of some ATSs structuring their business to fall below the 
thresholds of the rule is a sufficient justification for applying the 
rule to all ATSs. The Commission notes that, to the extent that an ATS 
limits its trading so as not to reach the volume thresholds for SCI 
ATSs, it would have less potential to impact investors and the market 
and may appropriately not be subject to the requirements of the rules. 
As discussed further below, the Commission believes that the dual 
dollar volume threshold for NMS stocks being adopted today is 
appropriately designed to ensure that ATSs that have either the 
potential to significantly impact the market as a whole or the 
potential to significantly impact the market for a single NMS stock 
(and have some impact on the market as a whole at the same time) will 
be subject to the requirements of Regulation SCI. Thus, only those ATSs 
that limit their trading so as to fall below both the single NMS stock 
threshold and the broad NMS stocks threshold will not be subject to the 
requirements of Regulation SCI.
---------------------------------------------------------------------------

    \116\ See supra Section IV.A.1.a (discussing the definition of 
``SCI SRO'') and infra notes 120-121 and accompanying text. As 
identified by one commenter, benefits afforded to SROs include, 
among others, the ability to receive market data revenue and 
immunity from private liability for regulatory activities. See supra 
note 100. See also ATS Release, supra note 2, at 70902-03 
(discussing generally some of the obligations and benefits to be 
considered when determining whether to register as a national 
securities exchange or as a broker-dealer acting as an ATS).
    \117\ See supra notes 81-83 and accompanying text.
    \118\ See supra notes 95-96 and accompanying text.
---------------------------------------------------------------------------

    As noted above, one commenter asserted that, if ATSs are subject to 
the same requirements of Regulation SCI as exchanges, they similarly 
should be entitled to the benefits afforded to SROs.\119\ The 
Commission notes that, as discussed above, SROs are subject to a 
variety of obligations as self-regulatory organizations under the 
Exchange Act--including filing proposed rules with the Commission and 
enforcing those rules and the federal securities laws with respect to 
their members--that do not apply to other market participants, 
including ATSs.\120\ Although SRO and non-SRO markets are subject to 
different regulatory regimes, with a different mix of benefits and 
obligations, the Commission believes it is appropriate to subject them 
to comparable requirements for purposes of Regulation SCI given the 
importance of assuring that the technology of key trading centers, 
regardless of regulatory status, is reliable, secure, and functions in 
compliance with the law.\121\ At the same time, while questions have 
been raised as to whether the broader regulatory regimes for exchanges 
and ATSs should be harmonized, the Commission does not believe it 
appropriate to delay implementing Regulation SCI or necessary to 
resolve these issues before proceeding with Regulation SCI. The 
Commission notes that ATSs have the ability to apply for registration 
as an SRO should they so wish and, if such application were to be 
approved by the Commission, such entities could assume the additional 
responsibilities that are imposed on SROs, as well as avail themselves 
of the same benefits.
---------------------------------------------------------------------------

    \119\ See supra note 100 and accompanying text.
    \120\ See supra Section IV.A.1.a (discussing the definition of 
``SCI SRO''); see also Section 19(b) of the Exchange Act, 15 U.S.C. 
78s(b)(1), and Section 6(b) of the Exchange Act, 15 U.S.C. 78f(b). 
Because these important regulatory responsibilities are imposed upon 
SROs, SROs also are afforded certain unique benefits, such as 
immunity from private liability with respect to their regulatory 
functions and the ability to receive market data revenue. See supra 
note 116 and accompanying text.
    \121\ But see discussion supra regarding potentially different 
requirements for ATSs and exchanges, including those relating to SCI 
ATSs and critical SCI systems.
---------------------------------------------------------------------------

    As noted above, one commenter objected to the regulation's 
inclusion of ATSs while excluding certain other entities that the 
commenter believed similarly had the potential to impact the market, 
concluding that the proposal was therefore arbitrary, capricious, and 
unfairly discriminatory in nature.\122\ At the same time, this 
commenter stated that it did not recommend that additional entities be 
included within the scope of the regulation.\123\ First, as noted 
above, the Commission has determined to include ATSs meeting the 
adopted volume thresholds within the scope of Regulation SCI because of 
their unique role as markets rather than because of their role as 
traditional broker-dealers. All broker-dealers are subject to Rule 
15c3-5 and other FINRA rules as noted by some commenters, which impose 
certain requirements 
related to the capacity, integrity and/or security of a broker-dealer's 
systems appropriately tailored to their role as broker-dealers. 
Further, as noted above, the scope of Regulation SCI is rooted in the 
historical reach of the ARP Inspection Program and Rule 301 of 
Regulation ATS (which applies to significant-volume ATSs).\124\ The 
Commission acknowledged in the SCI Proposal that there may be other 
categories of broker-dealers not included within the definition of SCI 
entity that, given their increasing size and importance, could pose a 
significant risk to the market should an SCI event occur.\125\ The 
Commission solicited comment on whether there are additional categories 
of market participants that should be subject to all or some of the 
requirements of Regulation SCI and noted that, were the Commission to 
decide to apply the requirements of Regulation SCI to such additional 
entities, it would issue a separate release outlining such a proposal 
and the rationale therefor.\126\ As discussed above, the Commission 
believes that, at this time, the entities included within the scope of 
Regulation SCI, because of their current role in the U.S. securities 
markets and/or their level of trading activity, have the potential to 
pose the most significant risk in the event of a systems issue. 
Further, the Commission believes that a measured approach that takes an 
incremental expansion from the entities covered under the ARP 
Inspection Program is an appropriate method for imposing the mandatory 
requirements of Regulation SCI at this time. As such, while the 
Commission believes that the types of entities subject to Regulation 
SCI as adopted are appropriate, the Commission may consider extending 
the types of requirements in Regulation SCI to additional market 
participants in the future.
---------------------------------------------------------------------------

    \122\ See supra note 103 and accompanying text.
    \123\ See supra note 103 and accompanying text.
    \124\ See supra notes 60-67 and accompanying text.
    \125\ See Proposing Release, supra note 13, at 18138-39.
    \126\ See id.
---------------------------------------------------------------------------

SCI ATS Thresholds
    Several commenters discussed the specific proposed volume 
thresholds for SCI ATSs, and many offered what they believed to be more 
appropriate alternative methods for including ATSs within Regulation 
SCI.\127\ For example, some commenters urged the Commission to retain 
the existing 20 percent threshold under Regulation ATS for purposes of 
Regulation SCI or asked the Commission to provide further explanation 
as to why the current threshold under Regulation ATS should be 
altered.\128\ One commenter agreed with the Commission that the 20 
percent threshold currently in Regulation ATS might be too high, and 
suggested using a threshold for ATSs trading NMS stocks of five percent 
or more of the volume in all NMS stocks during a 12-month period, to be 
determined once a year in the same given month.\129\ Another commenter 
suggested that the Commission apply its ATS threshold for NMS stocks to 
only the 500 most active securities.\130\ An additional recommendation 
by one commenter with regard to NMS stocks was to include only those 
ATSs with five percent or more of at least five NMS stocks with an 
aggregate average daily share volume greater than 500,000 shares and 
0.25 percent or more of all NMS stocks for four of the previous six 
months, or those ATSs that have three percent or more of all NMS stocks 
in four of the previous six months.\131\ Another commenter suggested 
retaining Rule 301(b)(6) as part of Regulation ATS, but amending the 
rule by lowering the average daily volume threshold to 2.5 
percent.\132\
---------------------------------------------------------------------------

    \127\ See, e.g., Direct Edge Letter at 2; SIFMA Letter at 6-7; 
BIDS Letter at 6; ITG Letter at 10; and OTC Markets Letter at 11. 
But see BlackRock Letter at 4 (agreeing with the Commission's 
approach in the SCI Proposal of lowering the thresholds for SCI ATSs 
from the thresholds in Rule 301(b)(6) of Regulation ATS).
    \128\ See, e.g., Direct Edge Letter at 2; and KCG Letter at 10-
11.
    \129\ See SIFMA Letter at 6.
    \130\ See BIDS Letter at 6.
    \131\ See ITG Letter at 10.
    \132\ See OTC Markets Letter at 11. This commenter also 
suggested leaving in place the existing five percent average daily 
share volume threshold for the display requirement of Rule 301(b)(3) 
under Regulation ATS.
---------------------------------------------------------------------------

    One commenter requested clarification on the phrase ``0.25 percent 
or more in all NMS stocks, of the average daily dollar volume reported 
by an effective transaction reporting plan.'' \133\ Because there is 
more than one transaction reporting plan, this commenter asked whether 
the proposed volume thresholds would be calculated per plan or 
calculated based on all NMS volume.\134\
---------------------------------------------------------------------------

    \133\ See SIFMA Letter at 6-7.
    \134\ See SIFMA Letter at 6-7.
---------------------------------------------------------------------------

    Some commenters provided suggestions with regard to the proposed 
measurement methodology for the thresholds.\135\ A few commenters 
argued that the proposed time period measurement of ``at least four of 
the preceding six calendar months'' is cumbersome to apply in practice 
and believed that the time period should be over a longer term.\136\ 
For example, two commenters stated that the rule should utilize a 12-
month measurement period.\137\ Conversely, another commenter generally 
opposed the thresholds stating that all ATSs should be subject to the 
rule, but noted that if the rule includes a trading volume metric, the 
measurement period should be much shorter (such as two to four 
weeks).\138\ In addition, one commenter stated that the measurement 
should be based on number of shares traded rather than dollar 
value.\139\
---------------------------------------------------------------------------

    \135\ See, e.g., BIDS Letter at 6; KCG Letter at 19; SIFMA 
Letter at 7; and Lauer Letter at 4-5.
    \136\ See, e.g., BIDS Letter at 6; and KCG Letter at 19.
    \137\ See BIDS Letter at 6; and KCG Letter at 19.
    \138\ See Lauer Letter at 4-5.
    \139\ See BIDS Letter at 6.
---------------------------------------------------------------------------

    Two commenters also suggested that ATSs should be given six months 
after meeting the given threshold in the definition of SCI ATS to come 
into compliance with Regulation SCI.\140\
---------------------------------------------------------------------------

    \140\ See KCG Letter at 19; and SIFMA Letter at 7.
---------------------------------------------------------------------------

    The Commission is adopting the thresholds for ATSs that trade NMS 
stocks and non-NMS stocks as proposed. In setting the thresholds for 
Regulation SCI, the Commission believes it is establishing an 
appropriate and reasonable scope for the application of the regulation. 
Although commenters provided various suggestions for different 
thresholds, nothing persuaded the Commission that these suggestions 
would better accomplish the goals of Regulation SCI than the thresholds 
the Commission is adopting. As discussed below, the Commission has 
analyzed the number of entities it believes are likely to be covered by 
the thresholds it is establishing. The Commission recognizes that these 
thresholds ultimately represent a matter of judgment by the Commission 
as it takes the step of promulgating Regulation SCI, and the Commission 
intends to monitor these thresholds to determine whether they continue 
to be appropriate.
    With regard to the threshold for ATSs trading NMS stocks, the 
Commission has determined to adopt this threshold as proposed. After 
careful consideration of the comments, the Commission continues to 
believe that this threshold is an appropriate measure of when a market 
is of sufficient significance so as to warrant the protections and 
requirements of Regulation SCI.\141\ The 
Commission is, however, making one technical modification in response 
to a commenter to clarify that the threshold will be calculated based 
on all NMS volume, rather than on a per plan basis.\142\ The Commission 
agrees with the commenter that the proposed language should be 
clarified and, as such, the threshold language within the definition of 
``SCI ATS'' in Rule 1000 is being revised to refer to ``applicable 
effective transaction reporting plans,'' rather than ``an effective 
transaction reporting plan.'' \143\
---------------------------------------------------------------------------

    \141\ The numerical thresholds in the definition of SCI ATS 
reflect an informed assessment by the Commission, based on 
qualitative and quantitative analysis, of the likely economic 
consequences of the specific numerical thresholds included in the 
definition. In making such assessment and, in turn, selecting the 
numerical thresholds, in addition to considering the views of 
commenters, the Commission has reviewed relevant data. See infra 
notes 150 and 175 and accompanying text.
    \142\ See supra note 134 and accompanying text. As noted above, 
this commenter asked the Commission for clarification on this aspect 
of the rule.
    \143\ Because the threshold has two prongs, one of which is 
based on all NMS volume, it is necessary to specify that there is 
more than one transaction reporting plan that would be applicable in 
calculating all NMS stock trading volume. At the same time, since 
the other prong of the threshold is based on the trading volume of 
single NMS stocks, it is necessary to also add the term 
``applicable'' before the term ``transaction reporting plans'' as 
only one transaction reporting plan would be applicable per 
security. The definitions of ``eligible securities'' in the 
transaction reporting plans are mutually exclusive, ensuring that 
each security is subject to only one transaction reporting plan. See 
CTA Plan, available at: https://www.nyxdata.com/cta; and Nasdaq UTP 
Plan, available at: https://www.utpplan.com.
---------------------------------------------------------------------------

    Under the adopted definition of SCI ATS, with regard to NMS stocks, 
an ATS will be subject to Regulation SCI if, during at least four of 
the preceding six calendar months, it had: (i) Five percent or more in 
any single NMS stock, and 0.25 percent or more in all NMS stocks, of 
the average daily dollar volume reported by applicable effective 
transaction reporting plans, or (ii) one percent or more, in all NMS 
stocks, of the average daily dollar volume reported by applicable 
effective transaction reporting plans.\144\ The Commission continues to 
believe that this threshold will identify those ATSs that could have a 
significant impact on the overall market or that could have a 
significant impact on a single NMS stock and some impact on the market 
as a whole at the same time.\145\
---------------------------------------------------------------------------

    \144\ But see infra notes 169-170 and accompanying text 
(discussing a six-month compliance period for SCI entities 
satisfying the thresholds for the first time).
    \145\ Under the adopted thresholds, because of the requirement 
to meet the threshold for at least four of the preceding six 
calendar months, inactive and newly operating ATSs would not be 
included in the definition of SCI ATS. See infra note 152.
---------------------------------------------------------------------------

    While some commenters advocated for thresholds higher than those 
proposed and/or retaining the 20 percent threshold in Regulation 
ATS,\146\ as the Commission discussed in the SCI Proposal, the 
securities markets have significantly evolved since the time of the 
adoption of Regulation ATS, resulting in trading activity in stocks 
being more dispersed among a variety of trading centers. For example, 
in today's markets, national securities exchanges, once the predominant 
type of venue for trading stocks, each account for no more than 
approximately 19 percent of volume in NMS stocks.\147\ By way of 
contrast, based on data collected from ATSs pursuant to FINRA Rule 4552 
for 18 weeks of trading in 2014, the trading volume of ATSs accounted 
for approximately 18 percent of the total dollar volume in NMS stocks, 
with no individual ATS executing more than five percent.\148\ Given 
this dispersal of trading volume among an increasing number of trading 
venues, the increasingly interconnected nature of the markets, and the 
increasing reliance on a variety of automated systems, the Commission 
believes that there is a heightened potential for systems issues 
originating from a number of sources to significantly affect the 
market. Due to these developments, the Commission believes that the 20 
percent threshold as adopted in Regulation ATS is no longer an 
appropriate measure for determining those entities that can have a 
significant impact on the market and thus should be subject to the 
protections of Regulation SCI. Rather, the Commission believes that 
lower volume thresholds are appropriate, and as noted in the SCI 
Proposal, the Commission believes that the adopted thresholds would 
include ATSs having NMS stock dollar volume comparable to or in excess 
of the NMS stock dollar volume of certain national securities exchanges 
subject to Regulation SCI.\149\
---------------------------------------------------------------------------

    \146\ See supra note 128 and accompanying text.
    \147\ See supra note 106.
    \148\ See infra note 150.
    \149\ See Proposing Release, supra note 13, at 18094.
---------------------------------------------------------------------------

    Based on data collected from ATSs pursuant to FINRA Rule 4552 for 
18 weeks of trading in 2014,\150\ the Commission believes that 
approximately 12 ATSs trading NMS stocks would exceed the adopted 
thresholds and fall within the definition of SCI entity, accounting for 
approximately 66 percent of the dollar volume market share of all ATSs 
trading NMS stocks.\151\ The Commission acknowledges that its analysis 
of the FINRA ATS data did not reveal an obvious threshold level above 
which a particular subset of ATSs may be considered to have a 
significant impact on individual NMS stocks or the overall market, as 
compared to another subset of ATSs. However, for the following reasons, 
the Commission continues to believe that the adopted thresholds for 
ATSs trading NMS stock are an appropriate measure to identify those 
ATSs that should be subject to the requirements of Regulation SCI. 
First, by imposing both a single NMS stock threshold and an all NMS 
stocks threshold in the first prong of the definition, the thresholds 
will help to ensure that Regulation SCI will not apply to an ATS that 
has a large volume in a small NMS stock and little volume in all other 
NMS stocks. At the same time, the Commission believes that inclusion of 
the dual-prong dollar volume thresholds is appropriate. Specifically, 
it will require not only that ATSs that have significant trading volume 
in all NMS stocks are subject to the requirements of Regulation SCI, 
but also that ATSs that have large trading volume in a single NMS stock 
and could significantly affect the market for that stock are also 
covered by the safeguards of Regulation SCI provided they have levels 
of trading in all NMS stocks that could allow such ATSs to also have 
some impact on the market as a whole. The Commission also believes 
that, as discussed further below, the adopted thresholds will also 
appropriately capture not only ATSs that have significant trading 
volume in active stocks, but also those that have significant trading 
volume in less active stocks. The Commission believes that a systems 
issue at an ATS that is a significant market for the trading of a less 
actively traded stock could similarly impose significant risks to the 
market for such securities, because a systems outage at such a venue 
could significantly impede the ability to trade 
such securities, thereby having a significant impact on the market for 
such less-actively traded securities. In addition, the Commission 
continues to believe that thresholds that account for 66 percent of the 
dollar volume market share of all ATSs trading NMS stocks represent a 
reasonable level that would not exclude new entrants to the ATS 
market.\152\ Further, as noted above, the thresholds would include ATSs 
having NMS stock dollar value comparable to the NMS stock dollar volume 
of the equity exchanges subject to Regulation SCI. Finally, the 
Commission believes that the adopted thresholds are appropriate to help 
ensure that entities that have determined to participate (in more than 
a limited manner) in the national market system as markets that bring 
buyers and sellers together, are subject to the requirements of 
Regulation SCI.
---------------------------------------------------------------------------

    \150\ See Securities Exchange Act Release No. 71341 (January 17, 
2014), 79 FR 4213 (January 24, 2014) (approving FINRA Rule 4552 
requiring each ATS to report to FINRA weekly volume information and 
number of securities transactions). Commission staff analyzed FINRA 
ATS data for the period of May 19, 2014 through September 19, 2014. 
The recently available FINRA ATS data is consistent with the OATS 
data used in the SCI Proposal. In addition, the analysis of FINRA 
ATS data examines a threshold of trading volume over four out of six 
time periods, each period defined as a period of three consecutive 
weeks as a rough approximation of the threshold test on four out of 
the preceding six calendar months as prescribed in the definition of 
SCI ATS. The Commission noted in the SCI Proposal that the staff 
analysis of OATS data may overestimate the number of ATSs that may 
meet the proposed thresholds. While the calculation based on FINRA 
ATS data may not overestimate the number of ATSs as much as the data 
analysis in the proposal, it could still overestimate the number of 
ATSs that would meet the thresholds. Nevertheless, the Commission 
believes the analysis of FINRA ATS data offers useful insights. See 
Proposing Release, supra note 13, at 18094.
    \151\ According to the FINRA ATS data, during this time period, 
a total of 44 ATSs traded NMS stocks. The Commission notes that the 
number of ATSs exceeding the adopted thresholds, and the percentage 
of volume of trading in NMS stocks that they represent, may change 
over time in response to market and competitive forces.
    \152\ Consistent with the Commission's statement in the SCI 
Proposal, the Commission has considered barriers to entry and the 
promotion of competition in setting the threshold such that new ATSs 
trading NMS stocks would be able to commence operations without, at 
least initially, being required to comply with--and thereby not 
incurring the costs associated with--Regulation SCI. See Proposing 
Release, supra note 13, at n. 102. In particular, a new ATS could 
engage in limited trading in any one NMS stock or all NMS stocks, 
until it reached an average daily dollar volume of five percent or 
more in any one NMS stock and 0.25 percent or more in all NMS 
stocks, or one percent in all NMS stocks, over four of the preceding 
six months. Because a new ATS could begin trading in NMS stocks for 
at least three months (i.e., less than four of the preceding six 
months), and conduct such trading at any dollar volume level without 
being subject to Regulation SCI, and would have to exceed the 
specified volume levels for the requisite period to become so 
subject, the Commission believes that these thresholds should not 
prevent a new ATS entrant from having the opportunity to initiate 
and develop its business. Further, the Commission notes that, as 
discussed below, it is adopting an additional six-month compliance 
period (in addition to the general nine-month compliance period from 
the Effective Date of Regulation SCI afforded to all SCI entities) 
for ATSs newly meeting the thresholds, so that once an ATS meets the 
threshold, it will have six months from that time to become fully 
compliant with Regulation SCI. See infra Section IV.F (discussing 
effective dates and compliance periods). The Commission believes 
that, for ATSs that have newly entered the market, this additional 
compliance period will give such ATSs additional opportunity to 
develop and grow their business without incurring the costs of 
compliance with Regulation SCI during this time. This additional 
compliance period should also provide such ATSs with time to plan on 
how they would meet the requirements of Regulation SCI, and could 
also potentially allow SCI ATSs to become more equipped to bear the 
cost of Regulation SCI once compliance is required, and thus not 
significantly discourage new ATSs from entering the market and 
growing. See infra Section VI.C.1.c (discussing further barriers to 
entry and the potential effects on competition of the adopted 
thresholds).
---------------------------------------------------------------------------

    As noted above, several commenters provided specific suggestions 
for alternative standards for determining which ATSs should be included 
within the scope of Regulation SCI.\153\ While the Commission 
recognizes that some of the suggested alternatives could have certain 
benefits, it also believes that each recommended standard also has 
corresponding limitations, and thus believes that the adopted 
thresholds are an appropriate measure for identifying those ATSs that 
should be subject to Regulation SCI. First, as described above, the 
Commission believes that adopting a two-prong standard is necessary to 
identify those ATSs that, in the event of a systems issue, could have a 
significant impact on the overall market or that could have a 
significant impact on a single NMS stock and some impact on the market 
as a whole at the same time. The Commission notes that several of the 
thresholds suggested by commenters lacked such a dual-prong standard 
(and, in particular, the prong relating to individual NMS stocks) and 
thus do not provide the advantages associated with the adopted 
threshold in protecting the trading venues for a single NMS stock. With 
regard to one commenter's suggestion that the first prong of the 
threshold should, among other things, consider five NMS stocks, rather 
than a single stock, the Commission does not believe the commenter has 
provided any clear rationale for this standard.\154\ As discussed, the 
purpose of the first prong is to identify significant trading venues 
(or markets) for a single security where a systems disruption could 
have a significant effect on the market for that security, and setting 
the threshold to consider five NMS securities could potentially exclude 
trading venues that host large trading activity for a single NMS 
security. Additionally, the Commission notes that the suggested 
alternative approach would be unlikely to have any significant 
practical effect when used in conjunction with the second prong of the 
threshold, which looks at trading across all NMS stocks, because the 
second prong would likely capture an ATS with five percent or more 
volume in five NMS stocks. With regard to one commenter's suggestion to 
apply the threshold to only the 500 most active NMS stocks \155\ and 
another commenter's suggestion to include only stocks with an aggregate 
average daily share volume greater than 500,000,\156\ the Commission 
disagrees that the threshold should be structured to capture only ATSs 
that have significant trading volume in active stocks. Rather, the 
first prong of the adopted threshold is designed to capture any ATS 
that has five percent or more of the trading volume of any NMS stock, 
irrespective of how actively traded it is, so that Regulation SCI can 
effectively address risks relating to the trading of all NMS stocks, 
and not only the most active of NMS stocks. If the Commission were to 
apply the threshold only to the 500 most active NMS stocks or stocks 
only with average daily share volumes greater than 500,000, an ATS 
that, for example, served as the primary venue for the trading of less 
actively traded NMS stocks, but had negligible market share for more 
actively traded NMS stocks, would not be subject to Regulation SCI. 
However, an SCI event that resulted in an outage of such an ATS could 
have a significant impact on the market for such less actively traded 
NMS stocks. As such, failure to include such an ATS within the scope of 
Regulation SCI would be contrary to the goals of the regulation. 
Finally, with regard to one commenter's suggestion to retain Rule 
301(b)(6) as part of Regulation ATS and amend the threshold to 2.5 
percent,\157\ as discussed throughout this release, Regulation SCI is 
intended to expand upon the requirements of Rule 301(b)(6) and to 
supersede and replace such requirements for ATSs that trade NMS 
stocks.\158\ For the reasons noted above, the Commission believes it is 
appropriate to include ATSs meeting the adopted volume thresholds 
within the scope of Regulation SCI, and the Commission does not believe 
it is appropriate to retain Rule 301(b)(6) as part of Regulation ATS, 
thereby subjecting ATSs to a separate and differing set of regulatory 
requirements than other SCI entities with regard to systems capacity, 
integrity, resiliency, availability, security, and compliance.\159\ For 
all of the reasons discussed above, the Commission does not believe 
that any of the alternative standards suggested by commenters would 
better capture those entities that 
have the potential to pose significant risk to the market.
---------------------------------------------------------------------------

    \153\ See supra notes 127-132 and accompanying text.
    \154\ See supra note 131 and accompanying text. This commenter 
argued generally that the thresholds should be revised so as to only 
include those entities that would have an ``immediate and 
substantial impairment of a functioning marketplace.'' However, the 
commenter did not explain why it advocated the use of five NMS 
stocks, rather than a single NMS stock. See ITG Letter at 9.
    \155\ See supra note 130 and accompanying text.
    \156\ See supra note 131 and accompanying text.
    \157\ See supra note 132 and accompanying text.
    \158\ But see infra notes 189-192 and accompanying text 
(discussing the Commission's determination to retain the 
applicability of Rule 301(b)(6) to fixed-income ATSs).
    \159\ The Commission notes that, with regard to the specific 
threshold level suggested by this commenter (2.5%), the Commission 
believes the adopted thresholds to be an appropriate measure to 
identify those ATSs that should be subject to the requirements of 
Regulation SCI for the reasons discussed above. See supra note 141.
---------------------------------------------------------------------------

    One commenter urged the Commission to utilize number of shares 
traded rather than dollar value, stating that while most of the world 
uses value traded, available data for the U.S. equity markets is 
share-based.\160\ The Commission disagrees with this commenter and notes that 
daily dollar volume is readily available from a number of sources, 
including the SIPs.\161\
---------------------------------------------------------------------------

    \160\ See supra note 139 and accompanying text.
    \161\ See also Proposing Release, supra note 13, at 18094 
(stating that the use of dollar thresholds may better reflect the 
economic impact of trading activity).
---------------------------------------------------------------------------

    The time measurement period for ATSs that trade NMS stocks and 
non-NMS stocks is also being adopted as proposed. Thus, ATSs will be 
subject to Regulation SCI only if they meet the numerical thresholds 
for at least four of the preceding six months.\162\ The Commission 
notes that the adopted time measurement period is consistent with the 
current standard in Rule 301(b)(6) of Regulation ATS.\163\ The 
Commission believes that this time measurement period is an appropriate 
time period over which to evaluate the trading volume of an ATS and 
should help to ensure that it does not capture ATSs with relatively low 
trading volume that may have had an anomalous increase in trading on a 
given day or few days. Contrary to concerns raised by some 
commenters,\164\ under this time measurement methodology, an ATS would 
not qualify as an SCI entity simply by trading a single large block of 
an illiquid security during one month (or even two or three months). 
While one commenter suggested that the time measurement period be 
shorter and recommended a period of two to four weeks,\165\ the 
Commission believes that this could cause ATSs to fall within the scope 
of the definition solely as a result of an atypical, short-term 
increase in trading or a small number of large block trades that is not 
reflective of ATSs' general level of trading. Specifically, with such a 
short period of measurement, a short-term spike in trading volume 
uncharacteristic of an ATS's overall trading volume history could (and 
if large enough, likely would) skew the overall trading volume for that 
time period, causing an ATS to meet the volume thresholds and thus 
become subject to Regulation SCI even though the overall risk posed by 
the ATS does not warrant it. Further, the Commission believes that such 
a shorter time measurement period could provide more barriers to entry 
for ATSs, because new ATSs would not have as long a time period to 
develop their business prior to having to incur the costs of compliance 
associated with being subject to the requirements of Regulation 
SCI.\166\ This potential to incur such costs almost immediately after 
the initial start of operations could act as a barrier to entry for 
some new ATSs.
---------------------------------------------------------------------------

    \162\ See adopted Rule 1000 (definition of ``SCI ATS''). The 
Commission notes that if an ATS that was not previously subject to 
Regulation SCI meets the SCI ATS volume threshold for four 
consecutive months, it would become subject to Regulation SCI at the 
end of that four-month period. However, as discussed further below, 
such an ATS would have an additional six months from that time to 
comply with the requirements of Regulation SCI. See infra text 
accompanying notes 169-170.
    \163\ 17 CFR 242.301(b)(6).
    \164\ See, e.g., BIDS Letter at 6.
    \165\ See supra note 138 and accompanying text.
    \166\ See supra note 152 and accompanying text. See also infra 
Section VI.C.1.c (discussing barriers to entry and the effects on 
competition of the adopted thresholds and time measurement period 
for SCI ATSs).
---------------------------------------------------------------------------

    Other commenters recommended a longer measurement period, such as 
12 months.\167\ The Commission does not believe, however, that a longer 
time period is necessary or more appropriate to identify those entities 
that play a significant role in the market for a particular asset class 
and/or that have the potential to significantly impact investors or the 
market, warranting inclusion in the scope of Regulation SCI. The 
Commission believes that the adopted time measurement period provides 
sufficient trading history data so as to indicate an ATS's significance 
to the market, and that the structure of the test (i.e., requiring an 
ATS to meet the threshold for four out of six months) ensures 
sustainability of such trading levels. In addition, modifying the time 
measurement period to 12 months (and thus eliminating the four out of 
six month measurement period) would make such a measure more 
susceptible to capturing ATSs that have a major but isolated spike in 
trading during a single month. Specifically, as noted above, a single 
anomalous large increase in trading volume during one month (or such a 
spike in two or three months) could never result in an ATS becoming 
subject to Regulation SCI solely as a result of such a spike in 
trading, because the ATS would meet the threshold only for one month, 
rather than the four months required by the rule. On the other hand, a 
threshold based on an average over 12 months could be skewed by the 
occurrence of one large spike in trading that results in the overall 
average for the 12-month period being increased to such a level that it 
meets the volume threshold levels. Thus, contrary to one commenter's 
suggestion that a 12-month period would require ``a sustained trading 
level at the threshold,'' \168\ the Commission believes that the 
structure of the adopted measurement period test (i.e., four out of six 
months) may be a better indicator of actual sustained trading levels at 
the threshold warranting the protections of the rule. Further, the 
Commission believes that 12 months is a less appropriate time 
measurement period than the period adopted because, for example, an ATS 
could have significant trading volume early on during such a time 
period such that it may pose significant risk to the markets in the 
event of a systems issue at such an ATS without being subject to 
Regulation SCI for a significant period of time. The Commission 
believes that the adopted time period strikes an appropriate balance 
between being a long enough period so as to not be triggered by 
atypical periods of increased trading or a few occurrences of very 
large trades, while also not causing unnecessary delay in requiring 
that ATSs playing an important role in the market are subject to 
Regulation SCI.
---------------------------------------------------------------------------

    \167\ See supra notes 136-137 and accompanying text. One of 
these commenters noted that the ``four out of the preceding six 
months'' measurement is cumbersome to apply in practice. See KCG 
Letter at 19. The Commission does not believe this measurement 
period to be overly cumbersome to apply in practice, as it would 
require only that an ATS undertake an assessment once at the end of 
each month as to whether the ATS had exceeded the volume thresholds 
set forth in the rule and then make a determination at the end of a 
six month period whether the ATS met this threshold for four out of 
the six preceding months.
    \168\ See KCG Letter at 19. See also supra notes 136-137 and 
accompanying text.
---------------------------------------------------------------------------

    Finally, as discussed further in Section IV.F, the Commission 
agrees with commenters that it is appropriate to provide ATSs meeting 
the volume thresholds in the definition of SCI ATS for the first time a 
period of time before they are required to comply with Regulation 
SCI.\169\ Thus, consistent with the recommendation of these commenters, 
the Commission is revising the definition of SCI ATS to provide that an 
SCI ATS will not be required to comply with the requirements of 
Regulation SCI until six months after satisfying any of the applicable 
thresholds in the definition of SCI ATS for the first time.\170\
---------------------------------------------------------------------------

    \169\ See supra note 140 and accompanying text.
    \170\ See Rule 1000 (definition of SCI ATS).
---------------------------------------------------------------------------

ATSs Trading Non-NMS Stocks
    Some commenters addressed whether Regulation SCI should apply to 
ATSs trading non-NMS stocks.\171\ Specifically, 
one commenter stated that the rules should apply only to trading in NMS 
securities because non-NMS stock trading--which is dispersed among 
broker-dealers--does not have a single point of failure and is 
therefore less susceptible to rapid, widespread issues that occur as a 
result of a high degree of linkage or inter-dependency.\172\ Another 
commenter stated that, with respect to non-NMS stocks (as well as 
municipal securities and corporate debt securities), the proposed five 
percent threshold was too low and would unnecessarily include ATSs for 
these product types that are ``not systemic to maintaining fair, 
orderly, and efficient markets'' and asked the Commission to further 
study the appropriate threshold for these ATSs.\173\
---------------------------------------------------------------------------

    \171\ See, e.g., OTC Markets Letter at 7; SIFMA Letter at 7; TMC 
Letter at 1-3 (asserting that retail fixed-income ATSs should not be 
subject to Regulation SCI); and KCG Letter at 3, 10-11.
    \172\ See OTC Markets Letter at 7.
    \173\ See SIFMA Letter at 7.
---------------------------------------------------------------------------

    With regard to equity securities that are not NMS stocks and for 
which transactions are reported to a self-regulatory organization, the 
adopted thresholds remain unchanged from the SCI Proposal. Thus, for 
such securities, an ATS will be subject to the requirements of 
Regulation SCI if, during four of the preceding six calendar months, it 
had five percent or more of the average daily dollar volume as 
calculated by the self-regulatory organization to which such 
transactions are reported.\174\ The Commission continues to believe 
that this threshold will appropriately identify ATSs that play a 
significant role in the market for those securities and, thus, should 
be subject to the requirements of Regulation SCI.
---------------------------------------------------------------------------

    \174\ However, as noted above, an ATS meeting the definition of 
SCI ATS for the first time will be afforded a six-month compliance 
period. See supra notes 169-170 and accompanying text.
---------------------------------------------------------------------------

    Using data from the second quarter of 2014, an ATS executing 
transactions in non-NMS stocks at a level exceeding five percent of the 
average daily dollar volume traded in the United States would be 
executing trades at a level exceeding $45.2 million daily.\175\ Based 
on data collected from Form ATS-R for the second quarter of 2014, the 
Commission estimates that two ATSs would exceed this threshold and fall 
within the definition of SCI entity, accounting for approximately 99 
percent of the dollar volume market share of all ATSs trading non-NMS 
stocks.\176\ These thresholds reflect an assessment by the Commission, 
based on qualitative and quantitative analysis, of the likely 
consequences of the specific quantitative thresholds included in the 
definition. From this analysis and in conjunction with considering the 
views of commenters, the Commission has derived what it believes to be 
an appropriate threshold to identify those ATSs that should be subject 
to the requirements of Regulation SCI.
---------------------------------------------------------------------------

    \175\ In the Proposing Release, the Commission used data from 
the first six months of 2012 to estimate that an ATS executing 
transactions in non-NMS stocks at a level exceeding five percent of 
the average daily volume traded in the United States would be 
executing trades at a level exceeding $31 million daily. See 
Proposing Release, supra note 13, at n.111 and accompanying text. 
The Commission has updated this estimate using over-the-counter 
reporting facility data available from FINRA.
    \176\ The Commission notes that the number of ATSs exceeding the 
adopted threshold, and the percentage of volume of trading in non-
NMS stocks that they represent, may change over time in response to 
market and competitive forces.
---------------------------------------------------------------------------

    As discussed above, one commenter objected to the inclusion of ATSs 
trading non-NMS stocks within the scope of Regulation SCI.\177\ This 
commenter argued that non-NMS trading is not susceptible to the issues 
that Regulation SCI is designed to address because such trading is 
dispersed among broker-dealers and does not create the types of single 
points of failure that pose widespread systemic risk.\178\ First, as 
noted above, while the Commission is particularly concerned with 
systems issues that pose the greatest risk to our markets and have the 
potential to cause the most widespread effects and damage (such as 
those that are single points of failure), Regulation SCI is intended to 
address a broader set of risks of systems issues. Accordingly, the 
adopted threshold for non-NMS stock ATSs is designed to identify those 
ATSs that play a significant role in the market for such securities. 
Further, the Commission disagrees with the commenter's assertion that 
trading in non-NMS stocks cannot result in widespread disruptions.\179\
---------------------------------------------------------------------------

    \177\ See supra note 172 and accompanying text.
    \178\ See id.
    \179\ See supra note 33 and accompanying text.
---------------------------------------------------------------------------

    While one commenter stated that the five percent threshold was too 
low, this commenter did not provide an alternative threshold but rather 
asked the Commission to further study this issue.\180\ As noted above, 
based on qualitative and quantitative analysis, the Commission believes 
the five percent threshold to be an appropriate measure to determine 
which ATSs are of sufficient significance in the current market for 
non-NMS stocks to warrant their inclusion within the scope of 
Regulation SCI. The Commission notes that it intends to monitor the 
level of this threshold, and other thresholds being adopted today, to 
ensure that they continue to be appropriate.
---------------------------------------------------------------------------

    \180\ See supra note 173.
---------------------------------------------------------------------------

    The Commission notes that adoption of a higher threshold for non-
NMS stocks than for NMS stocks reflects the Commission's 
acknowledgement of certain differences between the two markets. In 
particular, as noted in the SCI Proposal, while the Commission believes 
that similar concerns about the trading of NMS stocks on ATSs apply to 
the trading of non-NMS stocks, the Commission also believes that 
certain characteristics of the market for non-NMS stocks, such as the 
lower degree of automation, electronic trading, and interconnectedness, 
generally result in an overall lower risk to the market in the event of 
a systems issue.\181\ In particular, the Commission believes that a 
systems issue at an SCI entity that trades non-NMS stocks would not be 
as likely to have as significant or widespread an impact as readily as 
a systems issue at an SCI entity that trades NMS stocks. Therefore, the 
Commission believes that there is less risk of market impact in the 
markets for those securities at this time. As such, the Commission has 
determined not to adopt the same, more stringent, thresholds that would 
trigger the requirements of Regulation SCI that the Commission is 
adopting for ATSs trading NMS stocks. The Commission also believes that 
imposition of a threshold that is set too low in markets that lack 
automation could have the unintended effects of discouraging automation 
in these markets and discouraging new entrants into these markets. 
Specifically, it could increase the cost of automation in relation to 
other methods of executing trades, and thus market participants might 
make a determination that the costs associated with becoming subject to 
Regulation SCI preclude a shift to automated trading or the development 
of a new automated trading system, particularly given the expected 
lower trading volume when beginning operations. Further, the Commission 
notes that it has traditionally provided special safeguards with regard 
to NMS stocks in its rulemaking efforts relating to market 
structure.\182\ For these reasons, the Commission believes that it is 
appropriate at this time to apply a different threshold to ATSs trading 
NMS stocks than those ATSs trading non-NMS stocks.
---------------------------------------------------------------------------

    \181\ See Proposing Release, supra note 13, at 18096.
    \182\ See, e.g., Regulation NMS, 17 CFR 242.600-612; Securities 
Exchange Act Release No. 51808 (June 9, 2005), 70 FR 27496 (June 29, 
2005) (Regulation NMS Adopting Release).

---------------------------------------------------------------------------

[[Page 72270]]

ATSs Trading Fixed-Income Securities
    Several commenters specifically addressed the inclusion of 
municipal security and corporate debt security ATSs within the scope of 
Regulation SCI, stating that these ATSs should not be subject to 
Regulation SCI or that the proposed thresholds should be modified.\183\ 
These commenters identified differences in the nature of fixed-income 
trading as compared to the markets for NMS securities and concluded 
that the thresholds were inappropriate and would be detrimental to the 
market for these types of securities.\184\ In particular, commenters 
stated that inclusion of fixed-income ATSs and/or the adoption of the 
proposed thresholds would impose unduly high costs on these entities 
given their size, scope of operations, lack of automation, low speed, 
and resulting low potential to pose risk to systems.\185\ Further, one 
commenter noted that the cost of compliance for these types of entities 
would discourage the shift from manual fixed-income trading in the OTC 
markets to more transparent and efficient automated trading 
venues.\186\
---------------------------------------------------------------------------

    \183\ See, e.g., SIFMA Letter at 7; TMC Letter at 1-3; and KCG 
Letter at 2-3, 10-11.
    \184\ See, e.g., SIFMA Letter at 7; TMC Letter at 1-3; and KCG 
Letter at 2-3, 10-11.
    \185\ See, e.g., SIFMA Letter at 7; TMC Letter at 1-3; and KCG 
Letter at 2-3, 10-11.
    \186\ See KCG Letter at 3, 10-11 (noting that the vast majority 
of fixed-income trades are done in the OTC markets and only a few 
ATSs for the fixed-income market have emerged in recent years).
---------------------------------------------------------------------------

    In addition, one commenter stated that if retail fixed-income ATSs 
are included in the final rule, a better measurement would be to look 
at par amount traded rather than volume.\187\ Finally, one commenter 
requested that the Commission clarify that ATSs relating to listed-
options are not subject to the obligations of proposed Regulation 
SCI.\188\
---------------------------------------------------------------------------

    \187\ See TMC Letter at 1-3.
    \188\ See LiquidPoint Letter at 2-3.
---------------------------------------------------------------------------

    While the adopted definition of SCI ATS remains unchanged from the 
proposal for NMS stocks and non-NMS stocks, the Commission, after 
considering the views of commenters, has determined to exclude ATSs 
that trade only municipal securities or corporate debt securities from 
the definition of SCI ATS at this time.\189\ Accordingly, such fixed-
income ATSs will not be subject to the requirements of Regulation SCI. 
Rather, fixed-income ATSs will continue to be subject to the existing 
requirements in Rule 301(b)(6) of Regulation ATS regarding systems 
capacity, integrity and security if they meet the twenty percent 
threshold for municipal securities or corporate debt securities 
provided by that rule.\190\ The Commission believes that this change is 
warranted given the unique nature of the current fixed-income markets, 
as noted by several commenters. In particular, fixed-income markets 
currently rely much less on automation and electronic trading than 
markets that trade NMS stocks or non-NMS stocks.\191\ In addition, the 
municipal and corporate fixed-income markets tend to be less liquid 
than the equity markets, with slower execution times and less complex 
routing strategies.\192\ As such, the Commission believes that a 
systems issue at a fixed-income ATS would not have as significant or 
widespread an impact as in other markets. Thus, while ensuring the 
capacity, integrity and security of the systems of fixed-income ATSs is 
important, the benefits of lowering the threshold applicable to fixed-
income ATSs from the current twenty percent threshold in Regulation ATS 
and subjecting such ATSs to the safeguards of Regulation SCI would not 
be as great as for ATSs that trade NMS stock or non-NMS stock. As 
commenters pointed out, the cost of the requirements of Regulation SCI 
could be significant for fixed-income ATSs relative to their size, 
scope of operations, and more limited potential for systems risk. The 
Commission is cognizant that lowering the current threshold applicable 
to fixed-income ATSs in Regulation ATS and subjecting such ATSs to the 
requirements of Regulation SCI could have the unintended effect of 
discouraging automation in these markets and discouraging the entry of 
new fixed-income ATSs into the market, which could impede the evolving 
transparency and efficiency of these markets and negatively impact 
liquidity in these markets.
---------------------------------------------------------------------------

    \189\ See supra notes 183-186.
    \190\ See 17 CFR 242.301(b)(6).
    \191\ See, e.g., supra notes 183-186 and accompanying text 
(discussing the unique nature of fixed-income trading). See also 
Tracy Alloway and Michael Mackenzie, ``Goldman Retreats from Bond 
Platform,'' Fin. Times, February 17, 2014 (noting that, despite 
efforts to make the market for bond trades more electronic, large 
bond trading continues to occur overwhelmingly by `voice-brokered' 
transactions); and Lisa Abramowicz, ``Humans Beat Machines as 
Electronic Trading Slows: Credit Markets,'' Bloomberg, February 19, 
2014 (stating that a shift in corporate bond transactions to 
electronic systems is failing to keep up with total volume).
    \192\ See, e.g., TMC Bonds Letter at 1 (stating that fixed-
income markets have significantly lower volumes and slower execution 
times than equity markets and have no meaningful connectivity 
between fixed-income ATS participants).
---------------------------------------------------------------------------

    For these reasons, the Commission believes that it is appropriate 
to continue to apply the requirements in Rule 301(b)(6) of Regulation 
ATS to fixed-income ATSs that meet the volume thresholds of that rule 
and to exclude ATSs that trade only municipal securities or corporate 
debt securities from the scope of Regulation SCI at this time.
c. Plan Processor
    Under Proposed Rule 1000(a), the term ``plan processor'' had the 
meaning set forth in Rule 600(b)(55) of Regulation NMS, which defines 
``plan processor'' as ``any self-regulatory organization or securities 
information processor acting as an exclusive processor in connection 
with the development, implementation and/or operation of any facility 
contemplated by an effective national market system plan.'' \193\ The 
Commission is adopting the definition of ``plan processor'' as 
proposed.\194\
---------------------------------------------------------------------------

    \193\ See 17 CFR 242.600(b)(55).
    \194\ See proposed Rule 1000(a) and Proposing Release supra note 
13, at Section III.B.1.
---------------------------------------------------------------------------

    The Commission received no comments on the proposed definition of 
``plan processor.'' \195\ As noted in the SCI Proposal, the ARP 
Inspection Program included the systems of the plan processors of four 
national market system plans--the CTA Plan, CQS Plan, Nasdaq UTP Plan, 
and OPRA Plan.\196\

[[Page 72271]]

Although an entity selected as the processor of an SCI Plan acts on 
behalf of a committee of SROs, such entity is not required to be an 
SRO, nor is it required to be owned or operated by an SRO.\197\ The 
Commission believes, however, that the systems of such entities, 
because they deal with key market data, are central features of the 
national market system \198\ and should be subject to the same systems 
standards as SCI SROs. The inclusion of plan processors in the 
definition of SCI entity is designed to ensure that the processor for 
an SCI Plan, regardless of its identity, is independently subject to 
the requirements of Regulation SCI. The Commission believes that it is 
important for such plan processors to be subject to the requirements of 
Regulation SCI because of the important role they serve in the national 
market system: Operating and maintaining computer and communications 
facilities for the receipt, processing, validating, and dissemination 
of quotation and/or last sale price information generated by the 
members of the plan.
---------------------------------------------------------------------------

    \195\ However, some commenters did support the overall scope of 
the term ``SCI entity'' or agreed specifically that plan processors 
should be included within the definition of that term. See, e.g., 
Lauer Letter at 3 (urging the Commission to expand the scope of 
entities covered) and KCG Letter at 5-6 (recommending that 
Regulation SCI be targeted to services offered by only one or a few 
entities, such as plan processors). In addition, one commenter, 
although commenting specifically on the definition of ``SCI 
system,'' stated that Regulation SCI should be tailored to focus 
only on systems impacting the core functions of the overall market, 
which should include the exclusive SIPs that transmit market data. 
See OTC Markets Letter at 12-13.
    \196\ See ARP I Release, supra note 1, at n. 8 and n. 17. Each 
of the CTA Plan, CQS Plan, Nasdaq UTP Plan, and OPRA Plan, is a 
``national market system plan'' (``NMS Plan'') as defined under Rule 
600(a)(43) of Regulation NMS under the Exchange Act, 17 CFR 
242.600(a)(43). Rule 600(a)(55) of Regulation NMS under the Exchange 
Act, 17 CFR 242.600(a)(55), defines a ``plan processor'' as ``any 
self-regulatory organization or securities information processor 
acting as an exclusive processor in connection with the development, 
implementation and/or operation of any facility contemplated by an 
effective national market system plan.'' Section 3(a)(22)(B) of the 
Exchange Act, 15 U.S.C. 78c(22)(B), defines ``exclusive processor'' 
to mean ``any securities information processor or self-regulatory 
organization which, directly or indirectly, engages on an exclusive 
basis on behalf of any national securities exchange or registered 
securities association, or any national securities exchange or 
registered securities association which engages on an exclusive 
basis on its own behalf, in collecting, processing, or preparing for 
distribution or publication any information with respect to (i) 
transactions or quotations on or effected or made by means of any 
facility of such exchange or (ii) quotations distributed or 
published by means of any electronic system operated or controlled 
by such association.''
    As a processor involved in collecting, processing, and preparing 
for distribution transaction and quotation information, the 
processor of each of the CTA Plan, CQS Plan, Nasdaq UTP Plan, and 
OPRA Plan meets the definition of ``exclusive processor;'' and 
because each acts as an exclusive processor in connection with an 
NMS Plan, each also meets the definition of ``plan processor'' under 
Rule 600(a)(55) of Regulation NMS, as well as Rule 1000(a) of 
Regulation SCI. For ease of reference, an NMS Plan having a current 
or future ``plan processor'' is referred to herein as an ``SCI 
Plan.'' The Commission notes that not every processor of an NMS Plan 
would be a ``plan processor'' under Rule 1000, and therefore not 
every processor of an NMS Plan would be an SCI entity subject to the 
requirements of Regulation SCI. For example, the processor of the 
Symbol Reservation System associated with the National Market System 
Plan for the Selection and Reservation of Securities Symbols (File 
No. 4-533) would not be a ``plan processor'' subject to Regulation 
SCI because it does not meet the ``exclusive processor'' statutory 
definition, as it is not involved in collecting, processing, and 
preparing for distribution transaction and quotation information.
    \197\ Pursuant to Section 11A of the Exchange Act (15 U.S.C. 
78k-1), and Rule 609 of Regulation NMS thereunder (17 CFR 242.609), 
such entities, as ``exclusive processors,'' are required to register 
with the Commission as securities information processors on Form 
SIP. See 17 CFR 249.1001 (Form SIP, application for registration as 
a securities information processor or to amend such an application 
or registration).
    \198\ See Concept Release on Equity Market Structure, supra note 
4, at 3594-95.
---------------------------------------------------------------------------

    Recent SIP incidents further highlighted the importance of plan 
processors to the U.S. securities markets and the necessity of 
including such processors within the scope of Regulation SCI.\199\ As 
evidenced by the incidents, the availability of consolidated market 
data is central to the functioning of the securities markets. The 
unavailability of a system, such as a plan processor, that is a single 
point of failure with no backups or alternatives can result in a 
significant impact on the entire national market system. Accordingly, 
the Commission believes that it is essential to ensure that the 
automated systems of the entities responsible for the consolidation and 
processing of important market data, namely, plan processors, have 
adequate levels of capacity, integrity, resiliency, availability, and 
security.\200\
---------------------------------------------------------------------------

    \199\ As noted above, a disruption of the Nasdaq SIP on August 
22, 2013 resulted in a three hour halt in trading in all Nasdaq-
listed securities because of the SIP's inability to process quotes. 
See supra note 32 and accompanying text. Also as noted above, on 
October 30, 2014, according to the NYSE, a network hardware failure 
impacted the Consolidated Tape System, Consolidated Quote System, 
and Options Price Reporting Authority data feeds at the primary data 
center, and SIAC switched over to the secondary data center for 
these data feeds. See id.
    \200\ Systems directly supporting functionality relating to the 
provision of consolidated market data are included within the 
definition of ``critical SCI systems,'' for which heightened 
obligations under Regulation SCI will apply. See adopted Rule 1000. 
See also supra Section IV.A.2.c (discussing the definition of 
``critical SCI systems'').
---------------------------------------------------------------------------

    Further, pursuant to its terms, each SCI Plan is required to 
periodically review its selection of its processor, and may in the 
future select a different processor for the SCI Plan than its current 
processor.\201\ Thus, the definition of ``plan processor'' covers any 
entity selected as the processor for a current or future SCI Plan.\202\
---------------------------------------------------------------------------

    \201\ See CTA Plan Section V(d) and CQS Plan Section V(d), 
available at: https://www.nyxdata.com/cta; OPRA Plan Section V, 
available at: https://www.opradata.com/pdf/opra_plan.pdf; and Nasdaq 
UTP Plan Section V, available at: https://www.utpplan.com.
    \202\ Currently, SIAC is the processor for the CTA Plan, CQS 
Plan, and OPRA Plan, and Nasdaq is the processor for the Nasdaq UTP 
Plan. SIAC is wholly owned by NYSE Euronext. Both SIAC and Nasdaq 
are registered with the Commission as securities information 
processors, as required by Section 11A(b)(1) of the Exchange Act, 15 
U.S.C. 78k-1(b)(1), and in accordance with Rule 609 of Regulation 
NMS, 17 CFR 242.609.
---------------------------------------------------------------------------

d. Exempt Clearing Agency Subject to ARP
    Proposed Rule 1000(a) defined the term ``exempt clearing agency 
subject to ARP'' to mean ``an entity that has received from the 
Commission an exemption from registration as a clearing agency under 
Section 17A of the Act, and whose exemption contains conditions that 
relate to the Commission's Automation Review Policies, or any 
Commission regulation that supersedes or replaces such policies.'' This 
definition is being adopted as proposed.
    As noted in the SCI Proposal, this definition of ``exempt clearing 
agency subject to ARP'' currently covers one entity, Omgeo Matching 
Services--US, LLC (``Omgeo'').\203\ In its comment letter, Omgeo stated 
that it believed its inclusion as an SCI entity was reasonable because 
clearing agencies that provide matching services, such as Omgeo, 
perform a critical role in the infrastructure of the U.S. financial 
markets in handling large amounts of highly confidential proprietary 
trade data.\204\ Omgeo requested, however, that the Commission clarify 
that other similarly situated clearing agencies would also be subject 
to the requirements of Regulation SCI, and further requested that the 
Commission expand the definition of SCI entity, as applied to clearing 
agencies, to include, without limitation, any entity providing either 
matching services or confirmation/affirmation services for depository 
eligible securities that settle in the United States, as contemplated 
by FINRA Rule 11860.\205\
---------------------------------------------------------------------------

    \203\ On April 17, 2001, the Commission issued an order granting 
Omgeo an exemption from registration as a clearing agency subject to 
certain conditions and limitations in order that Omgeo might offer 
electronic trade confirmation and central matching services. See 
Global Joint Venture Matching Services--US, LLC; Order Granting 
Exemption from Registration as a Clearing Agency, Securities 
Exchange Act Release No. 44188 (April 17, 2001), 66 FR 20494 (April 
23, 2001) (File No. 600-32) (``Omgeo Exemption Order''). Because the 
Commission granted it an exemption from clearing agency 
registration, Omgeo is not a self-regulatory organization.
    \204\ See Omgeo Letter at 2-3.
    \205\ See id.
---------------------------------------------------------------------------

    The Commission notes that the adopted definition of ``exempt 
clearing agency subject to ARP'' does provide that any entity that 
receives from the Commission an exemption from registration as a 
clearing agency under Section 17A of the Act, and whose exemption 
contains conditions that relate to the Automation Review Policies or 
any Commission regulation that supersedes or replaces the Commission's 
Automation Review Policies (such as Regulation SCI) would be included 
within the scope of Regulation SCI. Therefore, clearing agencies that 
are similarly situated as Omgeo (i.e., those that are subject to an 
exemption that contains the relevant conditions) will be subject to 
Regulation SCI.\206\ The Commission does not believe, therefore, that 
an expansion of the definition as suggested by Omgeo is necessary to 
further clarify that

[[Page 72272]]

similarly situated entities will be subject to the requirements of 
Regulation SCI.
---------------------------------------------------------------------------

    \206\ Any entity seeking an exemption from registration as a 
clearing agency is responsible for requesting and obtaining such an 
exemption from the Commission.
---------------------------------------------------------------------------

    Among the operational conditions required by the Commission in the 
Omgeo Exemption Order were several that directly related to the ARP 
policy statements.\207\ For the same reasons that it required Omgeo to 
abide by the conditions relating to the ARP policy statements set forth 
in the Omgeo Exemption Order, the Commission believes it is appropriate 
that Omgeo (or any similarly situated exempt clearing agency) should be 
subject to the requirements of Regulation SCI, and thus is including 
any ``exempt clearing agency subject to ARP'' within the definition of 
SCI entity.
---------------------------------------------------------------------------

    \207\ These conditions require Omgeo to, among other things: 
Provide the Commission with an audit report addressing all areas 
discussed in the Commission ARP policy statements; provide annual 
reports prepared by competent, independent audit personnel in 
accordance with the annual risk assessment of the areas set forth in 
the ARP policy statements; report all significant systems outages to 
the Commission; provide advance notice of any material changes made 
to its electronic trade confirmation and central matching services; 
and respond and require its service providers to respond to requests 
from the Commission for additional information relating to its 
electronic trade confirmation and central matching services, and 
provide access to the Commission to conduct inspections of its 
facilities, records and personnel related to such services. See 
supra note 203.
---------------------------------------------------------------------------

2. SCI Systems, Critical SCI Systems, and Indirect SCI Systems
a. Overview
    Regulation SCI, as adopted, distinguishes three categories of 
systems of an SCI entity: ``SCI systems,'' ``critical SCI systems,'' 
and ``indirect SCI systems.'' The SCI Proposal broadly defined SCI 
systems to mean ``all computer, network, electronic, technical, 
automated, or similar systems of, or operated by or on behalf of, an 
SCI entity, whether in production, development, or testing, that 
directly support trading, clearance and settlement, order routing, 
market data, regulation, or surveillance.'' The SCI Proposal also 
defined the term SCI security systems (to which only the provisions of 
Regulation SCI relating to security and intrusions would apply) as: 
``any systems that share network resources with SCI systems that, if 
breached, would be reasonably likely to pose a security threat to SCI 
systems.'' \208\
---------------------------------------------------------------------------

    \208\ See proposed Rule 1000(a) and Proposing Release, supra 
note 13, at Section III.B.2.
---------------------------------------------------------------------------

    Many commenters stated that the proposed definitions of SCI systems 
and SCI security systems were too broad and urged the Commission to 
target systems that pose the greatest risk to the market if they 
malfunction.\209\ After careful consideration of the comments, and as 
discussed more fully below, the Commission agrees that certain types of 
systems included in the proposed definition of SCI systems may be 
appropriately excluded from the adopted definition. However, because 
U.S. securities market infrastructure is highly interconnected and 
a seemingly minor systems problem at a single entity can spread rapidly 
across the national market system, the Commission does not believe it 
is appropriate to apply Regulation SCI only to the most critical SCI 
systems, as some commenters suggested. Instead, the adopted regulation 
applies to a broader set of systems than urged by some commenters, but 
a more targeted set of systems than proposed. In addition, the adopted 
approach recognizes that some systems pose greater risk than others to 
the maintenance of fair and orderly markets if they malfunction. To 
this end, adopted Regulation SCI identifies three broad categories of 
systems of SCI entities that are subject to the regulation: ``SCI 
systems,'' ``critical SCI systems,'' and ``indirect SCI systems,'' with 
each category subject to differing requirements under Regulation SCI.
---------------------------------------------------------------------------

    \209\ See, e.g., NYSE Letter at 10; Joint SROs Letter at 5; 
Omgeo Letter at 4; KCG Letter at 3; DTCC Letter at 4; FIF Letter at 
3; Liquidnet Letter at 3; and OTC Markets Letter at 12-13.
---------------------------------------------------------------------------

    As discussed more fully below, the adopted definition of ``SCI 
systems'' includes those systems that directly support six areas that 
have traditionally been considered to be central to the functioning of 
the U.S. securities markets, namely trading, clearance and settlement, 
order routing, market data, market regulation, and market surveillance. 
SCI systems are subject to all provisions of Regulation SCI, except for 
certain requirements applicable only to critical SCI systems.
    In addition, the Commission is adopting a definition of ``critical 
SCI systems,'' a subset of SCI systems that are subject to certain 
heightened resilience and information dissemination provisions of 
Regulation SCI. Guided significantly by commenters' views on those 
systems that are most critical, the Commission is defining the term 
``critical SCI systems'' as SCI systems that: (1) Directly support 
functionality relating to: (i) Clearance and settlement systems of 
clearing agencies; (ii) openings, reopenings, and closings on primary 
trading markets; (iii) trading halts; (iv) initial public offerings; 
(v) the provision of consolidated market data (i.e., SIPs); or (vi) 
exclusively-listed securities; or (2) provide functionality to the 
securities markets for which the availability of alternatives is 
significantly limited or nonexistent and without which there would be a 
material impact on fair and orderly markets.\210\ As more fully 
discussed below, systems in this category are those that, if they were 
to experience systems issues, the Commission believes would be most 
likely to have a widespread and significant impact on the securities 
markets.
---------------------------------------------------------------------------

    \210\ See Rule 1000.
---------------------------------------------------------------------------

    In addition, the Commission is adopting a definition of ``indirect 
SCI systems,'' in place of the proposed definition of ``SCI security 
systems.'' ``Indirect SCI systems'' are subject only to the provisions 
of Regulation SCI relating to security and intrusions. The term 
``indirect SCI systems'' is defined to mean ``any systems of, or 
operated by or on behalf of, an SCI entity that, if breached, would be 
reasonably likely to pose a security threat to SCI systems'' and, if an 
SCI entity puts in place appropriate security measures, is intended to 
refer to few, if any, systems of the SCI entity.
b. SCI Systems
SCI Systems Generally
    Proposed Rule 1000(a) defined the term ``SCI systems'' to mean 
``all computer, network, electronic, technical, automated, or similar 
systems of, or operated by or on behalf of, an SCI entity, whether in 
production, development, or testing, that directly support trading, 
clearance and settlement, order routing, market data, regulation, or 
surveillance.'' \211\ After careful consideration of the comments, the 
Commission is refining the scope of the systems covered by the 
definition of ``SCI systems.'' As adopted, the term ``SCI systems'' in 
Rule 1000 means ``all computer, network, electronic, technical, 
automated, or similar systems of, or operated by or on behalf of, an 
SCI entity that, with respect to securities, directly support trading, 
clearance and settlement, order routing, market data, market 
regulation, or market surveillance.''
---------------------------------------------------------------------------

    \211\ See proposed Rule 1000(a) and Proposing Release, supra 
note 13, at Section III.B.2.
---------------------------------------------------------------------------

    One commenter generally supported the proposed definition of SCI 
systems, and stated that the definition should be expanded to include 
any technology system that has direct market access.\212\ In response 
to this comment, the Commission believes that many systems with direct 
market access are captured by the adopted definition. However, as
discussed above, the Commission has determined not to propose to expand 
the scope of Regulation SCI to include other broker-dealer entities and 
their systems at this time.\213\
---------------------------------------------------------------------------

    \212\ See Lauer Letter at 5.
    \213\ See supra Section IV.A.1 (discussing scope of SCI entities 
covered by Regulation SCI) and infra Section IV.E (discussing 
comments on the inclusion of broker-dealers generally within the 
scope of Regulation SCI).
---------------------------------------------------------------------------

    Contrary to the commenter who urged expansion of the proposed 
definition, many commenters believed the term to be too broad and 
recommended that it be revised in various ways.\214\ These commenters 
argued that the definition was over-inclusive, with some believing that 
it could potentially apply to all systems of an SCI entity.
---------------------------------------------------------------------------

    \214\ See, e.g., NYSE Letter at 10-11; Omgeo Letter at 3-6; MSRB 
Letter at 7-9; FIF Letter at 3; ICI Letter at 4; BIDS Letter at 15-
16; ITG Letter at 5; Liquidnet Letter at 3; CME Letter at 5; DTCC 
Letter at 3-5; OCC Letter at 3-4; Joint SROs Letter at 5; FINRA 
Letter at 5-10; SIFMA Letter at 8; Oppenheimer Letter at 3; OTC 
Markets Letter at 12; and Direct Edge Letter at 2.
---------------------------------------------------------------------------

    Specifically, several commenters recommended that the definition of 
SCI systems be revised to include a more limited set of systems than 
proposed.\215\ Commenters advocating this general approach provided 
various suggestions for the specific standard that they believed should 
apply. For example, among commenters' recommendations were suggestions 
that the definition of SCI systems should include only those systems: 
whose failure or degradation would reasonably be expected to have an 
adverse material impact on the sound operation of financial markets; 
\216\ that are highly critical to functioning as an SCI entity; \217\ 
that have the potential to impact the protection of securities 
investors and the maintenance of fair and orderly markets; \218\ that 
directly support trading, clearance and settlement, order routing, 
market data, regulation, or surveillance in real-time; \219\ that 
support the SCI entity's ``core functions . . . which the SCI entity 
performs pursuant to applicable Commission regulations;'' \220\ that 
are reasonably likely to pose a plausible risk to the markets (namely, 
systems that route or execute orders, clear and settle trades, or 
transmit required market data); \221\ or that impact the core functions 
of the overall market, which, according to the commenter, would include 
exclusive SIPs that transmit market data and systems responsible for 
primary NMS auction markets that set daily opening and closing 
prices.\222\ In addition, one commenter suggested that the term should 
be defined as a production system that connects to and is part of the 
electronic network that comprises the market.\223\ This commenter also 
noted that the definition should distinguish between systems that 
connect to the markets and those that are used to run a business.\224\ 
Another commenter suggested that, if Regulation SCI were to apply only 
to exchanges and ATSs, the term should be limited to exchange and ATS 
systems operated by the entity and should not include, for example, 
brokerage systems.\225\
---------------------------------------------------------------------------

    \215\ See, e.g., NYSE Letter at 10; Joint SROs Letter at 5; 
Omgeo Letter at 4; KCG Letter at 3; DTCC Letter at 4; FIF Letter at 
3; Liquidnet Letter at 3; and OTC Markets Letter at 12-13. See infra 
text accompanying notes 216-225.
    \216\ See Omgeo Letter at 4.
    \217\ See KCG Letter at 3. See also ICI Letter at 3 and 
Oppenheimer Letter at 3 (stating generally that the proposed 
definitions should be revised to more specifically focus on system 
events that are truly disruptive to the markets and the systems 
themselves that are likely to pose a risk to the fair and orderly 
operation of the markets or participants in the markets).
    \218\ See CME Letter at 5.
    \219\ See Joint SROs Letter at 5. This group of commenters 
further stated that non-real-time systems should not be included, as 
they do not warrant the level of oversight and added costs that the 
regulation imposes.
    \220\ See DTCC Letter at 4.
    \221\ See NYSE Letter at 3, 10. In addition, this commenter 
added that the key to whether a proposed ``supporting'' function 
should be included is whether or not it is critical to the proper 
operation of a core functionality.
    \222\ See OTC Markets Letter at 13.
    \223\ See BIDS Letter at 15-16. Thus, this commenter argued 
that, for a venue that does not route orders, the reporting of trade 
executions to the tape should not be enough to qualify such a system 
as an ``SCI system.''
    \224\ See id.
    \225\ See Liquidnet Letter at 3.
---------------------------------------------------------------------------

    The Commission is further focusing the scope of the definition of 
SCI systems in response to these comments.\226\ The Commission is 
replacing the proposed language referring to ``systems . . . whether in 
production, development, or testing that directly support trading, 
clearance and settlement, order routing, market data, regulation, or 
surveillance'' with the following language: ``systems, with respect to 
securities, that directly support trading, clearance and settlement, 
order routing, market data, market regulation, or market 
surveillance.'' As such, the adopted definition has been limited to 
apply to production systems that relate to securities market functions, 
and in particular to those six functions--trading, clearance and 
settlement, order routing, market data, market regulation, or market 
surveillance--that traditionally have been considered to be central to 
the functioning of the U.S. securities markets, as urged by several 
commenters.\227\ The Commission believes that systems providing these 
six functions may pose a significant risk to the maintenance of fair 
and orderly markets if their capacity, integrity, reliability, 
availability or security is compromised, and therefore that they should 
be covered by the definition of ``SCI systems.''
---------------------------------------------------------------------------

    \226\ See supra notes 215-218, 220-222, and 224-225, and 
accompanying text. The definition is not limited strictly to real-
time systems, however, or those that ``connect to'' and are ``part 
of the electronic network that comprises the market,'' because those 
limitations could exclude relevant systems, such as certain market 
regulation or market surveillance systems operated by or on behalf 
of an SCI entity, which the Commission views as integral to one or 
more of the six functions identified in the definition. In response 
to the commenter requesting that ``brokerage'' systems be excluded 
from the definition of SCI systems, the Commission notes that the 
adopted definition of SCI systems applies to systems that directly 
support the enumerated six functions, operated by or on behalf of an 
SCI entity. The definition therefore would exclude systems, 
including brokerage systems, that are not operated by or on behalf 
of an SCI entity. See, respectively, supra notes 219 and 223 and 
accompanying text.
    \227\ See supra notes 219-221 and accompanying text.
---------------------------------------------------------------------------

    Although some commenters pointed to the phrase ``directly support'' 
in the proposed rule as vague and overbroad,\228\ the Commission has 
retained this phrase in the adopted definition. The term ``directly 
support'' is retained to acknowledge that systems of SCI entities are 
complex and highly interconnected and that the definition of SCI 
systems should not exclude functionality or supporting systems on which 
the six identified categories of systems rely to remain 
operational.\229\ In response to comment that the definition of SCI 
systems should distinguish between systems that connect to the markets 
and those that are used to run a business,\230\ the Commission notes 
that the adopted definition would not include systems ``used to run a 
business'' if they are not within the six identified categories of 
market-related production systems and not necessary to their continued 
functioning. Further, the adopted definition clarifies that SCI systems 
encompass only those systems that, with respect to securities, directly 
support trading, clearance and settlement, order routing, market data, 
market regulation, or market surveillance. The Commission believes
that this change appropriately responds to one commenter's concerns 
that the proposed definition would capture systems operated by an SCI 
entity that have ``practically no relevance or relation to SEC 
markets'' and suggestion that the definition should be revised to 
include only those systems that would directly impact a market that was 
subject to the Commission's jurisdiction.\231\ As a result of this 
modification, if an SCI SRO does not use its systems to conduct 
business with respect to securities, its systems would not fall within 
the definition of ``SCI systems.'' Further, if an SCI entity operates 
systems for the trading of both futures and securities, only its 
trading systems for securities would be subject to the requirements of 
Regulation SCI.\232\
---------------------------------------------------------------------------

    \228\ See OCC Letter at 3; and NYSE Letter at 10.
    \229\ The Commission notes that it believes that specifying that 
the definition applies to those systems that ``directly support'' 
these core functions is necessary so as to not result in a 
definition that is overly broad and would capture systems that only 
peripherally or indirectly support these functions. See generally 
supra notes 214-225 and accompanying text (discussing comments that 
urged revisions to the definition of SCI systems). See also infra 
Section IV.A.2.d (discussing the definition of ``indirect SCI 
systems'').
    \230\ See supra note 224 and accompanying text.
    \231\ See CME Letter at 5.
    \232\ However, the Commission notes that, if an SCI entity has 
systems that do not relate to securities, and that have not been 
properly walled off from its SCI systems for securities, they may be 
captured by the definition of ``indirect SCI systems'' (as discussed 
below) and subject to certain requirements of the rule including 
those relating to security and intrusions standards. See infra 
Section IV.A.2.d (discussing definition of ``indirect SCI 
systems'').
---------------------------------------------------------------------------

    In addition, one commenter urged that the Commission should 
initially limit the scope of SCI systems to those systems covered by 
the ARP Policy Statements (trading, clearance and settlement, and order 
routing) and phase in other types of systems later.\233\ The Commission 
believes that the adopted definition of SCI systems obviates the need 
for such an approach, as many systems for which the commenter urged a 
delay in compliance will not be covered by the regulation, as adopted.
---------------------------------------------------------------------------

    \233\ See MSRB Letter at 9.
---------------------------------------------------------------------------

SCI Systems: Inclusions and Exclusions
    Various commenters objected to specific categories proposed to be 
included in the definition of SCI systems. First, many commenters 
opposed the proposed inclusion of development and testing systems in 
the definition, noting that issues in development and testing systems 
would have little or no impact on the operations of SCI entities and 
that such systems are designed to identify and address problems before 
they are introduced into production systems.\234\ Some commenters 
argued that inclusion of development and testing systems in the 
definition of SCI systems would subject such systems to more 
requirements under Regulation SCI than was necessary and noted that 
certain other provisions of Regulation SCI would necessarily include 
reporting information to the Commission on such systems, even without 
their inclusion in the definition of SCI systems.\235\ For example, one 
commenter stated that application of most provisions of Regulation SCI 
to testing and development systems would provide little benefit, and 
noted that updates regarding systems in development and material new 
features of existing systems could instead be done through the semi-
annual reports to the Commission under proposed Rule 1000(b)(8).\236\ 
Similarly, one commenter noted that information regarding the status of 
systems that are in development and testing would be captured in the 
notices regarding material systems changes under proposed Rule 
1000(b)(6) and in the updates under proposed Rule 1000(b)(8).\237\ 
Alternatively, this commenter suggested that the Commission could 
require that any testing errors be corrected (and such corrections be 
retested) prior to implementation of those changes in production.\238\
---------------------------------------------------------------------------

    \234\ See NYSE Letter at 11; FINRA Letter at 10-11; Omgeo Letter 
at 5; DTCC Letter at 4; SIFMA Letter at 8; BIDS Letter at 16; MSRB 
Letter at 7-8; OCC Letter at 5; CME Letter at 6; Joint SROs Letter 
at 5; and Direct Edge Letter at 2. One commenter qualified this 
position by stating that, to the extent that a systems issue in a 
development and testing environment were to give rise to an issue 
affecting an SCI system, the proposal should apply to that 
development and testing environment. See OCC Letter at 5.
    \235\ See MSRB Letter at 7; and DTCC Letter at 4.
    \236\ See MSRB Letter at 7.
    \237\ See DTCC Letter at 4.
    \238\ See id.
---------------------------------------------------------------------------

    The Commission believes that certain modifications to the elements 
of the proposed definition of SCI systems are appropriate. First, in 
response to comments, the reference to development and testing systems 
in the proposed definition of SCI systems has been deleted.\239\ As 
commenters pointed out, development and testing systems are generally 
designed to identify and address problems before new systems or systems 
changes are introduced into production systems and, by their nature, 
can often experience issues, both intentional and unplanned, during the 
testing process. The Commission believes that systems issues that occur 
with respect to such systems are less likely to have a significant 
impact on the operations of an SCI entity or on the securities markets 
as a whole than issues occurring with respect to production systems. 
Further, subjecting these systems to the Commission notification 
requirements in adopted Rule 1002(b) could have the unintended effect 
of deterring SCI entities from fully utilizing the testing and 
development processes to test new systems and systems changes and 
develop solutions to issues prior to implementation of such systems or 
changes in production. At the same time, the Commission notes that, in 
order to have policies and procedures reasonably designed to achieve 
capacity, integrity, resiliency, availability, and security for SCI 
systems in accordance with adopted Rule 1001(a), an SCI entity will be 
required to have policies and procedures that include a program to 
review and keep current systems development and testing methodology for 
SCI systems.\240\ Accordingly, review of programs relating to systems 
development and testing for SCI systems is within the scope of 
Regulation SCI, and an SCI entity should reasonably expect Commission 
staff to review such processes and systems during the course of its 
exams and inspections. In addition, the Commission notes that the 
definition of SCI review in adopted Rule 1000 and corresponding 
requirements for an annual SCI review in adopted Rule 1003(b) require 
an assessment of internal control design and effectiveness, which 
includes development processes.\241\ Further, if development and 
testing systems are not appropriately walled off from production 
systems, such systems could be captured under the definition of 
indirect SCI systems as discussed below and be subject to the 
requirements of Regulation SCI. If an SCI entity's development and 
testing systems are not walled off from production systems, the SCI 
entity should consider whether its policies and procedures should 
specify safeguards to ensure that its personnel can clearly distinguish 
the development and testing systems from the production systems, in 
order to avoid inadvertent errors that may result in an SCI event.
---------------------------------------------------------------------------

    \239\ Because the Commission is removing development and testing 
systems from the definition of SCI systems, the reference to 
production systems in the definition of SCI systems is also being 
deleted as it is unnecessary to distinguish between development, 
testing and production systems within the definition. See adopted 
Rule 1000 (definition of ``SCI systems'').
    \240\ See adopted Rule 1001(a) and discussion in infra Section 
IV.B.1 (discussing the policies and procedures requirement under 
adopted Rule 1001(a)).
    \241\ See adopted Rule 1000 and 1003(b) and discussion in infra 
Section IV.B.5 (discussing the SCI review requirement). The 
Commission also notes that development processes include testing 
processes.
---------------------------------------------------------------------------

    Some commenters also opposed the proposed inclusion of regulatory 
and surveillance systems within the definition of SCI systems or 
suggested that the Commission refine or clarify the scope of such 
systems.\242\ Some of these
commenters argued that inclusion of such systems was not necessary 
because these systems do not operate on a real-time basis or have a 
real-time impact on trading.\243\ Further, one commenter suggested that 
periodic reporting of material outages or delays in the operation of 
regulatory and surveillance systems, pursuant to appropriate policies 
and procedures, would support the goals of Regulation SCI without 
imposing undue burdens on SCI entities or raising the risk that market 
participants would purposefully direct order flow to SCI entities 
experiencing regulatory or surveillance systems issues.\244\ Another 
commenter advocated for replacing the terms ``regulation'' and 
``surveillance'' with ``market regulation'' and ``market 
surveillance,'' respectively, and asked the Commission to clarify the 
difference between ``regulatory'' and ``surveillance'' systems.\245\
---------------------------------------------------------------------------

    \242\ See NYSE Letter at 11; BATS Letter at 5; MSRB Letter at 8-
9; and FINRA Letter at 7-8.
    \243\ See NYSE Letter at 11; and Joint SROs Letter at 5.
    \244\ See NYSE Letter at 11 (citing concerns regarding the 
potential that dissemination of information regarding issues with 
regulatory or surveillance systems to members or participants could 
provide a ``roadmap for violative market behavior'').
    \245\ See FINRA Letter at 7-8.
---------------------------------------------------------------------------

    In consideration of these comments, the Commission has determined 
to limit SCI systems to those systems relating to market regulation and 
market surveillance rather than including all regulation and 
surveillance systems. As proposed, the definition contained no such 
limitations and could potentially be interpreted to cover systems used 
for member regulation and member surveillance. The Commission does not 
believe that inclusion of member regulation or member surveillance 
systems such as those, for example, relating to member registration, 
capital requirements, or dispute resolution, would advance the goals of 
Regulation SCI. Issues relating to such systems are unlikely to have 
the same level of impact on the maintenance of fair and orderly markets 
or an SCI entity's operational capability as those systems identified 
in the definition of SCI systems. The Commission believes that this 
change will more appropriately capture only those regulatory and 
surveillance systems that are related to core market functions, such as 
trading, clearance and settlement, order routing, and market data.\246\ 
    Another element of the proposed definition of ``SCI systems'' that some 
commenters addressed was the inclusion of market data systems. 
Specifically, one commenter believed that the inclusion of all market 
data systems was too broad, and argued that only ``systems that 
directly support `the transmission of market data as required by the 
Exchange Act''' should be included, thus limiting the types of market 
data systems to those relating to consolidated data and excluding those 
that transmit proprietary market data.\247\ Although the term ``market 
data'' is not defined in Regulation SCI, that term generally refers to 
price information for securities, both pre-trade and post-trade, such 
as quotations and transaction reports.\248\ In response to the 
commenter urging that only market data systems relating to consolidated 
data be included, the term ``market data'' does not refer exclusively 
to consolidated market data, but includes proprietary market data 
generated by SCI entities as well. The Commission notes that both 
consolidated and proprietary market data systems are widely used and 
relied upon by a broad array of market participants, including 
institutional investors, to make trading decisions, and that if a 
consolidated or a proprietary market data feed became unavailable or 
otherwise unreliable, it could have a significant impact on the trading 
of the securities to which it pertains, and could interfere with the 
maintenance of fair and orderly markets. Therefore, systems of an SCI 
entity directly supporting proprietary market data or consolidated 
market data are both within the scope of the definition of SCI systems 
and subject to Regulation SCI. However, the Commission has repeatedly 
emphasized the importance of consolidated market data to the national 
market system and the protection of investors \249\ and the severe 
impact of its unavailability was evidenced by the SIP outage in August 
2013.\250\ Thus, as discussed below, systems directly supporting 
functionality related to the provision of consolidated market data are 
distinguished by their inclusion in the definition of ``critical SCI 
systems.'' \251\
---------------------------------------------------------------------------

    \246\ The Commission notes that Rule 613 of Regulation NMS 
requires the creation of an NMS plan to govern the creation, 
implementation, and maintenance of a consolidated audit trail and 
central repository. See 17 CFR 242.613. See also Securities Exchange 
Act Release No. 67457 (July 18, 2012), 77 FR 45722 (August 1, 2012) 
(``Consolidated Audit Trail Adopting Release''). Although the 
consolidated audit trail central repository has not yet been 
created, the Commission believes that the consolidated audit trail 
repository will be a market regulation system that falls within the 
definition of SCI systems, and further that it will be an SCI system 
of each SCI SRO that is a member of an approved NMS plan under Rule 
613, because it will be a facility of each SCI SRO that is a member 
of such plan. See Consolidated Audit Trail Adopting Release, 77 FR 
at 45774 (stating, ``[T]he central repository will be jointly owned 
by, and be a facility of, each SRO that is a sponsor of the NMS 
plan.''). See also SCI Proposing Release, supra note 13, at 18099 
(contemplating inclusion of the consolidated audit trail central 
repository as an SCI system).
    \247\ See NYSE Letter at 10-11.
    \248\ See Exchange Act Section 11A (15 U.S.C. 78k-
1(a)(1)(C)(iii)), granting the Commission authority to assure the 
availability to brokers, dealers, and investors of ``information 
with respect to quotations for and transactions in securities''. 
See also Regulation of Market Information Fees and Revenues, 
Securities Exchange Act Release No. 42208, 64 FR 70613 (December 17, 
1999) (describing ``market information'' as information concerning 
quotations for and transactions in equity securities and options 
that are actively traded in the U.S. markets).
    \249\ See, e.g., Concept Release on Equity Market Structure, 
supra note 198; and Regulation NMS Adopting Release, supra note 182, 
at 37503-04.
    \250\ See supra note 32 and accompanying text.
    \251\ See infra Section IV.A.2.c (discussing definition of 
``critical SCI systems'').
---------------------------------------------------------------------------

    Further, one commenter questioned whether the phrase ``market data 
systems'' was intended to be limited to data-driven systems devoted to 
price transparency or whether the Commission also intended to include 
document-based systems devoted to public disclosure.\252\ In response 
to this comment, the Commission notes that systems providing or 
directly supporting price transparency are within the scope of SCI 
systems.\253\ However, systems solely providing or directly supporting 
other types of data, such as systems used by market participants to 
submit disclosure documents, or systems used by SCI entities to make 
disclosure documents publicly available, are not within the scope of 
SCI systems, so long as they do not also directly support price 
transparency.
---------------------------------------------------------------------------

    \252\ See MSRB Letter at 8-9 (citing its EMMA Primary Market 
Disclosure Service and EMMA Continuing Disclosure Service system as 
an example of a document-based system devoted to public disclosure).
    \253\ With regard to this particular comment, the Commission 
notes that the specific systems referenced--the RTRS, EMMA Primary 
Market Disclosure Service, EMMA Continuing Disclosure Service and 
SHORT System--all include pricing information for securities, and 
thus would fall within the definition of ``SCI systems.''
---------------------------------------------------------------------------

    Several commenters also argued that the term SCI systems should not 
include systems operated on behalf of an SCI entity by a third 
party.\254\ Some of these commenters pointed to potential difficulties 
with meeting the requirements of Regulation SCI with regard to third 
party systems.\255\ One
commenter specifically suggested that the proposal should be limited to 
those systems under the control of the SCI entity.\256\ Another 
commenter noted that the SCI entity should instead be responsible for 
managing these relationships through due diligence, contract terms, and 
monitoring of third party performance.\257\ One commenter also 
requested that the Commission clarify how SCI entities should comply 
with the oversight of vendor systems as part of Regulation SCI.\258\
---------------------------------------------------------------------------

    \254\ See Omgeo Letter at 5-6; DTCC Letter at 4; SIFMA Letter at 
8-9; BIDS Letter at 16; and BATS Letter at 4. See also ITG Letter at 
5 (expressing concern about the inclusion of systems of third 
parties operated on behalf of an SCI entity and systems that are 
unrelated to the trading operations of an ATS).
    \255\ See, e.g., Omgeo Letter at 5-6; and BATS Letter at 4 
(arguing that it would be difficult for SCI entities to ensure 
compliance by third party vendors absent their willingness to 
disclose to SCI entities highly detailed information about their 
intellectual property and proprietary systems).
    \256\ See SIFMA Letter at 9.
    \257\ See BIDS Letter at 16.
    \258\ See FIF Letter at 3.
---------------------------------------------------------------------------

    Although several commenters argued that the term SCI systems should 
not include third-party systems, the Commission continues to believe 
that, if a system is operated on behalf of an SCI entity and directly 
supports one of the six key functions listed within the definition of 
SCI system, it should be included as an SCI system subject to the 
requirements of Regulation SCI. The Commission believes that any system 
that directly supports one of the six functions enumerated in the 
definition of SCI system is important to the functioning of the U.S. 
securities markets, regardless of whether it is operated by the SCI 
entity directly or by a third party. The Commission believes that 
permitting such systems to be excluded from the requirements of 
Regulation SCI would significantly reduce the effectiveness of the 
regulation in promoting the national market system by ensuring the 
capacity, integrity, resiliency, availability, and security of those 
systems important to the functioning of the U.S. securities markets. 
Further, if the definition did not include systems operated on behalf 
of an SCI entity, the Commission is concerned that some SCI entities 
might be inclined to outsource certain of their systems solely to avoid 
the requirements of Regulation SCI, which would further undermine the 
goals of Regulation SCI. The Commission agrees with the comment that an 
SCI entity should be responsible for managing its relationship with 
third parties operating systems on behalf of the SCI entity through due 
diligence, contract terms, and monitoring of third party performance. 
However, the Commission believes that these methods may not be 
sufficient in all cases to ensure that the requirements of Regulation 
SCI are met for SCI systems operated by third parties. The fact that 
they might be sufficient some of the time is therefore not a basis for 
excluding these systems from the definition of SCI systems. Instead, if 
an SCI entity determines to utilize a third party for an applicable 
system, it is responsible for having in place processes and 
requirements to ensure that it is able to satisfy the requirements of 
Regulation SCI for systems operated on behalf of the SCI entity by a 
third party. The Commission believes that it would be appropriate for 
an SCI entity to evaluate the challenges associated with oversight of 
third-party vendors that provide or support its applicable systems 
subject to Regulation SCI. If an SCI entity is uncertain of its ability 
to manage a third-party relationship (whether through due diligence, 
contract terms, monitoring, or other methods) to satisfy the 
requirements of Regulation SCI,\259\ then it would need to reassess its 
decision to outsource the applicable system to such third party.\260\ 
For example, if a third-party vendor is unwilling to disclose to an SCI 
entity information regarding the vendor's intellectual property or 
proprietary system that the SCI entity believes it needs to satisfy the 
requirements of Regulation SCI, as some commenters suggested might be 
the case, an SCI entity will need to reassess its relationship with 
that vendor, because the vendor's unwillingness to provide necessary 
information or other assurances would not exclude the outsourced system 
from the definition of SCI systems. Accordingly, the definition of SCI 
system, as adopted in Rule 1000, retains the reference to systems 
operated ``on behalf of'' SCI entities.
---------------------------------------------------------------------------

    \259\ See BIDS Letter at 16 (suggesting these methods of 
managing third-party relationships to comply with the proposed 
rule).
    \260\ See FIF Letter at 3 and FINRA Letter at 22-23 (requesting 
Commission guidance on how an SCI entity should manage third-party 
relationships in the context of adopted Regulation SCI). See also 
infra notes 851-852 and accompanying text (discussing comments on 
the risk of noncompliance by an SCI entity in connection with 
reporting SCI events and material systems changes due to challenges 
posed by third-party systems).
---------------------------------------------------------------------------

    Finally, some commenters asked for clarification on miscellaneous 
aspects of the definition. For example, one commenter requested that 
the Commission clarify that the definition of SCI system for purposes 
of Regulation SCI is separate and distinct from the definition of a 
facility set forth in Section 3(a)(2) of the Exchange Act.\261\ The 
Commission notes that the term ``SCI system'' under Regulation SCI is 
distinct from the term ``facility'' in Section 3(a)(2) of the Exchange 
Act.\262\ Because a facility of an exchange would only fall within the 
definition of ``SCI systems'' if it is a system that directly supports 
any one of the six functions provided in the definition of ``SCI 
systems,'' not all systems that are facilities of an exchange will be 
SCI systems. For example, as noted in the SCI Proposal, the definition 
of SCI systems would apply to systems of exchange-affiliated routing 
brokers that are facilities of national securities exchanges.\263\ But 
a system used for member regulation that may meet the definition of a 
facility under the Exchange Act would not be within the scope of the 
definition of ``SCI systems.''
---------------------------------------------------------------------------

    \261\ See NYSE Letter at 10.
    \262\ See 15 U.S.C. 78c3(a)(2).
    \263\ See Proposing Release, supra note 13, at 18099.
---------------------------------------------------------------------------

    Another commenter requested confirmation that internal systems are 
excluded from the definition of SCI system.\264\ The Commission notes 
that the definition of ``SCI system'' does not differentiate between 
``internal systems'' and those systems accessed by market participants 
or other outside parties.\265\ The Commission notes that, while some 
internal systems of an SCI entity may not meet the definition of SCI 
system, it does not believe that all internal systems (as 
described by this commenter) would be outside of the scope of the 
definition of SCI system.\266\
---------------------------------------------------------------------------

    \264\ See FINRA Letter at 10.
    \265\ See adopted Rule 1000 (definition of SCI systems).
    \266\ In addition, the Commission notes that, while certain 
internal systems may not be ``SCI systems,'' they may instead meet 
the definition of ``indirect SCI systems'' under adopted Rule 1000, 
if they are not properly walled off from SCI systems. However, as 
discussed below, the Commission is clarifying the meaning of this 
defined term to note that systems that are effectively physically or 
logically separated from SCI systems would be outside of the 
definition of indirect SCI systems and thus outside of the scope of 
Regulation SCI. See infra Section IV.A.2.d (discussing the 
definition of ``indirect SCI systems'').
---------------------------------------------------------------------------

    Other commenters advocated that SCI entities should be permitted to 
conduct their own risk-based assessment to determine which of their 
systems should be considered SCI systems.\267\ One commenter noted that 
SCI entities should be required to develop and maintain an established 
methodology for identifying which systems qualify as SCI systems,\268\ 
while other commenters advocated for coordination with the Commission 
in establishing criteria to be used in conducting such risk-based 
assessments or review by the Commission of an SCI entity's own 
risk-based assessment.\269\ The Commission has carefully considered these 
comments and generally agrees that

[[Page 72277]]

certain systems pose greater risk to the markets in the event of a 
systems issue and are of paramount importance to the functioning of the 
U.S. securities markets. Rather than include only those in the 
definition of SCI systems, the Commission believes that it is more 
prudent to instead identify these systems as ``critical SCI systems'' 
subject to certain heightened obligations. Further, adopted Rule 
1001(a) requiring SCI entities to have policies and procedures 
reasonably designed to ensure that their systems have adequate levels 
of capacity, integrity, resiliency, availability, and security is 
consistent with a risk-based approach.\270\ Specifically, as discussed 
in further detail below, an SCI entity may tailor its policies and 
procedures based on the relative criticality of a given SCI system to 
the SCI entity and to the securities markets generally.\271\
---------------------------------------------------------------------------

    \267\ See DTCC Letter at 3-5; Omgeo Letter at 5-6; and OCC 
Letter at 3-4.
    \268\ See Omgeo Letter at 5.
    \269\ See OCC Letter at 3-4; and DTCC Letter at 3-4.
    \270\ See adopted Rule 1001(a). See also infra Section IV.B.1 
(discussing policies and procedures for operational capability).
    \271\ See infra Section IV.B.1.a-b (discussing the use of 
risk-based considerations to tailor policies and procedures for 
operational capability).
---------------------------------------------------------------------------

c. Critical SCI Systems
    As discussed above, in response to comments, the Commission is 
incorporating a risk-based approach in certain aspects of Regulation 
SCI.\272\ To that end, the Commission is adopting a definition of 
``critical SCI systems'' to designate SCI systems that the Commission 
believes should be subject to the highest level of requirements. As a 
subset of ``SCI systems,'' ``critical SCI systems'' are subject to the 
same provisions as ``SCI systems,'' except that critical SCI systems 
are subject to certain heightened resilience and information 
dissemination provisions of Regulation SCI. In these respects, critical 
SCI systems are subject to an increased level of obligation as compared 
to other SCI systems.\273\
---------------------------------------------------------------------------

    \272\ See supra notes 53-56 and accompanying text (discussing 
comments on a risk-based approach).
    \273\ See infra Sections IV.B.1.b and IV.B.3.d (discussing the 
two-hour resumption goal for ``critical SCI systems'' and 
information dissemination requirement for ``major SCI events,'' 
respectively).
---------------------------------------------------------------------------

    Rule 1000 defines ``critical SCI systems'' as ``any SCI systems of, 
or operated by or on behalf of, an SCI entity that: (1) Directly 
support functionality relating to: (i) Clearance and settlement systems 
of clearing agencies; \274\ (ii) openings, reopenings, and closings on 
the primary listing market; (iii) trading halts; (iv) initial public 
offerings; (v) the provision of consolidated market data; or (vi) 
exclusively-listed securities; or (2) provide functionality to the 
securities markets for which the availability of alternatives is 
significantly limited or nonexistent and without which there would be a 
material impact on fair and orderly markets.''
---------------------------------------------------------------------------

    \274\ ``Clearance and settlement systems of clearing agencies'' 
includes systems of registered clearing agencies and exempt clearing 
agencies subject to ARP. See Rule 1000 (definition of ``exempt 
clearing agency subject to ARP,'' which by its terms would also 
include an entity that has received from the Commission an exemption 
from registration as a clearing agency under Section 17A of the Act, 
and whose exemption contains conditions that relate to ARP, or any 
Commission regulation that supersedes or replaces such policies, 
including Regulation SCI).
---------------------------------------------------------------------------

    As noted above, many commenters advocated for a risk-based approach 
to Regulation SCI and either suggested that only the entities or 
systems that pose the greatest risk to the markets should be within the 
scope of the regulation or, alternatively, that the requirements of 
Regulation SCI be tailored to the specific risk-profile of a particular 
entity or particular system.\275\ While the Commission disagrees with 
commenters who suggested that Regulation SCI should apply only to 
``critical systems,'' as it believes that these are not the only 
systems that could pose a significant risk to the securities markets, 
the Commission believes that it is appropriate to hold systems that 
pose the greatest risk to the markets if they malfunction to higher 
standards and more stringent requirements under Regulation SCI. Recent 
events have also demonstrated the importance of certain critical 
systems functionality, including those that represent ``single points 
of failure'' to the securities markets, and the need for more robust 
market infrastructure, particularly with regard to critical market 
systems.\276\
---------------------------------------------------------------------------

    \275\ See supra notes 53-56 and 216-222 and accompanying text 
(discussing comments on a risk-based approach and limiting SCI 
systems to only core or critical systems).
    \276\ See supra Section II.B (describing recent events involving 
systems-related issues). In particular, the Nasdaq SIP incident, 
which caused a disruption in the dissemination of consolidated 
market data in the equity markets and led to a trading halt in all 
Nasdaq-listed stocks for several hours, confirmed that disruptions 
in systems that represent single points of failure can have a major 
and detrimental impact across an entire national market system.
---------------------------------------------------------------------------

    The Commission believes that the adoption of the definition of 
``critical SCI systems'' and heightened requirements for such systems 
recognizes that some systems are critical to the continuous and orderly 
functioning of the securities markets more broadly and, as such, 
ensuring their capacity, integrity, resiliency, availability, and 
security is of the utmost importance. Therefore, as discussed further 
below, the Commission believes that it is appropriate for such critical 
SCI systems to be held to heightened requirements (as compared to those 
for SCI systems) related to capacity, integrity, resiliency, 
availability, and security generally; rapid recovery following 
wide-scale disruptions; and disclosure of SCI events. The Commission 
believes that the definition of critical SCI systems is appropriately 
designed to identify those SCI systems whose functions are critical to 
the operation of the markets, including those systems that represent 
potential single points of failure in the securities markets. Systems 
in this category are those that, if they were to experience systems 
issues, the Commission believes would be most likely to have a 
widespread and significant impact on the securities markets.
    The first prong of the definition identifies six specific 
categories of systems that the Commission believes are the most 
critical to the securities markets, and the most likely to have 
widespread and significant market impact should a systems issue occur. 
These are: clearance and settlement systems of clearing agencies; 
openings, reopenings, and closings on the primary listing market; 
trading halts; initial public offerings; the provision of consolidated 
market data (i.e., SIPs); and exclusively-listed securities.
    In the context of suggesting the adoption of a risk-based approach 
for Regulation SCI, some commenters identified those functions that 
they believed were most critical to the functioning of the markets. 
Among those identified were clearance and settlement, opening and 
closing auctions, IPO auctions, the provision of consolidated market 
data by the SIPs; and trading of exclusively-listed securities.\277\ 
The Commission agrees with commenters who characterized these 
categories of systems as critical. In addition, as discussed below, the 
Commission believes that systems that directly support functionality 
relating to

[[Page 72278]]

trading halts should be included in the definition of critical SCI 
systems.
---------------------------------------------------------------------------

    \277\ See, e.g., Direct Edge Letter at 2 (citing, among others, 
SIPs and clearance and settlement systems as essential to continuous 
market-wide operation); KCG Letter at 2-3 (identifying opening and 
closing auctions, IPO auctions, trading of exclusively-listed 
options, market data consolidators, and settlement and central 
clearing as ``single points of failure'' that should be subject to 
heightened regulatory requirements); and SIFMA Letter at 4 (stating 
that highly critical functions should include primary listing 
exchanges, trading exclusively listed securities, SIPs, clearance 
and settlement, distribution of unique post-trade transparency 
information, and real-time market surveillance). Although these 
commenters were urging that Regulation SCI apply only to these 
critical systems, as explained above, the Commission believes that 
such an approach would be too limited.
---------------------------------------------------------------------------

    With respect to ``clearance and settlement systems of clearing 
agencies,'' the clearance and settlement of securities is fundamental 
to securities market activity.\278\ Clearing agencies perform a variety 
of services that help ensure that trades settle on time and at the 
agreed upon terms. For example, clearing agencies compare transaction 
information (or report to members the results of exchange comparison 
operations), calculate settlement obligations (including net 
settlement), collect margin (such as initial and variation margin), and 
serve as a depository to hold securities as certificates or in 
dematerialized form to facilitate automated settlement. Because of 
their role, clearing agencies are critical central points in the 
financial system. A significant portion of securities activity flows 
through one or more clearing agencies. Clearing agencies have direct 
links to participants and indirect links to the customers of 
participants. Clearing agencies are also linked to each other through 
common participants and, in some cases, by operational processes. Safe 
and reliable clearing agencies are essential not only to the stability 
of the securities markets they serve but often also to payment systems, 
which may be used by a clearing agency or may themselves use a clearing 
agency to transfer collateral.\279\ The safety of securities settlement 
arrangements and post-trade custody arrangements is also critical to 
the goal of protecting the assets of investors from claims by creditors 
of intermediaries and other entities that perform various functions in 
the operation of the clearing agency.\280\ Investors are more likely to 
participate in markets when they have confidence in the safety and 
reliability of clearing agencies as well as settlement systems.\281\ 
Accordingly, the Commission believes ``clearance and settlement systems 
of clearing agencies'' are appropriate for inclusion in the definition 
of critical SCI systems.\282\
---------------------------------------------------------------------------

    \278\ See Clearing Agency Standards Release, supra note 76, at 
66220, 66264.
    \279\ See Clearing Agency Standards Release, supra note 76, at 
66264.
    \280\ See id.
    \281\ See id.
    \282\ The Commission notes that systems of SCI entities other 
than clearing agencies that are used in connection with the 
clearance and settlement of trades are not captured by the 
definition of ``critical SCI systems,'' but rather would fall within 
the definition of ``SCI systems,'' as discussed above. See supra 
Section IV.2. The Commission believes that such systems of other SCI 
entities, such as SROs and ATSs, do not provide the same critical 
functions or pose the same level of risk to the market as the 
clearance and settlement systems of clearing agencies as discussed 
above.
---------------------------------------------------------------------------

    Similarly, reliable openings, reopenings, and closings on primary 
listing markets are key to the establishment and maintenance of fair 
and orderly markets. NYSE and Nasdaq, for example, each have an opening 
cross for their listed securities that solicits trading interest and 
generates a single auction price that attracts widespread participation 
and is relied upon as a benchmark by other markets and market 
participants.\283\ Similar processes are used, and heavy levels of 
participation typically are generated, at the primary listing markets 
in the reopening cross that follows a trading halt.\284\ Closing 
auctions at the primary listing markets also attract widespread 
participation, and the closing prices they establish are commonly used 
as benchmarks, such as to value derivative contracts and generate 
mutual fund net asset values. As such, during these critical trading 
periods, market participants rely on the processes of the primary 
listing markets to effect transactions, and establish benchmark prices 
that are used in a wide variety of contexts so that the unavailability 
or disruption of systems directly supporting the opening, reopening and 
closing processes on the primary listing markets could have widespread 
detrimental effects.\285\
---------------------------------------------------------------------------

    \283\ See Nasdaq Rule 4752 (Opening Process) and NYSE Rules 115A 
(Orders at the Opening) and 123D (Openings and Halts in Trading).
    \284\ See, e.g., Nasdaq Rule 4753 (Nasdaq Halt and Imbalance 
Crosses) and NYSE Rules 115A (Orders at the Opening) and 123D 
(Openings and Halts in Trading).
    \285\ For example, press reports indicated that the decision to 
close the New York Stock Exchange in the wake of Superstorm Sandy, 
and the resulting lack of availability of the NYSE opening and 
closing prices, was a significant contributing cause of the 
unscheduled closure of the U.S. national securities exchanges. See, 
e.g., Jenny Strasburg, Jonathan Cheng, and Jacob Bunge, ``Behind 
Decision to Close Markets,'' Wall St. J., October 29, 2012. See also 
Proposing Release, supra note 13, at 18091 (discussing the effects 
of Superstorm Sandy on the securities markets). While other 
exchanges outside of the path of Superstorm Sandy did not experience 
the same risks to their electronic trading systems as the NYSE and 
could have otherwise opened for business, the risk that opening and 
closing prices might not be set by NYSE for its listed securities 
contributed to the consensus recommendation of market participants 
that the markets remain closed. See Jenny Strasburg, Jonathan Cheng, 
and Jacob Bunge, ``Behind Decision to Close Markets,'' Wall St. J., 
October 29, 2012.
---------------------------------------------------------------------------

    In addition, the Commission believes that systems directly 
supporting functionality relating to trading halts \286\ are essential 
to the orderly functioning of the securities markets, and therefore 
should be included in the definition of critical SCI systems. In the 
event a trading halt is necessary, it is essential that the systems 
responsible for communicating the trading halt--typically maintained by 
the primary listing market--are robust and reliable so that the trading 
halt is effective across the U.S. securities markets. For example, when 
there is material ``news pending'' with respect to an issuer, it is the 
responsibility of the primary listing market to call a regulatory halt 
by generating a halt message which, when received by other trading 
centers, requires them to cease trading the security.\287\ Similar 
responsibilities are placed on the primary listing market with respect 
to calling trading halts under the National Market System Plan to 
Address Extraordinary Market Volatility, as well as on plan processors 
to disseminate this information to the public.\288\ Thus, systems which 
communicate information regarding trading halts provide an essential 
service in the U.S. markets and, should a systems issue occur affecting 
the ability of an SCI entity to provide such notifications, the fair 
and orderly functioning of the securities markets may be significantly 
impacted.
---------------------------------------------------------------------------

    \286\ For purposes of clarity, the Commission notes that the 
term ``trading halts'' as used in this context is intended to 
capture market-wide halts, such as regulatory halts, rather than a 
halt to trading for securities on a particular market (for example, 
caused by a systems issue specific to that market).
    \287\ See, e.g., CTA Plan Section IX(a), available at: https://www.nyxdata.com/cta; National Market System Plan To Address 
Extraordinary Market Volatility, Section VII (``Limit Up/Limit Down 
Plan''); NYSE Arca Rule 7.12, BATS Rule 11.18, and EDGA Rule 11.14. 
See also Securities Exchange Act Release No. 67091 (May 31, 2012), 
77 FR 33498 (June 6, 2012) (File No. 4-631) (Order Approving, on a 
Pilot Basis, the National Market System Plan To Address 
Extraordinary Market Volatility) (``Limit Up/Limit Down Plan 
Approval Order'').
    \288\ See Limit Up/Limit Down Plan, supra note 287 and 
Limit Up/Limit Down Plan Approval Order, supra note 287.
---------------------------------------------------------------------------

    Companies offer shares of capital stock to the general public for 
the first time through the IPO process, in which the primary listing 
market initiates public trading in a company's shares. The IPO is 
conducted exclusively on that exchange, and secondary market trading 
cannot commence on any other exchange until the opening trade is 
printed on the primary listing market.\289\ As such, the Commission 
believes that an exchange's systems that directly support the IPO 
process and the initiation of secondary market trading are a critical 
element of the capital formation process and the effective functioning 
of the securities markets. The Commission believes that these

[[Page 72279]]

systems, which are the sole responsibility of the primary listing 
market, can adversely affect not only the IPO of a particular issuer, 
but may also result in significant monetary losses and harm to 
investors if they fail.\290\ As noted in the SCI Proposal, systems 
issues affecting the two recent high-profile IPOs highlighted how 
disruptions in IPO systems can have a significant impact on the 
market.\291\
---------------------------------------------------------------------------

    \289\ See Rule 12f-2 under the Exchange Act, 17 CFR 240.12f-2 
(providing that a national securities exchange may extend unlisted 
trading privileges to a security when at least one transaction in 
the security has been effected on the national securities exchange 
upon which the security is listed and the transaction has been 
reported pursuant to an effective transaction reporting plan).
    \290\ See, e.g., supra note 36 (discussing the losses associated 
with Nasdaq's Facebook IPO).
    \291\ Specifically, in March 2012, BATS announced that a 
``software bug'' caused BATS to shut down the IPO of its own stock, 
and in May 2012, issues with Nasdaq's trading systems delayed the 
start of trading in the IPO of Facebook, Inc. and some market 
participants experienced delays in notifications of whether orders 
had been filled. See Proposing Release, supra note 13, at 18089; and 
Securities Exchange Act Release No. 69655, In the Matter of The 
NASDAQ Stock Market, LLC and NASDAQ Execution Services, LLC (settled 
action: May 29, 2013), available at: https://www.sec.gov/litigation/admin/2013/34-69655.pdf. Nasdaq and Nasdaq Execution Services, LLC 
consented to an Order Instituting Administrative and 
Cease-and-Desist Proceedings Pursuant to Sections 19(h)(1) and 21C of the 
Securities Exchange Act of 1934, Making Findings, and Imposing 
Sanctions and a Cease-and-Desist Order.
---------------------------------------------------------------------------

    Systems directly supporting the provision of consolidated market 
data are also critical to the functioning of U.S. securities markets 
and represent potential single points of failure in the delivery of 
important market information. When Congress mandated a national market 
system in 1975, it emphasized that the systems for collecting and 
distributing consolidated market data would be central features of the 
national market system.\292\ Further, one of the findings of the recent 
report by the staffs of the Commission and the CFTC on the market 
events of May 6, 2010 was that ``fair and orderly markets require that 
the standards for robust, accessible, and timely market data be set 
quite high.'' \293\ Accurate, timely, and efficient collection, 
processing, and dissemination of consolidated market data provides the 
public with ready access to a comprehensive and reliable source of 
information for the prices and volume of any NMS stock at any time 
during the trading day.\294\ This information helps to ensure that the 
public is aware of the best displayed prices for a stock, no matter 
where they may arise in the national market system.\295\ It also 
enables investors to monitor the prices at which their orders are 
executed and serves as a data point that helps them to assess whether 
their orders received best execution.\296\
---------------------------------------------------------------------------

    \292\ See H.R. Rep. No. 94-229, 94th Cong., 1st Sess. 93 (1975). 
See also Concept Release on Equity Market Structure, supra note 4, 
at 3600, and Proposing Release, supra note 13, at 18108 (each 
discussing the importance of consolidated market data).
    \293\ See Findings Regarding The Market Events Of May 6, 2010, 
Report Of The Staffs Of The CFTC And SEC To The Joint Advisory 
Committee On Emerging Regulatory Issues, September 30, 2010, at 8 
(``May 6 Staff Report'').
    \294\ See id.
    \295\ See id.
    \296\ See id. Also, as discussed above, the recent Nasdaq SIP 
disruption demonstrated that the availability, accuracy, and 
reliability of consolidated market data is currently central to the 
functioning of the securities markets, and systems issues affecting 
such systems can result in major disruptions to the national market 
system, undermining the maintenance of fair and orderly markets.
---------------------------------------------------------------------------

    Finally, systems directly supporting functionality relating to 
exclusively-listed securities represent single points of failure in the 
securities markets, because exclusively-listed securities, by 
definition, are listed and traded solely on one exchange.\297\ As such, 
a trading disruption on the exclusive listing market necessarily will 
disrupt trading by all market participants in those securities.\298\
---------------------------------------------------------------------------

    \297\ As noted above, commenters identified the systems 
supporting the trading of exclusively-listed securities as 
representing critical points of failure or critical functionality in 
the securities markets. See, e.g., KCG Letter at 2-3; and SIFMA 
Letter at 4.
    \298\ For example, as noted above, in April 2013, CBOE delayed 
the opening of trading on its exchange for over three hours due to 
an internal ``software bug,'' preventing investors from trading in 
those products that are singly-listed on CBOE, including options on 
the S&P 500 Index and the VIX. See supra note 28 and accompanying 
text.
---------------------------------------------------------------------------

    The second prong of the definition is a broader catch-all provision 
intended to capture any SCI systems, beyond those specifically 
identified within the first prong of the definition, that provide 
functionality to the securities markets for which the availability of 
alternatives is significantly limited or nonexistent and without which 
there would be a material impact on fair and orderly markets. The 
Commission is not aware of any SCI systems that would fall under this 
prong of the critical SCI systems definition at this time, and notes 
that this prong of the definition is intended to account for further 
technology advancements and the continual evolution of the securities 
markets, in recognition that such developments could result in 
additional or new types of systems that would, similar to the 
enumerated categories of systems in the first prong of the definition, 
become so critical to the continuous and orderly functioning of the 
securities markets such that they should be subject to the requirements 
of Regulation SCI imposed on those systems specifically enumerated in 
the first prong of the definition.
    The Commission also notes that the definition applies to those 
systems ``of, or operated by or on behalf of, an SCI entity.'' This 
language mirrors the language in the definitions of SCI system and 
indirect SCI system, and as discussed above, is intended to cover 
systems that are third-party systems operated on behalf of SCI 
entities.\299\
---------------------------------------------------------------------------

    \299\ See supra notes 254-260 and accompanying text.
---------------------------------------------------------------------------

d. Indirect SCI Systems (Proposed as ``SCI Security Systems'')
    Proposed Rule 1000 defined the term ``SCI security systems'' to 
mean ``any systems that share network resources with SCI systems that, 
if breached, would be reasonably likely to pose a security threat to 
SCI systems.'' \300\ As adopted, Regulation SCI includes the new term 
``indirect SCI systems,'' in place of the proposed term ``SCI security 
systems.'' The term ``indirect SCI systems'' is defined to mean ``any 
systems of, or operated by or on behalf of, an SCI entity that, if 
breached, would be reasonably likely to pose a security threat to SCI 
systems.''
---------------------------------------------------------------------------

    \300\ See proposed Rule 1000(a) and Proposing Release, supra 
note 13, at Section III.B.2.
---------------------------------------------------------------------------

    As an initial matter, the Commission has determined to replace the 
proposed term ``SCI security systems'' with the adopted term ``indirect 
SCI systems'' because it believes that the latter term, in using the 
word ``indirect,'' better reflects that it is intended to cover non-SCI 
systems only if they are not appropriately secured and segregated from 
SCI systems, and therefore could indirectly pose risk to SCI 
systems.\301\ The adopted definition of indirect SCI systems includes 
systems ``of, or operated by or on behalf of'' an SCI entity that, 
``if breached, would be reasonably likely to pose a security threat to 
SCI systems.'' As discussed below, in response to comment that the 
proposed term would cover too many systems unrelated to SCI systems, 
the adopted term excludes the phrase ``share network resources.''
---------------------------------------------------------------------------

    \301\ The Commission also believes that eliminating the word 
``security'' from the defined term will help clarify that the term 
is not limited to systems relating only to security of the SCI 
entity and its systems (e.g., firewalls, VPNs).
---------------------------------------------------------------------------

    One commenter expressly supported the definition of SCI security 
systems and urged that it be expanded to include any technology system 
that has direct market access.\302\ In response to this comment, the 
Commission notes that the adopted definition includes any technology 
system of, or operated by or on behalf of an SCI entity, that has 
direct market access if that system meets the definition's test: 
whether a breach of
that system would be reasonably likely to pose a security threat to SCI 
systems.
---------------------------------------------------------------------------

    \302\ See Lauer Letter at 5.
---------------------------------------------------------------------------

    This commenter also suggested that the Commission additionally 
require SCI entities to have independent security audits performed and 
allow the auditor to have the ability to define which systems should be 
included and which can be safely excluded.\303\ The Commission is not 
requiring ``independent security audits'' to determine which systems 
would fall within the definition of indirect SCI system as suggested by 
this commenter,\304\ because the Commission believes its adopted rule 
requiring an annual SCI review addresses the commenter's request. The 
Commission notes that the adopted annual SCI review requirement 
requires that such review be performed by objective, qualified 
personnel, and that it include an assessment of logical and physical 
security controls for SCI systems and indirect SCI systems. The 
Commission believes that an SCI entity is generally in the best 
position to assess in the first instance which of its systems may fall 
within the definition of indirect SCI systems, and that having an 
independent third party audit to make that determination should be 
optional rather than required at this time.
---------------------------------------------------------------------------

    \303\ See id.
    \304\ See adopted Rule 1000 (definition of ``SCI review'') and 
infra Section IV.B.5 (discussing the SCI review requirement).
---------------------------------------------------------------------------

    Contrary to the commenter urging expansion of the proposed 
definition of SCI security systems, many commenters argued that the 
proposed definition was overbroad,\305\ with several of these same 
commenters suggesting that the term be deleted from the rule 
entirely.\306\ The Commission believes that Regulation SCI warrants 
inclusion of a definition of indirect SCI systems because an issue or 
systems intrusion with respect to a non-SCI system still could cause or 
increase the likelihood of an SCI event with respect to an SCI entity's 
SCI systems.\307\ In particular, because systems that are not 
adequately walled off from SCI systems may present potential entry 
points to an SCI entity's network and thus represent potential 
vulnerabilities to SCI systems, the Commission believes that it is 
important that the provisions of Regulation SCI relating to security 
standards and systems intrusions apply to such systems (i.e., indirect 
SCI systems).
---------------------------------------------------------------------------

    \305\ See, e.g., NYSE Letter at 11; Omgeo Letter at 6; MFA 
Letter at 6 (noting specifically that the definition could be read 
to extend to broker-dealers or other third parties); SIFMA Letter at 
8; ITG Letter at 5, 12; BIDS Letter at 16-17; MSRB Letter at 7; OCC 
Letter at 4; FINRA Letter at 12-13; CME Letter at 6; DTCC Letter at 
5; Oppenheimer Letter at 3; and Direct Edge Letter at 3.
    \306\ See, e.g., NYSE Letter at 11; Omgeo Letter at 6; MFA 
Letter at 6; SIFMA Letter at 2; FIF Letter at 3; LiquidPoint Letter 
at 3; KCG Letter at 18; OCC Letter at 3; and Joint SROs Letter at 5.
    \307\ See Proposing Release, supra note 13, at 18099.
---------------------------------------------------------------------------

    Many commenters objecting to the proposed definition as too broad 
addressed particular elements of the proposed definition of SCI 
security systems or provided specific recommendations for modifications 
or limitations to the definition.\308\ For example, some commenters 
criticized the use of the phrase ``share network resources,'' noting 
that it was vague and too broad, potentially encompassing almost any 
system of an SCI entity.\309\ Similarly, one commenter stated that the 
definition of SCI security system should include only systems that 
``directly'' share network resources with an SCI system.\310\ One 
commenter argued that the definition should only include those systems 
that are materially and directly connected to the trading operations of 
an SCI entity.\311\ Several commenters recommended that systems that 
are logically and/or physically separated from SCI systems should be 
excluded from the definition.\312\ Some commenters qualified this 
position by stating that such systems should be excluded, for example, 
as long as SCI entities monitor those systems for security breaches and 
have the ability to shut the system off if they detect a security 
breach; \313\ or provided that the separation is routinely monitored 
and has appropriate risk controls in place and the system is ``air 
gapped'' (i.e., has no point of entry) from the public internet.\314\ 
One commenter believed that the definition should exclude any system 
with ``compensatory controls in place,'' which it stated would protect 
and secure SCI systems from vulnerabilities that could arise from 
shared network links.\315\ Another commenter asked for greater clarity 
on the extent to which SCI security systems that are isolated from 
production, such as email and intranet sites, raise security issues 
that are within the scope of the proposal.\316\
---------------------------------------------------------------------------

    \308\ See NYSE Letter at 12; BATS Letter at 5-6; ISE Letter at 
7-8; BIDS Letter at 16-17; SROs Letter at 15; Direct Edge Letter at 
3; FINRA Letter at 13; ISE Letter at 8; DTCC Letter at 5; and 
ITG Letter at 12.
    \309\ See NYSE Letter at 12; BATS Letter at 5; and ISE Letter at 
7-8.
    \310\ See BIDS Letter at 16-17.
    \311\ See ITG Letter at 12 (stating that its suggested approach 
would, in its case, cover systems for order handling and execution, 
processing of market data, transaction reporting, and clearing and 
settlement of trades).
    \312\ See, e.g., Joint SROs Letter at 15 (stating that the term 
``SCI security systems'' should be deleted, but if retained, should 
exclude those systems that are physically and logically separated); 
BATS Letter at 5-6; Direct Edge Letter at 3; FINRA Letter at 13; ISE 
Letter at 8; and DTCC Letter at 5.
    \313\ See BATS Letter at 5-6.
    \314\ See Direct Edge Letter at 3.
    \315\ See FINRA Letter at 13.
    \316\ See ISE Letter at 8.
---------------------------------------------------------------------------

    After careful consideration of these comments, the Commission 
believes that inclusion of the phrase ``share network resources'' in 
the proposed definition could be interpreted in a manner that would 
include almost any system that is part of an SCI entity's network. In 
response to commenters who expressed concern about the breadth of the 
proposed definition, the Commission has determined to eliminate the 
phrase ``share network resources'' from the definition, so that the 
adopted result-oriented test depends on whether a system ``if breached, 
would be reasonably likely to pose a security threat to SCI systems.'' 
As a result, the inquiry into whether any system is an indirect SCI 
system will depend on whether it is effectively physically or logically 
separated from SCI systems. Systems that are adequately physically or 
logically separated (i.e., isolated from SCI systems, such that they do 
not provide vulnerable points of entry into SCI systems) will not fall 
within the definition of indirect SCI systems.
    The Commission believes that having adequate separation and 
security controls should protect SCI systems from vulnerabilities 
caused by other systems. To the extent that non-SCI systems are 
sufficiently walled off from SCI systems using appropriate security 
measures, and thus are not reasonably likely to pose a security threat 
to SCI systems if breached, they would not be included in the 
definition of indirect SCI systems, and thus would be outside of the 
scope of Regulation SCI.
    The Commission notes that the definition of indirect SCI systems 
will not include any systems of an SCI entity for which the SCI entity 
establishes reasonably designed and effective controls that result in 
SCI systems being logically or physically separated from such non-SCI 
systems. Thus, the universe of an SCI entity's indirect SCI systems is 
in the control of each SCI entity, and SCI entities should reasonably 
expect Commission staff to assess their security controls around SCI 
systems in connection with an inspection or examination for compliance 
with Regulation SCI. If these controls are not present or are not 
reasonably designed, the applicable non-SCI systems would be within the 
scope of the definition of indirect SCI systems and subject to the 
security
standards and systems intrusions provisions of Regulation SCI.
    Some commenters recommended that, rather than including SCI 
security systems in the scope of the regulation, the Commission should 
instead require SCI entities to establish policies and procedures 
designed to ensure the security of their systems.\317\ According to 
these commenters, such an approach would require an evaluation of the 
risks posed to SCI systems by non-SCI systems. As noted, the Commission 
believes that the adopted definition of ``indirect SCI systems'' will 
effectively require SCI entities to evaluate the risks posed to SCI 
systems by non-SCI systems. However, the Commission believes that the 
adopted approach will incentivize SCI entities to seek to have in place 
strong security controls around SCI systems. As noted, if an SCI entity 
designs and implements security controls so that none of its non-SCI 
systems would be reasonably likely to pose a security threat to SCI 
systems, then it will have no indirect SCI systems. If, however, an SCI 
entity does have indirect SCI systems, then certain provisions of 
Regulation SCI will apply to those indirect SCI systems.\318\ The 
Commission believes this approach to indirect SCI systems is more 
appropriate than the policies and procedures approach suggested by some 
commenters because the Commission believes that its approach is more 
comprehensive as it includes, for example, the requirements to take 
corrective action, provide notifications to the Commission, and 
disseminate information for certain SCI events relating to indirect SCI 
systems which, by definition, if breached, would be reasonably likely 
to pose a security threat to SCI systems. Another commenter stated that 
a more precise definition of SCI security systems is important and that 
it would be valuable for the Commission to work with representatives 
within the securities industry to collectively craft the most 
appropriate definition that will ensure that critical security systems 
are captured.\319\ In crafting the definition, the Commission has taken 
into account comments received, with such commenters representing a 
wide variety of types of participants in the securities markets, and 
believes the adopted definition of indirect SCI systems, along with the 
definition of SCI systems, is responsive to a broad range of 
commenters' concerns.\320\
---------------------------------------------------------------------------

    \317\ See, e.g., NYSE Letter at 12; MFA Letter at 6; SIFMA 
Letter at 2; FIF Letter at 3; LiquidPoint Letter at 3; KCG Letter at 
18; OCC Letter at 3; and Joint SROs Letter at 5.
    \318\ See infra notes 323-328 (discussing the provisions of 
Regulation SCI applicable to indirect SCI systems).
    \319\ See DTCC Letter at 5.
    \320\ See supra note 17 and accompanying text.
---------------------------------------------------------------------------

    Another commenter suggested that the definition be limited to 
systems ``of, or operated by or on behalf of, an SCI entity,'' noting 
that the definition of SCI security systems should have parallel 
construction to the definition of ``SCI systems'' and without this 
phrase, SCI entities would be tasked inappropriately with controlling 
for systems outside of their effective control.\321\ As noted, the 
adopted definition of ``indirect SCI systems'' applies to those systems 
``of, or operated by or on behalf of, an SCI entity.'' As a result, the 
adopted definition of indirect SCI systems provides (as is the case for 
SCI systems) that systems ``of, or operated by or on behalf of'' an SCI 
entity, are included in the definition of indirect SCI systems if their 
breach would be reasonably likely to pose a security threat to SCI 
systems.\322\ The Commission believes that the addition of this 
language is warranted to make clear that security of SCI systems is not 
limited solely to threats from systems operated directly by the SCI 
entity. If it were, outsourced systems of SCI entities would not be 
subject to the requirements of Regulation SCI, which would undermine 
the goals of Regulation SCI.
---------------------------------------------------------------------------

    \321\ See MSRB Letter at 7.
    \322\ See supra Section IV.A.2.b (discussing the inclusion of 
third party systems in the definition of ``SCI systems'').
---------------------------------------------------------------------------

    As discussed in further detail below, unlike SCI systems, those 
systems meeting the definition of ``indirect SCI systems'' will only be 
subject to certain provisions of Regulation SCI. Specifically, 
references to ``indirect SCI systems'' are included in the definitions 
of ``responsible SCI personnel,'' ``SCI review,'' and ``systems 
intrusion'' in adopted Rule 1000.\323\ Rule 1001(a), requiring 
reasonably designed policies and procedures to ensure operational 
capability, will apply to indirect SCI systems only for purposes of 
security standards.\324\ In addition, Rule 1002, which relates to an 
SCI entity's obligations with regard to SCI events, will apply to 
indirect SCI systems only with respect to systems intrusions.\325\ 
Further, pursuant to Rule 1003(a), the obligations related to systems 
changes will apply to material changes to the security of indirect SCI 
systems.\326\ In addition, the requirements regarding an SCI review 
will apply to indirect SCI systems.\327\ Finally, Rules 1005 through 
1007, relating to recordkeeping and electronic filing and submission of 
Form SCI, respectively, will also apply to indirect SCI systems.\328\ 
The Commission believes that it is appropriate to subject indirect SCI 
systems to only these specified provisions because the Commission 
believes that the primary risk posed by indirect SCI systems is that 
they may serve as vulnerable entry points to SCI systems. The 
Commission's objective with respect to indirect SCI systems is to guard 
against a non-SCI system being breached in a manner that threatens the 
security of any SCI system. The Commission believes that its approach 
to defining indirect SCI systems, and requiring SCI entities to 
consider, address, and report on security changes and intrusions into 
systems where vulnerabilities have been identified, is tailored to meet 
this objective.
---------------------------------------------------------------------------

    \323\ See adopted Rule 1000.
    \324\ See adopted Rule 1001(a) and supra Section IV.B.1 
(discussing the policies and procedures requirement under Rule 
1001(a)).
    \325\ See adopted Rule 1000 (definitions of system compliance 
and systems disruption, which do not include indirect SCI systems, 
and the definition of systems intrusion, which includes indirect SCI 
systems) and supra Section IV.B.3 (discussing an SCI entity's 
obligations with respect to SCI events).
    \326\ See adopted Rule 1003(a)(i) and Section IV.B.4 (discussing 
requirements relating to material systems changes).
    \327\ See adopted Rule 1003(b) and Section IV.B.5 (discussing 
the SCI review requirement).
    \328\ See adopted Rules 1005-1007 and Section IV.C (discussing 
the recordkeeping and electronic filing of Form SCI).
---------------------------------------------------------------------------

3. SCI Events
    Regulation SCI specifies the types of events--i.e., SCI events--
that give rise to certain obligations under the rule, including taking 
corrective action, reporting to the Commission, and disseminating 
information about such SCI events.\329\ Proposed Rule 1000(a) defined 
the term ``SCI event'' as ``an event at an SCI entity that constitutes: 
(1) A systems disruption; (2) a systems compliance issue; or (3) a 
systems intrusion.'' \330\ The Commission is adopting the definition of 
``SCI event'' as proposed.
---------------------------------------------------------------------------

    \329\ See infra Section IV.B.3 (discussing an SCI entity's 
obligations with respect to SCI events).
    \330\ See proposed Rule 1000(a) and Proposing Release, supra 
note 13, at Section III.B.3.
---------------------------------------------------------------------------

    Many commenters believed that the proposed definition of ``SCI 
event'' was vague \331\ or overly broad because it was not limited to 
capturing material SCI events \332\ or events that the commenters 
believed are truly disruptive and pose a risk to the market.\333\ 
Specifically,
several commenters recommended that the definition of SCI event include 
a materiality threshold, so that only events determined by the SCI 
entity to be material would trigger certain obligations under the 
rule.\334\ One commenter stated that the definition of SCI event could 
be interpreted to include trivial events, and therefore believed that 
the definition needed clarity.\335\ Finally, one commenter suggested 
that SCI event be defined as outlined in Rule 301(b)(6)(ii)(G) under 
Regulation ATS,\336\ which requires a qualifying ATS to notify the 
Commission of material systems outages and significant systems 
changes.\337\
---------------------------------------------------------------------------

    \331\ See ITG Letter at 12; and OTC Markets Letter at 16.
    \332\ See FIF Letter at 2; ITG Letter at 12; DTCC Letter at 5; 
and OTC Markets Letter at 16.
    \333\ See NYSE Letter at 3; ICI Letter at 4; Oppenheimer Letter 
at 3. See also supra note 231 and accompanying text (discussing 
comment that the definition of SCI systems should be revised to 
cover only those systems where a disruption, compliance issue, 
intrusion or material systems change would impact investors and 
markets that are subject to the Commission's jurisdiction).
    \334\ See, e.g., FIF Letter at 2 (suggesting factors for 
determining what is a material SCI event, and urging that only 
material SCI events be subject to notification requirements); ITG 
Letter at 12 (suggesting that a Commission notification requirement 
apply only to those events that have a material impact on the 
ongoing maintenance of fair and orderly markets in an NMS security); 
and DTCC Letter at 5 (recommending that each component of the term 
SCI event be limited by a materiality threshold and be ``risk-
based'' so that the term includes events that cause a disruption to 
the SCI entity's ability to conduct its core functions).
    \335\ See ITG Letter at 12.
    \336\ 17 CFR 242.301(b)(6)(ii)(G).
    \337\ See OTC Markets Letter at 16. In addition, some commenters 
objected to the inclusion of systems compliance issues within the 
definition of SCI events. See infra notes 403-405 and accompanying 
text.
---------------------------------------------------------------------------

    After careful consideration of the views of commenters, although 
the Commission is adopting the definition of ``SCI event'' as proposed, 
the requirements of Regulation SCI are tiered in a manner that the 
Commission believes is responsive to the concerns of commenters about 
the breadth of the definition.\338\ Specifically, and as explained in 
further detail below, the Commission is incorporating a risk-based 
approach to the obligations of SCI entities with respect to SCI 
events.\339\
---------------------------------------------------------------------------

    \338\ See supra notes 331-337 and accompanying text.
    \339\ Under this risk-based approach, for example, de minimis 
SCI events will not be subject to the immediate Commission reporting 
requirements as proposed, but rather, SCI entities will only be 
required to make, keep, and preserve records regarding de minimis 
SCI events and submit de minimis systems disruptions and de minimis 
systems intrusions to the Commission in quarterly summary reports. 
See Rule 1002(b)(5).
---------------------------------------------------------------------------

    The Commission is not incorporating a materiality threshold as 
requested by some commenters,\340\ including by limiting the definition 
of SCI event to only those events that are considered by SCI entities 
to be truly disruptive to the market.\341\ Rather, the Commission 
believes that the adopted Commission notification and information 
dissemination requirements for SCI events will help to focus the 
Commission's and SCI entities' resources on the more significant SCI 
events by providing appropriate exceptions from reporting and 
dissemination for events that have no or de minimis impacts on an SCI 
entity's operations or market participants. In addition, the Commission 
believes that SCI event should not be defined as outlined in Rule 
301(b)(6)(ii)(G) under Regulation ATS as suggested by one 
commenter,\342\ because Rule 301(b)(6)(ii)(G) requires Commission 
notification of ``material systems outages.'' \343\ Such an approach 
would exclude any systems compliance issues or systems intrusions, two 
types of events that the Commission believes should be included as SCI 
events. This approach would also create a materiality threshold for 
systems disruptions, which the Commission believes would not be 
appropriate, as discussed below.
---------------------------------------------------------------------------

    \340\ See supra notes 334 and 337 and accompanying text.
    \341\ See supra note 333 and accompanying text.
    \342\ See supra note 337 and accompanying text.
    \343\ See 17 CFR 242.301(b)(6)(ii)(G). Rule 301(b)(6)(ii)(G) 
also requires that ATSs promptly notify the Commission of 
significant systems changes.
---------------------------------------------------------------------------

    In addition, by not including a materiality threshold within the 
definition, SCI entities will be required to assess, take corrective 
action, and keep records of all such events, some of which may 
initially seem insignificant to an SCI entity, but which may later 
prove to be the cause of significant systems issues at the SCI entity. 
An SCI entity's records of de minimis SCI events may also be useful to 
the Commission in that they may, for example, aid the Commission in 
identifying patterns of de minimis SCI events that together might 
result in a more impactful SCI event, either at an SCI entity or across 
a group of SCI entities, or circumstances in which an SCI event causes 
de minimis systems issues for one particular SCI entity but results in 
significant issues for another SCI entity. The Commission also believes 
that the ability to view such events in the aggregate and across 
multiple SCI entities is important to allow the Commission and its 
staff to be able to gather information about trends related to SCI 
events that could not otherwise be properly discerned. Information 
about trends will assist the Commission in fulfilling its oversight 
role by keeping Commission staff informed about the nature and 
frequency of the types of de minimis SCI events that SCI entities 
encounter. Moreover, information about trends and notifications of de 
minimis SCI events generally can also inform the Commission of areas of 
potential weaknesses, or persistent or recurring problems, across SCI 
entities and also should help the Commission better focus on common 
types of SCI events or issues with certain types of SCI systems across 
SCI entities. This information also will permit the Commission and its 
staff to issue industry alerts or guidance if appropriate. In addition, 
this information would allow the Commission and its staff to review SCI 
entities' classification of SCI events as de minimis SCI events.
    In addition, although the definition of SCI event is unchanged, to 
address commenters' concerns, the Commission has determined to modify 
the various components of that definition (i.e., the definition of 
systems disruption, systems compliance issue, and systems intrusion), 
in certain respects, as discussed below.
a. Systems Disruption
    Proposed Rule 1000(a) would have defined ``systems disruption'' as 
``an event in an SCI entity's SCI systems that results in: (1) A 
failure to maintain service level agreements or constraints; (2) a 
disruption of normal operations, including a switchover to back up 
equipment with near-term recovery of primary hardware unlikely; (3) a 
loss of use of any SCI system; (4) a loss of transaction or clearance 
and settlement data; (5) significant backups or delays in processing; 
(6) a significant diminution of ability to disseminate timely and 
accurate market data; or (7) a queuing of data between systems 
components or queuing of messages to or from customers of such duration 
that normal service delivery is affected.'' \344\ As discussed below, 
in response to comments, the Commission is substantially modifying the 
proposed definition of systems disruption in adopted Rule 1000.
---------------------------------------------------------------------------

    \344\ See proposed Rule 1000(a) and Proposing Release, supra 
note 13, at Section III.B.3.a.
---------------------------------------------------------------------------

    One commenter stated that the proposed definition of systems 
disruption was reasonable, but recommended that it be expanded to 
encompass disruptions originating from a third party.\345\ However, 
many other commenters believed that the definition of systems 
disruption was too broad and would include minor events that they 
believed should be excluded from the
definition.\346\ Several commenters suggested ways to limit the scope 
of the defined term. For example, some commenters suggested limiting 
the definition to material disruptions.\347\ One of these commenters 
added that systems disruptions should exclude any regularly planned 
outages occurring during the normal course of business.\348\ Another 
commenter recommended that development and testing environments should 
be excluded from the definition of systems disruption.\349\ One 
commenter suggested modifying the definition to include only two 
elements: (1) Disruptions of either the SCI systems or of the 
operations of the SCI entity that have the effect of disrupting the 
delivery of the SCI service provided by those systems; and (2) 
degradations of SCI systems processing creating backups or delays of 
such a degree and duration that the delivery of service is effectively 
disrupted or unusable by the market participants who use the 
systems.\350\
---------------------------------------------------------------------------

    \345\ See Lauer Letter at 5-6.
    \346\ See, e.g., FINRA Letter at 16; BATS Letter at 9; Omgeo 
Letter at 7; NYSE Letter at 14; Joint SROs Letter at 6; OCC Letter 
at 6; SIFMA Letter at 9-10; and OTC Markets Letter at 21.
    \347\ See DTCC Letter at 6; SIFMA Letter at 9; OCC Letter at 6; 
OTC Markets Letter at 21; and Joint SROs Letter at 6.
    \348\ See DTCC Letter at 7.
    \349\ See FINRA Letter at 11, 16 (noting also that the many 
elements of the defined term were vague). See also Section IV.A.2.b 
(discussing the definition of ``SCI systems,'' including the 
elimination of test and development systems from its definition).
    \350\ See Omgeo Letter at 11.
---------------------------------------------------------------------------

    Two commenters believed that the proposed definition of systems 
disruption was too rigid and should provide for more flexibility and 
discretion.\351\ Both commenters were skeptical that an event should be 
reportable solely because it matched the description of one of the 
seven elements of the definition.\352\ One of these commenters noted 
that the Commission's proposed definition seeks to codify as a formal 
definition language used by the ARP Inspection Program that was meant 
to provide flexibility and latitude in determining what constitutes a 
systems disruption.\353\ The other commenter thought that the seven 
prongs of the proposed definition of ``systems disruption'' were 
appropriate considerations in determining whether a systems disruption 
had occurred, but that an SCI entity should be afforded more discretion 
and flexibility in determining whether a particular issue meets the 
definition.\354\
---------------------------------------------------------------------------

    \351\ See Omgeo Letter at 7; and OCC Letter at 6-8.
    \352\ See Omgeo Letter at 7; and OCC Letter at 6-8.
    \353\ See Omgeo Letter at 7.
    \354\ See OCC Letter at 6. This commenter also critiqued or 
requested clarification for each prong of the definition, as 
discussed further below.
---------------------------------------------------------------------------

Service Level Agreements
    Two commenters believed that the first element of the definition 
regarding service level agreements should be eliminated.\355\ One of 
these commenters stated that an SCI entity's regulatory requirements 
should not depend upon the negotiated language of an agreement between 
business partners, while the other commenter noted that, in some cases, 
a private contract might have more stringent requirements than required 
by regulation, which would, in effect, transform such agreements into 
new regulatory obligations.\356\ Other commenters stated this element 
should be revised to capture only the most significant disruptions to a 
service level agreement.\357\ In addition, one commenter expressed 
concern that SCI entities may forgo negotiating detailed and stringent 
service level agreements if the first element were to be adopted as 
proposed.\358\
---------------------------------------------------------------------------

    \355\ See NYSE Letter at 13; and BATS Letter at 9.
    \356\ See NYSE Letter at 13; and BATS Letter at 9.
    \357\ See DTCC Letter at 7 (suggesting that the definition 
capture only the most significant disruptions to a service level 
agreement that are caused by the SCI entity and that impede its 
ability to perform its core functions and critical operations); and 
OCC Letter at 7. See also Omgeo Letter at 9 (noting concerns that 
this element could require reporting of events too minor to be 
noticed by participants and that do not cause any disruptions of 
service or material risks to the entity or users).
    \358\ See OCC Letter at 7.
---------------------------------------------------------------------------

Disruptions of Normal Operations
    Two commenters stated that the second element of the definition 
needs clarification because the phrase ``disruption of normal 
operations'' is vague and overbroad and therefore could potentially 
include minor events.\359\ Two commenters stated that, if a switchover 
is utilized and there is no material impact on the core services, then 
there should not be a requirement to notify the Commission of a systems 
disruption.\360\ One of these commenters added that programming errors 
that occur prior to production and regularly scheduled maintenance 
should not be considered disruptions.\361\ Several commenters also 
recommended that testing errors should not be included in the 
definition,\362\ and one commenter stated that testing errors should 
only be included if they result in a material impact on an SCI entity's 
operations.\363\
---------------------------------------------------------------------------

    \359\ See NYSE Letter at 13; and Omgeo Letter at 8.
    \360\ See BATS Letter at 9; and SIFMA Letter at 10.
    \361\ See BATS Letter at 10.
    \362\ See BATS Letter at 11; SIFMA Letter at 10; and NYSE Letter 
at 13.
    \363\ See Omgeo Letter at 9 (noting that inclusion of testing 
errors would discourage SCI entities from conducting effective 
quality assurance programs and could undermine good quality 
engineering practices).
---------------------------------------------------------------------------

Loss of Use of Any System
    One commenter stated that the term ``loss of use of any SCI 
system'' is unclear and expressed concern that the lack of clarity may 
lead to interpretive differences and inconsistencies in application 
among SCI entities.\364\ Three commenters discussed failovers to backup 
systems, with one commenter stating the Commission should clarify 
whether this constitutes a loss of use of a system,\365\ another 
commenter stating that it should not be considered a systems 
disruption,\366\ and the third commenter stating that it should only be 
considered a systems disruption if there is an impact on normal 
operations.\367\
---------------------------------------------------------------------------

    \364\ See OCC Letter at 7.
    \365\ See id.
    \366\ See NYSE Letter at 13.
    \367\ See Direct Edge Letter at 3.
---------------------------------------------------------------------------

Loss of Data
    Several commenters stated that losses of transaction or clearance 
and settlement data that are immediately retrieved, promptly corrected, 
or, for clearance and settlement data, resolved prior to the close of 
the trading day should not be systems disruptions.\368\ One commenter 
suggested that the rule be revised to include as a systems disruption 
data that is altered or corrupted in some way.\369\ Another commenter 
stated that this prong of the definition should include a materiality 
qualifier.\370\
---------------------------------------------------------------------------

    \368\ See, e.g., OCC Letter at 7; DTCC Letter at 7; SIFMA Letter 
at 10; and Omgeo Letter at 11.
    \369\ See Omgeo Letter at 11.
    \370\ See NYSE Letter at 14.
---------------------------------------------------------------------------

Backups or Delays and Market Data Dissemination
    With respect to the fifth and sixth elements of the definition 
regarding significant backups or delays in processing and a significant 
diminution of ability to disseminate timely and accurate market data, 
one commenter expressed support for the inclusion of such performance 
degradations in the definition of systems disruptions but stated that 
it believed that the Commission's interpretation of the term 
``significant'' in the SCI Proposal was overly broad because it would 
encompass delays that are small and, in fact, insignificant.\371\
---------------------------------------------------------------------------

    \371\ See Omgeo Letter at 9. See also Proposing Release, supra 
note 13, at 18101-02.

---------------------------------------------------------------------------

[[Page 72284]]

Data Queuing
    With respect to the seventh element, one commenter stated that 
queuing of data is a very good indicator of a problem, but also noted 
that it is not necessarily being properly monitored by most firms and 
suggested that the Commission require SCI entities to monitor queue 
depth.\372\ However, several other commenters stated that queuing of 
data is normal and necessary.\373\ Some commenters suggested that the 
Commission should only require reporting of such queuing if it 
materially affects the delivery of core services to customers.\374\ One 
commenter asked for additional clarification on this element because 
all systems have queues to some extent with normal functionality and 
only certain queues should trigger recovery actions.\375\ One commenter 
expressed concern that language in the SCI Proposal stating that 
``queuing of data is a warning signal of significant disruption'' \376\ 
would make events that are precursors to system disruptions themselves 
become system disruptions.\377\
---------------------------------------------------------------------------

    \372\ See Lauer Letter at 5.
    \373\ See, e.g., BATS Letter at 10; DTCC Letter at 7; SIFMA 
Letter at 10; Omgeo Letter at 10; and Joint SROs Letter at 6.
    \374\ See, e.g., BATS Letter at 10-11; DTCC Letter at 7; Omgeo 
Letter at 10; and OCC Letter at 8.
    \375\ See NYSE Letter at 14.
    \376\ See Proposing Release, supra note 13, at 18102.
    \377\ See Omgeo Letter at 9.
---------------------------------------------------------------------------

Customer Complaints
    Several commenters objected to the Commission's discussion in the 
SCI Proposal regarding customer complaints,\378\ stating that the 
Commission should not consider each instance in which a customer or 
systems user complains or inquires about a slowdown or disruption of 
operations as an indicator of a systems disruption.\379\ For example, 
one commenter noted that customer complaints are often ultimately 
determined to be the result of system errors or discrepancies on the 
customer's end, and stated that requiring an SCI entity to treat these 
complaints as significant systems disruptions simply because they are 
made would impose an unnecessary burden on the SCI entity.\380\
---------------------------------------------------------------------------

    \378\ See Proposing Release, supra note 13, at 18102.
    \379\ See, e.g., DTCC Letter at 7; Omgeo Letter at 10; BATS 
Letter at 11; NYSE Letter at 14; and OCC Letter at 8.
    \380\ See Omgeo Letter at 10-11.
---------------------------------------------------------------------------

Definition of ``Systems Disruption'' as Adopted
    After careful consideration of the views of commenters, the 
Commission is removing the seven specific types of systems malfunctions 
that were proposed to define systems disruption. As adopted, ``systems 
disruption'' is defined in Rule 1000 to mean ``an event in an SCI 
entity's SCI systems that disrupts, or significantly degrades, the 
normal operation of an SCI system.'' The Commission has considered 
commenters' suggestions and feedback with respect to the proposed 
definition, including the criticisms of various aspects of the seven 
specific types of systems malfunctions delineated in the SCI Proposal 
and believes that the adopted definition, which largely follows the 
definition suggested by a commenter, is appropriate.\381\ Specifically, 
this commenter recommended that the definition of systems disruption be 
revised to have two elements: (1) Disruptions of either the SCI systems 
or of the operations of the SCI entity that have the effect of 
disrupting the delivery of the SCI service provided by those systems; 
and (2) degradations of SCI systems processing creating backups or 
delays of such a degree and duration that the delivery of service is 
effectively disrupted or unusable by the market participants who use 
the systems.\382\
---------------------------------------------------------------------------

    \381\ See id. at 11.
    \382\ See supra note 353 and accompanying text.
---------------------------------------------------------------------------

    The Commission agrees with commenters that the proposed definition 
of systems disruption had the potential to be both over-inclusive and 
under-inclusive. The Commission believes that the adopted definition 
appropriately represents a change in focus of the definition from the 
prescriptive seven prongs in the SCI Proposal's definition that 
represented the effects caused by a disruption of an SCI entity's 
systems to, instead, whether a system is halted or degraded in a manner 
that is outside of its normal operation. The Commission believes the 
revised definition sets forth a standard that SCI entities can apply in 
a wide variety of circumstances to determine in their discretion 
whether a systems issue should be appropriately categorized as a 
systems disruption. Further, because the adopted definition of systems 
disruption takes into account whether a systems problem is outside of 
normal operations, the Commission also believes that it partly addresses 
the concerns of the commenters suggesting that the definition of 
systems disruption include a materiality qualifier.\383\
---------------------------------------------------------------------------

    \383\ As discussed more fully below, an SCI entity's assessment 
of the impact of an event meeting the definition of a systems 
disruption will affect whether it is subject to an immediate 
Commission notification obligation, or a recordkeeping and quarterly 
reporting obligation. See infra Section IV.B.3.c (discussing the 
exclusion of de minimis systems disruptions from immediate 
Commission notification requirements in Rule 1002(b)(5)).
---------------------------------------------------------------------------

    Because the Commission agrees with commenters regarding the 
difficulties of the proposed definition of ``systems disruption,'' it 
is not including any of the specific types of systems malfunctions in 
the adopted definition of ``systems disruption.'' Thus, the Commission 
believes SCI entities would likely find it helpful to establish 
parameters that can aid them and their staff in determining what 
constitutes the ``normal operation'' \384\ of each of their SCI systems, 
and when such ``normal operation'' has been disrupted or significantly 
degraded because those parameters have been exceeded. The Commission 
agrees with commenters who noted that, given its voluntary nature, 
entities that participate in the ARP Inspection Program are afforded a 
certain degree of flexibility and discretion in reporting systems 
outages, and agrees that, given its proposed application to a mandatory 
rule, the proposed definition limited the flexibility and discretion of 
SCI entities in a manner that was overly rigid.\385\ Although the 
specific types of systems malfunctions have been removed from the 
adopted definition of systems disruption, the Commission nonetheless 
continues to believe, as suggested by one commenter,\386\ that the 
types of systems malfunctions that comprised the proposed definition 
may be useful to SCI entities to consider as indicia of a systems 
disruption.
---------------------------------------------------------------------------

    \384\ The Commission notes that, for certain SCI systems, 
``normal operation'' may include a certain degree of operational 
variability that would allow for a given amount of degradation of 
functionality (e.g., some data queuing or some slowing of response 
times) before the system's operations reach the point of being 
``significantly degraded.'' However, such variability parameters may 
be included as part of an SCI entity's policies and procedures so 
that the SCI entity and its personnel would be aware of them before 
the occurrence of systems issues.
    \385\ Commenters highlighted many examples where a rigid 
interpretation of the proposed definition had the potential to 
incorporate into the definition events that could be considered part 
of normal operation. See, e.g., supra notes 361, 364, 368, 369, 374, 
and 379 and accompanying text. As adopted, however, such events 
would not be captured by the definition of systems disruptions 
because an event that disrupts, or significantly degrades, the 
normal operation of an SCI system would not be considered the 
``normal operation'' of such SCI system.
    \386\ See supra note 354 and accompanying text.

---------------------------------------------------------------------------

[[Page 72285]]

    As discussed in the SCI Proposal \387\ and by certain 
commenters,\388\ the seven categories of malfunctions in the proposed 
definition of ``systems disruption'' have their origin in ARP staff 
guidance regarding when ARP participants should notify the Commission 
of system outages and represent practical examples that SCI entities 
should consider to be systems disruptions in many circumstances. The 
Commission notes that the revised definition is intended to address 
some commenters' concerns with the particular elements of the 
definition of systems disruption as originally proposed. For example, 
under the modified definition, if an SCI system experiences an 
unplanned outage but fails over smoothly to its backup system such that 
there is no disruption or significant degradation of the normal 
operation of the system, the outage of the primary system would not 
constitute a systems disruption. On the other hand, an SCI entity may 
determine that, even when a primary system fails over smoothly to its 
backup system such that users are not impacted by the failover, 
operating from the backup system without additional redundancy would 
not constitute normal operation. In this case, the outage of the 
primary system would fall within the definition of systems disruption. 
Further, the Commission believes it would be appropriate for an SCI 
entity to take into account regularly scheduled outages or scheduled 
maintenance as part of ``normal operations.'' \389\ In particular, a 
planned disruption to an SCI system that is a part of regularly 
scheduled outages or scheduled maintenance would not constitute a 
systems disruption or be subject to the requirements of Regulation SCI, 
if such regularly scheduled outages or scheduled maintenance are part 
of the SCI entity's normal operations. With regard to data queuing, to 
the extent that such queuing is part of the normal functionality of a 
system and does not cause a disruption or significant degradation of 
normal operations, it would not be captured by the rule, which is 
limited to events occurring to an SCI system that are outside its 
normal operations.\390\ Additionally, by eliminating the seven types of 
malfunctions from the definition as proposed, the Commission has 
responded to commenters who expressed concern that events that are 
precursors to system disruptions, such as the queuing of data, would 
themselves be systems disruptions.\391\ Similarly, by eliminating the 
seven types of malfunctions, the Commission has addressed comments that 
called for the elimination of specific elements of the proposed 
definition, such as service level agreements.\392\
---------------------------------------------------------------------------

    \387\ See Proposing Release, supra note 13, at 18101.
    \388\ See supra note 353 and accompanying text.
    \389\ See supra note 361 and accompanying text.
    \390\ See supra notes 372-377 and accompanying text.
    \391\ See supra note 377 and accompanying text.
    \392\ See supra notes 355 and 358 and accompanying text.
---------------------------------------------------------------------------

    Further, the Commission agrees with commenters that customer 
complaints may be indicia of a systems issue,\393\ but that a customer 
complaint alone would not be determinative of whether a system problem 
has occurred that meets the definition of systems disruption under 
Regulation SCI.\394\ With respect to the commenters who stated that 
losses of transaction or clearance and settlement data that are 
immediately retrieved, promptly corrected, or, for clearance and 
settlement data, resolved prior to the close of the trading day should 
not be systems disruptions, the adopted definition would exclude these 
events if they do not disrupt or significantly degrade the normal 
operations of an SCI system.\395\ However, if loss of transaction or 
clearance and settlement data disrupts or significantly degrades the 
normal operation of an SCI system, it would constitute a systems 
disruption and be subject to the requirements of Regulation SCI (e.g., 
immediate or quarterly Commission notification, depending on the impact 
of the disruption).
---------------------------------------------------------------------------

    \393\ The Commission agrees, as noted by some commenters, that 
in some instances, customer complaints may be the result of a 
problem at a system not operated by (or on behalf of) an applicable 
SCI entity, but rather a system operated by the customer itself. See 
supra note 380 and accompanying text.
    \394\ See supra notes 379-380 and accompanying text.
    \395\ See supra note 368. The Commission notes that for 
clearance and settlement systems, normal operations would include 
all steps necessary to effectuate timely and accurate end of day 
settlement. In response to the commenter who stated that the 
definition of systems disruption should be revised to include data 
that is altered or corrupted in some way, because the Commission has 
determined to eliminate the pronged approach to the definition of 
systems disruption, the Commission notes that, under the adopted 
definition, data that is altered or corrupted in some way may be a 
systems disruption if such altered or corrupted data disrupt or 
significantly degrade the affected SCI system's normal operation. 
See supra note 369.
---------------------------------------------------------------------------

    Several commenters also suggested that testing errors or other 
disruptions in development and testing environments should be excluded 
from the definition of systems disruption.\396\ The Commission notes 
that, as discussed above, development and testing systems have been 
excluded from the definition of SCI systems, and thus such disruptions 
would not be subject to the requirements of Regulation SCI.\397\
---------------------------------------------------------------------------

    \396\ See supra notes 361-363 and accompanying text.
    \397\ See supra Section IV.A.2.b (discussing the definition of 
``SCI systems'').
---------------------------------------------------------------------------

    The Commission is not incorporating a materiality threshold into 
the definition of systems disruption as requested by some 
commenters.\398\ Rather, as discussed below, the requirements of 
Regulation SCI are tiered in a manner that the Commission believes is 
responsive to commenters' concerns regarding the breadth of the 
definition of systems disruption (while stopping short of including a 
materiality standard).\399\ In particular, the Commission believes that 
the adopted Commission notification and information dissemination 
requirements for SCI events (i.e., quarterly Commission reporting of de 
minimis systems disruptions, and an exception for de minimis systems 
disruptions from the information dissemination requirement) will help 
to focus the Commission's and SCI entities' resources on the more 
significant systems disruptions. In addition, by not including a 
materiality threshold within the definition, SCI entities will be 
required to assess, take corrective action, and keep records of all 
systems disruptions, some of which may initially seem insignificant to 
an SCI entity, but which may later prove to be the cause of significant 
systems disruptions at the SCI entity. An SCI entity's records of de 
minimis systems disruptions may also be useful to the Commission in 
that they may, for example, aid the Commission in identifying patterns 
of de minimis systems disruptions that together might result in a more 
impactful SCI event, either at an SCI entity or across a group of SCI 
entities, or circumstances in which a systems disruption causes de 
minimis systems issues for one particular SCI entity but results in 
significant issues for another SCI entity. The Commission also believes 
that the ability to view de minimis SCI events in the aggregate and 
across multiple SCI

[[Page 72286]]

entities is important to the Commission and its staff to be able to 
gather information about trends related to such systems disruptions 
that could not otherwise be properly discerned. Information about 
trends will assist the Commission in fulfilling its oversight role by 
keeping Commission staff informed about the nature and frequency of the 
types of de minimis systems disruptions that SCI entities encounter. 
Moreover, information about trends can also inform the Commission of 
areas of potential weaknesses, or persistent or recurring problems, 
across SCI entities and also should help the Commission better focus on 
common types of systems disruptions with certain types of SCI systems 
across SCI entities. This information also would permit the Commission 
and its staff to issue industry alerts or guidance if appropriate. In 
addition, this information would allow the Commission and its staff to 
review SCI entities' classification of events as de minimis systems 
disruptions. Moreover, the Commission believes that, even without 
adopting a materiality threshold, the adopted definition of SCI systems 
further focuses the scope of the definition of systems disruption.\400\
---------------------------------------------------------------------------

    \398\ See supra note 347 and accompanying text.
    \399\ See Rule 1002(b)(5) and infra Section IV.B.3.c (discussing 
the Commission notification requirement for SCI events and requiring 
a quarterly summary report for de minimis systems disruptions). See 
also Rule 1002(c)(4) and infra Section IV.B.3.d (discussing 
information dissemination requirement for certain SCI events, but 
excluding de minimis systems disruptions).
    \400\ See supra Section IV.A.2.b (discussing the definition of 
``SCI systems'').
---------------------------------------------------------------------------

    The Commission also believes that it is unnecessary to modify the 
definition of systems disruption specifically to encompass disruptions 
originating from a third party, as one commenter suggested.\401\ The 
definition of systems disruption does not limit such events with 
respect to the source of the disruption, whether an internal source at 
the SCI entity or an external third party source.
---------------------------------------------------------------------------

    \401\ See supra note 345.
---------------------------------------------------------------------------

b. Systems Compliance Issue
    Proposed Rule 1000(a) would have defined the term ``systems 
compliance issue'' as ``an event at an SCI entity that has caused any 
SCI system of such entity to operate in a manner that does not comply 
with the federal securities laws and rules and regulations thereunder 
or the entity's rules or governing documents, as applicable.'' \402\ 
The Commission is adopting the definition of systems compliance issue 
substantially as proposed, with modifications to refine its scope.
---------------------------------------------------------------------------

    \402\ See proposed Rule 1000(a) and Proposing Release, supra 
note 13, at Section III.B.3.b.
---------------------------------------------------------------------------

    Two commenters stated that the term ``systems compliance issue'' 
should be deleted from the definition of SCI event entirely.\403\ One 
of these commenters stated that the inclusion of systems compliance 
issue as an SCI event would be a departure from the ARP Inspection 
Program and ARP Policy Statements.\404\ The other commenter argued that 
any report regarding a systems compliance issue is an admission that 
the SCI entity has violated a law, rule, or one of its governing 
documents, creating a risk of an enforcement action or other liability 
for the SCI entity.\405\
---------------------------------------------------------------------------

    \403\ See Omgeo Letter at 13; and NYSE Letter at 16.
    \404\ See Omgeo Letter at 14.
    \405\ See NYSE Letter at 16.
---------------------------------------------------------------------------

    Other commenters stated that the proposed definition is too broad 
and should be refined to include only those issues that are material or 
significant.\406\ Commenters' specific recommendations included 
limiting the definition to those systems compliance issues that: have a 
material and significant effect on members; \407\ can be reasonably 
expected to result in significant harm or loss to market participants 
or impact the operation of a fair and orderly market; \408\ or have a 
materially negative impact on the SCI entity's ability to perform its 
core functions.\409\ One commenter also noted that the term should be 
specifically defined to take account of an SCI entity's function, such 
as clearing agencies' ability to comply with Section 17A.\410\
---------------------------------------------------------------------------

    \406\ See, e.g., Joint SROs Letter at 2, 8; ISE Letter at 6; 
SIFMA Letter at 13; Liquidnet Letter at 3; CME Letter at 8; DTCC 
Letter at 6; OCC Letter at 13; and FINRA Letter at 17 (stating that 
systems compliance issues should be reportable only if they would 
directly impact the market or a member firm's ability to comply with 
FINRA rules). See also BATS Letter at 13.
    \407\ See ISE Letter at 6-7.
    \408\ See Liquidnet Letter at 3; and CME Letter at 8. See also 
FINRA Letter at 17.
    \409\ See DTCC Letter at 6; and OCC Letter at 13.
    \410\ See DTCC Letter at 6. See also infra Sections IV.B.3.c and 
IV.B.3.d (discussing comments with respect to systems compliance 
issues and their relation to Commission notification and information 
dissemination to members or participants).
---------------------------------------------------------------------------

    After considering the view of commenters that the proposed 
definition of systems compliance issue is too broad,\411\ the 
Commission is revising the definition to mean an event that has caused 
an SCI system to operate ``in a manner that does not comply with the 
Act'' and the rules and regulations thereunder and the entity's rules 
and governing documents, as applicable.\412\ The Commission believes 
the refinement from ``federal securities laws'' to ``the Act'' (i.e., 
the Securities Exchange Act of 1934) will appropriately focus the 
definition on Exchange Act compliance rather than other areas of the 
federal securities laws. Although the Commission did not receive 
specific comment suggesting that it amend the definition of systems 
compliance issue by using the term ``the Act'' instead of the broader 
``federal securities laws,'' commenters did suggest that the Commission 
limit the scope of the definition to only apply to those sections of 
the Act that are applicable to a particular SCI entity \413\ or the SCI 
entity's rules.\414\ The Commission agrees with these commenters 
insofar as they advocated for focusing the scope to a more specific set 
of securities laws and for reducing the burden on SCI entities, and 
further believes this refinement does not compromise the objective of 
the definition, which is to capture systems compliance issues with 
respect to SCI entities' obligations under the Exchange Act. The 
Commission believes that the refinement provides additional clarity to 
SCI entities that, for purposes of Regulation SCI, their obligations 
are with respect to compliance with the Exchange Act and the rules and 
regulations thereunder and the entity's rules and governing 
documents.\415\
---------------------------------------------------------------------------

    \411\ See supra note 406 and accompanying text.
    \412\ As noted above, proposed Rule 1000 defined systems 
compliance issue as an event at an SCI entity that has caused any 
SCI system of such entity to operate ``in a manner that does not 
comply with the federal securities laws'' and rules and regulations 
thereunder or the entity's rules and governing documents, as 
applicable.
    \413\ See supra note 410 and accompanying text.
    \414\ See supra note 406 and accompanying text.
    \415\ Notwithstanding this provision's focus on compliance with 
the Exchange Act and the rules and regulations thereunder and the 
entity's rules and governing documents, the Commission notes that 
its objective in adopting Regulation SCI is not, for example, to 
change the obligations of SCI entities that are public companies 
with respect to their disclosure obligations under the Securities 
Act of 1933. See 15 U.S.C. 77a et seq.
---------------------------------------------------------------------------

    The Commission disagrees with commenters who suggested removing 
systems compliance issues from the definition of SCI event 
altogether.\416\ Although systems compliance issues have not been 
within the scope of the ARP Inspection Program,\417\ the Commission 
believes that inclusion of systems compliance issues in the definition 
of SCI event and the resulting applicability of the Commission 
reporting, information dissemination, and recordkeeping requirements to 
systems compliance issues is important to help ensure that SCI systems 
are operated by SCI entities in compliance with the Exchange Act, rules 
thereunder, and their own rules and governing documents.
---------------------------------------------------------------------------

    \416\ See supra notes 403-405 and accompanying text.
    \417\ See supra note 404 and accompanying text. See also 
Proposing Release, supra note 13, at 18087.

---------------------------------------------------------------------------

    In addition, the Commission is not adopting a materiality qualifier 
\418\ or other limiting threshold \419\ in the definition of systems 
compliance issue as suggested by some commenters. Instead, the 
requirements of Regulation SCI are tiered in a manner that the 
Commission believes is responsive to commenters' concerns regarding the 
breadth of the definition of systems compliance issue.\420\ In 
particular, the Commission believes that the adopted Commission 
notification requirement and the information dissemination requirement 
(each of which provides an exception for systems compliance issues that 
have no or de minimis impacts on an SCI entity's operations or market 
participants) will help to focus the Commission's and SCI entities' 
resources on those systems compliance issues with more significant 
impacts. In addition, by not including a materiality threshold within 
the definition, SCI entities will be required to assess, take 
corrective action, and keep records of all systems compliance issues, 
some of which may initially seem to have little or no impact, but which 
may later prove to be the cause of significant systems compliance 
issues at the SCI entity. The Commission notes that all SCI entities 
are required to comply with the Exchange Act, the rules and regulations 
thereunder, and their own rules, as applicable. Therefore, even if an 
SCI entity determines that a systems compliance issue has no or a de 
minimis impact, the Commission believes that it is important that it 
have ready access to records regarding such de minimis systems 
compliance issues to allow it to more effectively oversee SCI entities' 
compliance with the Exchange Act and relevant rules. An SCI entity's 
records of de minimis systems compliance issues may also be useful to 
the Commission in that they may, for example, aid the Commission in 
identifying areas of potential weaknesses, or persistent or recurring 
problems, at an SCI entity or across multiple SCI entities. This 
information also would permit the Commission and its staff to issue 
industry alerts or guidance if appropriate. In addition, this 
information would allow the Commission and its staff to review SCI 
entities' classification of events as de minimis systems compliance 
issues.
---------------------------------------------------------------------------

    \418\ See supra notes 406-407 and 409 and accompanying text.
    \419\ See supra note 408.
    \420\ See Rule 1002(b)(5) and infra Section IV.B.3.c (discussing 
the Commission notification requirement for SCI events and the 
exclusion for de minimis systems compliance issues). See also Rule 
1002(c)(4) and infra Section IV.B.3.d (discussing the information 
dissemination requirement for certain SCI events, but excluding de 
minimis systems compliance issues).
---------------------------------------------------------------------------

    Finally, the Commission believes that, even without adopting a 
materiality threshold, the adopted definition of SCI systems, as 
described in Section IV.A.2 above, further focuses the scope of the 
definition of systems compliance issue.
    With respect to a commenter's concern that any report regarding a 
systems compliance issue would be an admission of a violation and thus 
create a risk of enforcement action or other liability,\421\ the 
Commission notes that the Commission notification requirement is not 
triggered until a responsible SCI personnel has a reasonable basis to 
conclude that a systems compliance issue has occurred.\422\ The 
Commission acknowledges that it could consider the information provided 
to the Commission in determining whether to initiate an enforcement 
action. However, the Commission notes that the occurrence of a systems 
compliance issue also does not necessarily mean that the SCI entity 
will be subject to an enforcement action. Rather, the Commission will 
exercise its discretion to initiate an enforcement action if the 
Commission determines that action is warranted, based on the particular 
facts and circumstances of an individual situation.\423\ With respect 
to the potential for other types of liability as suggested by this 
commenter, many entities that fall within the definition of SCI entity 
already currently disclose to the Commission and their members or 
participants certain information regarding systems issues, including 
issues that may potentially give rise to liability.\424\ Moreover, the 
Commission recognizes that compliance with Regulation SCI will increase 
the amount of information about SCI events available to the Commission 
and SCI entities' members and participants, and that the greater 
availability of this information has some potential to increase 
litigation risks for SCI entities, including the risk of private civil 
litigation. The Commission believes that the value of disclosure to the 
Commission, market participants and investors justifies the potential 
increase in litigation risk. Moreover, the Commission notes that, to 
the extent members and participants or the public suffer damages when 
SCI events occur, SCI entities are already subject to litigation risk.
---------------------------------------------------------------------------

    \421\ See supra note 405 and accompanying text.
    \422\ See supra Section IV.B.3.a (discussing the triggering 
standard).
    \423\ See, e.g., infra notes 626-628 and accompanying text.
    \424\ See supra Section II.B (discussing recent events related 
to systems issues).
---------------------------------------------------------------------------

    As adopted, Rule 1000 defines ``systems compliance issue'' as ``an 
event at an SCI entity that has caused any SCI system of such entity to 
operate in a manner that does not comply with the Act and the rules and 
regulations thereunder or the entity's rules or governing documents, as 
applicable.'' As noted in the SCI Proposal, a systems compliance issue 
could, for example, occur when a change to an SCI system is made by 
information technology staff, without the knowledge or input of 
regulatory staff, that results in the system operating in a manner that 
does not comply with the Act and rules thereunder or the entity's rules 
and other governing documents.\425\ For an SCI SRO, systems compliance 
issues would include SCI systems operating in a manner that does not 
comply with the SCI SRO's rules as defined in the Act and the rules 
thereunder.\426\ For a plan processor, a systems compliance issue would 
include SCI systems operating in a manner that does not comply with an 
applicable effective national market system plan. For an SCI ATS or 
exempt clearing agency subject to ARP, a systems compliance issue would 
include SCI systems operating in a manner that does not comply with 
documents such as subscriber agreements and any rules provided to 
subscribers and users and, for an ATS, described in its Form ATS 
filings with the Commission.\427\
---------------------------------------------------------------------------

    \425\ See Proposing Release, supra note 13, at 18103.
    \426\ The rules of an SCI SRO include, among other things, its 
constitution, articles of incorporation, and bylaws. See 15 U.S.C. 
78c(a)(27)-(28). See also 17 CFR 240.19b-4(c).
    \427\ Subscriber agreements and other similar documents that 
govern operations of SCI ATSs and exempt clearing agencies subject 
to ARP are generally not publicly available, but are typically 
provided to subscribers and users of such entities. See 17 CFR 
242.301(b) for a description of the filing requirements for ATSs.
---------------------------------------------------------------------------

c. Systems Intrusion
    Proposed Rule 1000(a) defined ``systems intrusion'' as ``any 
unauthorized entry into the SCI systems or SCI security systems of an 
SCI entity.'' \428\ The proposed definition is being adopted as 
proposed, with one technical modification to replace the term ``SCI 
security systems'' with ``indirect SCI systems.'' \429\
---------------------------------------------------------------------------

    \428\ See proposed Rule 1000(a) and Proposing Release, supra 
note 13, at Section III.B.3.c.
    \429\ See supra Section IV.A.2.d (discussing the definition of 
``indirect SCI systems'').
---------------------------------------------------------------------------

    While one commenter noted its general support for the inclusion of 
systems intrusions within the scope of 
Regulation SCI,\430\ this commenter and others stated that the proposed 
definition was too broad or vague.\431\ Several commenters asserted 
that the proposed definition would capture too many insignificant and 
minor incidents.\432\ Some commenters recommended limiting the 
definition to material systems intrusions, and offered various 
suggestions for how to do so.\433\
---------------------------------------------------------------------------

    \430\ See NYSE Letter at 15.
    \431\ See, e.g., NYSE Letter at 15; BATS Letter at 12; DTCC 
Letter at 7; Omgeo Letter at 11; SIFMA Letter at 10-11; and Joint 
SROs Letter at 7.
    \432\ See, e.g., BATS Letter at 12; DTCC Letter at 7; Omgeo 
Letter at 11; SIFMA Letter at 10-11; and Joint SROs Letter at 7.
    \433\ See, e.g., NYSE Letter at 15 (recommending that the 
definition include only major intrusions that pose a plausible risk 
to the trading, routing, or clearance and settlement operations of 
the exchange or to required market data transmission); Omgeo Letter 
at 11-12 (expressing concern that the definition did not contain a 
reference to the materiality of an intrusion, nor the intrusion's 
impact on markets or market participants); DTCC Letter at 7 
(suggesting that the definition capture only unauthorized entries 
where the SCI entity has reason to believe such entry could 
materially impact its ability to perform its core functions or 
critical operations); Joint SROs Letter at 7 (stating that the 
definition should include only those intrusions that the SCI entity 
reasonably estimated would result in significant harm or loss to 
market participants); FINRA Letter at 18 (arguing that only 
intrusions that have a material impact on the SCI system or a direct 
impact on the market or market participants should be included); and 
OCC Letter at 13 (suggesting, as an alternative to a ``risk-based'' 
approach, that the definition be limited to any unauthorized entry 
into the SCI systems or SCI security systems of an SCI entity, which 
the SCI entity reasonably believes may materially impact its ability 
to perform its core functions or critical operations).
---------------------------------------------------------------------------

    One commenter stated that the proposed definition was overbroad 
because it would include both intentional and unintentional conduct, as 
well as events that have no adverse impact.\434\ Another commenter also 
stated that the definition should be modified to make clear that an 
intrusion that is inadvertent would not qualify as a systems 
intrusion.\435\ This commenter further stated that a systems intrusion 
should be limited to unauthorized access to confidential information or 
to the SCI systems of an SCI entity that materially disrupts the 
operations of such systems.\436\ Another commenter suggested that the 
definition focus on the unauthorized control of the confidentiality, 
integrity, or availability of an SCI system and/or its data.\437\
---------------------------------------------------------------------------

    \434\ See, e.g., BATS Letter at 12.
    \435\ See SIFMA Letter at 11.
    \436\ See id.
    \437\ See NYSE Letter at 15.
---------------------------------------------------------------------------

    Some commenters noted that the proposed definition of systems 
intrusion did not take into account the multi-layered nature of today's 
technology systems. Two commenters stated that the multi-layered 
protections of systems architecture are designed to anticipate 
intrusions into the outer layer without material risk or impact, thus 
intrusions into such a peripheral system should not constitute a 
systems intrusion under the rule.\438\
---------------------------------------------------------------------------

    \438\ See SIFMA Letter at 11; and Omgeo Letter at 12. The 
Commission discusses below the comments that advocated greater 
Commission use of FS-ISAC for reporting systems intrusions.
---------------------------------------------------------------------------

    Several commenters stated that only successful systems intrusions 
should be covered in the definition.\439\ One commenter suggested that 
this concept be made explicit in the rule text by adding the term 
``successful'' to the definition.\440\ Two commenters, while supporting 
the inclusion of only successful systems intrusions in the definition, 
pointed out the value of sharing information regarding unsuccessful 
systems intrusions, stating that this practice already occurs today 
among SCI entities, their regulators, and appropriate law enforcement 
agencies.\441\
---------------------------------------------------------------------------

    \439\ See BIDS Letter at 17; SIFMA Letter at 11; NYSE Letter at 
15; DTCC Letter at 8.
    \440\ See NYSE Letter at 15.
    \441\ See BIDS Letter at 17; and DTCC Letter at 8.
---------------------------------------------------------------------------

    As adopted, Rule 1000 defines ``systems intrusion'' to mean ``any 
unauthorized entry into the SCI systems or indirect SCI systems of an 
SCI entity.'' This definition is intended to cover any unauthorized 
entry into SCI systems or indirect SCI systems, regardless of the 
identity of the person committing the intrusion (whether they are 
outsiders, employees, or agents of the SCI entity), and regardless of 
whether or not the intrusion was part of a cyber attack, potential 
criminal activity, or other unauthorized attempt to retrieve, 
manipulate, or destroy data, or access or disrupt systems of SCI 
entities. Thus, for example, this definition is intended to cover the 
introduction of malware or other attempts to disrupt SCI systems or 
indirect SCI systems provided that such systems were actually breached. 
In addition, the definition is intended to cover unauthorized access, 
whether intentional or inadvertent, by employees or agents of the SCI 
entity that resulted from weaknesses in the SCI entity's access 
controls and/or procedures. In response to comments, the Commission 
emphasizes that the definition of systems intrusion does not include 
unsuccessful attempts at unauthorized entry because an unsuccessful 
systems intrusion is much less likely to disrupt the systems of an SCI 
entity than a successful intrusion. The Commission believes that it is 
unnecessary and redundant to specifically state in the definition of 
systems intrusion that unauthorized entries must be ``successful'' 
because the term ``entry'' incorporates the concept of successfully 
gaining access to an SCI system or indirect SCI system.
    Further, the Commission is not incorporating a materiality 
threshold for the definition of systems intrusion or otherwise limiting 
the definition of systems intrusion to only those systems intrusions 
that are major or significant as requested by some commenters. The 
Commission believes that, even without adopting a materiality 
threshold, the adopted definitions of SCI systems and indirect SCI 
systems further focus the scope of the definition of systems intrusion. 
Further, because any unauthorized entry into an SCI system or indirect 
SCI system is a security breach of which the Commission, having 
responsibility for oversight of the U.S. securities markets, should be 
notified, the Commission is not including a materiality threshold. In 
addition, as discussed below, the requirements of Regulation SCI are 
tiered in a manner that the Commission believes is responsive to 
commenters' concerns regarding the breadth of the definition of systems 
intrusion.\442\ By not including a materiality threshold within the 
definition, SCI entities will be required to assess, take corrective 
action, and keep records of all systems intrusions, some of which may 
initially seem insignificant to an SCI entity, but which may later 
prove to be the cause of significant systems issues at the SCI entity. 
An SCI entity's records of de minimis systems intrusions may also be 
useful to the Commission in that they may, for example, aid the 
Commission in identifying patterns of de minimis systems intrusions 
that together might result in a more impactful SCI event, either at an 
SCI entity or across a group of SCI entities, or circumstances in which 
a systems intrusion causes de minimis systems issues for one particular 
SCI entity but results in significant issues for another SCI entity. 
The Commission also believes that the ability to view de minimis 
systems intrusions in the aggregate and across multiple SCI entities is 
important to allow the Commission and its staff to be able to gather 
information about trends related to such systems intrusions that could 
not otherwise be properly discerned. Information about trends will 
assist the Commission in fulfilling its oversight role by keeping 
Commission staff informed about the nature and frequency of the types 
of de minimis systems intrusions that SCI entities encounter. Moreover, 
information about trends and notifications of de minimis systems 
intrusions generally can also inform the Commission of areas of 
potential weaknesses, or persistent or recurring problems, across SCI 
entities and also should help the Commission better focus on common 
types of systems intrusions or issues with certain types of SCI systems 
across SCI entities. This information also would permit the Commission 
and its staff to issue industry alerts or guidance if appropriate. In 
addition, this information would allow the Commission and its staff to 
review SCI entities' classification of events as de minimis systems 
intrusions.
---------------------------------------------------------------------------

    \442\ See Rule 1002(b)(5) and infra Section IV.B.3.c (discussing 
the Commission notification requirement for SCI events and requiring 
a quarterly summary report for de minimis systems intrusions). See 
also Rule 1002(c)(4) and infra Section IV.B.3.d (discussing 
information dissemination requirement for certain SCI events, but 
excluding de minimis systems intrusions).
---------------------------------------------------------------------------

    The Commission also is not distinguishing between intentional and 
unintentional systems intrusions, as suggested by some commenters.\443\ 
The Commission acknowledges that intentional systems intrusions may 
result in more severe disruptions to the systems of an SCI entity than 
unintentional or inadvertent intrusions. On the other hand, the 
Commission believes that it should be notified of successful 
unintentional or inadvertent systems intrusions because they can still 
indicate weaknesses in a system's security controls. To the extent that 
these systems intrusions have no or a de minimis impact on the SCI 
entity's operations or on market participants, they will only be 
subject to a quarterly reporting requirement and will be excepted from 
the information dissemination requirement.\444\
---------------------------------------------------------------------------

    \443\ See supra notes 434-435 and accompanying text.
    \444\ See Rule 1002(b)(5) and infra Section IV.B.3.c (discussing 
the Commission notification requirement for SCI events and requiring 
a quarterly summary report for de minimis systems intrusions). See 
Rule 1002(c)(4) and infra Section IV.B.3.d (discussing the 
information dissemination requirements for certain SCI events, but 
excluding de minimis systems intrusions).
---------------------------------------------------------------------------

    Additionally, the Commission does not agree that the definition of 
systems intrusion should be limited to unauthorized access to 
confidential information \445\ or should be focused on the unauthorized 
control of the confidentiality, integrity, or availability of an SCI 
system and/or its data \446\ because the Commission believes that these 
modifications would create a definition that would limit the 
Commission's ability to be aware of events that fall outside the 
limited definition that commenters suggested but that could, for 
example, have industry-wide implications. Similarly, with respect to 
the comment that intrusions into a peripheral system should not 
constitute a systems intrusion because the multi-layered protections of 
systems architecture are designed to anticipate intrusions into the 
outer layer and help prevent material risk or impact,\447\ the 
Commission believes that its discussion of indirect SCI systems in 
Section IV.A.2.d above responds to commenters' concerns by explaining 
that systems intrusions into an indirect SCI system could cause or 
increase the likelihood of an SCI event with respect to an SCI system. 
And to the extent a system intrusion occurs with respect to an SCI 
system or indirect SCI system but the SCI entity's multi-layered 
systems architecture helps prevent material risk or impact, the 
Commission notes that de minimis systems intrusions (if such a system 
intrusion was determined to be de minimis) would be subject to less 
frequent Commission reporting requirements and would not be subject to 
the information dissemination requirements.
---------------------------------------------------------------------------

    \445\ See supra note 436 and accompanying text.
    \446\ See supra note 437 and accompanying text.
    \447\ See supra note 438 and accompanying text.
---------------------------------------------------------------------------

B. Obligations of SCI Entities--Rules 1001-1004

    Proposed Rules 1000(b)(1)-(9) are renumbered as adopted Rules 1001-
1004. Adopted Rule 1001 corresponds to proposed Rules 1000(b)(1)-(2) 
and contains the policies and procedures requirements for SCI entities 
with respect to operational capability and the maintenance of fair and 
orderly markets (Rule 1001(a)), systems compliance (Rule 1001(b)), and 
identification and designation of responsible SCI personnel and 
escalation procedures (Rule 1001(c)).\448\ Adopted Rule 1002 
corresponds to proposed Rules 1000(b)(3)-(5) and contains the 
obligations of SCI entities with respect to SCI events, which include 
corrective action, Commission notification, and information 
dissemination. Adopted Rule 1003 corresponds to proposed Rules 
1000(b)(6)-(8) and contains requirements relating to material systems 
changes and SCI reviews. Finally, adopted Rule 1004 corresponds to 
proposed Rule 1000(b)(9) and contains requirements relating to business 
continuity and disaster recovery plan testing, including requiring 
participation of designated members or participants of SCI entities in 
such testing.
---------------------------------------------------------------------------

    \448\ Rule 1001(c), which relates to the triggering standard for 
Rule 1002, is discussed below in Section IV.B.3.a.
---------------------------------------------------------------------------

1. Policies and Procedures To Achieve Capacity, Integrity, Resiliency, 
Availability and Security--Rule 1001(a)
a. Proposed Rule 1000(b)(1)
    Proposed Rule 1000(b)(1) would have required an SCI entity to: (1) 
Establish, maintain, and enforce written policies and procedures 
reasonably designed to ensure that its SCI systems and, for purposes of 
security standards, SCI security systems, have levels of capacity, 
integrity, resiliency, availability, and security, adequate to maintain 
the SCI entity's operational capability and promote the maintenance of 
fair and orderly markets; and (2) include certain required elements in 
such policies and procedures. As proposed, these policies and 
procedures were required to provide for: (A) The establishment of 
reasonable current and future capacity planning estimates; (B) periodic 
capacity stress tests of systems to determine their ability to process 
transactions in an accurate, timely, and efficient manner; (C) a 
program to review and keep current systems development and testing 
methodology; (D) regular reviews and testing of systems, including 
backup systems, to identify vulnerabilities pertaining to internal and 
external threats, physical hazards, and natural or manmade disasters; 
(E) business continuity and disaster recovery plans that include 
maintaining backup and recovery capabilities sufficiently resilient and 
geographically diverse to ensure next business day resumption of 
trading and two-hour resumption of clearance and settlement services 
following a wide-scale disruption; and (F) standards that result in 
systems being designed, developed, tested, maintained, operated, and 
surveilled in a manner that facilitates the successful collection, 
processing, and dissemination of market data.
    Proposed Rule 1000(b)(1)(i) also provided that an SCI entity's 
applicable policies and procedures would be deemed to be reasonably 
designed if they were consistent with ``current SCI industry 
standards.'' Proposed Rule 1000(b)(1)(ii) provided that ``current SCI 
industry standards'' were to be comprised of ``information technology 
practices that are widely available for free to information technology 
professionals in the financial sector . . . and issued by an 
authoritative body that is a U.S. governmental entity or agency, 
association of U.S. governmental entities or agencies, or widely 
recognized organization.'' \449\ The SCI Proposal also included, on 
``Table A,'' a list of publications that the Commission had 
preliminarily identified as examples of current SCI industry standards 
in each of nine information security domains.\450\ The SCI Proposal 
stated that an SCI entity, taking into account its nature, size, 
technology, business model, and other aspects of its business, could, 
but would not be required to, use the publications listed on Table A to 
establish, maintain, and enforce reasonably designed policies and 
procedures that satisfy the requirements of proposed Rule 
1000(b)(1).\451\ The SCI Proposal also stated that ``current SCI 
industry standards'' were not limited to those identified in the 
publications on Table A and could include other publications meeting 
the proposed criteria for ``current SCI industry standards.'' \452\ In 
addition, proposed Rule 1000(b)(1)(ii) stated that compliance with 
``current SCI industry standards'' would not be the exclusive means to 
comply with the requirements of proposed Rule 1000(b)(1).\453\
---------------------------------------------------------------------------

    \449\ See Proposing Release, supra note 13, at 18178.
    \450\ The domains covered in Table A of the SCI Proposal are: 
application controls; capacity planning; computer operations and 
production environment controls; contingency planning; information 
security and networking; audit; outsourcing; physical security; and 
systems development methodology. See id. at 18111.
    \451\ See id. at 18110.
    \452\ See id. at 18110 (stating that an SCI entity could elect 
standards contained in publications other than those identified on 
proposed Table A to comply with the rule).
    \453\ See id. at 18109.
---------------------------------------------------------------------------

b. Comments Received on Proposed Rule 1000(b)(1) and Commission 
Response
i. Policies and Procedures Generally--Rules 1001(a)(1) and (3)
    The Commission received a wide range of comments on proposed Rule 
1000(b)(1). With respect to policies and procedures generally, some 
commenters believed the proposal was too prescriptive.\454\ Several 
characterized it as a ``one-size-fits-all'' approach that did not 
adequately take into account differences between SCI entities and SCI 
entity systems.\455\ Several commenters objecting to the rule as too 
prescriptive urged that the adopted rule incorporate a risk-based 
framework, so that SCI entities and/or systems of greater criticality 
would be required to adhere to a stricter set of policies and 
procedures than SCI entities and/or systems of lesser criticality.\456\ 
These commenters maintained that each SCI entity should have discretion 
to calibrate its policies and procedures based on its own assessment of 
the criticality of the SCI entity and its systems to market stability, 
or that the Commission should ``tier'' the obligations of SCI entities 
or SCI entity systems based on their market function.\457\
---------------------------------------------------------------------------

    \454\ See, e.g., Angel Letter at 2, 8; BIDS Letter at 7; FIF 
Letter at 3-4; Joint SROs Letter at 4; LiquidPoint Letter at 3-4; 
MFA Letter at 3; and SIFMA Letter at 12-13.
    \455\ See, e.g., FIF Letter at 3-4; FINRA Letter at 31; Joint 
SROs Letter at 4; KCG Letter at 2-3, 6-8; Liquidpoint Letter at 3-4; 
MFA Letter at 3; OCC Letter at 3-4; SIFMA Letter at 12-13; UBS 
Letter at 2-4; Tellefsen Letter at 13; and BIDS Letter at 2-3, 6-9.
    \456\ See, e.g., Joint SROs Letter at 4; LiquidPoint Letter at 
3; MFA Letter at 3; and SIFMA Letter at 8, 12-13. See also FIF 
Letter at 4; MSRB Letter at 3; Fidelity Letter at 2; NYSE Letter at 
3, 4, 21; FINRA Letter at 13-14; and OCC Letter at 3.
    \457\ See, e.g., Joint SROs Letter at 4; FINRA Letter at 13-14; 
MSRB Letter at 3; MFA Letter at 6; NYSE Letter at 3, 4, and 21; 
SIFMA Letter at 12-13; FIF Letter at 4; Fidelity Letter at 2; and 
OCC Letter at 3.
---------------------------------------------------------------------------

    In contrast, some commenters stated that the Commission's proposed 
approach was too vague or insufficient.\458\ For example, one commenter 
characterized the minimum elements of policies and procedures in 
proposed Rule 1000(b)(1)(A)-(F) as ``so vague that they will fail to 
provide any meaningful improvement in technological systems.'' \459\ 
Another commenter stated that the proposed scope of required policies 
and procedures was appropriate, but that further elaboration on the 
details was warranted.\460\ One commenter stated that the proposed rule 
lacked adequate discussion of what it means for policies and procedures 
to be reasonably designed ``to maintain . . . operational capability 
and promote the maintenance of fair and orderly markets.'' \461\
---------------------------------------------------------------------------

    \458\ See Better Markets Letter at 3-5; CAST Letter at 4; CISQ 
Letter at 2, 5; CISQ2 Letter at 5; and Direct Edge Letter at 4.
    \459\ See Better Markets Letter at 3.
    \460\ See CISQ Letter at 2.
    \461\ See Direct Edge Letter at 4.
---------------------------------------------------------------------------

    The Commission has carefully considered the views of commenters on 
its proposed policies and procedures approach to ensuring adequate 
capacity, integrity, resiliency, availability, and security of SCI 
systems (and security for indirect SCI systems). The Commission agrees 
with commenters who stated that requiring SCI entities to have policies 
and procedures relating to the capacity, integrity, resiliency, 
availability, and security of SCI systems (and security for indirect 
SCI systems) should not be a ``one-size-fits-all'' approach and, as 
discussed in detail below, is therefore clarifying that the adopted 
rule is consistent with a risk-based approach, as it allows an SCI 
entity's policies and procedures to be tailored to a particular 
system's criticality and risk. As noted above, while some commenters 
characterized the proposed rule as too vague and sought further 
specificity, others found the rule to be too prescriptive. The 
Commission believes that the adopted rule provides an appropriate 
balance between these two opposing concerns by providing a framework 
that identifies the minimum areas that are required to be addressed by 
an SCI entity's policies and procedures without prescribing the 
specific policies and procedures that an SCI entity must follow, or 
detailing how each element in Rule 1001(a)(2) should be addressed. 
Given the various types of systems at SCI entities, each of which 
represents a different level of criticality and risk to each SCI entity 
and to the securities markets more broadly, the adopted rule seeks to 
provide flexibility to SCI entities to design their policies and 
procedures consistent with a risk-based approach, as discussed in 
further detail below. At the same time, because the Commission believes 
that additional guidance on how an SCI entity may comply with the rule 
is warranted in certain areas, the Commission is providing further 
guidance below. In response to comment, the Commission is adopting Rule 
1001(a) with modifications that it believes will better provide SCI 
entities with sufficient flexibility to develop their policies and 
procedures to achieve robust systems, while also providing guidance on 
how an SCI entity may comply with the final rule. Specifically, adopted 
Rule 1001(a) is modified to: (i) Clarify that the rule is consistent 
with a risk-based approach that requires more robust policies and 
procedures for higher-risk systems and provides an SCI entity with 
flexibility to tailor its policies and procedures to the nature of its 
business, technology, and the relative criticality of each of its SCI 
systems; (ii) make clear that an SCI entity's reasonable policies and 
procedures remain subject to ongoing self-assessment; (iii) provide 
increased flexibility in the manner in which an SCI entity may satisfy 
the minimum elements of required policies and procedures; and (iv) 
revise the criteria for ``current SCI industry standards.'' In 
addition, proposed Table A is recharacterized and will be issued as 
staff guidance that will evolve over time.
Response to Commenters Advocating a Risk-Based Approach
    Adopted Rule 1001(a)(1) requires each SCI entity to establish, 
maintain, and enforce written policies and procedures 
reasonably designed to ensure that its SCI systems and, for purposes of 
security standards, indirect SCI systems, have levels of capacity, 
integrity, resiliency, availability, and security, adequate to maintain 
the SCI entity's operational capability and promote the maintenance of 
fair and orderly markets. The text of this part of the rule is largely 
unchanged from the proposal. Although several commenters expressed 
concern that the proposed rule would have imposed a ``one-size-fits-
all'' approach, requiring all SCI entities to hold all of their SCI 
systems to the same standards,\462\ this was not the intent of proposed 
Rule 1000(b)(1), nor is it what adopted Rule 1001(a)(1) requires. By 
requiring an SCI entity to have policies and procedures ``reasonably 
designed'' and ``adequate'' to maintain operational capability and 
promote the maintenance of fair and orderly markets, the adopted rule 
provides an SCI entity with flexibility to determine how to tailor its 
policies and procedures to the nature of its business, technology, and 
the relative criticality of each of its SCI systems.\463\ Although the 
adopted rule does not assign differing obligations to an SCI entity 
based on its registration status, or its general market function, as 
some commenters urged, by allowing each SCI entity to tailor its 
policies and procedures accordingly, the adopted approach recognizes 
that there are differences between, and varying roles played by, 
different systems at various SCI entities. In tandem with the refined 
definition of ``SCI systems,'' the modified definition of ``SCI 
security systems'' (adopted as ``indirect SCI systems''), and the new 
definition of ``critical SCI systems,'' \464\ adopted Rule 1001(a)(1) 
explicitly recognizes that policies and procedures that are 
``reasonably designed'' and ``adequate'' to maintain operational 
capability and promote the maintenance of fair and orderly markets for 
critical SCI systems may differ from those that are ``reasonably 
designed'' and ``adequate'' to maintain operational capability and 
promote the maintenance of fair and orderly markets for other SCI 
systems, or indirect SCI systems. As such, the Commission believes that 
its adopted approach in Regulation SCI is consistent with a risk-based 
approach, and that adopted Regulation SCI may result in the systems of 
certain SCI entities (for example, those that have few or no critical 
SCI systems) generally being subject to less stringent policies and 
procedures than the systems of other SCI entities. Thus, a risk 
assessment is appropriate for an SCI entity to determine how to tailor 
its policies and procedures for its SCI systems and indirect SCI 
systems.
---------------------------------------------------------------------------

    \462\ See supra note 455 and accompanying text.
    \463\ See Proposing Release, supra note 13, at 18109 (stating: 
``The Commission intends to . . . provide SCI entities sufficient 
flexibility, based on the nature, size, technology, business model, 
and other aspects of their business, to identify appropriate 
policies and procedures that would meet the articulated standard, 
namely that they be reasonably designed to ensure that their systems 
have levels of capacity, integrity, resiliency, availability, and 
security adequate to maintain the SCI entity's operational 
capability and promote the maintenance of fair and orderly 
markets.'').
    \464\ As a result of these changes, the adopted rule applies to 
fewer systems than as proposed, and only to those types of systems 
that the Commission believes pose significant risk to market 
integrity if not adequately safeguarded.
---------------------------------------------------------------------------

    The Commission also believes that requiring an SCI entity to tailor 
its policies and procedures so that they are reasonably designed and 
adequate will entail that an SCI entity assess the relative criticality 
and risk of each of its SCI systems and indirect SCI systems. 
Evaluation of the risk posed by any particular SCI system to the SCI 
entity's operational capability and the maintenance of fair and orderly 
markets will be the responsibility of the SCI entity in the first 
instance. The Commission believes this approach will achieve the goal 
of improving Commission review and oversight of U.S. securities market 
infrastructure, but will do so within a more focused framework than as 
proposed. By being subject to requirements for a more targeted set of 
SCI systems, and guided by consideration of the relative risk of each 
of its SCI systems, SCI entities may more easily determine how to 
allocate their resources to achieve compliance with the regulation than 
they would have under the proposed regulation.
    As noted above, one commenter urged the Commission to discuss what 
it means for policies and procedures to be reasonably designed ``to 
maintain . . . operational capability and promote the maintenance of 
fair and orderly markets.'' \465\ This commenter characterized the 
proposed standard of ``maintaining operational capability'' as an 
``introspective standard relevant to the applicable SCI entity,'' and 
the proposed standard of ``promoting the maintenance of fair and 
orderly markets'' as implying ``some incremental responsibility to the 
collective market.'' \466\ The Commission agrees with this commenter's 
characterization and believes that it is appropriate for SCI entities 
to assess the risk of their systems taking into consideration both 
objectives, which are related and complementary.\467\ Specifically, the 
Commission believes that it is important that an SCI entity's policies 
and procedures are reasonably designed to ensure its own operational 
capability, including the ability to maintain effective operations, 
minimize or eliminate the effect of performance degradations, and have 
sufficient backup and recovery capabilities. At the same time, an SCI 
entity's own operational capability can have broader effects and, as 
entities that play a significant role in the U.S. securities markets 
and/or have the potential to impact investors, the overall market, or 
the trading of individual securities,\468\ the Commission believes that 
the policies and procedures should also be reasonably designed to 
promote the maintenance of fair and orderly markets.
---------------------------------------------------------------------------

    \465\ See supra note 461 and accompanying text.
    \466\ See Direct Edge Letter at 4.
    \467\ The Commission notes that the identification of ``critical 
SCI systems'' in Regulation SCI emphasizes that some systems pose 
greater risk than others to the maintenance of fair and orderly 
markets if they malfunction, and that it is appropriate for an SCI 
entity to consider the risk to other SCI entities and market 
participants in the event of a systems malfunction.
    \468\ See supra note 59 and accompanying text.
---------------------------------------------------------------------------

Periodic Review
    Some commenters expressed concern that, when an SCI entity's 
policies and procedures fail to prevent an SCI event, the Commission 
might use such failure as the basis for an enforcement action, charging 
that the policies and procedures were not reasonable.\469\ One 
commenter suggested that the Commission's focus should be on an 
entity's adherence to its own set of policies and procedures, developed 
based on ``experience, annual SCI reviews, and other inputs,'' rather 
than a ``set of generic standards.'' \470\
---------------------------------------------------------------------------

    \469\ See, e.g., BATS Letter at 3-4; Angel Letter at 2; and FSR 
Letter at 5. See also ITG Letter at 14 (stating that no set of 
policies and procedures could guarantee perfect operational 
compliance); and NYSE Letter at 32 (urging inclusion of a good faith 
safe harbor).
    \470\ See FIF Letter at 4.
---------------------------------------------------------------------------

    In response to these comments, the Commission notes that the 
reasonably designed policies and procedures approach taken in adopted 
Rule 1001(a) does not require an entity to guarantee flawless systems. 
But the Commission believes it should be understood to require 
diligence in maintaining a reasonable set of policies and procedures 
that keeps pace with changing technology and circumstances and does not 
become outdated over time. The Commission is therefore adopting a 
requirement for periodic review by an SCI entity of the effectiveness 
of its policies and procedures required by Rule 1001(a), and prompt 
action by the SCI entity to 
remedy deficiencies in such policies and procedures.\471\ An SCI entity 
will not be found to be in violation of this maintenance requirement 
solely because it failed to identify a deficiency in its policies and 
procedures immediately after the deficiency occurred if the SCI entity 
takes prompt action to remedy the deficiency once it is discovered, and 
the SCI entity had otherwise reviewed the effectiveness of its policies 
and procedures and took prompt action to remedy those deficiencies that 
were discovered, as required by Rule 1001(a)(3).
---------------------------------------------------------------------------

    \471\ See Rule 1001(a)(3).
---------------------------------------------------------------------------

    Further, the occurrence of a systems disruption or systems 
intrusion will not necessarily mean that an SCI entity has violated 
Rule 1001(a), or that it will be subject to an enforcement action for 
violation of Regulation SCI. The Commission will exercise its 
discretion to initiate an enforcement action if the Commission 
determines that such action is warranted, based on the particular facts 
and circumstances. While a systems problem may be probative as to the 
reasonableness of an SCI entity's policies and procedures, it is not 
determinative.
ii. Minimum Elements of Reasonable Policies and Procedures--Rule 
1001(a)(2)
    Proposed Rule 1000(b)(1)(i) would have required that an SCI 
entity's policies and procedures provide for, at a minimum: (A) The 
establishment of reasonable current and future capacity planning 
estimates; (B) periodic capacity stress tests of systems to determine 
their ability to process transactions in an accurate, timely, and 
efficient manner; (C) a program to review and keep current systems 
development and testing methodology; (D) regular reviews and testing of 
systems, including backup systems, to identify vulnerabilities 
pertaining to internal and external threats, physical hazards, and 
natural or manmade disasters; (E) business continuity and disaster 
recovery plans that include maintaining backup and recovery 
capabilities sufficiently resilient and geographically diverse to 
ensure next business day resumption of trading and two-hour resumption 
of clearance and settlement services following a wide-scale disruption; 
and (F) standards that result in systems being designed, developed, 
tested, maintained, operated, and surveilled in a manner that 
facilitates the successful collection, processing, and dissemination of 
market data. References to ``systems'' in the proposed rule were to the 
proposed definition of SCI systems, and with respect to security 
standards only, the proposed definition of SCI security systems.
    Adopted Rule 1001(a)(2) includes the items formerly proposed as 
Rules 1001(b)(1)(i)(A)-(F) as renumbered Rules 1001(2)(i)-(vi) and a 
new item (vii), relating to monitoring of SCI systems. Proposed items 
(A), (D), and (E) are revised in certain respects in response to 
comment. In addition, the Commission discusses below each of the 
adopted provisions of Rule 1001(a)(2) in the context of the adopted 
definitions of SCI systems and indirect SCI systems, where 
relevant.\472\
---------------------------------------------------------------------------

    \472\ In particular, the Commission is adopting the language of 
items (B) and (C) as proposed (renumbered as Rule 1001(a)(2)(ii) and 
(iii), respectively) but elaborates on the scope of these 
provisions, as well as the scope of revised item (D) (renumbered as 
Rule 1001(a)(2)(iv)) and in the context of the adopted definitions 
of SCI systems and indirect SCI systems.
---------------------------------------------------------------------------

Capacity Planning
    The SCI Proposal stated that policies and procedures for the 
establishment of reasonable current and future capacity planning 
(proposed item (A)) would help an SCI entity determine its systems' 
ability to process transactions in an accurate, timely, and efficient 
manner, and thereby help ensure market integrity.\473\ One commenter 
expressed support for the requirement in proposed item (A),\474\ and 
another commenter recommended that proposed item (A) be revised to make 
clear that SCI entity capacity planning estimates apply to ``technology 
infrastructure'' capacity, as opposed to capacity with respect to non-
technology infrastructure of an SCI entity.\475\ Because the Commission 
intended proposed item (A) to relate to capacity planning for SCI 
systems, rather than capacity planning more broadly (for example, in 
relation to an SCI entity's office space), the Commission is including 
this suggested clarification in adopted Rule 1001(a)(2)(i), and thus 
requires that an SCI entity's policies and procedures include the 
establishment of reasonable current and future technology 
infrastructure capacity planning estimates.
---------------------------------------------------------------------------

    \473\ See Proposing Release, supra note 13, at 18107.
    \474\ See MSRB Letter at 9.
    \475\ See DTCC Letter at 14-15. The Commission also received 
comments in regard to capacity planning as it relates to proposed 
industry standards on the capacity planning domain set out in 
proposed Table A. See, e.g., infra note 580 and accompanying text.
---------------------------------------------------------------------------

Stress Testing
    A few commenters raised concerns about proposed item (B), which 
required periodic capacity stress tests.\476\ Some of these commenters 
urged that the adopted rule provide an SCI entity with flexibility to 
determine, using a risk-based assessment, when capacity stress tests 
are appropriate.\477\ Others suggested that capacity stress tests be 
required in specified circumstances or time frames, such as when new 
capabilities are released into production,\478\ whenever required 
system capacity increases by 10 percent, on a quarterly basis, or in 
conjunction with any material systems change.\479\ One commenter 
suggested that SCI entities should supplement dynamic stress and load 
testing with static analysis, a technique used to help uncover 
structural weaknesses in software.\480\ In proposing item (B), the 
Commission intended for SCI entities to engage in a careful risk-based 
assessment (as suggested by some commenters) \481\ of its SCI systems 
to determine when to stress test its systems.\482\ Rule 1001(a)(2)(ii), 
as adopted, affords SCI entities the flexibility to consider the 
factors suggested by commenters, as appropriate for their specific 
systems and circumstances.\483\ The adopted rule does not prescribe a 
particular frequency or trigger for stress testing, however, because 
the Commission believes that, in light of the variability in SCI 
systems, an SCI entity's experience with its particular systems 
and assessment of risk in this area will dictate when capacity stress 
testing is warranted. The requirement for periodic capacity stress 
tests of systems to determine their ability to process transactions in 
an accurate, timely, and efficient manner is therefore adopted as 
proposed as Rule 1001(a)(2)(ii).
---------------------------------------------------------------------------

    \476\ See, e.g., CISQ Letter at 5; DTCC Letter at 14; Lauer 
Letter at 6; MSRB Letter at 9; OCC Letter at 10; and SIFMA Letter at 
12.
    \477\ See DTCC Letter at 14; and OCC Letter at 10. See also 
SIFMA Letter at 12 (suggesting that periodic capacity monitoring 
would be more appropriate and cost-effective than periodic capacity 
stress testing).
    \478\ See MSRB Letter at 9.
    \479\ See Lauer Letter at 6.
    \480\ See CISQ Letter at 5. See also infra notes 491, 497, and 498 
and accompanying text (further discussing this comment and 
the commenter's views on the value of assessing the structural 
quality of software).
    \481\ See supra note 477 and accompanying text.
    \482\ In response to the commenter that suggested periodic 
capacity monitoring would be more appropriate and cost-effective 
than periodic capacity stress testing, see supra note 477 and 
accompanying text, the Commission believes that such monitoring is 
appropriate and may play an important role in an SCI entity's 
assessing when to stress test its systems. However, the Commission 
continues to believe that stress testing is necessary to help an SCI 
entity determine its systems' ability to process transactions in an 
accurate, timely, and efficient manner, and thereby help ensure 
market integrity. See Proposing Release, supra note 13, at 18107. 
While monitoring may be a cost-effective method to determine when a 
stress test is warranted, the Commission does not believe monitoring 
alone will be an effective substitute for stress testing, which, 
unlike monitoring, is designed to challenge systems capacity.
    \483\ See supra notes 478-479 and accompanying text.
---------------------------------------------------------------------------

Systems Development and Testing Methodology
    In the SCI Proposal, the Commission explained that proposed item 
(C), which would require SCI entities to have policies and procedures 
for a ``program to review and keep current systems development and 
testing methodology,'' would help an SCI entity monitor and maintain 
systems capacity and availability.\484\ The Commission is adopting the 
language of this item as proposed as Rule 1001(a)(2)(iii).
---------------------------------------------------------------------------

    \484\ See Proposing Release, supra note 13, at 18107.
---------------------------------------------------------------------------

    Two commenters supported this requirement as proposed.\485\ Another 
commenter argued that sufficient controls were in place with respect to 
production systems, as proposed, and therefore that separate policies 
and procedures specifically for the development and testing environment 
would be unnecessary and duplicative.\486\ This commenter added that, 
if development and testing systems were not excluded from the 
definition of SCI systems altogether, then the policies and procedures 
requirements regarding systems development and testing methodology 
should not apply separately to these environments. The Commission 
agrees with this comment, and believes it logically follows that 
policies and procedures requiring a program to review and keep current 
systems development and testing methodology for SCI systems, and 
indirect SCI systems, as applicable, are important if development and 
testing systems are excluded from the definition of SCI systems, as 
they are under the adopted regulation.\487\ An SCI entity's systems 
development and testing methodology is a core part of the systems 
development life cycle for any SCI system. Therefore, the Commission 
believes that if an SCI entity did not have a program to review and 
keep current systems development and testing methodology for SCI 
systems, and indirect SCI systems, as applicable, its ability to assess 
the capacity, integrity, reliability, availability and security of its 
SCI systems and indirect SCI systems, as applicable, would be 
undermined. In complying with this adopted requirement, an SCI entity 
may wish to consider how closely its testing environment simulates its 
production environment; whether it designs, tests, installs, operates, 
and changes SCI systems through use of appropriate development, 
acquisition, and testing controls by the SCI entity and/or its third-
party service providers, as applicable; whether it identifies and 
corrects problems detected in the development and testing stages; 
whether it verifies change implementation in the production stage; 
whether development and test environments are segregated from SCI 
systems in production; and whether SCI entity personnel have adequately 
segregated roles between the development and/or test environment, and 
the production environment.
---------------------------------------------------------------------------

    \485\ See CISQ Letter at 2; and MSRB Letter at 9.
    \486\ See FINRA Letter at 12.
    \487\ See supra Section IV.A.2.b (discussing the definition of 
``SCI systems''). Because development and testing systems are not 
part of the adopted definition of ``SCI systems,'' systems issues 
with regard to development and testing systems would not be subject 
to the requirements of adopted Rule 1002 relating to corrective 
action, Commission notification, and dissemination of information on 
SCI events; or Rule 1003(a) regarding notification of systems 
changes.
---------------------------------------------------------------------------

Reviews of SCI Systems and Indirect SCI Systems
    The SCI Proposal explained that proposed item (D), which would have 
required an SCI entity to establish, maintain, and enforce policies and 
procedures to review and test regularly SCI systems (and SCI security 
systems, as applicable), including backup systems, to identify 
vulnerabilities pertaining to internal and external threats, physical 
hazards, and natural or manmade disasters, would assist an SCI entity 
in ascertaining whether such systems are and remain sufficiently secure 
and resilient.\488\ Proposed item (D) garnered a range of comments. 
Some commenters addressing this item focused on internal SCI entity 
testing,\489\ whereas others focused more broadly on industry-wide 
testing and testing of backup systems.\490\
---------------------------------------------------------------------------

    \488\ See Proposing Release, supra note 13, at 18107.
    \489\ See, e.g., CAST Letter at 4; CISQ Letter at 3-7; FIA PTG 
Letter at 4; Lauer Letter at 6; and MSRB Letter at 10.
    \490\ See, e.g., Angel Letter at 2; CoreOne Letter at 3-5; DTCC 
Letter at 13; FIA PTG Letter at 2; FIX Letter at 1-2; Tradebook 
Letter at 1-4; UBS Letter at 4; and CISQ Letter at 6. See also infra 
Section IV.B.6 (discussing adopted Rule 1004, requiring business 
continuity and disaster recovery testing, including required 
participation of designated members or participants of SCI entities 
in such testing).
---------------------------------------------------------------------------

    With respect to comments on internal testing, one commenter 
suggested that the proposed requirement be expanded beyond testing to 
cover a range of ``quality assurance activities'' with each release of 
software into production.\491\ Two commenters advocated for requiring 
an SCI entity to focus on identifying structural deficiencies, which 
they stated pose much greater risks than functional deficiencies.\492\ 
A few commenters urged that groups independent of the team that 
designed and developed the systems should be involved in testing to 
offer a diverse perspective.\493\ One of these commenters further 
suggested that enforcement of the policies governing development and 
testing activities should be conducted by a ``process audit'' role that 
evaluates compliance with policies, provides guidance to development 
and testing teams on how to comply, and reports on compliance to senior 
management.\494\
---------------------------------------------------------------------------

    \491\ See CISQ Letter at 3-7 (encouraging the Commission to 
require quality assurance activities other than testing, including 
that an SCI entity evaluate and measure the structural quality of 
its SCI systems because ``the attributes of an SCI system most 
critically affecting its capacity, integrity, resiliency, 
availability, and security are predominantly structural 
(engineering) rather than functional (correctness)'').
    \492\ See CAST Letter at 4; and CISQ Letter at 3-7.
    \493\ See, e.g., CISQ Letter at 7; and Lauer Letter at 6.
    \494\ See CISQ Letter at 7. This commenter further recommended 
that such process audits be conducted at least annually for each SCI 
system, and more often for SCI systems with operational problems, a 
record of non-compliance, or those being developed, tested, or 
operated by an inexperienced staff, and stated that process auditors 
who perform a mentoring role to software teams have proven a cost-
effective mechanism for on-the-job training.
---------------------------------------------------------------------------

    After careful consideration of the comments, the Commission is 
adopting this provision with modifications as Rule 1001(a)(2)(iv). 
Specifically, adopted Rule 1001(a)(2)(iv) requires an SCI entity's 
reasonably designed policies and procedures to include ``[r]egular 
reviews and testing, as applicable, of [its SCI systems and, for 
purposes of security standards, indirect SCI systems], including backup 
systems, to identify vulnerabilities pertaining to internal and 
external threats, physical hazards, and natural or manmade disasters.''
    As adopted, this provision will afford an SCI entity greater 
flexibility, through the addition of the phrase ``as applicable,'' to 
determine how to identify vulnerabilities pertaining to internal and 
external threats, physical hazards, and natural or manmade disasters. 
Specifically, the adopted rule replaces the proposed rule's requirement 
that an SCI entity conduct ``regular reviews and testing'' of relevant 
systems (including backup systems) with a more flexible requirement 
that an SCI entity conduct ``regular reviews and 
testing, as applicable'' of relevant systems, including backup systems. 
In response to some commenters' concerns that the proposed requirement 
focused too much on regular testing and not enough on other methods to 
assess systems operation,\495\ the adopted rule provides an SCI entity 
the flexibility to determine an assessment methodology that would be 
most appropriate for a given system, or particular functionality of a 
system. Thus, consistent with commenters' views, the adopted provision 
does not specifically require both regular reviews and regular testing 
in connection with an SCI entity's identification of vulnerabilities. 
Instead, the provision requires reviews or testing (or both) to occur 
as applicable, so long as the approach is effective to identify 
vulnerabilities in SCI systems, and indirect SCI systems, as 
applicable.
---------------------------------------------------------------------------

    \495\ See supra notes 491-492 and accompanying text.
---------------------------------------------------------------------------

    While Rule 1001(a)(2)(iv) specifically identifies reviews and 
testing as means to identify vulnerabilities pertaining to internal and 
external threats, physical hazards, and natural or manmade disasters, 
it does not dictate the precise manner or frequency of reviews and 
testing, and does not prohibit an SCI entity from determining that 
there are methods other than reviews and testing that may be effective 
in identifying vulnerabilities. For example, reviews and testing would 
each be one of the methods that an SCI entity could employ, and each 
SCI entity would be able to determine which method(s) are most 
appropriate for each SCI system (or indirect SCI system, as applicable) 
or particular functionality of a given system, as well as the frequency 
with which such method(s) should be employed.\496\ In addition, in 
response to commenters advocating that SCI entities should focus on 
identifying structural vulnerabilities or weaknesses,\497\ an SCI 
entity may also find it useful to conduct reviews of its software and 
systems architecture and design to assess whether they have flaws or 
dependencies that constitute structural risks that could pose a threat 
to SCI systems' operational capability.\498\ Likewise, an inspection by 
an SCI entity of its physical premises may be a method of assessing 
some of the vulnerabilities listed in the rule (such as physical 
hazards).
---------------------------------------------------------------------------

    \496\ Rule 1001(a)(2)(iv) would also permit an SCI entity to 
engage personnel independent of the team that designed and developed 
the systems in testing, or to employ a process audit role, to comply 
with this requirement, as some commenters suggested. See supra notes 
493-494 and accompanying text. Like other methods of review and 
testing, such engagements could identify vulnerabilities in a number 
of ways, such as through assessments of the SCI entity's compliance 
with applicable standards, its risk management and control 
framework, or its use of resources.
    In response to the comment suggesting that process audits be 
conducted at least annually for each SCI system, and more often for 
SCI systems with operational problems, a record of non-compliance, 
or those being developed, tested, or operated by an inexperienced 
staff, the Commission notes that Rule 1001(a)(2)(iv) does not 
specify the precise manner or frequency of reviews and tests. 
Rather, Rule 1001(a)(2)(iv) provides flexibility to an SCI entity in 
determining the precise manner and frequency of reviews and/or 
tests. For example, an SCI entity could determine that, in order for 
its policies and procedures to be reasonably designed, as required 
by Rule 1001(a), its policies and procedures should provide that 
process audits be conducted at least annually for some SCI systems, 
and more frequently for certain other SCI systems.
    \497\ See supra note 492 and accompanying text.
    \498\ As noted by one commenter, static analysis could be a 
technique SCI entities could choose to utilize to help uncover 
structural weaknesses in software. See supra note 480 and 
accompanying text.
---------------------------------------------------------------------------

Business Continuity and Disaster Recovery
    Proposed item (E) would have required an SCI entity to have 
business continuity and disaster recovery plans that include 
maintaining backup and recovery capabilities sufficiently resilient and 
geographically diverse to ensure next business day resumption of 
trading and two-hour resumption of clearance and settlement services 
following a wide-scale disruption. The Commission received significant 
comment on this aspect of the proposal, with several commenters 
questioning or challenging the principle that securities market 
infrastructure resilience is achieved by requiring both geographic 
diversity and specific recovery times for the backup and recovery 
capabilities of all SCI entities.\499\ Although several commenters were 
supportive of the broad goals of the proposed requirement,\500\ others 
maintained that, because the national market system has built-in 
redundancies, the proposed geographic diversity and resumption 
requirements need not apply to all SCI entities to ensure securities 
market resilience.\501\ Some of these commenters urged that the 
specific redundancy requirement implicit in the proposed geographic 
diversity provision should apply to a more limited set of SCI 
entities.\502\ In addition, some commenters stated that proposed time 
frames were too inflexible.\503\
---------------------------------------------------------------------------

    \499\ See, e.g., BIDS Letter at 8; FIA PTG Letter at 4; FIF 
Letter at 3; Group One Letter at 2-3; KCG Letter at 6-8, 11-14; 
FINRA Letter at 35-36; Angel Letter at 12; and ITG Letter at 15.
    \500\ See Direct Edge Letter at 4; FINRA Letter at 35; ISE 
Letter at 2; and MSRB Letter at 10.
    \501\ See, e.g., BIDS Letter at 8; FIA PTG Letter at 4; FIF 
Letter at 3; Group One Letter at 2-3; and KCG Letter at 6-8, 11-14. 
According to these commenters, because of the ease with which market 
participants are able to shift their order flow when there is an 
issue at one or more markets, the proposed requirements are 
burdensome and unnecessary. See also Angel Letter at 12 (stating 
that, if an exchange experiences an issue, other exchanges have more 
than enough capacity to handle the trading volume, and suggesting 
that it is not necessary for each exchange to have totally redundant 
backup facilities if the market network as a whole has sufficient 
capacity).
    \502\ See, e.g., FIA PTG Letter at 4. See also supra note 53 and 
accompanying text.
    \503\ See, e.g., SIFMA Letter at 13; and Joint SROs Letter at 
17.
---------------------------------------------------------------------------

    The Commission has carefully considered commenters' views and is 
revising this provision from the proposal to: (i) Specify that the 
stated recovery timeframes in Regulation SCI are goals, rather than 
inflexible requirements; \504\ and (ii) provide that the stated two-
hour recovery goal applies to critical SCI systems generally. In 
addition, the Commission is adopting the geographic diversity 
requirement, which does not specify any minimum distance for an SCI 
entity's backup and recovery facilities, as proposed. As explained 
below, the Commission continues to believe that geographic diversity of 
physical facilities is an important component of every SCI entity's BC/
DR plan.
---------------------------------------------------------------------------

    \504\ See Interagency Paper on Sound Practices to Strengthen the 
Resilience of the U.S. Financial Systems, Securities Exchange Act 
Release No. 47638 (April 7, 2003), 68 FR 17809, 17812 (April 11, 
2003) (``Interagency White Paper''), stating: ``Recovery-time 
objectives provide concrete goals to plan for and test against. They 
should not be regarded as hard and fast deadlines that must be met 
in every emergency situation;'' and 2003 Policy Statement on 
Business Continuity Planning for Trading Markets, Securities 
Exchange Act Release No. 48545 (September 25, 2003), 68 FR 56656, 
56658 (October 1, 2003) (``2003 BCP Policy Statement''), stating: 
``Consistent with the approach taken in the Interagency Paper, the 
next-day resumption objective should provide a concrete goal to plan 
for and test against. This should not be regarded as a hard and fast 
deadline that must be met in every emergency situation.''
---------------------------------------------------------------------------

Recovery Timeframes as Goals
    Several commenters addressing proposed item (E) focused their 
comments specifically on the proposed recovery timeframes.\505\ A few 
commenters that are clearing agencies specifically expressed concern 
about the proposed requirement for the two-hour resumption of clearance 
and settlement services, urging that the two-hour standard be a goal 
rather than a requirement.\506\ One commenter noted
that the ``Interagency White Paper itself recognizes that `various 
external factors surrounding a disruption such as time of day, scope of 
disruption, and status of critical infrastructure--particularly 
telecommunications can affect actual recovery times,' and concludes 
that `[r]ecovery-time objectives provide concrete goals to plan for and 
test against . . . they should not be regarded as hard and fast 
deadlines that must be met in every emergency situation.' '' \507\ 
Several commenters suggested that SCI entities generally be given more 
discretion to decide when to resume trading following a wide-scale 
disruption.\508\ Other commenters stated more broadly that the proposed 
recovery timeframes were too rigid and inconsistent with the 
Interagency White Paper and the 2003 BCP Policy Statement.\509\ Other 
commenters similarly noted that it might be in the public interest and 
consistent with the protection of investors and the maintenance of fair 
and orderly markets for the markets to remain closed following a wide-
scale disruption.\510\
---------------------------------------------------------------------------

    \505\ See, e.g., SIFMA Letter at 3, 13, 18; KCG Letter at 11-12; 
DTCC Letter at 15; OCC Letter at 9-10; Omgeo Letter at 27-28; Angel 
Letter at 16-17; Direct Edge Letter at 4-5; ISE Letter at 2-5; Joint 
SROs Letter at 16-17; FINRA Letter at 36; MSRB Letter at 10; 
Tellefsen Letter at 6; and Group One Letter at 2.
    \506\ See DTCC Letter at 15 (``[P]roposed Rule 1000(b)(1)(i)(E) 
has made what is currently a target within the 2003 Interagency 
White Paper that clearing and settling services be resumed within 2 
hours of a disruption into a requirement that may not be attainable 
in all circumstances. . . .''); OCC Letter at 9-10 (``While a two-
hour recovery time objective is a laudable goal . . . current 
guidelines remain appropriate to recover and resume clearing and 
settlement activities within the business day on which the 
disruption occurs, with the overall aspiration of achieving recovery 
and resumption within two hours''); and Omgeo Letter at 27-28 
(``While Omgeo agrees that SCI entities should be required to 
rapidly recover from a wide-scale disruption and resume operations 
to avoid disrupting the critical markets beyond a single business 
day, it is unreasonable to require these operations to be resumed 
within two hours.'').
    \507\ See Omgeo Letter at 27-28.
    \508\ See Angel Letter at 16-17; Direct Edge Letter at 4-5; ISE 
Letter at 2; Joint SROs Letter at 16-17; and Group One Letter at 2.
    \509\ See SIFMA Letter at 13 (noting that the Interagency White 
Paper recommends that ``core clearing and settlement organizations 
develop the capacity to recover and resume clearing and settlement 
activities within the business day on which the disruption occurs 
with the overall goal of achieving recovery and resumption within 
two hours after an event.''). See also Joint SROs Letter at 17 (noting 
that the 2003 BCP Policy Statement, supra note 504, provides that 
rapid recovery should not be regarded as a hard and fast deadline 
that must be met in every emergency situation).
    \510\ See, e.g., Angel Letter at 16-17; Direct Edge Letter at 4-
5, 9; ISE Letter at 2-5; and Joint SROs Letter at 16-17.
---------------------------------------------------------------------------

    In response to comments that the proposed two-hour recovery time 
frame was too inflexible,\511\ the Commission is eliminating the 
proposed requirement that an SCI entity must ``ensure'' next business 
day resumption of trading and two-hour resumption of clearance and 
settlement services following a wide-scale disruption. The Commission 
acknowledges that a hard and fast resumption timeframe may not be 
achievable in each and every case, given the variety of disruptions 
that potentially could arise and pose challenges even for well-designed 
business continuity and disaster recovery. For this reason, the 
Commission is revising the proposed requirement by replacing it with a 
requirement that an SCI entity have policies and procedures that 
include ``business continuity and disaster recovery plans that include 
maintaining backup and recovery capabilities sufficiently resilient and 
geographically diverse and that are reasonably designed to achieve next 
business day resumption of trading and two-hour resumption of critical 
SCI systems following a wide-scale disruption.'' Replacement of the 
phrase ``to ensure'' with the phrase ``reasonably designed to achieve'' 
means that Regulation SCI's enumerated recovery timeframes are concrete 
goals, consistent with the Interagency White Paper and 2003 BCP Policy 
Statement.\512\ As such, the rule's specified recovery timeframes are 
the standards against which the reasonableness of business continuity 
and disaster recovery (``BC/DR'') plans will be assessed by the 
Commission and its inspection staff. Moreover, as recovery goals, 
rather than hard and fast deadlines, the enumerated time frames in the 
rule will continue to allow for SCI entities to account for the 
specific facts and circumstances that arise in a given scenario to 
determine whether it is appropriate to resume a system's operation 
following a wide-scale disruption.
---------------------------------------------------------------------------

    \511\ See supra notes 506-510 and accompanying text.
    \512\ See Interagency White Paper, supra note 504, at 17812-13, 
and the 2003 BCP Policy Statement, supra note 504, at 56658.
---------------------------------------------------------------------------

Recovery Timeframe Distinctions
    In the SCI Proposal, the Commission solicited comment on whether 
the proposed next business day resumption of trading following a wide-
scale disruption and proposed two-hour resumption of clearance and 
settlement services following a wide-scale disruption were 
appropriate.\513\ The Commission also solicited comment on whether it 
should consider revising the proposed next business day resumption 
requirement for trading to a shorter period for certain entities that 
play a significant role within the securities markets.\514\ One 
commenter stated that it agreed with imposing more stringent 
requirements for resumption of clearance and settlement services than 
for trading services following a wide-scale disruption.\515\ However, 
this commenter also urged more broadly that the Commission take into 
account the criticality of the functions performed by an SCI entity to 
the maintenance of fair and orderly markets in order to tailor the 
obligations of the rule more effectively.\516\ According to this 
commenter, ``[n]otification and remediation requirements . . . should 
be tailored to the time sensitivity of each of the functions performed, 
not applied uniformly across all activities of an SCI entity.'' This 
commenter identified ``highly critical functions'' as including the 
primary listing exchanges, trading of securities on an exclusive basis, 
securities information processors, clearance and settlement agencies, 
distribution of unique post-trade transparency information, and real-
time market surveillance, and urged the Commission to ``leverage the 
best practices of the Interagency White Paper, and expand them to 
include the [highly] critical functions. . . .'' \517\ Other commenters 
also urged the Commission to consider the criticality of SCI systems 
functionality and tailor requirements accordingly.\518\ One
commenter noted that the August 2013 Nasdaq SIP outage revealed each of 
SIAC and Nasdaq (in their roles as plan processors) as a potential 
``single point of failure'' in the national market system, and 
specifically urged improved backup capabilities for these systems.\519\ 
Another commenter, in the context of questioning the need for all 
markets to have geographically diverse backups, acknowledged that 
specific redundancy might be appropriate in certain areas, such as 
where an instrument is traded only on one exchange or in the case of a 
primary market during the open and closing periods of the market.\520\
---------------------------------------------------------------------------

    \513\ See Proposing Release, supra note 13, at 18112, question 
73.
    \514\ See id. at 18112, question 76.
    \515\ See SIFMA Letter at 12-13. Specifically, this commenter 
noted that the Interagency White Paper, supra note 504, 
distinguishes between ``core clearing and settlement organizations'' 
and firms that play ``significant roles in the financial markets'' 
and recommended that the Commission continue to distinguish between 
SCI entities that are responsible for the highly critical function 
of centralized counterparties (e.g., clearing agencies registered 
with the Commission) and SCI entities that are not.
    \516\ See SIFMA Letter at 4.
    \517\ See id. at 4, 18. SIFMA also listed the distribution of 
unique post-trade transparency information and real-time market 
surveillance as highly critical functions. While such systems are 
not specifically identified in the first prong of the definition of 
critical SCI systems (as are SCI systems that directly support 
functionality relating to: (1) Clearance and settlement systems of 
clearing agencies; (2) openings, reopenings, and closings on the 
primary listing market; (3) trading halts; (4) initial public 
offerings; (5) the provision of consolidated market data; or (6) 
exclusively-listed securities), the Commission notes that systems 
that provide functionality to the securities markets for which the 
availability of alternatives is significantly limited or nonexistent 
and without which there would be a material impact on fair and 
orderly markets are considered critical SCI systems under its second 
prong. See supra Section IV.A.2.c (discussing the definition of 
``critical SCI systems'').
    \518\ See, e.g., KCG Letter at 8, 13-14 (suggesting that 
proposed item (E) apply only to SCI entities that perform critical, 
unique functions in the market), and at 5 (stating ``when critical 
services are provided, additional heightened regulatory 
requirements, as proposed in Regulation SCI, may be appropriate''). 
See also UBS Letter at 3 (urging the Commission to take into 
consideration the difference between ``interruptions of activities 
that hold significant implications for the National Market System'' 
and ``low criticality activities [that] are much more manageable and 
localized in impact . . . because market participants are not 
directly touched or are equipped to quickly route around the 
problem''). According to this commenter, activities that hold such 
significant implications would include: ``disruption at primary 
exchange during [the] open/close, [a] problem with protected quote 
data, [an] outage at listing exchange during [an] IPO, [and] SIP 
data disruptions.''
    \519\ See Angel Letter 2 at 3-4.
    \520\ See FIA PTG Letter at 4.
---------------------------------------------------------------------------

    The Commission has carefully considered these comments and believes 
they support revising the proposed rule to provide that the two-hour 
recovery goal specified in the adopted rule, as the standard against 
which BC/DR plans are to be assessed, should apply not only to 
``clearance and settlement services,'' but more generally to the 
functions performed by critical SCI systems. Given that the securities 
markets are dependent upon the reliable operation of critical SCI 
systems, the Commission believes it is reasonable to distinguish the 
two-hour and next-business day recovery goals in a manner consistent 
with other provisions of adopted Regulation SCI: Specifically, to have 
the shorter recovery goal apply to critical SCI systems, and the longer 
recovery goal apply to resumption of trading by non-critical SCI 
systems. The Commission also notes that, because the proposed recovery 
timeframes are being adopted as concrete goals that the policies and 
procedures must be reasonably designed to achieve, rather than hard and 
fast requirements, the adopted approach is somewhat more flexible than 
that proposed. Accordingly, adopted Rule 1001(a)(2)(v) holds BC/DR 
plans for critical SCI systems (as defined in Rule 1000) to a higher 
standard than BC/DR plans for resumption of trading operations more 
generally. Specifically, an SCI entity responsible for a given critical 
SCI system will be expected to design BC/DR plans that contemplate 
resumption of critical SCI system functionality to meet a recovery goal 
of two hours or less. The Commission believes that this approach is 
consistent with the broader risk-based approach urged by 
commenters.\521\ The Commission also believes that its approach to 
holding critical SCI systems to stricter resiliency standards than 
other systems is an appropriate measure that responds not only to 
comments received, but also to recent events highlighting the effects 
of malfunctions in critical SCI systems.\522\
---------------------------------------------------------------------------

    \521\ See supra notes 53-57 and accompanying text (summarizing 
commenters' recommendations with regard to adopting a risk-based 
approach generally).
    \522\ See supra Section II.B (discussing recent systems issues, 
including a systems problem that resulted in certain exclusively-
listed securities being unable to trade for over three hours, and a 
systems problem affecting the SIP that halted trading in all Nasdaq-
listed securities for more than three hours).
---------------------------------------------------------------------------

    Two commenters requested clarification on the expectations for 
resumption of SCI systems that are not related to trading, clearance, 
or settlement.\523\ In response to this comment, the Commission notes 
that the adopted definition of SCI systems has been refined from the 
proposed definition of SCI systems and that all SCI systems could be 
considered to be ``related to'' trading. However, systems that directly 
support market regulation and/or market surveillance will not be held 
to the resumption goals of Rule 1001(a)(2)(v) (unless they are critical 
SCI systems) because the Commission believes that the resumption of 
trading and critical SCI systems could occur following a wide-scale 
disruption without the immediate availability of market regulation and/
or market surveillance systems (unless they are critical SCI systems). 
However, systems that directly support trading, order routing, and 
market data would be subject to the next-business day resumption goal, 
unless they are also critical SCI systems, in which case they would be 
subject to the two-hour resumption goal.
---------------------------------------------------------------------------

    \523\ See FINRA Letter at 36; and MSRB Letter at 10.
---------------------------------------------------------------------------

    One commenter questioned what the expectations are with respect to 
next-day resumption if an SCI entity loses functionality towards the 
end of the trading day.\524\ In response to this comment, the 
Commission notes that neither the next-business day resumption of 
trading goal nor the two-hour recovery goal for critical SCI systems is 
dependent on the time of day that the loss of functionality occurs. 
Consistent with the Interagency White Paper and 2003 BCP Policy 
Statement, however, the Commission acknowledges that the time of day of 
a disruption can affect actual recovery times.\525\ The Commission 
believes it is important, particularly with respect to clearing 
agencies, that SCI entities endeavor to take all steps necessary to 
effectuate end of day settlement.
---------------------------------------------------------------------------

    \524\ See Tellefsen Letter at 6.
    \525\ See Interagency White Paper, supra note 504, at 17812, and 
the 2003 BCP Policy Statement, supra note 504, at 56658.
---------------------------------------------------------------------------

Geographic Diversity To Ensure Resilience
    Several commenters addressing proposed item (E) expressed concern 
about the proposed geographic diversity requirement.\526\ Some 
commenters cited a reluctance on the part of SCI entity members or 
participants to incur the cost or assume the risk of connecting to a 
backup site that would only be used infrequently.\527\ In addition, 
some commenters cited concerns, such as challenges to market makers 
generating quotes, if a backup site did not have the same low latency 
as the primary site.\528\ One of these commenters suggested that 
allowing other fully operational exchanges to fill in and perform the 
duties of an exchange experiencing an outage would offer the advantages 
of continued operation on tested systems and the introduction of fewer 
variables.\529\ Another of these commenters argued that, in many 
respects, the goal of resilient and redundant markets is already in 
place due to the existence of multiple competing and interconnected 
venues, operating as a collective system under Regulation NMS.\530\
---------------------------------------------------------------------------

    \526\ See, e.g., KCG Letter at 13; FIA PTG Letter at 3-4; Group 
One Letter at 2-3; ISE Letter at 2-5; BIDS Letter at 8; and ITG 
Letter at 15.
    \527\ See KCG Letter at 13; FIA PTG Letter at 3-4; and Group One 
Letter at 2-3.
    \528\ See KCG Letter at 13; and FIA PTG Letter at 3-4.
    \529\ See Group One Letter at 2-3.
    \530\ See FIA PTG Letter at 4. See also Angel 2 Letter at 3.
---------------------------------------------------------------------------

    One commenter agreed that it is a best business practice for a 
market to have backup disaster recovery facilities and robust BC/DR 
plans, but stated that ``significant geographic diversity'' should not 
be an absolute requirement, because a wide-scale disruption in New 
York or Chicago would make next day resumption difficult, even with a 
geographically diverse backup.\531\ This commenter noted that the more 
remote the backup, the more difficult it would be to staff such a 
facility, and even more so in a surprise disaster, unless the backup 
was fully staffed at all times.\532\ Several commenters also argued 
that SCI entities that are ATSs are less critical to market stability, 
and therefore
should be subject to less stringent geographic diversity and recovery 
requirements.\533\ One commenter suggested eliminating the reference to 
``geographic diversity'' in favor of requiring ``comprehensive business 
continuity and disaster recovery plans with recovery time objectives of 
the next business day for trading and two hours for clearance and 
settlement,'' and emphasizing as guidance that geographic diversity of 
physical facilities would be an expected component of any such 
plan.\534\
---------------------------------------------------------------------------

    \531\ See ISE Letter at 2-5.
    \532\ See id.
    \533\ See BIDS Letter at 8; FIA PTG Letter at 4; ITG Letter at 
15; and KCG Letter at 8, 13. These commenters believed that the 
proposed geographic diversity requirements are burdensome and 
unnecessary because of the ease with which market participants are 
able to shift their order flow when there is an issue at one or more 
markets. In addition, two commenters argued that, because ATSs are 
subject to FINRA regulations with respect to BC/DR plans, further 
regulation would be redundant and unnecessary. See ITG Letter at 15; 
and OTC Markets Letter at 9.
    \534\ See Direct Edge Letter at 4.
---------------------------------------------------------------------------

    The Commission has carefully considered commenters' views on the 
proposed geographic diversity requirement and continues to believe that 
geographic diversity of physical facilities is an important component 
of every SCI entity's BC/DR plan.\535\ The Commission believes that 
challenges to recovery are increased when a disruption impacts a broad 
geographic area, and therefore that an SCI entity's arrangements to 
assure resilience in the event of a wide-scale disruption cannot 
reliably be achieved without geographic diversity of its BC/DR 
resources.\536\ The Commission does not agree with commenters who 
argued that the existence of multiple competing and interconnected 
venues operating as a collective system under Regulation NMS obviates 
the need for geographic diversity at the individual SCI entity 
level.\537\ For example, a wide-scale disruption, such as a natural 
disaster or man-made attack, could affect a large number of SCI 
entities, and absent individual SCI entity responsibility for 
maintaining geographic diversity, there could be a greater likelihood 
that a critical mass of SCI entities would not be operational, so that 
the continued maintenance of fair and orderly markets could be 
impacted. The Commission notes that some of the practical difficulties 
commenters cited as the basis for objecting to a backup site 
requirement, such as the cost and operational risk of maintaining a 
redundant connection to an SCI entity backup facility that would be 
used infrequently, are concerns raised on behalf of SCI entity members 
and participants.\538\ In response to commenters who expressed concern 
regarding the cost for members or participants to co-locate their 
systems at backup sites to replicate the speed and efficiency of the 
primary site, the Commission emphasizes that adopted Rule 1001(a)(2)(v) 
does not require an SCI entity to require members or participants to 
use the backup facility in the same way it uses the primary facility. 
Rather, the assessment of the effectiveness of a BC/DR plan that 
includes geographically diverse backup facilities is whether it is 
reasonably designed to achieve next business day resumption of trading 
and two-hour resumption of critical SCI systems following a wide-scale 
disruption.
---------------------------------------------------------------------------

    \535\ The Commission's view is consistent with the 2003 BCP 
Policy Statement. See 2003 BCP Policy Statement, supra note 504, at 
56658. See also infra Section VI.C.2.b (discussing the benefits of 
geographic diversity).
    \536\ See, e.g., 2003 BCP Policy Statement, supra note 504, at 
56657 (stating that a critical ``lesson learned'' from the events of 
September 11, 2001 is the need for more rigorous business continuity 
planning in the financial sector to address problems of wider 
geographic scope and longer duration than those previously 
addressed).
    \537\ See supra notes 530 and 533 and accompanying text.
    \538\ See infra Section IV.B.6 (discussing SCI entity BC/DR 
testing requirements for members or participants).
---------------------------------------------------------------------------

    In response to comments that geographic diversity should be 
encouraged but not required for all SCI entities, the Commission does 
not believe that it would be appropriate to eliminate the proposed 
requirement that SCI entities maintain geographically diverse backup 
and recovery capabilities (which the Commission understands many SCI 
entities already have) because, as stated, absent individual SCI entity 
responsibility for maintaining geographic diversity, there could be a 
greater likelihood that a critical mass of SCI entities would not be 
operational following a wide-scale disruption. In response to comment 
that ATSs are less critical to market stability, and therefore should 
be subject to less stringent geographic diversity and recovery 
requirements, the Commission notes that ATSs that do not have critical 
SCI systems will be subject to less stringent geographic diversity and 
recovery requirements than SCI entities that do.\539\ However, because 
the Commission believes that SCI ATSs have the potential to 
significantly impact investors, the overall market, and the trading of 
individual securities as a result of an SCI event, the Commission 
believes that these entities are appropriate for inclusion in the 
definition of SCI entity and for the application of the geographic 
diversity requirement.\540\
---------------------------------------------------------------------------

    \539\ In addition, in response to commenters who argued that, 
because ATSs are subject to FINRA regulations with respect to BC/DR 
plans further regulation would be redundant and unnecessary (see 
supra note 533), the Commission notes that FINRA Rule 4370 generally 
requires that a member maintain a written continuity plan 
identifying procedures relating to an emergency or significant 
business disruption. Unlike Regulation SCI, however, the FINRA rule 
does not include the requirement that the business continuity and 
disaster recovery plans be reasonably designed to achieve next 
business day resumption of trading and two-hour resumption of 
critical SCI systems following a wide-scale disruption, nor does it 
require the functional and performance testing and coordination of 
industry or sector-testing of such plans, which the Commission 
believes to be instrumental in achieving the goals of Regulation SCI 
with respect to SCI entities. See also supra note 115.
    \540\ See supra notes 107-109 and accompanying text.
---------------------------------------------------------------------------

    Like the proposed rule, the adopted rule does not specify any 
particular minimum distance or geographic location that would be 
necessary to achieve geographic diversity.\541\ However, as stated in 
the SCI Proposal, the Commission continues to believe that backup sites 
should not rely on the same infrastructure components, such as for 
transportation, telecommunications, water supply, and electric 
power.\542\ The Commission also continues to believe that an SCI entity 
should have a reasonable degree of flexibility to determine the precise 
nature and location of its backup site depending on the particular 
vulnerabilities associated with those sites, and the nature, size, 
technology, business model, and other aspects of its business.\543\ 
In response to comment that a geographically diverse backup facility is 
impractical if key personnel do not live sufficiently close to the 
backup facility, the Commission notes that adopted Regulation SCI does 
not require an SCI entity to have a geographically diverse backup 
facility so distant from the primary facility that the SCI entity may 
not rely primarily on the same labor pool to staff both facilities if 
it believed it to be appropriate.\544\ Given that the Commission did 
not propose a specified minimum distance to achieve geographic 
diversity, the Commission believes that the geographic diversity 
requirement is reasonable and appropriate for all SCI entities. The 
geographic diversity requirement is therefore adopted as proposed.
---------------------------------------------------------------------------

    \541\ See Proposing Release, supra note 13, at 18108, n. 182 and 
accompanying text.
    \542\ See id.
    \543\ See id.
    \544\ An SCI entity with critical SCI systems subject to a two-hour 
recovery goal may, however, find it prudent to establish back-up 
facilities a significant distance away from their primary sites, 
or otherwise address the risk that a wide-scale disruption could 
impact either or both of the sites and their labor pool. See 
Interagency White Paper, supra note 504, at 17813.
---------------------------------------------------------------------------

    In sum, the Commission believes that adopted Rule 1001(a)(2)(v), 
requiring an SCI entity to have business continuity and disaster 
recovery plans that include maintaining backup and recovery 
capabilities sufficiently resilient and geographically diverse and that 
are reasonably designed to achieve next business day resumption of 
trading and two-hour resumption of critical SCI systems following a 
wide-scale disruption, is consistent with, and builds upon, both the 
Interagency White Paper and the 2003 BCP Policy Statement by applying 
their principles to SCI entities in today's trading environment, one 
with a heavy reliance on technological infrastructure. The Commission 
believes that individual SCI entity resilience is fundamental to 
achieving the goal of improving U.S. securities market infrastructure 
resilience.

Robust Standards for Market Data
    Proposed item (F), requiring an SCI entity to have standards that 
result in systems being designed, developed, tested, maintained, 
operated, and surveilled in a manner that facilitates the successful 
collection, processing, and dissemination of market data, received 
little comment. One commenter supported the proposed requirement, 
subject to further clarification about what constitutes market 
data.\545\ Another commenter believed that this proposed requirement is 
redundant because SROs and other market participants are already 
subject to substantial requirements for market data.\546\
---------------------------------------------------------------------------

    \545\ See MSRB Letter at 8.
    \546\ See Angel Letter at 19.
---------------------------------------------------------------------------

    While consolidated market data is collected and distributed 
pursuant to a variety of Exchange Act rules and joint industry 
plans,\547\ the Commission does not believe that existing requirements 
have the same focus on ensuring the operational capability of the 
systems for collecting, processing, and disseminating market data. 
Thus, the Commission believes that this provision, while consistent 
with existing rules, acts as a complement to such requirements and is 
not redundant. Further, as explained above, the term ``market data'' is 
not intended to include only consolidated market data, but proprietary 
market data as well and, as such, SCI systems directly supporting 
proprietary market data or consolidated market data are subject to the 
requirements of item (F). As stated in the SCI Proposal, the Commission 
believes that the accurate, timely, and efficient processing of data is 
important to the proper functioning of the securities markets. The 
Commission continues to believe that it is important that each SCI 
entity's market data systems are reasonably designed to maintain market 
integrity and that the proposed requirement would facilitate that 
goal.\548\ This element, requiring that an SCI entity's policies and 
procedures include standards that result in systems being designed, 
developed, tested, maintained, operated, and surveilled in a manner 
that facilitates the successful collection, processing, and 
dissemination of market data, is adopted as proposed, as Rule 
1001(a)(2)(vi).
---------------------------------------------------------------------------

    \547\ See, e.g., Rules 601-604 of Regulation NMS and Rule 
301(b)(3) of Regulation ATS. See also supra Section IV.A.1.c 
(discussing definition of plan processor) and Concept Release on 
Equity Market Structure, supra note 4, at 3600 (discussing various 
rules and requirements relating to consolidated market data).
    \548\ See Proposing Release, supra note 13, at 18108.
---------------------------------------------------------------------------

Monitoring
    The Commission is adopting an additional provision, designated as 
Rule 1001(a)(2)(vii), that requires an SCI entity's policies and 
procedures to provide for monitoring of SCI systems, and, for purposes 
of security standards, indirect SCI systems, to identify potential SCI 
events. Several commenters argued that Regulation SCI should allow 
entities to adopt and follow escalation procedures instead of providing 
that obligations under Regulation SCI are triggered by one employee's 
awareness of a systems issue.\549\ The Commission is modifying 
Regulation SCI in three respects in response to these comments: 
revising the definition of responsible SCI personnel to focus on senior 
managers; requiring that an SCI entity have policies and procedures to 
identify, designate, and escalate potential SCI events to responsible 
SCI personnel; and explicitly requiring policies and procedures for 
monitoring.\550\ The requirement that an SCI entity have policies and 
procedures to provide for monitoring of SCI systems and, for purposes 
of security standards, indirect SCI systems, is added to make explicit 
that escalation of a systems problem should occur not only if a systems 
problem is identified by chance, but rather that an SCI entity should 
have a monitoring process in place so that systems problems are able to 
be identified as a matter of standard operations and pursuant to 
parameters reasonably established by the SCI entity. In addition, the 
Commission believes that the reliability of escalation of potential SCI 
events to designated responsible SCI personnel for determination as to 
whether they are, in fact, SCI events is likely to be more effective 
when it occurs in connection with established procedures for monitoring 
of SCI systems and indirect SCI systems and pursuant to a process for 
the communication of systems problems by those who are not responsible 
SCI personnel to those who are. The Commission notes that several 
commenters discussed the role that technology staff play in monitoring 
and identifying potential systems problems and escalating issues up the 
chain of command to management as well as legal and/or compliance 
personnel. Although systems monitoring may already be routine in many 
SCI entities, there are expected benefits of monitoring and thus it is 
appropriate to require an SCI entity's policies and procedures to 
provide for monitoring of SCI systems, and, for purposes of security 
standards, indirect SCI systems, to identify potential SCI events. The 
Commission believes that monitoring in tandem with escalation to 
responsible SCI personnel is an appropriate approach to ensuring SCI 
compliance. As noted, the requirement that an SCI entity have policies 
and procedures for monitoring provides an SCI entity with flexibility 
to establish parameters that define the types of systems problems to 
which technology personnel should be alert, as well as the frequency 
and duration of monitoring. The Commission also believes this 
requirement is consistent with a risk-based approach, and that an SCI 
entity's policies and procedures for monitoring may be tailored to the 
relative criticality of SCI systems, with critical SCI systems likely 
to be subject to relatively more rigorous policies and procedures for 
monitoring than other SCI systems.
---------------------------------------------------------------------------

    \549\ See, e.g., OCC Letter at 12; FINRA Letter at 25-26; Omgeo 
Letter at 13; FIF Letter at 5; and NYSE Letter at 19-20. See also 
infra notes 758-761 and accompanying text (discussing comments on 
the proposed ``becomes aware'' standard).
    \550\ See infra Section IV.B.3.a (discussing the Commission's 
determination to further focus the definition of ``responsible SCI 
personnel'').
---------------------------------------------------------------------------

iii. Policies and Procedures Consistent With ``Current SCI Industry 
Standards''--Rule 1001(a)(4)
    Proposed Rule 1000(b)(1)(ii) stated that an SCI entity's policies 
and procedures would be deemed to be reasonably designed if they are 
consistent with ``current SCI industry standards,'' such as those 
listed on proposed Table A. ``Current SCI industry standards'' were not 
limited to those listed on proposed Table A, but 
were proposed to be required to be: (A) Comprised of information 
technology practices that are widely available for free to information 
technology professionals in the financial sector; and (B) issued by an 
authoritative body that is a U.S. governmental entity or agency, 
association of U.S. governmental entities or agencies, or widely 
recognized organization. The rule further stated that ``compliance with 
such current SCI industry standards . . . shall not be the exclusive 
means to comply with the requirements of paragraph (b)(1).''
    The goal of proposed Rule 1000(b)(1)(ii) was to provide guidance to 
SCI entities on policies and procedures that would meet the articulated 
standard of being ``reasonably designed to ensure that their systems 
have levels of capacity, integrity, resiliency, availability, and 
security, adequate to maintain their operational capability and promote 
the maintenance of fair and orderly markets.'' The proposal sought to 
provide this guidance by identifying example information technology 
publications describing processes, guidelines, frameworks, and/or 
standards that SCI entities could elect to look to in developing their 
policies and procedures. Proposed Table A set forth an example of one 
set of technology publications that the Commission preliminarily 
believed was an appropriate set of reference documents. The SCI 
Proposal acknowledged that ``current SCI industry standards'' would not 
be limited to the publications identified on proposed Table A. As such, 
an SCI entity's choice of a current SCI industry standard in a given 
domain or subcategory thereof could appropriately be different from 
those contained in the publications identified in proposed Table 
A.\551\ Many commenters, however, objected to the proposed objective 
criteria for reference publications, and/or one or more of the specific 
publications listed on proposed Table A. The Commission has carefully 
considered commenters' views and is adopting Rule 1000(b)(1)(ii), 
renumbered as Rule 1001(a)(4), with certain modifications as described 
below.
---------------------------------------------------------------------------

    \551\ See Proposing Release, supra note 13, at 18109.
---------------------------------------------------------------------------

Criteria for Identifying SCI Industry Standards: Comments Received and 
Commission Response
    Some commenters disagreed with the Commission's proposal to require 
SCI industry standards to be ``comprised of information technology 
practices that are widely available for free to information technology 
professionals in the financial sector.'' Several commenters argued that 
there were significant disadvantages to requiring that standards be 
available free of charge.\552\ One of these commenters stated that 
requiring standards to be available for free ``may encourage SCI 
entities to use standards that may be outdated when more suitable 
standards may be available and would be more appropriate.'' \553\ 
Another of these commenters stated that ``the cost or lack thereof of a 
technology standard or standard framework has no bearing on the quality 
or appropriateness of such standard or framework and bears no 
significance to the maintenance of fair and orderly markets.'' \554\
---------------------------------------------------------------------------

    \552\ See ANSI Letter at 1; DTCC Letter at 15; OCC Letter at 9; 
Omgeo Letter at 33-34; and X9 Letter at 1.
    \553\ See OCC Letter at 9.
    \554\ See Omgeo Letter at 33 (noting also that the proposed 
criteria would eliminate appropriate standards such as ITIL and ISO 
27000).
---------------------------------------------------------------------------

    Two standard setting organizations commented regarding the use of 
consensus standards, citing OMB Circular No. A-119, which directs 
agencies to use voluntary consensus standards (i.e., standards 
developed by professional standards organizations), and urged the 
Commission to eliminate the requirement that SCI industry standards be 
``available for free.'' \555\ Another commenter similarly urged that it 
was important for SCI entities to use publications generated by 
professional organizations that regularly update their standards and 
employ open processes for gathering industry input.\556\
---------------------------------------------------------------------------

    \555\ See ANSI Letter at 1; and X9 Letter at 1.
    \556\ See CISQ2 Letter at 6. See also Angel Letter at 8 
(suggesting that the proposed criteria could potentially result in 
the creation of race-to-the-bottom standards organizations that 
establish lax standards).
---------------------------------------------------------------------------

    The Commission agrees that the cost or lack thereof of a technology 
standard or standard framework has no bearing on the quality or 
appropriateness of such standard, and also that SCI entities should be 
encouraged to use appropriate standards developed by professional 
organizations that regularly update their standards and employ open 
processes for gathering industry input. While the Commission did not 
propose to require that particular standards be used, in response to 
comment, the Commission is adopting Rule 1001(a)(4) without the 
criterion in the SCI Proposal that a technology standard be available 
free of charge. The other criteria are adopted as proposed. Thus, to 
qualify as an ``SCI industry standard,'' a publication must be 
comprised of information technology practices that are widely available 
to information technology professionals in the financial sector and 
issued by an authoritative body that is a U.S. governmental entity or 
agency, association of U.S. governmental entities or agencies, or 
widely recognized organization. The Commission believes that this 
criterion is sufficiently flexible to include technology practices 
issued by professional organizations, including the professional 
organizations referenced by commenters.\557\
---------------------------------------------------------------------------

    \557\ See infra notes 583-601 and accompanying text. The 
Commission expresses no view, however, on any particular publication 
that is not specifically identified in infra notes 584-601, or 
standards that remain in development (e.g., a standard being drafted 
by AT 9000) (see infra note 601 and accompanying text).
---------------------------------------------------------------------------

Proposed Table A: Comments Received
    The SCI Proposal stated that written policies and procedures that 
are consistent with the relevant examples of SCI industry standards 
contained in the publications identified in Table A would be deemed to 
be ``reasonably designed'' for purposes of proposed Rule 
1000(b)(1).\558\ Proposed Table A listed publications covering nine 
inspection areas, or ``domains,'' that Commission staff historically 
has evaluated under the ARP Inspection Program.\559\
---------------------------------------------------------------------------

    \558\ See Proposing Release, supra note 13, at 18109.
    \559\ See id.
---------------------------------------------------------------------------

    Proposed Table A elicited significant and varied comment. Some 
commenters objected generally to the Table A framework.\560\ Others 
objected more specifically to Table A's proposed content,\561\ and some 
commenters objected to Table A as a premature attempt to establish 
consensus on SCI industry standards where consensus has not yet 
emerged.\562\
---------------------------------------------------------------------------

    \560\ See, e.g., Angel Letter at 8-9; BATS Letter at 6-7; BIDS 
Letter at 7; Direct Edge Letter at 2; Joint SROs Letter at 4; MSRB 
Letter at 11-12; and NYSE Letter at 20-21.
    \561\ See, e.g., Angel Letter at 8-9; BATS Letter at 6-7; FIF 
Letter at 3-4; ISE Letter at 11-12; CAST Letter at 10; MSRB Letter 
at 11-12; DTCC Letter at 15; FINRA Letter at 31; Omgeo Letter at 33; 
CISQ Letter at 1-2; OCC Letter at 9; Lauer Letter at 5-7; BIDS 
Letter at 7; and Liquidnet Letter at 3-4.
    \562\ See, e.g., FIF Letter at 3-4; Liquidnet Letter at 3-4; UBS 
Letter at 7; and ISE Letter at 11-12.
---------------------------------------------------------------------------

Table A Framework and Process

    One group of commenters suggested that, in lieu of the publications 
identified in Table A, the Commission should characterize policies and 
procedures as reasonably designed if they comply with ``generally 
accepted standards.'' \563\ Another commenter similarly suggested that 
the Commission replace the proposed rule's reference to ``current SCI 
industry standards'' with 
the phrase ``generally accepted technology principles,'' and delete 
Table A and the proposed Table A criteria.\564\ These commenters viewed 
proposed Table A as flawed in concept.\565\ Specifically, one of these 
commenters expressed concern that the standards set forth in Table A 
might not keep pace with a constantly evolving technological landscape 
and that, despite this evolution, Commission staff might take a 
checklist approach to its review of policies and procedures, which 
would result in unintended consequences.\566\
---------------------------------------------------------------------------

    \563\ See Joint SROs Letter at 4.
    \564\ See NYSE Letter at 20-21.
    \565\ See Joint SROs Letter at 4; and NYSE Letter at 20.
    \566\ See Joint SROs Letter at 4. Other commenters similarly 
expressed concern that SCI entities would closely adhere to the 
publications listed in Table A (even though the SCI Proposal 
specified that such adherence would not be the exclusive means to 
comply with the requirements of proposed Rule 1000(b)(1)), rather 
than take advantage of the flexibility built into the proposed rule 
out of concern that if they did not, they would expose themselves to 
potential regulatory action for failure to comply with Regulation 
SCI. See, e.g., MSRB Letter at 11; Angel Letter at 8; BATS Letter at 
6; and NYSE Letter at 20-21.
---------------------------------------------------------------------------

    The other commenter stated that it was more common, and more 
appropriate in any industry that relies heavily on technology, for an 
entity to review a variety of different standards for frameworks or 
best practices, and then adopt a derivative of multiple standards, 
customizing them for the systems at issue.\567\ According to this 
commenter, SCI entities would be unlikely to comply with all aspects of 
any particular standard in Table A at any particular time, thereby 
``obviating its usefulness.'' \568\
---------------------------------------------------------------------------

    \567\ See NYSE Letter at 20.
    \568\ See id.
---------------------------------------------------------------------------

    Other commenters argued that the Table A concept was flawed because 
Table A would always be on the verge of being outdated. For example, 
one commenter characterized the proposed Table A publications as 
``soon-to-be outdated'' and stated that it is crucial that SCI entity 
policies and procedures be ``forward-looking'' and able to respond to 
future threats.\569\ Another commenter stated that the proposed process 
for updating Table A \570\ would not be sufficiently nimble to assure 
that SCI entities adhere to the best possible then-current standards, 
and suggested that the Commission defer to the expertise of the 
organizations that have established the listed standards and rely on 
the updates provided by these organizations.\571\ Another commenter 
stated that any ``hard coded'' solutions are likely to become obsolete 
very quickly.\572\
---------------------------------------------------------------------------

    \569\ See id. See also ISE Letter at 10 (stating that the 
standards listed in Table A are not the most current or appropriate 
standards). See also infra notes 577-578 and accompanying text.
    \570\ In the SCI Proposal, the Commission stated that it 
``preliminarily believes that, following its initial identification 
of one set of SCI industry standards . . . it would be appropriate 
for Commission staff, from time to time, to issue notices to update 
the list of previously identified set of SCI industry standards 
after receiving appropriate input from interested persons. . . . 
However, until such time as Commission staff were to update the 
identified set of SCI industry standards, the then-current set of 
SCI industry standards would be the [relevant] standards. . . .'' 
Proposing Release, supra note 13, at 18111.
    \571\ See MSRB Letter at 11-12.
    \572\ See Direct Edge Letter at 2.
---------------------------------------------------------------------------

    After careful consideration of these comments, the Commission 
acknowledges that the proposed framework for identifying and updating 
publications on Table A may not be sufficiently nimble to assure that 
its list of publications does not become obsolete as technology and 
standards change. The Commission agrees that, in an industry that 
relies heavily on technologies that are constantly evolving, the 
prescription of hard-coded solutions that may become quickly outdated 
is not the better approach. However, because several commenters stated 
that there is currently a lack of consensus on what constitutes 
generally accepted standards or principles in the securities 
industry,\573\ the Commission continues to believe that there is value 
in identifying example publications for SCI entities to consider 
looking to in establishing policies and procedures that are consistent 
with ``current SCI industry standards.'' \574\
---------------------------------------------------------------------------

    \573\ See supra note 633 and accompanying text.
    \574\ See Rule 1001(a)(4), which states: ``For purposes of 
[complying with Rule 1001(a)], such policies and procedures shall be 
deemed to be reasonably designed if they are consistent with current 
SCI industry standards, which shall be comprised of information 
technology practices that are widely available to information 
technology professionals in the financial sector and issued by an 
authoritative body that is a U.S. governmental entity or agency, 
association of U.S. governmental entities or agencies, or widely 
recognized organization. Compliance with such current SCI industry 
standards, however, shall not be the exclusive means to comply with 
[Rule 1001(a)].''
---------------------------------------------------------------------------

    After considering the potential disadvantages of ``hard-coding'' 
Table A in a Commission release, and the potential benefits of 
providing further guidance to SCI entities on the meaning of ``current 
SCI industry standards,'' the Commission has determined that, rather 
than the Commission issuing Table A in this release, Commission staff 
should issue guidance to assist SCI entities in developing policies and 
procedures consistent with ``current SCI industry standards'' in a 
manner that is consistent with the Commission's response to comments 
received on proposed Table A, as discussed in this Section 
IV.B.1.b.iii, and periodically update such guidance as appropriate. The 
Commission believes that guidance issued by the Commission staff will 
have the advantage of easier updating and allow for emerging consensus 
on standards more focused on the securities industry. Thus, concurrent 
with the Commission's adoption of Regulation SCI, Commission staff is 
issuing guidance to SCI entities on developing policies and procedures 
consistent with ``current SCI industry standards.'' \575\
---------------------------------------------------------------------------

    \575\ Staff Guidance on Current SCI Industry Standards will be 
available on the Commission's Web site at: www.sec.gov.
---------------------------------------------------------------------------

Table A Publications

    Many commenters who did not urge elimination of Table A altogether 
addressed the content of proposed Table A. Those commenters did not 
express opposition to the identification of certain inspection areas or 
domains on proposed Table A, but some commenters identified issues with 
specific publications listed on Table A.\576\ Specifically, two 
commenters stated that the NIST publication listed for the Systems 
Development Methodology domain was outdated.\577\ One of these 
commenters objected to this publication as reflecting a burdensome 
staged process to software development that favors the ``waterfall 
methodology'' over ``agile'' software development, which generally uses 
more ``nimble processes'' and is more typical in the financial services 
industry today.\578\ Another commenter noted that this publication had 
both strengths and weaknesses.\579\ Two commenters objected to the 
FFIEC's Operations IT Examination Handbook in the capacity planning 
domain as too generic.\580\ One commenter objected to the inclusion of 
FFIEC's Audit IT Examination Handbook.\581\ Another commenter stated 
more broadly that the proposed Table A publications focus too heavily 
on firm-level risks and do not take into account the technological and 
economic stability of the U.S. market as a whole.\582\
---------------------------------------------------------------------------

    \576\ See, e.g., Angel Letter at 9; BATS Letter at 6-7; FIF 
Letter at 3-4; and ISE Letter at 10.
    \577\ See BATS Letter at 6; and ISE Letter at 10 (objecting to 
the inclusion of NIST Security Considerations in the System 
Development Life Cycle (Special Publication 800-64 Rev. 2) as a 
suitable ``current SCI industry standard'' in the systems 
development methodology domain).
    \578\ See BATS Letter at 6-7.
    \579\ See CISQ2 Letter at 4-5 (stating that NIST Special 
Publication 800-64, Rev. 2 and any derivative standard should ``be 
reviewed and if necessary revised by a panel of industry 
practitioners and technical experts to balance the requirement for 
rigor with the amount of practices and documentation specified in 
the standard'').
    \580\ See ISE Letter at 10; and FIF Letter at 3-4 (both 
described this publication as setting forth a process for conducting 
capacity planning).
    \581\ See ISE Letter at 10.
    \582\ See Angel Letter at 9.
---------------------------------------------------------------------------

    In addition, several commenters suggested specific additions to the 
proposed list of publications on Table A.\583\ For example, more than 
one commenter suggested the following standards as appropriate for 
inclusion on Table A: COBIT/ISACA; \584\ ISO-27000; \585\ ISO 25000; 
\586\ and NFPA-1600.\587\ Other standards or publications mentioned by 
commenters as useful, particularly in the area of software quality or 
software security, include the CISQ Software Quality 
Specification,\588\ the Capability Maturity Model Integration (CMMI) 
framework,\589\ ``SANS 20 Critical Security Controls,'' \590\ 
``CWE/SANS Top 25 Most Dangerous Software Errors,'' \591\ the Open Source 
Security Testing Methodology Manual (OSSTMM),\592\ the BITS Financial 
Services Roundtable Software Assurance Framework (January 2012),\593\ 
the ``Build Security In Maturity Model'' (BSIMM),\594\ Microsoft's 
SDL,\595\ and resources for defining secure software development 
practices from organizations such as OWASP, WASC and SAFECode,\596\ and 
publications issued by Scrum Alliance,\597\ the Association for 
Software Testing (AST),\598\ the Institute of Electrical and 
Electronics Engineers (IEEE),\599\ and the Association for Computing 
Machinery (ACM).\600\ In addition, one commenter suggested a standard 
currently being drafted by AT 9000, a working group which focuses on 
trading safety, regulatory requirements, and achieving efficiency and 
effectiveness of systems involved in automated trading.\601\
---------------------------------------------------------------------------

    \583\ See, e.g., CAST Letter; ISE Letter; MSRB Letter; DTCC 
Letter; FINRA Letter; Omgeo Letter; CISQ2 Letter; OCC Letter; BIDS 
Letter; Liquidnet Letter; and X9 Letter.
    \584\ See CAST Letter at 10; ISE Letter at 11; and MSRB Letter 
at 11. COBIT (formerly known as Control Objectives for Information 
and related Technology) is an enterprise information technology 
governance framework developed by ISACA (formerly known as the 
Information Systems Audit and Control Association).
    \585\ See DTCC Letter at 15; ISE Letter at 11; FINRA Letter at 
31; and Omgeo Letter at 33. FINRA recommended ISO-27000 series 
because it provides ``greater specificity'' and may be ``less 
burdensome'' than the standards identified in proposed Table A. ISE 
and DTCC recommended ISO 27000 specifically for application 
controls, information security and networking, and physical security 
controls. Omgeo stated more broadly that it models aspects of its 
program on widely accepted international standards and frameworks 
such as ITIL and ISO 27000.
    \586\ See CAST Letter and CISQ2 Letter. CAST suggested 
supplementing the SCI industry standards with standards that address 
development, as well as standards that pertain to structural 
software quality, such as ISO 25010 and CISQ Software Quality 
Specification. See CAST Letter at 5. CISQ2 agreed that standards 
addressing structural software quality are needed and suggested 
including CISQ Specification for Automated Quality Characteristic 
Measures: CISQ-TR-2012-01 in Table A. CISQ also pointed to the 
Capability Maturity Model Integration (CMMI) as another potential 
option, noting that it was the most widely adopted process standard 
for rigorous software development practices. See CISQ2 Letter at 3-4.
    \587\ See OCC Letter at 9; and ISE Letter at 11. ISE also 
specifically recommended BS 25999 as an alternative contingency 
planning standard.
    \588\ See CAST Letter at 5; and CISQ Letter at 1.
    \589\ See CAST Letter at 10.
    \590\ See FIF Letter at 4.
    \591\ See id.
    \592\ See Lauer Letter at 5-7.
    \593\ See BIDS Letter at 7.
    \594\ See id.
    \595\ See id.
    \596\ See id.
    \597\ See Liquidnet Letter at 4.
    \598\ See id.
    \599\ See id.
    \600\ See id.
    \601\ See X9 Letter at 2.
---------------------------------------------------------------------------

    A few commenters opposed referencing standards in Regulation SCI at 
the outset and instead supported establishing a process that they 
believed would, after a certain period of time, yield a coherent set of 
standards.\602\ One of these commenters urged that best practices 
should evolve from the Commission's experience with the annual SCI 
review process and experience with the ARP program, because such best 
practices will be specific to the securities industry and reflect the 
actual practices of SCI entities.\603\ Finally, several commenters 
suggested that the Commission establish a working group to develop SCI 
industry standards.\604\
---------------------------------------------------------------------------

    \602\ See, e.g., FIF Letter at 4, 6; Liquidnet Letter at 3; UBS 
Letter at 7; and ISE Letter at 11.
    \603\ See FIF Letter at 4, 6.
    \604\ See, e.g., Liquidnet Letter at 3 (urging that a working 
group consisting of regulators, industry participants (from 
exchanges, ATSs and broker-dealers) and security and controls 
experts be established to develop a security and controls framework 
for the industry). See also UBS Letter at 7 (urging the Commission 
to convene a ``cross-industry, multi-disciplinary Working Group'' to 
be responsible for developing recommendations for appropriate 
standards); and ISE Letter at 11 (recommending that the Commission 
authorize SCI entities to establish a standards committee to review 
and recommend specific sets of standards). See also CISQ Letter at 
2, 6 (supporting the Table A approach but also seeing value in 
tailoring existing standards from professional organizations into an 
industry-specific set of standards for SCI entities).
---------------------------------------------------------------------------

    The Commission has carefully considered these comments, and 
continues to believe that there is value in identifying publications 
for SCI entities to consider looking to in establishing reasonable 
policies and procedures, because doing so will provide guidance on how 
an SCI entity may comply with adopted Rule 1001(a). The Commission 
therefore believes that issuance of staff guidance that does this, as 
discussed above, will be useful for SCI entities. However, after 
careful consideration of commenters' views regarding the publications 
on proposed Table A, the Commission believes it is useful to 
characterize how such staff guidance should be used by SCI entities. In 
particular, the Commission understands that some commenters who 
objected to the proposed Table A concept and/or the proposed Table A 
content were more broadly taking issue with the characterization of 
certain of the documents on proposed Table A, such as the NIST 800-53 
document, as a ``standard,'' rather than a ``framework'' or a 
``process.'' \605\ The Commission believes that many commenters 
implicitly were questioning why certain identified technology 
frameworks (such as NIST 800-53) were being labeled as, and thereby 
elevated to, an example of ``current SCI industry standards'' when many 
SCI entities were already following ISO 27000, COBIT, or other 
technology standards that they viewed as more specific, relevant, and/or 
cost effective than the NIST frameworks identified on proposed Table 
A.\606\ In response to these comments, the Commission believes it is 
appropriate that the staff's guidance be characterized as listing 
examples of publications describing processes, guidelines, frameworks, 
or standards for an SCI entity to consider looking to in developing 
reasonable policies and procedures, rather than strictly as listing 
industry standards. Thus, the Commission believes it is appropriate if 
Commission staff were to list publications that provide guidance to SCI 
entities on suitable processes for developing, documenting, and 
implementing policies and procedures for their SCI systems (and 
indirect SCI systems, as applicable), taking into account the 
criticality of each such system.
---------------------------------------------------------------------------

    \605\ The Commission also notes that this point was made by a 
member of the third panel at the Cybersecurity Roundtable, supra 
note 39. See also FINRA Letter at 31.
    \606\ See supra notes 577-601 and accompanying text.
---------------------------------------------------------------------------

    With respect to the publications commenters suggested for inclusion 
on proposed Table A, the Commission is not disputing the value of such 
standards, and believes that each, when considered with respect to a 
particular system at an SCI entity, may contain appropriate standards 
for the SCI entity to use as, or incorporate within, its policies and 
procedures.\607\ The Commission notes that the guidance is 
intended to be used as a baseline from which the staff may work with 
SCI entities and other interested market participants to build 
consensus on industry-specific standards, as discussed more fully 
below. Further, the Commission believes that the goal of providing 
general and flexible guidance to SCI entities does not necessitate 
providing a lengthy list of all the publications that meet the criteria 
set forth in Rule 1001(a)(4).\608\
---------------------------------------------------------------------------

    \607\ See supra notes 577-601 and accompanying text.
    \608\ See supra note 557 and accompanying text.
---------------------------------------------------------------------------

    The Commission continues to believe that it may be appropriate for 
an SCI entity to choose to adhere to a standard or guideline in a given 
domain or subcategory thereof that is different from those contained in 
the staff guidance, and emphasizes that nothing that the staff may 
include in its guidance precludes an SCI entity from adhering to 
standards such as ISO 27000, COBIT, or others referenced by commenters 
to the extent they result in policies and procedures that comply with 
the requirements of Rule 1001(a).\609\ Moreover, adopted Rule 
1001(a)(4) explicitly provides that compliance with current SCI 
industry standards (i.e., including those publications identified by 
the Commission staff) is not the exclusive method of compliance with 
Rule 1001(a). Accordingly, an SCI entity's determination not to adhere 
to some or all of the publications included in the staff guidance in 
developing its policies and procedures does not necessarily mean that 
its policies and procedures will be deficient or unreasonable for 
purposes of Rule 1001(a)(1). Importantly, the publications listed by 
Commission staff should be understood to provide guidance to SCI 
entities on selecting appropriate controls for applicable systems, as 
well as suitable processes for developing, documenting, and 
implementing policies and procedures for their SCI systems (and 
indirect SCI systems, as applicable), taking into account the 
criticality of each such system. Thus, for example, the Commission 
believes it would be reasonable for the most robust controls to be 
selected and implemented for ``critical SCI systems,'' as compared to 
other types of SCI systems, and the Commission believes it would be 
appropriate that the staff's guidance include publications that require 
more rigorous controls for higher-risk systems. The staff guidance is 
not intended to be static, however. As the Commission staff works with 
SCI entities, as well as members of the securities industry, technology 
experts, and interested members of the public, and as technology 
standards continue to evolve, the Commission anticipates that the 
Commission staff will periodically update the staff guidance as 
appropriate.
---------------------------------------------------------------------------

    \609\ Likewise, such guidance would not preclude an SCI entity 
from adopting a derivative of multiple standards, and/or customizing 
one or more standards for the particular system at issue, as one 
commenter suggested. See supra note 567 and accompanying text. In 
assessing whether an SCI entity's use of such an approach in 
designing its policies and procedures would be 
``deemed'' to be reasonably designed, the Commission's inquiry would 
be into whether its policies and procedures were consistent with 
standards meeting the criteria in adopted Rule 1001(a)(4).
---------------------------------------------------------------------------

    Another way in which the publications identified by Commission 
staff should provide guidance to SCI entities is by providing 
transparency on how the staff will, at least initially, prepare for and 
conduct inspections relating to Regulation SCI. As discussed in the SCI 
Proposal and above,\610\ for over two decades, ARP staff has conducted 
inspections of ARP entity systems, with a goal of evaluating whether an 
ARP entity's controls over its information technology resources in each 
domain are consistent with ARP and industry guidelines,\611\ as 
identified by ARP staff from a variety of information technology 
publications that ARP staff believed were appropriate for securities 
market participants.\612\ With the adoption of Regulation SCI, and the 
resultant transition away from the voluntary ARP Inspection Program to 
an inspection program under Regulation SCI, the Commission believes it 
is helpful to establish consistency in its approach to examining SCI 
entities for compliance with Regulation SCI. Importantly, establishing 
consistency does not mean that the Commission will take a one-size-fits-all 
or checklist approach. Because the publications identified by 
Commission staff should be general and flexible enough to be compatible 
with many widely-recognized technology standards that SCI entities 
currently use, the Commission believes the publications identified by 
Commission staff should provide guidance for an SCI entity to self-assess 
whether its policies and procedures comply with Rules 
1001(a)(1)-(2). Moreover, because use of the publications identified by 
Commission staff is not mandatory, the staff guidance should not be 
regarded as establishing a checklist, the use of which could result in 
unintended consequences, but rather a basis for considering how an SCI 
entity's selected standards relate to the guidance provided by 
Commission staff and whether they are appropriate standards for use by 
that particular SCI entity for a given system.
---------------------------------------------------------------------------

    \610\ See supra Section II.A.
    \611\ As stated in the SCI Proposal, the domains covered during 
an ARP inspection depend in part upon whether the inspection is a 
regular inspection or a ``for-cause'' inspection. Typically, 
however, to make the most efficient use of resources, a single ARP 
inspection will cover fewer than nine domains. See Proposing 
Release, supra note 13, at 18086.
    \612\ See id. and supra Section II.A (discussing the ARP 
Inspection Program).
---------------------------------------------------------------------------

    The Commission believes that it would be appropriate that the 
publications initially identified by Commission staff at a minimum 
include the nine inspection areas, or ``domains,'' that the Commission 
identified on Table A in the SCI Proposal and that are relevant to SCI 
entities' systems capacity, integrity, resiliency, availability, and 
security, namely: Application controls; capacity planning; computer 
operations and production environment controls; contingency planning; 
information security and networking; audit; outsourcing; physical 
security; and systems development methodology.
    The Commission believes it would be appropriate that each 
publication identified by Commission staff be identified with 
specificity and include the particular publication's date, volume 
number, and/or publication number, as the case may be. Thus, for SCI 
entities that establish or self-assess their policies and procedures in 
reliance on the guidance provided by the publications identified by 
Commission staff, the Commission believes that the publications should 
be the relevant publications until such time as the list is updated by 
Commission staff. Of course, SCI entities may elect to use publications 
describing processes, guidelines, frameworks, and/or standards other 
than those identified by Commission staff to develop policies and 
procedures that satisfy the requirements of Rules 1001(a)(1)-(2).
    As stated in the SCI Proposal, however, the Commission continues to 
believe that the development of securities-industry specific standards 
is a worthy goal. Although some commenters urged the Commission not to 
adopt Table A at the outset, and instead establish a process to achieve 
that end,\613\ the Commission believes that the better approach is for 
Commission staff to provide examples of publications through its 
guidance that form a baseline and remain open to emerging consensus on 
industry-specific standards. In response to the commenter that 
suggested that the Commission leverage the annual SCI 
review process and the SCI inspection process to yield a coherent set 
of industry-specific standards that could be referenced on Table A, the 
Commission believes that such an approach could serve as an appropriate 
input into the future development of such standards.\614\ In response 
to the commenter who stated that the proposed Table A publications do 
not take into account the technological and economic stability of the 
U.S. market as a whole,\615\ the Commission notes that the 
technological stability of individual SCI entities, in tandem with a 
heightened focus on critical SCI systems, are necessary prerequisites 
to achieving such market-wide goals. Accordingly, the Commission 
believes that the publications identified by Commission staff today 
should serve as an appropriate initial set of publications, processes, 
guidelines, frameworks, and standards for SCI entities to use as 
guidance to develop their policies and procedures under Rule 1001(a). 
With this guidance as a starting point, the Commission expects that the 
Commission staff will seek to work with members of the securities 
industry, technology experts, and interested members of the public 
towards developing standards relating to systems capacity, integrity, 
resiliency, availability, and security appropriately tailored for the 
securities industry and SCI entities, and periodically issue staff 
guidance that updates the guidance with such standards.
---------------------------------------------------------------------------

    \613\ See supra note 604 and accompanying text.
    \614\ See supra note 602 and accompanying text.
    \615\ See supra note 582 and accompanying text.
---------------------------------------------------------------------------

2. Policies and Procedures To Achieve Systems Compliance--Rule 1001(b)
    Proposed Rule 1000(b)(2)(i) would have required each SCI entity to 
establish, maintain, and enforce written policies and procedures 
reasonably designed to ensure that its SCI systems operate in the 
manner intended, including in a manner that complies with the federal 
securities laws and rules and regulations thereunder and the SCI 
entity's rules and governing documents, as applicable.
    Proposed Rule 1000(b)(2) also would have included safe harbors for 
an SCI entity and its employees. Specifically, proposed Rule 
1000(b)(2)(ii) provided that an SCI entity would be deemed not to have 
violated proposed Rule 1000(b)(2)(i) if the SCI entity: (1) Established 
policies and procedures reasonably designed to provide for specified 
elements; (2) established and maintained a system for applying such 
policies and procedures which would reasonably be expected to prevent 
and detect, insofar as practicable, any violations of such policies and 
procedures by the SCI entity or any person employed by the SCI entity; 
and (3) reasonably discharged the duties and obligations incumbent upon 
it by such policies and procedures, and was without reasonable cause to 
believe that such policies and procedures were not being complied with 
in any material respect. The safe harbor for SCI entities in proposed 
Rule 1000(b)(2)(ii) specified that the SCI entity's policies and 
procedures must be reasonably designed to provide for: (1) Testing of 
all SCI systems and any changes to such systems prior to 
implementation; (2) periodic testing of all SCI systems and any changes 
to such systems after their implementation; (3) a system of internal 
controls over changes to SCI systems; (4) ongoing monitoring of the 
functionality of SCI systems to detect whether they are operating in 
the manner intended; (5) assessments of SCI systems compliance 
performed by personnel familiar with applicable federal securities laws 
and rules and regulations thereunder and the SCI entity's rules and 
governing documents, as applicable; and (6) review by regulatory 
personnel of SCI systems design, changes, testing, and controls to 
prevent, detect, and address actions that do not comply with applicable 
federal securities laws and rules and regulations thereunder and the 
SCI entity's rules and governing documents, as applicable.
    In addition, proposed Rule 1000(b)(2)(iii) set forth a safe harbor 
for individuals. It provided that a person employed by an SCI entity 
would be deemed not to have aided, abetted, counseled, commanded, 
caused, induced, or procured the violation by any other person of 
proposed Rule 1000(b)(2)(i) if the person employed by the SCI entity 
has reasonably discharged the duties and obligations incumbent upon 
such person by the policies and procedures, and was without reasonable 
cause to believe that such policies and procedures were not being 
complied with in any material respect.
    After careful consideration of the comments, proposed Rule 
1000(b)(2) is adopted as Rule 1001(b) with modifications, as discussed 
below.
a. Reasonable Policies and Procedures To Achieve Systems Compliance
    The Commission received significant comment on its proposal to 
require that SCI entities establish, maintain, and enforce written 
policies and procedures reasonably designed to ensure systems 
compliance. Some commenters supported the broad goals of a policies and 
procedures requirement to help ensure that SCI systems operate as 
intended.\616\ Other commenters questioned whether any set of policies 
and procedures could guarantee perfect operational compliance.\617\ One 
commenter emphasized that no set of policies and procedures can 
guarantee 100% operational compliance and that, historically, the 
Commission has allowed entities to use a reasonableness standard so 
that policies and procedures are required to be reasonably designed to 
promote compliance, and the same should be used for the underlying 
predicate requirement in Regulation SCI.\618\ A few commenters 
expressed concern that, in instances where an SCI entity's policies and 
procedures failed to prevent SCI events, the Commission might use such 
failures as the basis for an enforcement action, charging that the 
policies and procedures were not reasonable.\619\ One commenter 
believed that compliance with Regulation SCI should be measured against 
a firm's adherence to its own set of policies and procedures that are 
in keeping with SCI system objectives, and such policies should be 
reviewed and updated as part of the annual SCI review process.\620\ 
Another commenter requested that the Commission more clearly 
distinguish between liability under Regulation SCI and liability for 
SCI events, stating that compliance with Regulation SCI and compliance 
with other federal securities laws and rules must remain distinct.\621\
---------------------------------------------------------------------------

    \616\ See MSRB Letter at 12-13; SIFMA Letter at 12; and MFA 
Letter at 3. Two of these commenters believed that SCI entities that 
perform critical market functions should be required to have more 
stringent policies and procedures than less critical SCI entities. 
See SIFMA Letter at 12; and MFA Letter at 3-4.
    \617\ See ITG Letter at 14. See also BATS Letter at 3-4, 6.
    \618\ See ITG Letter at 14.
    \619\ See BATS Letter at 3-4; Angel Letter at 4; and FSR Letter 
at 5. One of these commenters considered this possibility as, in 
effect, imposing a strict liability standard with respect to systems 
issues, and was concerned that the proposed approach would result in 
``finger-pointing'' and constant enforcement actions for immaterial 
violations that desensitize people to actual material violations. 
See FSR Letter at 3-8.
    \620\ See FIF Letter at 4.
    \621\ See FSR Letter at 6.
---------------------------------------------------------------------------

    Whereas adopted Rule 1001(a) \622\ concerns the robustness of the 
SCI entity's systems, adopted Rule 1001(b) \623\ concerns the 
operational compliance of an SCI entity's SCI systems with the Exchange 
Act, the rules and regulations thereunder, and the SCI entity's 
governing documents. The Commission continues to 
believe, as stated in the SCI Proposal, that a rule requiring SCI 
entities to establish, maintain, and enforce policies and procedures 
reasonably designed to ensure operational compliance will help to: 
ensure that SCI SROs comply with Section 19(b)(1) of the Exchange Act; 
\624\ reinforce existing SRO rule filing processes to assist market 
participants and the public in understanding how the SCI systems of SCI 
SROs are intended to operate; and assist SCI SROs in meeting their 
obligations to file plan amendments to SCI Plans under Rule 608 of 
Regulation NMS.\625\ It will similarly help other SCI entities (i.e., 
SCI ATSs, plan processors, and exempt clearing agencies subject to ARP) 
to achieve operational compliance with the Exchange Act, the rules and 
regulations thereunder, and their governing documents.
---------------------------------------------------------------------------

    \622\ Adopted Rule 1001(a) was proposed as Rule 1000(b)(1).
    \623\ Adopted Rule 1001(b) was proposed as Rule 1000(b)(2).
    \624\ See 15 U.S.C. 78s(b)(1) (requiring each SRO to file with 
the Commission copies of any proposed rule or any proposed change 
in, addition to, or deletion from the rules of the SRO).
    \625\ See Proposing Release, supra note 13, at 18115.
---------------------------------------------------------------------------

    The Commission notes that Rule 1001(b) is intended to help prevent 
the occurrence of systems compliance issues at SCI entities. The 
Commission discussed in Section IV.A.3.b the rationale for further 
focusing the definition of systems compliance issue (i.e., replacing 
the reference to operating ``in the manner intended, including in a 
manner that complies with the federal securities laws'' with a 
reference to operating ``in a manner that complies with the Act''). To 
provide consistency between the definition of systems compliance issue 
and the requirement for policies and procedures to ensure systems 
compliance, the Commission is similarly revising Rule 1001(b)(1) to 
require each SCI entity to establish, maintain, and enforce written 
policies and procedures reasonably designed to ensure that its SCI 
systems operate ``in a manner that complies with the Act'' and the 
rules and regulations thereunder and the entity's rules and governing 
documents, as applicable.
    As noted above, some commenters expressed concern that an SCI 
entity would be found to be in violation of Rule 1001(b) if an SCI 
event occurs.\626\ Consistent with the discussion above regarding Rule 
1001(a), the Commission emphasizes that the occurrence of a systems 
compliance issue at an SCI entity does not necessarily mean that the 
SCI entity has violated Rule 1001(b) of Regulation SCI. As stated in 
the SCI Proposal, an SCI entity will not be deemed to be in violation 
of Rule 1001(b) solely because it experienced a systems compliance 
issue.\627\ The Commission also notes that Rule 1001(b) requires 
systems compliance policies and procedures to be reasonably 
designed.\628\ The Commission acknowledges that reasonable policies and 
procedures will not ensure the elimination of all systems issues, 
including systems compliance issues. While a systems compliance issue 
may be probative as to the reasonableness of an SCI entity's policies 
and procedures, it is not determinative. Further, the occurrence of a 
systems compliance issue also does not necessarily mean that the SCI 
entity will be subject to an enforcement action. Rather, the Commission 
will exercise its discretion to initiate an enforcement action if the 
Commission determines that action is warranted, based on the particular 
facts and circumstances of an individual situation.
---------------------------------------------------------------------------

    \626\ See supra notes 617-620 and accompanying text. One of 
these commenters believed that compliance with Regulation SCI should 
be measured against a firm's adherence to its own set of policies 
and procedures that are in keeping with SCI systems objectives. See 
supra note 620 and accompanying text. The Commission understands 
this commenter to be expressing the same concern as other commenters 
that an SCI entity would be found to be in violation of Rule 1001(b) 
if an SCI event occurs. This commenter also noted that policies and 
procedures should be reviewed and updated as part of the annual SCI 
review process. See supra note 620 and accompanying text. The 
comment regarding reviews and updates of policies and procedures is 
addressed below. See infra note 673 and accompanying text.
    \627\ Also, as noted in the SCI Proposal, an employee of an SCI 
entity would not be deemed to have aided, abetted, counseled, 
commanded, caused, induced, or procured the violation by any other 
person of Rule 1001(b) merely because the SCI entity at which the 
employee worked experienced a systems compliance issue. See 
Proposing Release, supra note 13, at 18116.
    \628\ As stated above, one commenter noted that no set of 
policies and procedures can guarantee 100% operational compliance 
and that historically, the Commission has allowed entities to use a 
reasonableness standard so that policies and procedures are required 
to be reasonably designed to promote compliance, and the same 
approach should be used for Regulation SCI. See supra note 618 and 
accompanying text. The Commission agrees with this commenter that 
reasonably designed policies and procedures might not completely 
eliminate the occurrence of systems compliance issues. Also, adopted 
Rule 1001(b) is consistent with this commenter's suggestion, because 
it requires policies and procedures that are ``reasonably designed'' 
to ensure systems compliance.
---------------------------------------------------------------------------

    In response to one commenter's request that the Commission more 
clearly distinguish between liability under Regulation SCI and 
liability for SCI events,\629\ the Commission notes that liability 
under Regulation SCI is separate and distinct from liability for other 
violations that may arise from the underlying SCI event. In particular, 
whether an SCI entity violated Regulation SCI does not affect the 
determination of whether the underlying SCI event also caused the SCI 
entity to violate other laws or rules, and compliance with Regulation 
SCI is not a safe harbor or other shield from liability under other 
laws or rules. Thus, even if the occurrence of an SCI event does not 
cause an SCI entity to be found to be in violation of Regulation SCI, 
the SCI entity may still be liable under other Commission rules or 
regulations, the Exchange Act, or SRO rules for the underlying SCI 
event.\630\
---------------------------------------------------------------------------

    \629\ See supra note 621 and accompanying text.
    \630\ For example, it is possible for an SCI SRO to have 
established, maintained, and enforced reasonably designed systems 
compliance policies and procedures consistent with the requirements 
of Rule 1001(b) of Regulation SCI, but still potentially violate 
Section 19(g) of the Exchange Act if the operation of its systems is 
inconsistent with its own rules. See 15 U.S.C. 78s(g) (requiring 
every SRO to comply with the Exchange Act, the rules and regulations 
thereunder, and its own rules).
---------------------------------------------------------------------------

b. Proposed Safe Harbor for SCI Entities
i. Comments Received
    In the SCI Proposal, the Commission solicited comment on the 
proposed approach to include safe harbor provisions in proposed Rule 
1000(b)(2) and specifically asked whether commenters agreed with the 
proposed inclusion of safe harbors.\631\ Many commenters specifically 
addressed the safe harbors in proposed Rule 1000(b)(2). Two commenters 
urged elimination of the proposed safe harbors.\632\ One of these 
commenters stated that the safe harbors were framed so generally that 
they would be easy to invoke.\633\ This commenter also stated that 
inclusion of a safe harbor provision for compliance standards would 
unnecessarily and severely limit the Commission's ability to deter 
violations through meaningful enforcement actions.\634\ The other 
commenter stated that, if a safe harbor is adopted, the Commission 
should be as specific as possible in establishing how to qualify for 
the safe harbor, and recommended that Commission guidance ensure that 
SCI entities are actively building and improving upon safety systems 
and not simply checking boxes and doing the minimal amount necessary to 
ensure compliance.\635\
---------------------------------------------------------------------------

    \631\ See Proposing Release, supra note 13, at 18117, question 
104.
    \632\ See Better Markets Letter at 5-6; and Lauer Letter at 7-8.
    \633\ See Better Markets Letter at 5-6.
    \634\ See id. at 6.
    \635\ See Lauer Letter at 7-8.
---------------------------------------------------------------------------

    In contrast, several commenters supported the inclusion of a safe 
harbor in proposed Rule 1000(b)(2) in theory, but objected to the 
proposed approach.\636\ Some commenters stated that the proposed safe harbor, 
with its prescriptive requirements, would evolve into the de facto rule 
itself as SCI entities decide to adhere to the requirements of the safe 
harbor rather than risk a potential enforcement action stemming from an 
SCI event.\637\ One of these commenters noted that the safe harbor 
merely further defined the elements that the policies and procedures 
must have by providing a list of points that reasonably designed 
policies and procedures must cover.\638\ This commenter believed that 
including a requirement for reasonably designed policies and procedures 
and providing a safe harbor when those policies and procedures are 
reasonably designed is inherently circular, and expressed concern about 
liability under Regulation SCI whenever there is a systems or 
technology malfunction or error.\639\ This commenter also compared the 
proposed SCI entity safe harbor to other rules, stating that the other 
rules requiring policies and procedures recognize the need for those 
policies and procedures to be reasonably designed in light of the 
manner in which business is conducted.\640\ This commenter further 
noted that, if the Commission intends that all SCI entities conform to 
the standards articulated in the safe harbor, the Commission should set 
them forth as express provisions of the rule, although this commenter 
believed that such an approach would be misguided because it would 
create strictures that impose protocols that may not be suitable for 
certain market participants.\641\
---------------------------------------------------------------------------

    \636\ See, e.g., Angel Letter; Direct Edge Letter; FSR Letter; 
ITG Letter; MSRB Letter; NYSE Letter; OCC Letter; OTC Markets 
Letter; and Joint SROs Letter.
    \637\ See ITG Letter at 14 (stating that ``[t]he safe harbor 
contains so many requirements that it operates as a rule by 
itself''); and FSR Letter at 8.
    \638\ See FSR Letter at 4-5.
    \639\ See id. at 5-6.
    \640\ See FSR Letter at 8-9 (expressing concern that the safe 
harbor will become the sole yardstick by which conduct is measured 
and, even if the safe harbor were non-exclusive, it could become the 
de facto standard to the exclusion of other, legitimate approaches).
    \641\ See FSR Letter at 9.
---------------------------------------------------------------------------

    Several other commenters expressed concern that the proposed safe 
harbors were unclear.\642\ One group of commenters noted that the 
provisions in the proposed safe harbors were vague, subjective, and 
merely duplicate elements that would result from a logical 
interpretation of Rule 1000(b)(1),\643\ which these commenters believed 
offered no safe harbor protection at all.\644\ Another commenter stated 
that the use of a reasonableness standard with respect to the design of 
systems and the discharge of duties under an SCI entity's policies and 
procedures would mean that an SCI entity and its employees would never 
know with certainty whether they met the terms of the safe harbor.\645\ 
Another commenter similarly stated that SCI entities cannot know if 
they have complied with the safe harbor unless more guidance is 
provided on the concept of ``reasonable policies and procedures'' and 
the Commission explains what constitutes adequate testing, monitoring, 
assessments, and review for each system.\646\ One commenter agreed with 
the need for a safe harbor but stated that the proposed safe harbor is 
not sufficiently robust because it contains ``vague and extensive 
requirements that are overly subjective'' and the Commission therefore 
would be ``likely to review an SCI entity's interpretation of the safe 
harbor in the event of a systems issue with the benefit of 20/20 
hindsight.'' \647\ This commenter expressed concern that the occurrence 
of a significant systems event would mean that an exchange did not have 
reasonable policies and procedures and would be outside the terms of 
the proposed safe harbor.\648\
---------------------------------------------------------------------------

    \642\ See, e.g., FSR Letter; OCC Letter; and OTC Markets Letter.
    \643\ See Joint SROs Letter at 13 (stating that the proposed 
safe harbor should provide a more objective and transparent 
approach, and provide SCI entities a clear, affirmative defense from 
allegations of having violated Regulation SCI).
    \644\ See Joint SROs Letter at 13.
    \645\ See OCC Letter at 11. This commenter also questioned the 
value of the safe harbors as proposed and requested that the 
Commission consider including bright-line tests and minimum 
standards in the safe harbor provisions to better guide SCI entities 
and their employees in avoiding liability under Regulation SCI. See 
OCC Letter at 11. See also NYSE Letter at 30 (noting that the 
Commission provided no guidance on the phrase ``policies and 
procedures reasonably designed'').
    \646\ See OTC Markets Letter at 15.
    \647\ See NYSE Letter at 30.
    \648\ See id.
---------------------------------------------------------------------------

    A few commenters suggested specific alternatives to the proposed 
safe harbors.\649\ One commenter recommended that the Commission adopt 
a safe harbor with objective criteria to protect SCI entities from 
enforcement actions under Regulation SCI except in cases of intentional 
or reckless non-compliance or patterns of non-compliance with 
Regulation SCI, or if an SCI entity fails to implement reasonable 
corrective action in response to a written communication from the 
Commission regarding Regulation SCI.\650\ This commenter urged that, 
even if the Commission does not include the suggested safe harbor, the 
adopting release should clearly state that the Commission will not 
pursue enforcement actions against SCI entities that establish, 
maintain, and enforce compliance policies and procedures or act in good 
faith, notwithstanding a violation of Regulation SCI.\651\
---------------------------------------------------------------------------

    \649\ See, e.g., FSR Letter; ITG Letter; OTC Markets Letter; 
Joint SROs Letter; and NYSE Letter.
    \650\ See NYSE Letter at 29, 31-32. This commenter also 
suggested that SCI entity employees be protected except in instances 
where employees intentionally or recklessly fail to discharge their 
duties and obligations under the SCI entity's policies and 
procedures. See NYSE Letter at 29, 31-32. This comment and the 
individual safe harbor are addressed in Section IV.B.2.d below. 
Another commenter, expressing support for NYSE's suggested approach 
for SCI entities and their employees, stated that an objective 
standard would provide the proper incentives for compliance and 
allow SCI entities to reasonably evaluate their potential exposure 
when an SCI event occurs and act quickly in the critical moments 
following an SCI event. See OTC Markets Letter at 16.
    \651\ See NYSE Letter at 32, n. 41.
---------------------------------------------------------------------------

    One group of commenters similarly recommended that the Commission 
adopt an objective safe harbor.\652\ These commenters noted that minor 
mistakes and unintentional errors occur in the daily operations of 
running a business, and a safe harbor should provide protection to SCI 
entities that follow the policies and procedures as intended, including 
in the resolution and containment of such mistakes and errors.\653\ 
These commenters believed that it should be sufficient for an SCI 
entity to qualify for the safe harbor if it adopts policies and 
procedures reasonably designed to comply with Regulation SCI and does 
not knowingly violate such policies and procedures.\654\ These 
commenters further requested that the Commission clarify its views on 
the protections of the safe harbor for inadvertent violations of other 
laws and rules despite compliance with Regulation SCI and expand the 
safe harbor to explicitly cover such instances.\655\
---------------------------------------------------------------------------

    \652\ See Joint SROs Letter at 13-14.
    \653\ See id.
    \654\ See id. These commenters suggested a parallel safe harbor 
for employees of SCI entities. See id. at 14.
    \655\ See id.
---------------------------------------------------------------------------

    One commenter suggested simplifying the safe harbor to require only 
that an SCI entity adopt reasonable policies and procedures to comply 
with proposed Regulation SCI, which should include reasonable ongoing 
responsibilities related to testing and monitoring.\656\ Another 
commenter believed that the safe harbor should grant immunity from 
enforcement penalties for all problems that are self-reported by SCI 
entities and individuals.\657\ One commenter suggested that Regulation 
SCI should: (1) Encourage parties to discover and
remediate technology errors and malfunctions, and/or deficiencies in
their policies and procedures; (2) avoid ipso facto liability under 
Regulation SCI for failures by technology or systems; and (3) require 
some form of causation in order for liability to attach.\658\ This 
commenter also recommended that the Commission provide safe harbors 
from liability under both proposed Rules 1000(b)(1) and (2) where 
either: (1) The SCI entity or SCI personnel discovers and remediates a 
problem without regulatory intervention and assuming no underlying 
material violation; or (2) no technology error or problem has occurred, 
but the policies and procedures might benefit from improvements.\659\ 
According to this commenter, the remediation safe harbor should also 
apply to underlying technology problems if the SCI entity had complied 
with Regulation SCI.\660\ One commenter expressed concern that, without 
a safe harbor and a guarantee of immunity, the disclosures to the 
Commission required under Regulation SCI would provide a roadmap for 
litigation against non-SRO entities.\661\
---------------------------------------------------------------------------

    \656\ See ITG Letter at 14.
    \657\ See Angel Letter at 4.
    \658\ See FSR Letter at 9.
    \659\ See id. at 9-10.
    \660\ See id. at 3, 9-10.
    \661\ See OTC Markets Letter at 15-16 (stating that ``entities 
that do not have SRO immunity, such as ATSs, may be subject to 
liability based on information reported under Reg. SCI's Rule 
1000(b)(4)(iv) . . . [w]ithout a safe harbor and a guarantee of 
immunity, this kind of disclosure provides a roadmap for litigation 
against non-SRO SCI entities'').
---------------------------------------------------------------------------

ii. Elimination of Proposed Safe Harbor for SCI Entities and 
Specification of Minimum Elements
    As discussed in greater detail below, after careful consideration 
of the comments, and in light of the more focused scope of Regulation 
SCI, the Commission has determined not to adopt the proposed safe 
harbor for SCI entities.\662\ Rather, Rule 1001(b) sets forth non-
exhaustive minimum elements that an SCI entity must include in its 
systems compliance policies and procedures. The Commission recognizes 
that the precise nature, size, technology, business model, and other 
aspects of each SCI entity's business vary. Therefore, the minimum 
elements are intended to be general in order to accommodate these 
differences, and each SCI entity will need to exercise judgment in 
developing and maintaining specific policies and procedures that are 
reasonably designed to achieve systems compliance. The Commission also 
believes that SCI entities should consider the evolving nature of the 
securities industry, as well as industry practices and standards, in 
developing and maintaining such policies and procedures. As such, the 
elements specified in Rule 1001(b) are non-exhaustive, and each SCI 
entity should consider on an ongoing basis what steps it needs to take 
in order to ensure that its policies and procedures are reasonably 
designed.
---------------------------------------------------------------------------

    \662\ The Commission's decision not to adopt an SCI entity safe 
harbor also addresses a commenter's concern that the inclusion of a 
safe harbor provision in Rule 1001(b) could unnecessarily and 
severely limit the Commission's ability to deter violations through 
meaningful enforcement actions. See supra notes 633-634 and 
accompanying text. As discussed in Section IV.B.2.d below, however, 
the Commission is adopting a safe harbor for personnel of SCI 
entities.
---------------------------------------------------------------------------

    In the SCI Proposal, the Commission stated that, ``[b]ecause of the 
complexity of SCI systems and the breadth of the federal securities 
laws and rules and regulations thereunder and the SCI entities' rules 
and governing documents, the Commission preliminarily believes that it 
would be appropriate to provide an explicit safe harbor for SCI 
entities and their employees in order to provide greater clarity as to 
how they can ensure that their conduct will comply with [Rule 
1000(b)(2)].'' \663\
---------------------------------------------------------------------------

    \663\ See Proposing Release, supra note 13, at 18115.
---------------------------------------------------------------------------

    One reason that the Commission is not adopting the proposed safe 
harbor for SCI entities is that the Commission has focused the scope of 
Regulation SCI as adopted. For example, adopted Rule 1001(b) requires 
policies and procedures that are reasonably designed to ensure 
compliance with ``the Act''--rather than operating ``in the manner 
intended, including in a manner that complies with the federal 
securities laws'' as was proposed--and the rules and regulations 
thereunder, and the SCI entity's rules and governing documents. 
Therefore, the requirement under adopted Rule 1001(b) is more targeted 
than the requirement under proposed Rule 1000(b)(2), and alleviates 
some of the concern regarding the ``breadth of the federal securities 
laws and rules and regulations thereunder'' that was expressed in the 
SCI Proposal. The Commission expects that SCI entities are familiar 
with their obligations under the Exchange Act, the rules and 
regulations thereunder, and their own rules and governing documents. In 
addition, as discussed in Section IV.A.2.b above, the Commission has 
further focused the scope of SCI systems, which also alleviates some of 
the concern regarding the ``complexity of SCI systems'' that was 
expressed in the SCI Proposal.\664\
---------------------------------------------------------------------------

    \664\ See id.
---------------------------------------------------------------------------

    Further, as noted above, in the SCI Proposal, the Commission stated 
its preliminary belief that it would be appropriate to provide an 
explicit safe harbor for SCI entities in order to provide greater 
clarity on how they could comply with proposed Rule 1000(b)(2).\665\ 
Rather than achieving this goal, commenters argued that the proposed 
safe harbor merely further defined the elements that the policies and 
procedures must have, and did not include sufficient guidance or 
specificity to SCI entities seeking to rely on it.\666\ For example, 
one commenter noted that the policies and procedures specified in the 
safe harbor would still need to be ``reasonably designed.'' \667\ 
Further, the Commission acknowledges some commenters' concern that the 
proposed safe harbor, ``with its prescriptive requirements,'' could 
evolve into the de facto rule itself.\668\
---------------------------------------------------------------------------

    \665\ See id.
    \666\ See supra notes 638-639, 643-648 and accompanying text. 
With respect to the group of commenters who suggested that the safe 
harbor should give SCI entities a clear, affirmative defense from 
allegations of having violated Regulation SCI, as discussed above, 
the Commission is eliminating the proposed safe harbor for SCI 
entities. See supra note 643. As discussed below, the Commission 
believes that, by specifying non-exhaustive minimum elements that an 
SCI entity must include in its systems compliance policies and 
procedures, the rule will encourage SCI entities to actively build 
and improve upon the compliance of their systems, rather than limit 
their compliance to some fixed elements of a safe harbor.
    \667\ See supra notes 638-639 and accompanying text. This 
commenter also compared the proposed SCI entity safe harbor to other 
rules, stating that the other rules requiring policies and 
procedures recognize the need for those policies and procedures to 
be reasonably designed in light of the manner in which business is 
conducted. See supra note 640 and accompanying text. Rule 1001(b), 
as adopted, requires policies and procedures to be ``reasonably 
designed'' to ensure the compliance of SCI systems. Therefore, Rule 
1001(b) recognizes the need for policies and procedures to be 
reasonably designed in light of the manner in which an SCI entity's 
business is conducted.
    \668\ See supra note 637 and accompanying text and supra note 
640. The Commission acknowledges that some commenters who believed 
that the proposed safe harbor was inadequate also advocated for 
alternative safe harbors, such as those that require knowledge or 
recklessness for liability. These comments are discussed below in 
Section IV.B.2.b.iii.
---------------------------------------------------------------------------

    As discussed above, the Commission is not adopting a safe harbor 
for SCI entities. Rather, adopted Rule 1001(b)(1) requires an SCI 
entity to have reasonably designed policies and procedures to achieve 
systems compliance and adopted Rule 1001(b)(2) specifies non-
exhaustive, general minimum elements that an SCI entity must include in 
its systems compliance policies and procedures. These minimum elements 
are based on the elements contained in the proposed safe harbor for SCI 
entities, but modified in
response to concerns raised by commenters. As adopted, Rules 1001(b)(1)
and (b)(2) specify the minimum elements of reasonably designed policies 
and procedures to achieve systems compliance, and at the same time 
provide flexibility by permitting an SCI entity to establish policies 
and procedures that are reasonably designed based on the nature, size, 
technology, business model, and other aspects of its business. 
Moreover, the Commission believes that, by specifying non-exhaustive, 
general minimum elements of systems compliance policies and procedures, 
the rule will encourage SCI entities to actively build and improve upon 
the compliance of their systems rather than limit their compliance to 
bright-line tests or the fixed elements of a safe harbor, and encourage 
the evolution of sound practices over time. In addition, the Commission 
notes that there currently are no publicly available written industry 
standards regarding systems compliance that are applicable to all SCI 
entities that can serve as the basis for a clear, objective safe 
harbor, as there is with current SCI industry standards (e.g., the 
publications listed in staff guidance) relating to operational 
capability. Even if such standards existed, the Commission believes 
that the specificity necessary to achieve the goal of a clear, 
objective safe harbor would disincentivize SCI entities from continuing 
to improve their systems over time. Finally, the Commission believes 
that, because the minimum elements specified in Rule 1001(b)(2) are 
non-exhaustive, Rule 1001(b) can accommodate the possibility that, as 
technology evolves, additional or updated elements could become 
appropriate for SCI entities to include in their systems compliance 
policies and procedures to ensure that such policies and procedures 
remain reasonably designed on an ongoing basis.
iii. Response to Other Comments on the SCI Entity Safe Harbor
    With respect to commenters who requested clarification on the 
protection of the safe harbor for inadvertent violations of other laws 
and rules despite compliance with Regulation SCI,\669\ as noted above, 
the Commission clarifies that liability under Regulation SCI is 
separate and distinct from liability for other violations that may 
arise from the underlying SCI events under other laws and rules. 
Specifically, Regulation SCI imposes new requirements on SCI entities 
and is not intended to alter the standards for determining liability 
under other laws or rules. Therefore, if an SCI entity is in compliance 
with Regulation SCI but inadvertently violates another law or rule, 
whether or not the SCI entity will be liable under the other law or 
rule depends on the standards for determining liability under such law 
or rule. Because the new requirements under Regulation SCI are separate 
and distinct from existing requirements under other laws or rules, 
Regulation SCI is not a shield from liability under such laws or rules.
---------------------------------------------------------------------------

    \669\ See supra notes 655 and 660 and accompanying text.
---------------------------------------------------------------------------

    The Commission also does not believe that it would be appropriate 
to provide a safe harbor for all problems that are self-reported by SCI 
entities and individuals or that are discovered and remediated without 
regulatory intervention, as suggested by commenters.\670\ In 
particular, Rule 1001(b) is intended to help ensure that SCI entities 
operate their systems in compliance with the Exchange Act and relevant 
rules in the first place, and thus is not only focused on helping to 
ensure that SCI entities appropriately respond to a compliance issue 
(e.g., by taking corrective action or reporting the issue to the 
Commission) after it has occurred and impacted the market or market 
participants. Therefore, the Commission does not believe that the 
suggested self-report or remediation safe harbors will effectively 
further this intent of Rule 1001(b). In particular, the Commission 
notes that reporting and remediation of SCI events are separately 
required under Rules 1002(b) and (a) of Regulation SCI, respectively. 
The purposes of Rule 1002(b) include keeping the Commission informed of 
SCI events after they have occurred. Moreover, Rule 1002(a) is intended 
to ensure that SCI entities remedy a systems issue and mitigate the 
resulting harm after the issue has already occurred. The Commission 
believes that, if an SCI entity is protected from liability under Rule 
1001(b) simply because it self-reported systems compliance issues or 
discovered and remediated systems compliance issues without regulatory 
intervention, the SCI entity will not be effectively incentivized to 
have reasonably designed policies and procedures to ensure systems 
compliance in the first place. As discussed above, the occurrence of an 
SCI event will not necessarily cause a violation of Regulation SCI. 
Further, the occurrence of a systems compliance issue also does not 
necessarily mean that the SCI entity will be subject to an enforcement 
action. Rather, the Commission will exercise its discretion to initiate 
an enforcement action if the Commission determines that action is 
warranted, based on the particular facts and circumstances of an 
individual situation.
---------------------------------------------------------------------------

    \670\ See supra notes 657 and 659 and accompanying text.
---------------------------------------------------------------------------

    As discussed above, some commenters expressed concern that the 
occurrence of a significant systems issue would mean that an SCI entity 
did not have reasonable policies and procedures and therefore suggested 
``objective'' safe harbors.\671\ The Commission notes that all SCI 
entities are required to comply with the Exchange Act, the rules and 
regulations thereunder, and their own rules and governing documents, as 
applicable, and the purpose of Rule 1001(b) is to effectively help 
ensure compliance of the operation of SCI systems with these laws and 
rules. The Commission does not believe that Rule 1001(b) would further 
this goal to the same degree if the Commission were to adopt 
commenters' safe harbor suggestions (i.e., an SCI entity is deemed to 
be in compliance with Rule 1001(b) so long as: The SCI entity is not 
knowingly out of compliance; such non-compliance is not intentional, 
reckless, or in bad faith; or there is no pattern of non-compliance) 
because, with these suggested ``objective'' safe harbors, SCI entities 
may not be effectively incentivized to establish, maintain, and enforce 
reasonably designed policies and procedures to ensure systems 
compliance. Moreover, the Commission notes that Rule 1001(b) requires 
``reasonably designed'' policies and procedures, which already provides 
flexibility to SCI entities in complying with the rule. The Commission 
also emphasizes again that, while it is eliminating the safe harbor for 
SCI entities, the occurrence of a systems compliance issue may be 
probative, but is not determinative, of whether an SCI entity violated 
Regulation SCI. As noted above, an SCI entity would not be
deemed to be in violation of Rule 1001(b)(1) merely because it
experienced a systems compliance issue. Further, the occurrence of a 
systems compliance issue also does not necessarily mean that the SCI 
entity will be subject to an enforcement action. Rather, the Commission 
will exercise its discretion to initiate an enforcement action if the 
Commission determines that action is warranted, based on the particular 
facts and circumstances of an individual situation.
---------------------------------------------------------------------------

    \671\ See supra notes 650-654 and accompanying text. As 
discussed above, some of these commenters suggested that the safe 
harbor should protect SCI entities from enforcement action except in 
cases of intentional or reckless non-compliance, or patterns of non-
compliance with Regulation SCI. See supra note 650 and accompanying 
text. As an alternative to the intentional and recklessness 
standard, one of these commenters requested that the Commission 
specifically state that the Commission will not pursue enforcement 
actions against SCI entities that establish, maintain, and enforce 
systems compliance policies and procedures or act in good faith, 
notwithstanding a violation of Regulation SCI. See supra note 651 
and accompanying text. One commenter noted that it should be 
sufficient for an SCI entity to qualify for the safe harbor if it 
adopts policies and procedures reasonably designed to comply with 
Regulation SCI and does not knowingly violate such policies and 
procedures. See supra note 654 and accompanying text.
---------------------------------------------------------------------------

    Further, as noted above, one commenter recommended that the 
Commission provide a safe harbor where no technology error or problem 
has occurred, but the policies and procedures might benefit from 
improvements.\672\ The Commission believes that there may be instances 
where an SCI entity's policies and procedures might benefit from 
improvement, even though they are reasonably designed. In such 
instances, the SCI entity is in compliance with Rule 1001(b) and 
therefore does not need a safe harbor. At the same time, the Commission 
notes that there may be instances where no technology error or problem 
has occurred, but an SCI entity's policies and procedures with regard 
to systems compliance might nonetheless be deficient and not satisfy 
the requirements of Rule 1001(b). The Commission does not believe that 
it would be appropriate to provide a safe harbor in these instances. As 
noted above, Rule 1001(b) is intended to help ensure that SCI entities 
operate their SCI systems in compliance with the Exchange Act and 
relevant rules. The Commission does not believe that a safe harbor that 
effectively insulates deficient policies and procedures will further 
the intent of this rule. Further, the Commission notes that one 
requirement of Rule 1001(b)(1) is that an SCI entity ``maintain'' its 
policies and procedures. To explicitly set forth an SCI entity's 
obligation to review and update its policies and procedures, similar to 
Rule 1001(a), the Commission is adopting a requirement for periodic 
review by an SCI entity of the effectiveness of its systems compliance 
policies and procedures, and prompt action by the SCI entity to remedy 
deficiencies in such policies and procedures.\673\ The Commission notes 
that an SCI entity will not be found to be in violation of this 
maintenance requirement solely because it failed to identify a 
deficiency immediately after the deficiency occurred, if the SCI entity 
takes prompt action to remedy the deficiency once it is discovered, and 
the SCI entity had otherwise appropriately reviewed the effectiveness 
of its policies and procedures and took prompt action to remedy those 
deficiencies that were discovered.
---------------------------------------------------------------------------

    \672\ See supra note 659 and accompanying text.
    \673\ See Rule 1001(b)(3). The adoption of this review and 
update requirement is consistent with the views of some commenters. 
See supra notes 620 and accompanying text (discussing a commenter's 
suggestion that policies and procedures should be reviewed and 
updated as part of the annual SCI review process) and 658 and 
accompanying text (discussing a commenter's suggestion that 
Regulation SCI should encourage parties to discover and remediate 
deficiencies in policies and procedures). The Commission notes that 
Rule 1001(b)(3) requires SCI entities to review and update their 
systems compliance policies and procedures rather than simply 
``encourage'' the discovery and remediation of deficiencies because, 
in order to achieve the intended benefits of Rule 1001(b), an SCI 
entity's systems compliance policies and procedures must remain 
reasonably designed. If the Commission simply encourages SCI 
entities to review and update their systems compliance policies and 
procedures, the Commission believes that there would be a greater 
likelihood that such policies and procedures might become outdated 
and less effective in preventing systems compliance issues.
---------------------------------------------------------------------------

    Finally, as noted above, one commenter believed that, without a 
safe harbor and a guarantee of immunity (such as the regulatory 
immunity of SROs), information provided to the Commission pursuant to 
Rule 1000(b)(4)(iv) would provide a roadmap for litigation. As 
discussed below in Section IV.B.3.c, the Commission acknowledges that, 
if an SCI entity experiences an SCI event, it could become the subject 
of litigation (including private civil litigation). At the same time, 
the Commission notes that the information submitted to the Commission 
pursuant to Regulation SCI will be treated as confidential, subject to 
applicable law.\674\ On the other hand, the Commission acknowledges 
that it could consider the information provided to the Commission 
pursuant to Rule 1002(b) in determining whether to initiate an 
enforcement action. The Commission notes that all SCI entities are 
required to comply with the Exchange Act, the rules and regulations 
thereunder, and their own rules and governing documents, as applicable, 
and the requirement for Commission notification of systems compliance 
issues is intended to assist the Commission in its oversight of such 
compliance. With respect to the regulatory immunity of SROs, the 
Commission notes that, although courts have found that SROs are 
entitled to absolute immunity from private claims under certain 
circumstances,\675\ if an SRO fails to comply with the provisions of 
the Exchange Act, the rules or regulations thereunder, or its own 
rules, the Commission is still authorized to impose sanctions.\676\ As 
such, like other SCI entities, SROs are not immune from Commission 
sanctions. Finally, as discussed in detail above, the Commission does 
not believe that it would be appropriate to provide a safe harbor for 
all problems that are self-reported to the Commission by SCI entities 
and individuals.
---------------------------------------------------------------------------

    \674\ The Commission notes that the General Instructions to Form 
SCI, Item G. Paperwork Reduction Act Disclosure, provides that the 
Commission ``will keep the information collected pursuant to Form 
SCI confidential to the extent permitted by law.'' See infra Section 
IV.C.2.
    \675\ The Commission notes that SRO immunity applies only under 
certain circumstances. In particular, ``when acting in its capacity 
as a SRO, [the SRO] is entitled to immunity from suit when it 
engages in conduct consistent with the quasi-governmental powers 
delegated to it pursuant to the Exchange Act and the regulations and 
rules promulgated thereunder.'' See DL Capital Group, LLC v. NASDAQ 
Stock Market, Inc., 409 F.3d 93, 97 (2d Cir. 2005) (quoting 
D'Alessio v. New York Stock Exchange, Inc., 258 F.3d 93, 106 (2d 
Cir. 2001)).
    \676\ See 15 U.S.C. 78s(g).
---------------------------------------------------------------------------

c. Minimum Elements of Reasonable Policies and Procedures
    The safe harbor for SCI entities in proposed Rule 1000(b)(2)(ii) 
specified that, to qualify for the safe harbor, the SCI entity's 
policies and procedures must be reasonably designed to provide for: (1) 
Testing of all SCI systems and any changes to such systems prior to 
implementation; (2) periodic testing of all SCI systems and any changes 
to such systems after their implementation; (3) a system of internal 
controls over changes to SCI systems; (4) ongoing monitoring of the 
functionality of SCI systems to detect whether they are operating in 
the manner intended; (5) assessments of SCI systems compliance 
performed by personnel familiar with applicable federal securities laws 
and rules and regulations thereunder and the SCI entity's rules and 
governing documents, as applicable; and (6) review by regulatory 
personnel of SCI systems design, changes, testing, and controls to 
prevent, detect, and address actions that do not comply with applicable 
federal securities laws and rules and regulations thereunder and the 
SCI entity's rules and governing documents, as applicable. In the SCI 
Proposal, the Commission asked whether each element of the proposed 
safe harbor for SCI entities was appropriate.\677\ Several commenters 
addressed one or more of the proposed safe harbor elements.
---------------------------------------------------------------------------

    \677\ See Proposing Release, supra note 13, at 18116-17.
---------------------------------------------------------------------------

    As discussed above, rather than adopting the proposed safe harbor 
for SCI entities, the Commission is specifying non-exhaustive, general 
minimum elements that an SCI entity must include in its systems 
compliance policies and procedures. The minimum elements are based on 
the proposed safe harbor. These elements are: (i) Testing of all SCI 
systems and any changes to SCI systems prior to implementation; (ii) a 
system of internal controls over changes to SCI systems; (iii) a plan 
for assessments of the functionality of SCI systems designed to detect 
systems compliance issues, including by responsible SCI personnel and 
by personnel familiar with applicable provisions of the Act and the 
rules and regulations thereunder and the SCI entity's rules and 
governing documents; and (iv) a plan of coordination and communication 
between regulatory and other personnel of the SCI entity, including by 
responsible SCI personnel, regarding SCI systems design, changes, 
testing, and controls designed to detect and prevent systems compliance 
issues. Each of these elements is discussed below.
    As noted above, some commenters requested more guidance or 
certainty regarding the safe harbor elements (e.g., by including 
bright-line tests and minimum standards).\678\ As discussed above in 
Section IV.B.2.b, the Commission is not adopting a safe harbor but is 
specifying the minimum elements that an SCI entity must include in its 
systems compliance policies and procedures. By generally requiring 
policies and procedures to be reasonably designed and specifying non-
exhaustive, general minimum elements of systems compliance policies and 
procedures, the Commission intends to provide specificity on how to 
comply with Rule 1001(b), and at the same time provide a reasonable 
degree of flexibility to SCI entities in establishing and maintaining 
policies and procedures that are appropriately tailored to each SCI 
entity.
---------------------------------------------------------------------------

    \678\ See supra notes 645-647 and accompanying text.
---------------------------------------------------------------------------

    Regarding elements (1) and (2) of the proposed safe harbor, a few 
commenters opposed the inclusion of a requirement that an SCI entity 
conduct periodic testing of systems absent systems changes.\679\ One 
commenter stated that it performs testing prior to implementation of 
trading systems changes in the production environment and conducts 
regression testing to ensure that the changes did not introduce any 
undesired side-effects.\680\ This commenter explained that the proposed 
periodic testing requirement would impose additional cost and not 
provide any benefit.\681\ One commenter believed that the pre- and 
post-implementation testing components of the safe harbor, which would 
apply to all systems changes, could potentially drive SCI entities to 
take a narrow view of what constitutes a systems change.\682\ Another 
commenter sought further guidance from the Commission on the scope of 
periodic testing of all SCI systems and whether, for example, systems 
testing would be required following a systems change if the SCI entity 
has already provided notice of the systems change to the 
Commission.\683\ One commenter requested clarification that the testing 
described in proposed Rules 1000(b)(2)(ii)(A)(1) and (2) refers to 
testing to ensure that SCI systems operate in the manner intended, and 
noted that testing should not be required to be periodic, but instead 
should be based on the relative risks of non-compliance arising from 
any changes being introduced into production or any changes to the 
applicable laws or rules.\684\ One commenter stated that it believed 
that the frequency and type of testing under proposed Rules 
1000(b)(2)(ii)(A)(1) and (2) are open to interpretation.\685\
---------------------------------------------------------------------------

    \679\ See FINRA Letter at 33; BATS Letter at 7; and ISE Letter 
at 7.
    \680\ See ISE Letter at 7.
    \681\ See id. See also FINRA Letter at 33.
    \682\ See Direct Edge Letter at 6. This commenter expressed 
concern that, under the proposed approach, any opening of a customer 
port, the removal of access rights from a departing employee, and 
the previously unscheduled closing of the market for the death of a 
U.S. president all involve ``changes'' to SCI systems that need to 
be tracked, approved, and catalogued within the construct of an 
enterprise-wide change management system. See id. This commenter 
stated that these ``changes'' cannot all be tested, either prior to 
or after implementation, without an extraordinary amount of 
redundancy and bureaucracy, if at all. See id. This commenter 
therefore suggested requiring instead ``[a]ppropriate testing of 
[SCI] systems and changes to such systems prior to their 
implementation.'' See id.
    \683\ See OCC Letter at 11.
    \684\ See MSRB Letter at 13-14.
    \685\ See NYSE Letter at 30.
---------------------------------------------------------------------------

    After consideration of the views of commenters, the Commission 
believes that testing of SCI systems and changes to such systems prior 
to implementation is appropriate for inclusion as a required element of 
systems compliance policies and procedures. As noted in the SCI 
Proposal, elements (1) and (2) of the proposed safe harbor were 
intended to help SCI entities to identify potential problems before 
such problems have the ability to impact markets and investors.\686\ 
The Commission believes that testing prior to implementation of SCI 
systems and prior to implementation of any SCI systems changes would 
likely be an important component for achieving this goal and it is 
included as a required element of systems compliance policies and 
procedures.\687\ In contrast, the Commission believes that the value of 
the proposed element for additional testing in the absence of systems 
changes may be variable, depending on the SCI system or change to an 
SCI system at issue.\688\ At the same time, each SCI entity should 
consider on an ongoing basis what steps it needs to take in order to 
ensure that its policies and procedures are reasonably designed, 
including whether its policies and procedures should provide for 
testing of certain systems changes after their implementation to ensure 
that they operate in compliance with the Exchange Act and relevant 
rules.
---------------------------------------------------------------------------

    \686\ See Proposing Release, supra note 13, at 18115.
    \687\ With respect to a commenter's concern that ``changes'' to 
SCI systems could include, for example, any opening of a customer 
port, the removal of access rights from a departing employee, and 
the previously unscheduled closing of the market for the death of a 
U.S. president, the Commission does not view these as changes to an 
SCI entity's systems, because the Commission believes that these 
actions are part of an SCI entity's standard operations. See supra 
note 682. In particular, the Commission believes that the opening of 
a customer port, the removal of access rights, and the closing of 
the market are existing functionalities at SCI entities, and are 
routinely performed by SCI entities without the need to change 
existing functionalities.
    \688\ See supra notes 681-682 and accompanying text. The 
Commission notes that a commenter asked about the scope of periodic 
testing under the proposed safe harbor, and whether systems testing 
under the proposed safe harbor would be required following a systems 
change if the SCI entity has already provided notice of the systems 
change to the Commission. Another commenter noted that testing under 
the proposed safe harbor should not be required to be periodic, but 
instead could be based on the relative risks of non-compliance 
arising from any changes being introduced into production or any 
changes to applicable laws or rules. The Commission is not requiring 
periodic testing or testing following systems changes in Rule 
1001(b), and, as discussed above, the Commission is not adopting the 
proposed safe harbor.
---------------------------------------------------------------------------

    With regard to element (3) of the proposed safe harbor, one 
commenter stated that it is unclear what minimum standards are required 
for the internal controls under proposed Rule 
1000(b)(2)(ii)(A)(3).\689\ As discussed above, the Commission believes 
it is appropriate to set forth minimum elements of systems compliance 
policies and procedures that are broad enough to provide SCI entities 
with reasonable flexibility to design their policies and procedures 
based on the nature, size, technology, business model, and other 
aspects of their businesses. Therefore, while the Commission believes 
that a system of internal controls over changes to SCI systems is 
appropriate for inclusion as a required element of systems compliance 
policies and procedures, the Commission is not specifying the minimum 
standard for 
internal controls. As stated in the SCI Proposal, a system of internal 
controls and ongoing monitoring of systems functionality are intended 
to help ensure that an SCI entity adopts a framework that will help it 
bring newer, faster, and more innovative SCI systems online without 
compromising due care, and to help prevent SCI systems from becoming 
noncompliant resulting from, for example, inattention or failure to 
review compliance with established written policies and procedures. The 
Commission believes that such internal controls would likely include, 
for example, protocols that provide for: Communication and cooperation 
between legal, business, technology, and compliance departments in an 
SCI entity; appropriate authorization of systems changes by relevant 
departments of the SCI entity prior to implementation; review of 
systems changes by legal or compliance departments prior to 
implementation; and monitoring of systems changes after implementation.
---------------------------------------------------------------------------

    \689\ See NYSE Letter at 30.
---------------------------------------------------------------------------

    With regard to elements (4)-(6) of the proposed safe harbor, one 
commenter noted that the proposed requirement related to ongoing 
monitoring was too broad and should be eliminated or revised to be more 
flexible.\690\ This commenter noted that the proposal for ``monitoring 
of the functionality of [SCI] systems to detect whether they are 
operating in the manner intended'' is potentially quite broad and seems 
to suggest some form of independent validation.\691\ Another commenter 
asked the Commission to clarify how the testing requirements in 
proposed Rules 1000(b)(2)(ii)(1) and (2) (testing prior to and after 
implementation) differ from those in proposed Rule 1000(b)(2)(ii)(A)(5) 
(assessments of systems compliance by personnel familiar with 
applicable laws and rules).\692\ One commenter noted that the 
monitoring, assessments, and reviews under proposed Rules 
1000(b)(2)(ii)(A)(4), (5), and (6) are unclear.\693\ Two commenters 
sought guidance on how an SCI entity could satisfy the requirements 
related to reviews and assessments by legal and compliance personnel 
(i.e., proposed Rules 1000(b)(2)(ii)(A)(5) and (6)).\694\ One of these 
commenters suggested that each SCI entity be given the discretion to 
determine the level of familiarity necessary to qualify as personnel 
able to undertake the assessments and which personnel are regulatory 
personnel, and asked whether these two categories of personnel are 
different.\695\ Another commenter also sought clarification on the 
meaning of the term ``regulatory personnel'' and suggested that each 
SCI entity should have discretion in determining which of its employees 
constitute regulatory personnel.\696\ One commenter expressed concern 
that review by regulatory personnel of SCI systems would unreasonably 
expose non-technology persons to potential liability if an SCI entity 
suffers a malfunction.\697\
---------------------------------------------------------------------------

    \690\ See FINRA Letter at 33-34.
    \691\ See id.
    \692\ See MSRB Letter at 13.
    \693\ See NYSE Letter at 30.
    \694\ See FINRA Letter at 34-35; and MSRB Letter at 13.
    \695\ See MSRB Letter at 13-14.
    \696\ See OCC Letter at 11. See also FINRA Letter at 34-35 
(requesting more guidance on which types of personnel are intended 
to fulfill the requirements of proposed Rules 1000(b)(2)(ii)(A)(5) 
and (6)).
    \697\ See ITG Letter at 14.
---------------------------------------------------------------------------

    After consideration of the views of commenters, the Commission 
believes that ``a plan for assessments of the functionality of SCI 
systems designed to detect systems compliance issues, including by 
responsible SCI personnel and by personnel familiar with applicable 
provisions of the Act and the rules and regulations thereunder and the 
SCI entity's rules and governing documents'' is appropriate for 
inclusion as a required element of systems compliance policies and 
procedures. In particular, rather than ``ongoing monitoring of the 
functionality of [SCI] systems to detect whether they are operating in 
the manner intended'' and also ``assessments of SCI systems compliance 
. . . ,'' the Commission believes that ``a plan for assessments'' of 
SCI systems compliance would be more appropriate.\698\ The Commission 
notes that ``a plan for assessments'' could include, for example, not 
only a plan for monitoring, but also a plan for testing or assessments, 
as appropriate, and at a frequency (e.g., periodic or continuous) that 
is based on the SCI entity's risk assessment of each of its SCI 
systems.\699\ The Commission is not specifying the manner and frequency 
of assessments that must be set forth in such plan because the 
Commission believes that each SCI entity will likely be in the best 
position to assess and determine the assessment plan that is most 
appropriate for its SCI systems. The Commission emphasizes that the 
nature and frequency of the assessments contemplated by an SCI entity's 
plan will vary based on a range of factors, including the entity's 
governance structure, business lines, and legal and compliance 
framework. The plan for assessments does not require the SCI entity to 
conduct a specific kind of assessment, nor does it require that 
assessments be performed at a certain frequency. The plan, however, may 
address the specific reviews required by Rule 1003(b)(1).
---------------------------------------------------------------------------

    \698\ The Commission notes that ``a plan for assessments'' is 
derived from a combination of the ``ongoing monitoring'' and 
``assessments'' elements of the proposed SCI entity safe harbor. 
Because ``a plan for assessments'' could provide for ongoing (i.e., 
periodic or continuous) monitoring, the Commission believes that it 
would be duplicative to include both monitoring and a plan for 
assessments as required elements of systems compliance policies and 
procedures.
    \699\ See supra note 690 and accompanying text (discussing the 
view of a commenter that the proposed element of the SCI entity safe 
harbor related to ongoing monitoring was too broad and should be 
eliminated or revised to be more flexible) and supra note 694 and 
accompanying text (discussing comments seeking guidance on how an 
SCI entity could satisfy the requirements related to reviews and 
assessments by legal and compliance personnel). Further, in response 
to a commenter, a plan for assessments is different from the testing 
of SCI systems prior to implementation of systems changes. See supra 
note 692 and accompanying text.
---------------------------------------------------------------------------

    In addition, in response to a commenter's concern that the proposed 
safe harbor element of ``monitoring of the functionality of [SCI] 
systems to detect whether they are operating in the manner intended'' 
is potentially quite broad and seems to suggest some form of 
independent validation, the Commission notes that it is not requiring 
SCI entities to include independent validation in their assessment 
plans.\700\ However, if an SCI entity determines that its reasonably 
designed systems compliance policies and procedures should provide for 
independent validation in its assessment plan under certain 
circumstances, then the SCI entity should design its policies and 
procedures accordingly. In that case, pursuant to Rule 1001(b), which 
requires an SCI entity to establish, maintain, and enforce its written 
policies and procedures, the SCI entity would be required to enforce 
its own policies and procedures, including those related to independent 
validation.
---------------------------------------------------------------------------

    \700\ See supra note 691 and accompanying text.
---------------------------------------------------------------------------

    In addition, the Commission believes that ``a plan of coordination 
and communication between regulatory and other personnel of the SCI 
entity, including by responsible SCI personnel, regarding SCI systems 
design, changes, testing, and controls designed to detect and prevent 
systems compliance issues'' is appropriate for inclusion as a required 
element of systems compliance policies and procedures. As noted in the 
SCI Proposal, assessments of SCI systems compliance by personnel 
familiar with applicable laws and rules 
and regulatory personnel review of SCI systems design, changes, 
testing, and controls are intended to help foster coordination between 
the information technology and regulatory staff of an SCI entity so 
that SCI events and other issues related to SCI systems would be more 
likely to be addressed by a team of staff in possession of the 
requisite range of knowledge and skills.\701\ They are also intended to 
help ensure that an SCI entity's business interests do not undermine 
regulatory, surveillance, and compliance functions and, more broadly, 
the requirements of the Exchange Act, during the development, testing, 
implementation, and operation processes for SCI systems.\702\ The 
Commission believes that a plan of coordination and communication 
between regulatory and other personnel, including by responsible SCI 
personnel, would further these same goals.
---------------------------------------------------------------------------

    \701\ See Proposing Release, supra note 13, at 18116.
    \702\ For example, profit incentive could lead an SCI entity to 
introduce a new functionality before regulatory personnel are able 
to adequately check that the functionality will operate in 
compliance with relevant laws and rules.
---------------------------------------------------------------------------

    The Commission expects that an SCI entity will determine for itself 
the responsible SCI personnel and other personnel who have sufficient 
knowledge of relevant laws and rules to be able to effectively 
implement systems assessments,\703\ such that the SCI entity's policies 
and procedures are reasonably designed to ensure that SCI systems 
operate in compliance with the Exchange Act and relevant rules, as 
required by Rule 1001(b).\704\ Similarly, the Commission expects that 
an SCI entity will determine for itself the regulatory and other 
personnel, including responsible SCI personnel, who have sufficient 
knowledge with respect to the legal and technical aspects of systems 
design, changes, testing, and controls to engage in coordination and 
communication regarding such operations, such that the SCI entity's 
policies and procedures are reasonably designed to ensure that its SCI 
systems operate in compliance with the Exchange Act and relevant rules, 
as required by Rule 1001(b).\705\
---------------------------------------------------------------------------

    \703\ See supra notes 694-696 and accompanying text (describing 
comments on the proposed safe harbor related to who would be 
involved in systems assessments).
    \704\ Criteria for identification of such personnel could, for 
example, be set forth in the SCI entity's systems compliance 
policies and procedures.
    \705\ Some commenters expressed concern regarding the potential 
liability for regulatory personnel. See supra note 697 and 
accompanying text. The Commission discusses individual liability in 
Section IV.B.2.d below.
---------------------------------------------------------------------------

    One commenter sought clarity on how an SCI entity would satisfy the 
requirement that it does ``not have reasonable cause to believe the 
policies and procedures were not being complied with.'' \706\ Another 
commenter stated that there is no guidance for SCI entities on how to 
appropriately follow the procedures that they have developed and stated 
that as proposed, it would be reasonable to interpret the safe harbor 
as excluding any SCI entity that suffers a significant systems 
event.\707\ One commenter believed that the Commission should resolve 
any potential ambiguity between the requirements of proposed Rule 
1000(b)(2)(ii)(C)(1) (requiring SCI entities to reasonably discharge 
the duties and obligations set forth in the policies and procedures) 
and proposed Rule 1000(b)(2)(ii)(C)(2) (requiring that SCI entities not 
have reasonable cause to believe such policies and procedures were not 
being complied with).\708\ As discussed throughout this section, the 
Commission is not adopting the proposed safe harbor for SCI entities. 
Therefore, as adopted, Rule 1001(b) does not include the provisions of 
proposed Rules 1000(b)(2)(ii)(B) and (C). Further, the Commission 
believes that proposed Rules 1000(b)(2)(ii)(B) and (C) reiterated the 
requirements for SCI entities to establish, maintain, and enforce their 
systems compliance policies and procedures, and provided an example of 
how SCI entities could satisfy these requirements. For example, the SCI 
Proposal noted that proposed Rules 1000(b)(2)(ii)(B) and (C) specified 
that an SCI entity's policies and procedures must be reasonably 
designed to achieve SCI systems compliance, and that, as part of such 
policies and procedures, the SCI entity must establish and maintain 
systems for applying those policies and procedures, and enforce its 
policies and procedures, in a manner that would reasonably allow it to 
prevent and detect violations of the policies and procedures.\709\ The 
Commission believes that Rule 1001(b), as adopted, provides flexibility 
to SCI entities regarding their methods for establishing, maintaining, 
and enforcing their systems compliance policies and procedures.
---------------------------------------------------------------------------

    \706\ See FINRA Letter at 35.
    \707\ See OTC Markets Letter at 15.
    \708\ See MSRB Letter at 13-15.
    \709\ See Proposing Release, supra note 13, at 18116.
---------------------------------------------------------------------------

d. Individual Safe Harbor
    Proposed Rule 1000(b)(2)(iii) set forth a safe harbor for 
individuals. It provided that a person employed by an SCI entity would 
be deemed not to have aided, abetted, counseled, commanded, caused, 
induced, or procured the violation by any other person of proposed Rule 
1000(b)(2)(i) if the person employed by the SCI entity has reasonably 
discharged the duties and obligations incumbent upon such person by the 
policies and procedures, and was without reasonable cause to believe 
that such policies and procedures were not being complied with in any 
material respect.
    In the SCI Proposal, the Commission asked whether commenters agreed 
with the requirements of the proposed safe harbor for employees of SCI 
entities, and whether a similar safe harbor should be available to 
individuals other than employees of SCI entities.\710\ Some commenters 
specifically addressed the proposed safe harbor for individuals.\711\ 
Several commenters urged that individuals not be subject to liability 
under Regulation SCI absent an intentional act of willful 
misconduct.\712\ Two commenters questioned the need for a safe harbor 
for individuals generally,\713\ and one commenter stated 
that inclusion of a safe harbor would unnecessarily and severely limit 
the Commission's ability to deter violations through meaningful 
enforcement actions.\714\ Two commenters questioned why the proposed 
safe harbor for individuals was limited to SCI entity employees.\715\ 
One commenter expressed concern that the proposed safe harbor for 
individuals could be counterproductive and create an environment of 
second-guessing and distrust, where employees act in a way to avoid 
potential liability (i.e., each person would be effectively deputized 
to police others' actions).\716\ A few commenters added that the 
proposed safe harbor for individuals, and the resulting implication of 
potential individual liability, may have the unintended consequence of 
limiting the ability of SCI entities to hire the best available talent 
in information technology, risk-management, and compliance 
disciplines.\717\ One commenter questioned why the proposed safe harbor 
for individuals would apply only to actions of aiding any other person 
and not apply to any actions of the reporting individual.\718\
---------------------------------------------------------------------------

    \710\ See id. at 18117, question 103.
    \711\ See, e.g., Angel Letter; Direct Edge Letter; FINRA Letter; 
FSR Letter; and MSRB Letter.
    \712\ See Direct Edge Letter at 6; and MSRB Letter at 17. See 
also supra notes 650 and 654 and accompanying text (discussing 
comments suggesting individual safe harbors). One commenter 
suggested that the safe harbor should provide that a person employed 
by an SCI entity shall be deemed not to have aided, abetted, 
counseled, commanded, caused, induced, or procured the violation by 
any other person unless such violation directly or indirectly 
relates to the duties and obligations of such person under the 
policies and procedures described in Rule 1000(b)(2)(i) and such 
person: (A) Has not reasonably discharged the applicable duty or 
obligation under such policies and procedures; (B) was not directed 
by his or her supervisor, SCI entity legal counsel, SCI senior 
management, or the governing body of the SCI entity to act in a 
manner that would constitute such a failure to discharge such duty 
or obligation; and (C) acted recklessly or intentionally with 
respect to such failure to discharge such duty or obligation. See 
MSRB Letter at 17. The Commission believes that elements (A) and (B) 
of this commenter's suggestion are consistent with the adopted 
individual safe harbor. In particular, the Commission notes that the 
safe harbor specifies that an individual must have reasonably 
discharged the duties and obligations incumbent upon such person by 
the SCI entity's policies and procedures. The Commission believes 
that there can be instances where a person has reasonably discharged 
his or her duties and obligations under the SCI entity's policies 
and procedures, even though such person was directed by his or her 
supervisor, SCI entity legal counsel, SCI entity senior management, 
or the governing body of the SCI entity to act in a manner that is 
inconsistent with his or her duties that are set forth in the policies 
and procedures. For example, the SCI entity's reasonably designed 
policies and procedures could specifically set forth circumstances 
where certain personnel of the SCI entity may direct another person 
to act outside of his or her duties or obligations that are set 
forth in the policies and procedures.
    \713\ See FINRA Letter at 35; and FSR Letter at 3-8 (stating 
that the proposed rule lacks clarity over why individuals need a 
safe harbor when the policies and procedures requirement is placed 
exclusively on SCI entities, and lacks clarity regarding to whom SCI 
entities or SCI personnel would be liable for a breach and how 
liability would be apportioned between market participants for an 
SCI event). See also MSRB Letter at 15 (seeking further 
clarification from the Commission regarding the nature of the 
potential liabilities faced by individuals).
    \714\ See Better Markets Letter at 6.
    \715\ See FINRA Letter at 35; and MSRB Letter at 17. These 
commenters suggested extending the safe harbor to contractors, 
consultants, and other non-employees used by SCI entities in 
connection with their SCI systems. See FINRA Letter at 35; and MSRB 
Letter at 17.
    \716\ See MSRB Letter at 15-17.
    \717\ See Direct Edge Letter at 6; and MSRB Letter at 17.
    \718\ See Angel Letter at 4.
---------------------------------------------------------------------------

    After careful consideration of these comments, the Commission is 
adopting the individual safe harbor with certain modifications. With 
respect to the commenter who expressed concern that a safe harbor would 
``unnecessarily and severely'' limit the Commission's ability to deter 
violations through meaningful enforcement actions,\719\ the Commission 
notes that Regulation SCI only imposes obligations directly on SCI 
entities and the Commission is not adopting a safe harbor for SCI 
entities. Further, personnel of SCI entities qualify for the individual 
safe harbor under Rule 1001(b) only if they satisfy certain 
requirements.\720\ In particular, in connection with a Commission 
finding that an SCI entity violated Rule 1001(b), the individual safe 
harbor will not apply if an SCI entity personnel failed to reasonably 
discharge his or her duties and obligations under the policies and 
procedures. In addition, for an SCI entity personnel who is responsible 
for or has supervisory responsibility over an SCI system, the 
individual safe harbor also will not apply if he or she had reasonable 
cause to believe that the policies and procedures related to such an 
SCI system were not in compliance with Rule 1001(b) in any material 
respect. Therefore, the Commission does not believe that the individual 
safe harbor will ``unnecessarily and severely'' limit the Commission's 
ability to deter violations.
---------------------------------------------------------------------------

    \719\ See supra note 714 and accompanying text.
    \720\ As discussed below in this section, the Commission is 
extending the safe harbor to all personnel of an SCI entity, rather 
than only persons employed by an SCI entity, as proposed.
---------------------------------------------------------------------------

    With respect to commenters who questioned the need for an 
individual safe harbor because Rule 1001(b) imposes an obligation on 
SCI entities,\721\ the Commission agrees that Regulation SCI imposes 
direct obligations on SCI entities, and does not impose obligations 
directly on personnel of SCI entities. At the same time, as with all 
other violations of the Exchange Act and rules that impose obligations 
on an entity, there is a potential for secondary liability for an 
individual who aided and abetted or caused a violation. The Commission 
is therefore revising the individual safe harbor to clarify that 
personnel of an SCI entity shall be deemed not to have aided, abetted, 
counseled, commanded, caused, induced, or procured the violation by 
``an SCI entity'' (rather than ``any other person'') of Rule 1001(b) if 
the elements of the safe harbor are satisfied.
---------------------------------------------------------------------------

    \721\ See supra note 713 and accompanying text.
---------------------------------------------------------------------------

    As noted above, one commenter questioned why the proposed safe 
harbor for individuals would only apply to actions of aiding another 
and not apply to any direct violative action of the reporting 
individual.\722\ The Commission notes that the individual safe harbor 
only applies to actions of aiding, abetting, counseling, commanding, 
causing, inducing, or procuring the violation by an SCI entity because 
Regulation SCI does not impose any direct obligations on personnel of 
SCI entities. Therefore, individuals could not be found to be in 
violation of Regulation SCI, except through aiding, abetting, 
counseling, commanding, causing, inducing, or procuring the violation 
by an SCI entity of Regulation SCI.
---------------------------------------------------------------------------

    \722\ See supra note 718 and accompanying text.
---------------------------------------------------------------------------

    With respect to commenters who suggested extending the individual 
safe harbor to contractors, consultants, and other non-employees used 
by SCI entities in connection with their SCI systems,\723\ the 
Commission agrees with these comments and is extending the safe harbor 
to all ``personnel of an SCI entity,'' rather than only persons 
employed by an SCI entity, as was proposed. Specifically, the 
Commission believes that contractors, consultants, and other similar 
non-employees may act in a capacity similar to an SCI entity's 
employees, and thus should be able to avail themselves of the 
individual safe harbor if they satisfy its requirements.
---------------------------------------------------------------------------

    \723\ See supra note 715 and accompanying text.
---------------------------------------------------------------------------

    To be covered by the individual safe harbor, for which the 
individual has the burden of proof, personnel of an SCI entity must: 
(i) Have reasonably discharged the duties and obligations incumbent 
upon such person by the SCI entity's policies and procedures; and (ii) 
be without reasonable cause to believe that the policies and procedures 
relating to an SCI system for which such person was responsible, or had 
supervisory responsibility, were not established, maintained, or 
enforced in accordance with Rule 1001(b) in any material respect. 
Element (i) of the adopted individual safe harbor is substantively 
unchanged from the proposal. For the reasons discussed below in this 
section, element (ii) of the adopted individual safe harbor specifies 
that it applies only to a person who is responsible for or has 
supervisory responsibility over an SCI system. In addition, rather than 
requiring an individual to be without reasonable cause to believe that 
systems compliance policies and procedures ``were not being complied 
with in any material respect'' as proposed, element (ii) of the adopted 
safe harbor requires the applicable personnel to be without reasonable 
cause to believe that the relevant systems compliance policies and 
procedures ``were not established, maintained, or enforced'' in 
accordance with Rule 1001(b) in any material respect. The Commission 
notes that element (ii) of the adopted safe harbor tracks the language 
of the general requirement under Rule 1001(b) that an SCI entity 
``establish, maintain, and enforce'' written policies and procedures 
reasonably designed to ensure systems compliance, and appropriately 
reflects the responsibilities of a person who is responsible for or has 
supervisory responsibility over an SCI system.\724\
---------------------------------------------------------------------------

    \724\ As noted below, the Commission believes it is appropriate 
in the context of the safe harbor that, if a person with 
responsibility over an SCI system becomes aware of potential 
material non-compliance of the SCI entity's policies and procedures 
related to that system, such person should take action to review and 
address, or direct other personnel to review and address, such 
material non-compliance.

---------------------------------------------------------------------------

    The Commission believes that it is appropriate to not provide a 
safe harbor to a person with responsibility over an SCI system if such 
person had reasonable cause to believe that the policies and procedures 
for such system were not established, maintained, or enforced as 
required by Rule 1001(b) in a material respect. The limited application 
of this element to such personnel (rather than to any person employed 
by an SCI entity as proposed) is intended to mitigate commenters' 
concerns that the proposed safe harbor would create an environment of 
distrust and limit the ability of SCI entities to hire high quality 
personnel.\725\ In particular, personnel who are not responsible for 
and do not have supervisory responsibility over SCI systems can qualify 
for the individual safe harbor, regardless of their belief regarding 
the reasonableness of the SCI entity's systems compliance policies and 
procedures. Therefore, such personnel would not be ``deputized to 
police'' the actions of other personnel, as a commenter believed they 
would.\726\ Further, with respect to personnel who are responsible for 
or have supervisory responsibility over an SCI system, such personnel 
likely already have the responsibility to supervise others' activities 
related to that SCI system, which would provide such personnel with 
information to form a reasonable belief regarding the reasonableness of 
the policies and procedures. Because Rule 1001(b) is intended to help 
prevent the occurrence of systems compliance issues at SCI entities, 
the Commission believes that it is appropriate for supervisory 
personnel to be knowledgeable regarding the entity's policies and 
procedures regarding systems compliance, which may be accomplished 
through training provided by the SCI entity. Moreover, the Commission 
believes it is appropriate in the context of the safe harbor that, if a 
person with responsibility over an SCI system becomes aware of 
potential material non-compliance of the SCI entity's policies and 
procedures related to that system, such person should take action to 
review and address, or direct other personnel to review and address, 
such material non-compliance. Finally, to further mitigate commenters' 
concern that potential individual liability may limit the hiring 
ability of SCI entities,\727\ as noted above, personnel of an SCI 
entity will not be deemed to have aided, abetted, counseled, commanded, 
caused, induced, or procured the violation by an SCI entity of 
Regulation SCI merely because the SCI entity experienced a systems 
compliance issue, whether or not the person was able to take advantage 
of the individual safe harbor.
---------------------------------------------------------------------------

    \725\ See supra notes 716-717 and accompanying text.
    \726\ See supra note 716 and accompanying text.
    \727\ See supra note 717 and accompanying text.
---------------------------------------------------------------------------

    As noted above, with respect to a personnel of an SCI entity who is 
not responsible for and does not have supervisory responsibility over 
SCI systems, the safe harbor provides that such personnel shall be 
deemed not to have aided, abetted, counseled, commanded, caused, 
induced, or procured the violation by an SCI entity of Rule 1001(b) if 
such person has reasonably discharged the duties and obligations 
incumbent upon him or her by the systems compliance policies and 
procedures. Therefore, unlike personnel who are responsible for or have 
supervisory responsibility over SCI systems, these persons would not be 
liable even if the SCI entity itself did not have reasonably designed 
systems compliance policies and procedures or did not enforce its 
policies and procedures, as long as they discharged their duties and 
obligations under the policies and procedures in a reasonable 
manner.\728\ The Commission believes this safe harbor is appropriate 
because the persons who will seek to rely on this safe harbor are those 
who do not have responsibility for the establishment, maintenance, and 
enforcement of the policies and procedures, or the actions of other 
personnel of the SCI entity.
---------------------------------------------------------------------------

    \728\ The Commission believes that, in order for a person to 
reasonably discharge his duties and obligations under the SCI 
entity's policies and procedures, that person must be able to 
understand his duties and obligations under such policies and 
procedures, which may be accomplished through training provided by 
the SCI entity.
---------------------------------------------------------------------------

    With respect to commenters who argued that individuals should not 
be subject to liability under Regulation SCI absent an intentional act 
of willful misconduct,\729\ the Commission notes again that Regulation 
SCI imposes direct obligations only on SCI entities, and not on 
individuals. However, as with all other violations of provisions of the 
Exchange Act and rules that impose obligations on an entity, there is a 
potential for secondary liability for an individual who aided and 
abetted or caused a violation. As discussed above in the context of SCI 
entities, all SCI entities are required to comply with the Exchange 
Act, the rules and regulations thereunder, and their own rules and 
governing documents, as applicable, and the purpose of Rule 1001(b) is 
to effectively help ensure compliance of the operation of SCI systems 
with the Exchange Act, the rules and regulations thereunder, and their 
own rules and governing documents. The Commission does not believe that 
the rule would further this goal to the same degree if the Commission 
adopts commenters' suggestions for the individual safe harbor (i.e., 
personnel of an SCI entity are permitted to cause an SCI entity to be 
out of compliance with Rule 1001(b) so long as the personnel did not 
act intentionally or willfully).
---------------------------------------------------------------------------

    \729\ See supra note 712 and accompanying text.
---------------------------------------------------------------------------

3. SCI Events: Corrective Action; Commission Notification; 
Dissemination of Information--Rule 1002
    Adopted Rule 1002, which corresponds to proposed Rules 1000(b)(3)-
(5), requires an SCI entity to take corrective action, notify the 
Commission, and disseminate information regarding certain SCI events.
a. Triggering Standard
    As proposed, the obligation of an SCI entity to take corrective 
action (proposed Rule 1000(b)(3)), notify the Commission (proposed Rule 
1000(b)(4)), and disseminate information (proposed Rule 1000(b)(5)) 
would have been triggered upon ``any responsible SCI personnel becoming 
aware of'' an SCI event.\730\ Proposed Rule 1000(a) defined 
``responsible SCI personnel'' to mean, for a particular SCI system or 
SCI security system impacted by an SCI event, any personnel, whether an 
employee or agent, of an SCI entity having responsibility for such 
system.\731\ In the SCI Proposal, the Commission noted that this 
proposed definition was intended to include any personnel of the SCI 
entity having responsibility for the specific system(s) impacted by a 
given SCI event.\732\ The Commission stated that such personnel would 
include any technology, business, or operations staff with 
responsibility for such systems, and with respect to systems compliance 
issues, any regulatory, legal, or compliance personnel with legal or 
compliance responsibility for such systems.\733\ The Commission also 
explained that ``responsible SCI personnel'' would not be limited to 
managerial or senior-level employees of the SCI entity and could 
include junior personnel with responsibility for a particular 
system.\734\
---------------------------------------------------------------------------

    \730\ See proposed Rules 1000(b)(3), 1000(b)(4)(i)-(ii), and 
1000(b)(5)(i)-(ii).
    \731\ See proposed Rule 1000(a) and Proposing Release, supra 
note 13, at Section III.C.3.a.
    \732\ See Proposing Release, supra note 13, at 18118.
    \733\ See id.
    \734\ See id.
---------------------------------------------------------------------------

    After considering the views of commenters, the Commission is 
modifying the proposed standard for triggering corrective action, 
Commission notification, and dissemination of information obligations 
in adopted Rule 1002, including by amending the definition of 
responsible SCI personnel, as discussed below.
Responsible SCI Personnel
    Many commenters expressed concern that the proposed definition of 
responsible SCI personnel was too broad.\735\ These commenters 
generally urged the Commission to revise the scope of the definition to 
cover only those employees in management or supervisory roles that have 
responsibility over an SCI system, rather than including relatively 
junior or inexperienced employees.\736\ Some of these commenters stated 
that junior employees and/or technology personnel may not have the 
training or breadth of knowledge or experience necessary to identify, 
analyze, and determine whether a systems issue is an SCI event under 
the rule.\737\ Similarly, one commenter advocated limiting responsible 
SCI personnel to employees with full knowledge and authority over a 
system.\738\ Some commenters also suggested that SCI entities should 
have the discretion to decide which employees are responsible SCI 
personnel.\739\
---------------------------------------------------------------------------

    \735\ See, e.g., Omgeo Letter at 13; MSRB Letter at 6; BATS 
Letter at 8; Liquidnet Letter at 3; CME Letter at 7; OCC Letter at 
12; Joint SROs Letter at 12; FINRA Letter at 25-26; and OTC Markets 
Letter at 19. See also NYSE Letter at 19 (stating that the proposed 
definition was too vague and suggesting an alternative approach). 
See also infra note 761 and accompanying text.
    \736\ See, e.g., Omgeo Letter at 13; MSRB Letter at 6, 18; NYSE 
Letter at 19; BATS Letter at 8; Liquidnet Letter at 3; CME Letter at 
7; OCC Letter at 12; Joint SROs Letter at 12; FINRA Letter at 25-26; 
and OTC Markets Letter at 19. Similarly, with regard to the 
Commission notification requirement in proposed Rule 1000(b)(4), one 
commenter stated that the obligation to notify the Commission should 
only be triggered when the responsible SCI personnel notifies the 
officer or senior staff responsible for the SCI system or systems 
generally. See DTCC Letter at 9.
    \737\ See, e.g., OCC Letter at 12; FINRA Letter at 25-26; and 
OTC Markets Letter at 19.
    \738\ See FIF Letter at 3, 5.
    \739\ See, e.g., Liquidnet Letter at 3; NYSE Letter at 19; and 
Joint SROs Letter at 12.
---------------------------------------------------------------------------

    Similarly, several commenters emphasized the importance of 
escalation policies and procedures, pursuant to which technology staff 
or junior employees could assess a systems problem and escalate the 
issue up the chain of command to management as well as legal and/or 
compliance personnel, who will help determine whether a systems issue 
was an SCI event and whether the obligations under Regulation SCI are 
triggered.\740\ These commenters argued that the rule should allow 
entities to adopt and follow such escalation procedures rather than 
triggering the obligations under Regulation SCI upon one employee's 
awareness of a systems issue.\741\ One commenter also asserted that 
limiting the definition of responsible SCI personnel would be 
appropriate if the Commission also required a robust escalation 
procedure.\742\
---------------------------------------------------------------------------

    \740\ See, e.g., OCC Letter at 12; FINRA Letter at 25-26; Omgeo 
Letter at 13; FIF Letter at 5; and NYSE Letter at 19-20.
    \741\ See, e.g., OCC Letter at 12; FINRA Letter at 25-26; Omgeo 
Letter at 13; FIF Letter at 5; and NYSE Letter at 19-20.
    \742\ See FIF Letter at 5.
---------------------------------------------------------------------------

    Some commenters also expressed concern about the potential 
liability that responsible SCI personnel could face if the rule were 
adopted as proposed, given the breadth of the definition of 
``responsible SCI personnel.'' \743\ Specifically, commenters asserted 
that, as a result of including junior and information technology 
personnel within the definition and the potential liability of such 
individuals, the proposed provision would make it more difficult for 
SCI entities to attract and retain high quality information technology 
employees.\744\ Another commenter noted that responsible operations or 
technical personnel may not be in a position to make legal 
determinations about when a compliance issue has arisen.\745\
---------------------------------------------------------------------------

    \743\ See, e.g., NYSE Letter at 19; BATS Letter at 8; Joint SROs 
Letter at 13; and OTC Markets Letter at 18. See also supra note 717.
    \744\ See, e.g., NYSE Letter at 19; BATS Letter at 8; Joint SROs 
Letter at 13; and OTC Markets Letter at 18. These commenters 
therefore recommended that the definition include only senior 
personnel who would more appropriately be responsible for making a 
determination as to whether an SCI event had occurred given their 
knowledge and authority.
    \745\ See Omgeo Letter at 13.
---------------------------------------------------------------------------

    After consideration of the views of commenters, the Commission has 
revised the term ``responsible SCI personnel'' to mean, ``for a 
particular SCI system or indirect SCI system impacted by an SCI event, 
such senior manager(s) of the SCI entity having responsibility for such 
system, and their designee(s).'' \746\ The Commission agrees that the 
proposed definition of responsible SCI personnel was broad and, 
consistent with the views of some commenters, believes that it is 
appropriate to instead focus the adopted definition on senior personnel 
of SCI entities that have responsibility for a particular system.\747\ 
The Commission believes that adopting a more focused definition of 
responsible SCI personnel to include only senior managers having 
responsibility for a given system (and their designees) addresses 
commenters' concerns that the obligations of the rule could have been 
triggered upon the awareness of junior or inexperienced employees who 
lack the knowledge or experience to be able to make a determination 
regarding whether an SCI event had, in fact, occurred.\748\ The 
Commission believes that the revised definition is a better approach 
than the proposed definition because, consistent with suggestions from 
some commenters, it will appropriately allow SCI entities to adopt 
procedures that would require personnel of an SCI entity to escalate a 
systems issue to senior individuals who are responsible for a 
particular system and who have the ability and authority to 
appropriately analyze and assess the issue affecting the SCI system or 
indirect SCI system, and their designees, as applicable.\749\
---------------------------------------------------------------------------

    \746\ See adopted Rule 1000.
    \747\ See generally supra notes 735-738 and accompanying text.
    \748\ See supra notes 736-737. See also note 738 and 
accompanying text.
    \749\ See supra Section IV.B.1.b (discussing Rule 
1001(a)(1)(2)(vii), which requires an SCI entity to have policies 
and procedures to provide for monitoring of SCI systems, and 
indirect SCI systems, as applicable, to identify potential SCI 
events, and escalate them to responsible SCI personnel); and infra 
notes 758-761 and accompanying text.
---------------------------------------------------------------------------

    The Commission also notes that, consistent with some commenters' 
recommendations, under the adopted rule, SCI entities will be afforded 
flexibility to determine which personnel to designate as ``responsible 
SCI personnel.'' \750\ Specifically, SCI entities will need to 
affirmatively identify one or more senior managers that have 
responsibility for each of its SCI systems or indirect SCI 
systems.\751\ In addition, the Commission notes that the definition of 
responsible SCI personnel affords SCI entities with the flexibility to 
designate one or more other personnel as designees for a given 
system.\752\ The Commission believes that it is important to include 
designees within the definition of responsible SCI personnel to provide 
an SCI entity with the flexibility that it may need, and 
which the Commission believes is necessary, given the varying sizes, 
natures, and complexities of each SCI entity. A senior manager may name 
a designee (or designees) who would also have responsibility for a 
given system with regard to Regulation SCI, for example, if the senior 
manager is absent, is occupied with other oversight responsibilities 
for a period of time, or because of other practical limitations, is 
otherwise unavailable to assess the SCI entity's obligations under 
Regulation SCI at a given point in time. The Commission believes it is 
likely that the designation of a designee and such designee's 
particular responsibilities with regard to an SCI system or indirect 
SCI system would be addressed by an SCI entity's policies and 
procedures, as discussed below. However, the Commission notes that 
while the definition of ``responsible SCI personnel'' does not permit 
the senior manager having responsibility for an applicable system to 
disclaim responsibility under the rule by delegating it fully to one or 
more designees (i.e., the adopted rule reads ``and their designees'' 
rather than ``or their designees''), it may assist SCI entities in 
fulfilling their responsibilities under Regulation SCI by allowing them 
to delegate to personnel other than senior managers such that those 
designees can also serve in the role of responsible SCI personnel.
---------------------------------------------------------------------------

    \750\ See supra note 739 and accompanying text.
    \751\ See Rule 1001(c).
    \752\ The Commission notes that the rules do not, however, 
require SCI entities to have designees. Rather, each SCI entity has 
the discretion to have designees if they choose to do so.
---------------------------------------------------------------------------

    The Commission further believes that the modifications to the 
definition address some commenters' concerns regarding the potential 
liability of junior SCI personnel, as the obligations of the rule are 
now triggered only when senior managers, rather than junior employees, 
having responsibility for a particular system have a reasonable basis 
to conclude that an SCI event has occurred.\753\ Further, the 
Commission reiterates that Regulation SCI imposes direct obligations on 
SCI entities and does not impose obligations directly on personnel of 
SCI entities. For these reasons, the Commission believes that an SCI 
entity's ability to attract and retain employees should not be 
negatively affected by the requirements of Regulation SCI, as 
adopted.\754\ The Commission also reiterates that the occurrence of an 
SCI event may be probative, but is not determinative of whether an SCI 
entity violated Regulation SCI.\755\
---------------------------------------------------------------------------

    \753\ See supra notes 743-744 and accompanying text.
    \754\ See supra notes 721 and 743-744 and accompanying text. The 
Commission notes that commenters' concerns regarding potential 
liability of employees were related to the scope of the proposed 
definition of responsible SCI personnel and the effect on the hiring 
and retention of junior and information technology personnel. 
Commenters believed that the definition should instead focus on 
senior managers who could appropriately be held responsible given 
their responsibilities and authority to take necessary actions under 
the rule.
    \755\ See, e.g., supra notes 470 and 627 and accompanying text.
---------------------------------------------------------------------------

    In light of the more focused definition of responsible SCI 
personnel and consistent with commenters' suggestions,\756\ the 
Commission believes it is appropriate to also adopt a policies and 
procedures requirement with respect to the designation of responsible 
SCI personnel and escalation procedures. As discussed above, many 
commenters highlighted the importance of escalation procedures and 
advocated for their use as an alternative to the adoption of a broader 
definition of responsible SCI personnel.\757\ Specifically, the 
Commission is adopting Rule 1001(c), which requires each SCI entity to 
``[e]stablish, maintain, and enforce reasonably designed written 
policies and procedures that include the criteria for identifying 
responsible SCI personnel, the designation and documentation of 
responsible SCI personnel, and escalation procedures to quickly inform 
responsible SCI personnel of potential SCI events.'' The Commission 
believes that it is important for an SCI entity's policies and 
procedures to have a defined set of criteria for identifying 
responsible SCI personnel so that such personnel are identified in a 
consistent manner across all of an SCI entity's operations and with 
regard to all of its SCI systems and indirect SCI systems. The 
Commission believes that SCI entities are best suited to establish the 
appropriate criteria for such a designation but notes that such 
criteria could include, for example, consideration of the level of 
knowledge, skills, and authority necessary to take the required actions 
under the rules. The Commission also believes it is important for 
policies and procedures to include the designation and documentation of 
responsible SCI personnel, so that it is clear to all employees of the 
SCI entity who the designated responsible SCI personnel are for 
purposes of the escalation procedures and so that Commission staff can 
easily identify such responsible SCI personnel in the course of its 
inspections and examinations and other interactions with SCI entities. 
The Commission also believes that, given the more focused definition of 
responsible SCI personnel, escalation procedures to quickly inform 
responsible SCI personnel of potential SCI events are necessary to help 
ensure that the appropriate person(s) are provided notice of potential 
SCI events so that any appropriate actions can be taken in accordance 
with the requirements of Regulation SCI without unnecessary delay. Such 
escalation procedures would establish the means by which, and actions 
required for, escalating information regarding a systems issue that may 
be an SCI event up the chain of command to the responsible SCI 
personnel, who will be responsible for determining whether an SCI event 
has occurred and what resulting obligations may be triggered. The 
Commission notes that each SCI entity may establish escalation 
procedures that conform to its needs, organization structure, and size. 
By requiring that responsible SCI personnel are ``quickly inform[ed]'' 
of potential SCI events, the Commission intends to require that 
escalation procedures emphasize promptness and ensure that responsible 
SCI personnel are informed of potential SCI events without delay. At 
the same time, the rule does not prescribe a specific time requirement 
in order to give flexibility to SCI entities in recognition that 
immediate notification may not be possible or feasible. Further, 
similar to adopted Rules 1001(a) and 1001(b), Rule 1001(c) requires 
that an SCI entity periodically review the effectiveness of the 
policies and procedures related to responsible SCI personnel, and to 
take prompt action to remedy deficiencies in such policies and 
procedures.
---------------------------------------------------------------------------

    \756\ See supra notes 740-742 and accompanying text and infra 
notes 759-761 and accompanying text.
    \757\ See supra notes 740-742 and accompanying text.
---------------------------------------------------------------------------

Becomes Aware
    Several commenters criticized the proposed requirement that certain 
obligations under Regulation SCI be triggered when a responsible SCI 
personnel ``becomes aware'' of an SCI event. Some commenters stated 
that the standard was vague and lacked clarity regarding when, exactly, 
responsible SCI personnel would be deemed to become aware of an SCI 
event.\758\ Further, some commenters noted that the ``becomes aware'' 
standard emphasized immediate action over methodical escalation, 
diagnosis, and resolution procedures.\759\ As noted above, several 
commenters emphasized the importance of escalation policies and 
procedures, and argued that the rule should allow entities to adopt and 
follow such escalation procedures rather 
than triggering the obligations under Regulation SCI upon one 
employee's awareness of a systems issue.\760\ Another commenter 
suggested specific revisions to the triggering standard so that the 
phrase ``responsible SCI personnel becoming aware'' would be eliminated 
entirely and replaced with ``SCI entity having a reasonable basis to 
conclude,'' which it believed would allow for escalation through a 
normal chain of command.\761\
---------------------------------------------------------------------------

    \758\ See, e.g., BATS Letter at 8-9; NYSE Letter at 19; and 
Joint SROs Letter at 12.
    \759\ See Joint SROs Letter at 3, 9, and 12. See also OCC Letter 
at 12; FINRA Letter at 25-26; Omgeo Letter at 13; FIF Letter at 5; 
and NYSE Letter at 19-20.
    \760\ See supra notes 740-742 and accompanying text.
    \761\ See NYSE Letter at 19.
---------------------------------------------------------------------------

    With regard to the Commission notification requirements 
specifically,\762\ one commenter suggested that SCI entities should 
only be required to notify the Commission ``upon confirming the 
existence of an SCI event,'' \763\ while another commenter stated that 
the rule should require notification to the Commission as soon as 
reasonably practicable after responsible personnel becomes aware of the 
SCI event.\764\ Similarly, one commenter believed that the ``becomes 
aware'' standard was problematic because it would require notification 
before an SCI entity has accurate information upon which to act.\765\
---------------------------------------------------------------------------

    \762\ See infra Section IV.B.3.c (discussing the Commission 
notification requirement for SCI events).
    \763\ See Direct Edge Letter at 8.
    \764\ See Omgeo Letter at 17.
    \765\ See FIF Letter at 5 (urging that notification be required 
when ``accurate and actionable'' information is provided to 
responsible SCI personnel). See also BATS Letter at 9.
---------------------------------------------------------------------------

    After consideration of the views of commenters, the Commission has 
determined to revise the triggering standard so that SCI entities will 
be required to comply with the obligations of adopted Rule 1002 upon 
responsible SCI personnel having ``a reasonable basis to conclude'' 
that an SCI event has occurred, as suggested by a commenter.\766\ This 
standard permits an SCI entity to gather relevant information and 
perform an initial analysis and assessment as to whether a systems 
issue may be an SCI event, rather than requiring an SCI entity to take 
corrective action, notify the Commission, and/or disseminate 
information about an SCI event immediately upon responsible SCI 
personnel becoming aware of an SCI event.\767\ Thus, the Commission 
believes that the ``reasonable basis to conclude'' standard should 
provide some additional flexibility and time for judgment to determine 
whether there is a ``reasonable basis to conclude,'' in contrast to the
``becomes aware'' standard, which many commenters noted would be
difficult to apply in practice due to the difficulty of determining 
when an individual, in fact, ``becomes aware'' of an SCI event.\768\ 
Further, the Commission believes that, consistent with commenters' 
recommendations, the revised standard, in conjunction with the revised 
definition of ``responsible SCI personnel,'' will allow an SCI entity 
to adopt and follow its internal escalation policies and procedures to 
inform senior SCI entity personnel of systems issues, and allow 
meaningful assessment of the issues by such senior management prior to 
triggering obligations of the rule.\769\ At the same time, the 
Commission believes that the obligations of the rule will continue to 
be triggered in a timely manner because the Commission is adopting a 
separate requirement in Rule 1001(c), as noted above, for escalation 
procedures to quickly inform responsible SCI personnel of potential SCI 
events.
---------------------------------------------------------------------------

    \766\ See adopted Rules 1002(a), (b), and (c). See also supra 
note 761.
    \767\ See supra notes 759 and 763-765 and accompanying text. 
Additionally, the Commission does not agree with the commenter who 
stated that notification should be required only as soon as 
reasonably practicable after responsible personnel become aware of 
an SCI event because that standard would unnecessarily delay the 
requirement for an SCI entity to take necessary actions under the 
rule and the Commission's knowledge of an SCI event. See supra note 
764.
    \768\ See supra note 758 and accompanying text.
    \769\ See supra notes 758-760 and accompanying text. The 
Commission believes that the adopted standard similarly allows for 
escalation of a systems issue to senior officials because the 
Commission believes that having ``a reasonable basis to conclude'' 
is a good indication that an SCI event has likely occurred and does 
not require that the responsible SCI personnel come to a definitive 
conclusion, which would cause unnecessary delay in taking the 
actions required by Regulation SCI. Rather, once responsible SCI 
personnel have a reasonable basis to conclude that an SCI event has 
occurred, the Commission believes that an SCI entity should begin to 
take corrective action, provide notice to the Commission, and/or 
disclose such event, as applicable, because these requirements are 
designed to ensure that the SCI entity begins to take action in a 
timely fashion to mitigate potential harm arising from the incident 
and that the Commission and relevant market participants are kept 
apprised of an SCI event even where a definitive conclusion is not 
yet available. The Commission does not agree with the commenter that 
it should apply the triggering standard only to the SCI entity 
rather than responsible SCI personnel. The Commission notes, as 
discussed above, that the adopted definition of responsible SCI 
personnel imposes obligations only upon the senior personnel of an 
SCI entity that have responsibility for a particular system. 
Additionally, the Commission believes that it is important to apply 
the triggering standard to responsible SCI personnel rather than to 
the SCI entity because, when combined with an SCI entity's policies 
and procedures with respect to the designation of responsible SCI 
personnel and escalation and monitoring procedures, the triggering 
standard is designed to ensure that senior managers are provided 
notice of potential SCI events so that any appropriate actions can 
be taken in accordance with the requirements of Regulation SCI 
without unnecessary delay.
---------------------------------------------------------------------------

b. Corrective Action--Rule 1002(a)
    Proposed Rule 1000(b)(3) required an SCI entity, upon any 
responsible SCI personnel becoming aware of an SCI event, to begin to 
take appropriate corrective action including, at a minimum, mitigating 
potential harm to investors and market integrity resulting from the SCI 
event and devoting adequate resources to remedy the SCI event as soon 
as reasonably practicable.\770\ The corrective action requirement is 
being adopted substantially as proposed, but with the triggering 
standard modified as discussed above.\771\
---------------------------------------------------------------------------

    \770\ See proposed Rule 1000(b)(3) and Proposing Release, supra 
note 13, at 18117.
    \771\ See supra Section IV.B.3.a (discussing the triggering 
standard).
---------------------------------------------------------------------------

    Two commenters supported the corrective action provision 
generally.\772\ Several commenters stated that the proposed requirement 
put too great an emphasis on immediately taking corrective action at 
the expense of thoroughly analyzing the SCI event and its cause, 
considering potential remedies, and/or acting in accordance with 
internal policies and procedures before committing to a plan to take 
corrective action.\773\ One group of commenters suggested that the rule 
should make clear that ``corrective action'' should also include a 
variety of other potential actions, such as communicating with 
responsible parties, diagnosing the root cause, disclosing to members 
and the public, and mitigating potential harm by following their 
policies and procedures.\774\ Another commenter stated that, in certain 
circumstances, it is ``aggressive to presume that one individual's 
knowledge should prompt an immediate response by the SCI [e]ntity at 
large.'' \775\ This commenter further stated that a standard requiring 
an SCI entity to mitigate potential harm to investors is extremely 
vague.\776\
---------------------------------------------------------------------------

    \772\ See MSRB Letter at 17 and DTCC Letter at 9-10.
    \773\ See SIFMA Letter at 3; OCC Letter at 14; Joint SROs Letter 
at 11; LiquidPoint Letter at 4; DTCC Letter at 10; and Direct Edge 
Letter at 7.
    \774\ See Joint SROs at 11.
    \775\ See Direct Edge Letter at 7.
    \776\ Id.
---------------------------------------------------------------------------

    As adopted, Rule 1002(a) requires an SCI entity, upon any 
responsible SCI personnel having a reasonable basis to conclude that an 
SCI event has occurred, to begin to take appropriate corrective action 
including, at a minimum, mitigating potential harm to investors and 
market integrity resulting
from the SCI event and devoting adequate resources to remedy the SCI
event as soon as reasonably practicable. The Commission continues to 
believe that this provision of Regulation SCI is important to make 
clear that each SCI entity has the obligation to respond to SCI events 
with appropriate steps necessary to remedy the problem or problems 
causing such SCI event and mitigate the negative effects of the SCI 
event, if any, on market participants and the securities markets more 
broadly. As discussed below, the specific steps that an SCI entity will 
need to take to mitigate the harm will be dependent on the particular 
systems issue, its causes, and the estimated impact of the event, among 
other factors. To the extent that a systems issue affects not only the 
particular users of an SCI system, but also has a more widespread 
impact on the market generally, as may be likely with regard to systems 
issues affecting critical SCI systems, the SCI entity will need to 
consider how it might mitigate any potential harm to the overall market 
to help ensure market integrity. For example, an SCI entity would need 
to take steps to regain a system's ability to process transactions in 
an accurate, timely, and efficient manner, or to ensure the accurate, 
timely, and efficient collection, processing, and dissemination of 
market data.
    As noted above, many of the comments on this requirement are 
related to the standard for triggering the obligation to take 
corrective action under this provision, namely ``upon any SCI 
responsible personnel becoming aware of'' an SCI event. As discussed 
above, the Commission has further focused the scope of the term 
``responsible SCI personnel'' in response to commenters' concerns that 
the term was too broad and could inappropriately capture junior and/or 
inexperienced employees. Further, as discussed above, the Commission 
has revised the ``becomes aware'' standard to instead trigger 
obligations when responsible personnel have ``a reasonable basis to 
conclude'' an SCI event has occurred. As explained above, the 
Commission believes that these important modifications are responsive 
to commenters' concerns that the corrective action requirement could be 
triggered upon the knowledge of only one individual or a junior 
employee of a systems issue without sufficient time to analyze and 
assess the systems problem and follow internal escalation procedures. 
Under the adopted standard, only when (i) suspected systems problems 
are escalated to senior managers of the SCI entity who have 
responsibility for the SCI system or indirect SCI system experiencing 
an SCI event and their designees, and (ii) such personnel have ``a 
reasonable basis to conclude'' that an SCI event has occurred are the 
appropriate corrective actions required by Rule 1002(a) triggered.
    Further, in response to commenters who stated that the proposed 
rule places too large an emphasis on immediate corrective action,\777\ 
in addition to the modifications noted above which are intended to 
allow for appropriate time for an SCI entity to perform an initial 
analysis and preliminary investigation into a potential systems issue 
before the obligations under Rule 1002(a) are triggered, the Commission 
notes that it does not use the term ``immediate'' in either the 
proposed or adopted rules. Rather, the Commission emphasizes that the 
rule requires that corrective action be taken ``as soon as reasonably 
practicable'' once the triggering standard has been met. The Commission 
believes that, because the facts and circumstances of each specific SCI 
event will be different, this standard ensures that an SCI entity will 
take necessary corrective action soon after an SCI event, but not 
without sufficient time to first consider what is the appropriate 
action to remedy the SCI event in a particular situation and how such 
action should be implemented.
---------------------------------------------------------------------------

    \777\ See supra notes 773-775 and accompanying text.
---------------------------------------------------------------------------

    Moreover, the Commission has considered the comment that the rule 
prescribe in more specificity the particular types of corrective action 
that must be taken by an SCI entity and believes that it is appropriate 
to adopt, as proposed, a rule that requires more generally that 
``appropriate'' corrective action be taken and requires that, at a 
minimum, the SCI entity take appropriate steps to mitigate potential 
harm to investors and market integrity resulting from the SCI event and 
devote adequate resources to remedy the SCI event. The Commission notes 
that the rule is designed to afford flexibility to SCI entities in 
determining how to best respond to a particular SCI event in order to 
remedy the problem causing the SCI event and mitigate its effects. As a 
general matter, though, the Commission agrees that such corrective 
action would likely include a variety of actions, such as those 
identified by one group of commenters, including determining the scope 
of the SCI event and its causes, making a determination regarding its 
known and anticipated impact, following adequate internal diagnosis and 
resolution policies and procedures, and taking additional action to 
respond as each SCI entity deems appropriate.\778\ The Commission also 
notes that certain other specific types of corrective action identified 
by such commenters are already required by other provisions of 
Regulation SCI, such as communicating and escalating the issue to 
responsible personnel and making appropriate disclosures to members or 
participants regarding the SCI event.\779\
---------------------------------------------------------------------------

    \778\ See supra note 774 and accompanying text.
    \779\ See adopted Rule 1001(c) (requiring policies and 
procedures that include, among other things, escalation procedures 
to quickly inform responsible SCI personnel of potential SCI events) 
and Rule 1002(c) (requiring dissemination of information regarding 
SCI events).
---------------------------------------------------------------------------

c. Commission Notification--Rule 1002(b)
i. Proposed Rule 1000(b)(4)
    Proposed Rule 1000(b)(4) addressed the Commission notification 
obligations of an SCI entity upon any responsible SCI personnel 
becoming aware of an SCI event.\780\ Specifically, proposed Rule 
1000(b)(4)(i) required an SCI entity, upon any responsible SCI 
personnel becoming aware of a systems disruption that the SCI entity 
reasonably estimated would have a material impact on its operations or 
on market participants, any systems compliance issue, or any systems 
intrusion (``immediate notification SCI event''), to notify the 
Commission of such SCI event, which could be done orally or in writing 
(e.g., by email). Proposed Rule 1000(b)(4)(ii) required an SCI entity 
to submit a written notification pertaining to any SCI event to the 
Commission within 24 hours of any responsible SCI personnel becoming 
aware of the SCI event. Proposed Rule 1000(b)(4)(iii) required an SCI 
entity to submit to the Commission continuing written updates on a 
regular basis, or at such frequency as reasonably requested by a 
representative of the Commission, until such time as the SCI event was 
resolved.
---------------------------------------------------------------------------

    \780\ See proposed Rule 1000(b)(4) and Proposing Release, supra 
note 13, at Section III.C.3.b.
---------------------------------------------------------------------------

    Proposed Rule 1000(b)(4)(iv) detailed the types of information that
were required for written notifications under proposed Rule
1000(b)(4).\781\ In
addition, proposed Rule 1000(b)(4)(iv)(C) required an SCI entity to
provide a copy of any information disseminated regarding the SCI event 
to its members or participants or on the SCI entity's publicly 
available Web site.
---------------------------------------------------------------------------

    \781\ Specifically, the SCI Proposal required written 
notifications and updates to be made electronically and required 
initial written notifications to include all pertinent information 
known about an SCI event, including: (1) A detailed description of 
the SCI event; (2) the SCI entity's current assessment of the types 
and number of market participants potentially affected by the SCI 
event; (3) the potential impact of the SCI event on the market; and 
(4) the SCI entity's current assessment of the SCI event, including 
a discussion of the SCI entity's determination regarding whether the 
SCI event was a dissemination SCI event or not. In addition, as 
proposed, to the extent available as of the time of the initial 
notification, Exhibit 1 to Form SCI would have required inclusion of 
the following information: (1) A description of the steps the SCI 
entity was taking, or planned to take, with respect to the SCI 
event; (2) the time the SCI event was resolved or timeframe within 
which the SCI event was expected to be resolved; (3) a description 
of the SCI entity's rule(s) and/or governing documents, as 
applicable, that related to the SCI event; and (4) an analysis of 
the parties that may have experienced a loss, whether monetary or 
otherwise, due to the SCI event, the number of such parties, and an 
estimate of the aggregate amount of such loss. See proposed Rule 
1000(b)(4)(iv)(A).
---------------------------------------------------------------------------

    As described below, adopted Rule 1002(b) retains the general 
framework of proposed Rule 1000(b)(4) for Commission notification of 
SCI events, but makes several modifications in response to comments.
Comments Regarding Commission Notification of SCI Events
    One commenter generally supported proposed Rule 1000(b)(4), stating 
that it would enhance transparency and might allow the Commission to 
see patterns in small, seemingly non-material SCI events that are 
worthy of attention.\782\ However, many other commenters expressed 
concerns about proposed Rule 1000(b)(4).\783\ Many of these commenters 
stated that the scope of proposed Rule 1000(b)(4) was too broad, and 
that the notification requirement would lead to over-reporting to the 
Commission.\784\ Commenters also suggested various ways to revise the 
reporting requirement. For example, several commenters recommended 
requiring notification to the Commission only for ``material'' or 
``significant'' events.\785\ For example, one commenter recommended 
reporting most SCI events as part of the annual SCI review process, 
while focusing Commission notification on material SCI events.\786\ 
Similarly, another commenter suggested that SCI entities should only be 
required to report information relating to ``impactful'' systems 
disruptions in an annual report to the Commission rather than in near 
real time reports.\787\ Another commenter recommended requiring 
notification only for systems issues that warrant notification to an 
SCI entity's subscribers or participants.\788\ Some commenters 
recommended a risk-based approach under which each SCI event would be 
subject to a risk-based assessment, in which the obligation to notify 
the Commission would be based on the attendant risk, with only material 
events requiring notification.\789\
---------------------------------------------------------------------------

    \782\ See Lauer Letter at 6. The Commission also notes that, 
although many other commenters expressed reservations with proposed 
Rule 1000(b)(4), many of these commenters also expressed their 
general support for a notification rule that is more limited in 
scope. See, e.g., ITG Letter at 12 (stating that a reduction in 
notifications would result in lower costs, reduce the over-reporting 
of events, and allow the Commission to focus on events that warrant 
review); and FINRA Letter at 18 (``FINRA fully supports the 
Commission's goal of ensuring that Commission staff is informed of 
events that could potentially impact the market'').
    \783\ See, e.g., NYSE Letter at 21; BATS Letter at 12-13; ITG
Letter at 12; FINRA Letter at 16-17; Omgeo Letter at 16; SIFMA 
Letter at 13; ISE Letter at 6; OCC Letter at 11; and CME Letter at 
9.
    \784\ See, e.g., NYSE Letter at 22; Omgeo Letter at 16; SIFMA 
Letter at 14; ISE Letter at 6; and OCC Letter at 12.
    \785\ See, e.g., ITG Letter at 12; CME Letter at 9; DTCC Letter 
at 8; and Omgeo Letter at 15.
    \786\ See FIF Letter at 4.
    \787\ See BATS Letter at 10.
    \788\ See OTC Markets Letter at 19 (stating that the 
notification requirement to the Commission should be aligned with 
the current industry practice of notifying SCI entities' subscribers 
of material events, explaining that competitive forces motivate 
entities to promptly notify subscribers about significant issues).
    \789\ See, e.g., OCC Letter at 13; SIFMA Letter at 13; Omgeo 
Letter at 1; FINRA Letter at 14; and NYSE Letter at 25.
---------------------------------------------------------------------------

    Commenters also identified potential problems resulting from a 
notification requirement that they perceived as too broad. For example, 
one commenter stated that the notification requirements have the 
potential to create efficiency issues, delay system remediation, create 
substantial resource demands, and create instability, which would 
diminish an SCI entity's ability to be responsive to investors and 
damage market efficiency.\790\ Similarly, several commenters stated 
that the proposed Commission notification provision would require SCI 
entities to divert resources to comply with the requirement which, in 
turn, would risk delaying resolution of the SCI event that is being 
reported on.\791\ Other commenters suggested that the proposed rule 
would result in large volumes of data and reporting, which would 
present challenges to, and burdens on, SCI entities as well as 
Commission staff.\792\ One commenter also questioned the extent to 
which the reported information provided by the notifications would be 
useful to the Commission.\793\
---------------------------------------------------------------------------

    \790\ See UBS Letter at 3.
    \791\ See Omgeo Letter at 16; MSRB Letter at 19; and OCC Letter 
at 14.
    \792\ See SunGard Letter at 5; and Joint SROs Letter at 7.
    \793\ See NYSE Letter at 22.
---------------------------------------------------------------------------

    Some commenters focused their comments on the proposal's 
requirements for Commission reporting of systems intrusions and offered 
alternative approaches to reporting systems intrusions. One commenter 
stated that, in order to limit the number of notifications, SCI 
entities should be required to investigate and keep a record of all 
systems intrusions that did not cause a material disruption of service, 
or that were a malicious (but unsuccessful) attempt at gaining
unauthorized access to confidential data, and make these records 
available to the Commission staff if requested.\794\ Another commenter 
recommended that non-material systems intrusions be recorded within the 
SCI entity's records.\795\ Another commenter suggested that systems 
intrusions in a development or testing environment should only be 
reportable if there is a likelihood that the same issue or 
vulnerabilities exist in the current production environment and cannot 
be verified within a certain period, such as, for example, 24 to 48 
hours.\796\ In addition, one commenter suggested that, for systems 
intrusions, rather than impose the Commission notification requirement 
on SCI entities, the Commission should instead require SCI entities to 
establish policies and procedures reasonably designed to prevent, 
detect, and respond to systems intrusions.\797\
---------------------------------------------------------------------------

    \794\ See Omgeo Letter at 12.
    \795\ See DTCC Letter at 8.
    \796\ See FINRA Letter at 11-12.
    \797\ See BATS Letter at 12. This commenter believed that the 
cost of the proposed requirement would outweigh any benefits because 
the proposed rule would require SCI entities to ``rapidly 
investigate and report a multitude of minor incidents that regularly 
occur during the normal course of business.'' Id.
---------------------------------------------------------------------------

    One commenter stated that the Commission should support the 
enhancement of the Financial Services Information Sharing and Analysis 
Center (``FS-ISAC'') \798\ and another commenter suggested that non-
material cyber-relevant events be provided to and disseminated through 
FS-ISAC rather than the Commission.\799\ Some commenters further 
suggested that certain systems intrusions should be reported to FS-
ISAC.\800\
---------------------------------------------------------------------------

    \798\ FS-ISAC is a service that gathers information from a 
multitude of sources related to threat, vulnerability, and risk of 
cyber and physical security and communicates timely notifications 
and authoritative information specifically designed to help protect 
critical systems and assets from physical and cybersecurity threats. 
See FS-ISAC: Financial Services--Information Sharing and Analysis 
Center, available at: www.fsisac.com.
    \799\ See BIDS Letter at 10; and Omgeo Letter at 12.
    \800\ See SIFMA Letter at 14 (recommending that systems 
intrusions be reported to FS-ISAC in addition to the Commission); 
and Omgeo Letter at 12 and 21 (recommending that non-material 
systems intrusions be reported solely to FS-ISAC).
---------------------------------------------------------------------------

    Other commenters stated that reporting a systems compliance issue 
is reporting a legal conclusion, and that requiring an SCI entity to do so
would overburden them with extensive technical and legal analysis and 
potentially expose those entities to Commission sanctions or 
litigation.\801\ Several commenters expressed concerns regarding the 
confidentiality of the information provided pursuant to proposed Rule 
1000(b)(4), and stated that such information should be confidential
and protected from public disclosure.\802\ One of these commenters 
requested that the Commission confirm in the final rule that the 
information will remain confidential.\803\
---------------------------------------------------------------------------

    \801\ See OTC Markets Letter at 16. See also NYSE Letter at 16.
    \802\ See NYSE Letter at 24; Joint SROs Letter at 12; and DTCC 
Letter at 11.
    \803\ See DTCC Letter at 11.
---------------------------------------------------------------------------

    Commenters also raised other general concerns and made suggestions 
with regard to proposed Rule 1000(b)(4). One commenter argued that the 
proposed rules could cause SCI entities to release information before 
all relevant factors are known, which could be counterproductive and 
harmful.\804\ Another commenter was concerned that SCI entities would 
be required to provide notification reports multiple times to different 
Commission staff for the same event.\805\ Another commenter suggested 
that the proposed requirement is onerous and costly and thus, to 
realize benefits, the Commission, based on notifications received from 
SCI entities, should provide regular summary-level feedback that 
communicates the types, frequency, severity, and impact of market 
incidents across all reporting entities and other related data on the 
root cause of problems.\806\ Another commenter suggested that the 
Commission provide examples, such as publications and reference 
blueprints, which could be useful to SCI entities as they attempt to 
understand the types of SCI events that warrant Commission 
notification.\807\ Finally, some commenters broadly questioned the 
Commission's legal authority to adopt Regulation SCI as proposed, 
asserting, among other things, that the Commission's proposed
notification requirement was beyond its legal authority.\808\
---------------------------------------------------------------------------

    \804\ See ITG Letter at 13.
    \805\ See NYSE Letter at 22. Another commenter suggested that 
the notification requirement with respect to system disruptions 
should make clear that multiple notifications are not required if a 
disruption impacts multiple SCI entities. See FINRA Letter at 22.
    \806\ See BIDS Letter at 10.
    \807\ See SunGard Letter at 6.
    \808\ See NYSE Letter at 4-6; and OTC Markets at 6. See infra 
notes 833-837 and accompanying text (discussing ``Commission Legal 
Authority'').
---------------------------------------------------------------------------

ii. Rule 1002(b)
    After careful consideration of the comments on proposed Rule 
1000(b)(4), the Commission is adopting Rule 1002(b), with several 
modifications in response to comments.\809\
---------------------------------------------------------------------------

    \809\ Specific comments on proposed Rules 1000(b)(4)(i)-(iii) 
that are not discussed above are discussed below in conjunction with 
the Commission's response to those comments.
---------------------------------------------------------------------------

Overview
    The Commission notes that, even without the modifications the 
Commission is making in adopted Rule 1002(b), the proposed Commission 
notification rule would require Commission notice of fewer SCI events 
than as proposed, as a result of the adopted definitions of SCI systems,
indirect SCI systems, systems disruption, and systems compliance issue, 
and the revised triggering standard discussed above. In addition, the 
Commission has determined to refine the scope of the adopted Commission 
notification requirement by incorporating a risk-based approach that 
requires SCI entities, for purposes of Commission notification, to 
divide SCI events into two main categories: SCI events that ``[have] 
had, or the SCI entity reasonably estimates would have, no or a de 
minimis impact on the SCI entity's operations or on market 
participants'' (``de minimis'' SCI events); and SCI events that are not 
de minimis SCI events. De minimis SCI events will not be subject to an 
immediate Commission notification requirement as proposed. Instead, all 
de minimis SCI events will be subject to recordkeeping requirements, 
and de minimis systems disruptions and de minimis systems intrusions 
will be subject to a quarterly reporting obligation, as set forth in 
adopted Rule 1002(b)(5). For SCI events that are not de minimis, 
Commission notification will be governed by adopted Rules 1002(a)(1)-
(4), which are substantially similar to proposed Rules 1000(b)(4)(ii)-
(iv), but relaxed in certain respects in response to comment, as
discussed below.
Effect of Revised Definitions and Revised Triggering Standard on 
Commission Notification Requirement
    The Commission believes that the revisions made to a number of 
definitions already focus the scope of the Commission notification 
requirement in adopted Rule 1002(b) from the SCI Proposal. For example, 
elimination of member regulation and member surveillance systems from 
the adopted definition of SCI systems will substantially reduce the 
potential number of SCI events that would be subject to Commission 
notification under the proposal.\810\ Likewise, systems problems that 
would otherwise meet the definition of SCI event do not meet the 
definition of an SCI event if they occur in the development or testing 
environment.\811\ In addition, the Commission believes that the revised 
definition of ``systems disruption'' and ``systems compliance issue'' 
also will result in fewer systems issues being identified as SCI 
events.\812\ In tandem with the revised definitions, the Commission 
also believes that the revised triggering standard for notification of 
SCI events, which affords an SCI entity time to evaluate whether a 
potential SCI event is an actual SCI event, will also result in fewer 
SCI events being subject to the requirements of Rules 1002(b)(1)-
(4).\813\ The Commission believes that these changes respond to 
comments that proposed Rule 1000(b)(4) was overbroad and overly 
burdensome for SCI entities.\814\
---------------------------------------------------------------------------

    \810\ See supra Section IV.A.2.b (discussing the definition of 
``SCI systems'').
    \811\ See supra note 796 and accompanying text. See also supra 
Section IV.A.2.b (discussing the definition of ``SCI systems''). 
According to one commenter who supported excluding non-market 
systems from the definition of SCI systems and the notification and 
dissemination requirements, applying the reporting requirements to 
non-market systems ``would significantly increase the volume of the 
reports the Commission receives.'' FINRA Letter at 10. (``If the 
definition of SCI systems is broadly construed to apply to non-
market regulatory and surveillance systems, approximately 111 FINRA 
systems could be subject to Regulation SCI.'') FINRA Letter at 7.
    \812\ See supra Section IV.A.3 (discussing the definition of 
``SCI event,'' ``systems disruption,'' and ``systems compliance 
issue'').
    \813\ See supra Section IV.B.3.a (discussing the definition of 
``responsible SCI personnel'') and Section IV.B.3.a (discussing the 
triggering standard).
    \814\ See supra note 784 and accompanying text. See also Section 
VI (discussing comments regarding the burdens associated with 
proposed Rule 1000(b)(4)).
---------------------------------------------------------------------------

Exclusion of De Minimis SCI Events From Immediate Notification 
Requirements: Adopted Rule 1002(b)(5)
    Adopted Rule 1002(b)(5) states that the requirements of Rules 
1002(b)(1)-(4) do not apply to any SCI event that has had, or the SCI 
entity reasonably estimates would have, no or a de minimis impact on 
the SCI entity's operations or on market participants. For such de 
minimis events, Rule 1002(b)(5) requires that an SCI entity: (i) Make, 
keep, and preserve records relating to all such SCI events; and (ii) 
submit to the Commission a report, within 30 calendar days after the 
end of each calendar quarter, containing a summary description of such 
systems disruptions and systems intrusions, including the SCI systems and, for 
systems intrusions, indirect SCI systems, affected by such systems 
disruptions and systems intrusions during the applicable calendar 
quarter.
    The Commission believes that this exception will result in a less 
burdensome reporting framework for de minimis SCI events than for other 
SCI events, and therefore responds to comment that the proposed 
reporting framework was too burdensome. The Commission believes that 
the quarterly reporting of de minimis systems disruptions and de 
minimis systems intrusions will reduce the frequency and volume of SCI 
event notices submitted to the Commission and also will allow both the 
SCI entity and its personnel, as well as the Commission and its staff, 
to focus their attention and resources on other, more significant SCI 
events. Consistent with taking a risk-based approach in other aspects 
of Regulation SCI, the Commission believes this modification from the 
SCI Proposal will result in more focused Commission monitoring of SCI 
events than if this aspect of the SCI Proposal was adopted without 
modification. Further, by reducing the number of SCI event notices 
provided to the Commission on an immediate basis as compared to the SCI 
Proposal, the adopted rule should also impose lower compliance costs 
and fewer burdens than if this aspect of the SCI Proposal was adopted 
without modification.
    However, the Commission has determined not to incorporate a 
materiality threshold as requested by some commenters,\815\ to limit 
the Commission reporting requirements to those events that are 
considered by SCI entities to be truly disruptive to the markets, as 
suggested by other commenters,\816\ or to limit the Commission 
reporting requirement only to those events that warrant notification to 
an SCI entity's subscribers or participants, as suggested by still 
other commenters.\817\ The Commission has made this determination 
because while there may be SCI events with little apparent impact on an 
SCI entity's operations or on market participants and the burden on an 
SCI entity to provide immediate notice to the Commission every time 
such an event occurs may not justify the benefit of providing such 
notice to the Commission on an immediate basis, the Commission does not 
believe that such de minimis events are irrelevant or that the 
Commission should never be made aware of them. To fulfill its oversight 
role, the Commission believes that the Commission and its staff should 
regularly be made aware of de minimis systems disruptions and de 
minimis systems intrusions and should have ready access to records 
regarding de minimis systems compliance issues that SCI entities are 
facing and addressing because, as the regulator of the U.S. securities 
markets, it is important that the Commission and its staff have access 
to information regarding all SCI events (including de minimis SCI 
events) and their impact on the technology systems and systems 
compliance of SCI entities, which may also provide useful insights into 
learning about indications of more impactful SCI events. The Commission 
has, however, determined to distinguish the timing of its receipt of 
information regarding SCI events based on their impact: those SCI 
events that an SCI entity reasonably estimates to have a greater impact 
are subject to ``immediate'' notification upon responsible SCI 
personnel having a reasonable basis to conclude that an SCI event has 
occurred; and those SCI events that an SCI entity reasonably estimates 
to have no or a de minimis impact are subject to recordkeeping 
obligations, and for de minimis systems disruptions and de minimis 
systems intrusions, a quarterly summary notification. Despite 
commenters' arguments to the contrary that de minimis SCI events do not 
warrant the Commission's and its staff's attention, the Commission 
believes that quarterly reporting of de minimis systems disruptions and 
de minimis systems intrusions and review of records regarding de 
minimis systems compliance issues is beneficial to the Commission and 
its staff in understanding SCI entity systems operations at the level 
of the individual SCI entity, as well as across the spectrum of SCI 
entities, and to monitor compliance with the Exchange Act and rules 
thereunder. The Commission notes that, while it is not requiring that 
de minimis systems compliance issues be submitted to the Commission in 
quarterly reports, Commission staff may request records relating to 
such de minimis systems compliance issues as necessary. The Commission 
encourages and does not intend to inhibit an evaluation by SCI entities 
of systems compliance issues, including de minimis systems compliance 
issues, which may inherently involve legal analysis.
---------------------------------------------------------------------------

    \815\ See, e.g., supra note 785 and accompanying text.
    \816\ See, e.g., supra notes 785-787.
    \817\ See supra note 788.
---------------------------------------------------------------------------

    As noted, some commenters focused specifically on systems 
intrusions, urging the Commission to modify or significantly reduce the 
instances in which notice of systems intrusions would be required,\818\ 
or provide that non-material systems intrusions not be reported at all, 
and only be recorded by the SCI entity.\819\ The Commission believes 
that the recordkeeping and quarterly reporting requirement for de 
minimis systems intrusions described in Rule 1002(b)(5) is partially 
responsive to these comments, but also believes that notice of 
intrusions in SCI systems and indirect SCI systems is important to 
allow the Commission and its staff to detect patterns or understand 
trends in the types of systems intrusions that may be occurring at 
multiple SCI entities. However, as compared to what would have been 
required if the SCI Proposal was adopted without modification, the 
Commission expects that the exception from the immediate reporting 
requirement provided for de minimis SCI events under Rule 1002(b)(5) 
will result in a much lower number of systems intrusions that SCI 
entities will be required to immediately report to the Commission than 
commenters believed,\820\ and will achieve this result without 
compromising the Commission's interest in receiving more timely 
notification of impactful SCI events.
---------------------------------------------------------------------------

    \818\ See supra notes 794-797 and accompanying text.
    \819\ See supra notes 794-795 and accompanying text.
    \820\ See, e.g., supra note 794 and accompanying text 
(discussing a commenter's suggestion to limit the number of 
notifications by requiring recordkeeping of all systems intrusions 
that did not cause a material disruption of service or that were a 
malicious (but unsuccessful) attempt in gaining unauthorized access 
to confidential data).
---------------------------------------------------------------------------

    In addition, some commenters suggested that certain types of 
systems intrusions or non-material SCI events be reported exclusively 
to FS-ISAC or to both the Commission and FS-ISAC, and some advocated 
that the Commission support the enhancement of FS-ISAC.\821\ The 
Commission believes that FS-ISAC and other information sharing 
services play an important role in assisting SCI entities and other 
entities with respect to security issues. Consistent with views shared 
by several members of the third panel at the Cybersecurity Roundtable, 
to the extent SCI entities determine that such information sharing 
services are useful, the Commission encourages SCI entities to 
cooperate with and share information relating to information security 
threats and related issues with such entities to further enhance their 
utility.\822\ At the same time, for the reasons 
discussed above,\823\ the Commission believes that it is important that 
the Commission directly receive information regarding systems 
intrusions from SCI entities, through immediate notifications or 
quarterly reports, as applicable.
---------------------------------------------------------------------------

    \821\ See supra notes 799-800 and accompanying text.
    \822\ See supra notes 39-40 and accompanying text. During the 
Cybersecurity Roundtable, panelists referenced other services that 
they believed useful to SROs, including the Financial Services 
Sector Coordinating Council for Critical Infrastructure Protection 
and Homeland Security (FSSCC), the Clearing House and Exchange Forum 
(CHEF), and the Worldwide Federation of Exchange's recently 
established Global Exchanges Cyber Security Working Group (GLEX). 
See supra note 39.
    \823\ See supra notes 904-906 and accompanying text.
---------------------------------------------------------------------------

    In response to comments that recordkeeping of non-material SCI 
events would be more appropriate than reporting, the Commission 
believes that quarterly reporting of de minimis systems disruptions and 
de minimis systems intrusions will better achieve the goal of keeping 
Commission staff informed regarding the nature and frequency of SCI 
events that arise but are reasonably estimated by the SCI entity to 
have a de minimis impact on the entity's operations or on market 
participants. Importantly, submission and review of regular reports 
will facilitate Commission staff comparisons among SCI entities and 
thereby permit the Commission and its staff to have a more holistic 
view of the types of systems operations challenges that were posed to 
SCI entities in the aggregate.
    With regard to de minimis systems compliance issues, however, the 
Commission believes the goals of Regulation SCI can be achieved through 
the SCI entity's obligation to keep, and provide to representatives of 
the Commission upon request, records of such de minimis systems 
compliance issues. The Commission believes that systems compliance 
issues generally are more specific to a particular entity's systems and 
rules and less likely, as compared to systems disruptions and systems 
intrusions, to raise market-wide issues that could affect several SCI 
entities. Accordingly, information on such events is less likely to 
provide valuable insight into trends and risks across the industry and, 
therefore, the Commission believes that the benefits of receiving 
quarterly reports on such de minimis systems compliance issues would be 
less relative to de minimis systems disruptions and de minimis systems 
intrusions. Further, the Commission notes that, based on Commission 
staff's experience with notifications of compliance-related issues at 
SROs, the Commission believes that SCI entities will experience a 
relatively small number of systems compliance issues each year, and 
thus, its regular examinations of SCI entities will provide an adequate 
mechanism for reviewing and addressing de minimis systems compliance 
issues affecting SCI entities. As noted above, Commission staff may 
request records relating to such de minimis systems compliance issues 
as necessary.
    In response to the concerns raised by one commenter that the 
notification requirements have the potential to create efficiency 
issues, delay system remediation, create substantial resource demands, 
and create instability, the Commission believes that these concerns 
have been mitigated by the numerous changes made from the proposal, 
such as the adoption of a quarterly reporting framework for de minimis 
systems disruptions and de minimis systems intrusions and revised 
definitions of the terms SCI systems, indirect SCI systems, systems 
disruption, and systems compliance issue, in addition to the reduction 
in the obligations SCI entities have with respect to reporting 
requirements.\824\ In addition, ARP entities today are able to 
regularly notify the Commission of systems related issues, such as 
systems outages, and the Commission therefore believes that the 
notification requirements will not require a majority of SCI entities 
to develop policies and procedures that are incongruous with their 
current practice. Moreover, the Commission believes that providing SCI 
entities with 30 days after the end of each quarter is adequate time 
for an SCI entity to prepare its report without unduly diverting SCI 
entity resources away from focusing on SCI events occurring in real 
time.\825\
---------------------------------------------------------------------------

    \824\ See supra note 790.
    \825\ See supra notes 791-793 and accompanying text.
---------------------------------------------------------------------------

    The Commission believes that requiring SCI entities to report de 
minimis systems disruptions and de minimis systems intrusions quarterly 
balances the interest of SCI entities in having a limited reporting 
burden for such types of events with the Commission's interest in 
oversight of the information technology programs and systems compliance 
of SCI entities.\826\ Similarly, the Commission believes that requiring 
recordkeeping of de minimis systems compliance issues allows the 
Commission to adequately monitor compliance with the Exchange Act and 
rules thereunder, while reducing the burdens on SCI entities with 
regard to providing information to the Commission on such de minimis 
systems compliance issues. Accordingly, the Commission has determined 
to exclude certain SCI events from the immediate Commission reporting 
requirements, subject to certain recordkeeping and reporting 
requirements for such events, as applicable.\827\
---------------------------------------------------------------------------

    \826\ The Commission notes an SCI entity should be prepared for 
the possibility that Commission staff may, whether upon request 
pursuant to Rule 1002(b)(3), Rule 1005(b)(3), or Rule 1007 or during 
an examination of its compliance with Regulation SCI, include a 
review of the entity's classification of SCI events as de minimis 
SCI events under Rule 1002(b).
    \827\ While the facts and circumstances surrounding a particular 
SCI event will ultimately determine the severity of a given event, 
including whether the event is reasonably estimated to be a de 
minimis event, a wide range of factors may be relevant to an SCI 
entity in making such a determination. For example, such factors 
could include, but are not limited to: whether critical SCI systems 
are impacted; the duration of the SCI event; whether there is a loss 
of redundancy (that negatively impacts, for example, a source of 
power, telecommunications, or other key service); whether an 
alternate trading system is available following a trading system 
disruption; the size of the affected market trading volume; whether 
the processes for trade completion or clearance and settlement are 
adversely impacted; whether settlement is completed on time; whether 
an event is resolved prior to the market's open; whether a post-
trade event is resolved before the market closes; whether a 
failover, despite being successful, results in a given system 
operating without a backup; and the number of securities symbols 
that are adversely affected.
---------------------------------------------------------------------------

    As described above, the de minimis exception from the immediate 
Commission notification requirements applies to systems compliance 
issues as well as systems disruptions and systems intrusions. The 
Commission believes that this approach strikes a balance that will help 
focus the Commission's and SCI entities' resources on those systems 
compliance issues with more significant impacts. Even if an SCI entity 
determines that the impact of the systems compliance issue is none or 
negligible, however, the Commission believes that it should have ready 
access to records regarding such systems compliance issues, and notes 
that Rule 1002 requires that an SCI entity take corrective action with 
respect to all SCI events, including de minimis systems compliance 
issues.\828\
---------------------------------------------------------------------------

    \828\ See infra note 829 and accompanying text.
---------------------------------------------------------------------------

    The Commission recognizes that in many cases, the discovery of a 
potential systems compliance issue may be of a different nature than 
the discovery of potential systems disruptions or systems intrusions, 
as the latter types of events often have an immediately apparent and 
negative impact on the operations of a given system of the SCI entity. 
In contrast, in many instances, a systems compliance issue may require 
the involvement of various personnel (potentially including compliance 
and/or legal personnel) and a period 
of time may be required to afford such personnel the chance to perform 
a preliminary legal analysis to analyze whether a systems compliance 
issue had, in fact, occurred. Because Rule 1002(b)(1) only requires 
notification to the Commission when responsible SCI personnel have a 
``reasonable basis to conclude'' that a non-de minimis SCI event has 
occurred, the Commission believes it is appropriate for an SCI entity 
to notify the Commission of a non-de minimis systems compliance issue 
after it has conducted such a preliminary legal analysis, unless the 
nature of the issue makes it readily identifiable as a systems 
compliance issue.\829\ Further, if an SCI entity determines that a 
systems compliance issue is de minimis, such event will not be required 
to be reported immediately to the Commission, but rather the SCI entity 
will be required to keep, and provide to representatives of the 
Commission upon request, records of such de minimis systems compliance 
issue. Thus, the Commission believes that, as adopted, the requirements 
with respect to systems compliance issues are reasonable because SCI 
entities are afforded flexibility to assess and understand potential 
SCI events and are not required to notify the Commission prior to 
forming a reasonable basis to conclude that an SCI event has occurred. 
The Commission also believes that, as part of its oversight of the 
securities markets, it should have access to information regarding de 
minimis systems compliance issues when requested. And, although some 
commenters expressed concern that a systems compliance issue is a legal 
conclusion that requires time to analyze and could possibly expose the 
entity to liability if reported,\830\ as discussed above, the 
Commission believes these concerns will be mitigated by the revised 
triggering standard for the obligations in Rule 1002.\831\ However, 
while commenters are correct that the occurrence of a systems 
compliance issue may expose an SCI entity to liability,\832\ the 
occurrence of an SCI event will not necessarily cause a violation of 
Regulation SCI. Further, the occurrence of a systems compliance issue 
also does not necessarily mean that the SCI entity will be subject to 
an enforcement action. Rather, the Commission will exercise its 
discretion to initiate an enforcement action if the Commission 
determines that action is warranted, based on the particular facts and 
circumstances of an individual situation.
---------------------------------------------------------------------------

    \829\ At the same time, the Commission cautions SCI entities 
against unnecessarily delaying Commission notifications of SCI 
events, including systems compliance issues. The Commission notes 
that the notification requirement is triggered when responsible SCI 
personnel have a reasonable basis to conclude that an SCI event has 
occurred and not, for example, when responsible SCI personnel have 
definitively concluded that an SCI event has occurred. As discussed 
above, the Commission does not believe it is appropriate for an SCI 
entity to delay notifying its regulator of a systems compliance 
issue once the SCI entity has a reasonable basis to conclude there 
is one. See supra note 828 and accompanying text.
    \830\ See OTC Markets Letter at 16; and NYSE Letter at 16.
    \831\ See supra Section IV.B.3.a (discussing the triggering 
standard).
    \832\ If an SRO fails to, among other things, comply with the 
provisions of the Exchange Act, the rules or regulations thereunder, 
or its own rules, the Commission is authorized to impose sanctions. 
See 15 U.S.C. 78s(g).
---------------------------------------------------------------------------

Commission Legal Authority
    As noted above, some commenters broadly questioned the Commission's 
legal authority to adopt certain provisions of Regulation SCI as 
proposed, including those relating to Commission notification of SCI 
events, as well as Commission notification of material systems 
changes.\833\ Section 11A(a)(2) of the Exchange Act directs the 
Commission, having due regard for the public interest, the protection 
of investors, and the maintenance of fair and orderly markets, to use 
its authority under the Exchange Act to facilitate the establishment of 
a national market system for securities in accordance with the 
Congressional findings and objectives set forth in Section 11A(a)(1) of 
the Exchange Act. Among the findings and objectives in Section 
11A(a)(1) is that ``[n]ew data processing and communications techniques 
create the opportunity for more efficient and effective market 
operations'' and ``[i]t is in the public interest and appropriate for 
the protection of investors and the maintenance of fair and orderly 
markets to assure . . . the economically efficient execution of 
securities transactions.'' In addition, Sections 6(b), 15A, and 
17A(b)(3) of the Exchange Act impose obligations on national securities 
exchanges, national securities associations, and clearing agencies, 
respectively, to be ``so organized'' and ``[have] the capacity to . . . 
carry out the purposes of [the Exchange Act].''
---------------------------------------------------------------------------

    \833\ See supra note 808 and accompanying text. See infra note 
1268 (noting comments relating to the Commission's legal authority 
for the proposed access provision, which the Commission has 
determined not to adopt in its final rules because the Commission 
can adequately assess an SCI entity's compliance with Regulation SCI 
through existing recordkeeping requirements and examination 
authority, as well as through the new recordkeeping requirement in 
Rule 1005 of Regulation SCI).
---------------------------------------------------------------------------

    Consistent with this statutory authority, the Commission is 
adopting Regulation SCI to require, among other things, that SCI 
entities: (1) Provide certain notices and reports to the Commission to 
improve Commission oversight of securities market infrastructure; and 
(2) have comprehensive policies and procedures in place to help ensure 
the robustness and resiliency of their technological systems, and also 
that their technological systems operate in compliance with the 
Exchange Act, rules thereunder, and with their own rules and governing 
documents. These requirements are important to furthering the 
directives in Section 11A(a)(2) of the Exchange Act that the 
Commission, having due regard for the public interest, the protection 
of investors, and the maintenance of fair and orderly markets, 
facilitate the establishment of a national market system for securities 
in accordance with the Congressional findings and objectives set forth 
in Section 11A(a)(1) of the Exchange Act, including the economically 
efficient execution of securities transactions.
    As discussed in Section I, the U.S. securities markets have been 
transformed in recent years by technological advancements that have 
enhanced the speed, capacity, efficiency, and sophistication of the 
trading functions that are available to market participants. Central to 
these technological advancements have been changes in the automated 
systems that route and execute orders, disseminate quotes, clear and 
settle trades, and transmit market data. At the same time, however, 
these technological advances have generated an increasing risk of 
operational problems with automated systems, including failures, 
disruptions, delays, and intrusions. Accordingly, in today's securities 
markets, properly functioning technology is central to the maintenance 
of fair and orderly markets, the national market system, and the 
efficient and effective market operations and the execution of 
securities transactions. While the Commission's ARP Inspection Program 
has been active in this area, the Commission has not adopted rules 
specific to these matters. The Commission believes that the adoption of 
Regulation SCI, with the modifications from the SCI Proposal as 
discussed above, and compliance with the regulation by SCI entities, 
will further the goals of the national market system. It will help to 
ensure the capacity, integrity, resiliency, availability, and security 
of the automated systems of entities important to the functioning of 
the U.S. securities markets, as well as reinforce 
the requirement that such systems operate in compliance with the 
Exchange Act and rules and regulations thereunder, thus strengthening 
the infrastructure of the U.S. securities markets and improving its 
resilience when technological issues arise. In addition, Regulation SCI 
establishes an updated and formalized regulatory framework, thereby 
helping to ensure more effective Commission oversight of these systems 
whose proper functioning is central to the maintenance of fair and 
orderly markets and for the continued operation of the national market 
system. For these reasons, the Commission disagrees with the comments 
questioning the Commission's legal authority to adopt Regulation SCI.
    More specifically, the Commission disagrees with comment regarding 
its legal authority under Rule 1002(b) related to Commission 
notification of SCI events. As discussed above, having immediate notice 
and continuing updates of non-de minimis SCI events, quarterly reports 
related to de minimis systems disruptions and de minimis systems 
intrusions, and recordkeeping requirements for de minimis SCI events, 
directly enables the Commission to have more effective oversight of the 
systems whose proper functioning is central to the maintenance of fair 
and orderly markets and for the continued operation of the national 
market system. In this respect, Rule 1002(b) is integral to furthering 
the statutory purposes of Section 11A of the Act under which the 
Commission is directed to act. Moreover, the Commission underscores 
that the adopted Commission notification provisions would require 
immediate Commission notice of fewer SCI events than as proposed 
because the adopted definitions of SCI systems, indirect SCI systems, 
systems disruption, and systems compliance issue have been refined from 
the proposal, and de minimis SCI events are not subject to immediate 
notice.
    Some commenters also questioned the Commission's legal authority to 
require Commission notification of material systems changes.\834\ As 
discussed in more detail below, the material systems change reports are 
intended to make the Commission and its staff aware of significant 
systems changes at SCI entities, and thereby improve Commission 
oversight of U.S. securities market infrastructure, which directly 
furthers the findings and objectives set forth in Section 11A(a)(1) of 
the Exchange Act.\835\ The Commission believes that the adopted 
material systems change notification requirement will allow the 
Commission to more efficiently and effectively participate in 
discussions with SCI entities when systems issues occur and will allow 
Commission staff to effectively prepare for inspections and 
examinations of SCI entities. Moreover, Rule 1003(a), as adopted, 
differs significantly from the proposed requirements as it no longer 
requires 30-day advance notification, but rather requires quarterly 
reports of material systems changes. As such, the requirement is 
designed not to result in ``close, minute regulation of computer 
systems and computer security.'' \836\ Additionally, the Commission 
notes that Regulation SCI does not provide for a new review or approval 
process for SCI entities' material systems changes.\837\
---------------------------------------------------------------------------

    \834\ See infra note 1046 and accompanying text.
    \835\ See infra Section IV.B.4 (discussing the requirement to 
notify the Commission of material systems changes).
    \836\ See infra note 1046.
    \837\ As noted below in Section IV.B.4, Commission staff will 
not use material systems change reports to require any approval of 
prospective systems changes in advance of their implementation 
pursuant to any provision of Regulation SCI, or to delay 
implementation of material systems changes pursuant to any provision 
of Regulation SCI.
---------------------------------------------------------------------------

Immediate Commission Notification--Proposed Rule 1000(b)(4)(i)
    Commenters also specifically discussed proposed Rule 1000(b)(4)(i) 
regarding reporting to the Commission on immediate notification SCI 
events. One commenter stated that it generally supported the immediate 
notification requirement of proposed Rule 1000(b)(4)(i) in the case of 
material SCI events,\838\ but other commenters were critical.\839\ For 
example, some commenters stated that the Commission should adopt a 
materiality threshold which would only require an SCI entity to 
immediately report material SCI events.\840\ Similarly, one group of 
commenters suggested a tiered method that would reserve immediate 
notification to the Commission for truly critical events ``where the 
Commission's input would contribute to an expedient resolution,'' while 
requiring SCI entities to have written policies and procedures that 
focus the SCI entity's attention primarily on taking corrective 
measures during an SCI event and maintaining records to provide 
information to the Commission and members and participants as 
appropriate.\841\ Two commenters suggested that different reporting 
standards should apply to different types of systems, suggesting, for 
example, that immediate notification should be required only for higher 
priority systems.\842\
---------------------------------------------------------------------------

    \838\ See MSRB Letter at 18.
    \839\ See, e.g., NYSE Letter at 22.
    \840\ See SIFMA Letter at 13; FIF Letter at 4; ITG Letter at 12; 
NYSE Letter at 23; FINRA Letter at 10, 22; and OCC Letter at 13. One 
commenter stated that, in considering factors that would determine 
whether or not an SCI event is material, the Commission should 
consider the overall market disruption caused by the SCI event, the 
length of the event, the financial impact of the event, and the 
inability to meet core regulatory obligations regarding order 
handling and execution activities. See ITG Letter at 13. Similarly, 
two commenters stated that, with respect to systems compliance 
issues or systems intrusions, immediate notification SCI events 
should be limited to systems compliance issues or systems intrusions 
that the SCI entity reasonably estimates would have a material 
impact on its operations or on market participants. See MSRB Letter 
at 18; and Omgeo Letter at 15. Further, in the case of intrusions, 
one commenter stated that notifications could also include 
intrusions that would cause a malicious unauthorized access to 
confidential data, but recommended that other types of intrusions be 
subject to recordkeeping. See Omgeo Letter at 15. One group of 
commenters supported implementing a materiality threshold for 
systems compliance issues, which it stated should be based on 
factors such as the number of members affected, financial impact and 
operation impact, and these guidelines should be articulated in the 
SCI entities' policies and procedures. See Joint SROs Letter at 9.
    \841\ See Joint SROs Letter at 10.
    \842\ See FINRA Letter at 22 (suggesting, for example, that 
immediate Commission notification should not be required for SCI 
events that occur in systems that do not provide real-time data to 
the market); and SIFMA Letter at 13 (stating that lower 
priority systems should only be reported on an aggregate and 
periodic basis).
---------------------------------------------------------------------------

    One commenter questioned the adequacy of the Commission's asserted 
basis and purpose for requiring notification for the vast majority of 
SCI events.\843\ In this commenter's view, the Commission's asserted 
rationale for the Commission notification requirement \844\ would only 
support requiring immediate notification for a limited number of SCI 
events, where the Commission's involvement is necessary.\845\ For other 
SCI events, in which the Commission would only be gathering and 
analyzing submitted information, the commenter stated that the 
Commission's rationale for requiring immediate notification is 
insufficient.\846\
---------------------------------------------------------------------------

    \843\ See NYSE Letter at 21-22.
    \844\ See Proposing Release, supra note 13, at 18119.
    \845\ See NYSE Letter at 22; see also Joint SROs Letter at 10.
    \846\ See NYSE Letter at 22.
---------------------------------------------------------------------------

    Some commenters addressed the use of the term ``immediately'' in 
the proposed rule. One commenter characterized the proposed immediate 
reporting requirements as rigid, and questioned why reporting could not 
occur ``promptly'' with follow-up as reasonably requested by the 
Commission staff.\847\ Another commenter stated that immediate 
notification is unrealistic and predicted

[[Page 72324]]

that it could trigger an innumerable amount of false alarms.\848\
---------------------------------------------------------------------------

    \847\ See BATS Letter at 12.
    \848\ See Direct Edge Letter at 8.
---------------------------------------------------------------------------

    Other commenters addressed SCI events that occur outside of normal 
business hours. Two commenters believed that an SCI entity should not 
be required to notify the Commission of an SCI event outside of normal 
business hours.\849\ Other commenters stated that material events 
should require immediate notification to the Commission, but all other 
types of events should be reported by the next business day.\850\
---------------------------------------------------------------------------

    \849\ See FINRA Letter at 21; and BATS Letter at 12. FINRA also 
stated that an SCI entity should have one full business day to 
report an SCI event.
    \850\ See, e.g., DTCC Letter at 9 (stating that, outside of 
normal business hours, an SCI entity should only be required to 
notify the Commission of the most critical events; i.e., those with 
the potential to impact the core functions and critical operations 
of the SCI entity); and OCC Letter at 14 (stating that when an event 
is material because it could have a market-wide impact or impact the 
core functions of an SCI entity, immediate notification should be 
required even outside of normal business hours, but all other SCI 
events should be reported no later than the next business day).
---------------------------------------------------------------------------

    One commenter stated that immediate notification of an SCI event 
may be difficult where an SCI entity uses a third party to operate its 
systems, and therefore believed that an SCI entity should not be 
responsible for reporting an SCI event caused by a third party unless 
there is a material impact to the market or the SCI entity's ability to 
meet its service level agreements.\851\ This commenter stated that the 
rule should permit SCI entities flexibility on how to address third 
party issues and requested further guidance from the Commission in this 
area.\852\
---------------------------------------------------------------------------

    \851\ See FINRA Letter at 22; see also supra Section IV.A.2.b 
(discussing the definition of ``SCI systems'' as it relates to third 
parties).
    \852\ See FINRA Letter at 22.
---------------------------------------------------------------------------

Immediate Notification of SCI Events: Adopted Rule 1002(b)(1)
    Adopted Rule 1002(b)(1) requires each SCI entity to notify the 
Commission of an SCI event immediately upon any responsible SCI 
personnel having a reasonable basis to conclude that an SCI event has 
occurred (unless it is a de minimis SCI event). Such notification may 
be provided orally (e.g., by telephone) or in writing (e.g., by email 
or on Form SCI). Although many commenters were critical of the 
immediate notification provision, Rule 1002(b)(1) substantially retains 
the requirements of proposed Rule 1000(b)(4)(i), but is modified in 
certain respects in response to comments.
    The Commission has considered the views of commenters who stated 
that the Commission should require immediate notification only for 
material SCI events, or when Commission involvement would contribute to 
an expedient resolution.\853\ Given the Commission's oversight 
responsibilities over SCI entities and the U.S. securities market 
generally, the notification rule is not intended to be limited to 
instances in which SCI entities might believe that it would be useful 
for the Commission to provide input. SCI event notifications also serve 
the function of providing the Commission and its staff with information 
about the potential impact of an SCI event on the securities markets 
and market participants more broadly, which potential impacts may not 
be readily apparent or important to the SCI entity reporting such an 
event. Moreover, the Commission believes that there will be instances 
in which an SCI entity will not know the significance of an SCI event 
at the time of the occurrence of an event, or whether such event (or, 
potentially, the aggregated impact of several SCI events occurring, for 
example, across many SCI entities) will warrant the Commission's input 
or merit the Commission's awareness, nor does the Commission believe it 
should be solely within an SCI entity's discretion to make such a 
determination. And SCI entities retain the flexibility to revise their 
initial assessments should they subsequently determine that the event 
in question was incorrectly initially assessed to be a de minimis event 
(or incorrectly initially assessed to not be a de minimis event). 
Consequently, the Commission does not agree with commenters who stated 
that only material SCI events should be reported to the Commission 
immediately.\854\
---------------------------------------------------------------------------

    \853\ See supra notes 838-846 and accompanying text.
    \854\ See, e.g., supra note 842 and accompanying text.
---------------------------------------------------------------------------

    The Commission has also considered comments that the term 
``immediately'' as used in proposed Rule 1000(b)(4) is rigid and 
unrealistic.\855\ The Commission, in adopting Rule 1002(b), has 
retained the requirement that SCI entities must notify the Commission 
immediately; however, as discussed in detail above,\856\ the triggering 
standard has been modified so that the notification obligations of Rule 
1002(b) are triggered only upon any responsible SCI personnel having a 
reasonable basis to conclude that an SCI event has occurred. The 
Commission believes this modification responds to commenters' concerns 
that the ``immediate'' reporting requirement is too rigid or would pose 
practical difficulties, as it allows additional time for escalation to 
senior SCI entity personnel and for the performance of preliminary 
analysis and assessment regarding whether an SCI event has, in fact, 
occurred before requiring notification to the Commission. As such, the 
Commission believes that the immediate notification requirement of Rule 
1002(b)(1) will not unduly cause ``false alarms,'' as one commenter 
stated.\857\ At the same time, the Commission believes that the 
immediate notification requirement, as adopted, will help ensure that 
the Commission and its staff are kept apprised of SCI events after they 
occur, and as their impact unfolds and is mitigated and, ultimately, as 
the SCI entity engages in corrective action to resolve the SCI events. 
Additionally, the Commission notes that immediate notifications made 
pursuant to Rule 1002(b)(1) may be made orally (e.g., by telephone) or 
in a written form (e.g., by email or on Form SCI).\858\ The Commission 
notes that, by not prescribing the precise method of communication for 
an immediate notification, SCI entities are afforded the flexibility to 
determine the most effective and efficient method to communicate with 
the Commission.
---------------------------------------------------------------------------

    \855\ See supra note 847 and accompanying text.
    \856\ See supra Section IV.B.3.a (discussing the triggering 
standard).
    \857\ See supra note 848 and accompanying text. The Commission 
notes that, if an SCI entity at some point after submitting an 
immediate notification concludes after further investigation and 
analysis that it was incorrect in its initial determination that an 
SCI event had occurred, the SCI entity should alert the Commission 
of its updated assessment pursuant to Rule 1002(b)(3). Relatedly, 
Rule 1002(b) is designed to provide SCI entities flexibility in 
notifying the Commission of the details regarding an SCI event (for 
example, through the ability to provide the Rule 1002(b)(2) written 
notification on a good faith, best efforts basis) and time to assess 
and analyze the SCI event (for example, by requiring that the Rule 
1002(b)(2) written notification only provide a description of the 
SCI event, including the system(s) affected, and with additional 
information only required to the extent available at that time).
    \858\ The Commission notes that, prior to the compliance date of 
Regulation SCI, Commission staff intends to notify SCI entities of 
the email addresses, phone numbers, and contact persons that SCI 
entities should use when notifying the Commission of SCI events 
under Rule 1002(b).
---------------------------------------------------------------------------

    The Commission has also considered comments that immediate 
notification should not be required outside of normal business hours, 
or that it should only be required outside of normal business hours in 
the case of material SCI events.\859\ The Commission notes that the 
adopted rule will afford SCI entities considerable flexibility in how 
to communicate an immediate notification to the Commission--that is, 
SCI entities may satisfy the immediate

[[Page 72325]]

notification requirement simply by communicating with the Commission 
via telephone or email. In addition, because an SCI entity's obligation 
to report to the Commission is not triggered until responsible SCI 
personnel have a reasonable basis to conclude that an SCI event has 
occurred,\860\ the Commission does not believe that timely 
notification, even outside of normal business hours, is so onerous that it 
necessitates allowing a full business day to comply. Particularly 
because it has determined to exclude de minimis SCI events from the 
immediate notification requirement, the Commission believes that it is 
reasonable to require that an SCI event (except those specified in Rule 
1002(b)(5)) be reported to the Commission orally (e.g., by telephone) 
or in writing (e.g., by email or on Form SCI) when responsible SCI 
personnel have a reasonable basis to conclude that an SCI event has 
occurred, even if such communication may be outside of normal business 
hours. Because the rule provides flexibility to more easily enable 
communication--by permitting oral notification--of the fact of an SCI 
event to the Commission, and because only non-de minimis SCI events are 
subject to this requirement, the Commission believes notice to the 
Commission is appropriate sooner rather than later. In addition, as 
discussed above, the Commission believes that there may be situations 
where the severity of an SCI event may not be immediately apparent to 
an SCI entity experiencing the event, but the Commission, from its 
unique position, may determine as a result of receiving multiple 
immediate notifications, each related to an SCI event of a similar 
nature, that the SCI event is part of a pattern of a larger, more 
significant occurrence. The Commission is therefore adopting Rule 
1002(b) to require that an SCI entity notify the Commission of an SCI 
event immediately upon any responsible SCI personnel having a 
reasonable basis to conclude that an SCI event has occurred, without an 
exception for periods outside of normal business hours.
---------------------------------------------------------------------------

    \859\ See, e.g., supra notes 849 and 794-797 and accompanying 
text.
    \860\ See supra Section IV.B.3.a (discussing the triggering 
standard).
---------------------------------------------------------------------------

    In addition, as noted above, the information submitted to the 
Commission pursuant to Regulation SCI will be treated as confidential, 
subject to applicable law \861\ and, as noted in Sections IV.B.1.b.i 
and IV.B.2.a, the occurrence of an SCI event does not necessarily mean 
that an SCI entity has violated Regulation SCI.
---------------------------------------------------------------------------

    \861\ See supra note 674.
---------------------------------------------------------------------------

    The Commission disagrees with the commenter who stated that the 
Commission should not require SCI entities to be responsible for 
reporting an SCI event caused by a third party because immediate 
notification would be difficult.\862\ An SCI event, whether or not 
caused by a third party system, by definition relates to an SCI system 
or indirect SCI system. As explained in Section IV.A.2 above 
(discussing the definitions of ``SCI systems'' and ``indirect SCI 
systems''), the Commission has adopted the definition of SCI systems to 
include, specifically, those systems of SCI entities that would be 
reasonably likely to impact the protection of investors and the 
maintenance of fair and orderly markets and an SCI entity's operational 
capability, and has not excluded third party systems from the 
definition. As stated above, if an SCI entity is uncertain of its 
ability to manage a third-party relationship to satisfy the 
requirements of Regulation SCI, then it would need to reassess its 
decision to outsource the applicable system to such third party.\863\
---------------------------------------------------------------------------

    \862\ See supra notes 851-852 and accompanying text.
    \863\ See supra note 260 and accompanying text.
---------------------------------------------------------------------------

    In response to comment that SCI entities would be required to 
provide notification reports multiple times to different Commission 
staff for the same event,\864\ the Commission notes that the rule does not 
include such a requirement. In addition, the Commission disagrees 
with the commenter who stated that, for systems disruptions, 
notifications should not be required from each separate entity where a 
disruption impacts multiple SCI entities.\865\ Excusing immediate 
notification where a given event seems to be affecting multiple SCI 
entities would not be appropriate because the Commission, as the 
centralized receiver of notifications, will be the entity that will be 
in a position to determine whether, in fact, SCI entities are 
concurrently experiencing the same SCI event. Moreover, even if a given 
event affects multiple SCI entities, it may be the case that the event 
impacts each SCI entity and the affected systems in a different manner, 
and thus the Commission believes it is important to receive individual 
notifications from each affected SCI entity.
---------------------------------------------------------------------------

    \864\ See, e.g., supra note 805 and accompanying text.
    \865\ See, e.g., id.
---------------------------------------------------------------------------

Written Commission Notification: Proposed Rule 1000(b)(4)(ii)
    Commenters also specifically discussed and suggested alternatives 
to proposed Rule 1000(b)(4)(ii), which would have required an SCI 
entity, within 24 hours of any responsible SCI personnel becoming aware 
of any SCI event, to submit a written notification pertaining to such 
SCI event to the Commission. Many commenters stated that the proposed 
24-hour time frame was too short or burdensome.\866\ Several commenters 
specifically suggested that the Commission extend the time frame to 
allow SCI entities to attend to the SCI event without also devoting 
resources to notifying the Commission, suggesting different time frames 
they believed to be appropriate.\867\ One commenter suggested that SCI 
entities be given until 24 to 48 hours after final resolution of the 
SCI event to submit a written notification.\868\ Another commenter 
similarly recommended that, where real-time notification is needed, 
written notification should not be required unless an SCI event remains 
unresolved after a reasonable period (such as 10 or 15 days).\869\
---------------------------------------------------------------------------

    \866\ See NYSE Letter at 23; FINRA Letter at 19; BATS Letter at 
12; DTCC Letter at 9; MSRB Letter at 18; SIFMA Letter at 13; FIF 
Letter at 5; BIDS Letter at 10; Omgeo Letter at 17; and CME Letter 
at 9.
    \867\ Commenters suggested time frames of 48 hours (CME Letter 
at 9); 72 hours (OCC Letter at 12; DTCC Letter at 9, 11 (noting, 
however, that details surrounding an SCI event should not be 
required to be provided in writing until after the investigation of 
the event is complete and the event has been resolved)); and five 
business days (BIDS Letter at 10).
    \868\ See FINRA Letter at 20. This commenter further suggested 
that, if an SCI event has not been fully resolved within a 
reasonable period, e.g., 10 or 15 days, an SCI entity could be 
required to submit written notification based on currently available 
information at the end of that period, with periodic status updates 
via telephone or email, and a final written submission within 24 to 
48 hours after the event has been fully resolved.
    \869\ See SIFMA Letter at 14.
---------------------------------------------------------------------------

    Some commenters also suggested that, if the Commission retains the 
24-hour requirement, it should require provision of less information. 
For example, one commenter suggested that SCI entities should only be 
required to provide whatever information is sufficiently reliable at 
that time.\870\ Two other commenters stated that SCI entities should 
not be required to include an estimate of the markets and participants

[[Page 72326]]

impacted by an SCI event or to quantify such impact because this 
requirement may create a risk of civil liability for the SCI 
entity.\871\ Another commenter recommended that the rule require only a 
brief written summary that is one or two paragraphs, which could be 
supplemented by oral communications and a longer summary within 15 days 
after an SCI event has been fully resolved.\872\
---------------------------------------------------------------------------

    \870\ See FINRA Letter at 20. This commenter also suggested that 
the rule require an SCI entity to assess the ``business impact'' of 
an SCI event, noting that this information may provide more context 
than requiring an SCI entity to estimate the number of market 
participants impacted by an SCI event (which in some cases could be 
zero, but still have a negative impact on the SCI entity). See FINRA 
Letter at 30.
    \871\ See DTCC Letter at 10; and Omgeo Letter at 30. Omgeo added 
that such a calculation would be difficult to compute, likely 
inaccurate, and of little use to the Commission.
    \872\ See Omgeo Letter at 17.
---------------------------------------------------------------------------

    With respect to the information provided to the Commission via 
notification of an SCI event, one commenter suggested that the rule 
provide a safe harbor for entities and employees for either inadvertent 
omissions in a submitted report, or when a good faith, documented 
determination is made that no report is required.\873\ One commenter 
stated that the Commission should expressly provide that initial 
written submissions are to be made on a best efforts basis and SCI 
entities will incur no liability or penalty for any unintentional 
inaccuracies or omissions contained in these submissions.\874\ Some 
commenters stated that entities should not be liable for information 
that is later found to be incomplete or inaccurate.\875\
---------------------------------------------------------------------------

    \873\ See id. at 18.
    \874\ See FINRA Letter at 20.
    \875\ See, e.g., SIFMA Letter at 14; and UBS Letter at 4 
(stating that SCI entities acting in good faith should not be held 
accountable if details offered in reports to the Commission are 
substantially different from what is revealed by further analysis).
---------------------------------------------------------------------------

    Some commenters \876\ questioned the purpose of requiring that 
information disseminated to members and participants (under proposed 
Rule 1000(b)(5)) be copied and attached to Form SCI as part of 
notifications to the Commission, and considered it ``an overly broad 
inclusion of communications'' that would have ``a chilling effect on 
communications between the SCI entities and their members and 
participants,'' \877\ while another commenter argued that, when an 
exchange is having a technology issue, many members may be reaching out 
to the exchange's staff with requests for information and status. 
Therefore, that commenter questioned the feasibility, need, and 
potential impact of the proposed requirement that SCI entities provide 
a copy of any information disseminated to date regarding the SCI event 
to their members or participants.\878\
---------------------------------------------------------------------------

    \876\ Because the requirement to provide information 
disseminated to an SCI entity's members or participants is now 
included in the Final Report (Rule 1002(b)(4)) instead of with the 
24-hour written notification requirement as proposed, the Commission's 
response to these comments is discussed below in the subsection 
``Final Report: Adopted Rule 1002(b)(4).''
    \877\ See Joint SROs Letter at 11.
    \878\ See Direct Edge Letter at 7-8.
---------------------------------------------------------------------------

    One commenter stated that, to reduce the cost of compliance, the 
Commission should accept the same notifications of service 
interruptions that an ATS already provides to its subscribers.\879\
---------------------------------------------------------------------------

    \879\ See BIDS Letter at 11.
---------------------------------------------------------------------------

    Commenters also provided suggestions for limiting the circumstances 
for which 24-hour written notification would be required under proposed 
Rule 1000(b)(4)(ii). One commenter stated that only SCI events that 
materially impact an SCI entity's operations or market participants 
should be subject to the 24-hour written notification requirement, but 
questioned whether 24 hours was realistic even for those events.\880\ 
One commenter suggested that proposed Rule 1000(b)(4)(ii) only apply to 
significant SCI events and that other events only be subject to a 
recordkeeping requirement.\881\ In addition, some commenters suggested 
that if an SCI entity has provided oral notification to the Commission, 
it should not be required to file written notice within 24 hours after 
the initial report unless reasonably requested by the Commission.\882\
---------------------------------------------------------------------------

    \880\ See MSRB Letter at 18.
    \881\ See CME Letter at 9.
    \882\ See BATS Letter at 12; and Omgeo Letter at 17. See also 
DTCC Letter at 10; and OCC Letter at 14 (suggesting 72 hours to 
provide written information after providing verbal notification).
---------------------------------------------------------------------------

Written Notification Within 24 Hours: Adopted Rule 1002(b)(2)
    Adopted Rule 1002(b)(2) requires an SCI entity, within 24 hours of 
any responsible SCI personnel having a reasonable basis to conclude 
that the SCI event has occurred, to submit a written notification 
pertaining to such SCI event to the Commission. Rule 1002(b)(2) allows 
for such written notifications to be made on a good faith, best efforts 
basis and requires that it include: (i) A description of the SCI event, 
including the system(s) affected; and (ii) to the extent available as 
of the time of the notification: the SCI entity's current assessment of 
the types and number of market participants potentially affected by the 
SCI event; the potential impact of the SCI event on the market; a 
description of the steps the SCI entity has taken, is taking, or plans 
to take, with respect to the SCI event; the time the SCI event was 
resolved or timeframe within which the SCI event is expected to be 
resolved; and any other pertinent information known by the SCI entity 
about the SCI event.
    The Commission has considered comments stating that 24 hours is too 
short and burdensome a duration for an SCI entity to submit a compliant 
written notification.\883\ The Commission understands commenters' 
concerns that SCI entities may still be actively investigating and 
working to resolve an SCI event and that information it initially 
provides to the Commission about an SCI event may not ultimately prove 
correct.\884\ Therefore, in line with commenters' concerns regarding a 
good faith and best efforts standard,\885\ the Commission has modified 
the 24-hour written notification requirement in adopted Rule 1002(b) to 
make clear that the written notification should be provided on a ``good 
faith, best efforts basis.'' This modification acknowledges that a 
written notification provided within 24 hours may provide only a 
preliminary assessment of the SCI event, that additional information 
may come to light after the initial 24-hour period, and that the 
initial assessment may prove in retrospect to be incorrect or 
incomplete. Consequently, the adopted rule requires that the written 
notification provided within 24 hours be submitted on a good faith, 
best efforts basis, and does not require that the written notification 
be a comprehensive or complete assessment of the SCI event (unless, of 
course, an SCI entity has completed a full assessment by such time). 
The Commission believes that a ``good faith'' standard will help to 
ensure that SCI entities will not be accountable for unintentional 
inaccuracies or omissions contained in these submissions, and a ``best 
efforts'' standard will help to ensure that SCI entities will make a 
diligent and timely attempt to provide all the information required by 
the written notification requirement. The Commission also notes that an 
SCI entity will not need to submit a written notification where an SCI 
entity documents that an SCI event is determined to be a de minimis SCI 
event, other than including de minimis systems disruptions and de 
minimis systems intrusions in the quarterly report required by Rule 
1002(b)(5). As discussed in further detail below, in the event that new 
information comes to light or previously reported information is found 
to be materially incorrect, adopted Rule 1002(b)(3) requires an SCI 
entity to update the information at that

[[Page 72327]]

time, and does not require that such updates be written.\886\ The 
Commission believes these modifications will help ensure that SCI 
entities are able to provide the information required by Rule 
1002(b)(2) within 24 hours, and therefore the Commission is not 
modifying the timeframe to extend beyond 24 hours, as requested by 
several commenters.\887\ Moreover, because the information need only be 
provided on a good faith, best efforts basis and, pursuant to Rule 
1002(b)(3), updates can be provided on a regular basis to correct any 
materially incorrect information previously provided or when new 
material information is discovered, the Commission disagrees with 
commenters that stated that the information required by Rule 1002(b) 
should be provided only after resolution of the SCI event. The 
Commission continues to believe that Rule 1002(b)(2)'s requirement to 
provide information to the Commission within 24 hours is appropriately 
tailored to help the Commission and its staff quickly assess the nature 
and the scope of an SCI event and will contribute to more timely and 
effective Commission oversight of systems whose proper functioning is 
central to the maintenance of fair and orderly markets, and that this 
would particularly be the case for SCI events that are not yet 
resolved.\888\
---------------------------------------------------------------------------

    \883\ See, e.g., supra note 866 and accompanying text.
    \884\ See supra notes 873-875 and accompanying text.
    \885\ See id.
    \886\ See infra note 909 and accompanying text.
    \887\ See supra notes 867-869 and accompanying text; and 
Proposing Release, supra note 13, at 18119.
    \888\ See supra notes 868 and 872 and accompanying text.
---------------------------------------------------------------------------

    Adopted Rule 1002(b)(2) is also responsive to comments urging the 
Commission to require less information in a 24-hour written 
notification.\889\ Specifically, whereas proposed Rule 1000(b)(4) 
required a detailed description of the SCI event, adopted Rule 
1002(b)(2)(i) specifies that an SCI entity must only provide ``a 
description of the SCI event, including the system(s) affected.'' 
Additional information is only required to the extent available as of 
the time of the notification, which includes an ``SCI entity's current 
assessment of the types and number of market participants potentially 
affected by the SCI event; the potential impact of the SCI event on the 
market; a description of the steps the SCI entity has taken, is taking, 
or plans to take, with respect to the SCI event; the time the SCI event 
was resolved or timeframe within which the SCI event is expected to be 
resolved; and any other pertinent information known by the SCI entity 
about the SCI event.'' \890\ This information is the type of necessary 
information that SCI entities are able to provide in a short timeframe 
and that the Commission has come, over time, to rely upon to properly 
assess systems issues.
---------------------------------------------------------------------------

    \889\ See supra notes 870-872 and accompanying text.
    \890\ Rule 1002(b)(2)(ii). The information required to be 
provided in Rule 1002(b)(2)(ii) is a subset of information proposed 
to be required under Rule 1000(b)(4)(iv)(A)(1)-(2) of the SCI 
Proposal.
---------------------------------------------------------------------------

    Additionally, the Commission notes that adopted Rule 1002(b) does 
not require that an SCI entity provide the Commission, at the time of 
the initial notice to the Commission, with its current assessment of 
the SCI event, including a discussion of the determination of whether 
it is subject to a dissemination requirement, as proposed in Rule 
1000(b)(4).
    The Commission has also determined to further refine the scope of 
information that needs to be reported in the 24-hour written 
notification by requiring that the following items instead be included 
in the final report under Rule 1002(b)(4), rather than in the 24-hour 
written notification required by Rule 1002(b)(2): A description of the 
SCI entity's rule(s) and/or governing document(s), as applicable, that 
relate to the SCI event; and an analysis of parties that may have 
experienced a loss, whether monetary or otherwise, due to the SCI 
event, the number of such parties, and an estimate of the aggregate 
amount of such loss.\891\
---------------------------------------------------------------------------

    \891\ At the same time, if such information is known at the time 
of the notification, the SCI entity will be required to provide it 
pursuant to Rule 1002(b)(2)(ii)'s requirement that the SCI entity 
provide ``any other pertinent information known . . . about the SCI 
event.'' Additionally, such information would be provided under the 
requirement to provide the Commission with regular updates under 
Rule 1002(b)(3)'s requirement to provide any of the information 
listed in Rule 1002(b)(2)(ii) if it becomes available after the time 
of submission of the 24-hour notification. The Commission also notes 
that Rule 1002(b)(4)(ii) requires that an SCI entity include in the 
final report a copy of any information disseminated pursuant to Rule 
1002(c) by the SCI entity to date regarding an SCI event to any of 
its members or participants.
---------------------------------------------------------------------------

    In response to commenters who suggested that the Commission limit 
the events for which 24-hour written notification would be required to 
material events,\892\ the Commission notes that it has partially 
responded to such comments by providing an exception to the immediate 
notification requirement for de minimis events in Rule 1002(b)(5). The 
Commission believes that this exception should reduce the overall 
number of SCI events subject to immediate notification requirements as 
compared to what would have been required if the SCI Proposal was 
adopted without modification and, consequently, the requirement to 
submit a written notification within 24 hours of an SCI event, thereby 
alleviating some of the burdens about which commenters expressed 
concerns. Moreover, the Commission believes that a materiality 
threshold would likely exclude from the 24-hour written notification a 
large number of SCI events that are not de minimis SCI events but that 
the Commission, as part of its oversight role, should be updated on so 
that the Commission and its staff can quickly assess the nature and 
scope of those SCI events and potentially assist the SCI entity in 
identifying the appropriate response, including ways to mitigate the 
impact of SCI events on investors and promote the maintenance of fair 
and orderly markets. The Commission reemphasizes that the information 
to be provided under the 24-hour written notification would represent 
the SCI entity's preliminary assessment--performed on a good faith, 
best efforts basis--of the SCI event, and only certain key information 
is required under the 24-hour written notification, with ``other 
pertinent information'' required only where ``known by the SCI entity'' 
within the 24-hour timeframe. For these reasons, the Commission has 
determined not to adopt a materiality threshold for the requirement 
that an SCI entity update the Commission within 24 hours after it has a 
reasonable basis to conclude that an SCI event has occurred.
---------------------------------------------------------------------------

    \892\ See supra note 880 and accompanying text.
---------------------------------------------------------------------------

    Additionally, the Commission disagrees with those commenters who 
stated that written notification should only be required when 
reasonably requested by the Commission.\893\ The Commission believes 
that it should be notified of all SCI events and that all SCI events 
(other than those specified in Rule 1002(b)(5)) should be subject to 
the 24-hour written notification requirement because, by articulating 
in a single notification what is currently known about an SCI event and 
the steps expected to be taken to respond to the SCI event, the 
Commission will be better able to assess the nature and scope of, and 
respond to, SCI events and potentially assist SCI entities in 
identifying the appropriate response, including ways to mitigate the 
impact of SCI events on investors and promote the maintenance of fair 
and orderly markets.
---------------------------------------------------------------------------

    \893\ See supra note 882 and accompanying text.
---------------------------------------------------------------------------

    In response to the comment that the Commission should accept the 
same notifications of service interruptions that an ATS provides to its
subscribers,\894\ the Commission believes that SCI ATSs can use the 
types of information contained in ATS notices to subscribers when 
completing Form SCI, but nevertheless believes that it is more useful 
and efficient for the Commission and its staff to be able to have all 
SCI event notifications standardized in a single format (i.e., Form 
SCI).
---------------------------------------------------------------------------

    \894\ See supra note 879 and accompanying text.
---------------------------------------------------------------------------

    As discussed above, the information required under the adopted 24-hour 
written notification requirement has been refined as compared with 
the requirements in the proposal. Consequently, the Commission believes 
that SCI entities should be able to provide the Commission with this 
information in a written format, and does not agree that such 
information should be provided in an oral format, as requested by some 
commenters, regardless of the manner in which the immediate 
notification was provided to the Commission.\895\ The Commission 
emphasizes that regular updates provided under Rule 1002(b)(3) may, 
however, be provided either orally or in written form.\896\
---------------------------------------------------------------------------

    \895\ See supra notes 872 and 882 and accompanying text.
    \896\ See infra note 911 and accompanying text.
---------------------------------------------------------------------------

    In response to commenters that stated SCI entities should not be 
required to include an estimate of the market participants impacted by 
an SCI event or to quantify such impact because this requirement may 
create a risk of civil liability for the SCI entity,\897\ the 
Commission notes that the information submitted to the Commission 
pursuant to Regulation SCI will be treated as confidential, subject to 
applicable law, including amended Rule 24b-2.\898\ Moreover, the 
requirement to provide a 24-hour written notification does not itself 
create a risk of civil liability, but the Commission acknowledges that 
the information provided to it may be subject to FOIA requests.
---------------------------------------------------------------------------

    \897\ See supra note 871.
    \898\ See supra notes 802-803 and accompanying text. For a 
discussion of the amendment to Rule 24b-2, see infra notes 1245-1248 
and accompanying text.
---------------------------------------------------------------------------

    Regarding the comment that the requirement to include an estimate 
of the markets and participants impacted by an SCI event or to quantify 
such impact would be difficult to compute, likely inaccurate, and of 
little use to the Commission,\899\ the Commission disagrees. The rule 
requires an SCI entity to provide its current assessment of the types 
and number of market participants potentially affected by the SCI event 
and the potential impact of the SCI event on the market, to the extent 
this information is available as of the time of the notification, 
rather than an exact computation. In addition, the rule does not 
require that the assessment be submitted only if the SCI entity ensures 
that it is free of inaccuracies. Further, contrary to the commenter's 
suggestion, the Commission believes that such estimates will be of 
significant use to the Commission and its staff in understanding the 
potential severity of the SCI event. In addition, because the SCI 
entity is likely to be in the best position to assess an SCI event, the 
Commission also believes that an assessment of the impact of an SCI 
event on markets and participants is useful because it affords the 
Commission the opportunity to learn the SCI entity's perspective on the 
potential or actual impact of an SCI event.\900\
---------------------------------------------------------------------------

    \899\ See supra note 871 and accompanying text.
    \900\ The Commission notes that SCI entities retain the 
flexibility to provide additional information to the Commission as 
part of their assessments, such as providing the ``business impact'' 
of an SCI event, as suggested by one commenter. See supra note 870.
---------------------------------------------------------------------------

Written Commission Updates: Proposed Rule 1000(b)(4)(iii)
    Commenters also addressed proposed Rule 1000(b)(4)(iii), which 
required an SCI entity to provide the Commission written updates 
pertaining to an SCI event on a regular basis, or at such frequency as 
reasonably requested by a representative of the Commission, until the 
SCI event was resolved. Some commenters urged the Commission to provide 
clarity on the definition of ``resolved.'' \901\ For example, one 
commenter suggested that the Commission should define the resolution of 
an SCI event to be when the affected SCI systems have been 
normalized,\902\ and another commenter stated that there should be a 
precise definition of when an SCI event is resolved and that definition 
should be linked directly to the definition of the SCI event 
itself.\903\ Other commenters expressed concern that the continuing 
update requirement could divert resources from resolution of the SCI 
event and suggested that updates be required only to the extent they 
would not interfere with event resolution.\904\ One commenter stated 
that continual updates should only be necessary if the SCI entity had 
not resolved the event within a reasonable period, such as 10 to 15 
days.\905\
---------------------------------------------------------------------------

    \901\ See DTCC Letter at 11; and Omgeo Letter at 18.
    \902\ See DTCC Letter at 11.
    \903\ See Omgeo Letter at 18.
    \904\ See MSRB Letter at 19; and OCC Letter at 14.
    \905\ See FINRA Letter at 20.
---------------------------------------------------------------------------

    Other commenters addressed the method of providing updates. For 
example, one commenter stated that only oral communication should be 
required when an SCI event is ongoing, and that the rule should allow a 
written supplement to a final or post mortem report if additional 
information comes to light regarding the SCI event.\906\ Another 
commenter suggested that updates should be permitted to be in writing 
or provided orally based on the judgment of the SCI entity.\907\ 
Finally, one commenter stated that requests for updates regarding SCI 
events should only be permitted to come from senior staff at the 
Commission.\908\
---------------------------------------------------------------------------

    \906\ See Omgeo Letter at 17.
    \907\ See MSRB Letter at 19.
    \908\ See NYSE Letter at 24.
---------------------------------------------------------------------------

Regular Updates: Adopted Rule 1002(b)(3)
    Rule 1002(b)(3) requires that, until such time as an SCI event is 
resolved, and the SCI entity's investigation of the SCI event is 
closed, an SCI entity provide the Commission with updates pertaining to 
the SCI event on a regular basis, or at such frequency as reasonably 
requested by a representative of the Commission. Updates are required 
to correct any materially incorrect information previously provided, or 
when new material information is discovered, including but not limited to, 
any of the information listed in Rule 1002(b)(2)(ii).
    While the Commission recognizes that providing the Commission with 
such updates imposes an additional reporting requirement on SCI 
entities, the Commission also believes that updates are important to 
allow the Commission to fully monitor the SCI event. In addition, the 
Commission believes that the update requirement will encourage SCI 
entities to formalize their processes for gathering information on SCI 
events, which will help to ensure that responsible SCI personnel 
receive accurate and updated information on SCI events as they are 
being resolved, and further, that this process may be helpful to SCI 
entities when providing information about SCI events to their members 
or participants. Also, because the Commission has revised the 
requirements of the 24-hour notification to allow SCI entities to 
provide information on a good faith, best efforts basis and has limited 
the scope of information required in that report as discussed above, 
the Commission believes that updates to the Commission to correct 
materially incorrect information previously reported or when new 
material information is
discovered as required by the rule is important to keep the Commission 
up to date with accurate information, including the following: The SCI 
entity's current assessment of the types and number of market 
participants potentially affected by the SCI event; the potential 
impact of the SCI event on the market; a description of the steps the 
SCI entity has taken, is taking, or plans to take, with respect to the 
SCI event; the time the SCI event was resolved or timeframe within 
which the SCI event is expected to be resolved; and any other pertinent 
information known by the SCI entity about the SCI event. Consequently, 
the Commission does not agree with the commenter who suggested that 
updates should be only required if an SCI event has not been resolved 
within a reasonable amount of time, such as 10 to 15 days.\909\
---------------------------------------------------------------------------

    \909\ See supra note 870 and accompanying text.
---------------------------------------------------------------------------

    The Commission believes that updates regarding this information are 
important to enhance the Commission's oversight of the securities 
markets and its informed and continued understanding of an SCI event. 
Moreover, the Commission underscores that updates are only required to 
the extent that they correct any materially incorrect information 
previously provided or when new material information is discovered, 
including but not limited to, any of the information listed in Rule 
1002(b)(2)(ii), thereby alleviating the burden to SCI entities of 
providing such updates absent such circumstances.\910\ The Commission 
has also eased the requirements of the proposed update provision by 
eliminating the proposed requirements that an SCI entity attach a copy 
of any information disseminated to date regarding the SCI event to its 
members or participants or on the SCI entity's publicly available Web 
site; a description of the SCI entity's rule(s) and/or governing 
document(s), as applicable, that relate to the SCI event; an analysis 
of parties that may have experienced a loss, whether monetary or 
otherwise, due to the SCI event, the number of such parties, and an 
estimate of the aggregate amount of such loss. Instead, these 
information requirements must only be provided as part of the final 
report required by Rule 1002(b)(4), and the Commission therefore 
believes that burdens associated with the continuing update requirement 
will be streamlined because SCI entities will not need to devote 
resources to providing written updates while an SCI event is ongoing.
---------------------------------------------------------------------------

    \910\ The requirement that updates regarding new or corrected 
information be provided on a regular basis (unless an alternative, 
specific frequency is reasonably requested by a representative of 
the Commission) is designed to take into account the fact that new 
or updated information may develop at different frequencies for 
different SCI events.
---------------------------------------------------------------------------

    At the same time, the Commission is cognizant of the burdens 
associated with requiring written updates and therefore has revised the 
update requirement in adopted Rule 1002(b)(3) to remove the proposed 
requirement that such updates be provided in written form. Thus, 
updates may be submitted either orally or in written form, which 
will result in a lighter burden on SCI entities than the proposed 
requirement and is responsive to commenters that suggested that SCI 
entity resources would be better directed to resolving an SCI 
event.\911\
---------------------------------------------------------------------------

    \911\ See supra note 791 and accompanying text. SCI entities 
may, but are not required to, utilize Form SCI to submit such 
updates. See Section IV.D (discussing Form SCI). The Commission also 
believes that, to the extent commenters suggested that the 
Commission permit oral updates, they did so because, at least in 
part, oral updates are less burdensome to SCI entities than written 
updates. See supra notes 906-907 and accompanying text.
---------------------------------------------------------------------------

    In response to comment that the Commission provide guidance to 
clarify when an SCI event has been ``resolved'' \912\ and in line with 
the particular comment that the concept of resolution should be linked 
directly to the definition of the SCI event itself,\913\ the Commission 
believes that an SCI event is resolved when the event no longer meets 
the definitions of a systems disruption, systems intrusion, or systems 
compliance issue, as defined in Rule 1000, and that an SCI entity's 
Rule 1002(b) reporting obligations are completed when an SCI entity 
submits a final report as required by Rule 1002(b)(4). Further, the 
Commission does not believe that it is necessary to prescribe that 
requests to SCI entities regarding updates should come solely from 
senior Commission staff, as suggested by one commenter.\914\ The 
Commission believes that requiring an SCI entity to update the 
Commission at such frequency as reasonably requested by a 
representative of the Commission provides appropriate flexibility to 
the Commission to request additional information as necessary, but does 
not anticipate that requests will be made by multiple members of the 
Commission staff because the Commission expects that such requests 
would be coordinated by a particular group of Commission staff that are 
assigned to handle specific reports from SCI entities.
---------------------------------------------------------------------------

    \912\ See supra notes 902-903 and accompanying text.
    \913\ See supra note 903 and accompanying text.
    \914\ See supra note 802 and accompanying text.
---------------------------------------------------------------------------

Final Report: Adopted Rule 1002(b)(4)
    Adopted Rule 1002(b)(4) requires that if an SCI event is resolved 
and the SCI entity's investigation of the SCI event is closed within 30 
days of the occurrence of the SCI event, then within five business days 
after the resolution of the SCI event and closure of the SCI entity's 
investigation regarding the SCI event, the SCI entity is to submit a 
final written notification pertaining to such SCI event to the 
Commission (``final report''). The final report is required to include: 
(i) A detailed description of: The SCI entity's assessment of the types 
and number of market participants affected by the SCI event; the SCI 
entity's assessment of the impact of the SCI event on the market; the 
steps the SCI entity has taken, is taking, or plans to take, with 
respect to the SCI event; the time the SCI event was resolved; the SCI 
entity's rule(s) and/or governing document(s), as applicable, that 
relate to the SCI event; and any other pertinent information known by 
the SCI entity about the SCI event; (ii) a copy of any information 
disseminated pursuant to Rule 1002(c) by the SCI entity to date 
regarding the SCI event to any of its members or participants; and 
(iii) an analysis of parties that may have experienced a loss, whether 
monetary or otherwise, due to the SCI event, the number of such 
parties, and an estimate of the aggregate amount of such loss. Rule 
1002(b)(4) also specifies that, if an SCI event is not resolved or the 
SCI entity's investigation of the SCI event is not closed within 30 
days of the occurrence of the SCI event, then, the SCI entity is 
required to submit a written notification pertaining to such SCI event 
to the Commission within 30 days after the occurrence of the SCI event 
containing the information required in Rules 1002(b)(4)(i)-(iii), to 
the extent known at the time. Within five business days after the 
resolution of such SCI event and closure of the investigation regarding 
such SCI event, the SCI entity is required to submit a final written 
notification pertaining to such SCI event to the Commission containing 
the information specified in the rule.
    As an initial matter, the Commission notes that several of the 
items that are specifically required to be described in the final 
report (as specified in adopted Rule 1002(b)(4)) were proposed to be 
required to be provided to the Commission under proposed Rule 
1000(b)(4)(ii), within a shorter time frame.\915\ The Commission 
believes that
the adopted rule, by requiring that this information be submitted to 
the Commission after resolution of an SCI event and closure of the SCI 
entity's investigation, will encourage SCI entities to devote resources 
first to resolving the SCI event, and providing status reports when 
required, and then to preparing a comprehensive final report. In 
particular, as some commenters suggested, certain information would be 
more accurate, and therefore more useful, if provided after an SCI 
event is resolved.\916\ The Commission believes that the information 
required under Rule 1002(b)(4) will provide the Commission with a 
comprehensive analysis to more fully understand and assess the impact 
caused by the SCI event. In addition, the Commission ordinarily would 
expect an SCI entity to include the root cause of an SCI event as part 
of ``any other pertinent information'' known about the SCI event. The 
Commission also believes that certain of the information requested by 
Rule 1002(b)(4) is more suitable to be provided after, rather than 
prior to, resolution of an SCI event. Specifically, much of the 
information required by Rule 1002(b)(4) (an analysis of parties that 
may have experienced a loss, whether monetary or otherwise, due to the 
SCI event, the number of such parties, and an estimate of the aggregate 
amount of such loss) can only be comprehensively known after the final 
resolution of an SCI event.\917\
---------------------------------------------------------------------------

    \915\ The Commission notes that while proposed Rule 
1000(b)(4)(iv)(C) specified that an SCI entity was required to 
provide a copy of any information disseminated on the SCI entity's 
publicly available Web site, adopted Rule 1002(b)(4) specifies that 
an SCI entity provide a copy of any information disseminated 
pursuant to Rule 1002(c) by the SCI entity to date regarding the SCI 
event to any of its members or participants.
    \916\ See supra notes 870-878 and accompanying text.
    \917\ The Commission notes that a notification required pursuant 
to proposed Rule 1000(b)(4)(ii) required the SCI entity to provide 
information on the ``potential impact of the SCI event on the 
market,'' whereas adopted Rule 1002(b)(4)(ii)(A) requires a 
description of ``the SCI entity's assessment of the impact of the 
SCI event on the market.'' Because adopted Rule 1002(b)(4) requires 
a final report upon resolution of an SCI event and the closure of 
the SCI entity's investigation of the SCI event, the Commission 
believes it is appropriate that an SCI entity provide its assessment 
of the impact of the SCI event in the final report, rather than 
information on the SCI event's potential impact.
---------------------------------------------------------------------------

    Similarly, the Commission is revising the proposed requirement that 
SCI entities provide to the Commission a copy of any information 
disclosed by the SCI entity to date regarding the SCI event to any of 
its members or participants. First, rather than requiring that SCI 
entities provide a copy of ``any information disclosed by the SCI 
entity,'' the adopted rule requires that SCI entities provide a copy of 
any information ``disseminated pursuant to paragraph (c) of [Rule 
1002]'' by the SCI entity to date regarding the SCI event to any of its 
members or participants. The Commission believes that this refined 
requirement will more appropriately capture only the information needed 
for the Commission to assess compliance with the dissemination 
requirements of Rule 1002(c). Further, to limit the burden on, and 
provide additional flexibility to, SCI entities as they resolve SCI 
events, the adopted rule does not require this information to be 
included as part of a Form SCI submission until the final report is to 
be submitted to the Commission. The Commission believes that it is 
sufficient to require that this information be included in the final 
report because it is an important part of the record of an SCI event 
and SCI entity's response to such event.\918\ As noted above, one 
commenter questioned the purpose of this requirement and expressed 
concern that it may negatively impact open communication between an SCI 
entity and its members and participants,\919\ while another commenter 
questioned the feasibility, need, and potential impact of this 
requirement in light of the numerous communications that SCI entities 
will engage in with their members or participants.\920\ While the 
Commission recognizes that it is possible that the requirement could 
have some chilling effect on such communications, it believes that this 
information is important for SCI entities to share with the Commission 
because it is an efficient means for the Commission to assess whether 
SCI entities are complying with the dissemination requirements of Rule 
1002(c). Further, the Commission believes that, by requiring that SCI 
entities provide a copy only of information disseminated pursuant to 
Rule 1002(c) (rather than all information disclosed to members or 
participants regarding the SCI event), it addresses one commenter's 
concern that it would be difficult, unnecessary, and could impede open 
communication, to provide the Commission with a copy of all information 
disclosed to members or participants, which could include hundreds of 
individual communications via email or telephone for each SCI event.
---------------------------------------------------------------------------

    \918\ Under Rule 1002(b)(4), SCI entities are required to 
provide a copy of any information disseminated pursuant to Rule 
1002(c) by the SCI entity to date regarding the SCI event to any of 
its members or participants.
    \919\ See supra note 877.
    \920\ See supra note 878 and accompanying text. Specifically, 
this commenter noted that there could be hundreds of communications 
between the SCI entity and its members or participants during a 
systems incident and questioned the feasibility of, and need for, 
recreating and providing to the Commission a copy of all such 
communications. Further, the commenter noted that this requirement 
could have an unintended effect of discouraging open communication 
between the SCI entity and its members.
---------------------------------------------------------------------------

    The Commission also believes that, if an SCI event is not resolved 
or the SCI entity's investigation of the SCI event is not closed within 
30 days of the occurrence of the SCI event, it is reasonable to require 
that an SCI entity submit within thirty business days after the 
occurrence of the SCI event the information required in Rule 
1002(b)(4)(ii), to the extent known at the time, because this timeframe 
provides SCI entities with flexibility to continue their investigation 
while also apprising the Commission of relevant information discovered 
during the course of the SCI entity's investigation. Moreover, the rule 
takes into account the Commission's recognition that an SCI entity's 
investigation regarding an SCI event may not yet be complete despite the fact 
that the SCI event itself has resolved. In such cases, within five 
business days after the SCI event has resolved and the investigation 
regarding the SCI event has closed, the Commission believes that it is 
reasonable and necessary to provide it with a comprehensive and 
complete understanding of the SCI event. Consequently, SCI entities are 
required to submit a final written notification that contains all 
information required by Rule 1002(b).

Goals of Adopted Commission Notification Rule
    As discussed in greater detail above, the Commission has carefully 
considered the views of commenters as well as what it believes is 
necessary for the Commission and its staff with respect to the timing 
and content of notifications regarding SCI events, and believes that 
the adopted rule will be less burdensome for SCI entities than if the 
proposed rule was adopted without modification, while still resulting 
in meaningful notice to the Commission and its staff with information 
about SCI events in a timely manner that permits the Commission to 
fulfill its oversight role.
    With regard to comments on the resource and efficiency demands of 
the notification requirements,\921\ the Commission believes that while 
SCI entities will need to devote resources to fulfilling the 
notification requirements, the Commission does not believe that these 
resources will diminish SCI entities' ability to respond to SCI events 
because it is the Commission's
experience that the staff that engages in corrective action is 
generally distinct from the staff that has been charged with notifying 
the Commission of systems issues. Consequently, the Commission does not 
believe that, due to this requirement, staff that engages in corrective 
action will be unable to fulfill its responsibilities after 
implementation of Regulation SCI.
---------------------------------------------------------------------------

    \921\ See supra notes 790-793.
---------------------------------------------------------------------------

    The Commission believes that adopted Rules 1002(b)(1)-(4) are 
responsive to concerns that the proposed Commission notification 
requirements would have required SCI entities to notify the Commission 
of information before all relevant facts are known.\922\ As discussed, 
in tandem with the revised triggering standard, which affords an SCI 
entity time to assess whether an SCI event has occurred,\923\ the 
adopted rule affords an SCI entity the flexibility to gather 
information for the 24-hour written notification on a good faith, best 
efforts basis,\924\ and adopted Rule 1002(b)(3) makes clear that an SCI 
entity is required to update the Commission to correct any materially 
inaccurate information previously provided, or when pertinent new 
information is discovered, until such time as the SCI event is 
resolved, and the SCI entity's investigation of the SCI event is 
closed. Further, the final report for a given SCI event is only 
required once, when both the SCI event is resolved and the SCI entity's 
investigation of the SCI event is closed, with an interim report 
required only when an SCI event is not resolved or the SCI entity's 
investigation of the SCI event is not closed within 30 days of the 
occurrence of the SCI event. Taken together, the Commission believes 
that Rule 1002(b) does not require reporting before all relevant facts 
are known, which one commenter suggested would be counterproductive and 
harmful.\925\ Instead, the Commission believes that the rule is 
designed to provide SCI entities with a process that gives them 
sufficient time to submit information to the Commission when known. In 
addition, and in response to comment questioning the usefulness of the 
notification requirement for the Commission,\926\ the Commission 
believes that adopted Rule 1002(b) will foster a system for 
comprehensive reporting of SCI events, which should enhance the 
Commission's review and oversight of U.S. securities market 
infrastructure and foster cooperation between the Commission and SCI 
entities in responding to SCI events. The Commission also believes that 
the aggregated data that will result from the reporting of SCI events 
will enhance its ability to comprehensively analyze the nature and 
types of various SCI events and identify more effectively areas of 
persistent or recurring problems across the systems of all SCI 
entities. Some commenters suggested that the Commission provide to SCI 
entities regular summary-level feedback on SCI entities' notifications 
\927\ or provide examples of the types of SCI events that warrant 
notification.\928\ To the extent it believes that guidance or other 
information, including summary-level feedback, publications, or 
reference blueprints, would be appropriate to share, the Commission or 
its staff may do so in the future.
---------------------------------------------------------------------------

    \922\ See supra note 804 and accompanying text.
    \923\ See supra Section IV.B.3.a (discussing the triggering 
standard).
    \924\ See supra discussion of ``good faith, best efforts'' 
above.
    \925\ See supra note 804.
    \926\ See supra note 793.
    \927\ See supra note 806 and accompanying text.
    \928\ See supra note 807 and accompanying text.
---------------------------------------------------------------------------

d. Dissemination of Information--Rule 1002(c)
i. Proposed Rule 1000(b)(5)
    Proposed Rule 1000(b)(5) would have required an SCI entity to 
provide specified information relating to ``dissemination SCI events'' 
to SCI entity members or participants. The term ``dissemination SCI 
event'' was proposed to mean an SCI event that is a: (1) Systems 
compliance issue; (2) systems intrusion; or (3) systems disruption that 
results, or the SCI entity reasonably estimates would result, in 
significant harm or loss to market participants.
    Proposed Rule 1000(b)(5)(i)(A) would have required an SCI entity, 
promptly after any responsible SCI personnel becomes aware of a 
dissemination SCI event other than a systems intrusion, to disseminate 
to its members or participants the following information about such SCI 
event: (1) The systems affected by the SCI event; and (2) a summary 
description of the SCI event. Proposed Rule 1000(b)(5)(i)(B) would have 
required an SCI entity to further disseminate to its members or 
participants, when known: (1) A detailed description of the SCI event; 
(2) the SCI entity's current assessment of the types and number of 
market participants potentially affected by the SCI event; and (3) a 
description of the progress of its corrective action for the SCI event 
and when the SCI event has been or is expected to be resolved. Proposed 
Rule 1000(b)(5)(i)(C) would have further required an SCI entity to 
provide regular updates to members or participants on any of the 
information required to be disseminated under proposed Rules 
1000(b)(5)(i)(A) and (i)(B). In the case of a systems intrusion, the 
proposed rule permitted a limited delay in dissemination if the 
dissemination would compromise the security of the SCI entity's 
systems.\929\ Except for the delay in dissemination of information for 
systems intrusions in specified circumstances, the proposed rule did 
not distinguish dissemination obligations based on the severity or 
impact of a dissemination SCI event.
---------------------------------------------------------------------------

    \929\ See proposed Rule 1000(b)(5)(ii) (permitting a delay in 
dissemination of information regarding a systems intrusion if ``the 
SCI entity determines that dissemination of such information would 
likely compromise the security of the SCI entity's SCI systems or 
SCI security systems, or an investigation of the systems intrusion, 
and documents the reasons for such determination'').
---------------------------------------------------------------------------

ii. Comments Regarding Information Dissemination
    Two commenters generally supported proposed Rule 1000(b)(5).\930\ 
One commenter characterized it as ``one of the major benefits of th[e] 
proposal.'' \931\ Another commenter suggested broadening the proposal 
to require an SCI entity to reveal dissemination SCI events to the 
public at large, and not just to its members or participants.\932\ This 
commenter believed that public dissemination of the facts of an SCI 
event would help enhance investor confidence by preventing speculation 
and misinformation, and would provide important learning opportunities 
for the industry and other SCI entities.\933\
---------------------------------------------------------------------------

    \930\ See Angel Letter at 5; and MFA Letter at 7.
    \931\ See Angel Letter at 5. This commenter stated: ``Instead of 
keeping information about hardware failures, system intrusions, and 
software glitches private, sharing the information will alert others 
in the industry about such problems and help to reduce system wide 
costs of diagnosing problems, as well as result in improved 
responses to technology problems. These will serve as warnings to 
the other SCI entities to stay vigilant to prevent similar problems 
from occurring on their platforms.'' Angel Letter at 5.
    \932\ See MFA Letter at 7.
    \933\ See id.
---------------------------------------------------------------------------

    In contrast, many commenters urged the Commission to revise the 
proposed dissemination requirement.\934\ For example, a few commenters 
expressed concern that the proposal would require dissemination of too 
much information too soon.\935\ One of these commenters stated that the 
proposed rule would be counterproductive and harmful because
it would cause the release of information before all relevant facts are 
known and suggested dissemination should only be required when the SCI 
entity has credible information that can be acted upon.\936\ Another 
commenter suggested that dissemination should only be required when the 
information to be disseminated is certain and clear.\937\ Another 
commenter urged that, if immediate dissemination is required, then the 
information required to be disseminated should be limited to 
communication of the basic fact that there is a systems issue and 
additional information will be provided when known.\938\
---------------------------------------------------------------------------

    \934\ See, e.g., NYSE Letter at 28-29; FINRA Letter at 24; BATS 
Letter at 13; DTCC Letter at 11-12; OCC Letter at 16; CME Letter at 
9-10; ICI Letter at 4; Oppenheimer Letter at 2; Direct Edge Letter 
at 8; Omgeo Letter at 21; ITG Letter at 13; and FIA PTG Letter at 3.
    \935\ See, e.g., DTCC Letter at 12; NYSE Letter at 29; and ITG 
Letter at 13.
    \936\ See ITG Letter at 13. See also supra note 804 and 
accompanying text.
    \937\ See DTCC Letter at 12.
    \938\ See NYSE Letter at 29 (stating also that the scope of the 
information required to be provided is too extensive, particularly 
given the timing requirements of the proposed rule).
---------------------------------------------------------------------------

    Several commenters opposed requiring information dissemination to 
all members and participants.\939\ For example, some commenters urged 
that an SCI entity be required to provide information only to members 
or participants actually impacted by an SCI event, or that interact 
with the SCI system impacted, rather than to all members or 
participants of an SCI entity.\940\ One commenter recommended that an 
SCI entity be required to disseminate information only to persons 
reasonably likely to be affected by a significant systems issue.\941\ 
Two commenters stated that SCI entities should have reasonable 
discretion to determine who among their members and participants should 
receive notification of an SCI event, as well as the manner and timing 
for providing notice.\942\ A few commenters more broadly expressed 
concern that the proposed rule would result in over-reporting of 
information about SCI events and would have limited usefulness.\943\ 
Some of these commenters stated that the proposed approach would result 
in SCI entity members and participants becoming immunized to the 
notifications because they would receive too many notifications and 
therefore would not focus on the truly significant events.\944\
---------------------------------------------------------------------------

    \939\ See, e.g., MSRB Letter at 20-21; DTCC Letter at 11; CME 
Letter at 10; NYSE Letter at 28; FINRA Letter at 24-25; ISE Letter 
at 6-7; SIFMA Letter at 15; and OCC Letter at 17.
    \940\ See MSRB Letter at 20-21; DTCC Letter at 11; CME Letter at 
9; NYSE Letter at 28; FINRA Letter at 25; and ISE Letter at 6-7. In 
addition, one of these commenters sought clarification on whether 
the term ``participant'' refers to a formal participant or, more 
broadly speaking, any market participant that interacts with the SCI 
system in question. See MSRB Letter at 20. See also Omgeo Letter at 
21, and infra note 954.
    \941\ See NYSE Letter at 28.
    \942\ See SIFMA Letter at 15 (urging that an SCI entity should 
have discretion to determine which participants or members are 
affected and how to notify them); and OCC Letter at 17 (urging that 
an SCI entity should be able to limit the communication to those 
members and participants that are actually affected and to provide 
the communication on a confidential and secure basis when the SCI 
entity has reasonable certainty of the information that is required 
to be provided).
    \943\ See, e.g., CME Letter at 9; FIA PTG Letter at 3; and Omgeo 
Letter at 39. See also Fidelity Letter at 5 (requesting that the 
Commission provide greater specificity regarding the types of 
dissemination SCI events that must be disclosed and to whom 
disclosure must be made).
    \944\ See, e.g., Omgeo Letter at 40; FIA PTG Letter at 3; and 
CME Letter at 9.
---------------------------------------------------------------------------

    Several commenters suggested that the Commission apply the proposed 
dissemination requirement to fewer types of SCI events.\945\ For 
example, several commenters stated that information dissemination 
should only be required for material or significant SCI events.\946\ 
One commenter suggested that, for an SCI event that is ``de minimis,'' 
information dissemination to members or participants should not be 
required at all.\947\ This commenter suggested that a de minimis SCI 
event would be one that is limited in impact, brief in duration, or 
involves little or no member or participant harm.\948\ Another 
commenter noted that, as proposed, Commission notification would be 
required for a systems disruption if the systems disruption had a 
``material impact'' on the SCI entity's operations or on market 
participants, whereas information dissemination to members or 
participants would be required if an SCI entity reasonably estimated 
that the systems disruption would result ``in significant harm or loss 
to market participants.'' \949\ This commenter criticized the differing 
standards for Commission notification and member/participant 
notification and suggested that the Commission clarify the standards or 
adopt a uniform standard for both types of notifications.\950\
---------------------------------------------------------------------------

    \945\ See, e.g., NYSE Letter at 28; FIA PTG Letter at 3; FINRA 
Letter at 24; BATS Letter at 13; OCC Letter at 16-17; CME Letter at 
9-10; ICI Letter at 4; Oppenheimer Letter at 2; and Direct Edge 
Letter at 8.
    \946\ See NYSE Letter at 28; FIA PTG Letter at 3; FINRA Letter 
at 24; BATS Letter at 13; OCC Letter at 16-17; CME Letter at 9-10; 
ICI Letter at 4; Oppenheimer Letter at 2; and Direct Edge Letter at 
8.
    \947\ See BATS Letter at 13.
    \948\ See id.
    \949\ See OCC Letter at 16.
    \950\ See id.
---------------------------------------------------------------------------

    Several commenters specifically opposed the proposed dissemination 
requirement for systems compliance issues. Some commenters urged that 
an SCI entity be required to disseminate information only for material 
or significant systems compliance issues.\951\ One of these commenters 
stated that prompt dissemination of information regarding systems 
compliance issues to members or participants might lead to widespread 
dissemination of extraneous and potentially inaccurate 
information.\952\
---------------------------------------------------------------------------

    \951\ See, e.g., FINRA Letter at 24; Joint SROs Letter at 9; 
SIFMA Letter at 12; BATS Letter at 13; MSRB Letter at 6; and CME 
Letter at 10.
    \952\ See Joint SROs Letter at 8.
---------------------------------------------------------------------------

    Regarding systems intrusions, a few commenters stated that 
dissemination of systems intrusions information could raise significant 
risks and security concerns.\953\ One commenter recommended that a 
dissemination requirement apply only in the case of members, 
participants, or clients for whom confidential data was disclosed, 
processing was impacted, or where such member, participant, or client 
could take further action to mitigate the risk of such disclosure.\954\ 
This commenter also expressed support for the limited exception for 
intrusions that would compromise an investigation or resolution of the 
systems intrusion, noting that once dissemination would no longer 
compromise an investigation or the resolution of the issue, the entity 
should notify materially affected members, participants, or clients.
---------------------------------------------------------------------------

    \953\ See DTCC Letter at 11; and NYSE Letter at 29. See also 
Direct Edge Letter at 3 (suggesting that, to ensure that sensitive 
information does not fall into the wrong hands, the Commission 
should require reporting of systems intrusions to the Commission, 
and only require public disclosure in instances where there is a 
risk of significant harm to the SCI entity's customers).
    \954\ See Omgeo Letter at 21.
---------------------------------------------------------------------------

    One commenter stated that information should not be disseminated 
regarding disruptions in regulatory or surveillance systems, nor should 
information be disseminated about intrusions or compliance issues, 
arguing that the information could be misused, or if disseminated too 
soon, could be inaccurate and misleading.\955\ Two other commenters 
also expressed concern that information dissemination should not be 
required when the information provided might be misused to the 
detriment of the markets or investors, such as with respect to systems 
intrusions or issues relating to surveillance systems.\956\
---------------------------------------------------------------------------

    \955\ See NYSE Letter at 29. See also supra note 935 and 
accompanying text.
    \956\ See ICI Letter at 4; and Oppenheimer Letter at 2.
---------------------------------------------------------------------------

iii. Rule 1002(c)
    In the SCI Proposal, the Commission stated that the intended 
purpose of the proposed rule was twofold: To aid members or 
participants of SCI entities
in determining whether their trading activity has been or might be 
impacted by the occurrence of an SCI event at an SCI entity so that 
they could consider that information in making trading decisions, 
seeking corrective action or pursuing remedies, or taking other 
responsive action; and to provide an incentive for SCI entities to 
devote more resources and attention to improving the integrity and 
compliance of their systems and preventing the occurrence of SCI 
events.\957\ Although commenters generally did not object to the 
Commission's stated rationale for proposed Rule 1000(b)(5), several 
commenters suggested that the proposed approach did not adequately 
consider circumstances in which the proposed information dissemination 
might not be helpful to the market or market participants, or could be 
detrimental to the markets or market participants. One commenter, 
however, urged that public dissemination of information regarding SCI 
events would help to prevent speculation and misinformation regarding 
such events.\958\
---------------------------------------------------------------------------

    \957\ See Proposing Release, supra note 13, at 18120.
    \958\ See supra note 933 and accompanying text.
---------------------------------------------------------------------------

    The Commission has carefully considered the views of commenters 
with respect to proposed Rule 1000(b)(5), and has determined to adopt 
it as Rule 1002(c), with several modifications in response to comment. 
In particular, the Commission has determined to eliminate the 
definition of ``dissemination SCI event'' from the final rule and adopt 
an information dissemination requirement that scales dissemination 
obligations in accordance with the nature and severity of an SCI event. 
In response to comment that the proposed rule would result in 
over-reporting of information about SCI events and have limited usefulness, 
the Commission has further focused the rule from the proposal by 
requiring dissemination of information about SCI events that are not 
major SCI events only to affected SCI entity members and participants, 
and excepting de minimis SCI events and SCI events regarding market 
regulation or market surveillance systems from the information 
dissemination requirement.\959\ In the case of a ``major SCI event,'' 
the Commission agrees with the commenter who stated that requiring 
dissemination should help to prevent speculation and misinformation 
regarding such events.\960\ Therefore, in the case of a ``major SCI 
event,'' the adopted rule requires an SCI entity to disseminate 
information to all of its members or participants. At the same time, as 
with other SCI events, any SCI event that meets the definition of major 
SCI event that has had, or the SCI entity reasonably estimates would 
have, no or a de minimis impact on the SCI entity's operations or on 
market participants is excepted from the information dissemination 
requirement.\961\ The Commission believes the revised approach will 
better achieve the purpose of maximizing the utility of information 
disseminated to SCI entity members and participants while 
simultaneously reducing compliance burdens for SCI entities.
---------------------------------------------------------------------------

    \959\ See supra notes 943-956 and accompanying text.
    \960\ See supra note 933 and accompanying text.
    \961\ See Rule 1002(c)(4)(ii).
---------------------------------------------------------------------------

Rule 1002(c)(1): Information Dissemination for Systems Disruptions and 
Systems Compliance Issues
    Adopted Rule 1002(c)(1) generally addresses dissemination 
requirements for systems disruptions and systems compliance issues. 
Rule 1002(c)(1)(i) requires an SCI entity, promptly after any 
responsible SCI personnel has a reasonable basis to conclude that an 
SCI event that is a systems disruption or systems compliance issue has 
occurred, to disseminate information about such SCI event, unless an 
exception applies. When the dissemination obligation is triggered,\962\ 
Rule 1002(c)(1)(i) requires an SCI entity to disseminate to the persons 
specified in Rule 1002(c)(3) information on the system(s) affected by 
the SCI event and a summary description of the SCI event. Thereafter, 
Rule 1002(c)(1)(ii) provides that, when known, an SCI entity shall 
promptly further disseminate: A detailed description of the SCI event; 
the SCI entity's current assessment of the types and number of market 
participants potentially affected by the SCI event; and a description 
of the progress of its corrective action for the SCI event and when the 
SCI event has been or is expected to be resolved. Rule 1002(c)(1)(iii) 
provides that, until resolved, an SCI entity shall provide regular 
updates of any information required to be disseminated under Rules 
1002(c)(1)(i) and (ii). The specified types of information and the 
update requirements are unchanged from the proposal. The Commission 
continues to believe that, for the dissemination of information to be 
meaningful, it is necessary for an SCI entity to describe the SCI event 
in sufficient detail to permit a member or participant to determine 
whether and how it was affected by the SCI event and make appropriate 
decisions based on that determination.\963\ Adopted Rule 1002(c)(1)(i) 
requires that the information initially disseminated include the 
systems affected by the SCI event and a summary description of the SCI 
event, and only after responsible SCI personnel have a reasonable basis 
to conclude that a systems disruption or systems compliance issue has 
occurred. Implicit in this requirement is that the disseminated 
information be accurate. Without the dissemination of accurate 
information, the impact on the SCI entity's members or participants or 
the market may be more pronounced because market participants may not 
recognize that an SCI event is occurring, or may mistakenly attribute 
unusual market activity to some other cause.
---------------------------------------------------------------------------

    \962\ See supra Section IV.B.3.a (discussing the triggering 
standard).
    \963\ See Proposing Release, supra note 13, at 18120.
---------------------------------------------------------------------------

    Adopted Rule 1002(c)(1) also requires that required information be 
disseminated ``promptly.'' \964\ Although the Commission agrees that 
SCI entities should not prematurely disseminate information regarding 
an SCI event, lest it be inaccurate, speculative, misleading, or 
otherwise unhelpful, as some commenters were concerned about,\965\ the 
Commission does not agree with the commenter who suggested that 
information dissemination be provided at a time chosen by the SCI 
entity.\966\ The Commission believes that accurate information that is 
timely is more likely to aid a market participant in determining 
whether its trading activity has been or might be impacted by the 
occurrence of an SCI event than accurate information that is delayed. 
However, as compared to Commission notification, which is required to 
be provided immediately after an SCI entity has a reasonable basis to 
conclude that an SCI event has occurred, and which notice may be 
provided orally, dissemination of information to SCI entity members or 
participants is required to be provided promptly. The requirement for 
prompt dissemination, as opposed to immediate dissemination, is 
designed to provide some limited flexibility to an SCI entity to 
determine an efficient way to disseminate information to multiple 
potentially affected members or participants, or all of its members or 
participants, as the case may be, in a timely manner. Likewise, as new 
information becomes
known, immediate updates are not required, but an SCI entity is 
obligated to also disseminate updated information ``promptly'' after it 
is known. The Commission believes that adopted Rule 1002(c)(1) strikes 
an appropriate balance by requiring an SCI entity to disseminate 
specific information about SCI events, but also permits an SCI entity 
to have time to check relevant facts before disseminating that 
information. The Commission therefore believes that adopted Rule 
1002(c)(1) is responsive to comment that the proposed rule would have 
required release of information too soon, before it is determined to be 
credible, or before relevant facts were known.\967\
---------------------------------------------------------------------------

    \964\ The persons to whom the required information about systems 
disruptions and systems compliance issues is to be disseminated are 
specified in Rules 1002(c)(3) and (4).
    \965\ See also supra notes 935-938 and 933 and accompanying 
text.
    \966\ See supra note 942 and accompanying text.
    \967\ See supra notes 935-938 and accompanying text.
---------------------------------------------------------------------------

Rule 1002(c)(2): Information Dissemination for Systems Intrusions
    Adopted Rule 1002(c)(2) requires an SCI entity, promptly after any 
responsible SCI personnel has a reasonable basis to conclude that an 
SCI event that is a systems intrusion has occurred, to disseminate a 
summary description of the systems intrusion, including a description 
of the corrective action taken by the SCI entity and when the systems 
intrusion has been or is expected to be resolved, unless the SCI entity 
determines that dissemination of such information would likely 
compromise the security of the SCI entity's SCI systems or indirect SCI 
systems, or an investigation of the systems intrusion, and documents 
the reasons for such determination. This rule applies to systems 
intrusions that are not de minimis events. In response to commenters 
stating that information about a systems intrusion in many cases will 
be sensitive and raise security concerns, and those urging that the 
dissemination requirement apply only in limited cases,\968\ the 
Commission notes that, although it does not wholly exclude systems 
intrusions from the dissemination requirement, the rule permits a delay 
in dissemination of any information about a systems intrusion if 
dissemination would compromise the security of the SCI entity's SCI 
systems or indirect SCI systems, or an investigation of the systems 
intrusion, and the SCI entity documents the reason for such 
determination.\969\ Adopted Rule 1002(c)(2) also provides that the 
content of the required disclosure for a systems intrusion is less 
detailed than required for other types of SCI events. These provisions 
are unchanged from the SCI Proposal.\970\ As stated in the SCI 
Proposal, the Commission continues to believe that there may be 
circumstances in which the dissemination of information related to a 
systems intrusion should be delayed to avoid compromising the 
investigation or resolution of a systems intrusion.\971\ Also, as 
stated in the SCI Proposal, the affirmative documentation required by 
Rule 1002(c)(2) is important to allow the Commission to ensure that SCI 
entities are not improperly invoking the limited exception provided by 
Rule 1002(c)(2).\972\ This delayed dissemination provision permits an 
SCI entity to delay providing information about an intrusion to its 
members or participants to protect legitimate security concerns. 
However, under Rule 1002(c)(2), if an SCI entity cannot, or can no 
longer, determine that information dissemination as required by Rule 
1002(c)(2) would likely compromise the security of the SCI entity's SCI 
systems or indirect SCI systems, or an investigation of the systems 
intrusion, no delay (or further delay, if applicable) in dissemination 
is permitted.\973\ Pursuant to Rule 1002(c)(2), information about a 
systems intrusion is required to be disseminated eventually, as the 
Commission believes that circumstances permitting a delay (i.e., 
dissemination of information would likely compromise the security of 
the SCI entity's SCI systems or indirect SCI systems, or an 
investigation of the systems intrusion), will not continue 
indefinitely.\974\
---------------------------------------------------------------------------

    \968\ See, e.g., supra notes 953-954 and accompanying text.
    \969\ See Rule 1002(c)(4) (excepting de minimis systems 
intrusions and intrusions into market regulation or market 
surveillance systems from the dissemination requirement) and Rule 
1001(c)(2) (permitting a delay in dissemination).
    \970\ The persons to whom the required information about a 
systems intrusion is to be disseminated (provided the circumstances 
warranting a delay do not apply) is specified in Rules 1002(c)(3) 
and (4).
    \971\ See Proposing Release, supra note 13, at 18120.
    \972\ See id.
    \973\ See id.
    \974\ Some commenters urged modifications to the proposed rule 
that would further circumscribe the proposed dissemination 
requirement for systems intrusions. See, e.g., supra notes 953-954 
and accompanying text (urging that dissemination for systems 
intrusions only be required for affected persons and only if 
material). These comments are addressed in the discussion of adopted 
Rules 1002(c)(3) and (4).
---------------------------------------------------------------------------

Rule 1002(c)(3): To Whom Information Is To Be Disseminated
    Adopted Rule 1002(c)(3) provides that the information required to 
be provided under Rules 1002(c)(1) and (2) promptly after any 
responsible SCI personnel has a reasonable basis to conclude that an 
SCI event has occurred, shall be promptly disseminated by the SCI 
entity to those members or participants of the SCI entity that any 
responsible SCI personnel has reasonably estimated may have been 
affected by the SCI event, and promptly disseminated to any additional 
members or participants that any responsible SCI personnel subsequently 
reasonably estimates may have been affected by the SCI event. The rule 
further requires that, for major SCI events, such information shall be 
disseminated by the SCI entity to all of its members or participants. 
As noted, several commenters urged that an SCI entity be required to 
disseminate information relating to an SCI event only to those members 
or participants affected by the SCI event.\975\ Some suggested that an 
SCI entity have discretion to determine who should receive information 
regarding SCI events,\976\ and one suggested that SCI events warrant 
public disclosure.\977\ Others expressed more general concern that the 
breadth of the proposed dissemination requirement would result in 
over-reporting of information about SCI events because they believed that 
SCI entities would over-report out of an abundance of caution \978\ or 
that SCI entity members and participants would become immunized to 
reports of SCI events and not focus on significant events.\979\
---------------------------------------------------------------------------

    \975\ See supra note 940 and accompanying text.
    \976\ See supra note 942 and accompanying text.
    \977\ See supra notes 932-933 and accompanying text.
    \978\ See supra note 943 and accompanying text.
    \979\ See supra notes 943-944 and accompanying text.
---------------------------------------------------------------------------

    After careful consideration of the comments, the Commission 
believes that, to maximize the utility of information dissemination, a 
more tailored approach to who should receive information about an SCI 
event is warranted, based on an SCI event's impact. Because information 
about an SCI event is likely to be of greatest value to those market 
participants affected by it, who can use such information to evaluate 
the event's impact on their trading and other activities and develop an 
appropriate response, adopted Rule 1002(c)(3) requires prompt 
dissemination to those members or participants of the SCI entity that 
any responsible SCI personnel has reasonably estimated may have been 
affected by the SCI event. With respect to more serious SCI events, 
however, the Commission believes that dissemination to all members or 
participants of an SCI entity is warranted. Accordingly, under adopted 
Regulation SCI, certain SCI events will be defined as ``major SCI 
events.''
    Adopted Rule 1000 defines ``major SCI event'' as ``an SCI event 
that has 
had, or the SCI entity reasonably estimates would have: (1) Any impact 
on a critical SCI system; or (2) a significant impact on the SCI 
entity's operations or on market participants.'' The Commission 
believes that dissemination of information regarding a major SCI event 
to all members or participants of an SCI entity is appropriate because 
major SCI events are likely to impact a large number of market 
participants (e.g., with respect to critical SCI systems, a disruption 
of consolidated market data or the clearance and settlement system, or 
an event significantly impacting the operations of an exchange).\980\ 
As noted, one commenter suggested broadening the proposed rule to 
generally require an SCI entity to reveal dissemination SCI events 
(other than intrusions) to the public at large. This commenter 
expressed the view that public dissemination of the facts of an SCI 
event would help ``enhance investor confidence by presenting the facts 
of the SCI event, preventing speculation and misinformation, and 
informing the public of corrective action being taken'' and would 
``serve as an important collective learning opportunity'' that would 
allow for ``SCI [e]ntities and market participants [to] learn from [the 
event] . . . and build upon their policies and controls as 
appropriate.'' This commenter stated further that such an ``industry 
protocol would help strengthen and enhance the integrity and security 
of our markets.'' \981\ The Commission agrees with this commenter that 
it is appropriate for an SCI entity to present the facts, prevent 
speculation and misinformation, and provide transparency about 
corrective action being taken when the impact of an SCI event is most 
likely to be felt by many market participants (i.e., when it is a major 
SCI event). In the context of a major SCI event, the Commission 
believes these goals can be achieved by requiring an SCI entity to 
disseminate information to all of its members or participants (as 
opposed to the ``public at large''). Moreover, the Commission believes 
it is appropriate to require dissemination of information on major SCI 
events to all of the SCI entity's members or participants because these 
market participants are the most likely to act on this information. 
Based on the experience of the Commission and its staff, when an entity 
disseminates information about a systems issue to all of its members or 
participants (e.g., on the entity's Web site), and that information has 
the potential to affect the market and investors more broadly 
(including market participants that may not be members or participants 
of the SCI entity reporting the event), such information is routinely 
picked up by financial or other media outlets, and also may be relayed 
to market participants for whom such information is relevant (e.g., by 
members or participants of SCI entities to their own clients). 
Therefore, the Commission believes that when information about a 
systems issue with broad potential impact is disseminated to all of an 
SCI entity's members or participants, such dissemination is tantamount 
to public dissemination.\982\ As such, the Commission believes that it 
can achieve the purposes of the rule without requiring public 
dissemination, and believes that any additional gain in benefits from 
public dissemination would be minimal. Rule 1002(c)(3) does not specify 
how an SCI entity is to disseminate information to all of its members 
or participants when required to do so, but the Commission believes 
that posting the information on a Web site accessible to, at a minimum, 
all of its members or participants (for example, on a ``systems status 
alerts'' page) would meet the rule's requirements.\983\
---------------------------------------------------------------------------

    \980\ At the same time, the Commission recognizes that some SCI 
events that meet the definition of ``major SCI event'' could also 
qualify as de minimis SCI events. Like other de minimis SCI events, 
they are excepted from the information dissemination requirement. 
See Rule 1002(c)(4).
    \981\ See supra notes 932-933.
    \982\ The Commission notes that one commenter referred to the 
dissemination provision in the SCI Proposal as the ``public 
dissemination provision of Proposed Reg SCI.'' See NYSE Letter at 
28. See also ICI Letter at 4 and Oppenheimer Letter at 4 (each 
supporting ``transparency of SCI events to members and participants 
of an SCI entity'' but recommending that the Commission only require 
``public dissemination'' where such information enhances investor 
protection).
    \983\ The Commission notes that, irrespective of the medium 
chosen to disseminate information to the SCI entity members or 
participants, the SCI entity would also be required to submit the 
disseminated information to the Commission as part of the report 
submitted pursuant to Rule 1002(b)(4). See supra Section IV.B.3.c.
---------------------------------------------------------------------------

    For an SCI event that is neither a major SCI event nor an event 
identified in Rule 1002(c)(4), however, the information specified in 
Rule 1002(c)(1) or (2), as applicable, is required to be disseminated 
by the SCI entity to those members or participants of the SCI entity 
that any responsible SCI personnel has reasonably estimated may have 
been affected by the SCI event.\984\ The Commission believes that an 
SCI entity is generally in the best position to identify those of its 
members or participants that are or are reasonably likely to be 
affected by such events. Under this approach, as commenters urged, 
members or participants not reasonably estimated to be affected by such 
events will not be the recipients of information likely to be 
irrelevant to them. The Commission believes that SCI entities will be 
able to analyze which members or participants are or reasonably likely 
will be impacted, and the rule requires SCI entities to disseminate 
information to such members or participants. The requirement that 
information is to be disseminated only to those members or participants 
that any responsible SCI personnel has reasonably estimated may have 
been affected by the SCI event (other than a major SCI event or a de 
minimis SCI event) addresses the concern raised by some commenters that 
members and participants will become immunized by receiving irrelevant 
notifications \985\ because, under the adopted approach, members or 
participants should only receive notifications relevant to them.
---------------------------------------------------------------------------

    \984\ In response to the commenter seeking clarification on 
whether the term ``participant'' refers to a formal participant or, 
more broadly speaking, any market participant that interacts with 
the SCI system in question (see supra note 940), for purposes of 
adopted Rule 1002, the term ``participant'' refers to a formal 
participant. The Commission also notes that, with respect to the 
MSRB, the term ``members'' as used in Regulation SCI includes 
entities that are registered with the MSRB, but does not include ``a 
member of the Board,'' which is the definition of ``member'' in MSRB 
Rule D-5.
    \985\ See supra notes 944 and 952 and accompanying text.
---------------------------------------------------------------------------

    Whereas the proposed rule would have required dissemination of 
information about certain SCI events to all SCI entity members and 
participants, the adopted rule requires dissemination only to those 
members and participants reasonably estimated to be affected by an SCI 
event (other than a major SCI event or a de minimis SCI event). Because 
it is possible that an SCI entity's reasonable estimate of members or 
participants affected may change as an SCI event unfolds, the adopted 
rule also requires prompt dissemination of information to newly 
identified members or participants reasonably estimated to be affected 
by an SCI event.\986\ This provision reflects the view that newly 
identified affected members or participants should receive prompt 
dissemination of information about an SCI event, just as those 
originally identified as affected members or participants. Although 
compliance with this requirement may result in an SCI entity 
disseminating information at several different times to 
different members and participants, consistent with commenters' 
suggestions, the Commission believes that this requirement is 
appropriately tailored to result in information dissemination being 
provided to the relevant members or participants of an SCI entity.\987\
---------------------------------------------------------------------------

    \986\ Rule 1002(c)(1) requires that, among other things, the SCI 
entity must disseminate the SCI entity's current assessment of the 
types and number of market participants potentially affected by the 
SCI event, and until resolved, provide regular updates of this and 
any other information required to be disseminated under the rule.
    \987\ The Commission notes that an SCI entity would be in 
compliance with the rule if it disseminated the required information 
to all members or participants, rather than disseminating only to 
those members and participants it reasonably initially estimated to 
be affected by the event (which might require subsequent 
dissemination(s) to additional members or participants if its 
estimate regarding those members or participants that were affected 
by a given SCI event changes over time).
---------------------------------------------------------------------------

    If an SCI event is a de minimis event--i.e., is an SCI event that 
has had, or the SCI entity reasonably estimates would have, no or a de 
minimis impact on the SCI entity's operations or on market 
participants--the adopted rule does not impose any dissemination 
requirement.\988\
---------------------------------------------------------------------------

    \988\ See discussion of adopted Rule 1002(c)(4) below 
(excepting, among other things, de minimis systems SCI events from 
the dissemination requirement). See also supra Section IV.B.3.c 
(discussing Rule 1002(b)(5), which requires that, for de minimis SCI 
events, an SCI entity is required to: (i) Make, keep, and preserve 
records relating to all such SCI events; and (ii) submit to the 
Commission a report, within 30 calendar days after the end of each 
calendar quarter, containing a summary description of such systems 
disruptions and systems intrusions, including the SCI systems and, 
for systems intrusions, indirect SCI systems, affected by such 
systems disruptions and systems intrusions during the applicable 
calendar quarter).
---------------------------------------------------------------------------

Adopted Rule 1002(c)(4): Exceptions to the General Rules on Information 
Dissemination
    Adopted Rule 1002(c)(4) provides that the requirements of Rules 
1002(c)(1)-(3) shall not apply to: (i) SCI events to the extent they 
relate to market regulation or market surveillance systems; or (ii) any 
SCI event that has had, or the SCI entity reasonably estimates would 
have, no or a de minimis impact on the SCI entity's operations or on 
market participants. The Commission has added the exception in adopted 
Rule 1002(c)(4)(i) in response to comments that information should not 
be disseminated regarding disruptions in regulation and surveillance 
systems, because dissemination of such information to an SCI entity's 
members or participants or the public at large could encourage 
prohibited market activity.\989\ The Commission notes that the 
exception for market regulation or market surveillance systems is 
limited to dissemination of information about SCI events related to 
market regulation or market surveillance systems. Information about an 
SCI event that impacts other SCI systems would still be required to be 
disseminated in accordance with Rule 1002(c) even if that same SCI 
event also impacts market regulation or market surveillance systems.
---------------------------------------------------------------------------

    \989\ See supra notes 955-956 and accompanying text.
---------------------------------------------------------------------------

    The exception in Rule 1002(c)(4)(ii) for de minimis SCI events is 
consistent with the Commission's approach to excluding de minimis SCI 
events from the immediate Commission notification requirements in Rule 
1002(b), and is therefore responsive to comment that notification and 
dissemination of systems disruptions were subject to differing 
standards under the proposal,\990\ as well as to the comment that a de 
minimis SCI event should not be subject to dissemination.\991\ With 
respect to the comment that dissemination should only be required for 
material or significant SCI events,\992\ while the Commission is not 
limiting the dissemination requirement as suggested by these 
commenters, the exception for de minimis SCI events is responsive to 
this comment, to an extent. Moreover, the Commission believes that a 
materiality threshold would likely exclude from the information 
dissemination requirement a large number of SCI events that are not de 
minimis SCI events, but that an SCI entity's members or participants 
should be made aware of so that they can quickly assess the nature and 
scope of those SCI events and identify the appropriate response, 
including ways to mitigate the impact of the SCI events. The Commission 
also believes that, even without adopting a materiality threshold, the 
adopted definitions of SCI systems and indirect SCI systems 
significantly focus the scope of the Commission dissemination 
requirements from the SCI Proposal.
---------------------------------------------------------------------------

    \990\ See supra notes 949-950 and accompanying text.
    \991\ See supra notes 947-948 and accompanying text; Section 
IV.B.3.c (discussing Rule 1002(b)) and supra note 988 and 
accompanying text. The Commission notes that, because major SCI 
events are a subset of SCI events, the exception in Rule 
1002(c)(4)(ii) also applies to major SCI events that meet the 
requirements of that rule.
    \992\ See supra note 946 and accompanying text; see also supra 
notes 941 and 944 and accompanying text.
---------------------------------------------------------------------------

    Consistent with its statements in the SCI Proposal, the Commission 
notes that the requirements relating to dissemination of information in 
Regulation SCI relate solely to Regulation SCI.\993\ Nothing in adopted 
Regulation SCI should be construed as superseding, altering, or 
affecting the reporting obligations of SCI entities or their affiliates 
under other federal securities laws or regulations. Accordingly, in the 
case of an SCI event, SCI entities or their affiliates subject to the 
public company reporting requirements of Section 13 or Section 15(d) of 
the Exchange Act would need to comply with their disclosure obligations 
pursuant to those provisions (including, for example, with respect to 
Regulation S-K and Forms 10-K, 10-Q, and 8-K) in addition to their 
disclosure and reporting obligations under Regulation SCI.\994\ In 
addition, the Commission also wishes to highlight that the requirements 
of Rule 1002(c) address to whom and when SCI entities are obligated 
under Regulation SCI to disseminate information. Subject to any 
applicable laws or regulations, SCI entities still retain the 
flexibility to disseminate information--e.g., to their members or 
participants, the public, or market participants that interact with the 
affected SCI systems--at any time they determine to be appropriate.
---------------------------------------------------------------------------

    \993\ See Proposing Release, supra note 13, at 18119, n. 235.
    \994\ As an additional example, nothing in adopted Regulation 
SCI should be construed as superseding any obligations under 
Regulation FD. SCI entities may also wish to consider staff guidance 
on this topic. See CF Disclosure Guidance: Topic No. 2, 
Cybersecurity (October 13, 2011), available at: https://www.sec.gov/divisions/corpfin/guidance/cfguidance-topic2.htm.
---------------------------------------------------------------------------

4. Notification of Systems Changes--Rule 1003(a)
a. Proposed Definition of Material Systems Change, Proposed Rules 
1000(b)(6) and (b)(8)(ii)
    Proposed Rule 1000(a) would have defined the term ``material 
systems change'' as a change to one or more: (1) SCI systems of an SCI 
entity that: (i) Materially affects the existing capacity, integrity, 
resiliency, availability, or security of such systems; (ii) relies upon 
materially new or different technology; (iii) provides a new material 
service or material function; or (iv) otherwise materially affects the 
operations of the SCI entity; or (2) SCI security systems of an SCI 
entity that materially affects the existing security of such systems. 
In the SCI Proposal, the Commission set forth examples that it 
preliminarily believed could be included within the proposed definition 
of material systems change.\995\
---------------------------------------------------------------------------

    \995\ These examples included: Major systems architecture 
changes; reconfiguration of systems that would cause a variation 
greater than five percent in throughput or storage; the introduction 
of new business functions or services; changes to external 
interfaces; changes that could increase susceptibility to major 
outages; changes that could increase risks to data security; changes 
that were, or would be, reported to or referred to the entity's 
board of directors, a body performing a function similar to the 
board of directors, or senior management; and changes that could 
require allocation or use of significant resources. See Proposing 
Release, supra note 13, at 18105-06. These examples were cited in 
the 2001 Staff ARP Interpretive Letter. The Commission also stated 
its preliminary belief that any systems change occurring as a result 
of the discovery of an actual or potential systems compliance issue 
would be material. See id.

---------------------------------------------------------------------------

    Proposed Rule 1000(b)(6)(i) would have required an SCI entity, 
absent exigent circumstances, to notify the Commission in writing at 
least 30 calendar days before implementation of any planned material 
systems changes, including a description of the planned material 
systems changes as well as the expected dates of commencement and 
completion of implementation of such changes. If exigent circumstances 
existed, or if the information previously provided to the Commission 
regarding any planned material systems change had become materially 
inaccurate, proposed Rule 1000(b)(6)(ii) would have required the SCI 
entity to notify the Commission, either orally or in writing, with any 
oral notification to be memorialized within 24 hours after such oral 
notification by a written notification, as early as reasonably 
practicable. A written notification to the Commission made pursuant to 
proposed Rule 1000(b)(6) would have been required to be made 
electronically on Form SCI and include all information as prescribed in 
Form SCI and the instructions thereto.
    Proposed Rule 1000(b)(8)(ii) would have required each SCI entity to 
submit to the Commission a report, within 30 calendar days after the 
end of June and December of each year, containing a summary description 
of the progress of any material systems change during the six month 
period ending on June 30 or December 31, as the case may be, and the 
date, or expected date, of completion of implementation of such 
changes. A written notification to the Commission made pursuant to 
proposed Rule 1000(b)(8)(ii) would have been required to be made 
electronically on Form SCI and include all information as prescribed in 
Form SCI and the instructions thereto.
b. Quarterly and Supplemental Material Systems Change Reports--Rule 
1003(a)
i. Adopted Rule 1003(a)(1): Quarterly Material Systems Change Reports
    Many commenters viewed the proposed 30-day advance notification 
requirement for material systems changes as burdensome.\996\ For 
example, one commenter believed that the Commission significantly 
underestimated the number of material systems changes, and suggested 
that the proposal might require reporting of as many as 60 material 
systems changes per week, rather than that same amount per year, as the 
Commission estimated in the SCI Proposal.\997\ Some commenters stated 
that many SCI entities implement frequent agile modifications rather 
than major episodic or ``waterfall'' changes, and therefore viewed the 
proposed 30-day advance notification requirement as favoring a model 
that employs waterfall changes over agile changes.\998\ Several 
commenters stated more broadly that the proposed requirement would 
mandate constant reporting that would stifle innovation, interfere with 
an SCI entity's natural planning and development process, and 
potentially do more harm than good by curtailing an SCI entity's 
ability to respond to systems issues with appropriate fixes.\999\ 
Several commenters also expressed concern that the burden of reporting 
would incentivize an SCI entity to change its systems less often 
instead of making smaller and more frequent iterative systems 
adjustments, which they believed would be inconsistent with current 
software best practices, curtail innovation, and expose their systems 
to increased risk.\1000\ One commenter questioned the purpose of the 
proposed requirement, stating that the Commission has not presented any 
empirical evidence that major or material technology changes by SCI 
entities are in fact the leading cause of market disruption, and that 
non-material systems changes by SCI entities and non-SCI entities have 
a high likelihood of causing market disruptions, but they are not 
captured by the proposal.\1001\ At the same time, this commenter stated 
that providing 30-day advance notification of these non-material 
systems changes would hamstring SCI entities.\1002\
---------------------------------------------------------------------------

    \996\ See, e.g., NYSE Letter at 26; BATS Letter at 14; ISE 
Letter at 8; BIDS Letter at 14; UBS Letter at 3-4; SIFMA Letter at 
15; ITG Letter at 8 and 13; FIF Letter at 5; MFA Letter at 5-6; CME 
Letter at 11; FINRA Letter at 27; Joint SROs Letter at 7; and OTC 
Markets Letter at 20.
    \997\ See BATS Letter at 14. See also NYSE Letter at 26; and ISE 
Letter at 8 (stating that the proposal would require reporting of 
too many routine changes), and infra discussion of the definition of 
material systems change.
    \998\ See KCG Letter at 19; FIF Letter at 5; UBS Letter at 4; 
and ITG Letter at 8. ``Agile'' software development, which involves 
smaller, more frequent changes in software code, is contrasted with 
the ``waterfall'' methodology, which involves larger, episodic 
software overhauls.
    \999\ See KCG Letter at 19; FIF Letter at 5; UBS Letter at 4; 
BATS Letter at 14; and ITG Letter at 8. See also SunGard Letter at 
3.
    \1000\ See KCG Letter at 19; FIF Letter at 5; UBS Letter at 4; 
BATS Letter at 14; and ITG Letter at 8. See also SIFMA Letter at 16.
    \1001\ See SunGard Letter at 3.
    \1002\ See id.
---------------------------------------------------------------------------

    Some commenters also noted that Regulation ATS already requires an 
ATS to report material changes to the operation of the ATS at least 20 
calendar days prior to their implementation.\1003\ One of these 
commenters noted that it is common for an ATS to finalize the systems 
specifications for a change close to when the ATS wants to go live with 
the change, but the ATS must wait 20 days before implementation, and 
occasionally the questions from Commission staff can further delay 
implementation.\1004\ This commenter expressed concern that Regulation 
SCI would lengthen the notification requirement to 30 calendar days and 
broaden the requirement to include any significant systems change, not 
just a material change to the operation of the ATS.\1005\
---------------------------------------------------------------------------

    \1003\ See BIDS Letter at 14; and ITG Letter at 8.
    \1004\ See ITG Letter at 8.
    \1005\ See id.
---------------------------------------------------------------------------

    The Commission continues to believe that it is important to receive 
notifications of planned and implemented material changes to SCI 
systems or the security of indirect SCI systems in connection with its 
oversight of U.S. securities market infrastructure.\1006\ However, 
after considering the views of commenters regarding the 30-day advance 
notification requirement, the Commission is instead adopting a 
quarterly reporting requirement, which will permit the Commission and 
its staff to have up-to-date information regarding an SCI entity's 
systems development progress and plans, to aid in understanding the 
operations and functionality of the systems and any material changes 
thereto, without requiring SCI entities to submit a notification to the 
Commission for each 
material systems change.\1007\ Specifically, Rule 1003(a)(1) requires 
an SCI entity, within 30 calendar days after the end of each calendar 
quarter, to submit to the Commission a report describing completed, 
ongoing, and planned material systems changes to its SCI systems and 
security of indirect SCI systems, during the prior, current, and 
subsequent calendar quarters, including the dates or expected dates of 
commencement and completion.\1008\
---------------------------------------------------------------------------

    \1006\ See Proposing Release, supra note 13, at 18122, 18144. As 
noted above, one commenter argued that the Commission has not 
presented any empirical evidence that major or material technology 
changes by SCI entities are in fact the leading cause of market 
disruption, and that non-material systems changes have a high 
likelihood of causing market disruptions. See supra note 1001 and 
accompanying text. The Commission notes that the primary purpose of 
Rule 1003(a) is not to prevent market disruptions. Rather, it is to 
keep the Commission and its staff informed of the systems changes 
that SCI entities determine to be material, which will assist the 
Commission with its oversight of U.S. securities market 
infrastructure. While the Commission acknowledges that non-material 
systems changes could cause market disruptions, the Commission 
agrees with this commenter that requiring Commission notification of 
all systems changes would be burdensome. See supra note 1002 and 
accompanying text (noting this commenter's view that providing 
30-day advance notification of non-material systems changes would 
hamstring SCI entities).
    \1007\ As discussed in more detail below, the Commission is also 
not adopting the proposed definition of material systems change or 
the proposed semi-annual reporting requirement.
    \1008\ Using the quarter ending December 31, 2014 as an example, 
an SCI entity would be required to submit a report by January 30, 
2015 (i.e., within 30 calendar days after December 31, 2014) that 
describes material systems changes that the SCI entity has made 
(including the dates when those changes commenced and were 
completed), is currently implementing (including the dates when 
those changes commenced and are expected to be completed), and plans 
to make (including the dates those changes are expected to commence 
and complete) for the period from October 1, 2014 (the beginning of 
the prior calendar quarter) through June 30, 2015 (the end of the 
subsequent calendar quarter). The next report that corresponds to 
the quarter ending March 31, 2015 would be required to be submitted 
by April 30, 2015. As discussed in more detail below, Rule 
1003(a)(2) requires an SCI entity to promptly submit a supplemental 
report notifying the Commission of a material error in or material 
omission from a report previously submitted under Rule 1003(a)(1).
---------------------------------------------------------------------------

    The Commission believes that elimination of the 30-day advance 
notification requirement for material systems changes is responsive to 
commenters who were concerned that the proposed approach was unsuited 
to the agile systems development methodology that some SCI entities use 
today. In particular, an SCI entity will have the ability to implement 
material systems changes without having to individually report each 
material systems change to the Commission 30 days in advance, which 
commenters noted could lead SCI entities to favor the waterfall 
methodology of systems changes over the agile methodology.\1009\ The 
Commission also believes that the adopted quarterly reporting 
requirement provides more flexibility to SCI entities with respect to 
the timing of implementing material systems changes. In particular, SCI 
entities will not be required to wait 30 calendar days after notifying 
the Commission in order to implement a material systems change. 
Therefore, the adopted rule is responsive to commenters who stated that 
the proposed rule would stifle innovation, interfere with an entity's 
planning and development process, and expose SCI entities' systems to 
risk. Moreover, the Commission believes that elimination of the 
proposed 30-day advance notification requirement is responsive to 
commenters' concern that ATSs are already required to report material 
changes to the operation of the ATSs at least 20 calendar days prior to 
implementation, and that proposed Regulation SCI would extend the 
advance notification period to 30 calendar days.\1010\
---------------------------------------------------------------------------

    \1009\ At the same time, because systems changes utilizing the 
waterfall methodology are often planned well in advance, these 
systems changes would generally be included in the quarterly report, 
as Rule 1003(a) requires the quarterly report to describe, among 
other things, planned material systems changes during the subsequent 
calendar quarter. However, this requirement of Rule 1003(a) is not 
limited to planned material systems changes utilizing the waterfall 
methodology, but also would apply to planned material systems 
changes utilizing other development methodologies, including the 
agile methodology.
    \1010\ The Commission notes that the adoption of Rule 1003(a) 
does not affect an SCI ATS's existing obligation under Rule 
301(b)(2)(ii) of Regulation ATS to file amendments on Form ATS at 
least 20 calendar days prior to implementing a material change to the 
operation of the ATS. Therefore, with respect to a material systems 
change, an SCI ATS may be required to describe such change in a 
quarterly report under Rule 1003(a) and submit an amendment to Form 
ATS.
---------------------------------------------------------------------------

    The Commission also believes that adopting the quarterly reporting 
requirement instead of the 30-day advance notification requirement 
lessens SCI entities' burden of compliance as compared to the 
proposal.\1011\ For example, rather than submitting a Form SCI for each 
material systems change, an SCI entity is now required to submit four 
reports each year pursuant to Rule 1003(a)(1) and, as applicable, 
supplemental reports pursuant to Rule 1003(a)(2). To the extent certain 
material systems changes are related or similar, an SCI entity will not 
be required to separately notify the Commission of each change. 
Instead, the SCI entity can describe such related changes within the 
single quarterly report. The Commission also believes that this 
quarterly report process will provide the Commission and its staff with 
a more efficient framework to review material systems changes that are 
described in the larger context afforded by such periodic reports, 
rather than parsing every submission that reports a material systems 
change.\1012\
---------------------------------------------------------------------------

    \1011\ See supra notes 996-997 and accompanying text.
    \1012\ The Commission acknowledges that some systems changes 
deployed by an SCI entity may not by themselves be considered 
material by the SCI entity, but that, in the aggregate, can be 
considered material by the SCI entity (e.g., making a series of 
small systems changes over time in order to implement a broad 
systems change). The Commission believes that the adopted quarterly 
reporting requirement is better suited to capture such changes than 
the proposed 30-day advance notification requirement (i.e., 30-day 
advance notification for each single systems change that is by 
itself considered material by the SCI entity).
---------------------------------------------------------------------------

    One commenter expressed concern that the proposed exception for 
exigent circumstances was too narrow.\1013\ Because adopted Rule 
1003(a)(1) requires quarterly reports of material systems changes 
rather than 30-day advance notification of each material systems 
change, the Commission is not adopting the proposed ``exigent 
circumstances'' exception. Specifically, the Commission notes that the 
purpose of the exception was to accommodate situations where it would 
not be prudent or desirable for an SCI entity to delay a systems change 
simply to provide 30-day advance notification of the change. At the 
same time, the Commission notes that, because Rule 1003(a)(1) requires 
in part a description of completed, ongoing, and planned material 
systems changes during the prior and current calendar quarters, an SCI 
entity's quarterly report will be required to include a description of 
all material changes to its SCI systems or the security of its indirect 
SCI systems, including those that have been implemented in response to 
exigent circumstances during the prior and current calendar quarters.
---------------------------------------------------------------------------

    \1013\ See BATS Letter at 15.
---------------------------------------------------------------------------

    Several commenters suggested possible alternatives to the proposed 
requirements related to material systems changes. Some commenters 
suggested eliminating the proposed advance notification requirement for 
material systems changes.\1014\ One of these commenters explained that 
information regarding material systems changes would be available to 
the Commission during an inspection, but stated that, if an advance 
notification requirement is adopted, it should be folded into the 
proposed semi-annual reporting requirement.\1015\ Another commenter 
similarly urged that the Commission require only semi-annual reporting 
of material systems changes, as proposed in Rule 1000(b)(8).\1016\ One 
commenter supported the reporting of material systems changes in the 
annual SCI review report.\1017\ One commenter believed that information 
related to systems changes should be reported periodically.\1018\ 
Another commenter noted that if the Commission retains the 30-day 
advance notification requirement, it should be limited to material 
systems changes of only higher priority SCI systems and that 
notifications of changes to lower criticality systems could be provided 
at the time of the change or periodically.\1019\
---------------------------------------------------------------------------

    \1014\ See MFA Letter at 7 and ITG Letter at 13-14. See also 
Joint SROs Letter at 8 (stating that material systems changes should 
be reported on a periodic, post-hoc basis, as was required under 
ARP).
    \1015\ See MFA Letter at 7.
    \1016\ See Direct Edge Letter at 8.
    \1017\ See CME Letter at 11.
    \1018\ See NYSE Letter at 27.
    \1019\ See SIFMA Letter at 15.
---------------------------------------------------------------------------

    Some commenters suggested that the Commission provide more 
flexibility and allow SCI entities more time to report material systems 
changes.\1020\ One commenter supported giving SCI entities discretion 
to determine the appropriate timing and format for reporting changes to 
the Commission, and stated that the current practice under ARP to 
submit quarterly reports that cover changes for the previous and 
upcoming quarters has proven effective in keeping the Commission staff 
apprised of planned and completed systems changes.\1021\
---------------------------------------------------------------------------

    \1020\ See NYSE Letter at 27; FINRA Letter at 27; and MSRB 
Letter at 22. See also CME Letter at 11 (stating ``instead of 
setting firm time limits under which an entity is required to submit 
notifications of material systems changes under Rule 1000(b)(6), the 
Commission should instead simply require `timely advance notice of 
all material planned changes to SCI systems that may impact the 
reliability, security, or adequate scalable capacity of such 
systems''').
    \1021\ See FINRA Letter at 27.
---------------------------------------------------------------------------

    One commenter suggested that SCI entities be required to keep 
records of all systems changes and technical issues, and make that 
information available to the Commission upon request.\1022\ If the 
Commission decides to retain the notification requirement, this 
commenter recommended that it be satisfied through periodic (ideally, 
quarterly) reporting of material systems changes.\1023\ One commenter 
believed the Commission should allow all 30-day advance notifications 
regarding pending material systems changes to be communicated orally, 
and only submitted in writing after development and testing is 
completed and the feature is finalized.\1024\
---------------------------------------------------------------------------

    \1022\ See OTC Markets Letter at 20.
    \1023\ See id. This commenter also noted that this would allow 
for the elimination of proposed Rule 1000(b)(6)(ii), which required 
notices for material inaccuracies in prior notifications. See OTC 
Markets Letter at 20-22. According to this commenter, quarterly 
updates would disclose material deviations from plans described in a 
previous report, whether stemming from inaccuracies in prior reports 
or new information that prompts beneficial deviations from a systems 
implementation plan. See id.
    \1024\ See Omgeo Letter at 22.
---------------------------------------------------------------------------

    The Commission believes that the adopted quarterly reporting 
requirement is responsive to commenters who requested additional 
flexibility or time for material systems change notifications, as well 
as to commenters who suggested that such notices be submitted on a 
periodic or quarterly basis.\1025\ The Commission does not agree with 
the commenters who suggested that the Commission completely eliminate 
the advance notification requirements. The Commission believes that 
advance notifications of planned material systems changes will help 
ensure that the Commission has up-to-date information regarding 
important future systems changes at an SCI entity, to aid in its 
understanding of the operations and functionality of the systems post-
change.\1026\ As adopted, Rule 1003(a)(1) requires an SCI entity to 
provide the Commission with advance notification of planned material 
systems changes in the current and subsequent quarters through the 
quarterly reports. As noted above, after considering the views of 
commenters, the Commission is not adopting the proposed 30-day advance 
notification requirement for each material systems change.
---------------------------------------------------------------------------

    \1025\ Because the Commission is only adopting a quarterly 
reporting requirement for material systems changes, the adopted 
approach is responsive to a commenter's suggestion that 
notifications of changes to lower criticality systems could be 
provided at the time of the change or periodically. See supra note 
1019 and accompanying text.
    \1026\ The Commission acknowledges that there may occasionally 
be unexpected material systems changes that are not reported to the 
Commission in advance, but expects that material systems changes 
generally will be planned well in advance and reported in the 
quarterly report accordingly.
---------------------------------------------------------------------------

    The Commission is also not adopting commenters' suggestion that 
material systems changes be reported semi-annually or annually.\1027\ 
As noted in the SCI Proposal, proposed Rule 1000(b)(8)(ii) required 
semi-annual reports because the proposal would have separately required 
information relating to each planned material systems change to be 
submitted at least 30 calendar days before its implementation.\1028\ 
Thus, in the SCI Proposal, the Commission stated its preliminary view 
that requiring ongoing summary reports more frequently would not be 
necessary.\1029\ At the same time, the Commission expressed the concern 
that a longer period of time would permit significant updates and 
milestones relating to systems changes to occur without notice to the 
Commission.\1030\ Because the Commission is not adopting the 30-day 
advance notification requirement, the Commission believes that it is 
appropriate to require more frequent reports of material systems 
changes than on a semi-annual basis. Further, as noted above, some 
commenters suggested quarterly reports, which is consistent with the 
practice of some entities under the ARP Inspection Program.\1031\
---------------------------------------------------------------------------

    \1027\ See supra notes 1015-1017 and accompanying text.
    \1028\ See Proposing Release, supra note 13, at 18124.
    \1029\ See id.
    \1030\ See id.
    \1031\ See supra notes 1021, 1023 and accompanying text.
---------------------------------------------------------------------------

    The Commission does not agree with the commenter who suggested that 
Regulation SCI should only require SCI entities to keep records of all 
systems changes and make that information available to the Commission 
upon request.\1032\ Similarly, the Commission does not agree with 
commenters who suggested that SCI entities be given discretion to 
determine the timing of the reports.\1033\ The Commission believes that 
quarterly reporting of material systems changes will help ensure that 
the Commission has, on an ongoing basis, a comprehensive view and up-
to-date information regarding material systems changes at an SCI 
entity.
---------------------------------------------------------------------------

    \1032\ See supra note 1022 and accompanying text. As discussed 
above, this commenter also stated that, if the Commission decides to 
retain the notification requirement for material systems changes, 
the Commission should require periodic (ideally, quarterly) 
reporting. See supra note 1023 and accompanying text. Adopted Rule 
1003(a)(1) is consistent with this commenter's alternative 
suggestion.
    \1033\ See supra note 1021 and accompanying text. See also supra 
note 1020.
---------------------------------------------------------------------------

    With respect to the commenter who suggested that all 30-day advance 
material systems change notifications should be provided orally, and 
submitted in writing only after the changes are fully tested and 
implemented,\1034\ the Commission notes that it is not adopting the 
proposed 30-day advance notification requirement for material systems 
changes.
---------------------------------------------------------------------------

    \1034\ See supra note 1024 and accompanying text.
---------------------------------------------------------------------------

    With respect to the commenter who suggested giving SCI entities 
discretion to determine the format for reporting changes to the 
Commission,\1035\ the Commission notes that Rule 1003(a) does not 
prescribe a specific style that the quarterly reports should take. The 
Commission intends for the quarterly report to allow the Commission and 
its staff to gain a sufficient level of understanding of the material 
systems changes that have been implemented, are on-going, and are 
planned for the future, which would aid the Commission and its staff in 
understanding the operations and functionality of the systems of an SCI 
entity and any changes to such systems. In particular, the Commission 
notes that Rule 1003(a)(1) only specifically requires the quarterly 
reports to ``describe'' the material systems changes and the dates or 
expected dates of their commencement and completion. Therefore, Rule 
1003(a)(1) gives each 
SCI entity reasonable flexibility in determining precisely how to 
describe its material systems changes in the report in a manner that 
best suits the needs of that SCI entity as well as the needs of the 
Commission and its staff.\1036\ In addition, to the extent the 
Commission seeks additional information about a given change noted in a 
quarterly report, an SCI entity would be required to provide Commission 
staff with such information in accordance with Rule 1005 (Recordkeeping 
Requirements Related to Compliance with Regulation SCI).\1037\
---------------------------------------------------------------------------

    \1035\ See supra note 1021 and accompanying text.
    \1036\ See also Omgeo Letter at 43 (requesting that the 
Commission specify in the final rule the required content for a 
planned material systems change notification).
    \1037\ See infra Section IV.C.
---------------------------------------------------------------------------

    The Commission also notes that the quarterly reports are required 
to include descriptions of material systems changes during the prior 
calendar quarter that were completed, ongoing, or planned. Therefore, 
if a report for the first quarter of a given year discusses the SCI 
entity's plan to implement a particular series of material changes to 
an SCI system, Rule 1003(a)(1) requires that, in the report for the 
second quarter of that year, the SCI entity describe the material 
systems changes that were completed, ongoing, and planned in the first 
quarter, including the planned changes discussed in the prior quarter's 
report, as applicable.
    Several commenters expressed concern that the proposed 30-day 
advance notification requirement would potentially give the Commission 
new authority to ``reject'' a Form SCI filing describing material 
systems changes, similar to the way the Commission may reject an 
improperly filed proposed rule change pursuant to Rule 19b-4 under the 
Exchange Act.\1038\ Three commenters requested that the Commission 
clarify how proposed Rule 1000(b)(6) would relate to Rule 19b-4, 
suggesting that there may be unnecessary redundancy between the two 
processes.\1039\ Another commenter suggested limiting the types of 
changes that would require 30-day advance notification to those changes 
that are already required to be filed with the Commission as proposed 
rule changes for immediate effectiveness under Section 19(b)(3)(A) of 
the Exchange Act (excluding those filings that would not become 
operative for 30 days after the date of the filing because those 
filings would already provide the Commission with 30 days' advance 
notification of the material systems changes).\1040\ This commenter 
also noted that where a material systems change would be filed for 
approval under Section 19(b)(2) of the Exchange Act, the Section 
19(b)(2) approval process provides the Commission sufficient 
notification of the systems change.\1041\ One commenter stated that 
proposed Rule 1000(b)(6) was improperly premised on the notion that the 
Commission should be responsible for a minutely-detailed understanding 
of the IT infrastructure of SCI entities and for assessing prospective 
changes in advance of their implementation.\1042\
---------------------------------------------------------------------------

    \1038\ See Omgeo Letter at 23; and SIFMA Letter at 16. See 
Section 19(b) of the Exchange Act, 15 U.S.C. 78s(b).
    \1039\ See KCG Letter at 19; Joint SROs Letter at 8; and FIF 
Letter at 5.
    \1040\ See MSRB Letter at 22.
    \1041\ See MSRB Letter at 22. This commenter also suggested that 
material systems changes (other than those filed pursuant to Rule 
19b-4 under the Exchange Act) be reported semi-annually, or that de 
minimis changes be excepted from the notice requirement altogether 
if the Commission continues to require 30-day advance notification. 
See MSRB Letter at 22-23. As discussed above, the Commission is 
adopting a quarterly reporting requirement for systems changes that 
an SCI entity determines to be material.
    \1042\ See Direct Edge Letter at 1, 8. See also ITG Letter at 
13-14 (stating that the Exchange Act does not enable the Commission 
to ``bootstrap its SRO rule review authority or its national market 
system authority to force regulated entities to submit upcoming 
material systems changes for agency approval'' and that ``the 
Commission need only receive notifications when they are a 
significant part of proposed rule changes by SROs or amendments to 
Form ATS of material changes to the operation of the ATS'').
---------------------------------------------------------------------------

    The Commission disagrees with commenters who believed that material 
systems change reports are redundant given the rule filing requirements 
of Rule 19b-4 under the Exchange Act, or that material systems change 
reports should not be required if the SCI entity submitted certain 
types of rule filings regarding the same change.\1043\ The Commission 
acknowledges that some systems changes require proposed rule changes 
under Rule 19b-4, and some Rule 19b-4 proposed rule changes result in 
systems changes. However, based on Commission staff's experience with 
the ARP Inspection Program and the rule filing process, the Commission 
believes that the type of information regarding systems changes 
included in rule filings is different from the type of information that 
will be included in reports on material systems changes. In particular, 
the technical details or specifications of SCI systems and indirect SCI 
systems are generally not specifically set forth in the rules of an SCI 
SRO. Therefore, technical information regarding systems changes is 
usually not set forth in rule filings. In addition, the Commission 
notes that the rule filing process and the material systems change 
reports serve different purposes. In particular, the material systems 
change reports are intended to inform the Commission and its staff of 
important technical changes to an SCI entity's systems. On the other 
hand, the rule filing process provides notice of changes to an SCI 
entity's rules, including, for example, the statutory basis for such 
changes, and in some cases seeks approval by the Commission of the rule 
changes. Therefore, if an SCI SRO submits a rule filing regarding a 
particular systems change and the change is also included in a material 
systems change report, the information included in the rule filing may 
not necessarily further the goal of the material systems change 
reporting requirement, and the information included in the material 
systems change report may not necessarily assist in the Commission's 
review of the rule filing. Moreover, commenters' concern regarding the 
redundancy between the rule filing process and the material systems 
change reports stemmed from concerns regarding the 30-day advance 
notification requirement. As discussed above, the Commission is not 
adopting a 30-day advance notification requirement.
---------------------------------------------------------------------------

    \1043\ See supra notes 1039-1041 and accompanying text. The 
Commission notes that the requirement under Regulation SCI to submit 
reports of material systems changes does not alter an SRO's 
obligation to file proposed rule changes, the obligation of 
participants of an SCI Plan to file a proposed amendment to such SCI 
Plan, or any other obligation any SCI entity may have under the 
Exchange Act or rules thereunder.
---------------------------------------------------------------------------

    The Commission also reiterates that the material systems change 
reports are intended to inform the Commission and its staff of such 
changes and help the Commission in its oversight of U.S. securities 
market infrastructure. Regulation SCI does not provide for a new 
approval process for SCI entities' material systems changes. As such, 
Commission staff will not use material systems change reports to 
require any approval of prospective systems changes in advance of their 
implementation pursuant to any provision of Regulation SCI,\1044\ or to 
delay implementation of material systems changes pursuant to any 
provision of Regulation SCI.\1045\
---------------------------------------------------------------------------

    \1044\ See supra note 1042 and accompanying text.
    \1045\ See supra note 1038 and accompanying text.
---------------------------------------------------------------------------

    Three commenters questioned the Commission's legal authority to 
adopt the proposed material systems change notification requirements, 
including, in particular, those set forth in proposed Rule 
1000(b)(6).\1046\ For the reasons 
discussed above in Section IV.B.3.c, the Commission disagrees with 
these comments and believes that adopted Rule 1003(a) will assist the 
Commission in its oversight of U.S. securities market infrastructure 
consistent with its legal authority under the Exchange Act.
---------------------------------------------------------------------------

    \1046\ See NYSE Letter at 4 (stating the belief that 
``[a]uthority to facilitate a national market or assure economically 
efficient execution of securities transaction is remote from close, 
minute regulation of computer systems and computer security''); ITG 
Letter at 13 (stating the belief that the proposed notification 
requirement for material systems changes ``would extend the SEC's 
reach far beyond that of a securities regulator and instead enable 
it to regulate the IT process of marketplace participants'' and that 
the Exchange Act does not enable the Commission to ``bootstrap its 
SRO rule review authority or its national market system authority to 
force regulated entities to submit upcoming material systems changes 
for agency approval''); and KCG Letter at 19 (stating the belief 
that ``[t]he Commission does not have authority to stop 
implementation of systems changes by ATSs or systems changes that 
exchanges are not required to submit under Section 19(b) of the 
Exchange Act'').
---------------------------------------------------------------------------

    In light of the 30-day advance notification requirement in proposed 
Rule 1000(b)(6), some commenters suggested eliminating the semi-annual 
reporting requirement in proposed Rule 1000(b)(8)(ii) because they 
considered it duplicative and unnecessary.\1047\ One commenter believed 
that the required semi-annual reporting requirement was excessive and 
should instead be incorporated into the annual reporting obligations in 
proposed Rule 1000(b)(8)(i).\1048\ As discussed above, the Commission 
is adopting a quarterly reporting requirement under Rule 1003(a)(1) and 
is not adopting the proposed 30-day advance notification requirement. 
Therefore, the Commission is not adopting the requirement in proposed 
Rule 1000(b)(8)(ii) for semi-annual progress reports.
---------------------------------------------------------------------------

    \1047\ See Omgeo Letter at 24-25; and OCC Letter at 16.
    \1048\ See CME Letter at 11.
---------------------------------------------------------------------------

ii. Definition of Material Systems Change
    Commenters generally opposed the proposed definition of material 
systems change. Many commenters stated their belief that the term was 
too broad and would therefore necessitate an excessive number of 
notifications of material systems changes.\1049\ Some commenters 
believed that the definition should be revised and offered a variety of 
suggestions.\1050\ Several commenters advocated for creating a risk-
based definition whereby, for example, notifications are only required 
for those material systems changes that pose a risk to critical 
operations of an entity.\1051\ One commenter suggested that the 
requirement focus on SCI systems only.\1052\ One commenter stated that 
SCI entities should be afforded flexibility to establish reasonable 
standards for defining material systems changes for their 
systems.\1053\
---------------------------------------------------------------------------

    \1049\ See, e.g., BATS Letter at 14; MFA Letter at 6; ICI Letter 
at 4; BIDS Letter at 14; Liquidnet Letter at 3; FINRA Letter at 24-
26; MSRB Letter at 22; NYSE Letter at 26-27; Joint SROs Letter at 7; 
CME Letter at 5; Oppenheimer Letter at 3; OTC Markets Letter at 20-
21; and Direct Edge Letter at 3.
    \1050\ See, e.g., BATS Letter at 14-15 (recommending that only 
those material systems changes that are reported to an SCI entity's 
board of directors or similar body should be required to be reported 
to the Commission, which BATS stated is the standard it uses 
currently for the ARP Inspection Program); OCC Letter at 15 (stating 
that the reporting of systems changes to the board of directors, or 
to a similar governing body, is a more appropriate standard for 
determining materiality than reporting to ``senior management''); 
BIDS Letter at 14-15 (stating its belief that the Commission should 
define a ``material systems change'' to be a large-scale 
architectural upgrade, the implementation of industry-wide rules or 
other market structure changes, or other technology changes that may 
be required because of changes in trading rules defined in the 
exchange's or the ATS's trading rule book); and FIF Letter at 5 
(recommending that the term be defined to include significant 
functional enhancements, major technology infrastructure changes, or 
changes requiring member/participant notifications).
    \1051\ See, e.g., OCC Letter at 15; DTCC Letter at 16; Liquidnet 
Letter at 3; MFA Letter at 6; ICI Letter at 4; CME Letter at 5; and 
Direct Edge Letter at 4.
    \1052\ See NYSE Letter at 27.
    \1053\ See FINRA Letter at 27.
---------------------------------------------------------------------------

    Several commenters sought guidance from the Commission on the 
materiality threshold, which commenters believed was unclear, 
explaining, for example, that the term ``material'' appears both in the 
term ``material systems change'' and in the definition of that 
term.\1054\ Similarly, several commenters requested that the Commission 
provide more guidance on the meaning of ``material'' in the context of 
systems changes because, although the wording of the proposed 
definition contained the concept of ``materiality,'' the commenters 
believed some of the examples provided in the SCI Proposal to be non-
material.\1055\ One commenter asked that the Commission clearly define 
what types of systems changes are not subject to the prior notification 
requirement in order to avoid receiving notices of all systems changes, 
material or otherwise.\1056\ One commenter asked that the Commission 
clarify the meaning of ``material'' and confirm that prior notification 
would not be required for changes that do not pertain to the production 
environment.\1057\
---------------------------------------------------------------------------

    \1054\ See Direct Edge Letter at 3-4; OCC Letter at 15; and NYSE 
Letter at 26.
    \1055\ See, e.g., Joint SROs Letter at 7; DTCC Letter at 15-16; 
Omgeo Letter at 23; OCC Letter at 15; FINRA Letter at 27; OTC 
Markets Letter at 20-21; BIDS Letter at 14; Direct Edge Letter at 3-
4; and ISE Letter at 8. See also supra note 1050.
    \1056\ See KCG Letter at 20.
    \1057\ See SIFMA Letter at 15-16.
---------------------------------------------------------------------------

    Rather than adopting a detailed definition of material systems 
change as proposed, Rule 1003(a)(1) requires an SCI entity to establish 
reasonable written criteria for identifying a change to its SCI systems 
and the security of indirect SCI systems as material and to report to 
the Commission those changes the SCI entity identified as material in 
accordance with such criteria. This change is responsive to a 
commenter's suggestion that SCI entities should be granted flexibility 
to establish reasonable standards for determining whether a systems 
change is material. In addition, the Commission does not believe that 
it is appropriate to adopt a precise definition for the term ``material 
systems change'' because SCI entities differ in nature, size, 
technology, business model, and other aspects of their businesses. The 
Commission notes that there currently is no industry definition of 
``material systems change'' that is applicable to all SCI entities that 
can serve as the basis for a precise definition of the term ``material 
systems change'' in Regulation SCI, and believes that whether a systems 
change is material is dependent on the facts and circumstances, such as 
the reason for the change and how it may impact operations. Moreover, 
requiring SCI entities to establish their own reasonable criteria for 
identifying material systems changes reflects the Commission's view 
that an SCI entity is in the best position to determine, in the first 
instance, whether a change, or series of changes, is material in the 
context of its systems. Because adopted Rule 1003(a)(1) allows each SCI 
entity to identify material systems changes, it is responsive to 
commenters' concern that the proposed definition was too broad and 
would result in an excessive number of notifications, and to 
commenters' suggestion that the definition should be revised.
    Further, the Commission's determination to not adopt the proposed 
definition of material systems change mitigates commenters' concern 
that the proposed definition was unclear. In particular, by eliminating 
the proposed definition of material systems change, the Commission 
seeks to eliminate the confusion caused by the proposed definition of 
this term, which contained the word ``material.'' Moreover, some 
commenters requested additional clarity on the definition of material 
systems change because they believed that some of the examples the 
Commission provided in the SCI Proposal were not material systems 
changes. Because adopted Rule 1003(a)(1) requires SCI entities to 
establish reasonable written criteria for identifying material systems 
changes, SCI entities will not be required to identify material systems 
changes in accordance with the detailed definition and examples from 
the SCI

[[Page 72342]]

Proposal. Rather, an SCI entity will have reasonable discretion in 
establishing the written criteria in order to capture the systems 
changes that it believes are material. Specifically, the Commission 
believes that adopted Rule 1003(a) is sufficiently flexible to allow 
each SCI entity to identify changes that it believes are material, 
which may include some of the suggestions identified by the commenters 
if an SCI entity determines such changes to be appropriate to include 
in its criteria for identifying material systems changes. For example, 
if an SCI entity reasonably believes that its systems changes are 
material if they involve significant functional enhancements, major 
technology infrastructure changes, or changes requiring member/
participant notifications, and such criteria are set forth in the SCI 
entity's reasonable written criteria, the SCI entity may identify 
material systems changes in accordance with such written criteria. 
Likewise, if an SCI entity reasonably believes that some of the 
examples of material systems changes identified in the SCI Proposal can 
appropriately serve as criteria for identifying material systems 
changes, and such criteria are set forth in the SCI entity's reasonable 
written criteria, the SCI entity may identify material systems changes 
in accordance with such written criteria.
    In response to a commenter's suggestion that the Commission clearly 
define what types of systems changes are not subject to the prior 
notification requirement in order to avoid notification of all systems 
changes, material or otherwise, the Commission notes that Rule 
1003(a)(1) specifically requires SCI entities to identify material 
systems changes and report only material systems changes. With respect 
to a commenter's question regarding whether prior notification would be 
required for changes that do not pertain to the production environment, 
the Commission notes that SCI systems do not include development and 
testing systems, although indirect SCI systems could include 
development and testing systems if they are not walled-off from SCI 
systems. Therefore, Rule 1003(a) could apply to material changes to the 
security of development and testing systems that are not walled-off 
from SCI systems. Finally, with respect to a commenter's suggestion 
that Rule 1003(a) focus only on SCI systems, the Commission believes 
that notifications of material systems changes regarding the security 
of indirect SCI systems is important to the Commission's oversight of 
U.S. securities market infrastructure. At the same time, the Commission 
notes that Rule 1003(a)(1) provides that each SCI entity establish its 
own reasonable criteria for identifying a change to the security of its 
indirect SCI systems as material. Therefore, to the extent that an SCI 
entity determines that certain changes to the security of its indirect 
SCI systems are not material in accordance with its reasonable written 
criteria, such changes are not required to be reported to the 
Commission.
    As with an SCI entity's other policies and procedures under 
Regulation SCI, Commission staff may review an SCI entity's established 
criteria relating to the materiality of a systems change (e.g., in the 
course of an examination) to determine whether it agrees with the SCI 
entity's assessment that such criteria are reasonable and in compliance 
with the requirements of Rule 1003(a). The Commission believes that, by 
providing SCI entities flexibility in establishing the criteria and 
reviewing SCI entities' established criteria, it strikes the proper 
balance between granting discretion to SCI entities and ensuring that 
SCI entities carry out their obligations under Regulation SCI.
iii. Adopted Rule 1003(a)(2): Supplemental Material Systems Change 
Reports
    A commenter who advocated for a quarterly reporting requirement 
noted that quarterly updates would disclose material deviations from 
plans described in a previous report, including those stemming from 
inaccuracies in prior reports.\1058\ Another commenter similarly noted 
that periodic reporting of any inaccuracies is sufficient for oversight 
purposes.\1059\ The Commission believes that there may be circumstances 
in which an SCI entity realizes that information previously provided to 
the Commission in a quarterly report was materially inaccurate or that 
the quarterly report omitted material information. The Commission 
believes that it should, on an ongoing basis, have complete and correct 
information regarding material systems changes at an SCI entity, rather 
than waiting until the next quarterly report to receive corrected 
information, as suggested by these commenters. The Commission is 
therefore adopting Rule 1003(a)(2), which requires an SCI entity to 
promptly submit a supplemental report to notify the Commission of a 
material error in or material omission from a report previously 
submitted under Rule 1003(a)(1). The Commission notes that the 
supplemental report requirement applies only if the error or omission 
in a prior report is material.
---------------------------------------------------------------------------

    \1058\ See OTC Markets Letter at 22.
    \1059\ See NYSE Letter at 28.
---------------------------------------------------------------------------

5. SCI Review--Rule 1003(b)
    Proposed Rule 1000(b)(7) required an SCI entity to conduct an SCI 
review of the SCI entity's compliance with Regulation SCI not less than 
once each calendar year, and submit a report of the SCI review to 
senior management of the SCI entity no more than 30 calendar days after 
completion of such SCI review.\1060\ Further, proposed Rule 
1000(b)(8)(i) required an SCI entity to submit to the Commission a 
report of the SCI review required by paragraph (b)(7), together with 
any response by senior management, within 60 calendar days after its 
submission to senior management of the SCI entity.\1061\
---------------------------------------------------------------------------

    \1060\ See proposed Rule 1000(b)(7) and Proposing Release, supra 
note 13, at Section III.C.5.
    \1061\ See proposed Rule 1000(b)(8)(i) and Proposing Release, 
supra note 13, at Section III.C.6.
---------------------------------------------------------------------------

    Proposed Rule 1000(a) defined the term ``SCI review'' to mean a 
review, following established procedures and standards, that is 
performed by objective personnel having appropriate experience in 
conducting reviews of SCI systems and SCI security systems, and which 
review contains: (1) A risk assessment with respect to such systems of 
the SCI entity; and (2) an assessment of internal control design and 
effectiveness to include logical and physical security controls, 
development processes, and information technology governance, 
consistent with industry standards.\1062\ In addition, the proposed 
definition provided that such review must include penetration test 
reviews of the SCI entity's network, firewalls, and production systems 
at a frequency of not less than once every three years.\1063\
---------------------------------------------------------------------------

    \1062\ See proposed Rule 1000(a) and Proposing Release, supra 
note 13, at Section III.C.5.
    \1063\ See id.
---------------------------------------------------------------------------

    The Commission is adopting the provisions relating to SCI reviews 
with modifications in response to comment. In addition, the Commission 
is adopting a definition of ``senior management'' in Rule 1000 for 
purposes of the SCI review requirement.
    Some commenters expressed support for the proposed requirements for 
SCI reviews,\1064\ with a few advocating that the SCI review be 
conducted by an independent third party, rather than ``objective 
personnel.'' \1065\ One commenter noted that it agreed that annual SCI 
reviews and reports can have a meaningful impact on improving

[[Page 72343]]

technology and business practices.\1066\ Another commenter expressed 
support for proposed Rule 1000(b)(7), but asked for clarification that 
any review of a processor under an NMS plan be performed independently 
of reviews of the same entity in other capacities (e.g., as an exchange 
or other SCI entity).\1067\
---------------------------------------------------------------------------

    \1064\ See, e.g., MSRB Letter at 23; Lauer Letter at 5; Better 
Markets Letter at 5; and Direct Edge Letter at 9.
    \1065\ See Lauer Letter at 5; Better Markets Letter at 5; and 
BlackRock Letter at 4.
    \1066\ See FIF Letter at 6 (expressing support for the SCI 
review requirement while also providing suggestions for 
modifications to the rule).
    \1067\ See Direct Edge Letter at 9.
---------------------------------------------------------------------------

    With regard to the suggestion that the Commission adopt a 
requirement that SCI reviews be conducted by an independent third party 
rather than ``objective personnel'' as proposed,\1068\ the Commission 
continues to believe that it is appropriate to permit SCI reviews to be 
performed by personnel of the SCI entity or an external firm, provided 
that such personnel are, in fact, objective and, as required by rule, 
have the appropriate experience to conduct reviews of SCI systems and 
indirect SCI systems. Experienced personnel should have the knowledge 
and skills necessary to conduct such reviews. In the SCI Proposal, the 
Commission noted that to satisfy the criterion that an SCI review be 
conducted by ``objective personnel,'' it should be performed by persons 
who have not been involved in the development, testing, or 
implementation of such systems being reviewed.\1069\ The Commission 
continues to believe that persons who were not involved in the process 
for development, testing, and implementation of the systems being 
reviewed would generally be in a better position to identify weaknesses 
and deficiencies that were not identified in the development, testing, 
and implementation stages. The Commission believes that, given the 
requirement that such personnel be ``objective,'' any personnel with 
conflicts of interest that have not been adequately mitigated to allow 
for objectivity should be excluded from serving in this role. In 
particular, the Commission believes that a person or persons conducting 
an SCI review should not have a conflict of interest that interferes 
with their ability to exercise judgment, express opinions, and present 
recommendations with impartiality. While the Commission recognizes 
that, as one commenter asserted, all personnel of an SCI entity could 
be viewed as having some level of conflict of interest,\1070\ the 
Commission believes that SCI entities can have appropriate policies and 
procedures in place to mitigate such conflicts or to help ensure that 
certain departments and/or specified personnel (such as internal audit 
departments) are appropriately insulated from such conflicts so as to 
be able to objectively conduct SCI reviews.\1071\
---------------------------------------------------------------------------

    \1068\ See supra note 1065 and accompanying text.
    \1069\ See Proposing Release, supra note 13, at 18123.
    \1070\ See Better Markets Letter at 5.
    \1071\ For example, the Commission believes that many entities 
implement a reporting structure pursuant to which internal audit 
employees or departments report directly to the board of directors 
or an audit committee of the board. The Commission notes that, while 
utilizing external personnel (i.e., third parties) to conduct an SCI 
entity's SCI review generally would not raise the same concerns 
regarding objectivity, the SCI entity would likewise need to 
mitigate any conflicts of interest that would prevent such personnel 
from meeting the objectivity standard required for an SCI review. 
For example, among the factors an SCI entity may consider in 
evaluating the objectivity of a third party review could be who 
within the SCI entity is managing the third party review, is setting 
the scope of review, is authorizing payment for such review, and has 
the authority to review and comment on the third party report, among 
others. Further, an SCI entity may consider the third party's 
ability to remain objective in light of any other services provided 
by the third party to the SCI entity.
---------------------------------------------------------------------------

    Accordingly, the Commission believes that the goals of Regulation 
SCI can be achieved through reviews by either internal objective 
personnel or external objective personnel. Taking into consideration 
the advantages and disadvantages associated with each approach, each 
SCI entity should make its own determination regarding the levels of 
review or assurance that can be provided by different personnel, the 
best means to ensure their objectivity, and whether it is appropriate 
to incur the additional costs of an independent third party review. An 
SCI entity may, for example, determine that it is appropriate to 
utilize personnel not employed by the SCI entity (i.e., third parties) 
to conduct such review each year or only on a less frequent, periodic 
basis (e.g., every three years), or only with regard to certain of its 
systems. In addition, with regard to one commenter's suggestion that an 
SCI review should be performed independently for each capacity in which 
an SCI entity acts, the Commission notes that the definition of SCI 
review and provisions of Rule 1003(b) require that an SCI entity 
perform a review, following established procedures and standards, for 
compliance with Regulation SCI that includes a risk assessment of the 
SCI entity's SCI systems and indirect SCI systems and an assessment of 
internal control design and effectiveness of such systems and does not 
require an SCI entity that serves in two different capacities with 
respect to Regulation SCI to conduct two independent SCI reviews. The 
Commission believes that, as a practical matter, an SCI entity may 
determine that, to comply with these requirements, it is necessary to 
conduct separate assessments and analysis for each capacity of the SCI 
entity, because the standards used, risk assessments, applicable 
policies and procedures, and assessment of internal control design and 
effectiveness are different with regard to the distinct and differing 
functions of the SCI entity in each capacity. For example, an entity 
that meets both the definition of an SCI SRO and a plan processor may 
determine that it is necessary to conduct separate reviews for each 
function performed, because, for instance, the findings of a risk 
assessment determine that certain SCI systems fall into the category of 
``critical SCI systems'' with regard to the functions of the plan 
processor, but not with regard to the functions of the SRO. At the same 
time, the Commission notes that, even where separate reviews are 
conducted, there may be certain overlap in conducting such reviews (for 
example, the entity may use the same objective reviewer for each 
function performed), such reviews may be conducted at the same time, 
and a single SCI review report may contain findings for each capacity.
    While other commenters also supported some form of review, many of 
these commenters stated that the term SCI review is defined too broadly 
and/or that the SCI review requirements should allow more 
flexibility.\1072\ Some commenters expressed concerns about the need to 
review all systems on an annual basis, which they argued could be 
costly, burdensome, and unnecessary.\1073\ Several commenters suggested 
the adoption of a risk-based approach for determining the scope of the 
review, which would entail conducting a risk assessment to determine 
which systems should be reviewed and how often.\1074\ Under such an 
approach, the highest risk systems would be reviewed more frequently 
than other, less critical systems, which could be reviewed less 
frequently than annually or on a rotational basis. Similarly, one

[[Page 72344]]

commenter recommended that SCI reviews should be focused only on those 
core systems capable of having a material impact on members or 
participants, and ``adjacent'' systems should not be subject to the 
review process.\1075\
---------------------------------------------------------------------------

    \1072\ See, e.g., FINRA Letter at 39-41; Omgeo Letter at 23-24; 
OCC Letter at 19; NYSE Letter at 35; SIFMA Letter at 17; DTCC Letter 
at 16-17.
    \1073\ See, e.g., FINRA Letter at 39-41; Omgeo Letter at 23-24; 
OCC Letter at 19; NYSE Letter at 35; DTCC Letter at 16-17; and BIDS 
Letter at 11.
    \1074\ See, e.g., FINRA Letter at 39-41; OCC Letter at 19; NYSE 
Letter at 35; SIFMA Letter at 17; DTCC Letter at 16-17; LiquidPoint 
Letter at 3; and Omgeo Letter at 24. One commenter noted that the 
proposed SCI review requirement essentially eliminated the ability 
to utilize its current risk assessment approach to determine the 
frequency of review for each system (ranging from annually to once 
every four years). See FINRA Letter at 40.
    \1075\ See FIF Letter at 6.
---------------------------------------------------------------------------

    After considering the views of commenters, the Commission has 
determined to adopt the provisions relating to SCI reviews with 
modifications in response to comment.\1076\ Thus, adopted Rule 1003(b) 
requires an SCI entity to conduct an SCI review of the SCI entity's 
compliance with Regulation SCI not less than once each calendar 
year.\1077\ However, the Commission notes that, because it has revised 
the scope of the definition of ``SCI systems'' as described above, 
fewer systems of each SCI entity will be subject to the SCI review, 
thereby focusing the overall scope of the SCI review requirement.\1078\ 
Further, to address some commenters' concerns about the burdens and 
inflexibility of the proposed rule and the recommendation that the 
proposed rule utilize a more risk-based approach, the adopted rule is 
being revised to allow assessments of SCI systems directly supporting 
market regulation or market surveillance to be conducted, based upon a 
risk-assessment, at least once every three years, rather than 
annually.\1079\ SCI entities would be required to determine the 
specific frequency with which to conduct assessments of these systems 
depending on the risk assessment that they conduct as part of the 
annual SCI review, provided that these systems are assessed at least 
once every three years. The Commission believes that market regulation 
and market surveillance systems have the potential to pose less risk to 
an entity or the market than other SCI systems. While the Commission 
believes that these systems are essential to investor protection and 
market integrity and that they can pose a significant risk to the 
markets in the event of a systems issue, the Commission also believes 
that certain market regulation and market surveillance systems may not 
have as immediate or widespread of an impact on the maintenance of fair 
and orderly markets or an entity's operational capability as the other 
categories of systems included within the definition of SCI systems. 
While a systems issue affecting a trading system could result in the 
immediate inability of a market, and thus market participants, to 
continue trading on such system and potentially impact trading on other 
markets as well, the Commission believes that the temporary disruption 
or failure of an SCI entity's market regulation and/or market 
surveillance systems in the wake of a wide-scale disruption would 
likely not have as direct an impact on market participants' ability to 
continue to trade. Thus, after considering commenters' views regarding 
the costs and burdens of the proposed SCI review requirements, as well 
as the suggestion that the Commission incorporate more of a risk-based 
approach in Regulation SCI, the Commission believes that a longer 
frequency of review of these systems may be appropriate in cases where 
the risk assessment conducted as part of the SCI review results in such 
a determination. The Commission also notes that, as originally proposed, 
the rule would have required penetration test reviews of the SCI 
entity's network, firewalls and development, testing, and production 
systems at a frequency of not less than once every three years in 
recognition of the potentially significant costs that may be associated 
with the performance of such tests.\1080\ However, consistent with 
modifications to the definition of SCI systems, references to 
development and test systems have been deleted in adopted Rule 
1003(b)(1)(i).\1081\ The Commission notes that an SCI entity may, 
however, determine that, based on its risk assessment, it is appropriate 
and/or necessary to conduct such penetration test reviews more 
frequently than once every three years.
---------------------------------------------------------------------------

    \1076\ See adopted Rule 1003(b). However, the Commission is 
moving the clause regarding penetration test reviews from the 
definition of SCI review into Rule 1003(b), which addresses the 
timing of reviews. Further, the adopted definition of SCI review 
will require that the objective reviewer have ``appropriate 
experience to conduct reviews'' rather than ``appropriate experience 
in conducting reviews'' as proposed. The Commission believes this 
revision is appropriate given that, prior to the adoption of 
Regulation SCI today, no individual or entity would have experience 
in conducting the specific SCI reviews required by Rule 1003(b). 
Rather, the Commission believes that there are individuals or 
entities that have experience in conducting reviews, audits, and/or 
testing similar to the functions that would be necessary to address 
certain aspects of the SCI review requirement, and thus, the 
objective reviewer should have this type of appropriate experience 
that would allow them to conduct SCI reviews in accordance with the 
requirements of Regulation SCI. Thus, as adopted, the term ``SCI 
review'' means ``a review, following established procedures and 
standards, that is performed by objective personnel having 
appropriate experience to conduct reviews of SCI systems and 
indirect SCI systems, and which review contains: (1) A risk 
assessment with respect to such systems of an SCI entity; and (2) An 
assessment of internal control design and effectiveness of its SCI 
systems and indirect SCI systems to include logical and physical 
security controls, development processes, and information technology 
governance, consistent with industry standards.'' See Rule 1000. 
Further, the Commission is moving the requirement relating to 
reports to the Commission on SCI reviews from proposed Rule 
1000(b)(8) into Rule 1003(b) so that all provisions regarding SCI 
reviews are in the same rule.
    \1077\ See adopted Rule 1003(b)(1).
    \1078\ The Commission also notes that it has clarified that the 
definition of ``indirect SCI systems'' includes only those systems 
that have not been effectively logically or physically separated 
from SCI systems. Thus, the scope of the SCI review is also more 
focused than what some commenters may have believed. It is also 
further focused by the elimination of references to development and 
test systems from the penetration test requirement in adopted 
Rule 1003(b)(1)(i).
    \1079\ See adopted Rule 1003(b)(1)(ii).
    \1080\ As noted by some commenters, penetration tests are highly 
technical and would require special expertise, and thus the 
Commission believes such testing could potentially require 
substantial costs. See, e.g., DTCC Letter at 17; and Omgeo Letter at 
44. See also infra Sections V.D.2.d and VI.C.2.b.vi (discussing 
estimated costs associated with the SCI review requirement, which 
takes into consideration the costs of penetration testing) and 
Proposing Release, supra note 13, at 18123 (stating that the 
Commission seeks to balance the frequency of such tests with the 
costs associated with performing the tests). As noted in the SCI 
Proposal, the Commission believes that the penetration test reviews 
should help an SCI entity evaluate the system's security and 
resiliency in the face of attempted and successful intrusions. See 
id.
    \1081\ See supra Section IV.A.2.b (discussing elimination of 
development and test systems from the definition of SCI systems).
---------------------------------------------------------------------------

    The Commission is not, however, adopting a broader risk-based 
approach to determine the required frequency of an SCI review (i.e., 
for SCI systems other than market regulation and market surveillance 
systems), as suggested by some commenters.\1082\ The Commission 
believes that a critical element to ensuring the capacity, integrity, 
resiliency, and availability of SCI systems and indirect SCI systems is 
conducting an annual objective review to assess the risks of an SCI 
entity's systems and the effectiveness of its internal information 
technology controls and procedures. Such reviews will not only assist 
the Commission in improving its oversight of the technology 
infrastructure of SCI entities, but also each SCI entity in assessing 
the effectiveness of its information technology practices, helping to 
ensure compliance with the safeguards provided by the requirements of 
Regulation SCI, identifying potential areas of weakness that require 
additional or modified controls, and determining where to best devote 
resources. Further, the Commission believes that the competitive 
environment of today's securities markets drives SCI entities to 
continually update, modify, and introduce new technology and systems, 
often in an effort to meet specific business needs and achieve ``quick-
to-market'' results, potentially without

[[Page 72345]]

adequate focus on ensuring the continuous integrity of their systems. In 
addition, given today's fast-paced nature of technological advancement, 
existing controls can quickly become obsolete or ineffective and the 
relative criticality or risk nature of a system can change over time as 
well.\1083\ Further, as one commenter noted, it is not uncommon for 
entities to experience repeated unsuccessful attempts to gain access to 
their systems,\1084\ which the Commission believes can expose certain 
vulnerabilities not identified previously and, if successful, also 
create new vulnerabilities and risk. For these reasons, the Commission 
believes that it is appropriate to require an SCI entity to conduct an 
SCI review of its applicable systems not less than once every 12 
months.\1085\
---------------------------------------------------------------------------

    \1082\ See supra note 1074 and accompanying text.
    \1083\ In addition, the Commission believes changes in personnel 
with access to SCI systems throughout the year can create additional 
risk that should be considered in evaluating the risks of any 
particular system.
    \1084\ See SIFMA Letter at 11.
    \1085\ The Commission notes that, while the rule requires that 
an SCI review be conducted ``not less than once each calendar 
year,'' an SCI entity may determine that it is appropriate to 
conduct an assessment of an SCI system more frequently, particularly 
for critical SCI systems. See adopted Rule 1003(b)(1).
---------------------------------------------------------------------------

    Further, the Commission notes that, as described in detail above, 
Regulation SCI is consistent with a risk-based approach in several 
areas, and thus, a risk assessment is appropriate in order to determine 
the standards and requirements applicable to a given SCI system. As 
such, the Commission believes that it is appropriate to require SCI 
entities to conduct a risk-based assessment with regard to their SCI 
systems and indirect SCI systems as part of their SCI review at least 
annually to help ensure that SCI entities are meeting the requirements 
of Regulation SCI.\1086\
---------------------------------------------------------------------------

    \1086\ See adopted Rule 1003(b) and Rule 1000 (definition of 
``SCI review'').
---------------------------------------------------------------------------

    For the reasons noted above, the Commission believes it is 
appropriate to require that SCI reviews be conducted at least annually, 
rather than utilizing a risk-based approach to determine the frequency 
of the required SCI review.\1087\ At the same time, the Commission 
notes that this provision is consistent with a risk-based approach in 
that SCI entities may design the scope and rigor of the SCI review for 
a particular system based on its risk assessment of such system, 
provided that the review meets the requirements of the rule, such as 
including an assessment of internal control design and effectiveness to 
include logical and physical security controls, development processes, 
and information technology governance, consistent with industry 
standards \1088\ and performing penetration test reviews at least once 
every three years.\1089\
---------------------------------------------------------------------------

    \1087\ However, as discussed above, an SCI entity may conduct an 
SCI review of its market regulation and market surveillance systems 
based upon its risk assessment of such systems, but not less than 
once every three years. See adopted Rule 1003(b)(1)(ii).
    \1088\ See adopted Rule 1000 (definition of ``SCI review'').
    \1089\ See adopted Rule 1003(b)(1)(i).
---------------------------------------------------------------------------

    Some commenters sought clarification on various aspects of the SCI 
review requirement. One commenter stated that the term SCI review, as 
proposed, expanded significantly on what is required under ARP and 
asked for greater specificity as to the objectives and intended scope 
of the SCI review.\1090\ This commenter suggested, as an alternative, 
that the Commission establish an ``agreed upon procedures'' approach, 
which would involve outlining specific SCI review objectives and 
procedures that would be performed by an objective reviewer.\1091\ One 
commenter also requested that the Commission clarify whether there is a 
distinction between the existing ARP report and the SCI review and 
whether the ARP practice of on-site inspections would be 
eliminated.\1092\
---------------------------------------------------------------------------

    \1090\ See FINRA Letter at 39-40.
    \1091\ See id. at 40.
    \1092\ See OCC Letter at 19.
---------------------------------------------------------------------------

    With regard to the comment seeking clarity on the scope of the 
review as compared to what is done under the current ARP Inspection 
Program,\1093\ as noted in the SCI Proposal, the requirement for an 
annual SCI review was intended to formalize a practice in place under 
the current ARP Inspection Program in which SROs conduct annual systems 
reviews following established audit procedures and standards that 
result in the presentation of a report to senior SRO management on the 
recommendations and conclusions of the review.\1094\ Specifically, the 
ARP Policy Statements called for each SRO to have its automated systems 
reviewed annually by an ``independent reviewer'' \1095\ and stated that 
independent reviews and analysis should: ``(1) Cover significant 
elements of the operations of the automation process, including the 
capacity planning and testing process, contingency planning, systems 
development methodology and vulnerability assessment; (2) be performed 
on a cyclical basis by competent and independent audit personnel 
following established audit procedures and standards; and (3) result in 
the presentation of a report to senior SRO management on the 
recommendations and conclusions of the independent reviewer, which 
report should be made available to Commission staff for its review and 
comment.'' \1096\ Similar to (1) above, the definition of SCI review 
requires the review to contain an assessment of internal control design 
and effectiveness of its SCI systems and indirect SCI systems to 
include logical and physical security controls, development processes, 
and information technology governance, consistent with industry 
standards. Consistent with element (2), an SCI review must be performed 
by objective personnel having appropriate experience to conduct reviews 
of SCI systems and indirect SCI systems and must be performed following 
established procedures and standards. Finally, like item (3), Rule 
1003(b)(2)-(3) requires SCI entities to submit a report of the SCI 
review to senior management after completion of the review, and 
following submission to senior management, to submit a report of the 
SCI review to the Commission, along with any response by senior 
management. Senior management, after reviewing the report, should note, 
in addition to any other response that may be made, any material 
inaccuracy or omission that, to their knowledge, is in the report. In 
this regard, the Commission recognizes that senior managers, by virtue 
of their positions and experience, may have differing levels of 
knowledge regarding their entity's SCI systems and indirect SCI systems 
and compliance with Regulation SCI.
---------------------------------------------------------------------------

    \1093\ See supra note 1092 and accompanying text. See also supra 
note 1090 and accompanying text.
    \1094\ See Proposing Release, supra note 13, at 18123.
    \1095\ See ARP I, supra note 1, at 48706-07. ARP I provided that 
an ``independent reviewer'' could be either an internal auditor 
group or an external audit firm so long as the independent reviewer 
had the competence, knowledge, consistency, and independence 
sufficient to perform the role.
    \1096\ See ARP II, supra note 1, at 22491. In ARP II, the 
Commission also explained that, in its view, ``a critical element to 
the success of the capacity planning and testing, security 
assessment and contingency planning processes for [automated] 
systems is obtaining an objective review of those planning processes 
by persons independent of the planning process to ensure that 
adequate controls and procedures have been developed and 
implemented.'' Id.
---------------------------------------------------------------------------

    While the SCI review requirement in Rule 1003 is based on the ARP 
review and report, a greater number of automated systems meeting the 
definition of SCI system or indirect SCI system would be subject to the 
SCI review requirements because the scope of Regulation SCI expands 
upon the current ARP Inspection Program. The Commission notes that the 
SCI review is not a substitute for inspections and
examinations conducted by Commission staff, and therefore SCI entities 
should expect that technology systems inspections and examinations will 
continue following the adoption of Regulation SCI. Along with 
notifications of material systems changes under adopted Rule 1003(a) 
and SCI event notifications pursuant to adopted Rule 1002(b), one 
purpose of SCI reviews will be to aid the Commission and its staff in 
understanding the operations and risks associated with the applicable 
systems of an SCI entity.
    In addition, as noted above, one commenter, in seeking further 
clarity on the scope of the SCI review requirement, suggested that the 
Commission take an ``agreed upon approach'' which would outline more 
specific review objectives and procedures that would be performed by 
the objective reviewer. The Commission believes that an SCI entity 
should have the ability to design the specific parameters of an SCI 
review within the confines of the general framework of the rule, 
including identifying its own review objectives and procedures, given 
the SCI entity's in-depth knowledge of, and familiarity with, its own 
systems and their attendant risks. As such, the adopted rule is 
designed to provide a general framework for the scope of the SCI review 
by specifying that the review must include a risk assessment of SCI 
systems and indirect SCI systems and an assessment of the internal 
control design and effectiveness of its systems in certain areas.\1097\ 
At the same time, the rule provides flexibility by permitting the 
review to be conducted ``following established procedures and 
standards,'' which would be identified and established by the SCI 
entity itself.\1098\
---------------------------------------------------------------------------

    \1097\ See adopted Rule 1000 (defining ``SCI review'').
    \1098\ See id.
---------------------------------------------------------------------------

    Some commenters expressed views on the provisions requiring SCI 
entities to submit reports of the SCI review to senior management of 
the SCI entity and to the Commission. Specifically, two commenters 
supported the proposed requirement that reports of the SCI review be 
submitted to senior management of the SCI entity no later than 30 days 
after completion of the SCI review.\1099\ One commenter urged that 
senior management of an SCI entity certify the report before it is 
submitted to the Commission in order to promote accountability at the 
highest ranks of the SCI entity.\1100\ Another commenter believed that 
45 days for submission of such reports to senior management would be 
more appropriate as a target timeframe given the complexity of the 
issues addressed in an SCI review, and that should this target fail to 
be met, the Board of Directors Audit Committee (or similar governing 
body) should be informed of the reason therefor.\1101\ Two commenters 
recommended that the distribution cycle within proposed Rule 
1000(b)(8)(i) be modified so that individual, focused audit reports 
resulting from rotational reviews could be bundled and distributed to 
the Commission on a regular basis (semi-annually or quarterly).\1102\
---------------------------------------------------------------------------

    \1099\ See MSRB Letter at 23; and FIF Letter at 6.
    \1100\ See Better Markets Letter at 6.
    \1101\ See DTCC Letter at 17.
    \1102\ See OCC Letter at 19; and DTCC Letter at 17.
---------------------------------------------------------------------------

    The Commission does not believe that it is necessary to require 
senior management certification of the report of the SCI review, as 
suggested by one commenter.\1103\ Adopted Rules 1003(b)(2)-(3) require 
that the SCI entity submit a report of the SCI review to senior 
management of the SCI entity no more than 30 calendar days after 
completion of such SCI review, and that the SCI entity submit a report 
of the SCI review, together with any response by senior management, to 
the Commission and the board of directors of the SCI entity or the 
equivalent of such board within 60 calendar days after its submission 
to senior management. Because reports of SCI reviews and any responses 
by senior management are required to be filed using Form SCI under the 
Exchange Act and Regulation SCI, it is unlawful for any person to 
willfully or knowingly make, or cause to be made, a false or misleading 
statement with respect to any material fact in such reports or 
responses.\1104\
---------------------------------------------------------------------------

    \1103\ See supra note 1100 and accompanying text.
    \1104\ See, e.g., Section 32(a) of the Exchange Act, 15 U.S.C. 
78ff(a).
---------------------------------------------------------------------------

    The Commission recognizes that senior management certifications are 
used in other regulatory contexts, including in some Commission rules 
and regulations.\1105\ However, at this time, the Commission believes 
that, in light of the other requirements for an SCI entity, the goals 
of Regulation SCI can be achieved without the imposition of an 
additional requirement on SCI entities for senior management 
certification. Specifically, the Commission believes that the adopted 
requirements promote the responsibility and accountability of senior 
management of an SCI entity by helping to ensure that senior management 
receives and reviews reports of SCI reviews, is made aware of issues 
relating to compliance with Regulation SCI, and is encouraged to 
promptly establish plans for resolving such issues.
---------------------------------------------------------------------------

    \1105\ See, e.g., 17 CFR 240.15c3-5(e)(2) (chief executive 
officer certification under the Market Access Rule); and 17 CFR 
240.13a-14 (principal executive and principal financial officer 
certification of disclosure in annual and quarterly reports).
---------------------------------------------------------------------------

    The Commission is also adopting a definition of ``senior 
management'' in Rule 1000 to make clear which individuals at an SCI 
entity must receive and review the report of the SCI review. The 
Commission believes that, in the context of the SCI review requirement, 
senior management should not be limited to a single individual or 
officer of an SCI entity. Thus, ``senior management,'' for purposes of 
adopted Rule 1003(b) is defined as an SCI entity's Chief Executive 
Officer, Chief Technology Officer, Chief Information Officer, General 
Counsel, and Chief Compliance Officer, or the equivalent of such 
employees or officers of an SCI entity. The Commission believes that, 
in order to achieve the goals of the rule to promote increased 
awareness and oversight of the technology infrastructure at an SCI 
entity by its most senior employees and officers, it is important that 
the SCI entity's senior management team receive and carefully review 
reports of SCI reviews. The Commission believes that these employees 
and officers, or their functional equivalent, represent the executive, 
technology, legal, and compliance functions that are necessary to 
effectively review the reports of SCI reviews. The Commission also 
believes that awareness by an SCI entity's senior management of SCI 
reviews and issues with Regulation SCI compliance should help to 
promote a focus by senior management on such reviews and issues, 
enhance communication and coordination regarding such reviews and 
issues among business, technology, legal, and compliance personnel, 
and, in turn, strengthen the capacity, integrity, resiliency, and 
availability of the systems of SCI entities. To help ensure that 
persons at the highest levels of an SCI entity are made aware of any 
issues raised in the SCI review, the Commission is also adopting a 
requirement for each SCI entity to submit to its board of directors or 
the equivalent of such board a report of the SCI review and any 
response by senior management within 60 calendar days after the 
submission of the report to senior management of the SCI entity.
    With regard to one commenter's suggestion that SCI entities should 
be given 45 days rather than 30 days to submit the report of the SCI 
review to senior management (and that it should be only a target 
timeframe rather than a
requirement),\1106\ the Commission notes that the 30-day timeframe is 
based on the Commission's experience with the current ARP Inspection 
Program that an ARP entity is able to consider the review and prepare a 
report for senior management consideration prior to the submission to 
the Commission.\1107\ The Commission acknowledges that a greater number 
of systems will be subject to the SCI review requirement than the 
current ARP Inspection Program given the definitions of SCI system and 
indirect SCI system,\1108\ and that the issues addressed in an SCI 
review may be complex. However, the Commission notes that the adopted 
timeframe, while based on experience with the current ARP Inspection 
Program, also takes into account these factors.\1109\ Further, the 
Commission believes that the complexity of the issues presented during 
an SCI review would more likely affect the timing of conducting and 
completing the SCI review, rather than the timing for submitting a 
report of the review to senior management. The Commission, therefore, 
continues to believe that this requirement is appropriate. The 
Commission also notes that the requirement to submit the annual report 
to the Commission within 60 calendar days after its submission to 
senior management is similarly based on the Commission's experience 
with the ARP Inspection Program that this time period is a sufficient 
period to enable senior management to consider such review or report 
before submitting it to the Commission.\1110\ Because an SCI entity 
will already have prepared the report and any response by senior 
management for filing with the Commission, the Commission believes that 
an SCI entity will not need significant additional time to submit the 
same report and response to its board of directors or the equivalent of 
such board.
---------------------------------------------------------------------------

    \1106\ See supra note 1101 and accompanying text.
    \1107\ See Proposing Release, supra note 13, at 18123.
    \1108\ The Commission also notes, however, that as discussed 
above, the scope of systems subject to Regulation SCI has been 
refined from what was proposed.
    \1109\ The Commission notes that, while the ARP II Release 
recommended that an SRO's independent review should result in the 
presentation of a report to senior SRO management on the 
recommendations and conclusions of the independent review and such 
report should be made available to Commission staff, it did not 
provide recommended time periods for the submission of such reports. 
See ARP II Release, supra note 1. The adopted 30-day time period is 
based on experience with the ARP Inspection Program, as well as a 
consideration of the scope of the review required under Regulation 
SCI.
    \1110\ See Proposing Release, supra note 13, at 18124.
---------------------------------------------------------------------------

    Contrary to the suggestion of some commenters, the Commission does 
not believe it is appropriate to allow an SCI entity to delay the 
submission of SCI review reports to the Commission in order to bundle 
several reports together and submit them on a quarterly or semi-annual 
basis. Rather, the Commission believes that it is important to receive 
such reports in a timely manner after completion of the SCI review, so 
that the Commission is made aware of potential areas of weakness in an 
SCI entity's systems that may pose risk to the entity or the market as 
a whole, as well as areas of non-compliance with the provisions of 
Regulation SCI, without undue delay.
    With respect to clearing agencies, two commenters noted that the 
SCI review requirement potentially might overlap with staff guidance 
for clearing agencies that calls for an annual report on internal 
controls and recommended that the Commission consider further 
coordination on potential redundancies.\1111\ The Commission notes that 
the section in the guidance provided in the Announcement for Standards 
for the Registration of Clearing Agencies referenced by commenters is 
distinct from the adopted SCI review requirement, as such section in 
the guidance relates to the review and evaluation of clearing agencies' 
accounting controls.\1112\ In contrast, the SCI review requirement 
involves a risk assessment and assessment of internal control design 
and effectiveness of all of an SCI entity's SCI systems and indirect 
SCI systems.
---------------------------------------------------------------------------

    \1111\ See OCC Letter at 19-20; and DTCC Letter at 18 (citing 
Securities Exchange Act Release No. 16900, 45 FR 41920, available 
at: https://sec.gov/rules/other/34-16900.pdf).
    \1112\ See Securities Exchange Act Release No. 16900 (June 17, 
1980), 45 FR 41920 (June 23, 1980).
---------------------------------------------------------------------------

    Finally, it should be noted that the required review and timely 
reporting to the Commission will enable the Commission and Commission 
staff to monitor the quality of compliance with Regulation SCI, 
thoroughness and robustness of SCI reviews, and the responses of senior 
management to such reviews. Accordingly, the Commission will be in a 
position to consider enhancing these regulatory requirements in the 
future, if necessary.
6. SCI Entity Business Continuity and Disaster Recovery Plans Testing 
Requirements for Members or Participants--Rule 1004
    Adopted Rule 1004 addresses testing of SCI entity business 
continuity and disaster recovery plans, including backup systems, by 
SCI entity members or participants. Rule 1004 corresponds to proposed 
Rule 1000(b)(9), and is adopted with certain modifications in response 
to comment, as discussed below.
a. Proposed Rule 1000(b)(9)
    Proposed Rule 1000(b)(9)(i) required each SCI entity, with respect 
to its BC/DR plans, to require participation by designated members or 
participants in scheduled functional and performance testing of the 
operation of such plans, in the manner and frequency specified by the 
SCI entity, at least once every 12 months. Proposed Rule 1000(b)(9)(ii) 
further required each SCI entity to coordinate the testing of such 
plans on an industry- or sector-wide basis with other SCI entities. 
Proposed Rule 1000(b)(9)(iii) would have additionally required each SCI 
entity to designate those members or participants it deems necessary, 
for the maintenance of fair and orderly markets in the event of the 
activation of its BC/DR plans, to participate in the testing of such 
plans, and notify the Commission of such designations and its standards 
for such designation on Form SCI.
b. Comments and Commission Response
    The Commission received significant comment on proposed Rule 
1000(b)(9) and is adopting it with revisions, as Rule 1004. As more 
fully discussed below, the adopted rule requires designation of a more 
limited set of SCI entity members and participants for mandatory 
participation in BC/DR testing than the proposed rule. Further, the 
adopted rule does not require an SCI entity to file designation 
standards or member/participant designations with the Commission on 
Form SCI, as was proposed, but instead an SCI entity must keep records 
of its standards and designations. The scope, frequency, and 
coordination aspects of the proposed rule are adopted as proposed.
i. Mandatory BC/DR Testing Generally
    Some commenters expressed general support for the goals of proposed 
Rule 1000(b)(9).\1113\ One commenter in particular stated that ``[i]t 
is vital that as many firms as possible participate in [market-wide] 
testing with conditions as realistic as possible.'' \1114\ According to 
this commenter, broader mandatory participation in testing would be 
``one of the most valuable parts of Regulation SCI and will do the most 
to ensure improved market network reliability.'' \1115\ Another 
commenter
expressed support for broad participation in BC/DR testing, but also 
expressed concern that the testing requirement would put SCI entities 
at a competitive disadvantage versus non-SCI entities.\1116\
---------------------------------------------------------------------------

    \1113\ See, e.g., Angel Letter at 9; UBS Letter at 4-5; and FIF 
Letter at 6-7.
    \1114\ See Angel Letter at 9.
    \1115\ See id. at 10.
    \1116\ See FIF Letter at 7.
---------------------------------------------------------------------------

    Several commenters objected to the proposed mandatory testing 
requirement for SCI ATSs.\1117\ For example, two commenters suggested 
that few ATSs are critical enough to warrant inclusion in the proposed 
mandatory testing requirement.\1118\ One commenter urged that only SCI 
entities that provide market functions on which other market 
participants depend be subject to the requirements for separate backup 
and recovery capabilities.\1119\ Another commenter stated that the 
added benefit of requiring fully redundant backup systems is almost 
impossible to measure while the cost of implementation is significant, 
and added further that fully redundant systems and increased testing do 
not guarantee a flawless backup plan.\1120\
---------------------------------------------------------------------------

    \1117\ See SIFMA Letter at 17; BIDS Letter at 8; and ITG Letter 
at 15.
    \1118\ See BIDS Letter at 5, 8; and ITG Letter at 15.
    \1119\ See KCG Letter at 8.
    \1120\ See Group One Letter at 3.
---------------------------------------------------------------------------

    Two commenters stated that the current voluntary coordinated 
testing organized by SIFMA \1121\ already attracts significant 
participation without any mandate in place.\1122\ However, a different 
commenter noted the difficulties it has encountered in fostering 
participation in its voluntary disaster recovery exercises, and stated 
that, despite encouraging users to participate in its disaster recovery 
exercises, participation levels were only 20 percent of its targeted 
high volume client base.\1123\ One commenter sought clarification on 
whether the requirements of proposed Rule 1000(b)(9) would apply only 
to trading and clearance systems, or would extend to other SCI systems 
as well.\1124\ Two commenters asked whether third parties that perform 
critical market functions for an SCI entity, such as data vendors and 
service bureaus, would be subject to the proposed requirement.\1125\ 
One commenter stated that testing by an SCI entity of its business 
continuity capabilities should not be required to be coordinated with 
members.\1126\ According to this commenter, ``[t]he entire point of 
[business continuity plan testing] would be to not coordinate it with 
customers, and assess whether operations out of [backup] facilities was 
seamless to members and other market participants.'' \1127\ One 
commenter stated that it would be more appropriate for SCI entities' 
members and participants to be responsible for their own business 
continuity plans and testing.\1128\ The Commission has carefully 
considered commenters' views on the need for all SCI entities to be 
subject to the proposed mandatory testing requirement. The Commission 
continues to believe that adopted Rule 1004 should apply to all SCI 
entities.
---------------------------------------------------------------------------

    \1121\ SIFMA organizes an annual industry-wide testing exercise 
for firms and exchanges to submit and process test orders using 
their backup facilities. Participation is voluntary. See https://www.sifma.org/services/bcp/industry-testing/.
    \1122\ See CME Letter at 13; and Tellefsen Letter at 7-8.
    \1123\ See Omgeo Letter at 26 (noting also that it lacks the 
ability to require participation by its clients).
    \1124\ See FINRA Letter at 37.
    \1125\ See FINRA Letter at 39; and MSRB Letter at 25.
    \1126\ See Direct Edge Letter at 9.
    \1127\ See id.
    \1128\ See SIFMA Letter at 17. In addition, some commenters 
believed that ATSs should be excluded from requiring members or 
participants to test, given that ATSs and their broker-dealer 
participants are already subject to FINRA Rule 4370, which relates 
to BC/DR plans. See FIA PTG Letter at 5; and BIDS Letter at 9.
---------------------------------------------------------------------------

    Whereas adopted Rule 1001(a)(2)(v) requires that each SCI entity's 
policies and procedures include BC/DR plans and specifies recovery 
goals and geographic diversity requirements for such plans,\1129\ 
adopted Rule 1004 sets forth certain minimum requirements for SCI 
entity testing of its BC/DR plans. Adopted Rule 1004, like proposed 
Rule 1000(b)(9), aims to reduce the risks associated with an SCI 
entity's decision to activate its BC/DR plans and help to ensure that 
such plans operate as intended, if activated, by requiring that an SCI 
entity include participation by certain members and participants in 
testing of the SCI entity's BC/DR plans. Although some commenters, 
including several ATSs, argued that ATSs should be excluded from 
requiring members or participants to test because, according to these 
commenters, ATSs are less critical to the orderly functioning of the 
markets than other SCI entities,\1130\ the Commission believes that 
eliminating any category of SCI entity--including SCI ATSs--from the 
testing requirement would undermine the goal of maintaining fair and 
orderly markets in the wake of a wide-scale disruption, and assuring 
the smooth and effective implementation of an SCI entity's BC/DR 
plans.\1131\ The Commission continues to believe that a testing 
participation requirement will help an SCI entity to ensure that its 
efforts to develop effective BC/DR plans are not undermined by a lack 
of participation by members or participants that the SCI entity 
believes are necessary to the successful activation of such 
plans.\1132\ As stated in the SCI Proposal, the Commission believes 
that a factor in the shutdown of the equities and options markets in 
the wake of Superstorm Sandy was the exchanges' belief regarding the 
inability of some market participants to adequately operate from the 
backup facilities of all market centers.\1133\ And, although testing 
protocols were in place and the chance to participate in such testing 
was available, the member participation rate was low.\1134\ The 
Commission does not agree with comments that seamless operation of 
backup facilities should not require coordination of testing, or that 
the fact that members and participants have their own BC/DR plans and 
testing means that they should not be required, if designated, to 
participate in the testing of an SCI entity's BC/DR plans.\1135\ The 
Commission continues to believe that testing of the effectiveness of 
back-up arrangements in recovering from a wide-scale disruption is a 
sound principle, and that, without the participation of significant 
members or participants of SCI entities, the effectiveness of such 
testing could be
undermined. Based on its experience with the ARP Inspection Program, 
the Commission understands that many SCI entities have already made 
significant investments in their backup facilities.\1136\ The 
Commission believes that the requirements of Rule 1004 will help to 
ensure that such facilities will be effective in the event they are 
needed.\1137\
---------------------------------------------------------------------------

    \1129\ See supra Section IV.B.1.b (discussing the requirement 
that an SCI entity have reasonable policies and procedures that 
include business continuity and disaster recovery plans that include 
maintaining backup and recovery capabilities sufficiently resilient 
and geographically diverse and that are reasonably designed to 
achieve next business day resumption of trading and two-hour 
resumption of critical SCI systems following a wide-scale 
disruption).
    \1130\ See supra note 1118 and accompanying text.
    \1131\ See supra Section IV.A.1 (discussing the Commission's 
rationale for adopting the definition of SCI entity as proposed). 
See supra Section IV.B.1.b (discussing the BC/DR requirements in 
Rule 1001(a)(2)(v) for SCI entities). See also infra Sections 
VI.C.1.c and VI.C.2.b.vii (discussing competitive concerns raised by 
requiring SCI entities to require members or participants to 
participate in the SCI entities' BC/DR testing).
    \1132\ See Proposing Release, supra note 13, at 18125.
    \1133\ See id. at 18158. See also id. at 18091. The Commission 
notes that its basis for adopting a mandatory testing rule is 
independent of whether the market closures in the wake of Superstorm 
Sandy were appropriate to protect the health and safety of exchange 
personnel.
    \1134\ See id. at 18158 and text accompanying n. 83 at 18091. In 
addition, based on the discussions of Commission staff with market 
participants in the months following Superstorm Sandy, the 
Commission understands that many market participants had previously 
engaged in connectivity testing with backup facilities, and yet 
remained uncomfortable about switching over to the use of backup 
facilities in advance of the storm.
    \1135\ Nor does the Commission agree that Rule 1004 would be 
duplicative of FINRA Rule 4370, as Rule 1004 relates to 
participation by members or participants in the testing of an SCI 
entity's business continuity plans, whereas FINRA Rule 4370 relates 
to the testing of the member's or participant's own business 
continuity plan. See supra note 539 and accompanying text.
    \1136\ See infra Section VI.B.2 (stating that nearly all 
national securities exchanges already have backup facilities that do 
not rely on the same infrastructure components as those used by 
their primary facility).
    \1137\ See 2003 BCP Policy Statement, supra note 512, at 56658 
(stating: ``The effectiveness of back-up arrangements in recovering 
from a wide-scale disruption should be confirmed through 
testing.''). See also Interagency White Paper, supra note 512, at 
17811 (identifying ``a high level of confidence, through ongoing use 
or robust testing, that critical internal and external continuity 
arrangements are effective and compatible'' as one of three 
important business continuity objectives). See also supra Section 
IV.B.1.b (discussing adopted Rule 1001(a)(2)(v)).
---------------------------------------------------------------------------

    In response to commenters who questioned the need for mandatory 
participation by SCI entity members and participants,\1138\ the 
Commission believes that current voluntary industry-led testing has 
been useful because it annually brings together a wide variety of 
market participants, including many SCI entities, and involves a range 
of asset classes.\1139\ The current industry-led testing program 
coordinated by SIFMA therefore could provide a foundation for the 
development of the testing required by Rule 1004. However, because 
participation rates by members and participants in voluntary testing 
generally have been low, the Commission believes that a mandatory 
participation requirement is the best means to achieve effective and 
coordinated BC/DR testing with assured participation by the more 
significant SCI entity members and participants.\1140\ In addition, 
although the Commission generally agrees with the comment that ``[i]t 
is vital that as many firms as possible participate in [market-wide] 
testing with conditions as realistic as possible,'' \1141\ because of 
the burden and costs of requiring participation by all SCI entity 
members and participants, regardless of their market significance, the 
Commission believes it is appropriate to adopt a more measured approach 
to mandatory participation in BC/DR testing.\1142\ The Commission is 
therefore adopting a BC/DR testing designation requirement that applies 
to all SCI entities, but does not apply to all members and participants 
of SCI entities, as discussed below.\1143\
---------------------------------------------------------------------------

    \1138\ See supra notes 1117-1122 and accompanying text.
    \1139\ See https://www.sifma.org/services/bcp/industry-testing/ 
(in which SIFMA describes its BC/DR test held annually in 
October, which includes asset classes such as commercial paper, 
equities, options, futures, fixed-income, settlement, payments, 
Treasury auctions and market data).
    \1140\ See supra note 1123 (noting Omgeo's comment that 
voluntary participation levels are low). See also Proposing Release, 
supra note 13, at 18091, n. 83 and accompanying text (noting that 
press reports indicated that a large number of NYSE members did not 
participate in NYSE's contingency plan testing that occurred seven 
months prior to Superstorm Sandy).
    \1141\ See supra note 1114 and accompanying text.
    \1142\ In addition, because the Commission recognizes that the 
coordination of such testing is complex and time-consuming, it has 
provided for a compliance date for the coordination requirement of 
Rule 1004(d) that is 12 months after the compliance date required 
for other provisions of Regulation SCI. See Section IV.F.
    \1143\ In response to commenters seeking clarification on the 
types of systems that would be subject to the mandatory testing 
requirement (see supra notes 1124-1125 and accompanying text), 
because the required testing is BC/DR testing, all systems necessary 
for an SCI entity to successfully activate its BC/DR plan would be 
included.
---------------------------------------------------------------------------

ii. SCI Entity Designation of Members or Participants for Participation 
in BC/DR Testing--Rules 1004(a)-(c)
    Several commenters raised concerns about the proposed requirement 
that SCI entities exercise discretion to designate members or 
participants for participation in coordinated BC/DR testing under 
proposed Rule 1000(b)(9).\1144\ After careful consideration of the 
views of commenters, the Commission is adopting the requirement that 
SCI entities designate certain members or participants to participate 
in testing BC/DR plans with certain modifications from the proposal. As 
proposed, the rule would have required each SCI entity to designate 
those members or participants it ``deems necessary, for the maintenance 
of fair and orderly markets in the event of the activation of its 
business continuity and disaster recovery plans . . .'' The Commission 
has determined instead to require that each SCI entity designate those 
members or participants ``that the SCI entity reasonably determines 
are, taken as a whole, the minimum necessary for the maintenance of 
fair and orderly markets in the event of the activation of such 
plans.'' This change is broadly consistent with the suggestion of one 
commenter to revise the criteria for designation to those firms 
``critical to the operation of the SCI entity.'' \1145\ However, the 
Commission believes that the adopted standard is more appropriate in 
that it focuses on the ability of the SCI entity to maintain fair and 
orderly markets under its BC/DR plan.\1146\
---------------------------------------------------------------------------

    \1144\ See NYSE Letter at 33; FIF Letter at 6-7; Omgeo Letter at 
26; Fidelity Letter at 6; and Angel Letter at 10.
    \1145\ See ISE Letter at 9.
    \1146\ As discussed more fully in Section IV.B.6.b.iv infra, the 
Commission also believes that the adopted standard could, but would 
be unlikely to, cause members or participants to elect to withdraw 
from participation in an SCI entity (particularly a smaller SCI 
entity) to save on the cost of connectivity fees.
---------------------------------------------------------------------------

    Several commenters suggested eliminating SCI entity discretion and 
setting forth in the rule clear, objective criteria (such as trading 
volume) for which members or participants would be required to 
participate in testing.\1147\ One commenter suggested that the 
Commission require that all members or participants that represent a 
meaningful percentage of the volume in the marketplace participate in 
the testing in order to capture the more significant market 
participants, while recognizing the financial burden such testing may 
pose for smaller entities.\1148\ This commenter believed that giving 
discretion to SCI entities in this area might lead to regulatory 
arbitrage and a race to the bottom regarding how many and which members 
or participants are designated to participate in testing.\1149\ On the 
other hand, another commenter stated that the discretion 
contemplated by the proposal keeps the rule flexible enough to 
accommodate SCI entities conducting a diverse range of business 
activities.\1150\ This commenter also suggested that SCI entities 
should not be required to report to the Commission who they have 
designated to test, and instead should only be required to keep a 
record of who they have designated.\1151\
---------------------------------------------------------------------------

    \1147\ See NYSE Letter at 33; Omgeo Letter at 26; Angel Letter 
at 10; and FIF Letter at 6.
    \1148\ See NYSE Letter at 33.
    \1149\ See NYSE Letter at 33.
    \1150\ See CME Letter at 12.
    \1151\ See id. at 13.
---------------------------------------------------------------------------

    In response to commenters who were concerned about the 
discretionary aspect of the designation requirement,\1152\ the 
Commission believes the SCI entity is in the best position to determine 
which of its members or participants collectively represent sufficient 
liquidity for the SCI entity to maintain fair and orderly markets in a 
BC/DR scenario following a wide-scale disruption. The Commission 
believes such determinations require the exercise of reasonable 
judgment by each SCI entity, and are not well-suited for a ``one-size-
fits-all'' objective measure determined by the Commission. For example, 
if the Commission were to establish an objective measure (e.g., based 
on a specified percentage of trading volume), 
it might represent a meaningful percentage for some SCI entities, but 
not for others. Thus, the rule requires that each SCI entity establish 
standards for the designation of those members or participants that the 
SCI entity ``reasonably'' determines are, taken as a whole, the minimum 
necessary for the maintenance of fair and orderly markets in the event 
of the activation of its BC/DR plans. This adopted provision is in lieu 
of the proposed requirement, which would have required an SCI entity to 
designate those members or participants it ``deems necessary'' for the 
maintenance of fair and orderly markets in the event of the activation 
of its BC/DR plans. Because the adopted rule requires an SCI entity's 
determination to be reasonable, it provides some degree of flexibility 
to SCI entities but also imposes a check on SCI entity discretion, 
which the Commission believes should help prevent an SCI entity's 
designations from being overly limited. In response to concerns that a 
discretionary designation requirement would lead to regulatory 
arbitrage and a race to the bottom regarding how many and which members 
or participants are designated to participate in testing, the 
Commission believes that this is unlikely to occur because each SCI 
entity will be subject to the same requirement and will be required to 
make a reasonable determination that the designated members or 
participants are those that are the minimum necessary for it to 
maintain fair and orderly markets in the event of activation of its BC/
DR plans. Further, the Commission believes that broad participation in 
BC/DR testing will enhance the utility of the testing, and that 
allowing non-designated members or participants the opportunity to 
participate in such testing generally will further this goal. 
Therefore, the Commission encourages SCI entities to permit non-
designated members or participants to participate in the testing of the 
SCI entity's BC/DR plans if they request to do so.
---------------------------------------------------------------------------

    \1152\ See supra notes 1144, 1147-1149 and accompanying text.
---------------------------------------------------------------------------

    Consistent with the recommendation of one commenter, however, the 
Commission has determined not to require that each SCI entity notify 
the Commission of its designations and its standards for designation on 
Form SCI as proposed. Instead, an SCI entity's standards, designations, 
and updates, if applicable, would be part of its records and therefore 
available to the Commission and its staff upon request.\1153\ Unlike de 
minimis systems disruptions and de minimis systems intrusions, which 
may occur with regularity (and for which a quarterly summary report 
would aid Commission oversight of systems whose proper functioning is 
central to the maintenance of fair and orderly markets), the 
establishment of standards for designation, the designations 
themselves, and updates to such standards or designations are likely to 
occur less frequently. Thus, the Commission believes it is sufficient 
for the Commission to review records relating to such designations when 
the Commission determines that it is necessary to do so to fulfill its 
oversight role, such as during its examination of an SCI entity.\1154\ 
More broadly, the Commission believes this revision is generally 
consistent with modifications that the Commission has made in response 
to comment that proposed Regulation SCI would have required unnecessary 
and burdensome notice and reporting submissions.
---------------------------------------------------------------------------

    \1153\ See infra Section IV.C.1 (discussing SCI entity 
recordkeeping requirements).
    \1154\ See supra Sections IV.A.3 and IV.B.3.c (discussing the 
rationale for quarterly reporting of de minimis systems disruptions 
and de minimis systems intrusions).
---------------------------------------------------------------------------

    Some commenters questioned whether many SCI entities, particularly 
non-SROs and ATSs, have the authority to require their members or 
participants to participate in such testing.\1155\ Another commenter 
more generally stated that it was unclear how an SCI entity could 
enforce a requirement that its customers engage in BC/DR testing.\1156\ 
In response to these comments, the Commission believes that SCI SRO 
rulemaking authority and non-SRO contractual arrangements would enable 
SCI entities to implement this requirement.\1157\ Specifically, SROs 
have the authority, and legal responsibility, under Section 6 of the 
Exchange Act, to adopt and enforce rules (including rules to comply 
with Regulation SCI's requirements relating to BC/DR testing) 
applicable to their members or participants that are designed to, among 
other things, foster cooperation and coordination with persons engaged 
in regulating, clearing, settling, processing information with respect 
to, and facilitating transactions in securities, to remove impediments 
to and perfect the mechanism of a free and open market and a national 
market system, and, in general, to protect investors and the public 
interest.\1158\ Further, SCI entities that are not SROs have the 
ability to include provisions in their contractual agreements with 
their participants (such as their subscriber or participant agreements) 
requiring such parties to engage in BC/DR testing.
---------------------------------------------------------------------------

    \1155\ See Omgeo Letter at 26; MSRB Letter at 24; BIDS Letter at 
8; LiquidNet Letter at 4; and SIFMA Letter at 17. See also ITG 
Letter at 15-16.
    \1156\ See SIFMA Letter at 17-18 (suggesting that the Commission 
instead adopt a ``BCP testing requirement more akin to the `best 
practices' described in the Interagency White Paper'').
    \1157\ While some designated members or participants of SCI 
entities might choose to withdraw from membership or participation 
in an SCI entity if they assess the cost of participating in BC/DR 
testing to be too great, the Commission believes that other aspects 
of their involvement with the SCI entity, including an interest in 
maintaining a profitable business relationship, will factor 
significantly into any decision regarding their continued membership 
or participation in the SCI entity. See also infra Sections VI.C.1.c 
and VI.C.2.b.vii (discussing competition between SCI entities and 
non-SCI entities in relation to the requirements under Rule 1004).
    \1158\ See Section 6 of the Exchange Act, 15 U.S.C. 78f.
---------------------------------------------------------------------------

    Other commenters focused on the potential impact of the rule on the 
members or participants designated to participate in testing. One 
commenter pointed out that, without clearly defined industry level 
coordination, some members or participants may be overburdened by being 
subject to multiple individual tests with various SCI entities.\1159\ 
Another commenter asked the Commission to clarify what the obligation 
is for firms that are members or participants at multiple SCI 
entities.\1160\ Several commenters expressed concern that the 
Commission underestimated the costs and burdens of the proposed 
testing.\1161\ According to some of these commenters, under the 
proposal, certain firms, such as market makers and other firms 
performing important market functions, could be required to maintain 
connections to the backup sites of a number of SCI entities, at 
significant cost.\1162\ A group of commenters requested that the scope 
be targeted to only cover those instances in which an SCI entity 
determines to enact its disaster recovery plans.\1163\ One commenter 
agreed that the designation requirement could be relaxed and still 
achieve the provision's aim, because the bulk of the liquidity at a 
market center is provided by a small number of firms.\1164\ Another 
commenter asked the Commission to give designated firms the 
ability to opt-out if they have a good reason.\1165\
---------------------------------------------------------------------------

    \1159\ See OCC Letter at 18.
    \1160\ See DTCC Letter at 13.
    \1161\ See FINRA Letter at 37-39; OCC Letter at 18; Fidelity 
Letter at 6; Joint SROs Letter at 15-16; ISE Letter at 9; and Group 
One Letter at 3. See also infra Section VI (discussing the costs and 
burdens of the requirement, including the costs for members or 
participants to participate in BC/DR testing).
    \1162\ See FINRA Letter at 37-39; OCC Letter at 18; and Fidelity 
Letter at 6 (expressing concern that an SCI entity might cast a wide net 
with its designation powers to include more firms than necessary).
    \1163\ See Joint SROs Letter at 16 (noting the complexity of 
testing a scenario in which a market participant may have enacted 
its business continuity plan but can still access an SCI entity 
through the primary facility).
    \1164\ See Tellefsen Letter at 9.
    \1165\ See Fidelity Letter at 6.
---------------------------------------------------------------------------

    The Commission believes that adoption of a more focused designation 
requirement that requires SCI entities to exercise reasonable 
discretion to identify those members or participants that, taken as a 
whole, are the ``minimum necessary'' for the maintenance of fair and 
orderly markets in the event of the activation of such plans is likely 
to result in a smaller number of SCI entity members or participants 
being designated for participation in testing as compared to the SCI 
Proposal. Because the Commission believes that SCI entities have an 
incentive to limit the imposition of the cost and burden associated 
with testing to the minimum necessary to comply with the rule, it also 
believes that, given the option, most SCI entities would, in the 
exercise of reasonable discretion, prefer to designate fewer members or 
participants to participate in testing than to designate more. On 
balance, the Commission believes that the adopted rule will incentivize SCI 
entities to designate those members and participants that are in fact 
the minimum necessary for the maintenance of fair and orderly markets 
in the event of the activation of their BC/DR plans, and that this 
should reduce the number of designations to which any particular member 
or participant would be subject, as compared to the SCI Proposal, and 
would potentially simplify efforts for SCI entities to coordinate BC/DR 
testing, as required by adopted Rule 1004(d). Despite the modifications 
from the proposal, it remains possible, as some commenters noted, that 
firms that are members of multiple SCI entities will be the subject of 
multiple designations, and that multiple designations could require 
certain firms to maintain connections to and participate in testing of 
the backup sites of multiple SCI entities. The Commission believes this 
possibility, though real, may be mitigated by the fact that multiple 
designations are likely to be made to firms that are already connected 
to one or more SCI entity backup facilities, since they represent 
significant members or participants of the applicable SCI entities; and 
that, because some SCI entity backup facilities are located in close 
proximity to each other, multiple connections to such backup facilities 
may be less costly than if SCI entity backup facilities were not so 
located. The Commission recognizes that there will be greater costs to 
a firm being designated by multiple SCI entities to participate in the 
testing of their BC/DR plans than to a firm designated by only one SCI 
entity. However, the Commission believes that these greater costs are 
warranted for such firms, as they represent significant participants in 
each of the SCI entities for which they are designated, and their 
participation in the testing of each such SCI entity's BC/DR plans is 
necessary to evaluate whether such plans are reliable and effective. 
The designation of a firm to participate in the BC/DR testing of an SCI 
entity means that such firm is significant, as the SCI entity has 
reasonably determined it to be included in the set of its members or 
participants that is, ``taken as a whole, the minimum necessary for the 
maintenance of fair and orderly markets in the event of the activation 
of such plans.'' Nonetheless, the Commission acknowledges that there 
may be instances in which an SCI entity has reasonably designated a 
firm to participate in BC/DR testing, and the firm is unwilling to bear 
the cost of participation in BC/DR testing with a given SCI entity. In 
such instances, there may be firms that opt out of such testing by 
withdrawing as a member or subscriber of one or more SCI entities, but 
the Commission believes that is unlikely. In particular, the Commission 
believes that it is unlikely that a firm determined to be significant 
enough to be designated to participate in testing by an SCI entity 
would choose to withdraw its membership or participation in an SCI 
entity solely because of the costs and burdens of Regulation SCI's BC/
DR testing provisions. The Commission also believes that such firm is 
likely to be a larger firm with greater resources and a significant 
level of participation in such SCI entity, and is likely to already be 
connected to the backup facility of the SCI SRO that is designating it 
to test.\1166\ Moreover, the Commission does not agree with the 
suggestion made by one commenter that the Commission give designated 
firms the ability to ``opt-out'' if they have a good reason,\1167\ 
because the ability to opt-out in this manner would render 
participation in BC/DR testing voluntary which, as discussed above, is 
unlikely to result in adequate BC/DR testing.\1168\ The Commission 
continues to believe, as stated in the SCI Proposal, that ``unless 
there is effective participation by certain of its members or 
participants in the testing of [BC/DR] plans, the objective of ensuring 
resilient and available markets in general, and the maintenance of fair 
and orderly markets in particular, would not be achieved.'' \1169\ 
Although the Commission recognizes that testing of a BC/DR plan does 
not guarantee flawless execution of that plan, the Commission believes 
that a tested plan is likely to be more reliable and effective than an 
inadequately tested plan.\1170\
---------------------------------------------------------------------------

    \1166\ See infra Section IV.B.6.b.iv.
    \1167\ See Fidelity Letter at 6.
    \1168\ See supra note 1140 and accompanying text.
    \1169\ See Proposing Release, supra note 13, at 18091, 18125.
    \1170\ Further, because the Commission believes that increased 
participation in BC/DR testing is likely to enhance the utility of 
the testing, the Commission encourages SCI entities to permit 
members or participants that do not meet the SCI entity's reasonable 
designation standards to participate in such testing if they request 
to do so.
---------------------------------------------------------------------------

iii. Scope, Timing, and Frequency of BC/DR Testing--Rule 1004(b)
    The SCI Proposal specified that the type of testing in which 
designees would be required to participate was ``scheduled functional 
and performance testing of the operation of [BC/DR] plans, in the 
manner and frequency specified by the SCI entity, at least once every 
12 months.'' \1171\ After careful consideration of the views of 
commenters, the Commission is adopting the scope, frequency, and timing 
requirements in the rule as proposed. Specifically, adopted Rule 
1004(b) requires that an SCI entity's designees participate in 
``scheduled functional and performance testing of the operation of [BC/
DR] plans, in the manner and frequency specified by the SCI entity, 
provided that such frequency shall not be less than once every 12 
months.''
---------------------------------------------------------------------------

    \1171\ See proposed Rule 1000(b)(9)(i).
---------------------------------------------------------------------------

    In the SCI Proposal, the Commission noted that functional testing 
is commonly understood to examine whether a system operates in 
accordance with its specifications, whereas performance testing 
examines whether a system is able to perform under a particular 
workload.\1172\ The Commission added that functional and performance 
testing should include not only testing of connectivity, but also 
testing of an SCI entity's systems, such as order entry, execution, 
clearance and settlement, order routing, and the transmission and/or 
receipt of market data, as applicable, to determine if they can operate 
as contemplated by its business continuity and disaster recovery 
plans.\1173\ With regard to the proposed scope of testing, several 
commenters expressed specific concerns about the requirement for 
``functional and performance'' testing of BC/DR 
plans.\1174\ Specifically, one commenter expressed concern about the 
logistical challenges of conducting functional and performance testing 
at the same time.\1175\ Two commenters expressed concern that requiring 
firms to perform industry-wide, end-to-end testing by processing 
transactions in their disaster recovery systems would introduce risk to 
the markets because such testing would increase the chance that test 
transactions could inadvertently be introduced into production 
systems.\1176\ Another commenter stated that a full functional test 
across all primary and recovery data centers for any significant number 
of members or participants would require substantial time to conduct 
and may require market downtime, as would a full performance 
test.\1177\ One group of commenters suggested that the scope of the 
requirement should be revised to only cover ``functional and 
operational testing'' of disaster recovery plans, but requested 
additional guidance with regard to the scope of testing required to 
establish the effectiveness of disaster recovery plans.\1178\ This 
group of commenters expressed concern about the ``complexity and cost 
associated with establishing an effective coordinated test script that 
captures the significant number of possibilities that may occur to each 
significant market participant or SCI entity'' and recommended that the 
scope of the coordinated functional and operational testing 
requirements be revised to cover those instances in which an SCI entity 
determines to enact its disaster recovery plan.\1179\ Two commenters 
believed the tests should be ``scenario-based'' to recreate as closely 
as possible the actual conditions that would trigger widespread use of 
BC/DR plans.\1180\
---------------------------------------------------------------------------

    \1172\ See Proposing Release, supra note 13, at 18125, n. 267.
    \1173\ See id. at 18126.
    \1174\ See, e.g., FINRA Letter at 37; OCC Letter at 18; and DTCC 
Letter at 12.
    \1175\ See FINRA Letter at 37 (stating that combining 
performance testing with functional testing on weekends would be 
difficult and possibly not feasible because an end-to-end functional 
test combined with a stress test would require much more time to 
accommodate processing volumes than would be afforded in an 
abbreviated non-business day session).
    \1176\ See OCC Letter at 17-18 (stating that its systems and 
systems of many member firms are configured to prevent test activity 
from being processed by production or disaster recovery systems); 
and DTCC Letter at 12 (stating similarly that the testing proposed 
by Rule 1000(b)(9) (as opposed to communication and connectivity 
testing) would not be supported by most SCI entities' current 
systems configurations, and encouraging the Commission to consider 
this in adopting testing requirements).
    \1177\ See Omgeo Letter at 26-27. This commenter urged a more 
limited scope of testing. Specifically, this commenter urged the 
Commission to focus on ``smoke testing,'' which it characterized as 
a more limited form of testing to validate that system functionality 
is fully deployed and operational in the new recovered or resumed 
production environment, and with respect to the goals of performance 
testing, a more limited set of system operations to assure that the 
recovery system would perform those operations at roughly comparable 
speeds as those performed on the main production systems. This 
commenter further stated that, in both cases, the purpose of these 
tests would be to validate that the backup or recovery systems have 
the necessary functionality to perform the service required of the 
SCI systems, and have sufficient capacity to process the production 
workloads at roughly comparable levels of performance, rather than 
to test the actual functional or performance characteristics of the 
backup or alternate recovery systems in their own right. See Omgeo 
Letter at 27.
    \1178\ See Joint SROs Letter at 15-16.
    \1179\ See id. at 16.
    \1180\ See FIF Letter at 7; and UBS Letter at 4.
---------------------------------------------------------------------------

    Adopted Rule 1004(b) provides that the scope of required testing is 
``functional and performance testing of the operation of BC/DR plans.'' 
As stated in the SCI Proposal, such functional and performance testing 
should include not only testing of connectivity, but also testing of an 
SCI entity's systems, such as order entry, execution, clearance and 
settlement, order routing, and the transmission and/or receipt of 
market data, as applicable, to determine if they can operate as 
contemplated by its business continuity and disaster recovery 
plans.\1181\ In response to commenters expressing concern about the 
breadth of the requirement, the Commission notes that the rule requires 
functional and performance testing of the ``operation of [BC/DR] 
plans.'' While the type of testing required by adopted Rule 1004(b) is 
more rigorous than some types of testing urged by some commenters, the 
Commission does not believe that the requirement for ``functional and 
performance testing of the operation of such plans'' requires 
additional testing that is as burdensome as that feared by some of 
those commenters. Importantly, ``functional and performance testing of 
the operation of [BC/DR] plans'' entails testing that goes beyond 
communication and connectivity testing, and beyond validation testing, 
which are more limited types of testing urged by some commenters. But 
the requirement to conduct ``functional and performance testing of the 
operation of [BC/DR] plans'' does not mean that a full test of the 
functional and performance characteristics of each backup facility is 
required to be conducted all at once and in coordination with other SCI 
entities all at the same time, as some commenters characterized the 
proposed requirement.\1182\ Specifically, the Commission notes that the 
testing of BC/DR plans, which is required by Rule 1004, is different 
from testing of the function and performance of backup facilities 
generally.\1183\ What Rule 1004 requires is coordinated testing to 
evaluate annually whether such backup facilities of SCI entities can 
function and perform in accordance with the operation of BC/DR plans in 
the event of wide-scale disruption. In addition, the Commission notes 
that performance testing, which examines whether a system is able to 
perform under a particular workload, is not synonymous with ``stress 
testing,'' in which capacity limits are tested, and therefore should 
not require as much time to conduct as one commenter suggested.
---------------------------------------------------------------------------

    \1181\ See Proposing Release, supra note 13, at 18126.
    \1182\ Conducting the required testing is not intended to 
require market downtime, but permits a range of possibilities, as 
SCI entities determine to be appropriate, including weekend testing, 
as well as testing in segments over the course of a year, if SCI 
entities determine that, to meet the requirements of the rule, a 
single annual test cannot be properly conducted within a single 
period of time (e.g., over the course of a weekend).
    \1183\ Testing of the function and performance of backup 
facilities generally would occur before such facilities are launched 
into production (such as pursuant to Rule 1001(a)), and Regulation 
SCI does not impose a requirement for coordinating such testing with 
other SCI entities.
---------------------------------------------------------------------------

    In response to commenters concerned that the required testing would 
necessitate system reconfigurations,\1184\ the Commission understands 
that the requirement to test backup facilities may require technology 
adjustments to permit testing activity to be processed by BC/DR 
systems, and believes that such adjustments to permit testing are 
warranted to achieve the goal, as discussed above, of reliable and 
effective BC/DR plans at SCI entities. The Commission also 
believes that such system reconfigurations would be less burdensome 
than a Commission rule requiring the establishment of a dedicated 
environment for safe end-to-end testing that accurately simulates the 
trading environment, which some commenters suggested might be 
appropriate. One group of commenters noted the ``complexity and cost 
associated with establishing an effective coordinated test script,'' 
and urged that the scope of the coordinated testing be ``narrowed to 
cover those instances in which an SCI entity determines to enact its 
disaster recovery plan.'' The Commission acknowledges that 
establishment of an effective coordinated test script will involve 
some costs and complexity, but believes that this is an important first 
step in establishing robust and effective testing under the rule. The 
Commission encourages SCI entities to develop one or more test scripts 
contemplating a wide-scale disruption and the enactment by SCI entities 
in the region of the wide-scale disruption of their BC/DR plans.
---------------------------------------------------------------------------

    \1184\ See supra note 1176 and accompanying text. See also 
Tradebook Letter at 2-3 (stating its view that ``the only way to 
test integration from order generation to allocation and then 
through to final settlement, is in the production environment'' and 
``test tickers that operate in the production environment are the 
only way to reliably simulate exactly what will happen in the 
production environment with a live order'').
---------------------------------------------------------------------------

    Further, the Commission notes that nothing in Rule 1001(a) or Rule 
1004 requires that an SCI entity's BC/DR plan specify that its backup 
site must fully replicate the capacity, speed, and other features of 
the primary site. Similarly, SCI entity members and participants are 
not required by Regulation SCI to maintain the same level of 
connectivity with the backup sites of an SCI entity as they do with the 
primary sites.\1185\ In the event of a wide-scale disruption in the 
securities markets, the Commission acknowledges that an SCI entity and 
its members or participants may not be able to provide the same level 
of liquidity as on a normal trading day. In addition, the Commission 
recognizes that the concept of ``fair and orderly markets'' does not 
require that trading on a day when business continuity and disaster 
recovery plans are in effect will reflect the same levels of liquidity, 
depth, volatility, and other characteristics of trading on a normal 
trading day. Nevertheless, the Commission believes it is critical that 
SCI entities and their designated members or participants be able to 
operate with the SCI entities' backup systems in the event of a wide-
scale disruption. Therefore, Rule 1004 requires that an SCI entity's 
BC/DR plan that meets the requirements of Rule 1001(a)(2)(v) be tested 
for both its functionality and performance as specified by the SCI 
entity's BC/DR plan.
---------------------------------------------------------------------------

    \1185\ See infra Section VI.C.2.b.vii (discussing the estimated 
costs of adopted Rule 1004).
---------------------------------------------------------------------------

    In addition, several commenters addressed testing more 
generally.\1186\ For example, some commenters urged that comprehensive, 
industry-wide, end-to-end testing could be enhanced if there were 
uniform test tickers supported by the testing infrastructure at all SCI 
entities.\1187\ Two commenters urged the establishment of principles 
for end-to-end, integrated testing.\1188\ Specifically, one of these 
commenters suggested that SCI entities, the Commission, and relevant 
third-parties think about how to establish a dedicated environment 
where end-to-end testing could be done safely, and where it could 
accurately simulate the trading environment.\1189\ This commenter also 
suggested that testing plans concentrate on high volume periods, stress 
testing common order types, and focusing on securities that generally 
experience low liquidity.\1190\ This commenter believed that industry-
wide testing should include derivatives and cross-asset scenarios, and 
possibly include some involvement by foreign regulators and markets as 
well.\1191\ While the suggestions of these commenters are not 
inconsistent with the rule's requirement for functional and performance 
testing of BC/DR plans, the Commission has determined not to require 
them because the Commission does not believe, at this time, that these 
suggestions are necessary in every instance to achieve reliable and 
effective BC/DR plans at SCI entities. However, to the extent an SCI 
entity believes them to be appropriate for its systems, these 
suggestions could be utilized in its BC/DR plans testing.
---------------------------------------------------------------------------

    \1186\ See Tradebook Letter at 1-3; CAST Letter at 9; FIA PTG 
Letter at 2; and CoreOne Letter at 3-7.
    \1187\ See Tradebook Letter at 2-3; CAST Letter at 9; and FIA 
PTG Letter at 2.
    \1188\ See CoreOne Letter at 3; and Tradebook Letter at 1-3.
    \1189\ See CoreOne Letter at 3.
    \1190\ See id. at 3-4.
    \1191\ See id. at 7.
---------------------------------------------------------------------------

    Importantly, the adopted rule does not prescribe how SCI entities 
are to develop plans for functional and performance testing of order 
entry, execution, clearance and settlement, order routing, and the 
transmission and/or receipt of market data, as applicable, to determine 
if these functions can operate as contemplated by SCI entity BC/DR 
plans. Thus, as with the proposed requirement, the adopted rule 
provides an SCI entity with discretion to determine the precise manner 
and content of the BC/DR testing required pursuant to Rule 1004, and 
SCI entities have discretion to determine, for example, the duration of 
the testing, the sample size of transactions tested, the scenarios 
tested, and the scope of the test. Therefore, while comments urging the 
creation of uniform test tickers, establishment of principles for end-
to-end testing, mandatory types of test scripts, and cross-asset and 
cross-jurisdictional coordination are matters that SCI entities may 
wish to consider in implementing the testing required by the rule, the 
Commission does not believe it is appropriate to mandate such details 
in Regulation SCI. To do so would be more prescriptive than the 
Commission believes is appropriate, as this requirement is designed to 
provide SCI entities flexibility and discretion in determining how to 
meet it. The Commission believes that the adopted testing requirement 
will help to improve securities market infrastructure resilience by 
helping to ensure not only that an SCI entity can operate following an 
event that triggers its BC/DR plans, but also that it can do so with a 
greater level of confidence that its core members or participants are 
also ready based on experience during testing. The Commission is 
adopting Rule 1004(b) substantively as proposed because it gives SCI 
entities discretion to develop a test that meets the requirements of 
the rule.
    One commenter recommended requiring that each entity be run 
entirely under its backup plan at least one day a year for a full 
trading day, and that the entire market run off of the backup sites at 
least once a year.\1192\ While adopted Rule 1004 would not preclude 
this approach, the Commission notes that other commenters disagreed 
with the wisdom of it.\1193\ Specifically, one group of commenters 
stated that the risks of testing in a ``live production environment on 
a periodic basis'' outweigh the benefits.\1194\ Another commenter 
stated that requiring SCI entities to operate using their backup 
facilities would increase the risk of erroneous quotes and orders 
entering the marketplace.\1195\
---------------------------------------------------------------------------

    \1192\ See Angel Letter at 10.
    \1193\ See Joint SROs Letter at 15; and Group One Letter at 2.
    \1194\ See Joint SROs Letter at 15.
    \1195\ See Group One Letter at 2.
---------------------------------------------------------------------------

    After careful consideration of these comments, the Commission has 
determined not to prescribe the time of day or week during which 
testing shall occur. In addition, the adopted rule does not require an 
SCI entity to test its BC/DR plan in live production, but it also does 
not prohibit an SCI entity from doing so if the SCI entity determines 
such a method of testing to be appropriate. The Commission continues to 
believe that SCI entities are 
in the best position to structure the details of the test in a way that 
would maximize its utility.
    With respect to testing frequency, one commenter agreed with the 
proposal that an SCI entity's BC/DR plans, including its backup 
systems, be tested ``at least once every 12 months.'' \1196\ One 
commenter stated that the rule should explicitly set forth the required 
frequency of testing.\1197\ One commenter believed that two coordinated 
industry tests per year would be more appropriate.\1198\ One commenter 
believed that testing once per year is arbitrary, and suggested that a 
risk-based approach might justify testing certain systems with more or 
less frequency.\1199\
---------------------------------------------------------------------------

    \1196\ See DTCC Letter at 13.
    \1197\ See NYSE Letter at 33.
    \1198\ See FIF Letter at 6.
    \1199\ See MSRB Letter at 24.
---------------------------------------------------------------------------

    The Commission is adopting as proposed the requirement that testing 
occur not less than once every 12 months. Although commenters offered 
differing views on the appropriate frequency for the required 
testing,\1200\ the Commission continues to believe that a testing 
frequency of once every 12 months is an appropriate minimum frequency 
that encourages regular and focused attention on the establishment of 
meaningful and effective testing. In the context of coordinated BC/DR 
testing, the Commission believes the key is for testing to occur 
regularly enough to offer practical utility in the event of a wide-
scale disruption without imposing undue cost, and that a minimum 
frequency of one year achieves this balance. This requirement does not 
prevent SCI entities from testing more frequently, but rather is 
intended to give SCI entities the flexibility to test their BC/DR 
plans, including their backup systems, at more frequent intervals if 
they find it appropriate to do so.
---------------------------------------------------------------------------

    \1200\ See supra notes 1196-1199.
---------------------------------------------------------------------------

iv. Industry- or Sector-Wide Coordination--Rule 1004(d)
    Proposed Rule 1000(b)(9)(a)(ii) specified that an SCI entity would 
be required to coordinate the testing of BC/DR plans on an industry- or 
sector-wide basis with other SCI entities. The Commission received 
significant comment on this aspect of the proposal.
    Two commenters supported the coordinated testing requirement.\1201\ 
Specifically, one of these commenters stated that a coordination 
requirement targets an area where technology risks have left the 
markets more vulnerable, namely, the complex ways that firms 
interact.\1202\ This commenter favored market-wide testing as a way to 
better manage that risk.\1203\ This commenter also stated that 
coordination is vital because the more SCI entities and member firms 
that participate in testing, the more realistic that testing will 
be.\1204\ Another commenter noted that one of the most important steps 
in validating and maintaining systems integrity is an effective BC/DR 
model and urged the Commission to promptly advance a program to 
introduce a new and more comprehensive BC/DR testing paradigm.\1205\
---------------------------------------------------------------------------

    \1201\ See Angel Letter at 9; and UBS Letter at 4.
    \1202\ See Angel Letter at 9.
    \1203\ See id.
    \1204\ See id.
    \1205\ See UBS Letter at 4-5. This commenter also stated that 
improved BC/DR testing should not be delayed until Regulation SCI is 
adopted. See UBS Letter at 5.
---------------------------------------------------------------------------

    In contrast, some commenters opposed the proposed comprehensive, 
coordinated testing structure.\1206\ Some commenters stated that 
coordinating testing presents significant technological and logistical 
challenges that need to be weighed carefully.\1207\ One commenter 
stated that coordinated testing is a good aspirational goal, but 
expressed concern that too much is outside of the control of an 
individual SCI entity, and therefore the rule should, at most, require 
SCI entities to attempt to coordinate such testing.\1208\ Another 
commenter stated that the fixed-income market is so fragmented that 
coordinated testing is difficult to conduct and much less 
imperative.\1209\
---------------------------------------------------------------------------

    \1206\ See DTCC Letter at 12-13; FINRA Letter at 37-39; OCC 
Letter at 17-18; and ISE Letter at 8.
    \1207\ See LiquidPoint Letter at 4; and SIFMA Letter at 17-18. 
See also supra notes 1175-1177 and accompanying text.
    \1208\ See CME Letter at 13.
    \1209\ See TMC Letter at 3.
---------------------------------------------------------------------------

    Some commenters offered suggestions on how to improve the proposed 
coordination requirement. One commenter urged that coordination only be 
required among providers of singular services in the market (i.e., 
exchanges that list securities, exclusive processors under NMS plans, 
and clearing and settlement agencies).\1210\ Some commenters believed 
that coordination would work best if it was organized by an entity with 
regulatory authority over SCI entities, or by an organization 
designated by the Commission to fulfill that role.\1211\ One such 
commenter supported coordinating testing through a Commission-approved 
plan, provided SCI entities have the right to maintain the 
confidentiality of certain critical information.\1212\ Another 
commenter recommended that the Commission work with the CFTC to adopt a 
coordinated approach to dealing with technology issues across financial 
markets, including through participation by derivatives exchanges in 
testing alongside their equity markets counterparts.\1213\
---------------------------------------------------------------------------

    \1210\ See Direct Edge Letter at 9.
    \1211\ See DTCC Letter at 13; OCC Letter at 18; and NYSE Letter 
at 33.
    \1212\ See NYSE Letter at 33.
    \1213\ See Angel Letter at 12.
---------------------------------------------------------------------------

    After careful consideration of the comments, the Commission has 
determined to adopt the coordination requirement as proposed. 
Specifically, Rule 1004(d) requires that an SCI entity ``coordinate the 
testing of [BC/DR] plans on an industry- or sector-wide basis with 
other SCI entities.'' The Commission recognizes that coordinating 
industry- or sector-wide testing among SCI entities and their 
designated members or participants may present logistical challenges. 
Because of these challenges, the Commission does not believe that a 
more prescriptive approach is warranted. Instead, the coordination 
requirement provides discretion to SCI entities to determine how to 
meet it.
    The Commission does not agree with commenters suggesting that the 
Commission should assume leadership on the organization of coordinated 
testing, designate an organization to fulfill that role, or require a 
``Commission-approved plan'' for testing, because it believes at this 
time that SCI entities can achieve coordination more quickly and 
efficiently without the imposition of a formal procedural framework 
that these suggestions would entail.\1214\ In response to comment 
suggesting that coordination should be aspirational rather than 
required, the Commission believes that, because trading in the U.S. 
securities markets today is dispersed among a wide variety of 
exchanges, ATSs, and other trading venues, and is often conducted 
through sophisticated trading strategies that access many trading 
platforms simultaneously, requiring SCI entities to coordinate testing 
would result in testing under more realistic market conditions.\1215\ 
The Commission also continues to believe that it would be more cost-
effective for SCI entity members and participants to participate in 
testing of SCI entity BC/DR plans on an industry- or sector-wide basis 
than to test with each SCI entity on an individual basis because such 
coordination would likely reduce duplicative testing efforts.\1216\ In 
addition, if SCI entities that are ``providers of singular services'' 
in the markets (i.e., which the Commission believes would be synonymous 
with SCI entities that are providers of ``critical SCI systems'') lead 
coordination efforts on behalf of all SCI entities, such an approach 
would not be impermissible under Rule 1004(d), provided all SCI 
entities agreed to such an approach.
---------------------------------------------------------------------------

    \1214\ With respect to the suggestion that there be a Commission 
approved plan, the Commission notes that Rule 608 of Regulation NMS 
is designed to facilitate participation in NMS plans by self-
regulatory organizations, which does not include SCI entities that 
are not SCI SROs, including SCI ATSs. The Commission notes that at 
least one commenter suggested that the Commission work with the CFTC 
to adopt a coordinated approach to testing. But, as discussed above, 
the Commission believes that Regulation SCI is an important step to 
reduce the risks associated with a decision to activate BC/DR plans. 
And, although the Commission may in the future consider additional 
initiatives to promote further coordination with the CFTC, in the 
Commission's view, this initial step of adopting Regulation SCI 
should not be delayed.
    \1215\ See Proposing Release, supra note 13, at 18126.
    \1216\ In response to comment that coordinated BC/DR testing is 
not needed in the current fixed-income market, the Commission notes 
that it has determined to exclude ATSs trading only municipal 
securities or corporate debt securities from the scope of Regulation 
SCI. See supra notes 189-192 and accompanying text (discussing the 
exclusion of ATSs trading only fixed-income securities from the 
definition of SCI ATS).
---------------------------------------------------------------------------

    In response to commenters who more generally expressed concern 
about the rule subjecting SCI entity members and participants to 
multiple duplicative and costly testing requirements,\1217\ the 
Commission notes that the flexibility provided in the adopted 
coordination requirement, in tandem with the more focused adopted 
mandatory designation requirement, should mitigate these concerns. As 
discussed above, adoption of a more focused designation requirement 
that requires SCI entities to exercise reasonable discretion is likely 
to reduce the extent to which SCI entity member or participant 
designations overlap and possibly result in a smaller number of SCI 
entity members or participants being designated for participation in 
testing than as contemplated by the SCI Proposal, and a smaller number of 
members or participants designated to participate in testing should 
simplify efforts to coordinate testing. However, as some commenters 
noted, it remains possible that, despite coordination, some firms that 
are members of multiple SCI entities may be designated to participate 
in testing with multiple SCI entities at greater cost than if they had 
been designated by only one SCI entity, and may be required to test 
more than once annually, as this may be necessary for each SCI entity 
to meet its obligations under the rule. Though the Commission 
recognizes that the possibility of being designated by multiple SCI 
entities to participate in the testing of their BC/DR plans may be 
costly, the Commission ultimately believes that such a cost is 
appropriate to help ensure that the BC/DR plan of each SCI entity is 
useful and effective. If, for example, a firm is designated for 
mandatory testing by multiple SCI entities, it would be so designated 
because each such SCI entity determines that such firm is necessary to 
the successful activation of its BC/DR plan. The Commission recognizes 
that it is conceivable that a firm that is required to participate in 
testing with multiple SCI entities assesses the costs and burdens of 
participating in every such test to be too great, and makes its own 
business decision to withdraw its membership or participation in one or 
more such SCI entities so as to avoid the costs and burdens of such 
testing, but believes such scenario to be unlikely. Specifically, the 
Commission believes that it is unlikely that a firm determined to be 
significant enough to be designated to participate in testing by an SCI 
entity (even a smaller SCI entity) would choose to withdraw its 
membership or participation in an SCI entity solely because of the 
costs and burdens of Regulation SCI's BC/DR testing provisions. The 
Commission also believes that such firm is likely to be a larger firm 
with greater resources and a significant level of participation in such 
SCI entity, and is likely to already be connected to the backup 
facility of the SCI SRO that is designating it to test. The Commission 
continues to believe that SCI entities are best suited to find the most 
efficient and effective manner in which to test their BC/DR plans.\1218\
---------------------------------------------------------------------------

    \1217\ See supra notes 1159-1160 and accompanying text.
    \1218\ See Proposing Release, supra note 13, at 18126.
---------------------------------------------------------------------------

    Furthermore, the Commission is also adopting a longer compliance 
period with regard to the industry- or sector-wide coordinated testing 
requirement in adopted Rule 1004(d).\1219\ Specifically, SCI entities 
will have 21 months from the Effective Date to coordinate the testing 
of an SCI entity's business continuity and disaster recovery plans on 
an industry- or sector-wide basis with other SCI entities pursuant to 
adopted Rule 1004(d). In sum, the Commission believes that Rule 1004, 
as adopted, will enhance the resilience of the infrastructure of the 
U.S. securities markets.
---------------------------------------------------------------------------

    \1219\ See infra Section IV.F (discussing the delayed 
implementation time for adopted Rule 1004(d)).
---------------------------------------------------------------------------

C. Recordkeeping, Electronic Filing on Form SCI, and Access--Rules 
1005-1007

    Adopted Rules 1005 through 1007 specify several additional 
requirements of Regulation SCI relating to recordkeeping and electronic 
filing and submission. As discussed below, the Commission has 
determined not to adopt the proposed provision regarding Commission 
access to the systems of an SCI entity because the Commission can 
adequately assess an SCI entity's compliance with Regulation SCI 
through existing recordkeeping requirements and examination authority, 
as well as through the new recordkeeping requirement in Rule 1005 of 
Regulation SCI.
1. Recordkeeping--Rules 1005-1007
a. Recordkeeping Related to Compliance With Regulation SCI--Rule 1005
    Proposed Rule 1000(c) required SCI SROs to make, keep, and preserve 
all documents relating to their compliance with Regulation SCI, as 
prescribed in Rule 17a-1 under the Exchange Act. Proposed Rule 1000(c) 
required SCI entities other than SCI SROs to: Make, keep, and preserve 
at least one copy of all documents relating to their compliance with 
Regulation SCI; keep these documents for not less than five years, the 
first two years in a place that is readily accessible to the Commission 
or its representatives for inspection and examination; and promptly 
furnish to Commission representatives \1220\ copies of any of these 
documents upon request. Further, proposed Rule 1000(c) provided that, 
upon or immediately prior to ceasing to do business or ceasing to be 
registered under the Exchange Act, an SCI entity must ensure that the 
required records are accessible to the Commission and its 
representatives in a manner required by Rule 1000(c) for the remainder 
of the period required by Rule 1000(c).
---------------------------------------------------------------------------

    \1220\ As discussed above, the Commission has renamed the ARP 
Inspection Program the Technology Controls Program. See supra note 
6.
---------------------------------------------------------------------------

    The Commission received one comment letter supporting proposed Rule 
1000(c).\1221\ The Commission is adopting Rule 1000(c) as proposed, but 
re-designated as Rule 1005.\1222\
---------------------------------------------------------------------------

    \1221\ See MSRB Letter at 25. As discussed above, some 
commenters suggested recordkeeping in lieu of certain Commission 
reporting requirements. See, e.g., supra note 881 and accompanying 
text.
    \1222\ The Commission notes that adopted Rule 1005 replaces the 
term ``SCI security systems'' with ``indirect SCI systems'' as 
described in more detail in Section IV.A.2.d. Furthermore, internal 
cross references to Rules 1000(c)(2)(i) and (c)(2)(ii) in Rule 
1000(c)(2)(iii) were updated to paragraphs (b)(1) and (b)(2) of Rule 
1005 in accordance with the renumbering of the rule.
---------------------------------------------------------------------------

    As noted in the SCI Proposal, SCI entities are already subject to 
recordkeeping requirements,\1223\ but records relating to Regulation 
SCI may not be specifically addressed in certain 
current recordkeeping rules.\1224\ As adopted, Rule 1005 specifically 
addresses recordkeeping requirements for SCI entities with respect to 
records relating to Regulation SCI compliance.
---------------------------------------------------------------------------

    \1223\ See, e.g., 17 CFR 240.17a-1, applicable to SCI SROs; 17 
CFR 240.17a-3 and 17a-4, applicable to broker-dealers; and 17 CFR 
242.301-303, applicable to ATSs.
    It has been the experience of the Commission that SCI entities 
presently subject to the ARP Inspection Program (nearly all of whom 
are SCI SROs that are also subject to the recordkeeping requirements 
of Rule 17a-1(a)) do generally keep and preserve the types of 
records that would be subject to the requirements of Rule 1005. 
Nevertheless, the Commission continues to believe that Regulation 
SCI's codification of these preservation practices will support an 
accurate, timely, and efficient inspection and examination process 
and help ensure that all types of SCI entities keep and preserve 
such records.
    \1224\ See Proposing Release, supra note 13, at 18128.
---------------------------------------------------------------------------

    With respect to SCI SROs, Rule 17a-1(a) under the Exchange Act 
requires every national securities exchange, national securities 
association, registered clearing agency, and the MSRB to keep and 
preserve at least one copy of all documents, including all 
correspondence, memoranda, papers, books, notices, accounts, and other 
such records as shall be made and received by it in the course of its 
business as such and in the conduct of its self-regulatory 
activity.\1225\ In addition, Rule 17a-1(b) requires these entities to 
keep all such documents for a period of not less than five years, the 
first two years in an easily accessible place, subject to the 
destruction and disposition provisions of Rule 17a-6.\1226\ Rule 17a-
1(c) requires these entities, upon request of any representative of the 
Commission, to promptly furnish to the possession of Commission 
representatives copies of any documents required to be kept and 
preserved by it pursuant to Rules 17a-1(a) and (b).\1227\ Therefore, as 
noted in the SCI Proposal, the breadth of Rule 17a-1 under the Exchange 
Act is such that it would require SCI SROs to make, keep, and preserve 
records relating to their compliance with Regulation SCI.\1228\ The 
Commission continues to believe that it is appropriate to cross-
reference Rule 17a-1 in Rule 1005 to be clear that all SCI entities are 
subject to the same recordkeeping requirements regarding compliance 
with Regulation SCI. The Commission also continues to believe that it 
is appropriate to adopt recordkeeping requirements for SCI entities 
other than SCI SROs that are consistent with the recordkeeping 
requirements applicable to SROs under Rule 17a-1 under the Exchange 
Act. The Commission believes it is important to require such records be 
kept at both SCI SROs and SCI entities other than SCI SROs because such 
records are essential to understanding whether an SCI entity is meeting 
its obligations under Regulation SCI, to assess whether an SCI entity 
has appropriate policies and procedures with respect to its technology 
systems, to help identify the causes and consequences of an SCI event, 
and to understand the types of material systems changes occurring at an 
SCI entity.\1229\
---------------------------------------------------------------------------

    \1225\ See 17 CFR 240.17a-1(a). Such records would, for example, 
include copies of incident reports and the results of systems 
testing.
    \1226\ See 17 CFR 240.17a-1(b). Rule 17a-6(a) under the Exchange 
Act states: ``Any document kept by or on file with a national 
securities exchange, national securities association, registered 
clearing agency or the Municipal Securities Rulemaking Board 
pursuant to the Act or any rule or regulation thereunder may be 
destroyed or otherwise disposed of by such exchange, association, 
clearing agency or the Municipal Securities Rulemaking Board at the 
end of five years or at such earlier date as is specified in a plan 
for the destruction or disposition of any such documents if such 
plan has been filed with the Commission by such exchange, 
association, clearing agency or the Municipal Securities Rulemaking 
Board and has been declared effective by the Commission.'' 17 CFR 
240.17a-6(a).
    \1227\ See 17 CFR 240.17a-1(c).
    \1228\ See Proposing Release, supra note 13, at 18128.
    \1229\ To achieve the goals for which the recordkeeping 
requirements are designed, and to comply with the recordkeeping 
requirements of Rule 17a-1 and Rule 1005 of Regulation SCI, SCI 
entities must ensure that the records that they make, keep, and 
maintain are complete and accurate.
---------------------------------------------------------------------------

    Further, as noted above, the definitions of SCI system and indirect 
SCI system include systems operated ``on behalf of'' an SCI entity by 
third parties. An SCI entity retains legal responsibility for systems 
operated on its behalf and, as such, is responsible for producing to 
Commission representatives records required to be made, kept, and 
preserved under Regulation SCI, even if those records are maintained by 
third parties, and the SCI entity is responsible for ensuring that such 
third parties produce those requested documents, upon examination or 
other request. Accordingly, the Commission believes that an SCI entity 
should have processes and requirements in place, such as contractual 
provisions with a third party, to ensure that it is able to satisfy the 
requirements of Regulation SCI for systems operated on its behalf by a 
third party, including the recordkeeping requirements in Rule 
1005.\1230\ The Commission believes that if an SCI entity is unable to 
ensure compliance with Regulation SCI with regard to third party 
systems or recordkeeping, it should reassess its decision to outsource 
its systems or recordkeeping.
---------------------------------------------------------------------------

    \1230\ See also Rule 1007, which states that, if records 
required to be filed or kept by an SCI entity under Regulation SCI 
are prepared or maintained by a service bureau or other 
recordkeeping service on behalf of the SCI entity, the SCI entity is 
required to ensure that the records are available for review by the 
Commission and its representatives by submitting a written 
undertaking, in a form acceptable to the Commission, by such service 
bureau or other recordkeeping service, signed by a duly authorized 
person at such service bureau or other recordkeeping service.
---------------------------------------------------------------------------

    The Commission believes that Rule 1005 will facilitate its 
inspections and examinations of SCI entities and assist it in 
evaluating an SCI entity's compliance with Regulation SCI. In 
particular, Rule 1005 should facilitate Commission examination of SCI 
entities by helping to reduce delays in obtaining relevant records 
during an examination. Therefore, as noted in the SCI Proposal, the 
Commission's ability to examine for, and enforce compliance with, 
Regulation SCI could be hampered if an SCI entity were not required to 
adequately provide accessibility to its records for the full proposed 
retention period.
    Further, while many SCI events may occur, be discovered, and be 
resolved in a short time frame, there may be other SCI events that may 
not be discovered until months or years after their occurrences, or may 
take significant periods of time to fully resolve. In such cases, 
having an SCI entity's records available even after it has ceased to do 
business or be registered under the Exchange Act would be beneficial. 
Because SCI events have the potential to negatively impact trade 
execution, price discovery, liquidity, and investor participation, the 
Commission believes that its ability to oversee the securities markets 
could be undermined if it is unable to review records to determine the 
causes and consequences of one or more SCI events experienced by an SCI 
entity that deregisters or ceases to do business. This information 
should provide an additional tool to help the Commission reconstruct 
important market events and better understand how such events impacted 
trade execution, price discovery, liquidity, and investor 
participation.
b. Service Bureau--Rule 1007
    Proposed Rule 1000(e) required that, if the records required to be 
filed or kept by an SCI entity under Regulation SCI were prepared or 
maintained by a service bureau or other recordkeeping service on behalf 
of the SCI entity, the SCI entity ensure that the records are available 
for review by the Commission and its representatives by submitting a 
written undertaking, in a form acceptable to the Commission, by such 
service bureau or other recordkeeping service and signed by a duly 
authorized person at such service bureau or other recordkeeping 
service. Further, the written undertaking was required to include an 
agreement by the service bureau designed to permit the Commission and 
its representatives to examine such records at any time or from time to 
time during business hours, and to promptly furnish to the Commission 
and its representatives true, correct, and current electronic files in 
a form acceptable to the Commission or its representatives or hard 
copies of any, all, or any part of such records, 
upon request, periodically, or continuously and, in any case, within 
the same time periods as would apply to the SCI entity for such 
records. Proposed Rule 1000(e) also provided that the preparation or 
maintenance of records by a service bureau or other recordkeeping 
service would not relieve an SCI entity from its obligation to prepare, 
maintain, and provide the Commission and its representatives with 
access to such records.
    The Commission did not receive any comments on proposed Rule 
1000(e) and is adopting Rule 1000(e) as proposed, but re-designated as 
Rule 1007. As noted in the SCI Proposal, Rule 1007 is substantively the 
same as the requirement applicable to broker-dealers under Rule 17a-
4(i) of the Exchange Act.\1231\ The Commission continues to believe 
that this requirement will help ensure the Commission's ability to 
obtain required records that are held by a third party who may not 
otherwise have an obligation to make such records available to the 
Commission. In addition, the Commission continues to believe that the 
requirement that SCI entities obtain from such third parties a written 
undertaking will also help ensure that such service bureau or other 
recordkeeping service is aware of its obligation with respect to 
records relating to Regulation SCI. The Commission believes that this 
requirement will help ensure that the Commission has prompt and 
efficient access to all required records, including those housed at a 
service bureau or any other recordkeeping service.\1232\
---------------------------------------------------------------------------

    \1231\ 17 CFR 240.17a-4(i). See Proposing Release, supra note 
13, at 18129.
    \1232\ See 17 CFR 240.17a-4(i) (records preserved or maintained 
by a service bureau).
---------------------------------------------------------------------------

2. Electronic Filing and Submission of Reports, Notifications, and 
Other Communications--Rule 1006
    Proposed Rule 1000(d) required that, except with respect to 
notifications to the Commission made pursuant to proposed Rule 
1000(b)(4)(i) (Commission notification of certain SCI events) or oral 
notifications to the Commission made pursuant to proposed Rule 
1000(b)(6)(ii) (Commission notification of certain material systems 
changes), any notification, review, description, analysis, or report to 
the Commission required under Regulation SCI be submitted 
electronically on Form SCI and include an electronic signature. 
Proposed Rule 1000(d) also required that the signatory to an 
electronically submitted Form SCI manually sign a signature page or 
document, in the manner prescribed by Form SCI, authenticating, 
acknowledging, or otherwise adopting his or her signature that appears 
in typed form within the electronic filing. This document would be 
required to be executed before or at the time Form SCI is 
electronically submitted and would be required to be retained by the 
SCI entity in accordance with the recordkeeping requirements of 
Regulation SCI. The Commission is adopting Rule 1000(d) substantially 
as proposed, as discussed below, but re-designated as Rule 1006.
    One commenter supported the electronic submission of Form 
SCI.\1233\ One commenter suggested that the Commission should make 
clear that Regulation SCI filings do not need to be made in a tagged 
data format such as XBRL, which could be costly.\1234\ Another 
commenter stated that the electronic signature requirement was 
appropriate only if the final rule included a safe harbor for good 
faith reporting of SCI events.\1235\ According to this commenter, the 
requirement that there be an electronic signature and a manual 
signature could put SCI entity personnel at risk if it is later 
determined that there were factual errors, omissions, or other flaws in 
the initial filing.\1236\
---------------------------------------------------------------------------

    \1233\ See MSRB Letter at 25.
    \1234\ See OTC Markets Letter at 4. See also FINRA Letter at 28.
    \1235\ See Omgeo Letter at 20.
    \1236\ See id.
---------------------------------------------------------------------------

    After consideration of the comments, the Commission is adopting 
Rule 1000(d) substantially as proposed, and with updated internal cross 
references to reflect revisions to other aspects of Regulation SCI, as 
adopted. Specifically, Rule 1006 provides that notifications made 
pursuant to Rule 1002(b)(1) (immediate Commission notification of SCI 
events) and updates made pursuant to Rule 1002(b)(3) (updates regarding 
SCI events) are not required to be filed on Form SCI.\1237\ As noted in 
the SCI Proposal, Rule 1006 is intended to provide a uniform manner in 
which the Commission would receive--and SCI entities would provide--
written notifications, reviews, descriptions, analyses, or reports made 
pursuant to Regulation SCI.\1238\ Rule 1006 should therefore allow SCI 
entities to efficiently draft and submit the required reports, and for 
the Commission to efficiently review, analyze, and respond to the 
information provided.\1239\ In addition, the Commission believes that 
filing Form SCI in an electronic format would be less burdensome and 
more efficient for SCI entities and the Commission than mailing and 
filing paper forms.\1240\ Further, after considering comments regarding 
the burden of submitting Form SCI in a tagged data format such as XBRL, 
the Commission is not requiring the use of XBRL formatting for Form 
SCI. Rather, certain fields in Sections I-III of Form SCI will require 
information to be provided by SCI entities in a format that will allow 
the Commission to gather information in a structured manner (e.g., the 
submission type and SCI event type in Section I), whereas the exhibits 
to Form SCI will allow SCI entities to provide narrative responses, 
such as through a text format. Further, the Commission also is 
specifying that documents filed through the EFFS system must be in a 
text-searchable format without the use of optical character 
recognition. If, however, a portion of a Form SCI submission (e.g., an 
image or diagram) cannot be made available in a text-searchable format, 
such portion may be submitted in a non-text-searchable format.\1241\ 
The Commission believes that requiring documents to be submitted in a 
text-searchable format (with the limited exception noted) is necessary 
to allow Commission staff to efficiently review and analyze information 
provided by SCI entities. In particular, a text-searchable format 
allows Commission staff to better gather, analyze and use data 
submitted as exhibits, whereas a non-text-searchable format submission 
would require significantly more steps and labor to review and analyze 
data. The Commission notes that word processing and spreadsheet 
applications that are widely used by many businesses, including SCI 
entities, generate documents in this format.
---------------------------------------------------------------------------

    \1237\ See supra Section IV.B.3.c (discussing the Commission 
notification requirement for SCI events). Adopted Rule 1006 refers 
to an electronically ``filed'' Form SCI, rather than an 
electronically ``submitted'' Form SCI as proposed in Rule 
1000(d)(1). This change clarifies that notices and reports required 
to be submitted under Regulation SCI are filings under the Exchange 
Act and Regulation SCI. See proposed and adopted 17 CFR 249.1900 
(stating that Form SCI shall be used to ``file'' notices and reports 
as required by Regulation SCI). See also amended Rule 24b-2 
(referring to material ``filed'' in electronic format on Form SCI).
    \1238\ See Proposing Release, supra note 13, at 18129-30.
    \1239\ See id. at 18130.
    \1240\ The Commission will implement Form SCI through the 
electronic form filing system (``EFFS'') currently used by SCI SROs 
to file Form 19b-4 filings. See Securities Exchange Act Release No. 
50486 (October 4, 2004), 69 FR 60287 (October 8, 2004) (adopting the 
EFFS for use in filing Form 19b-4). See also Proposing Release, 
supra note 13, at 18130.
    \1241\ See General Instructions to Form SCI, Item A.
---------------------------------------------------------------------------

    As noted above, one commenter stated that the electronic signature 
requirement was appropriate only if the 
final rule included a safe harbor for good faith reporting of SCI 
events. The Commission is adopting the electronic signature requirement 
as proposed. The Commission notes that, as discussed above in Section 
IV.B.3.c, immediate Commission notification following an SCI event and 
updates regarding the SCI event may be given orally; the 24-hour 
Commission notification is required to be made on a good faith, best 
efforts basis; and the final Commission notification is not required 
until the resolution of the SCI event and the completion of the SCI 
entity's investigation of the SCI event. The Commission also notes that 
the purpose of the electronic signature requirement on Form SCI is to 
ensure that the person submitting the form to the Commission has been 
properly authorized by the SCI entity to submit the form on its 
behalf.\1242\ Therefore, the electronic signature requirement would not 
put SCI entity personnel at risk if the SCI entity later determines 
that there were factual errors, omissions, or other flaws in the 
initial filing. As such, the Commission does not agree with the comment 
that the electronic signature requirement was appropriate only if the 
final rule included a safe harbor for good faith reporting of SCI 
events.\1243\
---------------------------------------------------------------------------

    \1242\ Additionally, similar to use of the EFFS in the context 
of electronic filing of Form 19b-4, by using a digital ID for each 
duly authorized signatory providing an electronic signature, both 
the Commission and an SCI entity may be assured of the authenticity 
and integrity of the electronic filing of Form SCI. See infra 
Section V.D.2.e (noting the necessity of completing a form to gain 
access to EFFS).
    \1243\ The same rationale also applies to the requirement for 
manual signature in Rule 1006.
---------------------------------------------------------------------------

Amendment To Facilitate Electronic Filing Requirements
    In addition, to permit implementation of Rule 1006,\1244\ the 
Commission is adopting an amendment to Rule 24b-2 under the Exchange 
Act.\1245\ Rule 24b-2 currently provides that confidential treatment 
requests and the confidential portion of an electronic filing may be 
submitted in paper format only.\1246\ The Commission is amending Rule 
24b-2 by amending the rule's preliminary note, and paragraph (b) of the 
rule to clarify that under Rule 24b-2, confidential treatment requests 
and the confidential portion of an electronic filing may be submitted 
in paper format only, unless Rule 24b-2 provides otherwise. The 
Commission also is adding a new paragraph (g) to Rule 24b-2 to provide 
an electronic means by which an SCI entity may request confidential 
treatment of its filings on Form SCI. New paragraph (g) will provide 
that an SCI entity's electronic filings on Form SCI pursuant to 
Regulation SCI must include any information with respect to which 
confidential treatment is requested (``confidential portion''), and 
provide that, in lieu of the procedures described in Rule 24b-2(b), an 
SCI entity may request confidential treatment of all information 
submitted on Form SCI by completing Section IV of Form SCI. The 
Commission's amendment provides an exception from Rule 24b-2's paper-
only request for confidential treatment for all Form SCI filings, and 
specifically permits an SCI entity to electronically request 
confidential treatment of all information filed on Form SCI in 
accordance with Regulation SCI. The Commission believes that allowing 
for electronic submission of confidential treatment requests will 
reduce the burden on SCI entities by not requiring a separate paper 
submission, and provided the confidential treatment request is properly 
made, will expedite Commission review of the requests for confidential 
treatment, as all information submitted on Form SCI will be deemed to 
be the subject of the request for confidential treatment.
---------------------------------------------------------------------------

    \1244\ See Rule 1006, 17 CFR 242.1006; see also General 
Instruction E to Form SCI (requiring Form SCI and exhibits to be 
filed electronically under Rule 1006).
    \1245\ 17 CFR 240.24b-2.
    \1246\ See 17 CFR 240.24b-2.
---------------------------------------------------------------------------

    If such a confidential treatment request is properly made, the 
Commission will keep the information collected pursuant to Form SCI 
confidential to the extent permitted by law.\1247\
---------------------------------------------------------------------------

    \1247\ The Freedom of Information Act (``FOIA'') provides at 
least two pertinent exemptions under which the Commission has 
authority to withhold certain information. FOIA Exemption 4 provides 
an exemption for ``trade secrets and commercial or financial 
information obtained from a person and privileged or confidential.'' 
5 U.S.C. 552(b)(4). FOIA Exemption 8 provides an exemption for 
matters that are ``contained in or related to examination, 
operating, or condition reports prepared by, on behalf of, or for 
the use of an agency responsible for the regulation or supervision 
of financial institutions.'' 5 U.S.C. 552(b)(8).
---------------------------------------------------------------------------

3. Access to the Systems of an SCI Entity
    Proposed Rule 1000(f) would have required each SCI entity to 
provide Commission representatives reasonable access to its SCI systems 
and SCI security systems to assess the SCI entity's compliance with 
Regulation SCI.\1248\ In the SCI Proposal, the Commission noted that 
the proposed rule would facilitate the access of representatives of the 
Commission to such systems of an SCI entity either remotely or on site, 
noting, for example, that with such access, Commission representatives 
could test an SCI entity's firewalls and vulnerability to 
intrusions.\1249\ Further, the Commission noted that the proposed rule 
was intended to be consistent with the Commission's current authority 
with respect to access to records generally \1250\ and could help 
ensure that Commission representatives have ready access to the SCI 
systems and SCI security systems of SCI entities in order to evaluate 
an SCI entity's practices with regard to the requirements of Regulation 
SCI.\1251\ As discussed below, the Commission has determined not to 
adopt the proposed requirement because it believes it can achieve the 
goal of the proposed rule through its existing recordkeeping 
requirements and examination authority, as well as through the new 
recordkeeping requirement in Rule 1005 of Regulation SCI.
---------------------------------------------------------------------------

    \1248\ See proposed Rule 1000(f) and Proposing Release, supra 
note 13, at Section III.D.3.
    \1249\ See Proposing Release, supra note 13, at 18130.
    \1250\ See Proposing Release, supra note 13, at 18130 (citing 
Section 17(b) of the Exchange Act, as well as Sections 11A, 6(b)(1), 
15A(b)(2), and 17A(b)(3)(A) of the Exchange Act).
    \1251\ See Proposing Release, supra note 13, at 18130.
---------------------------------------------------------------------------

    Many commenters criticized the SCI Proposal's discussion of the 
proposed access requirement as permitting unfettered access by third 
parties that could pose significant security risks to an SCI entity's 
systems.\1252\ Potential issues identified by commenters included 
unauthorized access to confidential information,\1253\ risk and damage 
to systems,\1254\ and contractual issues with third party 
vendors.\1255\ One commenter stated that the Commission should bear in 
mind that access to such highly sensitive environments of SCI entities 
carries a duty of care commensurate with the sensitivity of the access 
and information involved.\1256\
---------------------------------------------------------------------------

    \1252\ See, e.g., NYSE Letter at 34; BATS Letter at 15; ISE 
Letter at 10; MSRB Letter at 25-26; Omgeo Letter at 28-29; SIFMA 
Letter at 18-19; FIF Letter at 7; Fidelity Letter at 5-6; 
LiquidPoint Letter at 4; ITG Letter at 16; KCG Letter at 20-21; 
Joint SROs Letter at 17-18; OCC Letter at 20; UBS Letter at 5; 
Tellefsen Letter at 10; and FINRA Letter at 41.
    \1253\ See, e.g., FINRA Letter at 41; and Omgeo Letter at 29.
    \1254\ See, e.g., Omgeo Letter at 29; and ITG Letter at 16.
    \1255\ See, e.g., SIFMA Letter at 19.
    \1256\ See OCC Letter at 20.
---------------------------------------------------------------------------

    While several commenters advocated for the elimination of the 
proposed access provision,\1257\ some commenters recommended ways to 
refine the proposed requirement while still achieving its goals.\1258\ 
These 
suggestions included: Limiting the category of Commission staff to whom 
access could be provided; \1259\ providing the Commission with access 
to ``configuration and information flows of the system, instead of 
direct access;'' \1260\ providing the Commission with reports and 
metrics on systems vulnerabilities rather than direct access; \1261\ 
requiring only that SCI entities demonstrate for Commission staff their 
controls and safeguards and compliance with the rule; \1262\ mandating 
training of Commission staff and supervision of Commission staff access 
by SCI entity personnel; \1263\ and requiring that an SCI entity's 
staff conduct any tests while Commission staff observed, rather than 
providing Commission staff with direct access.\1264\ One commenter also 
noted that the concept of reasonable access was vague.\1265\ Other 
commenters asked that the Commission more clearly prescribe what would 
constitute ``reasonable access.'' \1266\ One commenter also recommended 
that SCI entities provide an individual contact for a designated 
Commission representative to communicate and meet with regarding an SCI 
entity's systems.\1267\
---------------------------------------------------------------------------

    \1257\ See, e.g., ITG Letter at 16; and CME Letter at 11.
    \1258\ See, e.g., NYSE Letter at 34; OCC Letter at 20; ISE 
Letter at 10; DTCC Letter at 14; CME Letter at 11; Omgeo Letter at 
29; Joint SROs Letter at 18; and MSRB Letter at 26.
    \1259\ See, e.g., NYSE Letter at 34.
    \1260\ See NYSE Letter at 34.
    \1261\ See, e.g., ISE Letter at 10; DTCC Letter at 14; OCC 
Letter at 20; and CME Letter at 11.
    \1262\ See, e.g., Omgeo Letter at 28-29; and DTCC Letter at 14.
    \1263\ See MSRB Letter at 26.
    \1264\ See OCC Letter at 20.
    \1265\ See, e.g., ITG Letter at 16.
    \1266\ See, e.g., MSRB Letter at 26; Joint SROs Letter at 18; 
and FINRA Letter at 41.
    \1267\ See SIFMA Letter at 19.
---------------------------------------------------------------------------

    A few commenters also questioned whether the proposed access 
requirement is authorized by Section 17(b) or Section 11A of the 
Exchange Act, as stated in the SCI Proposal.\1268\ Other commenters 
considered the proposed access requirement unnecessary and questioned 
the Commission's justification for needing this authority.\1269\ 
Another commenter pointed out that this type of access is authorized by 
other sections of the Exchange Act and an additional provision in 
Regulation SCI is redundant.\1270\
---------------------------------------------------------------------------

    \1268\ See NYSE Letter at 34; BATS Letter at 15; and CME Letter 
at 11.
    \1269\ See FINRA Letter at 41; BATS Letter at 15; Omgeo Letter 
at 28-29; and Fidelity Letter at 5.
    \1270\ See Angel Letter at 18.
---------------------------------------------------------------------------

    After consideration of the views of commenters, the Commission has 
determined not to adopt the proposed reasonable access provision 
because it believes it can achieve its goals through existing 
recordkeeping requirements and its examination authority, as well as 
through the new recordkeeping requirement in Rule 1005 of Regulation 
SCI. As discussed in the SCI Proposal, the reasonable access provision 
was designed to help ensure that the Commission was able to evaluate an 
SCI entity's practices with regard to the requirements of proposed 
Regulation SCI.\1271\ The Commission believes that it can adequately 
assess an SCI entity's compliance with Regulation SCI through its 
authority provided by existing provisions of the Exchange Act and rules 
thereunder, as well as through the additional recordkeeping provisions 
being adopted today in Rule 1005 of Regulation SCI, as described above. 
In this regard, as discussed above, Section 17(a) of the Exchange Act 
provides the Commission with the authority to adopt recordkeeping 
rules, and the breadth of Rule 17a-1 thereunder is such that it would 
require SCI SROs to make, keep, and preserve records relating to their 
compliance with Regulation SCI, including records produced by SCI 
systems and indirect SCI systems.\1272\ Further, adopted Rule 1005 
specifically imposes requirements on each SCI entity (other than SCI 
SROs) to, among other things: Make, keep, and preserve at least one 
copy of all documents relating to its compliance with Regulation SCI; 
keep all such documents for a period of not less than five years, the 
first two years in a place that is readily accessible to the Commission 
or its representatives for inspection and examination; and upon request 
of any representative of the Commission, promptly furnish to the 
possession of such representative copies of any documents required to 
be kept and preserved by it pursuant to Rules 1005(b)(1) and (2).\1273\ 
The Commission also notes that Section 17(b) of the Exchange Act 
authorizes the Commission to conduct reasonable periodic, special, or 
other examinations of all records maintained by the entities described 
in Section 17(a).\1274\ These examinations can be conducted ``at any 
time, or from time to time,'' as the Commission ``deems necessary or 
appropriate in the public interest, for the protection of investors, or 
otherwise in furtherance of the purposes of [the Exchange Act].'' 
\1275\
---------------------------------------------------------------------------

    \1271\ See Proposing Release, supra note 13, at 18130.
    \1272\ See supra note 1251 and accompanying text.
    \1273\ See supra Section IV.C.1 (discussing recordkeeping 
requirements of adopted Rule 1005). As noted above, the 
recordkeeping requirements also extend to records of third parties. 
Specifically, an SCI entity is responsible for producing to 
Commission representatives records required to be made, kept, and 
preserved under Regulation SCI, even if those records are maintained 
by third parties, and the SCI entity is responsible for ensuring 
that such third parties produce those requested documents, upon 
examination or other request. See id.
    \1274\ See Section 17(b) of the Exchange Act, 15 U.S.C. 78q(b).
    \1275\ Id.
---------------------------------------------------------------------------

    Taken together, the Commission believes that these provisions 
afford the Commission the authority and ability to assess SCI entities' 
compliance with the requirements of Regulation SCI, rendering the 
adoption of a reasonable access provision unnecessary. Pursuant to this 
authority, in some circumstances, the Commission's assessment of an SCI 
entity's compliance may require appropriate access to certain SCI 
systems in coordination with the relevant SCI entity. In particular, 
the Commission's ability to assess the accuracy and completeness of an 
SCI entity's records with regard to Regulation SCI, including the 
written policies and procedures established and maintained pursuant to 
Rule 1001 and the report of the SCI review prepared in accordance with 
Rule 1003(b), and to evaluate whether SCI entities are otherwise 
complying with Regulation SCI, may necessitate the observation of SCI 
systems and indirect SCI systems by Commission representatives.\1276\
---------------------------------------------------------------------------

    \1276\ The Commission notes that, under the ARP Inspection 
Program, such access has been routinely requested by Commission 
staff and provided by ARP entities.
---------------------------------------------------------------------------

    The Commission believes that such access would not require an SCI 
entity to agree to remote or direct access by Commission personnel to 
an SCI entity's systems, such as by permitting Commission staff to run 
tests or use system scanning tools on its SCI systems or indirect SCI 
systems. Rather, as suggested by some commenters, access would entail 
allowing Commission staff to observe the SCI entity's SCI systems and 
indirect SCI systems with appropriate safeguards, including through 
systems demonstrations for Commission staff performed by the SCI entity 
and running tests on an SCI system with Commission staff onsite to 
observe.\1277\ The Commission believes that such access does not raise 
the potential security risks posed by unrestricted third party access 
to SCI systems.\1278\
---------------------------------------------------------------------------

    \1277\ See supra notes 1262 and 1264 and accompanying text.
    \1278\ The Commission believes that the elimination of the 
proposed reasonable access provision addresses the other comments on 
this provision.
---------------------------------------------------------------------------

D. Form SCI

    Pursuant to proposed Rule 1000(d), subject to certain exceptions, 
notices, reports, and other information required

[[Page 72360]]

to be provided to the Commission under Regulation SCI would have been 
required to be submitted electronically through the EFFS on proposed 
Form SCI.\1279\ Proposed Form SCI included detailed instructions 
regarding the specific information that SCI entities would have been 
required to submit to the Commission. After careful consideration of 
comments, the Commission is adopting Form SCI with certain 
modifications, as further discussed below. These modifications to 
proposed Form SCI correspond to the changes to the Commission 
notification and reporting requirements as adopted, each of which is 
discussed in greater detail above.\1280\
---------------------------------------------------------------------------

    \1279\ Proposed Rule 1000(d) provided exceptions for 
notifications under proposed Rule 1000(b)(4)(i) and oral 
notifications pursuant to proposed Rule 1000(b)(6)(ii).
    \1280\ See supra Sections IV.B.3.c, IV.B.4, and IV.B.5 
(discussing the reporting requirements of the adopted regulation). 
See also supra Section IV.B.6 (discussing the business continuity 
and disaster recovery plans testing requirement for SCI entity 
members or participants, and elimination of the proposed Commission 
notification requirement related to member or participation 
designations).
---------------------------------------------------------------------------

    Adopted Rule 1006 provides that, except with respect to 
notifications to the Commission made pursuant to Rule 1002(b)(1) or 
updates to the Commission made pursuant to Rule 1002(b)(3), all 
notifications, reviews, descriptions, analyses, or reports to the 
Commission required to be submitted under Regulation SCI must be filed 
electronically on Form SCI. Form SCI solicits information through a 
series of questions designed to elicit short-form answers, but also 
requires SCI entities to provide information and/or reports in 
narrative form by attaching specified exhibits. All filings on Form SCI 
require that an SCI entity identify itself and indicate the basis for 
submitting the form. Specifically, an SCI entity would indicate on the 
form the specific type of submission it is making: A notification 
regarding an SCI event pursuant to Rule 1002(b)(2); a final report or 
interim status report regarding an SCI event pursuant to Rule 
1002(b)(4); a quarterly report on de minimis systems disruptions and de 
minimis systems intrusions pursuant to Rule 1002(b)(5)(ii); a quarterly 
report of material systems changes pursuant to Rule 1003(a)(1); a 
supplemental report of material system changes pursuant to Rule 
1003(a)(2); or a submission of the report of an SCI review, together 
with any response by senior management, pursuant to Rule 1003(b)(3). In 
addition, Form SCI permits, but does not require, SCI entities to 
utilize the form to submit initial notifications of SCI events pursuant 
to Rule 1002(b)(1), as well as updates regarding SCI events pursuant to 
Rule 1002(b)(3). Moreover, if an SCI entity decides to withdraw a 
previously submitted Form SCI, it would complete page 1 of Form SCI and 
select the appropriate check box to indicate the withdrawal. A filing 
on Form SCI also requires that an SCI entity provide additional 
information on attached exhibits, as discussed below. Because Form SCI 
is a report that is required to be filed under the Exchange Act and 
Regulation SCI, it is unlawful for any person to willfully or knowingly 
make, or cause to be made, a false or misleading statement with respect 
to any material fact in Form SCI.\1281\
---------------------------------------------------------------------------

    \1281\ See, e.g., Section 32(a) of the Exchange Act, 15 U.S.C. 
78ff(a).
---------------------------------------------------------------------------

    Several commenters addressed the information required by Form SCI 
as well as the submission process for the form. One commenter asked a 
number of questions on how the submission process would work in 
practice, including: (i) Whether the form would be rejected by the 
Commission if information was missing; (ii) whether the Commission 
would deem it a failure to comply with Regulation SCI if a Form SCI is 
rejected for incompleteness and the SCI entity is unable to resubmit 
within the applicable reporting time frame; (iii) how SCI entities 
would update or correct information previously submitted on Form SCI; 
(iv) whether the EFFS system would be available for Form SCI submissions during 
non-business hours and whether there is an alternative means to submit 
notifications if the EFFS system is down or unavailable; (v) who at the 
Commission would be reviewing submissions and whether they would be 
familiar with technical jargon; and (vi) whether the SCI entities will 
be expected to attach documentation supporting the descriptions 
provided in the exhibits.\1282\ The commenter also expressed several 
concerns, including: (i) The amount of time it would take SCI entities 
to master the new submission process for proposed Form SCI and 
suggested a delayed implementation or transition period; (ii) that the 
form could encourage SCI entities to guess where they are missing 
information if a form could be rejected for incomplete information; 
(iii) that a submission that needs to be updated or corrected would not 
be considered timely filed; (iv) that the updating procedure could 
become burdensome if the SCI entity needed to explain the reason for 
any changes to information previously provided; and (v) that 
submissions would be more burdensome if technical notifications and 
reports needed to be translated into plain English.\1283\ Another 
commenter requested that the electronic filing system that the 
Commission puts in place to receive Form SCI submissions be made 
available on weekends and outside normal business hours.\1284\ This 
commenter also suggested that the Commission remain open to changes to 
Form SCI as it and SCI entities gain experience with the use of Form 
SCI and that the Commission should work with SCI entities to test the 
electronic submission system to ensure its operational 
capability.\1285\
---------------------------------------------------------------------------

    \1282\ See FINRA Letter at 28-30.
    \1283\ See id.
    \1284\ See MSRB Letter at 19, 25. See also FINRA Letter at 29 
(questioning whether the EFFS system would be available during non-
business hours for Form SCI submissions).
    \1285\ See MSRB Letter at 25-26.
---------------------------------------------------------------------------

    The Commission has considered these comments and has addressed many 
of the issues raised by commenters by revising the substantive 
requirements of adopted Rules 1002 and 1003, as well as making certain 
changes to the adopted form. With respect to a commenter's question 
regarding whether a Form SCI would be rejected if information was 
missing,\1286\ as stated in the General Instructions for Form SCI, an 
SCI entity must provide all information required by the form, including 
the exhibits. The General Instructions for Form SCI also state that a 
filing that is incomplete or similarly deficient may be returned to the 
SCI entity, and any filing so returned will be deemed not to have been 
filed with the Commission.\1287\ In response to the commenter who 
expressed concern that a submission that needed to be updated or 
corrected would not be considered timely filed, the Commission notes 
that an SCI entity is responsible for submitting a complete and correct 
Form SCI within the time period specified in the relevant provisions 
under Regulation SCI.\1288\ At the same time, the Commission notes

[[Page 72361]]

that, while the SCI event notification under Rule 1002(b)(2) is 
required to be provided within 24 hours of any responsible SCI 
personnel having a reasonable basis to conclude that an SCI event 
occurred, information for such notifications is only required to be 
provided on a good faith, best efforts basis. For other types of 
notifications and reports required to be submitted on Form SCI, SCI 
entities have more time to prepare such submission, and to ensure that 
the information provided is complete and correct.
---------------------------------------------------------------------------

    \1286\ See supra note 1282 and accompanying text.
    \1287\ While the Commission has the ability to reject a Form SCI 
filing, the Commission notes that the Form SCI submission process is 
different from the Form 19b-4 filing process. Specifically, SCI 
entities file Form SCI to provide notification to the Commission 
regarding SCI events and material systems changes, and reports of 
SCI reviews. On the other hand, SROs file Form 19b-4 for immediately 
effective rule changes or to seek Commission approval of rule 
changes. Therefore, the process for rejecting a Form 19b-4 filing 
does not apply to Form SCI submissions.
    \1288\ With respect to a commenter's concern that SCI entities 
may have to guess where information is missing if a form could be 
rejected for incomplete information, the Commission intends there to 
be communication between Commission staff and SCI entity personnel 
in instances where a Form SCI is rejected to discuss the information 
missing in the submission and anything else necessary to comply with 
the form requirements. See supra note 1283 and accompanying text.
---------------------------------------------------------------------------

    With respect to a commenter's question regarding how SCI entities 
would update or correct information previously submitted on Form SCI, 
the Commission notes that the rules under Regulation SCI already 
provide for updates for many of the Form SCI submissions. Specifically, 
Rule 1002(b)(2) requires certain information to be submitted on a good 
faith, best efforts basis within 24 hours of any responsible SCI 
personnel having a reasonable basis to conclude that an SCI event has 
occurred. Rule 1002(b)(3) requires SCI entities to provide updates 
regarding SCI events until the SCI event is resolved and the SCI 
entity's investigation of the SCI event is closed.\1289\ As such, SCI 
entities may use the updates under Rule 1002(b)(3) to correct or update 
previously submitted information. Also, Rule 1003(a)(2) requires SCI 
entities to submit supplemental reports to notify the Commission of any 
material error in or material omission from a previously submitted 
material systems change report.
---------------------------------------------------------------------------

    \1289\ As discussed in detail in Section IV.B.3.c above, Rule 
1002(b)(3) allows SCI entities to discuss the update with Commission 
staff orally, rather than by completing the form, although an SCI 
entity may use Form SCI if it chooses to do so. To the extent an SCI 
entity chooses to utilize the form for such updates, the written 
updates can facilitate the Commission's tracking and assessment of 
SCI events.
---------------------------------------------------------------------------

    With respect to the Form SCI submissions where the rules do not 
specifically provide for updates (i.e., SCI event notifications under 
Rule 1002(b)(4), quarterly SCI event notifications under Rule 
1002(b)(5), and reports of SCI reviews under Rule 1003(b)(3)), if an SCI 
entity discovers that a previously submitted Form SCI must be corrected 
or updated, the SCI entity should contact Commission staff as it 
corrects or updates the prior submission. In addition, an SCI entity 
will be able to withdraw and re-submit a previously submitted Form 
SCI.\1290\ However, as noted above, an SCI entity is responsible for 
submitting a complete and correct Form SCI within the time period 
specified in the relevant provisions under Regulation SCI.\1291\
---------------------------------------------------------------------------

    \1290\ See General Instructions to Form SCI, Item F.
    \1291\ As noted above, one commenter expressed concern that an 
updating procedure could become burdensome if the SCI entity needs 
to explain the reason for any changes to information previously 
provided. See supra note 1283 and accompanying text. The Commission 
notes that, with respect to rules under Regulation SCI that require 
updates, those rules specify the information that is required to be 
contained in an update, and do not require an explanation of the 
reason for the update. With respect to the Form SCI submissions 
where the rules do not specifically provide for updates, as noted 
above, the SCI entity can contact Commission staff as the SCI entity 
corrects or updates the prior submission.
---------------------------------------------------------------------------

    In addition, in response to comments,\1292\ the Commission notes 
that Form SCI does not require SCI entities to attach documentation 
supporting the descriptions in the exhibits, although SCI entities will 
be able to do so if they so choose by attaching the documentation as 
part of the relevant exhibit. Moreover, in response to the commenter 
who asked who at the Commission would be reviewing submissions and 
whether they would be familiar with technical jargon, the Commission 
notes that appropriate Commission staff from different offices or 
divisions with the necessary expertise to understand the Form SCI 
submission will review it depending on the nature of the submission 
(i.e., legal or technical), and thus, it is not necessary for SCI 
entities to translate technical jargon into plain English.
---------------------------------------------------------------------------

    \1292\ See supra notes 1282-1283 and accompanying text.
---------------------------------------------------------------------------

    In response to the commenter who expressed concern as to the amount 
of time it would take SCI entities to master the Form SCI submission 
process and suggested delayed implementation, the Commission believes 
that utilizing the EFFS system currently used by many SROs for Rule 
19b-4 and Rule 19b-7 filings will allow for a quicker and smoother 
implementation of the Form SCI submission process for certain SCI 
entities, and allow the Commission to apply its experience with EFFS to 
facilitate the submissions of notifications and reports required by 
Regulation SCI. Nevertheless, the Commission notes that it is delaying 
the date for compliance with Regulation SCI, as discussed in Section 
IV.F below. The Commission does not expect that the Form SCI submission 
process will require substantial time for SCI entities to master and 
the delayed date for compliance with Regulation SCI provides SCI 
entities with more time to learn and adopt it.
    With respect to commenters' question regarding whether the EFFS 
system will be available during non-business hours and whether there is 
an alternative means to submit notifications if the EFFS system is down 
or unavailable,\1293\ the Commission notes that, as is the case with 
Rule 19b-4 and Rule 19b-7 filings, EFFS is available 24 hours a day. If 
EFFS becomes unavailable for a period of time, the Commission 
recognizes that SCI entities will not be able to submit any required 
notifications during that time period, and the Commission would expect 
the SCI entities to file any required notifications promptly once EFFS 
becomes available. In response to the commenter who suggested that the 
Commission remain open to changes to Form SCI and that the Commission 
work with SCI entities to test the electronic submission system to 
ensure its operational capability, the Commission expects, as it has 
done with the SRO rule filing process, to periodically evaluate the 
effectiveness of the submission process for Form SCI, as well as the 
form itself, and may consider improvements in the future as 
appropriate.\1294\ The Commission also notes that it expects, prior to 
the compliance date, that its staff will provide materials to SCI 
entities regarding the operation of the electronic filing system to 
submit Forms SCI. Furthermore, the Commission will perform internal 
testing to help ensure the operational capability of EFFS prior to the 
compliance date.
---------------------------------------------------------------------------

    \1293\ See supra notes 1282, 1284 and accompanying text.
    \1294\ See supra note 1285 and accompanying text.
---------------------------------------------------------------------------

1. Notice of SCI Events Pursuant to Rule 1002(b)
    Proposed Rule 1000(b)(4) would have required each SCI entity to 
submit certain information regarding SCI events to the Commission using 
proposed Form SCI.\1295\ The Commission is adopting proposed Rule 
1000(b)(4) as Rule 1002(b) with certain modifications, which are 
discussed above in Section IV.B.3.c.
---------------------------------------------------------------------------

    \1295\ Proposed Rule 1000(d) provided an exception for 
notifications under proposed Rule 1000(b)(4)(i).
---------------------------------------------------------------------------

    With respect to Commission notifications under Rule 1002, adopted 
Form SCI requires an SCI entity to provide the following information in 
a short, standardized format: (i) Whether the Commission has previously 
been notified of the SCI event pursuant to Rule 1002(b)(1); (ii) the 
type of submission (i.e., an initial notification pursuant to Rule 
1002(b)(1), a notification pursuant to Rule 1002(b)(2), an update 
pursuant to Rule 1002(b)(3), a final report pursuant to Rule 
1002(b)(4), or an interim status report

[[Page 72362]]

pursuant to Rule 1002(b)(4)); (iii) the type(s) of SCI event (i.e., 
systems compliance issue, systems disruption, or systems intrusion); 
\1296\ (iv) the date/time the SCI event occurred; (v) the duration of 
the SCI event; (vi) when responsible SCI personnel had a reasonable 
basis to conclude that an SCI event occurred; (vii) whether the SCI 
event has been resolved and, if so, the date/time of resolution; (viii) 
whether the SCI entity's investigation of the SCI event is closed and, 
if so, the date of closure; (ix) the estimated number of market 
participants potentially impacted by the SCI event; (x) whether the SCI 
event is a major SCI event; (xi) the types of systems impacted (i.e., 
trading, clearance and settlement, order routing, market data, market 
regulation, market surveillance, or indirect SCI systems) and the name 
of such system(s); and (xii) whether any critical SCI system(s) are 
impacted by the SCI event and, if so, the types of such critical SCI 
systems (i.e., systems that directly support functionality relating to: 
Clearance and settlement systems of clearing agencies; openings, 
reopenings, and closings on the primary listing market; trading halts; 
initial public offerings; the provision of consolidated market data; 
exclusively listed securities; or systems that provide functionality to 
the securities markets for which the availability of alternatives is 
significantly limited or nonexistent and without which there would be a 
material impact on fair and orderly markets) and a description of such 
systems.
---------------------------------------------------------------------------

    \1296\ Some SCI events may meet the definition of more than a 
single SCI event type, and the form permits SCI entities to check 
one, two, or all three SCI event types.
---------------------------------------------------------------------------

    If an SCI entity chooses to utilize Form SCI to submit an initial 
notification required by Rule 1002(b)(1), an SCI entity will be able to 
submit a short description of the SCI event, and be allowed to attach 
documents regarding such SCI event as part of Exhibit 6 of Form SCI if 
the SCI entity chooses to do so.
    For a notification required by Rule 1002(b)(2), in addition to 
providing the applicable standardized information on Form SCI as 
discussed above, an SCI entity is required to submit an Exhibit 1. An 
SCI entity is required to provide the following information on a good 
faith, best efforts basis in the Exhibit 1: (i) A description of the 
SCI event, including the system(s) affected; and (ii) to the extent 
available as of the time of notification, the SCI entity's current 
assessment of the types and number of market participants potentially 
affected by the SCI event; the potential impact of the SCI event on the 
market; a description of the steps the SCI entity has taken, is taking, 
or plans to take, with respect to the SCI event; the time the SCI event 
was resolved or timeframe within which the SCI event is expected to be 
resolved; and any other pertinent information known by the SCI entity 
about the SCI event.
    If an SCI entity chooses to utilize Form SCI to submit an update 
required by Rule 1002(b)(3), an SCI entity will be able to submit a 
short description of the update, and be allowed to attach documents 
regarding such update as part of Exhibit 6 of Form SCI if the SCI 
entity chooses to do so.
    For a submission required by Rule 1002(b)(4), in addition to 
providing the applicable standardized information on Form SCI as 
discussed above, adopted Form SCI also requires an SCI entity to 
indicate if it is a final report or an interim status report and submit 
an Exhibit 2. If an SCI event is resolved and the SCI entity's 
investigation of the SCI event is closed within 30 calendar days of the 
occurrence of the SCI event, an SCI entity must file a final report 
under Rule 1002(b)(4)(i)(A) within five business days after the 
resolution of the SCI event and closure of the investigation regarding 
the SCI event. However, if an SCI event is not resolved or the SCI 
entity's investigation of the SCI event is not closed within 30 
calendar days of the occurrence of the SCI event, an SCI entity must 
file an interim status report under Rule 1002(b)(4)(i)(B)(1) within 30 
calendar days after the occurrence of the SCI event. For SCI events in 
which an interim status report is required to be filed, an SCI entity 
must file a final report under Rule 1002(b)(4)(i)(B)(2) within five 
business days after the resolution of the SCI event and closure of the 
investigation regarding the SCI event. For any submission required by 
Rule 1002(b)(4), an SCI entity is required to provide the following 
information in the Exhibit 2: (i) A detailed description of: The SCI 
entity's assessment of the types and number of market participants 
affected by the SCI event; the SCI entity's assessment of the impact of 
the SCI event on the market; the steps the SCI entity has taken, is 
taking, or plans to take, with respect to the SCI event; the time the 
SCI event was resolved; the SCI entity's rule(s) and/or governing 
document(s), as applicable, that relate to the SCI event; and any other 
pertinent information known by the SCI entity about the SCI event; (ii) 
a copy of any information disseminated pursuant to Rule 1002(c) by the 
SCI entity to date regarding the SCI event to any of its members or 
participants; and (iii) an analysis of parties that may have 
experienced a loss, whether monetary or otherwise, due to the SCI 
event, the number of such parties, and an estimate of the aggregate 
amount of such loss. As noted above, if an SCI entity submits an 
interim written notification under Rule 1000(b)(4)(i)(B), the SCI 
entity is required to provide the information specified in Exhibit 2, 
but only to the extent known at the time. The SCI entity is also 
required to subsequently submit a final report under Rule 
1000(b)(4)(i)(B) and provide all the information specified in Exhibit 
2.
    Rule 1002(b)(5) states that the Commission notification 
requirements under Rules 1002(b)(1)-(4) do not apply to any SCI event 
that has had, or the SCI entity reasonably estimates would have, no or 
a de minimis impact on the SCI entity's operations or on market 
participants. Rule 1002(b)(5)(i) instead requires that an SCI entity 
make, keep, and preserve records relating to all such SCI events and 
Rule 1002(b)(5)(ii) requires an SCI entity to submit to the Commission 
quarterly reports containing a summary description of such de minimis 
systems disruptions and de minimis systems intrusions. For a quarterly 
report required by Rule 1002(b)(5), an SCI entity is required to 
indicate the end date of the applicable calendar quarter for which the 
report is being submitted. The SCI entity is also required to submit an 
Exhibit 3, containing a summary description of such de minimis systems 
disruptions and de minimis systems intrusions, including the SCI 
systems and, for systems intrusions, the indirect SCI systems, affected 
by such de minimis systems disruptions and de minimis systems 
intrusions during the applicable calendar quarter.
2. Notices of Material Systems Changes Pursuant to Rule 1003(a)
    Proposed Rule 1000(b)(6) would have required an SCI entity to 
provide advance Commission notifications of material systems changes. 
Proposed Rule 1000(b)(8)(ii) would have required an SCI entity to 
submit to the Commission semi-annual reports on material systems 
changes. As discussed in detail in Section IV.B.4 above, many 
commenters were critical of the proposed reporting framework with 
respect to material systems changes, including the 30-day advance 
notification procedure. After considering the views of commenters, the 
Commission is not adopting the 30-day advance notification requirement 
or the semi-annual reporting requirement

[[Page 72363]]

for material systems changes. Rather, an SCI entity is required to 
submit quarterly reports for material systems changes under Rule 
1003(a)(1). An SCI entity is also required under Rule 1003(a)(2) to 
promptly submit a supplemental report notifying the Commission of a 
material error in or material omission from a report previously 
submitted under Rule 1003(a).
    One commenter raised a concern that an advance notification could 
be rejected by the Commission for inadequate description and result in 
a delay to a planned systems change.\1297\ As noted above in Section 
IV.B.4, the Commission is adopting a quarterly reporting system that 
does not require the advance notification of individual planned 
material systems changes required by proposed Rule 1000(b)(6). The 
adopted framework is intended to keep the Commission and its staff 
apprised of systems changes at SCI entities while reducing the burdens 
related to notifying the Commission of such changes and allowing for 
the various types of development processes used by SCI entities 
(including agile development processes). Also, as noted above in 
Section IV.B.4, Regulation SCI does not provide for a new review or 
approval process for SCI entities' material systems changes. As such, 
Commission staff will not use material systems change reports to 
require any approval of prospective systems changes in advance of their 
implementation pursuant to any provision of Regulation SCI, or to delay 
implementation of material systems changes pursuant to any provision of 
Regulation SCI.\1298\
---------------------------------------------------------------------------

    \1297\ See SIFMA Letter at 16.
    \1298\ At the same time, the Commission notes that the General 
Instructions for Form SCI state that a filing that is incomplete or 
similarly deficient may be returned to the SCI entity, and any 
filing so returned will be deemed not to have been filed with the 
Commission.
---------------------------------------------------------------------------

    For a notification required by Rule 1003(a) (including supplemental 
reports under Rule 1003(a)(2)), an SCI entity is required to indicate 
the end date of the applicable calendar quarter for which the report is 
being submitted and submit an Exhibit 4. For a notification required by 
Rule 1003(a)(1), Exhibit 4 is required to contain a description of 
completed, ongoing, and planned material changes to its SCI systems and 
the security of its indirect SCI systems, during the prior, current, 
and subsequent calendar quarters, including the dates or expected dates 
of commencement and completion. For a notification required by Rule 
1003(a)(2), Exhibit 4 is required to contain the supplemental report of 
a material error in or material omission from a report previously 
submitted under Rule 1003(a)(1).\1299\
---------------------------------------------------------------------------

    \1299\ See General Instructions to Form SCI, Item C.
---------------------------------------------------------------------------

3. Reports of SCI Reviews Pursuant to Rule 1003(b)
    Proposed Rule 1000(b)(8)(i) would have required an SCI entity to 
submit to the Commission a report of the SCI review required by 
proposed Rule 1000(b)(7), together with any response by senior 
management, within 60 calendar days after its submission to senior 
management of the SCI entity. As discussed above in Section IV.B.5, the 
Commission is adopting this Commission reporting requirement as 
proposed. There were no comments on proposed Form SCI with respect to 
reports of SCI reviews.
    For a notification required by Rule 1003(b), an SCI entity is 
required to indicate on Form SCI the date of completion of the SCI 
review and the date of submission of the SCI review to the SCI entity's 
senior management. An SCI entity is also required to submit an Exhibit 
5, containing the report of the SCI review that was submitted to the 
SCI entity's senior management, along with any response to the report 
by senior management.\1300\
---------------------------------------------------------------------------

    \1300\ As discussed in Section IV.B.5, the SCI review would 
contain: (1) A risk assessment with respect to SCI systems and 
indirect SCI systems of an SCI entity; and (2) an assessment of 
internal control design and effectiveness of SCI systems and 
indirect SCI systems to include logical and physical security 
controls, development processes, and information technology 
governance, consistent with industry standards.
---------------------------------------------------------------------------

4. Notification of Member or Participant Designation Standards and List 
of Designees
    Proposed Rule 1000(b)(9) would have required an SCI entity to 
notify the Commission of its members or participants that have been 
designated for business continuity and disaster recovery plans testing, 
as well as the standards for such designation. Proposed Rule 1000(b)(9) 
would have also required SCI entities to promptly update such 
notification after any changes to its list of designees or standards 
for designation. As discussed above in Section IV.B.6, the Commission 
is not adopting these Commission notification requirements.
5. Other Information and Electronic Signature
    Proposed Form SCI would have required an SCI entity to provide the 
Commission with contact information for the systems personnel, 
regulatory personnel, and senior officer responsible for addressing an 
SCI event, including the name, title, telephone number, and email 
address of such persons. Proposed Form SCI would also have given the 
SCI entity an option to provide contact information for an additional 
systems personnel and regulatory personnel. Finally, proposed Form SCI 
would have required an electronic signature to help ensure the 
authenticity of the Form SCI submission.
    Adopted Form SCI more generally requires an SCI entity to provide 
contact information for a person who is prepared to respond to 
questions for a particular submission. Form SCI continues to require an 
electronic signature to help ensure the authenticity of the Form SCI 
submission. The Commission believes that these requirements will 
expedite communications between Commission staff and SCI entities, 
because they will help identify the person or persons responsible for 
communicating with Commission staff about an SCI event even though one 
or more other persons may be responsible for addressing and resolving 
the SCI event, and also help ensure that only authorized personnel at 
each SCI entity submit filings required by adopted Regulation SCI.

E. Other Comments Received

1. Applying Regulation SCI to Security-Based Swap Data Repositories and 
Security-Based Swap Execution Facilities
    As noted in the SCI Proposal, on July 21, 2010, the President 
signed the Dodd-Frank Act into law.\1301\ The Dodd-Frank Act was 
enacted, among other things, to promote the financial stability of the 
United States by improving the accountability and transparency of the 
nation's financial system.\1302\ Title VII of the Dodd-Frank Act 
provides the Commission and the CFTC with the authority to regulate 
over-the-counter derivatives.
---------------------------------------------------------------------------

    \1301\ The Dodd-Frank Wall Street Reform and Consumer Protection 
Act (Pub. L. 111-203, H.R. 4173) (``Dodd-Frank Act'').
    \1302\ See Dodd-Frank Act Preamble.
---------------------------------------------------------------------------

    In particular, as noted in the SCI Proposal, Section 763 of the 
Dodd-Frank Act amends the Exchange Act by adding new statutory 
provisions to govern the regulation of various entities, including 
security-based swap data repositories (``SB SDRs'') and security-based 
swap execution facilities (``SB SEFs'').\1303\
Under the authorities of Section 13(n) of the Exchange Act, applicable 
to SB SDRs, and Section 3D(d) of the Exchange Act, applicable to SB 
SEFs, the Commission proposed rules for these entities with regard to 
their automated systems' capacity, resiliency, and security.\1304\ In 
the SB SDR Proposing Release and the SB SEF Proposing Release, 
respectively, the Commission proposed Rule 13n-6 and Rule 822 under the 
Exchange Act, which would set forth the requirements for these entities 
with regard to their automated systems' capacity, resiliency, and 
security. In each release, the Commission stated that it was proposing 
standards comparable to the standards applicable to SROs, including 
exchanges and clearing agencies, and other registrants, pursuant to the 
Commission's ARP standards.\1305\ The SCI Proposal described in detail 
the SB SDR and SB SEF proposals relating to systems' capacity, 
resiliency, and security; the comments received on those proposals; and 
the differences between proposed Regulation SCI and those 
proposals.\1306\
---------------------------------------------------------------------------

    \1303\ See Dodd-Frank Act, Section 763 (adding Sections 13(n), 
3C, and 3D of the Exchange Act). The Dodd-Frank Act also directs the 
Commission to harmonize to the extent possible Commission regulation 
of SB SDRs and SB SEFs with CFTC regulation of swap data 
repositories (``SDRs'') and swap execution facilities (``SEFs'') 
under the CFTC's jurisdiction, an endeavor that Commission staff is 
undertaking as it seeks to move the SB SDR and SB SEF proposals 
toward adoption. See Dodd-Frank Act, Section 712 (directing the 
Commission, before commencing any rulemaking with regard to SB SDRs 
or SB SEFs, to consult and coordinate with the CFTC for purposes of 
assuring regulatory consistency and comparability to the extent 
possible).
    \1304\ See Securities Exchange Act Release Nos. 63347 (November 
19, 2010), 75 FR 77306 (December 10, 2010) (proposing new Rule 13n-6 
under the Exchange Act applicable to SB SDRs) (``SB SDR Proposing 
Release''); 63825 (February 2, 2011), 76 FR 10948 (February 28, 
2011) (proposing new Rule 822 under the Exchange Act applicable to 
SB SEFs) (``SB SEF Proposing Release''). See also Dodd-Frank Act, 
Section 761(a) (adding Section 3(a)(75) of the Exchange Act) 
(defining the term ``security-based swap data repository''), and 
Section 761(a) (adding Section 3(a)(77) of the Exchange Act) 
(defining the term ``security-based swap execution facility'').
    \1305\ See SB SDR Proposing Release, supra note 1304, at 77332 
and SB SEF Proposing Release, supra note 1304, at 10987.
    \1306\ See Proposing Release, supra note 13, at 18133-34.
---------------------------------------------------------------------------

    In the SCI Proposal, the Commission recognized that there could be 
differences between Regulation SCI, as adopted, and Rules 13n-6 and 
822, if adopted. Therefore, the Commission sought comment on whether it 
should propose to apply the requirements of Regulation SCI, in whole or 
in part, to SB SDRs and/or SB SEFs.\1307\ In addition, the Commission 
sought comment on what--if the Commission were to propose to apply some 
or all of the requirements of Regulation SCI to SB SDRs or SB SEFs--
would be the most appropriate way to implement such requirements for SB 
SDRs and SB SEFs.\1308\ However, the Commission also noted that, should 
the Commission decide to propose to apply the requirements of 
Regulation SCI to SB SDRs or SB SEFs, the Commission would issue a 
separate release discussing such a proposal.\1309\
---------------------------------------------------------------------------

    \1307\ See id. at 18134-37.
    \1308\ See id. at 18137-38. As noted in the SCI Proposal, 
although the Commission has issued a policy statement regarding the 
anticipated sequencing of the compliance dates of final rules to be 
adopted by the Commission for certain provisions of Title VII of the 
Dodd-Frank Act, the precise timing for adoption of or compliance 
with any final rules relating to SB SDRs or SB SEFs is not known at 
this time. See Securities Exchange Act Release No. 67177 (June 11, 
2012), 77 FR 35625 (June 14, 2012) (Statement of General Policy on 
the Sequencing of the Compliance Dates for Final Rules Applicable to 
Security-Based Swaps Adopted Pursuant to the Securities Exchange Act 
of 1934 and the Dodd-Frank Wall Street Reform and Consumer 
Protection Act).
    \1309\ See Proposing Release, supra note 13, at 18134.
---------------------------------------------------------------------------

    One commenter supported the inclusion of SB SEFs and possibly SB 
SDRs under proposed Regulation SCI.\1310\ Several commenters supported 
some form of harmonization, but were cognizant of the practical 
differences between options and equities, on the one hand, and 
derivatives, on the other.\1311\
---------------------------------------------------------------------------

    \1310\ See Tellefsen Letter at 5.
    \1311\ See DTCC Letter at 18-19; and NYC Bar Letter at 2-5. See 
also CoreOne Letter at 5-7.
---------------------------------------------------------------------------

    In the context of considering whether Regulation SCI should apply 
to SB SDRs or SB SEFs, one commenter supported principles-based rules 
relating to systems compliance and integrity, and generally believed 
that principles applicable to one type of system should be applicable 
to all types of systems.\1312\ This commenter noted that the Commission 
should not promulgate principles-based rules that would apply different 
principles to different systems, unless such difference is clearly 
warranted by the facts and circumstances relating to and the purpose of 
a particular system.\1313\ This commenter also commented that, because 
technology continues to evolve at a rapid pace and because specific and 
technical rules may create conflicting standards, any attempt to 
provide specific and technical rules should be avoided, unless the 
context clearly warrants such specific and technical rules.\1314\ This 
commenter concluded that the similarities between certain SCI entities 
and SB SDRs and SB SEFs do not provide a clear justification for a 
different set of rules.\1315\
---------------------------------------------------------------------------

    \1312\ See NYC Bar Letter at 3.
    \1313\ See id. at 3-4.
    \1314\ See id. at 4.
    \1315\ See id. This commenter also specifically noted that 
important market systems should not have differing recovery 
requirements without a clear justification, particularly in light of 
a Congressional mandate in the Dodd-Frank Act to ensure regulatory 
consistency and comparability, to the extent possible. See NYC Bar 
Letter at 5.
---------------------------------------------------------------------------

    One commenter noted that SB SDRs should have standards that are 
consistent with, but not identical to, those of SCI entities.\1316\ 
According to this commenter, the functions that SB SDRs perform are 
significantly different from those performed by SCI entities.\1317\ 
However, this commenter supported applying to SB SDRs: Proposed Rule 
1000(b)(1)(i)(A)-(E); \1318\ requirements relating to Commission 
notification of SCI events (by adopting the notification provisions 
described in proposed Rule 13n-6(3)); and requirements for business 
continuity planning and testing (but SB SDRs should not be required to 
test with other SB SDRs given the structure of the proposed SB SDR 
Regulations).\1319\ Finally, rather than making Regulation SCI 
applicable to SB SDRs, this commenter recommended that these provisions 
be incorporated into Rule 13n-6.\1320\
---------------------------------------------------------------------------

    \1316\ See DTCC Letter at 18.
    \1317\ See id.
    \1318\ However, this commenter noted that specific industry 
standards should be adopted for SB SDRs, rather than adopting 
existing standards that were largely developed before repositories 
were developed and were not intended to cover these types of 
entities. See id.
    \1319\ See id. at 18-19.
    \1320\ See id. at 19.
---------------------------------------------------------------------------

    The Commission appreciates the comments received on the potential 
application of Regulation SCI to SB SDRs and SB SEFs. As noted above, 
should the Commission decide to propose to apply the requirements of 
Regulation SCI to SB SDRs or SB SEFs, the Commission would issue a 
separate release discussing such a proposal and would take these 
comments into account.
2. Applying Regulation SCI to Broker-Dealers Other Than SCI ATSs and 
Other Types of Entities
    Regulation SCI, as proposed and as adopted, would apply to national 
securities exchanges, registered securities associations, registered 
clearing agencies, the MSRB, SCI ATSs, plan processors, and exempt 
clearing agencies subject to ARP. It would not apply to other types of 
market participants, such as market makers or other broker-dealers. As 
noted in the SCI Proposal, recent events have highlighted the 
significance of systems integrity of a broader set of market 
participants than those included in the definition of SCI entity.\1321\ 
Also, as
noted in the SCI Proposal, some broker-dealers have grown in size and 
importance to the market in recent years.\1322\ As such, the Commission 
recognized that systems disruptions, systems compliance issues, and 
systems intrusions at broker-dealers could pose a significant risk to 
the market.\1323\ The Commission also noted that Rule 15c3-5 under the 
Exchange Act,\1324\ which requires brokers or dealers with market 
access to implement risk management controls and supervisory procedures 
to limit risk, already seeks to address certain risks posed to the 
markets by broker-dealer systems.\1325\
---------------------------------------------------------------------------

    \1321\ See Proposing Release, supra note 13, at 18138, n. 334.
    \1322\ See id. at 18138, n. 335.
    \1323\ See id. at 18138.
    \1324\ 17 CFR 240.15c3-5.
    \1325\ See supra note 114 and Proposing Release, supra note 13, 
at 18138-39.
---------------------------------------------------------------------------

    The Commission did not propose to apply Regulation SCI to 
registered broker-dealers (other than SCI ATSs) or to other types of 
entities not covered by the definition of SCI entity. As noted in the 
SCI Proposal, if the Commission were to decide to propose to apply the 
requirements of Regulation SCI to such entities, the Commission would 
issue a separate release discussing such a proposal.\1326\ 
Nevertheless, in the SCI Proposal, the Commission sought comment on 
whether such entities should be subject to Regulation SCI in whole or 
in part.\1327\
---------------------------------------------------------------------------

    \1326\ See id. at 18139.
    \1327\ See id. at 18139-41.
---------------------------------------------------------------------------

    Some commenters stated that the Commission should expand the 
definition of SCI entity to include broker-dealers.\1328\ One commenter 
stated that the goals of Regulation SCI could not be met without 
expanding the definition of SCI entity to include the following types 
of broker-dealers: Exchange market maker, OTC market maker, and any 
other broker or dealer that executes orders internally by trading as a 
principal or crossing orders as an agent.\1329\ This commenter stated 
that these entities should be included because they play a critical 
role in the markets, handle market share that exceeds that of certain 
SCI ATSs, and, like exchanges and ATSs, rely heavily on sophisticated 
automated systems.\1330\ Another commenter also believed that the 
objectives of Regulation SCI could more readily be achieved if the 
regulation also applied to market makers, high-frequency trading firms, 
and other broker-dealers because the activities of these types of 
entities could present systemic risks to the market.\1331\
---------------------------------------------------------------------------

    \1328\ See NYSE Letter at 8-10; and Liquidnet Letter at 2-3. 
Another commenter expressed its view that inclusion of order routing 
systems within the definition of ``SCI systems'' puts SCI entities 
at a competitive disadvantage against broker-dealers that are not 
covered by Regulation SCI. See BATS Letter at 4. See also supra 
notes 48-50, 94-96, and 152 and accompanying text (discussing 
comments regarding broadening the coverage of ``SCI entity'' and 
``SCI ATS'' and the effect of the adopted ATS thresholds on barriers 
to entry), and infra Section VI.C.1.c (discussing the effect of 
Regulation SCI on competition between SCI entities and non-SCI 
entities).
    \1329\ See NYSE Letter at 9.
    \1330\ See id.
    \1331\ See Liquidnet Letter at 2.
---------------------------------------------------------------------------

    In connection with questions in the SCI Proposal regarding the 
application of Regulation SCI to broker-dealers other than SCI ATSs, 
one commenter urged the Commission to broaden the definition of SCI 
entity to include any entity with direct electronic access to equity 
markets because the equity markets can be disrupted by a single 
server.\1332\ Another commenter stated that all direct access 
proprietary trading market participants (including high frequency 
market participants) should be included as SCI entities because of 
their significant footprint in the markets, past incidents like Knight 
Capital Group's massive trading losses from a systems malfunction in 
August 2012,\1333\ and flaws in the existing compliance controls and 
practices of such firms.\1334\ One commenter stated that Regulation SCI 
should be extended to any trading platforms that transact significant 
volume, including systems that are not required to register as an ATS, 
because all executions are against the bids and offers of a single 
dealer.\1335\
---------------------------------------------------------------------------

    \1332\ See Lauer Letter at 3. See also supra notes 212-213 
(explaining that the Commission believes that many systems with 
direct market access are captured by the adopted definition but the 
Commission is not expanding the scope of Regulation SCI to include 
other broker-dealer entities and their systems at this time).
    \1333\ See Proposing Release, supra note 13, at 18090, n. 70 
(discussing Knight's systems malfunction in August 2012).
    \1334\ See Leuchtkafer Letter at 1-7. See supra notes 124-126 
and accompanying text (discussing the Commission's determination to 
not apply Regulation SCI to non-ATS broker-dealers at this time).
    \1335\ See BlackRock Letter at 4.
---------------------------------------------------------------------------

    A few commenters further argued that Rule 15c3-5 under the Exchange 
Act is not sufficient by itself and therefore some broker-dealers 
should be treated as SCI entities.\1336\ One of these commenters stated 
that non-ATS broker-dealers should be treated as SCI entities because 
Rule 15c3-5, concerning the implementation of risk management and 
supervisory controls to limit risk associated with routing orders to 
exchanges or ATSs, does not address reliability or integrity of the 
systems that implement such controls.\1337\
---------------------------------------------------------------------------

    \1336\ See Lauer Letter at 3 and NYSE Letter at 9.
    \1337\ See NYSE Letter at 9.
---------------------------------------------------------------------------

    Many other commenters stated more generally that broker-dealers 
should not be captured by the definition of SCI entity.\1338\ Several 
commenters stated that they do not support the expansion of Regulation 
SCI to all broker-dealers because broker-dealers generally perform 
functions that do not have any systemic impact on the operation of the 
national market system and are presently subject to numerous 
regulations that require the establishment of controls (such as the 
Market Access Rule, Rule 17a-3, and Rule 17a-4), making Regulation SCI 
duplicative and unduly burdensome.\1339\
---------------------------------------------------------------------------

    \1338\ See SIFMA Letter at 3; MFA Letter at 4-5; FIA PTG Letter 
at 5; FSI Letter at 3; WF Letter at 2; Fidelity Letter at 4; KCG 
Letter at 14-17; LiquidPoint Letter at 4; and FSR Letter at 2-3, n. 
5.
    \1339\ See SIFMA Letter at 3; MFA Letter at 4-5; FIA PTG Letter 
at 5; WF Letter at 2; KCG Letter at 15-17; LiquidPoint Letter at 4; 
and FSR Letter at 2-3, n. 5.
---------------------------------------------------------------------------

    One commenter stated that broker-dealers are currently subject to 
high standards of systems compliance and integrity by FINRA and state 
laws, and disciplinary actions for failure to maintain sufficient 
protection of customer data and supervisory policies.\1340\ Moreover, 
this commenter noted that, if potential systems issues could be 
addressed by Regulation SCI as applied to SCI entities, there would be 
no need to apply Regulation SCI to broker-dealers conducting activities 
on behalf of retail clients.\1341\ This commenter stated that 
additional regulation would only be warranted after a meticulous cost-
benefit analysis and implementation of the additional regulation at the 
lowest cost to firms and investors.\1342\ This commenter concluded that 
the inclusion of broker-dealers would raise investors' costs and is 
unnecessary.\1343\
---------------------------------------------------------------------------

    \1340\ See FSI Letter at 3.
    \1341\ See id.
    \1342\ See id.
    \1343\ See id.
---------------------------------------------------------------------------

    Another commenter believed that non-SCI ATS broker-dealers should 
not be included in the definition of SCI entity because, despite the 
longstanding practice of retail brokers routing their customers' orders 
to market makers for execution, those market makers are not 
critical.\1344\ Moreover, this commenter believed that FINRA's rules 
with respect to broker-dealers are more appropriate than the SCI 
Proposal, and FINRA rules hold broker-dealers accountable and do not 
shield them from liability.\1345\ This commenter stated that the 
combination of Commission and FINRA rules on
broker-dealers ensures that broker-dealers are sufficiently regulated, 
although this commenter stated that FINRA could provide additional 
guidance on its rules in light of the weaknesses revealed by Superstorm 
Sandy.\1346\ Similarly, another commenter stated that broker-dealers 
should not be regulated under Regulation SCI because broker-dealer 
operational regulation has been overseen almost entirely by 
FINRA.\1347\ Specifically, FINRA member broker-dealers are required to 
create and implement written supervisory procedures covering the 
operation of their business.\1348\ According to this commenter, this 
process allows broker-dealers to devise procedures that keep them in-
line with FINRA and Commission regulations, and allows FINRA to focus 
on bigger picture issues impacting the broker-dealer industry.\1349\
---------------------------------------------------------------------------

    \1344\ See KCG Letter at 14.
    \1345\ See id. at 14-15.
    \1346\ See id. at 14-17.
    \1347\ See OTC Markets Letter at 11.
    \1348\ See id.
    \1349\ See id.
---------------------------------------------------------------------------

    In addition, one commenter stated that the Commission should not 
propose a requirement that SCI SROs require their members to institute 
policies and procedures similar to those required under Regulation 
SCI.\1350\ According to this commenter, SCI SROs already impose 
regulatory requirements addressing similar concerns as those that 
Regulation SCI is designed to address.\1351\
---------------------------------------------------------------------------

    \1350\ See WF Letter at 2.
    \1351\ See id. at 2-3.
---------------------------------------------------------------------------

    One commenter stated that the term SCI entity should not encompass 
clearing broker-dealers or transfer agents because they are not 
involved in ``real-time'' trading activities and therefore there would 
not be any material impact on critical market functions should their 
systems fail.\1352\ Additionally, this commenter stated that because 
Regulation SCI ``is designed to formalize the Commission's existing ARP 
Program,'' and clearing broker-dealers and transfer agents do not 
participate in ARP, those entities should not be included within the 
scope of Regulation SCI.\1353\ Another commenter echoed these positions 
with respect to transfer agents, and also stated that transfer agents 
should not be included within the definition of SCI entity because the 
majority of transfer agents do not have electronic connectivity to SCI 
entities.\1354\ Additionally, this commenter stated that larger 
transfer agents are already required to have business continuity plans 
and written policies and procedures to ensure that their systems are 
robust and will function as intended.\1355\ In determining whether to 
expand the scope of SCI entities, one commenter commented that the 
Commission should consider the role of an entity in the securities 
markets and the risks presented by that entity, and stated that 
transfer agents should not be covered because they raise fewer risks to 
the markets than the proposed SCI entities, as their systems do not 
directly support the functions intended to be targeted by the SCI 
Proposal.\1356\ Another commenter similarly stated that transfer agents 
should not be covered because there is little chance that a problem 
with a transfer agent's operations would impact market activity.\1357\
---------------------------------------------------------------------------

    \1352\ See Fidelity Letter at 4.
    \1353\ See id.
    \1354\ See STA Letter at 2.
    \1355\ See id.
    \1356\ See ICI Letter at 3.
    \1357\ See Oppenheimer Letter at 2.
---------------------------------------------------------------------------

    The Commission appreciates the comments received on the potential 
application of Regulation SCI to broker-dealers other than SCI ATSs and 
other types of entities. As noted above, should the Commission decide 
to propose to apply the requirements of Regulation SCI to these 
entities, the Commission would issue a separate release discussing such 
a proposal and would take these comments into account.

F. Effective Date and Compliance Dates

    Several commenters provided recommendations for when the 
requirements of Regulation SCI should go into effect and/or when SCI 
entities should be required to comply with the various requirements of 
the regulation.\1358\ Each commenter recommended allowing what they 
believed to be sufficient time for SCI entities to prepare for what 
they perceived as complex or substantial regulatory 
responsibilities.\1359\
---------------------------------------------------------------------------

    \1358\ See, e.g., FINRA Letter at 41-42; DTCC Letter at 3; OCC 
Letter at 2; MSRB Letter at 39-40; KCG Letter at 19; SIFMA Letter at 
7; and OTC Markets Letter at 4, 22-23.
    \1359\ See, e.g., FINRA Letter at 41-42; DTCC Letter at 3; OCC 
Letter at 2; MSRB Letter at 39-40; KCG Letter at 19; SIFMA Letter at 
7; and OTC Markets Letter at 4, 22-23.
---------------------------------------------------------------------------

    Several commenters suggested that the implementation period should 
vary between those entities and/or systems currently subject to the ARP 
Inspection Program and those that are not.\1360\ For example, one 
commenter suggested an implementation period of no less than two years 
for SCI systems that are subject to the ARP Inspection Program and 
three years for all other systems.\1361\ Similarly, another commenter 
recommended that certain systems of non-ARP participants should be 
provided at least an additional one year transition period, after a 
six-month delayed effectiveness after final approval of Regulation SCI 
for SCI systems of current ARP participants that are trading, clearance 
and settlement, and order routing systems.\1362\ Another commenter 
stated that systems currently covered by the ARP Inspection Program 
should be granted two years to phase-in the rule and that non-ARP 
systems would need a phase-in period of at least four years.\1363\ One 
commenter also noted more generally that the time needed to meet the 
new requirements of Regulation SCI will vary by the type of SCI entity 
and the level of its current participation in the ARP Inspection 
Program.\1364\
---------------------------------------------------------------------------

    \1360\ See, e.g., FINRA Letter at 41-42; DTCC Letter at 3; and 
OTC Markets Letter at 4, 22-23.
    \1361\ See FINRA Letter at 41-42.
    \1362\ See MSRB Letter at 39-40.
    \1363\ See OTC Markets Letter at 4, 22-23.
    \1364\ See DTCC Letter at 3.
---------------------------------------------------------------------------

    Some commenters requested a special phase-in period for ATSs. 
Specifically, two commenters suggested that ATSs should be given six 
months after meeting the given threshold in the definition of SCI ATS 
to come into compliance with Regulation SCI.\1365\
---------------------------------------------------------------------------

    \1365\ See KCG Letter at 19; and SIFMA Letter at 7. See also 
adopted Rule 1000 (definition of ``SCI ATS'') and supra Section 
IV.A.1.b (discussing definition of ``SCI ATS'').
---------------------------------------------------------------------------

    Other commenters provided detailed suggestions for a phase-in 
compliance timeline for the requirements of Regulation SCI.\1366\ For 
example, one commenter suggested implementing the rule in three phases 
so that it would apply: (1) After initial six-month delayed 
effectiveness, to SCI systems of current ARP participants that are 
trading, clearance and settlement, and order routing systems, and after 
one additional year, to such systems of non-ARP participants (for at 
least one annual cycle); (2) to indirect SCI systems relating to the 
systems in phase one (for at least one annual cycle); and (3) to SCI 
systems that are market data, regulation and surveillance systems and 
related indirect SCI systems.\1367\ Another commenter believed the rule 
should be phased-in over four stages, where each SCI entity would: (1) 
Review its SCI systems risk-based assessment with Commission staff; (2) 
review and update its policies and procedures to reasonably ensure 
compliance with Regulation SCI; (3) implement such policies and 
procedures; and (4) conduct an annual review.\1368\
---------------------------------------------------------------------------

    \1366\ See MSRB Letter at 39-40; and OCC Letter at 2-3.
    \1367\ See MSRB Letter at 40.
    \1368\ See OCC Letter at 3.

---------------------------------------------------------------------------

    Other commenters recommended individual compliance deadlines for 
certain requirements of Regulation SCI.\1369\ Specifically, two 
commenters suggested that phased-in compliance should be permitted for 
proposed Rule 1000(b)(9) addressing testing of SCI entity business 
continuity and disaster recovery plans by SCI entity members or 
participants.\1370\ Specifically, one commenter believed that, if end-
to-end business continuity and disaster recovery plans testing were to 
be required, it should be phased-in to allow SCI entities to conduct 
testing of specific SCI systems over time, rather than be required to 
conduct a full end-to-end test, which it stated cannot be done within a 
reasonable timeframe.\1371\ The other commenter recommended a phased-in 
approach to implementation of broader BC/DR testing over a period of 
years.\1372\ One commenter recommended that the Commission institute an 
implementation period for the Commission notification requirement under 
proposed Rule 1000(b)(4) to allow SCI entities to prepare for what the 
commenter believed to be an increase in the number of notifications 
that would be required.\1373\ This commenter also noted generally that 
business continuity and end-to-end testing requirements,\1374\ the two-
hour recovery time objective,\1375\ and adopting the required policies 
and procedures may take longer to comply with than other provisions of 
Regulation SCI.\1376\
---------------------------------------------------------------------------

    \1369\ See OCC Letter at 2-3, 11, and 18; and SIFMA Letter at 
18.
    \1370\ See adopted Rule 1004 and supra Section IV.B.6 
(discussing business continuity and disaster recovery plans testing 
requirements).
    \1371\ See OCC Letter at 18.
    \1372\ See SIFMA Letter at 18.
    \1373\ See OCC Letter at 11; see also adopted Rule 1002(b) and 
supra Section IV.B.3.c (discussing the Commission notification 
requirement for SCI events). One commenter also expressed concern 
about SCI entities being able to effectively make submissions on 
Form SCI upon Regulation SCI becoming effective, and urged 
Commission staff to work with the SCI entities in the development, 
testing, and implementation of the Form SCI electronic submission 
system, including provision of any systems requirements (e.g., 
supported browsers, required certificates, or authentication 
protocols). See MSRB Letter at 25. Another commenter requested that 
the Commission provide SCI entities sufficient time to learn the new 
Form SCI submission process, and recommended that the Commission 
delay implementation of Form SCI until SCI entities and Commission 
staff have gained experience with the Regulation SCI reporting 
requirements. See FINRA Letter at 28. In the alternative, this 
commenter recommended that the Commission provide a transition 
period for SCI entities to establish their processes for submission 
of Form SCI. See FINRA Letter at 28.
    \1374\ See adopted Rule 1004 and supra Section IV.B.6 
(discussing business continuity and disaster recovery plans testing 
requirements).
    \1375\ See adopted Rule 1001(a)(2)(v) and supra Section IV.B.1.b 
(discussing the policies and procedures requirement and the two-hour 
recovery time objective).
    \1376\ See OCC Letter at 2-3; see also adopted Rule 1001 and 
supra Sections IV.B.1-2 (discussing the policies and procedures 
requirement for operational capability and systems compliance).
---------------------------------------------------------------------------

    Regulation SCI will become effective 60 days after publication of 
the rules in the Federal Register (``Effective Date''). As proposed, 
SCI entities would have been required to meet the requirements of 
Regulation SCI on the Effective Date. However, after consideration of 
the views of commenters, the Commission has determined to adopt a 
compliance date for Regulation SCI of nine months after the Effective 
Date, except as described below with regard to: (1) ATSs newly meeting 
the thresholds in the definition of ``SCI ATS;'' and (2) the industry- 
or sector-wide coordinated testing requirement, which will have 
different compliance periods. The Commission believes that the 
importance of strengthening the technology infrastructure of key market 
participants, the potential significant risks posed by systems issues 
to the U.S. securities markets, and the significant number of recent 
systems issues at various trading venues, necessitate as prompt an 
implementation of the requirements of Regulation SCI by SCI entities as 
possible. At the same time, the Commission understands that SCI 
entities will need time to prepare for the obligations imposed by 
Regulation SCI and, accordingly, believes that this nine-month time 
frame provides SCI entities adequate time to meet the requirements of 
Regulation SCI. While certain commenters suggested longer compliance 
periods or phased-in compliance periods, the Commission understands 
that entities currently subject to the ARP Inspection Program may 
already comply with certain requirements of Regulation SCI. In 
addition, the Commission also believes that SCI entities that have not 
previously participated in the ARP Inspection Program may also 
currently operate in accordance with certain of the adopted 
requirements. For example, the Commission believes that most SCI 
entities generally have in place policies and procedures designed to 
ensure their systems' capacity, integrity, resiliency, availability, and 
security and that most SCI entities already take corrective actions in 
response to systems issues.
    Further, the Commission notes that, as described above, it has 
further focused the scope of the requirements of Regulation SCI from 
the SCI Proposal and, thus, has lessened the potential burdens on SCI 
entities.\1377\ Therefore, the Commission believes that many of the 
concerns expressed by commenters regarding the time that would be 
needed to prepare for the responsibilities imposed by Regulation SCI 
have been significantly mitigated or addressed by this overall 
refinement of the rules and obligations of SCI entities. For example, 
as discussed above, the Commission has further focused the definition 
of ``SCI systems'' and clarified the scope of ``indirect SCI systems,'' 
which will result in fewer systems being subject to the requirements of 
Regulation SCI.\1378\ In addition, the Commission notification 
provision will require immediate Commission notice of fewer SCI events 
than as proposed as a result of the refining of several definitions and 
the adoption of an exception from the immediate reporting requirements 
for de minimis SCI events, which will instead be subject to 
recordkeeping requirements and/or a quarterly reporting obligation, as 
applicable.\1379\ Further, the Commission has clarified that an SCI 
entity's policies and procedures relating to the capacity, integrity, 
resiliency, availability, and security of its SCI systems and indirect 
SCI systems can be tailored to a particular SCI system's criticality 
and risk, contrary to the belief of some commenters that the rule 
required all systems to be held to the same standards.\1380\ The 
Commission also notes that it expects, prior to the compliance date, 
that its staff will provide information to SCI entities regarding the 
operation of the electronic filing system to submit Forms SCI.
---------------------------------------------------------------------------

    \1377\ See supra Section III (providing a summary of the key 
modifications from the SCI Proposal) and Section IV (providing a 
detailed discussion of changes from the SCI Proposal).
    \1378\ See supra Sections IV.A.2.b and IV.A.2.d (discussing the 
definitions of ``SCI systems'' and ``indirect SCI systems''). The 
Commission notes that the refining of these definitions also reduces 
the need to phase-in compliance based on type of system as suggested 
by one commenter, because fewer systems overall will be subject to 
the regulation than proposed and many systems for which the 
commenter urged a delay in compliance will not be covered by the 
regulation, as adopted.
    \1379\ See supra Section IV.B.3.c (discussing the Commission 
notification requirement). As discussed above, SCI entities will be 
required to make, keep, and preserve records relating to all de 
minimis SCI events and to report de minimis systems disruptions and 
de minimis systems intrusions quarterly.
    \1380\ See supra Section IV.B.1 (discussing the requirement for 
policies and procedures to achieve capacity, integrity, resiliency, 
availability, and security).
---------------------------------------------------------------------------

    With regard to some commenters' suggestions that there should be 
different compliance periods for SCI entities currently subject to the 
ARP Inspection Program and those that do not currently participate in 
the ARP Inspection Program (or phased-in compliance based, in part, on 
this distinction), as noted above, the Commission believes that both 
categories of entities already have some level of processes or 
procedures in place that are in compliance with the requirements of 
Regulation SCI. Further, given the voluntary nature of the current ARP 
Inspection Program, the Commission believes that the extent of current 
compliance with the requirements of adopted Regulation SCI by entities 
subject to the ARP Inspection Program varies for different entities. In 
addition, as noted above, Regulation SCI has a broader scope than the 
current ARP Inspection Program and imposes mandatory requirements on 
entities subject to the rules, and accordingly will require all SCI 
entities (both ARP entities and non-ARP entities) to take steps, 
including implementing necessary systems changes, to meet the 
requirements of Regulation SCI. For these reasons, the Commission 
believes that it is appropriate to provide all SCI entities nine months 
to become compliant with the requirements of Regulation SCI.
    With regard to two commenters' suggestions that the Commission 
should adopt specific phased-in compliance periods based on type of 
entity (i.e., ARP or non-ARP), type of system, or other factors, the 
Commission believes that such an approach is not necessary for the 
reasons stated above. Further, the Commission believes that having 
multiple phases of compliance would create unnecessary complexity and 
raise practical difficulties for implementation.
    At the same time, the Commission believes that it is appropriate to 
provide additional compliance periods for limited aspects of Regulation 
SCI, as requested by some commenters. Specifically, the Commission 
believes that ATSs meeting the volume thresholds in the definition of 
``SCI ATS'' for the first time should be provided an additional six 
months from the time that the ATS first meets the applicable thresholds 
to comply with the requirements of Regulation SCI.\1381\ The Commission 
believes that this additional six-month period is appropriate and 
necessary to allow an SCI ATS the time needed to take steps to meet the 
requirements of the rules, rather than requiring compliance immediately 
upon meeting the volume thresholds. The Commission also believes that 
this additional compliance period should give a new ATS entrant the 
opportunity to initiate and develop its business by allowing additional 
time before a new ATS must incur the costs associated with compliance 
with Regulation SCI.\1382\
---------------------------------------------------------------------------

    \1381\ See supra note 1365 and accompanying text. See also supra 
Section IV.A.1.b (discussing the definition of ``SCI ATS,'' 
including the applicable volume thresholds and the inclusion of a 
six-month compliance period within the definition). For example, if 
a new ATS begins operations in January 2016 and subsequently meets 
the volume thresholds in the definition of ``SCI ATS'' for four out 
of the six months ending December 31, 2016, it would have until June 
30, 2017 to become compliant with the requirements of Regulation 
SCI.
    \1382\ See supra note 152 and accompanying text.
---------------------------------------------------------------------------

    The Commission is also adopting a longer compliance period with 
regard to the industry- or sector-wide coordinated testing requirement 
in adopted Rule 1004(d).\1383\ Specifically, SCI entities will have 21 
months from the Effective Date to coordinate the testing of an SCI 
entity's business continuity and disaster recovery plans on an 
industry- or sector-wide basis with other SCI entities pursuant to 
adopted Rule 1004(d). Given that the compliance date for the other 
requirements of Regulation SCI is nine months from the Effective Date, 
this will provide SCI entities an additional year (12 months) beyond 
the compliance date for the other requirements of Regulation SCI (for a 
total of 21 months) to comply with Rule 1004(d). The Commission 
believes that this additional time period is appropriate in light of 
commenters' concerns regarding the complexity and logistical challenges 
posed by the requirement.\1384\ The Commission expects SCI entities to 
work cooperatively to address these logistical hurdles and to carefully 
plan such testing, and believes that the additional time for compliance 
should help to ensure that such testing is implemented effectively.
---------------------------------------------------------------------------

    \1383\ See supra Section IV.B.6.b.iv (discussing the coordinated 
testing requirement of adopted Rule 1004(d)).
    \1384\ See id.
---------------------------------------------------------------------------

    If any provision of Regulation SCI, or the application thereof to 
any person or circumstance, is held to be invalid, such invalidity 
shall not affect other provisions or application of such provisions to 
other persons or circumstances that can be given effect without the 
invalid provision or application.

V. Paperwork Reduction Act

    Certain rules under Regulation SCI impose new ``collection of 
information'' requirements within the meaning of the Paperwork 
Reduction Act of 1995 (``PRA'').\1385\ An agency may not conduct or 
sponsor, and a person is not required to respond to, a collection of 
information unless it displays a currently valid control number. In 
accordance with 44 U.S.C. 3507 and 5 CFR 1320.11, the Commission 
submitted these collections of information to the Office of Management 
and Budget (``OMB'') for review. The title for the collection of 
information requirement is ``Regulation Systems Compliance and 
Integrity.'' The collection of information was assigned OMB Control No. 
3235-0703.
---------------------------------------------------------------------------

    \1385\ 44 U.S.C. 3501 et seq.
---------------------------------------------------------------------------

    In the SCI Proposal, the Commission solicited comments on the 
collection of information burdens associated with Regulation SCI. In 
particular, the Commission asked whether commenters agree with the 
Commission's estimate of the number of respondents and the burden 
associated with compliance with Regulation SCI.\1386\ In addition, the 
Commission asked whether SCI entities would outsource the work 
associated with compliance with Regulation SCI.\1387\ Some commenters 
noted that the Commission underestimated the burdens that would be 
imposed by proposed Regulation SCI.\1388\ As discussed above, the 
Commission received 60 comment letters on the proposal. Some of these 
comments relate directly or indirectly to the PRA. These comments are 
addressed below.
---------------------------------------------------------------------------

    \1386\ See Proposing Release, supra note 13, at 18155.
    \1387\ See id. at 18154-55.
    \1388\ See, e.g., Joint SRO Letter at 18-19; CME Letter at 4-5; 
OCC Letter at 11-12.
---------------------------------------------------------------------------

A. Summary of Collection of Information

    Regulation SCI includes four categories of obligations that require 
a collection of information within the meaning of the PRA. 
Specifically, an SCI entity is required to: (1) Establish specified 
written policies and procedures, and mandate participation by 
designated members or participants in certain testing of the SCI 
entity's business continuity and disaster recovery plans; (2) provide 
certain notifications, disseminate certain information, and create 
reports; (3) take corrective actions, and identify critical SCI 
systems, major SCI events, de minimis SCI events, and material systems 
changes; and (4) comply with recordkeeping requirements.
1. Requirements To Establish Written Policies and Procedures and 
Mandate Participation in Certain Testing
    Rule 1001 requires SCI entities to establish policies and 
procedures with respect to various matters. Rule 1001(a) requires each 
SCI entity to establish, maintain, and enforce written policies and 
procedures reasonably designed to ensure that its SCI systems and, for 
purposes of security standards, indirect SCI systems, have levels of 
capacity, 
integrity, resiliency, availability, and security, adequate to maintain 
the SCI entity's operational capability and promote the maintenance of 
fair and orderly markets. Rule 1001(a)(2) specifies that such policies 
and procedures are required to include, at a minimum: (i) The 
establishment of reasonable current and future technology 
infrastructure capacity planning estimates; (ii) periodic capacity 
stress tests of such systems to determine their ability to process 
transactions in an accurate, timely, and efficient manner; (iii) a 
program to review and keep current systems development and testing 
methodology for such systems; (iv) regular reviews and testing, as 
applicable, of such systems, including backup systems, to identify 
vulnerabilities pertaining to internal and external threats, physical 
hazards, and natural or manmade disasters; (v) business continuity and 
disaster recovery plans that include maintaining backup and recovery 
capabilities sufficiently resilient and geographically diverse and that 
are reasonably designed to achieve next business day resumption of 
trading and two-hour resumption of critical SCI systems following a 
wide-scale disruption; (vi) standards that result in such systems being 
designed, developed, tested, maintained, operated, and surveilled in a 
manner that facilitates the successful collection, processing, and 
dissemination of market data; and (vii) monitoring of such systems to 
identify potential SCI events. Rule 1001(a)(3) requires each SCI entity 
to periodically review the effectiveness of the policies and procedures 
required by Rule 1001(a), and take prompt action to remedy deficiencies 
in such policies and procedures. Rule 1001(a)(4) states that an SCI 
entity's policies and procedures shall be deemed to be reasonably 
designed if they are consistent with current SCI industry standards, 
which are required to be comprised of information technology practices 
that are widely available to information technology professionals in 
the financial sector and issued by an authoritative body that is a U.S. 
governmental entity or agency, association of U.S. governmental 
entities or agencies, or widely recognized organization, though 
compliance with current SCI industry standards is not the exclusive 
means to comply with the requirements of Rule 1001(a).
    Rule 1001(b)(1) requires each SCI entity to establish, maintain, 
and enforce written policies and procedures reasonably designed to 
ensure that its SCI systems operate in a manner that complies with the 
Act and rules and regulations thereunder and the entity's rules and 
governing documents, as applicable. Rule 1001(b)(2) specifies that such 
policies and procedures are required to include, at a minimum: (i) 
Testing of all SCI systems and any changes to SCI systems prior to 
implementation; (ii) a system of internal controls over changes to SCI 
systems; (iii) a plan for assessments of the functionality of SCI 
systems designed to detect systems compliance issues, including by 
responsible SCI personnel and by personnel familiar with applicable 
provisions of the Act and the rules and regulations thereunder and the 
SCI entity's rules and governing documents; and (iv) a plan of 
coordination and communication between regulatory and other personnel 
of the SCI entity, including by responsible SCI personnel, regarding 
SCI systems design, changes, testing, and controls designed to detect 
and prevent systems compliance issues. Rule 1001(b)(3) requires each 
SCI entity to periodically review the effectiveness of the policies and 
procedures required by Rule 1001(b), and take prompt action to remedy 
deficiencies in such policies and procedures. Further, pursuant to Rule 
1001(b)(4), personnel of an SCI entity is deemed not to have aided, 
abetted, counseled, commanded, caused, induced, or procured the 
violation by an SCI entity of Rule 1001(b) if the person: (i) Has 
reasonably discharged the duties and obligations incumbent upon such 
person by the SCI entity's policies and procedures; and (ii) was 
without reasonable cause to believe that the policies and procedures 
relating to an SCI system for which such person was responsible, or had 
supervisory responsibility, were not established, maintained, or 
enforced in accordance with Rule 1001(b) in any material respect.
    Rule 1001(c)(1) requires each SCI entity to establish, maintain, 
and enforce reasonably designed written policies and procedures that 
include the criteria for identifying responsible SCI personnel, the 
designation and documentation of responsible SCI personnel, and 
escalation procedures to quickly inform responsible SCI personnel of 
potential SCI events. Rule 1001(c)(2) requires each SCI entity to 
periodically review the effectiveness of the policies and procedures 
required by Rule 1001(c)(1), and take prompt action to remedy 
deficiencies in such policies and procedures.
    Rule 1004 requires an SCI entity, with respect to its business 
continuity and disaster recovery plans, including its backup systems, 
to: (a) Establish standards for the designation of those members or 
participants that the SCI entity reasonably determines are, taken as a 
whole, the minimum necessary for the maintenance of fair and orderly 
markets in the event of the activation of such plans; and (b) designate 
members or participants pursuant to such standards and require 
participation by such members or participants in scheduled functional 
and performance testing of the operation of such plans, in the manner 
and frequency as specified by the SCI entity, at least once every 12 
months (e.g., for SCI SROs, by submitting proposed rule changes under 
Section 19(b) of the Exchange Act; for SCI ATSs, by revising membership 
or subscriber agreements and internal procedures; for plan processors, 
through an amendment to an SCI Plan under Rule 608 of Regulation NMS; 
and, for exempt clearing agencies subject to ARP, by revising 
participant agreements and internal procedures). Rule 1004(c) requires 
an SCI entity to coordinate such required testing on an industry- or 
sector-wide basis with other SCI entities.
2. Notification, Dissemination, and Reporting Requirements for SCI 
Entities
    Certain rules under Regulation SCI require SCI entities to notify 
or report information to the Commission, or disseminate information to 
their members or participants. Rules 1002 and 1003 each contain 
notification, dissemination, or reporting requirements.\1389\
---------------------------------------------------------------------------

    \1389\ To access EFFS, the secure Commission Web site for filing 
of Form SCI, an SCI entity will submit to the Commission an External 
Application User Authentication Form (``EAUF'') to register each 
individual at the SCI entity who will access the EFFS system on 
behalf of the SCI entity. Upon receipt and verification of the 
information in the EAUF process, the Commission will issue each such 
person a User ID and Password to permit access to the Commission's 
secure Web site.
---------------------------------------------------------------------------

    Rule 1002(b) requires Commission notification of SCI events. Rule 
1002(b)(1) requires an SCI entity to immediately notify the Commission 
upon any responsible SCI personnel having a reasonable basis to 
conclude that an SCI event has occurred. These notifications may be 
made orally or in writing.
    Rule 1002(b)(2) requires an SCI entity, within 24 hours of any 
responsible SCI personnel having a reasonable basis to conclude that an 
SCI event has occurred, to submit a written notification to the 
Commission on Form SCI pertaining to such SCI event.\1390\ 
Rule 1002(b)(2) requires that this notification include: (i) A 
description of the SCI event, including the system(s) affected; and 
(ii) to the extent available as of the time of the notification, the 
SCI entity's current assessment of the types and number of market 
participants potentially affected by the SCI event, the potential 
impact of the SCI event on the market, a description of the steps the 
SCI entity has taken, is taking, or plans to take, with respect to the 
SCI event, the time the SCI event was resolved or timeframe within 
which the SCI event is expected to be resolved, and any other pertinent 
information known by the SCI entity about the SCI event.
---------------------------------------------------------------------------

    \1390\ This notification is required to be submitted on a good 
faith, best efforts basis.
---------------------------------------------------------------------------

    Rule 1002(b)(3) requires an SCI entity, until an SCI event is 
resolved and the SCI entity's investigation of the SCI event is closed, 
to provide updates pertaining to such SCI event to the Commission on a 
regular basis, or at such frequency as reasonably requested by a 
representative of the Commission, to correct any materially incorrect 
information previously provided, or when new information is discovered 
(including but not limited to any of the information listed in Rule 
1002(b)(2)(ii)). The updates under Rule 1002(b)(3) may be made orally 
or in writing.
    Rule 1002(b)(4) states that, if an SCI event is resolved and the 
SCI entity's investigation of the SCI event is closed within 30 
calendar days of the occurrence of the event, then within 5 business 
days after the resolution of the SCI event and closure of the 
investigation regarding the SCI event, the SCI entity is required to 
submit a final written notification to the Commission pertaining to the 
SCI event. This notification is required to include: (i) A detailed 
description of the SCI entity's assessment of the types and number of 
market participants affected by the SCI event, the SCI entity's 
assessment of the impact of the SCI event on the market, the steps that 
the SCI entity has taken, is taking, or plans to take with respect to 
the SCI event, the time the SCI event was resolved, the SCI entity's 
rule(s) and/or governing document(s), as applicable, that relate to the 
SCI event, and any other pertinent information known by the SCI entity 
about the SCI event; (ii) a copy of any information disseminated 
pursuant to Rule 1002(c) by the SCI entity to date regarding the SCI 
event to any of its members or participants; and (iii) an analysis of 
parties that may have experienced a loss, whether monetary or 
otherwise, due to the SCI event, the number of such parties, and an 
estimate of the aggregate amount of such loss. Rule 1002(b)(4)(iv) 
further states that, if an SCI event is not resolved or the SCI 
entity's investigation of the SCI event is not closed within 30 days of 
the occurrence of the SCI event, then the SCI entity is required to 
submit an interim written notification pertaining to such event within 
30 calendar days after the occurrence of the event, containing the 
information required by Rule 1002(b)(4)(ii) to the extent known at that 
time. Within 5 business days after the resolution of such event and 
closure of the investigation, the SCI entity is required to submit a 
final written notification to the Commission, containing the 
information required by Rule 1002(b)(4)(ii).
    Rule 1002(b)(5) states that the requirements of Rules 
1002(b)(1)-(4) do not apply to de minimis SCI events. Instead, for these types of 
SCI events, an SCI entity is required to make, keep, and preserve 
records relating to these events, and submit to the Commission 
quarterly reports containing a summary description of de minimis 
systems disruptions and de minimis systems intrusions, including the 
SCI systems and, for systems intrusions, indirect SCI systems, affected 
by such systems disruptions and systems intrusions during the 
applicable calendar quarter.
    Rule 1002(c) requires the dissemination of information regarding 
certain SCI events and specifies the nature and timing of such 
dissemination. Rule 1002(c)(1)(i) requires an SCI entity, promptly 
after any responsible SCI personnel has a reasonable basis to conclude 
that a systems disruption or systems compliance issue has occurred, to 
disseminate the following information about such SCI event: (A) The 
system(s) affected by the SCI event; and (B) a summary description of 
the SCI event. In addition, Rule 1002(c)(1)(ii) requires an SCI entity, 
when known, to further disseminate the following information: (A) A 
detailed description of the SCI event; (B) the SCI entity's current 
assessment of the types and number of market participants potentially 
affected by the SCI event; and (C) a description of the progress of its 
corrective action for the SCI event and when the SCI event has been or 
is expected to be resolved. Rule 1002(c)(1)(iii) requires that an SCI 
entity provide regular updates of the information required to be 
disseminated under Rule 1002(c)(1)(i) and (ii).
    With respect to systems intrusions, Rule 1002(c)(2) states that, 
promptly after any responsible SCI personnel has a reasonable basis to 
conclude that a systems intrusion has occurred, an SCI entity is 
required to disseminate a summary description of the systems intrusion, 
including a description of the corrective action taken by the SCI 
entity and when the systems intrusion has been or is expected to be 
resolved, unless the SCI entity determines that dissemination of such 
information would likely compromise the security of the SCI entity's 
SCI systems or indirect SCI systems, or an investigation of the systems 
intrusion, and documents the reasons for such determination.\1391\
---------------------------------------------------------------------------

    \1391\ Rule 1002(c)(3) provides that the information specified 
in Rules 1002(c)(1) and (2) is required to be disseminated to 
members or participants of the SCI entity that a responsible SCI 
personnel has reasonably estimated may have been affected by the SCI 
event, and promptly disseminated to any additional members or 
participants that any responsible SCI personnel subsequently 
reasonably estimates may have been affected by the SCI event. 
However, information regarding major SCI events must be disseminated 
to all members or participants of an SCI entity.
---------------------------------------------------------------------------

    Rule 1002(c)(4) provides that the information dissemination 
requirement does not apply to SCI events to the extent they relate to 
market regulation or market surveillance systems, or to any de minimis 
SCI events.
    Rule 1003(a)(1) requires an SCI entity, within 30 calendar days 
after the end of each calendar quarter, to submit to the Commission a 
report describing completed, ongoing, and planned material changes to 
its SCI systems and the security of indirect SCI systems, during the 
prior, current, and subsequent calendar quarters, including the dates 
or expected dates of commencement and completion. Rule 1003(a)(2) 
further requires an SCI entity to promptly submit a supplemental report 
to notify the Commission of a material error in or material omission 
from a report previously submitted under Rule 1003(a).
    Rules 1003(b)(1) and (2) require an SCI entity to conduct periodic 
SCI reviews of its compliance with Regulation SCI,\1392\ and to submit 
a report of the SCI review to senior management of the SCI entity for 
review no more than 30 calendar days after completion of such SCI 
review. Rule 1003(b)(3) also requires an SCI entity to submit to the 
Commission, and to the board of directors of the SCI entity or the 
equivalent of such board, a report of the SCI review, together with any 
response by senior management, within 
60 calendar days after its submission to senior management of the SCI 
entity.
---------------------------------------------------------------------------

    \1392\ SCI entities are required to conduct an SCI review not 
less than once each calendar year. However, under Rule 
1003(b)(1)(i), penetration test reviews of the network, firewalls, 
and production systems are required to be conducted not less than 
once every three years. Under Rule 1003(b)(1)(ii), assessments of 
SCI systems directly supporting market regulation or market 
surveillance are required to be conducted at a frequency based on 
risk assessment, but not less than once every three years.
---------------------------------------------------------------------------

    Rule 1006 requires any notifications to the Commission required to 
be submitted under Regulation SCI, except notifications pursuant to 
Rule 1002(b)(1) or 1002(b)(3), to be filed electronically on Form SCI, 
include all information as prescribed in Form SCI and the instructions 
thereto, and contain an electronic signature. In addition, pursuant to 
Rule 1006(b), the signatory to an electronically filed Form SCI is 
required to manually sign a signature page or document authenticating, 
acknowledging, or otherwise adopting his or her signature that appears 
in typed form within the electronic filing. Such document is required 
to be retained by the SCI entity in accordance with Rule 1005.
3. Requirements To Take Corrective Action and Identify Critical SCI 
Systems, Major SCI Events, De Minimis SCI Events, and Material Systems 
Changes
    Rule 1002(a) requires an SCI entity, upon any responsible SCI 
personnel having a reasonable basis to conclude that an SCI event has 
occurred, to begin to take appropriate corrective action, which is 
required to include, at a minimum, mitigating potential harm to 
investors and market integrity resulting from the SCI event and 
devoting adequate resources to remedy the SCI event as soon as 
reasonably practicable. The Commission believes that SCI entities are 
likely to work to develop a written process for ensuring that they are 
prepared to comply with the corrective action requirement and are 
likely to also periodically review this process.
    In connection with the reporting of material systems changes, Rule 
1003(a)(1) requires an SCI entity to establish reasonable written 
criteria for identifying a change to its SCI systems and the security 
of indirect SCI systems as material. In addition, because the 
Commission notification and information dissemination requirements 
under Rules 1002(b) and (c), respectively, apply differently to SCI 
events depending on whether an event is a ``major SCI event'' or 
whether the event has no or a de minimis impact on the SCI entity's 
operations or on market participants, when an SCI event occurs, an SCI 
entity must determine whether an SCI event is a major SCI event or a de 
minimis SCI event. Moreover, because the business continuity and 
disaster recovery policies and procedures requirement under Rule 
1001(a)(2)(v) imposes different resumption goals for critical SCI 
systems as compared to other SCI systems, an SCI entity must determine 
whether an SCI system is a critical SCI system.\1393\ As such, SCI 
entities would likely work to develop a written process for ensuring 
that they are able to make timely and accurate determinations regarding 
the nature of an SCI system or SCI event, and periodically review this 
process.
---------------------------------------------------------------------------

    \1393\ Also, pursuant to the definition of ``major SCI event,'' 
in determining whether an SCI event is a major SCI event, an SCI 
entity is required to consider whether an SCI event can have any 
impact on a critical SCI system. See Rule 1000.
---------------------------------------------------------------------------

4. Recordkeeping Requirements
    Rule 1005 sets forth recordkeeping requirements for SCI entities. 
Under Rule 1005(a), SCI SROs are required to make, keep, and preserve 
all documents relating to their compliance with Regulation SCI as 
prescribed in Rule 17a-1 under the Exchange Act. Under Rule 1005(b), 
each SCI entity that is not an SCI SRO is required to make, keep, and 
preserve at least one copy of all documents, including correspondence, 
memoranda, papers, books, notices, accounts, and other such records, 
relating to its compliance with Regulation SCI, including, but not 
limited to, records relating to any changes to its SCI systems and 
indirect SCI systems. Each SCI entity that is not an SCI SRO is 
required to keep all such documents for a period of not less than five 
years, the first two years in a place that is readily accessible to the 
Commission or its representatives for inspection and examination. Upon 
request of any representative of the Commission, such SCI entities 
would be required to promptly furnish to the possession of such 
representative copies of any documents required to be kept and 
preserved by it under Rules 1005(b)(1) and (2). Under Rule 1005(c), 
upon or immediately prior to ceasing to do business or ceasing to be 
registered under the Exchange Act, an SCI entity is required to take 
all necessary action to ensure that the records required to be made, 
kept, and preserved by Rule 1005 will be accessible to the Commission 
and its representatives in the manner required by Rule 1005 and for the 
remainder of the period required by Rule 1005.
    In addition, Rule 1007 provides that, if the records required to be 
filed or kept by an SCI entity under Regulation SCI are prepared or 
maintained by a service bureau or other recordkeeping service on behalf 
of the SCI entity, the SCI entity is required to ensure that the 
records are available for review by the Commission and its 
representatives by submitting a written undertaking, in a form 
acceptable to the Commission, by such service bureau or other 
recordkeeping service and signed by a duly authorized person at such 
service bureau or other recordkeeping service.

B. Use of Information

1. Requirements To Establish Written Policies and Procedures and 
Mandate Participation in Certain Testing
    The requirement that SCI entities establish policies and procedures 
under adopted Rule 1001(a) should advance the goal of improving 
Commission review and oversight of U.S. securities market 
infrastructure by requiring an SCI entity's policies and procedures to 
be reasonably designed to ensure its own operational capability, 
including the ability to maintain effective operations, minimize or 
eliminate the effect of performance degradations, and have sufficient 
backup and recovery capabilities. Because an SCI entity's own 
operational capability can have the potential to impact investors, the 
overall market, or the trading of individual securities, the Commission 
believes that these policies and procedures will help promote the 
maintenance of fair and orderly markets.
    The Commission believes that Rule 1001(b), which requires each SCI 
entity to establish, maintain, and enforce written policies and 
procedures reasonably designed to ensure that its SCI systems operate 
in a manner that complies with the Exchange Act and the rules and 
regulations thereunder and the entity's rules and governing documents, 
as applicable, will help to prevent the occurrence of systems 
compliance issues. In addition, the Commission believes Rule 1001(b) 
will help to: Ensure that SCI SROs comply with Section 19(b)(1) of the 
Exchange Act; reinforce existing SRO rule filing processes to assist 
market participants and the public in understanding how the SCI systems 
of SCI SROs are intended to operate; and assist SCI SROs in meeting 
their obligations to file plan amendments to SCI Plans under Rule 608 
of Regulation NMS. It should similarly help other SCI entities to 
achieve operational compliance with the Exchange Act, the rules and 
regulations thereunder, and their governing documents.
    The requirement to establish policies and procedures pursuant to 
Rule 1001(c) that include the designation and documentation of 
responsible SCI personnel should help make it clear to all employees of 
the SCI entity who the designated responsible SCI personnel are for 
purposes of the escalation procedures and so that Commission staff

[[Page 72372]]

can easily identify such responsible SCI personnel in the course of its 
inspections and examinations and other interactions with SCI entities. 
The Commission also believes that escalation procedures to quickly 
inform responsible SCI personnel of potential SCI events will help 
ensure that the appropriate person(s) are provided notice of potential 
SCI events so that any appropriate actions can be taken in accordance 
with the requirements of Regulation SCI without unnecessary delay.
    The Commission believes that the requirement that SCI entities 
establish standards that require designated members or participants to 
participate in the testing of their business continuity and disaster 
recovery plans will help reduce the risks associated with an SCI 
entity's decision to activate its BC/DR plans and help to ensure that 
such plans operate as intended, if activated. The testing participation 
requirement should help an SCI entity to ensure that its efforts to 
develop effective BC/DR plans are not undermined by a lack of 
participation by members or participants that the SCI entity believes 
are necessary to the successful activation of such plans. This 
requirement should also assist the Commission in maintaining fair and 
orderly markets in a BC/DR scenario following a wide-scale disruption.
2. Notification, Dissemination, and Reporting Requirements for SCI 
Entities
    Adopted Rule 1002(b), including adopted Rules 1002(b)(1)-(3), will 
foster a system for comprehensive reporting of SCI events, which should 
enhance the Commission's review and oversight of U.S. securities market 
infrastructure and foster cooperation between the Commission and SCI 
entities in responding to SCI events. The Commission also believes that 
the aggregated data that will result from the reporting of SCI events 
will enhance its ability to comprehensively analyze the nature and 
types of various SCI events and identify more effectively areas of 
persistent or recurring problems across the systems of all SCI 
entities. The information in the final report required under Rule 
1002(b)(4) should provide the Commission with a comprehensive analysis 
to more fully understand and assess the impact caused by the SCI event. 
The Commission expects that the quarterly reporting required by Rule 
1002(b)(5) will better achieve the goal of keeping Commission staff 
informed regarding the nature and frequency of systems disruptions and 
systems intrusions that arise but are reasonably estimated by the SCI 
entity to have a de minimis impact on the entity's operations or on 
market participants. Further, submission and review of regular reports 
should facilitate Commission staff comparisons among SCI entities and 
thereby permit the Commission and its staff to have a more holistic 
view of the types of systems operations challenges that were posed to 
SCI entities in the aggregate.
    Adopted Rule 1002(c) advances the Commission's goal of promoting 
fair and orderly markets by disseminating information about an SCI 
event to some or all of the SCI entity's members or participants, who 
can use such information to evaluate the event's impact on their 
trading and other activities and develop an appropriate response.
    The quarterly material systems change reports required by Rule 
1003(a) should permit the Commission and its staff to have up-to-date 
information regarding an SCI entity's systems development progress and 
plans, and help the Commission with its oversight of U.S. securities 
market infrastructure.
    The SCI reviews under Rule 1003(b) should not only assist the 
Commission in improving its oversight of the technology infrastructure 
of SCI entities, but also each SCI entity in assessing the 
effectiveness of its information technology practices, helping to 
ensure compliance with the safeguards provided by the requirements of 
Regulation SCI, identifying potential areas of weakness that require 
additional or modified controls, and determining where to best devote 
resources.
    Rule 1006 provides a uniform manner in which the Commission would 
receive--and SCI entities would provide--written notifications, 
reviews, descriptions, analyses, or reports made pursuant to Regulation 
SCI. The Commission believes that Rule 1006 therefore allows SCI 
entities to efficiently draft and submit the required reports, and for 
the Commission to efficiently review, analyze, and respond to the 
information provided.
    As noted above, in order to access EFFS, an SCI entity will submit 
to the Commission an EAUF to register each individual at the SCI entity 
who accesses the EFFS system on behalf of the SCI entity. The information 
provided via EAUF will be used by the Commission to verify the identity 
of the individual submitting Form SCI on behalf of the SCI entity and 
provide such individual access to the EFFS.
3. Requirements To Take Corrective Action and Identify Critical SCI 
Systems, Major SCI Events, De Minimis SCI Events, and Material Systems 
Changes
    The requirement that SCI entities begin to take appropriate 
corrective action upon any responsible SCI personnel having a 
reasonable basis to conclude that an SCI event has occurred, and the 
policies and procedures SCI entities would likely use to implement this 
requirement, should help facilitate SCI entities' responses to SCI 
events, including taking appropriate steps necessary to remedy the 
problem or problems causing such SCI event and mitigate the negative 
effects of the SCI event, if any, on market participants and the 
securities markets more broadly. The requirement that each SCI entity 
establish written criteria for identifying material systems changes 
should help the Commission ensure that it is kept apprised of the 
systems changes that SCI entities believe to be material and aid the 
Commission and its staff in understanding the operations and 
functionality of the systems of an SCI entity and any changes to such 
systems. The Commission expects that the application of different 
requirements (e.g., Commission notification requirements and 
information dissemination requirements) to critical SCI systems, major 
SCI events, and de minimis SCI events, and the policies and procedures 
required by SCI entities to make these determinations, will help to 
ensure that the Commission is kept apprised of SCI events, and that 
relevant market participants have basic information about SCI events so 
that those notified can better develop an appropriate response. These 
policies and procedures should also assist SCI entities in complying 
with the notification, dissemination and reporting requirements of 
Regulation SCI.
4. Recordkeeping Requirements
    Rule 1005 requires each SCI entity to make, keep, and preserve 
records relating to its compliance with Regulation SCI because such 
records should assist the Commission in understanding whether an SCI 
entity is meeting its obligations under Regulation SCI, assessing 
whether an SCI entity has appropriate policies and procedures with 
respect to its technology systems, helping to identify the causes and 
consequences of an SCI event, and understanding the types of material 
systems changes occurring at an SCI entity. The Commission expects that 
Rule 1005 will also facilitate the

[[Page 72373]]

Commission's inspections and examinations of SCI entities and assist it 
in evaluating an SCI entity's compliance with Regulation SCI. Moreover, 
having an SCI entity's records available even after it has ceased to do 
business or to be registered under the Exchange Act should provide an 
additional tool to help the Commission to reconstruct important market 
events and better understand the impact of such events.
    Rule 1007 should help ensure the Commission's ability to obtain 
required records that are held by a third party who may not otherwise 
have an obligation to make such records available to the Commission.

C. Respondents

    The ``collection of information'' requirements contained in 
Regulation SCI apply to SCI entities, as described below. Currently, 
there are 27 entities that would satisfy the definition of SCI 
SRO,\1394\ 14 entities that would satisfy the definition of SCI 
ATS,\1395\ 2 entities that would satisfy the definition of plan 
processor,\1396\ and 1 entity that would meet the definition of exempt 
clearing agency subject to ARP.\1397\ Accordingly, the Commission 
estimates that there are currently 44 entities that meet the definition 
of SCI entity and are subject to the collection of information 
requirements of Regulation SCI.
---------------------------------------------------------------------------

    \1394\ See supra notes 74-77 and accompanying text (listing 18 
registered national securities exchanges, 7 registered clearing 
agencies, FINRA, and the MSRB). See also supra note 80 and 
accompanying text.
    \1395\ See supra notes 150 and 175 and accompanying text.
    \1396\ See supra note 202 and accompanying text.
    \1397\ See supra note 203 and accompanying text.
---------------------------------------------------------------------------

D. Total Initial and Annual Reporting and Recordkeeping Burdens

    The Commission notes that national securities exchanges, national 
securities associations, registered clearing agencies, plan processors, 
one ATS, and one exempt clearing agency currently participate in the 
ARP Inspection Program. Under the ARP Inspection Program, Commission 
staff conducts inspections of these entities, attends periodic 
technology briefings by staff of these entities, monitors planned 
significant systems changes, and responds to reports of systems 
failures, disruptions, and other systems problems of these 
entities.\1398\
---------------------------------------------------------------------------

    \1398\ See supra Section II.A.
---------------------------------------------------------------------------

    Under Regulation SCI, many of the principles of the ARP policy 
statements with which some SCI entities are familiar are codified. As 
such, current practices of these SCI entities already comply with 
certain requirements of Regulation SCI.\1399\ However, because 
Regulation SCI has a broader scope than the current ARP Inspection 
Program and imposes mandatory recordkeeping obligations on SCI 
entities,\1400\ the Commission believes Regulation SCI will impose 
paperwork burdens on all SCI entities.
---------------------------------------------------------------------------

    \1399\ In addition, some SCI entities already comply with 
certain requirements of Regulation SCI to some extent as a matter of 
prudent business practice or pursuant to other rules. For example, 
as noted above, FINRA Rule 4370 includes requirements for FINRA 
members related to business continuity plans. See supra note 115. In 
addition, NASD Rule 3010 and FINRA Rule 3130 include requirements 
for FINRA members related to procedures to achieve compliance with 
applicable securities laws and regulations and certain SRO rules. 
See supra note 115. Further, FINRA Rule 4530 includes reporting 
requirements related to certain compliance issues. See supra note 
115. Compliance with existing requirements under FINRA rules could 
help SCI ATSs to comply with Regulation SCI. Therefore, the 
Commission acknowledges that SCI ATSs may experience a lower 
paperwork burden in complying with certain provisions of Regulation 
SCI than some other SCI entities. However, unlike SCI entities that 
participate in the ARP Inspection Program (where in many instances 
the Commission has estimated a 50% reduction in SCI entity staff 
compliance burden as compared to other SCI entities when estimating 
paperwork costs with regard to Regulation SCI requirements due to 
participation in the ARP inspection program), the Commission 
believes that any reduction in burden resulting from compliance with 
these FINRA and NASD rules is unlikely to be significant.
    \1400\ As discussed more fully in supra Section IV.C.1, SCI SROs 
are already subject to existing recordkeeping and retention 
requirements under Rule 17a-1.
---------------------------------------------------------------------------

    The Commission's total burden estimates in this Paperwork Reduction 
Act section reflect the total burdens on all SCI entities, taking into 
account the extent to which some SCI entities already comply with some 
of the requirements of Regulation SCI. The Commission also notes that 
the burden estimates per SCI entity are intended to reflect the average 
paperwork burden for each SCI entity to comply with Regulation SCI. 
Therefore, some SCI entities may experience more burden than the 
Commission's estimates, while others may experience less. The 
Commission notes that the burden figures set forth in this section are 
the Commission's estimate of the paperwork burden for compliance with 
Regulation SCI based on a variety of sources, including Commission 
staff's experience with the current ARP Inspection Program, other 
similar estimated burdens for analogous rulemakings, and comments 
received on the burden estimates in the SCI Proposal.\1401\
---------------------------------------------------------------------------

    \1401\ The Commission also notes that the allocation of burden 
hours between staff and managers of an SCI entity that are 
identified in this section is intended to reflect the Commission's 
estimate of the broad categories of SCI entity personnel who will be 
involved in compliance with Regulation SCI. The Commission 
recognizes that some SCI entities may have additional subcategories 
of staff or managers who will be involved in compliance with 
Regulation SCI (e.g., information security staff may be a 
subcategory of systems analysts), whereas other SCI entities may not 
have the specific categories of staff or managers that are 
identified in this section.
---------------------------------------------------------------------------

1. Requirements To Establish Written Policies and Procedures and 
Mandate Participation in Certain Testing
    The rules under Regulation SCI that would require an SCI entity to 
establish policies and procedures and to mandate member or participant 
participation in business continuity and disaster recovery plan testing 
are discussed more fully in Sections IV.B.1, IV.B.2, and IV.B.6 above.
a. Policies and Procedures
    In the SCI Proposal, the Commission estimated that an SCI entity 
that has not previously participated in the ARP Inspection Program 
would require an average of 210 burden hours initially to develop and 
draft the policies and procedures required by proposed Rule 1000(b)(1) 
(except for the policies and procedures for standards that result in 
systems being designed, developed, tested, maintained, operated, and 
surveilled in a manner that facilitates the successful collection, 
processing, and dissemination of market data) \1402\ and 60 hours 
annually to review and update such policies and procedures.\1403\ The 
Commission estimated that an SCI entity that currently participates in 
the ARP Inspection Program would require an average of 105 burden hours 
initially to develop and draft such policies and procedures \1404\ and 
30 hours annually

[[Page 72374]]

to review and update such policies and procedures.\1405\ With respect 
to the requirement in proposed Rule 1000(b)(1) for policies and 
procedures that provide for standards that result in systems being 
designed, developed, tested, maintained, operated, and surveilled in a 
manner that facilitates the successful collection, processing, and 
dissemination of market data, the Commission estimated that each SCI 
entity would spend 130 hours annually.\1406\ In the SCI Proposal, the 
Commission also estimated that all SCI entities would conduct most of 
the work associated with proposed Rule 1000(b)(1) internally.\1407\ 
However, the Commission estimated that SCI entities would seek outside 
legal and/or consulting services in the initial preparation of the 
policies and procedures at an average cost of $20,000 per SCI 
entity.\1408\
---------------------------------------------------------------------------

    \1402\ See Proposing Release, supra note 13, at 18145. The 210 
burden hours included 80 hours by a Compliance Manager (including 
senior management review), 80 hours by an Attorney, 25 hours by a 
Senior Systems Analyst, and 25 hours by an Operations Specialist. 
See id. at 18146. This estimate was based on Commission staff's 
experience with the ARP Inspection Program and the Commission's 
preliminary estimate in the SB SDR Proposing Release for a similar 
requirement. See id. at 18145, n. 365.
    \1403\ See Proposing Release, supra note 13, at 18146. The 60 
burden hours included 30 hours by a Compliance Manager and 30 hours 
by an Attorney. See id. This estimate was based on Commission 
staff's experience with the ARP Inspection Program and the 
Commission's preliminary estimate in the SB SDR Proposing Release 
for a similar requirement. See id. at 18146, n. 377.
    \1404\ See Proposing Release, supra note 13, at 18145. The 105 
burden hours included 40 hours by a Compliance Manager (including 
senior management review), 40 hours by an Attorney, 12.5 hours by a 
Senior Systems Analyst, and 12.5 hours by an Operations Specialist. 
See id. at 18146. The Commission stated its belief that a fifty 
percent baseline for SCI entities that participate in the ARP 
Inspection Program is appropriate because, although these entities 
already have substantial policies and procedures in place, the rule 
would require these entities to devote substantial time to review 
and revise their existing policies and procedures to ensure that 
they are sufficiently robust. See id. at 18145.
    \1405\ See Proposing Release, supra note 13, at 18146. The 30 
burden hours included 15 hours by a Compliance Manager and 15 hours 
by an Attorney. See id.
    \1406\ See Proposing Release, supra note 13, at 18145. The 130 
burden hours included 30 hours by a Compliance Attorney and 100 
hours by a Senior Systems Analyst. See id. at 18146. This estimate 
was based on Commission staff's experience with the ARP Inspection 
Program. See id. at 18145, n. 371. The Commission noted in the SCI 
Proposal that this proposed requirement was not addressed by the ARP 
Inspection Program. See id. at 18145.
    \1407\ See Proposing Release, supra note 13, at 18145.
    \1408\ See id.
---------------------------------------------------------------------------

    With respect to proposed Rule 1000(b)(2), the Commission estimated 
that each SCI entity would elect to comply with the proposed safe 
harbor provisions.\1409\ The Commission estimated that each SCI entity 
would spend 180 hours initially to design the policies and procedures 
accordingly.\1410\ The Commission estimated that each SCI SRO would 
spend approximately 120 hours annually to review and update such 
policies and procedures,\1411\ and that each SCI entity that is not an 
SRO would spend approximately 60 hours to review and update such 
policies and procedures.\1412\ In the SCI Proposal, the Commission also 
estimated that all SCI entities would conduct most of the work 
associated with proposed Rule 1000(b)(2) internally.\1413\ However, the 
Commission estimated that SCI entities would seek outside legal and/or 
consulting services in the initial preparation of the policies and 
procedures at an average cost of $20,000 per SCI entity.\1414\
---------------------------------------------------------------------------

    \1409\ See id. at 18146, and proposed Rules 1000(b)(2)(ii) and 
(iii).
    \1410\ See id. at 18146. The 180 burden hours included 30 hours 
by a Compliance Attorney and 150 hours by a Senior Systems Analyst. 
See id. This estimate was based on Commission staff's experience 
with the ARP Inspection Program and OCIE examinations, which review 
policies and procedures of registered entities in conjunction with 
examinations of such entities for compliance with the federal 
securities laws. See id. at 18146, n. 383.
    \1411\ See id. at 18146. The 120 burden hours included 20 hours 
by a Compliance Attorney and 100 hours by a Senior Systems Analyst. 
See id. This estimate was based on Commission staff's experience 
with the ARP Inspection Program. See id. at 18146, n. 384.
    \1412\ See id. at 18146. The 60 burden hours included 10 hours 
by a Compliance Attorney and 50 hours by a Senior Systems Analyst. 
See id.
    \1413\ See id. at 18145.
    \1414\ See id.
---------------------------------------------------------------------------

    Several commenters noted that the Commission underestimated the 
paperwork burden of proposed Rules 1000(b)(1) and (b)(2). One commenter 
noted that the systems covered by proposed Rules 1000(b)(1) and (b)(2) 
are very complex and a first draft of the required policies and 
procedures would take far more than the estimated number of hours to 
complete and keep up-to-date.\1415\ With respect to proposed Rule 
1000(b)(2), this commenter stated that the breadth of the rule is 
extremely comprehensive because it requires policies and procedures 
that are designed to ensure that SCI systems ``comply with the federal 
securities laws and rules and regulations thereunder'' and operate ``in 
the manner intended.'' \1416\
---------------------------------------------------------------------------

    \1415\ See Omgeo Letter at 31-32, 34. According to this 
commenter, the implementation of its current information security 
policy framework and related standards took approximately 18 months 
and over 1600 work hours to put in place. See id. This commenter 
noted that proposed Rule 1000(b)(1) would be far more labor and 
resource intensive because security is just one of the proposed 
seven areas of policy and standards development this new rule would 
require. See id.
    \1416\ See id. at 34.
---------------------------------------------------------------------------

    Another commenter noted that the hour burdens did not take into 
account the appropriate level of management review in connection with 
the development of the policies and procedures.\1417\ This commenter 
also noted that policies and procedures developed to achieve compliance 
with Regulation SCI can potentially impact other areas of the SCI 
entity and other SCI entities, and therefore an SCI entity would 
broadly review the policies and procedures to ensure that they do not 
conflict with other policies, procedures, practices, and processes and 
revise the policies and procedures accordingly.\1418\ Therefore, this 
commenter argued that the Commission did not include adequate estimates 
for the substantial amount of time required by senior management and 
others in the organization, as well as the persons identified in the 
SCI Proposal, in: Understanding the breadth and depth of the 
requirements established by proposed Regulation SCI; determining which 
systems of the SCI entity fall into the various categories of systems 
described in proposed Regulation SCI; assessing, growing and 
potentially reorganizing large portions of the SCI entity's workforce 
to align with the requirements of proposed Regulation SCI; and 
establishing and conducting extensive training curriculum to ensure 
appropriate personnel fully understand their new or changed duties; and 
any number of other collateral effects of the new requirements.\1419\ 
This commenter suggested that a more accurate estimate of the paperwork 
burden from proposed Rule 1000(b)(1) would be three to four times the 
estimate in the SCI Proposal, and the allocation of the burden hours 
should be weighted more heavily toward more senior staff of the 
organization.\1420\
---------------------------------------------------------------------------

    \1417\ See MSRB Letter at 28-29. This commenter stated that the 
Commission placed too much reliance on its experience with the ARP 
Inspection Program, which was ``a voluntary program that did not 
create potential legal liabilities for non-compliance, and may not 
take into account the heightened need for high-level supervision 
that a rule-based requirement would entail.'' See id. at 29. See 
also infra Sections IV.B.3.c and VI.C.2.b (discussing the 
Commission's view on the potential for liability resulting from 
requirements under Regulation SCI). See also Omgeo Letter at 32 
(noting that the estimate of 210 hours for proposed Rule 1000(b)(1) 
is unrealistic because the estimate should include not only the 
drafting of the required policies and procedures, but also their 
review and approval by senior management) and 35 (noting that the 
burden estimate of proposed Rule 1000(b)(2) does not reflect the 
review and direction of senior managers); and CME Letter at 3, n. 5.
    \1418\ See MSRB Letter at 29.
    \1419\ See id. at 30.
    \1420\ See id.
---------------------------------------------------------------------------

    One commenter stated that the 50% baseline for SCI entities that 
are currently under the ARP Inspection Program does not account for the 
significant expansion of the requirements if the definition of SCI 
system is construed broadly, and as a result, the burden estimates may 
be too low.\1421\
---------------------------------------------------------------------------

    \1421\ See FINRA Letter at 7.
---------------------------------------------------------------------------

    One commenter agreed with the Commission that ongoing paperwork 
burdens for compliance with proposed Rules 1000(b)(1) and (b)(2) should 
be lower than the initial burden.\1422\ However, this commenter stated 
that the estimated ongoing burden is understated, but likely to a 
lesser extent than with respect to the initial burden.\1423\ Another 
commenter also noted that, given the complexity of the
underlying systems and the requirements of proposed Rule 1000(b)(1), 
significantly more effort and time will be required on an ongoing basis 
to comply with that rule.\1424\
---------------------------------------------------------------------------

    \1422\ See MSRB Letter at 31.
    \1423\ See id.
    \1424\ See Omgeo Letter at 32, n. 63.
---------------------------------------------------------------------------

    One commenter noted that the establishment of the policies and 
procedures under proposed Rules 1000(b)(1) and (b)(2) would not be 
conducive to outsourcing, although an SCI entity might incur some cost 
for outside counsel for consultation purposes.\1425\ On the other hand, 
another commenter argued that the Commission's burden estimate for 
proposed Rule 1000(b)(1) ``is inaccurate because of its mistaken 
assumption that SCI entities would not seek guidance from outside 
consultants and attorneys.'' \1426\ This commenter noted that, given 
the rates charged by large law firms and consulting firms, an estimate 
of approximately $100,000 for each exempt clearing agency subject to 
ARP is more realistic than the $20,000 estimated in the SCI 
Proposal.\1427\ This commenter similarly noted that the burden estimate 
for proposed Rule 1000(b)(2) failed to account for the costs associated 
with using outside counsel or an outside consulting firm to help draft 
the policies and procedures.\1428\
---------------------------------------------------------------------------

    \1425\ See MSRB Letter at 31.
    \1426\ See Omgeo Letter at 32.
    \1427\ See id. at 32, n. 64.
    \1428\ See id. at 35.
---------------------------------------------------------------------------

    As discussed in detail above in Sections IV.B.1 and IV.B.2, the 
Commission is adopting proposed Rules 1000(b)(1) and (b)(2) as Rules 
1001(a) and (b), respectively, with certain modifications. As adopted, 
Rule 1001(a)(1), consistent with the proposal, requires each SCI entity 
to establish, maintain, and enforce written policies and procedures 
reasonably designed to ensure that its SCI systems and, for purposes of 
security standards, indirect SCI systems, have levels of capacity, 
integrity, resiliency, availability, and security, adequate to maintain 
the SCI entity's operational capability and promote the maintenance of 
fair and orderly markets. Adopted Rule 1001(a)(2), consistent with the 
proposal, provides the minimum required elements of such policies and 
procedures. Some of these elements were modified from the 
proposal,\1429\ and one adopted element was not included in the 
proposal.\1430\
---------------------------------------------------------------------------

    \1429\ See, e.g., Rules 1001(a)(2)(i) (requiring policies and 
procedures with respect to the establishment of reasonable current 
and future ``technological infrastructure capacity planning 
estimates'' rather than simply ``capacity planning estimates''); 
1001(a)(2)(iv) (requiring policies and procedures with respect to 
``regular reviews and testing, as applicable,'' of systems to 
identify vulnerabilities rather than ``regular reviews and testing'' 
of systems); and 1001(a)(2)(v) (requiring policies and procedures 
with respect to business continuity and disaster recovery plans that 
are ``reasonably designed to achieve'' next business day resumption 
of trading and two-hour resumption of ``critical SCI systems'' 
rather than ``to ensure'' next business day resumption of trading 
and two-hour resumption of ``clearance and settlement services''). 
See also supra Section IV.B.1.b.ii (discussing modifications from 
the SCI Proposal in adopted Rule 1001(a)(2)).
    \1430\ See Rule 1001(a)(2)(vii) (requiring policies and 
procedures with respect to monitoring of systems to identify 
potential SCI events).
---------------------------------------------------------------------------

    As compared to proposed Rule 1000(b)(2), which required written 
policies and procedures reasonably designed to ensure that SCI systems 
operate ``in the manner intended, including in a manner that complies 
with the federal securities laws,'' adopted Rule 1001(b)(1) requires an 
SCI entity to establish, maintain, and enforce written policies and 
procedures reasonably designed to ensure that its SCI systems operate 
in a manner that complies with the Exchange Act and the rules and 
regulations thereunder, and the entity's rules and governing documents, 
as applicable.\1431\ Further, rather than adopting the proposed safe 
harbor for SCI entities, Rule 1001(b)(2) provides the minimum required 
elements of such policies and procedures. Some of these elements were 
modified from the proposed safe harbor elements,\1432\ and one element 
of the proposed safe harbor is not included in Rule 1001(b)(2).\1433\
---------------------------------------------------------------------------

    \1431\ See supra Section IV.B.2.a.
    \1432\ See Rules 1001(b)(2)(iii) (requiring policies and 
procedures with respect to ``a plan for assessments'' of systems 
compliance rather than both ``ongoing monitoring'' and 
``assessments'' of systems compliance) and 1001(b)(2)(iv) (requiring 
policies and procedures with respect to ``a plan of coordination and 
communication between regulatory and other personnel of the SCI 
entity, including by responsible SCI personnel'' regarding SCI 
systems rather than ``review by regulatory personnel of SCI 
systems''). See also supra Section IV.B.2.c (discussing 
modifications from the SCI Proposal in adopted Rule 1001(b)(2)).
    \1433\ See proposed Rule 1000(b)(2)(ii)(A)(2) (periodic testing 
of all SCI systems and any changes to such systems after their 
implementation).
---------------------------------------------------------------------------

    With respect to the view of a commenter that the systems covered by 
proposed Rules 1000(b)(1) and (2) are very complex and that the 
Commission underestimated the burdens associated with completing and 
updating the required policies and procedures,\1434\ the Commission 
believes that most, if not all, SCI entities already have some policies 
and procedures related to systems capacity, integrity, resiliency, 
availability, security, and compliance, although such policies and 
procedures differ in a variety of respects from the requirements under 
Regulation SCI. Also, in adopting Regulation SCI, the Commission has 
reduced the burdens for proposed Rules 1000(b)(1) and (2) from the SCI 
Proposal in a variety of ways, including by, for example: Refining the 
definition of SCI systems; more explicitly recognizing that some 
systems pose greater risk than others to the maintenance of fair and 
orderly markets and imposing obligations that allow for risk-based 
considerations; and providing that staff guidance on current SCI 
industry standards be characterized as providing examples of 
publications describing processes, guidelines, frameworks, or standards 
for an SCI entity to consider looking to in developing reasonable 
policies and procedures, rather than strictly as listing industry 
standards. At the same time, the Commission acknowledges commenters' 
feedback with respect to the burden of the rules and thus is doubling 
the burden estimates for the policies and procedures under Rules 
1000(b)(1) and (2).\1435\ The Commission notes that, as part of this 
approach, it doubled the ongoing burden estimates in part in response 
to comment stating that significantly more effort and time will be 
required on an ongoing basis to comply with proposed Rule 
1000(b)(1).\1436\
---------------------------------------------------------------------------

    \1434\ See supra note 1415 and accompanying text. As noted 
above, one commenter stated that its current information security 
policy framework and related standards took over 1,600 hours to put 
in place, and that security is just one of the seven areas of 
policies and standards proposed to be required. See supra note 1415. 
The Commission notes that, to the extent an SCI entity already has 
adequate policies and procedures in place with respect to systems 
capacity, integrity, resiliency, availability, security, and 
compliance, Rules 1001(a) and (b) will not impose significant 
additional paperwork burden on the entity.
    \1435\ In response to the commenter that suggested the initial 
burden for proposed Rule 1000(b)(1) would be three to four times 
that estimated in the SCI Proposal, the Commission believes that 
because it further focused the requirements associated with proposed 
Rules 1000(b)(1) and (2) in a variety of ways described above, 
resulting in reduced burden estimates as compared to the SCI 
Proposal, the commenter's estimate based on the proposal is too 
high. See supra note 1420. Based on Commission staff experience, the 
Commission believes it is more appropriate to double the estimated 
initial SCI entity staff burden and also add senior management time.
    \1436\ See supra note 1424.
---------------------------------------------------------------------------

    As noted above, some commenters noted that the policies and 
procedures could potentially impact other areas of the SCI entity and 
other SCI entities, and therefore would result in more burden hours to 
ensure that the policies and procedures do not conflict with other 
policies, procedures, practices, and processes, and would require 
greater involvement of senior management and others in an SCI
entity.\1437\ Similarly, some commenters noted that the establishment, 
maintenance, and enforcement of the policies and procedures would 
involve senior management review.\1438\ The Commission agrees with 
these comments and is adjusting the estimated paperwork burden. 
Specifically, in the SCI Proposal, the Commission included senior 
management review as part of its estimated burden hours for Compliance 
Managers in connection with the policies and procedures requirements 
under Rules 1001(a) and (b).\1439\ However, in response to comments and 
based on Commission staff experience, the Commission is additionally 
including burden estimates for a Director of Compliance (10 hours 
initially, 5 hours annually) and Chief Compliance Officer \1440\ (20 
hours initially, 10 hours annually) with respect to both Rules 1001(a) 
and (b).\1441\ The Commission reiterates that these estimates are 
averages across all SCI entities--some SCI entities may spend more 
hours in connection with the establishment, maintenance, and 
enforcement of the policies and procedures than the Commission's 
estimates, while others may spend less.\1442\ Each SCI entity is 
required to determine for itself what is required for its staff and 
senior managers to do in order for the SCI entity to comply with Rules 
1001(a) and (b).
---------------------------------------------------------------------------

    \1437\ See supra notes 1418-1419 and accompanying text.
    \1438\ See supra notes 1417, 1419, and 1420 and accompanying 
text. According to one commenter, the Commission's burden estimates 
for the policies and procedures did not account for the time 
required to determine which systems would fall into the various 
categories of systems. See supra note 1419 and accompanying text. 
The Commission disagrees with this view and notes that the burden of 
identifying various types of systems and events is discussed below 
in Section V.D.3. In addition, this commenter expressed concern that 
the Commission's estimates did not account for assessing, growing, 
and reorganizing an SCI entity's workforce; establishing and 
conducting training; and other collateral effects of the new 
requirements. See supra note 1419 and accompanying text. As 
discussed throughout this section, the Commission has increased the 
burden estimates for Rules 1001(a) and (b) in response to comments.
    \1439\ See supra note 1402.
    \1440\ The Chief Compliance Officer burden estimates include the 
time spent by other senior officers, including Chief Information 
Officers and Chief Information Security Officers, as appropriate for 
a particular requirement under Regulation SCI.
    \1441\ In estimating the number of burden hours to be spent by 
senior management, the Commission is not making a distinction 
between SCI entities that currently participate in the ARP 
Inspection Program and SCI entities that do not. In contrast to the 
Commission's estimate with regard to non-senior staff of SCI 
entities that currently participate in the ARP Inspection Program, 
who the Commission believes could be subject to less burden in 
drafting the policies and procedures because these SCI entities 
already have certain policies and procedures in place, the 
Commission believes that all senior management, regardless of 
whether an SCI entity participates in the ARP Inspection Program, 
would require a similar number of hours to review such policies and 
procedures to ensure compliance with Regulation SCI.
    \1442\ For example, some SCI entities have more complex systems 
than others, and current practices of some SCI entities already 
comply with certain requirements of Regulation SCI to some extent.
---------------------------------------------------------------------------

    After considering the views of commenters, and because Rule 1001(a) 
requires an additional element to be included in the policies and 
procedures (i.e., monitoring of systems to identify SCI events), the 
Commission estimates that an SCI entity that has not previously 
participated in the ARP Inspection Program would require an average of 
534 burden hours initially to develop and draft the policies and 
procedures required by that rule (except for the policies and 
procedures for standards that result in systems being designed, 
developed, tested, maintained, operated, and surveilled in a manner 
that facilitates the successful collection, processing, and 
dissemination of market data, which is discussed below),\1443\ or 7,476 
hours for all such SCI entities.\1444\ The Commission estimates that an 
SCI entity that has not previously participated in the ARP Inspection 
Program would require an average of 159 hours annually to review and 
update such policies and procedures,\1445\ or 2,226 hours for all such 
SCI entities.\1446\
---------------------------------------------------------------------------

    \1443\ As noted above, the Commission is doubling its estimate 
of the burden for staff of SCI entities. 210 hours x 2 = 420 hours. 
420 hours / 5 x 6 = 504 hours to establish policies and procedures 
that contain six elements, as opposed to the five in the SCI 
Proposal. The 504 burden hours include 192 hours by a Compliance 
Manager, 192 hours by an Attorney, 60 hours by a Senior Systems 
Analyst, and 60 hours by an Operations Specialist. This burden hour 
allocation is based on the allocation in the SCI Proposal. See 
Proposing Release, supra note 13, at 18146. As noted above, as 
compared to the proposal, the Commission is estimating an additional 
20 hours by a Chief Compliance Officer and 10 hours by a Director of 
Compliance to reflect the views of commenters that compliance with 
the proposed policies and procedures requirements would require 
greater senior management involvement. See supra notes 1440-1441 and 
accompanying text. 504 hours + Chief Compliance Officer at 20 hours 
+ Director of Compliance at 10 hours = 534 hours.
    \1444\ As noted above, all of the national securities exchanges 
(18), national securities associations (1), registered clearing 
agencies (7), and plan processors (2) currently participate on a 
voluntary basis in the ARP Inspection Program. In addition, 1 ATS 
and 1 exempt clearing agency subject to ARP participate in the ARP 
Inspection Program, for a total of 30 SCI entities that currently 
participate in the ARP Inspection Program. Therefore, 14 SCI 
entities do not participate in the ARP Inspection Program. 534 hours 
x 14 SCI entities that do not participate in the ARP Inspection 
Program = 7,476 hours.
    \1445\ As noted above, the Commission is doubling its estimate 
of the burden for staff of SCI entities. 60 hours x 2 = 120 hours. 
120 hours / 5 x 6 = 144 hours annually to review and update policies 
and procedures that contain six elements, as opposed to the five in 
the SCI Proposal. The 144 burden hours include 57 hours by a 
Compliance Manager, 57 hours by an Attorney, 15 hours by a Senior 
Systems Analyst, and 15 hours by an Operations Specialist. As 
compared to the proposal, the Commission is additionally allocating 
burden hours to Senior Systems Analysts and Operations Specialists. 
Also, as noted above, as compared to the proposal, the Commission is 
estimating an additional 10 hours by a Chief Compliance Officer and 
5 hours by a Director of Compliance to reflect the views of 
commenters that compliance with the proposed policies and procedures 
requirements would require greater senior management involvement. 
See supra notes 1440-1441 and accompanying text. 144 hours + Chief 
Compliance Officer at 10 hours + Director of Compliance at 5 hours = 
159 hours.
    \1446\ 159 hours x 14 SCI entities that do not participate in 
the ARP Inspection Program = 2,226 hours. The Commission believes 
that the increases in the ongoing burden estimates for Rules 1001(a) 
and (b) are consistent with the comment that the Commission 
underestimated the ongoing burdens associated with proposed Rules 
1000(b)(1) and (2), but to a lesser extent than with respect to the 
initial burden. See supra notes 1423-1424 and accompanying text.
---------------------------------------------------------------------------

    With respect to SCI entities that currently participate in the ARP 
Inspection Program, the Commission continues to believe that a 50% 
baseline for these SCI entities in terms of staff burden hours 
is appropriate because although these entities already have substantial 
policies and procedures in place, the rule would require these entities 
to devote substantial time to review and revise their existing policies 
and procedures to ensure that they meet all of the rule 
requirements.\1447\ However, the Commission does not believe that a 50% 
baseline would be appropriate for these SCI entities in terms of senior 
management review of the policies and procedures. Specifically, as 
noted above, the Commission believes that, although these entities already 
have substantial policies and procedures in place, senior management of 
all SCI entities, regardless of whether an SCI entity currently 
participates in the ARP Inspection Program, would require a similar 
number of hours to review the SCI entity's policies and procedures to 
ensure compliance with the new requirements under Regulation SCI.\1448\
---------------------------------------------------------------------------

    \1447\ With respect to a commenter's view that the 50% baseline 
does not account for the significant expansion of the requirements, 
the Commission notes that the 50% baseline merely indicates the 
difference between the level of burden imposed on SCI entities that 
participate in the ARP Inspection Program and SCI entities that do 
not. See supra note 1421 and accompanying text. As discussed above, 
the Commission has increased its burden estimates in response to 
comments.
    \1448\ See supra note 1441.

---------------------------------------------------------------------------

    The Commission estimates that an SCI entity that currently 
participates in the ARP Inspection Program would require an average of 
282 burden hours initially to develop and draft the policies and 
procedures required by Rule 1001(a) (except for the policies and 
procedures for standards that result in systems being designed, 
developed, tested, maintained, operated, and surveilled in a manner 
that facilitates the successful collection, processing, and 
dissemination of market data),\1449\ or 8,460 hours for all such SCI 
entities.\1450\ The Commission estimates that an SCI entity that 
currently participates in the ARP Inspection Program would require an 
average of 87 hours annually to review and update such policies and 
procedures,\1451\ or 2,610 hours for all such SCI entities.\1452\
---------------------------------------------------------------------------

    \1449\ As noted above, the Commission is doubling its estimate 
of the burden for staff of SCI entities. 105 hours x 2 = 210 hours. 
210 hours / 5 x 6 = 252 hours to establish policies and procedures 
that contain six elements, as opposed to the five in the SCI 
Proposal. The 252 burden hours include 96 hours by a Compliance 
Manager, 96 hours by an Attorney, 30 hours by a Senior Systems 
Analyst, and 30 hours by an Operations Specialist. This burden hour 
allocation is based on the allocation in the SCI Proposal. See 
Proposing Release, supra note 13, at 18146. As noted above, as 
compared to the proposal, the Commission is estimating an additional 
20 hours by a Chief Compliance Officer and 10 hours by a Director of 
Compliance to reflect the views of commenters that compliance with 
the proposed policies and procedures requirements would require 
greater senior management involvement. See supra notes 1440-1441 and 
accompanying text. 252 hours + Chief Compliance Officer at 20 hours 
+ Director of Compliance at 10 hours = 282 hours.
    \1450\ 282 hours x 30 SCI entities that participate in the ARP 
Inspection Program = 8,460 hours.
    \1451\ As noted above, the Commission is doubling its estimate 
of the burden for staff of SCI entities. 30 hours x 2 = 60 hours. 60 
hours / 5 x 6 = 72 hours to review and update policies and 
procedures that contain six elements, as opposed to the five in the 
SCI Proposal. The 72 burden hours include 28 hours by a Compliance 
Manager, 28 hours by an Attorney, 8 hours by a Senior Systems 
Analyst, and 8 hours by an Operations Specialist. As compared to the 
proposal, the Commission is additionally allocating burden hours to 
Senior Systems Analysts and Operations Specialists. Also, as noted 
above, as compared to the proposal, the Commission is estimating an 
additional 10 hours by a Chief Compliance Officer and 5 hours by a 
Director of Compliance to reflect the views of commenters that 
compliance with the proposed policies and procedures requirements 
would require greater senior management involvement. See supra notes 
1440-1441 and accompanying text. 72 hours + Chief Compliance Officer 
at 10 hours + Director of Compliance at 5 hours = 87 hours.
    \1452\ 87 hours x 30 SCI entities that participate in the ARP 
Inspection Program = 2,610 hours.
---------------------------------------------------------------------------

    With respect to the requirement in Rule 1001(a)(2)(vi) for policies 
and procedures that provide for standards that result in systems being 
designed, developed, tested, maintained, operated, and surveilled in a 
manner that facilitates the successful collection, processing, and 
dissemination of market data, the Commission estimates that each SCI 
entity would spend 160 hours initially,\1453\ or 7,040 hours for all 
SCI entities.\1454\ The Commission estimates that each SCI entity would 
spend 145 hours annually,\1455\ or 6,380 hours annually for all SCI 
entities.\1456\
---------------------------------------------------------------------------

    \1453\ This estimate includes 130 hours by staff of an SCI 
entity, as estimated in the SCI Proposal, and 30 hours by senior 
management. The 130 burden hours include 30 hours by a Compliance 
Attorney and 100 hours by a Senior Systems Analyst. See Proposing 
Release, supra note 13, at 18146. This burden hour allocation is 
based on the allocation in the SCI Proposal. See Proposing Release, 
supra note 13, at 18146. As noted above, as compared to the 
proposal, the Commission is estimating an additional 20 hours by a 
Chief Compliance Officer and 10 hours by a Director of Compliance to 
reflect the views of commenters that compliance with the proposed 
policies and procedures requirements would require greater senior 
management involvement. See supra notes 1440-1441 and accompanying 
text. 130 hours + Chief Compliance Officer at 20 hours + Director of 
Compliance at 10 hours = 160 hours. Unlike the burden estimates for 
complying with the rest of Rule 1001(a), the Commission does not 
believe it would be appropriate to double its proposed 130 hour 
staff burden estimate for Rule 1001(a)(2)(vi). Based on Commission 
staff experience, the Commission believes that these policies and 
procedures would not be so complex as to result in doubling the 
proposed burden estimate. The Commission also notes that the burden 
estimate for Rule 1001(a)(2)(vi) is already significantly higher 
than the estimated burden for the other individual policies and 
procedures required under Rule 1001(a)(2). In particular, the 
Commission estimates 160 hours for this one provision and 534 hours 
in total for the six other provisions of Rule 1001(a)(2) for non-ARP 
participants (which results in approximately 89 hours for each of 
those six other provisions).
    \1454\ 160 hours x 44 SCI entities = 7,040 hours.
    \1455\ This estimate includes 130 hours by staff of an SCI 
entity, as estimated in the SCI Proposal, and 15 hours by senior 
management. The 130 burden hours include 30 hours by a Compliance 
Attorney and 100 hours by a Senior Systems Analyst. See Proposing 
Release, supra note 13, at 18146. 130 hours + Chief Compliance 
Officer at 10 hours + Director of Compliance at 5 hours = 145 hours.
    \1456\ 145 hours x 44 SCI entities = 6,380 hours.
---------------------------------------------------------------------------

    As noted above, one commenter argued that, given the rates charged 
by large law firms and consulting firms, an estimate of $100,000 is 
more appropriate for the cost of outsourcing under proposed Rule 
1000(b)(1).\1457\ After considering the view of this commenter and 
because the Commission is increasing its estimated burden hours for 
compliance with Rule 1001(a), the Commission is similarly increasing 
its estimate of the outsourcing cost for complying with Rule 1001(a). 
In particular, because the Commission doubled the non-senior staff 
burden estimate for Rule 1001(a) in response to comments that the 
Commission underestimated the burden in the proposal, the Commission 
believes it is appropriate to similarly double its estimate of the 
outsourcing cost for complying with Rule 1001(a). As noted above in the 
context of the burden estimate for Rule 1001(a), the Commission 
believes that, by doubling its outsourcing cost estimate, the 
Commission has incorporated the views of commenters that the Commission 
underestimated the burden, and at the same time accounted for changes 
to the proposal that reduce the burden from the SCI Proposal. Further, 
the Commission acknowledges that some SCI entities may have more 
complex systems and policies and procedures, may outsource more of the 
work associated with the policies and procedures,\1458\ or may 
outsource the work to more expensive law firms and consulting firms 
than others. Therefore, the Commission believes that while some SCI 
entities may incur more outsourcing cost than the Commission's 
estimate, other SCI entities may incur less than the Commission's 
estimate. The Commission does not believe that a commenter's $100,000 
estimate is more appropriate given that there will be differences among 
SCI entities in the extent of outsourcing and in the rates of outside 
firms.
---------------------------------------------------------------------------

    \1457\ See supra note 1427 and accompanying text. This commenter 
also argued that the Commission mistakenly assumed that SCI entities 
would not seek guidance from outside consultants or attorneys. See 
supra note 1426 and accompanying text. However, the Commission did 
account for outsourcing cost in the SCI Proposal and does so here, 
as well.
    \1458\ For example, smaller SCI entities may not have the same 
level of in-house expertise as larger SCI entities.
---------------------------------------------------------------------------

    Because Rule 1001(a) requires an additional element to be included 
in the policies and procedures as compared to proposed Rule 1000(b)(1) 
(i.e., monitoring of systems to identify SCI events), the Commission 
now estimates that on average, each SCI entity would seek outside legal 
and/or consulting services in the initial preparation of the policies 
and procedures at a cost of approximately $47,000,\1459\ or $2,068,000 
for all SCI entities.\1460\
---------------------------------------------------------------------------

    \1459\ As noted above, the Commission is doubling its estimate 
of the outsourcing cost for SCI entities. $20,000 x 2 = $40,000. The 
Commission is also revising this cost estimate to reflect that Rule 
1001(a) requires seven specific elements to be included in the 
policies and procedures, as opposed to the six in the proposed rule. 
$40,000 / 6 x 7 = $46,667.
    \1460\ $47,000 x 44 SCI entities = $2,068,000.
---------------------------------------------------------------------------

    With respect to the view of a commenter that the Commission 
underestimated the paperwork burden under proposed Rule 1000(b)(2) 
because that rule is extremely extensive,\1461\ the Commission notes 
that, as adopted, Rule 1001(b) requires policies and procedures to be 
reasonably designed to ensure, in part, that SCI systems ``operate in a 
manner that complies with
the Act and the rules and regulations thereunder.'' As adopted, this 
rule no longer refers to compliance with ``the federal securities laws 
and rules and regulations thereunder'' and operation ``in the manner 
intended.'' Nevertheless, as noted above, after considering the views 
of commenters that the Commission underestimated the paperwork burden 
under proposed Rule 1000(b)(2), the Commission is doubling its 
estimates from the proposal (which were focused on the burden for SCI 
entity staff), and is increasing its estimates to account for senior 
management review of the policies and procedures.
---------------------------------------------------------------------------

    \1461\ See supra note 1416.
---------------------------------------------------------------------------

    The Commission now estimates that each SCI entity would spend 270 
hours initially to design the systems compliance policies and 
procedures,\1462\ or 11,880 hours for all SCI entities.\1463\ The 
Commission estimates that each SCI SRO would spend approximately 175 
hours annually to review and update such policies and procedures,\1464\ 
or 4,725 hours for all SCI SROs.\1465\ The Commission estimates that 
each SCI entity that is not an SRO would spend approximately 95 hours 
to review and update such policies and procedures,\1466\ or 1,615 hours 
for all such SCI entities.\1467\
---------------------------------------------------------------------------

    \1462\ As noted above, the Commission is doubling its estimate 
of the burden for staff of SCI entities. 180 hours x 2 = 360 hours. 
360 hours / 6 x 4 = 240 hours to establish policies and procedures 
that contain four elements at a minimum, as opposed to the six in 
the SCI Proposal. The 240 burden hours include 40 hours by a 
Compliance Attorney and 200 hours by a Senior Systems Analyst. This 
burden hour allocation is based on the allocation in the SCI 
Proposal. See Proposing Release, supra note 13, at 18146. As noted 
above, as compared to the proposal, the Commission is estimating an 
additional 20 hours by a Chief Compliance Officer and 10 hours by a 
Director of Compliance to reflect the views of commenters that 
compliance with the proposed policies and procedures requirements 
would require greater senior management involvement. See supra notes 
1440-1441 and accompanying text. 240 hours + Chief Compliance 
Officer at 20 hours + Director of Compliance at 10 hours = 270 
hours.
    \1463\ 270 hours x 44 SCI entities = 11,880 hours.
    \1464\ As noted above, the Commission is doubling its estimate 
of the burden for staff of SCI entities. 120 hours x 2 = 240 hours. 
240 hours / 6 x 4 = 160 hours to review and update policies and 
procedures that contain four elements at a minimum, as opposed to 
the six in the SCI Proposal. The 160 burden hours include 26 hours 
by a Compliance Attorney and 134 hours by a Senior Systems Analyst. 
This burden hour allocation is based on the allocation in the SCI 
Proposal. See Proposing Release, supra note 13, at 18146. As noted 
above, as compared to the proposal, the Commission is estimating an 
additional 10 hours by a Chief Compliance Officer and 5 hours by a 
Director of Compliance to reflect the views of commenters that 
compliance with the proposed policies and procedures requirements 
would require greater senior management involvement. See supra notes 
1440-1441 and accompanying text. 160 hours + Chief Compliance 
Officer at 10 hours + Director of Compliance at 5 hours = 175 hours.
    \1465\ 175 hours x 27 SCI SROs = 4,725 hours.
    \1466\ As noted above, the Commission is doubling its estimate 
of the burden for staff of SCI entities. 60 hours x 2 = 120 hours. 
120 hours / 6 x 4 = 80 hours to review and update policies and 
procedures that contain four elements at a minimum, as opposed to 
the six in the SCI Proposal. The 80 burden hours include 14 hours by 
a Compliance Attorney and 66 hours by a Senior Systems Analyst. This 
burden hour allocation is based on the allocation in the SCI 
Proposal. See Proposing Release, supra note 13, at 18146. 80 hours + 
Chief Compliance Officer at 10 hours + Director of Compliance at 5 
hours = 95 hours.
    \1467\ 95 hours x 17 non-SRO SCI entities = 1,615 hours.
---------------------------------------------------------------------------

    As noted above, similar to the burden estimates for proposed Rule 
1000(b)(1), one commenter argued that the Commission underestimated the 
outsourcing cost under proposed Rule 1000(b)(2).\1468\ Similar to the 
discussion above related to Rule 1001(a),\1469\ after considering the 
view of this commenter and because the Commission is increasing its 
estimated burden hours for compliance with Rule 1001(b), the Commission 
is doubling its estimate of the outsourcing cost for complying with 
Rule 1001(b). The Commission now estimates that on average, each SCI 
entity would seek outside legal and/or consulting services in the 
initial preparation of the policies and procedures at a cost of 
approximately $27,000,\1470\ or $1,188,000 for all SCI entities.\1471\
---------------------------------------------------------------------------

    \1468\ See supra note 1428 and accompanying text.
    \1469\ See supra notes 1457-1458 and accompanying text.
    \1470\ As noted above, the Commission is doubling its estimate 
of the outsourcing cost for SCI entities. $20,000 x 2 = $40,000. The 
Commission is also revising this cost estimate to reflect that Rule 
1001(b) will result in the inclusion of at least four elements in 
the policies and procedures, as opposed to the six in the proposed 
rule. $40,000 / 6 x 4 = $26,667.
    \1471\ $27,000 x 44 SCI entities = $1,188,000.
---------------------------------------------------------------------------

    Adopted Rules 1001(a)(3) and (b)(3) explicitly require each SCI 
entity to periodically review the effectiveness of the policies and 
procedures required by Rules 1001(a) and (b), respectively, and to take 
prompt action to remedy deficiencies in such policies and procedures. 
The Commission notes that the paperwork burden related to the review of 
the policies and procedures, and remedying deficiencies in policies and 
procedures, is included in the estimated annual ongoing burden of Rules 
1001(a) and (b).
    Rule 1001(c)(1), which was not included in the proposal, requires 
each SCI entity to establish, maintain, and enforce reasonably designed 
written policies and procedures that include the criteria for 
identifying responsible SCI personnel, the designation and 
documentation of responsible SCI personnel,\1472\ and escalation 
procedures to quickly inform responsible SCI personnel of potential SCI 
events. Like adopted Rules 1001(a)(3) and (b)(3), Rule 1001(c) requires 
each SCI entity periodically to review the effectiveness of these 
policies and procedures and to take prompt action to remedy 
deficiencies in policies and procedures. The Commission estimates that 
each SCI entity would require 114 hours initially to establish the 
criteria for identifying responsible SCI personnel and the escalation 
procedures,\1473\ or 5,016 hours for all SCI entities.\1474\ The 
Commission also estimates that each SCI entity would require 39 hours 
annually to review and update the criteria and the escalation 
procedures,\1475\ or 1,716 hours for all 
SCI entities.\1476\ The Commission believes that SCI entities will 
internally establish and maintain the policies and procedures required 
by Rule 1001(c) because these policies and procedures relate to 
internal personnel designations and internal processes.
---------------------------------------------------------------------------

    \1472\ The paperwork burden associated with the documentation of 
responsible SCI personnel is included in the Commission's estimate 
of the recordkeeping burden, as discussed in Section V.D.4 below.
    \1473\ This estimate is based on the Commission's burden 
estimate for Rule 1001(a), because Rule 1001(a) and Rule 1001(c) 
both require policies and procedures or processes. Because Rule 
1001(a) (excluding Rule 1001(a)(2)(vi)) requires the establishment 
of six policies and procedures at a minimum and Rule 1001(c) 
requires the establishment of two policies and procedures, the 
Commission estimates that the initial burden to draft the policies 
and procedures required by Rule 1001(c) is one-third of the initial 
burden to draft the policies and procedures required by Rule 1001(a) 
(excluding Rule 1001(a)(2)(vi)). Further, the Commission believes 
that, even though Rule 1001(c) will impose paperwork burdens on SCI 
entities, most, if not all, SCI entities, regardless of whether they 
participate in the ARP Inspection Program, already have some 
processes in place for the designation of persons responsible for 
particular systems and escalation procedures. Therefore, the 
Commission believes it is appropriate to assume a 50% baseline for 
all SCI entities (as compared to the burden estimate for Rule 
1001(a) for SCI entities that do not participate in the ARP 
Inspection Program) in terms of the staff burden for compliance with 
Rule 1001(c). 252 hours / 3 = 84 hours. The 84 burden hours include 
32 hours by a Compliance Manager, 32 hours by an Attorney, 10 hours 
by a Senior Systems Analyst, and 10 hours by an Operations 
Specialist. This burden hour allocation is based on the allocation 
for Rule 1001(a) (excluding Rule 1001(a)(2)(vi)). See supra note 
1443. The Commission also estimates that a Chief Compliance Officer 
will spend 20 hours and a Director of Compliance will spend 10 hours 
reviewing the policies and procedures required by Rule 1001(c). 84 
hours + Chief Compliance Officer at 20 hours + Director of 
Compliance at 10 hours = 114 hours.
    The Commission notes that, in the SCI Proposal, it also 
estimated the burden hours for other policies and procedures based 
on its burden estimate under proposed Rule 1000(b)(1). See, e.g., 
Proposing Release, supra note 13, at 18152, n. 442. One commenter 
stated that it was appropriate to base the burden estimate for 
proposed Rule 1000(b)(3), which would likely result in SCI entities 
revising their policies, on the burden estimate under proposed Rule 
1000(b)(1). See infra note 1700 and accompanying text.
    \1474\ 114 hours x 44 SCI entities = 5,016 hours.
    \1475\ This estimate is based on the Commission's burden 
estimate for Rule 1001(a), because Rule 1001(a) and Rule 1001(c) 
both require policies and procedures or processes. Because Rule 
1001(a) (excluding Rule 1001(a)(2)(vi)) requires the maintenance of 
six policies and procedures at a minimum and Rule 1001(c) requires 
the maintenance of two policies and procedures, the Commission 
estimates that the ongoing staff burden under Rule 1001(c) is 
one-third of the ongoing staff burden under Rule 1001(a) (excluding Rule 
1001(a)(2)(vi)). As noted above, the Commission believes it is 
appropriate to assume a 50% baseline for all SCI entities in terms 
of the staff burden for compliance with Rule 1001(c). 72 hours / 3 = 
24 hours. The 24 burden hours include 9.5 hours by a Compliance 
Manager, 9.5 hours by an Attorney, 2.5 hours by a Senior Systems 
Analyst, and 2.5 hours by an Operations Specialist. This burden hour 
allocation is based on the allocation for Rule 1001(a) (excluding 
Rule 1001(a)(2)(vi)). See supra note 1445. The Commission also 
estimates that a Chief Compliance Officer will spend 10 hours and a 
Director of Compliance will spend 5 hours reviewing the policies and 
procedures required by Rule 1001(c). 24 hours + Chief Compliance 
Officer at 10 hours + Director of Compliance at 5 hours = 39 hours.
    \1476\ 39 hours x 44 SCI entities = 1,716 hours.
---------------------------------------------------------------------------

b. Mandate Participation in Certain Testing
    In the SCI Proposal, the Commission estimated that each SCI entity 
(other than plan processors) would spend approximately 130 hours 
initially to meet the requirements of proposed Rules 1000(b)(9)(i) and 
(ii) (i.e., the requirement to mandate participation by designated 
members or participants in testing and the requirement that an SCI 
entity coordinate required testing with other SCI entities).\1477\ The 
130-hour estimate included 35 hours to write a proposed rule, or revise 
a membership/subscriber agreement or participant agreement to establish 
the participation requirement for designated members or 
participants.\1478\ It also included 95 hours of follow-up work (e.g., 
notice and schedule coordination) to ensure implementation.\1479\ The 
Commission estimated that each SCI entity (other than plan processors) 
would spend approximately 95 hours annually to comply with proposed 
Rules 1000(b)(9)(i) and (ii).\1480\
---------------------------------------------------------------------------

    \1477\ See Proposing Release, supra note 13, at 18147.
    \1478\ See id. The 35 burden hours included 10 hours by a 
Compliance Manager, 15 hours by an Attorney, and 10 hours by a 
Compliance Clerk. See id. In establishing this estimate, the 
Commission considered its estimate of the burden for an SRO to file 
an average proposed rule change under Rule 19b-4. See id. at 18147, 
n. 389.
    \1479\ See Proposing Release, supra note 13, at 18147. The 95 
burden hours included 10 hours by a Compliance Manager, 15 hours by 
an Attorney, and 70 hours by an Operations Specialist. See id.
    \1480\ See id. The 95 burden hours included 10 hours by a 
Compliance Manager, 15 hours by an Attorney, and 70 hours by an 
Operations Specialist. See id. The Commission noted that, although 
the initial burden included 35 hours to write a proposed rule, 
revise an agreement, or amend an SCI Plan, the Commission did not 
believe the 35-hour burden would be applicable on an ongoing basis. 
See id. at 18147, n. 393.
---------------------------------------------------------------------------

    In the SCI Proposal, the Commission estimated that each SCI entity 
(other than plan processors) would spend approximately 35 hours 
initially to meet the requirements of proposed Rule 1000(b)(9)(iii) 
(i.e., establishing standards for designating members or participants 
and filing such standards with the Commission, and determining, 
compiling, and submitting the list of designated members or 
participants).\1481\ The Commission estimated that each SCI entity 
(other than plan processors) would spend approximately 3 hours annually 
to comply with proposed Rule 1000(b)(9)(iii) (i.e., to review the 
designation standards to ensure that they remain up-to-date and to 
prepare any necessary amendments, to review the list of designated 
members or participants, and to update prior Commission notifications 
with respect to standards for designation and the list of 
designees).\1482\ The Commission also estimated that all SCI entities, 
other than plan processors, would conduct the work associated with 
proposed Rule 1000(b)(9) internally.\1483\
---------------------------------------------------------------------------

    \1481\ See Proposing Release, supra note 13, at 18148. The 35 
burden hours included 10 hours by a Compliance Manager, 15 hours by 
an Attorney, and 10 hours by a Compliance Clerk. See id. In 
establishing this estimate, the Commission considered its estimate 
of the burden for an SRO to file an average proposed rule filing 
under Rule 19b-4. See id. at 18148, n. 397.
    \1482\ See Proposing Release, supra note 13, at 18148. The 3 
burden hours included 1.5 hours by a Compliance Manager and 1.5 
hours by an Attorney. See id. In establishing this estimate, the 
Commission has considered its estimate of the burden for an SRO to 
amend a Form 19b-4 rule filing. See id. at 18148, n. 401.
    \1483\ See id. at 18145.
---------------------------------------------------------------------------

    For plan processors, the Commission estimated that proposed Rules 
1000(b)(9)(i) and (ii) would carry an initial cost of $52,000 per plan 
processor \1484\ and an annual cost of $38,000 per plan 
processor.\1485\ The Commission also estimated that proposed Rule 
1000(b)(9)(iii) would carry an initial cost of $14,000 per plan 
processor \1486\ and an annual cost of $1,200 per plan processor.\1487\
---------------------------------------------------------------------------

    \1484\ 130 hours x $400 per hour for outside legal service = 
$52,000. See Proposing Release, supra note 13, at 18147.
    \1485\ 95 hours x $400 per hour for outside legal service = 
$38,000. See id.
    \1486\ 35 hours x $400 per hour for outside legal service = 
$14,000. See id. at 18148.
    \1487\ 3 hours x $400 per hour for outside legal service = 
$1,200. See id.
---------------------------------------------------------------------------

    With respect to the Commission's estimate of the burdens under 
proposed Rule 1000(b)(9), one commenter noted that the estimate was 
effectively limited to ministerial tasks of producing a rule filing and 
of undertaking follow-up work in connection with implementation and 
does not take into account significant activities relating to the SRO 
rule change process (e.g., board of directors briefing and 
deliberation, potential notice for comment, responses to comment 
letters received on such notice, responses to comment letters received 
by the Commission on a rule filing, etc.) and understates the 
activities necessary to implement testing with industry 
participants.\1488\ Another commenter argued that it has contractual 
relationships with thousands of clients, and contract negotiations 
always require a great deal of time and commitment from its legal 
personnel.\1489\ This commenter also noted that while a certain 
significant percentage of its clients may sign the contracts without 
any negotiation, many do not.\1490\ According to this commenter, the 
requirements under proposed Rule 1000(b)(9) would create for it many 
thousands of burden hours because it would require the commenter to 
re-negotiate contracts with ``the many thousands of clients it has already 
signed up.'' \1491\
---------------------------------------------------------------------------

    \1488\ See MSRB Letter at 38.
    \1489\ See Omgeo Letter at 46. This commenter noted that its 
relationships with clients are often based on negotiated agreements 
and that clients do not automatically agree to all terms stated in 
the standard contract. See id. at 45.
    \1490\ See id. at 46.
    \1491\ See id.
---------------------------------------------------------------------------

    One commenter noted that the requirements under proposed Rule 
1000(b)(9) would not be conducive to outsourcing.\1492\
---------------------------------------------------------------------------

    \1492\ See MSRB Letter at 38.
---------------------------------------------------------------------------

    As discussed in detail above in Section IV.B.6, the Commission is 
adopting proposed Rule 1000(b)(9) as Rule 1004, with certain 
modifications. Rule 1004 requires each SCI entity to establish 
standards for the designation of certain members or participants for 
business continuity and disaster recovery plan testing, to designate 
members or participants in accordance with these standards, to require 
participation by designated members or participants in such testing at 
least annually, and to coordinate such testing on an industry- or 
sector-wide basis with other SCI entities. However, 
adopted Rule 1004 does not require an SCI entity to notify and update 
the Commission of its designated members or participants and its 
standards for designation on Form SCI, as proposed.
    Considering commenters' view that the Commission had underestimated 
the burden hours associated with proposed Rule 1000(b)(9), the 
Commission now estimates that the requirements under Rules 1004(a) 
(i.e., establishment of standards for the designation of members and 
participants) and (c) (i.e., coordination of testing on an industry- or 
sector-wide basis) will initially require 360 hours for each SCI entity 
that is not a plan processor (e.g., establishing designation criteria 
by writing a proposed rule; revising a membership/subscriber agreement 
or participant agreement; providing notice to members or participants; 
scheduling the coordinated testing),\1493\ or 15,120 hours for all such 
SCI entities.\1494\ Further, the Commission estimates that the 
requirements under Rules 1004(a) and (c) will require 135 hours 
annually for each SCI entity that is not a plan processor,\1495\ or 
5,670 hours for all such SCI entities.\1496\ The Commission continues 
to believe that SCI entities (other than plan processors) would handle 
internally the work associated with the requirements of Rule 
1004.\1497\
---------------------------------------------------------------------------

    \1493\ This estimate includes 90 hours to comply with Rule 
1004(a) and 270 hours to comply with Rule 1004(c). The 90 hours 
include 30 hours by an Attorney, 20 hours by a Compliance Manager, 
10 hours by an Assistant General Counsel, 6 hours by a Chief 
Compliance Officer, 4 hours by a Director of Compliance, and 20 
hours by a Senior Operations Manager. The Commission is 
substantially increasing the estimated burden over that estimated 
for proposed Rule 1000(b)(9)(i), and is estimating an additional 10 
hours by an Assistant General Counsel, 6 hours by a Chief Compliance 
Officer, 4 hours by a Director of Compliance, and 20 hours by a 
Senior Operations Manager to reflect senior management review of the 
standards for designation. With respect to the comment that the 
estimates in the proposal did not take into account significant 
activities relating to the SRO rule change process, the Commission 
notes that the paperwork burden associated with SRO rule filings is 
included as part of the burden associated with Rule 19b-4. See supra 
note 1488 and accompanying text. The 270 hours include 30 hours by 
an Attorney, 20 hours by a Compliance Manager, 10 hours by an 
Assistant General Counsel, 20 hours by a Chief Compliance Officer, 
10 hours by a Director of Compliance, 140 hours by an Operations 
Specialist, and 40 hours by a Senior Operations Manager. The 
Commission is substantially increasing the estimated burden over 
that estimated for proposed Rule 1000(b)(9)(ii), and is estimating 
an additional 10 hours by an Assistant General Counsel, 20 hours by 
a Chief Compliance Officer, 10 hours by a Director of Compliance, 
and 40 hours by a Senior Operations Manager, in response to the view 
of a commenter that the estimates in the SCI Proposal underestimated 
the activities necessary to implement testing with industry 
participants. See supra note 1488 and accompanying text. The 
estimate of 360 hours includes the burden for designating members or 
participants for testing, as required by Rule 1004(b).
    \1494\ 360 hours x 42 SCI entities other than plan processors = 
15,120 hours.
    \1495\ As noted in the SCI Proposal, the Commission does not 
believe that there would be significant annual burden under Rule 
1004(a), as the Commission believes that the designation standards 
will likely not change substantially on an annual basis. See 
Proposing Release, supra note 13, at 18147, n. 393. The 135 hours 
include 15 hours by an Attorney, 10 hours by a Compliance Manager, 5 
hours by an Assistant General Counsel, 10 hours by a Chief 
Compliance Officer, 5 hours by a Director of Compliance, 70 hours by 
an Operations Specialist, and 20 hours by a Senior Operations 
Manager. As compared to the estimated ongoing burden for proposed 
Rule 1000(b)(9)(ii), the Commission is estimating an additional 5 
hours by an Assistant General Counsel, 10 hours by a Chief 
Compliance Officer, 5 hours by a Director of Compliance, and 20 
hours by a Senior Operations Manager, consistent with the 
Commission's estimate for the initial burden for Rule 1004.
    \1496\ 135 hours x 42 SCI entities other than plan processors = 
5,670 hours.
    \1497\ See supra note 1492 (discussing a commenter's view that 
the requirements under proposed Rule 1000(b)(9) would not be 
conducive to outsourcing).
---------------------------------------------------------------------------

    With respect to a commenter's statement that it has contractual 
relationships with thousands of clients and that proposed Rule 
1000(b)(9) would create many thousands of burden hours,\1498\ the 
Commission notes that adoption of a more focused designation 
requirement is likely to result in a smaller number of SCI entity 
members or participants being designated for participation in testing 
as compared to the SCI Proposal. Specifically, as adopted, Rule 1004(a) 
requires an SCI entity to designate ``members or participants that the 
SCI entity reasonably determines are, taken as a whole, the minimum 
necessary for the maintenance of fair and orderly markets'' in the 
event of the activation of the business continuity and disaster 
recovery plans. On the other hand, proposed Rule 1000(b)(9) required 
participation by members or participants the SCI entity deemed 
necessary ``for the maintenance of fair and orderly markets in the 
event of the activation of its business continuity and disaster 
recovery plans.'' \1499\ The Commission believes that SCI entities have 
an incentive to limit the imposition of the cost and burden associated 
with testing to the minimum necessary to comply with the rule, and it 
also believes that, given the option, most SCI entities would, in the 
exercise of reasonable discretion, prefer to designate fewer members or 
participants to participate in testing than to designate more. Thus, 
even if an SCI entity individually negotiates contract modifications 
with certain designated members or participants, the Commission 
believes that the burden would be substantially less than suggested by 
the commenter.\1500\ Moreover, as noted above, taking into account 
commenters' view that the Commission underestimated the burden for 
proposed Rule 1000(b)(9), the Commission increased its estimate for 
initial burden hours from 130 hours for the proposed rule to 360 hours 
for adopted Rule 1004. The average burden estimate associated with Rule 
1004 applies to SCI entities that would need to negotiate contract 
modifications with members or participants.
---------------------------------------------------------------------------

    \1498\ See supra notes 1489-1491 and accompanying text.
    \1499\ The Commission notes that, because Rule 1004 would not 
require all members or participants of an SCI entity to participate 
in business continuity and disaster recovery plan testing, Rule 1004 
will not affect all of an SCI entity's contractual relationships 
with clients or members or participants. Further, the Commission 
notes that its estimated burden for compliance with Rule 1004 is 
intended to reflect the average burden for all SCI entities (other 
than plan processors).
    \1500\ As discussed in the Economic Analysis, the Commission 
estimates that each SCI entity would designate an average of 40 
members or participants to participate in the necessary testing. See 
infra note 2065. Therefore, an SCI entity will not be required to 
re-negotiate contracts with ``the many thousands of clients it has 
already signed up.'' See supra note 1491 and accompanying text. 
Moreover, this commenter recognized that a significant percentage of 
its clients may sign the contracts without any negotiation. See 
supra note 1491 and accompanying text. As a result, the Commission 
does not expect that an SCI entity will need to negotiate with all 
of the estimated 40 members or participants.
---------------------------------------------------------------------------

    Based on its experience with plan processors, the Commission 
continues to believe that plan processors will outsource the work 
related to compliance with Rule 1004. The Commission estimates that 
Rule 1004 will carry an initial cost of $144,000 per plan 
processor,\1501\ or $288,000 for all plan processors.\1502\ The 
Commission estimates that Rule 1004 will carry an annual cost of 
$54,000 per plan processor,\1503\ or $108,000 for all plan 
processors.\1504\
---------------------------------------------------------------------------

    \1501\ 360 hours x $400 per hour for outside legal service = 
$144,000. This is based on an estimated $400 per hour cost for 
outside legal services. This is the same estimate used by the 
Commission for these services in the ``Exemptions for Advisers to 
Venture Capital Funds, Private Fund Advisers with Less Than $150 
Million Under Management, and Foreign Private Advisers'' final rule: 
SEC Release No. IA-3222 (June 22, 2011); 76 FR 39646 (July 6, 2011).
    \1502\ $144,000 x 2 plan processors = $288,000.
    \1503\ 135 hours x $400 per hour for outside legal service = 
$54,000. The Commission increased from its estimate in the proposal 
the estimated hours for the outsourced work for plan processors to 
be equivalent to the number of burden hours it estimated for an SCI 
entity that is not a plan processor (i.e., increasing the initial 
burden estimate from 130 hours to 360 hours and the annual burden 
estimate from 95 to 135 hours).
    \1504\ $54,000 x 2 plan processors = $108,000.
---------------------------------------------------------------------------

2. Notification, Dissemination, and Reporting Requirements for SCI 
Entities
    The rules under Regulation SCI that would require an SCI entity to 
notify the 
Commission of SCI events, disseminate information regarding certain SCI 
events, and notify the Commission of certain systems changes are 
discussed more fully in Sections IV.B.3.c, IV.B.3.d, and IV.B.4 above.
a. Commission Notification of SCI Events
    In the SCI Proposal, the Commission estimated that each SCI entity 
would experience an average of 40 immediate notification SCI events 
\1505\ per year (i.e., 40 notifications under proposed Rule 
1000(b)(4)(i)), and that one-fourth of the notifications under proposed 
Rule 1000(b)(4)(i) would be in writing (i.e., 10 written notifications 
and 30 oral notifications).\1506\ The Commission estimated that each 
written notification would require 0.5 hours to prepare and submit to 
the Commission.\1507\ The Commission also estimated that each SCI 
entity would experience an average of 65 SCI events each year and 
therefore would submit 65 Commission notifications each year under 
proposed Rule 1000(b)(4)(ii).\1508\ The Commission estimated that each 
such notification would require an average of 20 burden hours.\1509\ In 
addition, the Commission estimated that on average, each SCI entity 
would submit 5 updates per year under proposed Rule 1000(b)(4)(iii), 
and that each update would require an average of 3 burden hours.\1510\ 
Finally, the Commission estimated that SCI entities would handle 
internally the work associated with the notification requirement under 
proposed Rule 1000(b)(4).\1511\
---------------------------------------------------------------------------

    \1505\ Immediate notification SCI events included systems 
disruptions that an SCI entity reasonably estimated would have a 
material impact on its operations or on market participants, all 
systems compliance issues, and all systems intrusions.
    \1506\ See Proposing Release, supra note 13, at 18148.
    \1507\ See id. The 0.5 burden hour would be spent by an 
Attorney. See id. at 18149.
    \1508\ See id. at 18148-49.
    \1509\ See id. at 18149. The 20 burden hours included 10 hours 
by an Attorney and 10 hours by a Compliance Manager. See id. This 
estimate was based on Commission staff's experience with the ARP 
Inspection Program. In determining this estimate, the Commission 
also considered its estimate of the burden to complete a Form 19b-4 
filing, although the Commission noted that, unlike a Form 19b-4 
filing, the information contained in Form SCI would only be factual. 
See id. at 18149, n. 410.
    \1510\ See id. at 18149. The 3 burden hours included 1.5 hours 
by an Attorney and 1.5 hours by a Compliance Manager. See id. This 
estimate was based on Commission staff's experience with the ARP 
Inspection Program. In determining this estimate, the Commission 
also considered its estimate of the burden for an SRO to amend a 
Form 19b-4. See id. at 18149, n. 410.
    \1511\ See id. at 18148-49, n. 408, n. 411, and n. 413.
---------------------------------------------------------------------------

    Several commenters stated that the Commission underestimated the 
number of SCI events.\1512\ One commenter stated that, because the 
proposed definition of SCI event was broad and would include minor or 
immaterial events, it is likely that each SCI entity could have 
hundreds if not thousands of SCI events on an annual basis.\1513\ 
Similarly, another commenter stated that each SCI entity could be 
required to report hundreds of systems disruption events each year, 
although the vast majority of such events would be virtually unnoticed 
by market participants.\1514\ Another commenter stated that, based on 
its best reading of the more expansive definitions of disruptions and 
intrusions, a more accurate estimate could be between 200 to 500 events 
per year per exchange.\1515\ Several commenters noted that the 
Commission significantly underestimated the number of updates that 
would be required under Rule 1000(b)(4)(iii).\1516\
---------------------------------------------------------------------------

    \1512\ See Omgeo Letter at 35; BATS Letter at 11; Joint SRO 
Letter at 18; OTC Markets Letter at 6; and NYSE Letter at 18. 
However, commenters did not specify estimates for the number of 
systems compliance issues an SCI entity would experience each year.
    \1513\ See Omgeo Letter at 35. According to this commenter, many 
of these SCI events would require written notification even though 
the vast majority of them would be minor and immaterial. See id.
    \1514\ See BATS Letter at 11. This commenter also noted that the 
Commission did not break down the anticipated reportable events into 
systems disruptions, systems intrusions, and systems compliance 
issues. See id.
    \1515\ See NYSE Letter at 18. See also FINRA Letter at 18, n. 32 
(stating that depending on the interpretation of what constitutes a 
systems intrusion, it would be required to notify the Commission 
either: Several times a day under the broadest interpretation; three 
or four times per month under a narrower interpretation; or one or 
two times per year if limited to intrusions where there is a 
material impact).
    \1516\ See Joint SRO Letter at 19; NYSE Letter at 24 (noting 
that it is not realistic, with respect to over 90% of SCI events, 
that all required activity is complete and reportable on Form SCI 
within 24 hours). See also FINRA Letter at 19 (noting that some 
complex outages can take up to several days to triage, isolate, and 
begin to resolve, and that based on its experience with ARP outage 
reporting, it can take several days to confirm the root cause of an 
outage and even longer to determine the appropriate resolution and 
how long it will take to complete).
---------------------------------------------------------------------------

    With respect to the Commission's estimate of the burden for 
Commission notification generally, one commenter noted that preparation 
of Form SCI will take a fair amount of time, not just to compile 
information about the SCI event, but also to review and edit the 
submission.\1517\ According to this commenter, further impediments to 
timely reporting may arise where an issue requires cross-department 
coordination or coordination with a joint facility or RSA client.\1518\ 
This commenter stated that the Commission notification process will 
take even more time where a third party's technical and data personnel 
are relied on to provide initial drafts or where an RSA client requests 
that it have the opportunity to review all written notices before they 
are submitted.\1519\ Another commenter noted that senior management of 
SCI entities would want an SCI event to be investigated before it is 
reported to the Commission.\1520\ This commenter also noted that any 
responsible Chief Administrative Officer, Chief Financial Officer, 
Chief Operations Officer, Chief Compliance Officer, Chief Information 
Security Officer, General Counsel, and compliance attorneys and 
officers would want to review any report on an SCI event prior to 
submission to the Commission.\1521\ In addition, this commenter noted 
that the SCI entity would need to engage outside counsel and possibly 
other parties to review such reports.\1522\
---------------------------------------------------------------------------

    \1517\ See FINRA Letter at 19. Similarly, another commenter 
noted that notifications to the Commission for SCI events and 
material systems changes would be considered a serious matter, and a 
diligent and properly considered notification would require the time 
and effort of numerous staff in different departments. See UBS 
Letter at 6.
    \1518\ See FINRA Letter at 19.
    \1519\ See id.
    \1520\ See Omgeo Letter at 35.
    \1521\ See id.
    \1522\ See id. at 35-36. This commenter also noted that the 
Commission's estimated cost for consulting outside experts is too 
low. See id. at 35, n. 69.
---------------------------------------------------------------------------

    With respect to the Commission's estimate of the burden for written 
Commission notification under proposed Rule 1000(b)(4)(i), one 
commenter noted that considerable amounts of activities may be 
necessary to gather the information needed, to have appropriate 
confirmations from persons with knowledge and authority with respect to 
the applicable SCI system, to provide for senior management review 
where appropriate, and to otherwise be in a position to draft the 
notification.\1523\ Another commenter noted that Commission 
notification required by proposed Rule 1000(b)(4)(i) would require 
substantive input from personnel outside of the legal and compliance 
departments, including IT analysts and managers as well as impacted 
business analysts and managers.\1524\ This commenter estimated that 
each notification under proposed Rule 1000(b)(4)(i) would require 12 
hours.\1525\ This commenter also noted that the Commission erroneously 
assumed that verbal notifications under proposed Rule 
1000(b)(4)(i) would not consume the time of any employee.\1526\
---------------------------------------------------------------------------

    \1523\ See MSRB Letter at 33.
    \1524\ See UBS Letter at 6. This commenter expressed the same 
concern with respect to proposed Rule 1000(b)(4)(ii). See id.
    \1525\ See id.
    \1526\ See id.
---------------------------------------------------------------------------

    With respect to the estimated burden under proposed Rule 
1000(b)(4)(ii), one commenter noted that the estimate did not take into 
account the considerable amounts of activities to be undertaken by 
other personnel, including persons with knowledge and authority with 
respect to the applicable SCI system and the SCI event as well as 
senior management where appropriate, in order to collect and assess the 
appropriate information and to properly inform the attorney and 
compliance manager of such information in order to allow them to 
produce an accurate notification in compliance with proposed Rule 
1000(b)(4)(ii).\1527\ This commenter had similar concerns with the 
burden estimates for proposed Rule 1000(b)(4)(iii).\1528\ Another 
commenter noted that, with respect to proposed Rule 1000(b)(4)(ii), no 
provision was made for the time burden that would be placed on 
technology personnel in the notification process.\1529\ Similarly, one 
commenter noted that the 20-hour burden estimate failed to take into 
account technology staff and business operations personnel who spend 
considerable time gathering facts and circumstances of a systems 
issue.\1530\ Another commenter estimated that each report under 
proposed Rule 1000(b)(4)(ii) will require approximately 5 hours of 
senior management time (including review and discussions between the 
Chief Administrative Officer, the Chief Compliance Officer, the Chief 
Information Officer, the Chief Operating Officer, and the General 
Counsel).\1531\ In addition, this commenter estimated that middle 
managers from its Compliance, Legal, Technology, Product, and 
Information Security functions would spend on average approximately 31 
hours per report.\1532\ Further, this commenter estimated that 
associates from Compliance, Legal, Technology, Product, and Information 
Security functions would spend approximately 53.5 hours per 
report.\1533\ With respect to the burden estimates for proposed Rule 
1000(b)(4)(iii), this commenter believed that proposed Rule 
1000(b)(4)(iii) could conceivably require it to update the Commission 
approximately half of the time it files Form SCI.\1534\ According to 
this commenter, each update would result in 1 hour of senior management 
time, 17 hours of middle management time, and 9 hours of associate 
time.\1535\
---------------------------------------------------------------------------

    \1527\ See MSRB Letter at 33.
    \1528\ See id. at 33-34.
    \1529\ See Joint SRO Letter at 18. This commenter also opined 
that, in other sections, the Commission either incorrectly assumes 
that no legal or outside counsel would be used, or significantly 
underestimates the amount of legal or outside counsel expenses. See 
id. at 18-19.
    \1530\ See OCC Letter at 12. See also NYSE Letter at 18 and 34 
(stating that a significant number of full time staff, including 
legal, compliance, technical, and operations staff, would be 
required to comply with the Commission notification process under 
proposed Rule 1000(b)(4), and that no estimate is provided for a 
technology staff member under Rule 1000(b)(4)(ii)).
    \1531\ See Omgeo Letter at 36.
    \1532\ See id.
    \1533\ See id.
    \1534\ See id.
    \1535\ See id.
---------------------------------------------------------------------------

    One commenter stated its belief that none of the activities arising 
under proposed Rule 1000(b)(4) would be conducive to outsourcing.\1536\
---------------------------------------------------------------------------

    \1536\ See MSRB Letter at 34-35.
---------------------------------------------------------------------------

    As discussed above in Section IV.B.3.c, the Commission is adopting 
the Commission notification requirements in Rule 1002(b), with certain 
modifications from the proposal. As adopted, the Commission 
notification requirements under Rules 1002(b)(1)-(4) do not apply to 
SCI events that had, or the SCI entity reasonably estimates would have, 
no or a de minimis impact on the SCI entity's operations or on market 
participants.\1537\ Rather, each SCI entity is required to make, keep, 
and preserve records relating to all such SCI events, and submit 
quarterly reports to the Commission regarding such de minimis systems 
disruptions and de minimis systems intrusions.\1538\
---------------------------------------------------------------------------

    \1537\ See Rule 1002(b)(5).
    \1538\ See id.
---------------------------------------------------------------------------

    Rule 1002(b)(1), similar to the proposal, requires immediate 
Commission notification upon any responsible SCI personnel having a 
reasonable basis to conclude that an SCI event has occurred. Rule 
1002(b)(2), similar to the proposal, requires a written Commission 
notification within 24 hours of any responsible SCI personnel having a 
reasonable basis to conclude that the SCI event has occurred. Rule 
1002(b)(2) also specifically states that the 24-hour report is required 
to be made on a good faith, best efforts basis. In addition, the 
information required to be disclosed to the Commission under Rule 
1002(b)(2) is less comprehensive than as proposed.\1539\ Rule 
1002(b)(3), similar to the proposal, requires SCI entities to provide 
updates pertaining to an SCI event on a regular basis, or at such 
frequency as reasonably requested by a representative of the 
Commission, until the event is resolved and the SCI entity's 
investigation of the event is closed. However, Rule 1002(b)(3), unlike 
the proposal, does not require these updates to be in writing. Finally, 
Rule 1002(b)(4) includes requirements for SCI entities to submit 
interim written notifications, as necessary, and final written 
notifications regarding SCI events.\1540\ Specifically, if an SCI event 
is resolved and the SCI entity's investigation of the SCI event is 
closed within 30 calendar days of the occurrence of the SCI event, then 
within five business days after the resolution of the SCI event and 
closure of the investigation regarding the SCI event, the SCI entity is 
required to submit a final written notification. If an SCI event is not 
resolved or the SCI entity's investigation of the SCI event is not 
closed within 30 calendar days of the occurrence of the SCI event, then 
the SCI entity is required to submit an interim written notification 
within 30 calendar days after the occurrence of the SCI event. Within 
five business days after the resolution of such SCI event and closure 
of the investigation regarding such SCI event, the SCI entity is 
required to submit a final written notification.
---------------------------------------------------------------------------

    \1539\ For example, an SCI entity is not required to provide the 
Commission a detailed description of the SCI event; a discussion of 
whether the SCI event is a dissemination SCI event; a description of 
the SCI entity's rules and/or governing documents, as applicable, 
which relate to the SCI event; or an analysis of parties that may 
have experienced a loss due to the SCI event.
    \1540\ The written notification is required to include (i) a 
detailed description of: The SCI entity's assessment of the types 
and number of market participants affected by the SCI event; the SCI 
entity's assessment of the impact of the SCI event on the market; 
the steps the SCI entity has taken, is taking, or plans to take, 
with respect to the SCI event; the time the SCI event was resolved; 
the SCI entity's rule(s) and/or governing document(s), as 
applicable, that relate to the SCI event; and any other pertinent 
information known by the SCI entity about the SCI event; (ii) a copy 
of any information disseminated pursuant to Rule 1002(c) by the SCI 
entity to date regarding the SCI event to any of its members or 
participants; and (iii) an analysis of parties that may have 
experienced a loss, whether monetary or otherwise, due to the SCI 
event, the number of such parties, and an estimate of the aggregate 
amount of such loss. The information required to be included in the 
Rule 1002(b)(4) notifications is similar to the information required 
under proposed Rule 1000(b)(4)(iv)(A), which was related to the 
proposed 24-hour Commission notification.
---------------------------------------------------------------------------

    As noted above, some commenters expressed their view that the 
Commission underestimated the number of SCI events because they 
considered the definition of SCI event to be broad and would include 
minor or immaterial events.\1541\ These commenters estimated hundreds 
and even thousands of SCI events annually for each SCI entity, but 
noted that the majority of such events would have no 
effect on market participants.\1542\ As discussed above in Section 
IV.B.3.c, the Commission notification requirements under adopted Rule 
1002(b)(1)-(4) do not apply to any SCI event that has had, or the SCI 
entity reasonably estimates would have, no or a de minimis impact on 
the SCI entity's operations or on market participants.\1543\ Rather, 
each SCI entity would be required to keep records related to such 
events and submit quarterly reports that only contain a summary 
description of such de minimis systems disruptions and de minimis 
systems intrusions.\1544\ Further, as noted above in Section IV.A, the 
Commission has refined the definition of SCI systems and SCI events in 
various respects.\1545\ Therefore, the Commission does not believe that 
the number of SCI events subject to Rules 1002(b)(1)-(4) would be 
substantially higher than the Commission's estimate in the SCI 
Proposal.
---------------------------------------------------------------------------

    \1541\ See supra notes 1513-1515 and accompanying text.
    \1542\ See id.
    \1543\ See Rule 1002(b)(5).
    \1544\ See id.
    \1545\ See Rule 1000 (defining ``SCI systems'' and ``SCI 
event'').
---------------------------------------------------------------------------

    After considering the views of commenters and in light of the more 
focused scope of the immediate Commission notification requirement, the 
Commission now estimates that each SCI entity will experience an 
average of 45 SCI events each year that are not de minimis SCI events, 
resulting in 45 written notifications under Rule 1002(b)(2) and 45 
written notifications under Rule 1002(b)(4). The estimated 45 SCI 
events comprise 24 systems disruptions, 20 systems compliance issues, 
and one systems intrusion. These estimates are derived in part from the 
number of systems incidents reported to the Commission under the ARP 
Inspection Program and the number of compliance-related issues reported 
to the Commission by SROs.\1546\
---------------------------------------------------------------------------

    \1546\ The Commission notes that only one ATS currently 
participates in the ARP Inspection Program and other ATSs generally 
do not self-report system incidents to the Commission. At the same 
time, the Commission acknowledges that, to the extent that some ATSs 
have less complex systems or perform fewer functions than other SCI 
entities, it is possible that these ATSs will experience fewer SCI 
events per year than other SCI entities. Also, as discussed more 
fully below, many ATSs do not have rulebooks and thus may experience 
fewer systems compliance issues than other SCI entities. 
Nevertheless, the Commission believes that an average of 45 SCI 
events per year (excluding de minimis SCI events) is an appropriate 
average across all SCI entities, including ATSs.
---------------------------------------------------------------------------

    In particular, the Commission notes that approximately 360 ARP 
incidents were reported to the Commission in 2013 by 29 entities that 
participated in the ARP Inspection Program.\1547\ Thus, on average, 
each entity reported approximately 12 incidents in 2013, although some 
entities reported fewer than 12 incidents, and some entities reported 
significantly more than 12 incidents (i.e., over 100). By defining 
``systems disruption'' for purposes of Regulation SCI and requiring 
Commission notification of systems disruptions, the Commission expects 
that more incidents will be reported pursuant to Regulation SCI than 
pursuant to the voluntary ARP Inspection Program. Therefore, the 
Commission estimates that each SCI entity will report an average of 24 
systems disruptions each year that are not de minimis systems 
disruptions, which is double the average number of systems incidents 
reported by each participant under the ARP Inspection Program in 2013.
---------------------------------------------------------------------------

    \1547\ In the SCI Proposal, the Commission noted that each 
entity reported an average of approximately 6 incidents under the 
ARP Inspection Program in 2011, and estimated that there would be an 
average of 65 SCI event notices per year for each SCI entity. See 
Proposing Release, supra note 13, at 18148.
---------------------------------------------------------------------------

    Further, based on notifications received by Commission staff 
regarding certain SROs, each of these SROs experienced an average of 17 
systems compliance-related issues in 2013. The notifications received 
by Commission staff indicate that some SROs experienced fewer than 17 
systems compliance-related issues, and others experienced more than 17. 
The Commission believes that very few, if any, of the notifications 
received in 2013 would qualify as de minimis systems compliance issues 
under Regulation SCI. By defining ``systems compliance issue'' for 
purposes of Regulation SCI and requiring Commission notification of 
systems compliance issues, the Commission expects that more issues will 
be reported pursuant to Regulation SCI than pursuant to self-reporting. 
Therefore, the Commission estimates that each SCI entity will 
experience an average of 20 systems compliance issues each year that 
are not de minimis systems compliance issues.\1548\
---------------------------------------------------------------------------

    \1548\ The Commission acknowledges that SCI entities other than 
SCI SROs may experience fewer systems compliance issues than SCI 
SROs because they may not have rulebooks, and thus, one aspect of 
the definition of systems compliance issue would not apply to such 
SCI entities (i.e., operating in a manner that does not comply with 
the entity's rules).
---------------------------------------------------------------------------

    Based on the Commission's experience with the ARP Inspection 
Program, the Commission believes each SCI entity will experience on 
average less than one non-de minimis systems intrusion per year. 
However, for purposes of the PRA, the Commission estimates one non-de 
minimis systems intrusion per SCI entity per year.\1549\
---------------------------------------------------------------------------

    \1549\ This estimate is lower than those provided by commenters 
(see supra note 1515 and accompanying text) because the adopted 
definitions of SCI systems and indirect SCI systems have been 
refined from the proposal, and because de minimis systems intrusions 
are required to be reported in summary format on a quarterly basis.
---------------------------------------------------------------------------

    With respect to the notification requirement under Rule 1002(b)(1), 
the Commission notes that the notification can be made orally or in 
writing. As with the SCI Proposal, the Commission estimates that one-
fourth of the notifications under Rule 1002(b)(1) will be submitted in 
writing (i.e., approximately 11 events per year for each SCI 
entity),\1550\ and three-fourths will be provided orally (i.e., 
approximately 34 events per year for each SCI entity).\1551\ The 
Commission also estimates that each written notification under Rule 
1002(b)(1) will require 2 hours \1552\ for each SCI entity.\1553\ The 
Commission is not 
significantly increasing its burden estimate for proposed Rule 
1000(b)(4)(i) because Rule 1002(b)(1) requires the immediate 
notification of SCI events and does not specify the minimum information 
that must be submitted to the Commission. The Commission believes that, 
for many SCI events, an SCI entity will simply notify the Commission 
that an SCI event has occurred, often in a single phone call, and may 
not provide the Commission with additional information because it is 
not yet available to the SCI entity. For these reasons, contrary to the 
view of some commenters,\1554\ the Commission does not expect that the 
SCI entity will need to gather a considerable amount of information or 
significantly confer with interested parties across the entity. In 
particular, while the Commission estimates some burden for legal and 
technology personnel of SCI entities in complying with Rule 1002(b)(1), 
it does not believe that Rule 1002(b)(1) will result in significant 
burden for such personnel.\1555\
---------------------------------------------------------------------------

    \1550\ 45 SCI events / 4 = 11.25 SCI events reported in writing. 
One commenter noted that most SCI entities would submit a writing to 
document that they had satisfied the notice requirement of proposed 
Rule 1000(b)(4)(i). See Omgeo Letter at 16. However, the Commission 
continues to estimate that one-fourth of the notifications under 
Rule 1002(b)(1) will be submitted in writing and that the rest will 
be provided orally. The Commission believes that it is less 
burdensome for an SCI entity to provide oral notification than to 
provide written notification and, given the requirement of Rule 
1002(b)(2) to provide a written notification to the Commission 
within 24 hours, the Commission believes it is likely that most 
initial notifications submitted under Rule 1002(b)(1) would be done 
orally. Moreover, based on Commission staff experience, ARP 
participants generally provide initial notifications of systems 
issues orally.
    \1551\ 45 SCI events - 11 SCI events reported in writing = 34 SCI 
events reported orally.
    \1552\ The burden estimates for each rule under Regulation SCI 
that involves the filing of Form SCI include the burden associated 
with completing and electronically submitting Form SCI, and for 
manually signing a signature page or document, pursuant to the 
requirements of Rule 1006.
    \1553\ The 2 hours include 0.5 hours by an Attorney, 0.5 hours 
by a Compliance Manager, 0.5 hours by a Senior Systems Analyst, and 
0.5 hours by a Senior Business Analyst. As compared to the estimated 
burden for proposed Rule 1000(b)(4)(i), the Commission is estimating 
an additional 0.5 hours by Compliance Managers, 0.5 hours by Senior 
Systems Analysts, and 0.5 hours by Senior Business Analysts to 
reflect that legal personnel may need to confer with technology and 
business personnel before contacting the Commission regarding an SCI 
event, in response to the views of commenters. See supra notes 1523-
1525 and accompanying text. The Commission notes that the General 
Counsel, Director of Compliance, Chief Compliance Officer, or other 
senior employees or officers of certain SCI entities may review 
Commission notifications under Rule 1002(b)(1) before they are 
submitted (orally or in writing) to the Commission. However, the 
Commission estimates that on average, the General Counsel, Director 
of Compliance, Chief Compliance Officer, or other senior employees 
or officers may spend a small amount of time reviewing each Rule 
1002(b)(1) notification. Rather, they will spend more time reviewing 
the other notifications required by Rule 1002(b).
    \1554\ See supra notes 1523-1526 and accompanying text.
    \1555\ Given that there is not a minimum amount of information 
that must be submitted to the Commission, the Commission believes 
its estimated burden hours is more appropriate than the 12 hours 
suggested by a commenter. See supra note 1525 and accompanying text.
---------------------------------------------------------------------------

    The Commission agrees with the view of a commenter that oral 
notifications would also result in burdens on an SCI entity,\1556\ 
although it expects the burden for legal and compliance personnel to be 
lower than in the case of written notifications because they would not 
need to draft and review a written document for submission to the 
Commission. The Commission estimates that the burden for systems and 
business analysts would remain the same as for written notifications 
because the SCI entity will still need to gather the same type of 
information in order to prepare an oral notification. The Commission 
therefore estimates that each oral notification under Rule 1002(b)(1) 
will require 1.5 hours for each SCI entity.\1557\ The Commission 
estimates that each SCI entity would require an average of 73 hours 
annually to comply with Rule 1002(b)(1),\1558\ or 3,212 hours for all 
SCI entities.\1559\
---------------------------------------------------------------------------

    \1556\ See supra note 1526 and accompanying text.
    \1557\ The 1.5 hours include 0.25 hours by an Attorney, 0.25 
hours by a Compliance Manager, 0.5 hours by a Senior Systems 
Analyst, and 0.5 hours by a Senior Business Analyst.
    \1558\ 11 written notifications each year x 2 hours per 
notification + 34 oral notifications each year x 1.5 hours per 
notification = 73 hours.
    \1559\ 73 hours x 44 SCI entities = 3,212 hours.
---------------------------------------------------------------------------

    The Commission estimates that each written notification under Rule 
1002(b)(2) will require 24 hours for each SCI entity.\1560\ Contrary to 
the views of a commenter that each notification under proposed Rule 
1000(b)(4)(ii) would require approximately 90 burden hours between 
senior management, middle managers, and associates from various 
functions (e.g., legal, compliance, technology),\1561\ the Commission 
is not significantly increasing its estimate of the burden hours from 
its estimate for proposed Rule 1000(b)(4)(ii) because Rule 1002(b)(2) 
requires less information than proposed Rule 1000(b)(4)(ii), although 
the Commission has revised its estimated burden hours to account for 
the various functions and multiple levels of review suggested by the 
commenter.\1562\ Also, because Rule 1002(b)(2) explicitly permits 
information to be submitted on a good faith, best efforts basis, the 
Commission believes that SCI entities will be able to expend less 
resources in reviewing each notification. Therefore, the Commission 
estimates that each SCI entity would require an average of 1,080 hours 
annually to comply with Rule 1002(b)(2),\1563\ or 47,520 hours for all 
SCI entities.\1564\
---------------------------------------------------------------------------

    \1560\ The 24 hours include 5 hours by an Attorney, 5 hours by a 
Compliance Manager, 6 hours by a Senior Systems Analyst, 1 hour by 
an Assistant General Counsel, 1 hour by a Chief Compliance Officer, 
and 6 hours by a Senior Business Analyst. Given the modifications 
from proposed Rule 1000(b)(4)(ii) identified below, the Commission 
estimates that legal and compliance personnel will have less work in 
drafting the written notifications under Rule 1002(b)(2), and 
accordingly reduced the burden hours for Attorneys and Compliance 
Managers from 10 to 5. Further, as compared to the estimated burden 
for proposed Rule 1000(b)(4)(ii), the Commission is estimating an 
additional 6 hours by a Senior Systems Analyst, 1 hour by an 
Assistant General Counsel, 1 hour by a Chief Compliance Officer, and 
6 hours by a Senior Business Analyst to reflect that legal personnel 
may need to confer with technology and business personnel and senior 
management, as well as the multiple levels of review (e.g., 
attorney, compliance manager, chief compliance officer), before 
submitting a report regarding an SCI event, in response to the views 
of commenters. See supra notes 1520-1521, 1527, and 1529-1533 and 
accompanying text.
    \1561\ See supra notes 1531-1533 and accompanying text.
    \1562\ See supra notes 1539 and 1560.
    \1563\ 45 written notifications each year x 24 hours per 
notification = 1,080 hours.
    \1564\ 1,080 hours x 44 SCI entities = 47,520 hours.
---------------------------------------------------------------------------

    With respect to the number of updates required under Rule 
1002(b)(3), the Commission estimates that each SCI entity will submit 6 
written updates and 18 oral updates each year under that rule. These 
estimates are based on Commission staff's experience with the ARP 
Inspection Program, systems compliance-related issues at SROs, and 
views of commenters. Specifically, most of the systems incidents 
reported to the Commission in 2013 were reported as resolved within 24 
hours. Further, as discussed above, de minimis SCI events are not 
subject to the update requirement under Rule 1002(b)(3). Moreover, the 
Commission believes that, for some SCI events, an SCI entity will not 
need to provide an update under Rule 1002(b)(3), because the SCI entity 
will be able to quickly submit a final report under Rule 1002(b)(4). 
However, after considering the views of a commenter that some complex 
outages can take up to several days to triage, isolate, and begin to 
resolve,\1565\ and the views of another commenter that proposed Rule 
1000(b)(4)(iii) could conceivably require it to update the Commission 
approximately half the time it files Form SCI,\1566\ the Commission is 
increasing its estimate of the number of updates from 5 to 24.\1567\ 
Because Rule 1002(b)(3) does not require SCI entities to submit updates 
in writing or on Form SCI, the Commission estimates that one-fourth of 
the updates will be submitted in writing, and three-fourths will be 
provided orally.\1568\ Because the SCI entity will still need to gather 
the same type of information in order to prepare an oral or a written 
update, the Commission expects that the burden for systems and business 
analysts will be the same for either type of update. The Commission, 
however, expects that the burden for legal and compliance personnel 
would be less in the case of oral updates because in that case, an SCI 
entity would not need to draft and review a written document for 
submission to the Commission.
---------------------------------------------------------------------------

    \1565\ See supra note 1516.
    \1566\ See also supra note 1534 and accompanying text.
    \1567\ The Commission's estimate of 24 updates is slightly above 
half of the 45 written notifications estimated for Rule 1002(b)(2). 
See supra note 1534 (stating that the rule could conceivably require 
the commenter to update the Commission approximately half of the 
time it files Form SCI).
    \1568\ The Commission similarly estimated one-fourth written 
notifications and three-fourths oral notifications in the SCI 
Proposal for proposed Rule 1000(b)(4)(i). See Proposing Release, 
supra note 13, at 18148; see also supra note 1550 and accompanying 
text.
---------------------------------------------------------------------------

    The Commission estimates that each written update under Rule 
1002(b)(3) will require 6 hours \1569\ and each oral

[[Page 72385]]

update will require 4.5 hours.\1570\ The Commission is not 
significantly increasing its burden estimate from proposed Rule 
1000(b)(4)(iii). The Commission believes that each update will likely 
only reflect some of the information listed under Rules 1002(b)(1) and 
(2) because certain information about SCI events may not yet be 
available at the time the SCI entity submits such update or may not 
need to be updated. Therefore, contrary to one commenter's view that 
each update would require 27 hours,\1571\ the Commission does not 
believe that a Rule 1002(b)(3) update will require significantly more 
time than as estimated in the SCI Proposal. The Commission estimates 
that each SCI entity would require an average of 117 hours annually to 
comply with Rule 1002(b)(3),\1572\ or 5,148 hours for all SCI 
entities.\1573\
---------------------------------------------------------------------------

    \1569\ The 6 hours include 1.5 hours by an Attorney, 1.5 hours 
by a Compliance Manager, 1.5 hours by a Senior Systems Analyst, and 
1.5 hours by a Senior Business Analyst. As compared to the estimated 
burden for proposed Rule 1000(b)(4)(iii), the Commission is 
estimating an additional 1.5 hours by a Senior Systems Analyst and 
1.5 hours by a Senior Business Analyst to reflect that legal 
personnel may need to confer with technology and business personnel 
before contacting the Commission regarding an SCI event, in response 
to the view of a commenter. See supra note 1528 and accompanying 
text. The Commission notes that the General Counsel, Director of 
Compliance, Chief Compliance Officer, or other senior employees or 
officers of certain SCI entities may review the updates under Rule 
1002(b)(3) before they are submitted (orally or in writing) to the 
Commission. However, the Commission estimates that on average, the 
General Counsel, Director of Compliance, Chief Compliance Officer, 
or other senior employees or officers may spend a small amount of 
time reviewing each Rule 1002(b)(3) notification because it is not 
the final report to the Commission on an SCI event, and the SCI 
entity can subsequently submit additional updates. See supra note 
1535 and accompanying text (noting a commenter's burden estimate for 
proposed Rule 1000(b)(4)(iii), which includes estimates for senior 
management review).
    \1570\ The 4.5 hours include 0.75 hours by an Attorney, 0.75 
hours by a Compliance Manager, 1.5 hours by a Senior Systems 
Analyst, and 1.5 hours by a Senior Business Analyst.
    \1571\ See supra note 1535 and accompanying text.
    \1572\ 6 written updates each year x 6 hours per notification + 
18 oral updates each year x 4.5 hours per notification = 117 hours.
    \1573\ 117 hours x 44 SCI entities = 5,148 hours.
---------------------------------------------------------------------------

    The Commission estimates that compliance with Rule 1002(b)(4) for a 
particular SCI event (which includes a final report under Rule 
1002(b)(4)(i)(A) and, as applicable, an interim report under Rule 
1002(b)(4)(i)(B)) will require 35 hours.\1574\ The Commission notes 
that the information required to be provided under Rule 1002(b)(4) is 
similar to the information required to be provided in a notification 
submitted under proposed Rule 1000(b)(4)(ii). As noted above, in the 
SCI Proposal, the Commission estimated that each notification under 
proposed Rule 1000(b)(4)(ii) would require an average of 20 burden 
hours,\1575\ and some commenters argued that the Commission 
underestimated this burden.\1576\ The Commission is estimating a higher 
burden for Rule 1002(b)(4) as compared to proposed Rule 1000(b)(4)(ii) 
(i.e., 35 hours as compared to 20 hours) because the reports under Rule 
1002(b)(4) constitute final reports regarding SCI events, and SCI 
entities will likely confer with technology and business personnel and 
senior management to ensure that the information provided is accurate. 
For the same reason, and because Rule 1002(b)(4) (final report) 
requires more information than Rule 1002(b)(2), the Commission's burden 
estimate for Rule 1002(b)(4) is higher than the burden estimate for 
Rule 1002(b)(2) (i.e., 35 hours as compared to 24 hours).\1577\ 
Nevertheless, the Commission is not substantially increasing the burden 
estimate as compared to proposed Rule 1000(b)(4)(ii) or adopted Rule 
1002(b)(2) because it recognizes that some of the information required 
by Rule 1002(b)(4) may already have been provided in a prior 
notification to the Commission and, thus, its burden has been included 
in the burden estimate for Rule 1002(b)(2). Therefore, the Commission 
estimates that each SCI entity would require an average of 1,575 hours 
annually to comply with Rule 1002(b)(4),\1578\ or 69,300 hours for all 
SCI entities.\1579\
---------------------------------------------------------------------------

    \1574\ The 35 hours include 8 hours by an Attorney, 8 hours by a 
Compliance Manager, 7 hours by a Senior Systems Analyst, 2 hours by 
an Assistant General Counsel, 1 hour by a General Counsel, 2 hours 
by a Chief Compliance Officer, and 7 hours by a Senior Business 
Analyst. As compared to proposed Rule 1000(b)(4)(ii), the Commission 
expects the legal and compliance personnel to have less work in 
drafting the written notifications under Rule 1002(b)(4) because 
some of the information required by Rule 1002(b)(4) may already have 
been provided in a prior notification to the Commission, and 
accordingly reduced the burden hours for Attorneys and Compliance 
Managers from 10 to 8. Further, as compared to the estimated burden 
for proposed Rule 1000(b)(4)(ii), the Commission is estimating an 
additional 7 hours by a Senior Systems Analyst, 2 hours by an 
Assistant General Counsel, 1 hour by a General Counsel, 2 hours by a 
Chief Compliance Officer, and 7 hours by a Senior Business Analyst 
to reflect that legal personnel may need to confer with technology 
and business personnel and senior management before submitting a 
final report regarding an SCI event.
    \1575\ See supra note 1509 and accompanying text.
    \1576\ See supra notes 1527, 1529-1533 and accompanying text.
    \1577\ As compared to the Commission's burden estimate for Rule 
1002(b)(2), the Commission is estimating an additional 3 hours by an 
Attorney, 3 hours by a Compliance Manager, 1 hour by a Senior 
Systems Analyst, 1 hour by an Assistant General Counsel, 1 hour by a 
General Counsel, 1 hour by a Chief Compliance Officer, and 1 hour by 
a Senior Business Analyst. The type of personnel involved in 
compliance with Rule 1002(b)(4) is the same as those involved in 
compliance with Rule 1002(b)(2), except for the addition of the 
General Counsel.
    \1578\ 45 written notifications each year x 35 hours per 
notification = 1,575 hours.
    \1579\ 1,575 hours x 44 SCI entities = 69,300 hours. The 
Commission notes that this burden estimate includes the burden for 
submitting the one interim Commission notification required under 
Rule 1002(b)(4)(i)(B) (if necessary). In particular, the Commission 
notes that the interim notification requires SCI entities to include 
the same information as required to be included in a final 
notification under Rule 1002(b)(4)(i)(A), except that SCI entities 
are only required to provide the information to the extent known at 
the time of the interim notification. If an SCI entity submits an 
interim notification, it would also be required to submit a final 
notification, which is required to include all of the remaining 
information that was not provided in the interim notification. 
Because all SCI entities are required to provide the same amount of 
information in total for a particular SCI event under Rule 
1002(b)(4), regardless of whether they submit an interim 
notification, the estimated burden for Rule 1002(b)(4) includes the 
burden for both the interim notification and the final notification 
related to a particular SCI event.
---------------------------------------------------------------------------

    Finally, the quarterly notification under Rule 1002(b)(5) is 
required only to include ``a summary description'' of the SCI events. 
The Commission's estimated burden reflects the Commission's belief that 
most, if not all, SCI entities already have some internal documentation 
of de minimis SCI events. Rule 1002(b)(5) would impose more burden on 
SCI entities if they do not already have such internal documentation. 
The Commission estimates that the initial and ongoing burden to comply 
with the quarterly report requirement would be 40 hours per report per 
SCI entity,\1580\ or 160 hours annually per SCI entity,\1581\ and 7,040 
hours annually for all SCI entities.\1582\
---------------------------------------------------------------------------

    \1580\ The 40 burden hours include 7.5 hours by an Attorney, 
7.5 hours by a Compliance Manager, 2 hours by a Chief Compliance 
Officer, 2 hours by an Assistant General Counsel, 1 hour by a 
General Counsel, 10 hours by a Senior Business Analyst, and 10 hours 
by a Senior Systems Analyst.
    \1581\ 40 hours x 4 reports each year = 160 hours.
    \1582\ 160 hours x 44 SCI entities = 7,040 hours.
---------------------------------------------------------------------------

    The Commission estimates that while SCI entities would handle 
internally most of the work associated with Rule 1002(b), SCI entities 
would seek outside legal advice in the preparation of certain 
Commission notifications, at an average annual cost of $45,000 per SCI 
entity,\1583\ or $1,980,000 for all SCI entities.\1584\
---------------------------------------------------------------------------

    \1583\ See supra note 1522 and accompanying text (discussing the 
view of a commenter that SCI entities would need to engage outside 
parties to review the Commission notifications). But see supra note 
1536 and accompanying text (discussing the view of a commenter that 
none of the activities arising under proposed Rule 1000(b)(4) would 
be conducive to outsourcing). The Commission's estimate represents 
an average of $1,000 of outsourced cost for each SCI event that is 
not a de minimis SCI event. The $1,000 estimate is consistent with 
the Commission's estimated outsourcing cost for each SCI event that 
is subject to the dissemination requirements under Rule 1002(c). 45 
SCI events x $1,000 = $45,000.
    \1584\ $45,000 x 44 SCI entities = $1,980,000.
---------------------------------------------------------------------------

b. Dissemination of Information Regarding SCI Events
    In the SCI Proposal, the Commission estimated that each SCI entity 
would experience an average of 14

[[Page 72386]]

dissemination SCI events \1585\ each year that are not systems 
intrusions, resulting in an average of 14 information disseminations 
per year for each SCI entity under proposed Rule 1000(b)(5)(i).\1586\ 
The Commission estimated that each information dissemination under 
proposed Rule 1000(b)(5)(i)(A) would require an average of 3 hours to 
prepare and make available to members or participants.\1587\ The 
Commission estimated that each information update under proposed Rule 
1000(b)(5)(i)(B) would require an average of 5 hours to prepare and 
make available to members or participants.\1588\ The Commission also 
estimated that, on average, each SCI entity would provide one regular 
update per year per dissemination SCI event under proposed Rule 
1000(b)(5)(i)(C).\1589\ The Commission estimated that each regular 
update would require an average of 1 hour to prepare and make available 
to members or participants.\1590\
---------------------------------------------------------------------------

    \1585\ Dissemination SCI events included systems compliance 
issues, systems intrusions, and systems disruptions that resulted, 
or the SCI entity reasonably estimates would result, in significant 
harm or loss to market participants.
    \1586\ See Proposing Release, supra note 13, at 18149.
    \1587\ See id. The 3 burden hours included 2.67 hours by an 
Attorney and 0.33 hours by a Webmaster. See id. This estimate was 
based on Commission staff's experience with the ARP Inspection 
Program. See id. at 18149, n. 416.
    \1588\ See id. at 18150. The 5 burden hours included 4.67 hours 
by an Attorney and 0.33 hours by a Webmaster. See id. This estimate 
was based on Commission staff's experience with the ARP Inspection 
Program. See id. at 18150, n. 420.
    \1589\ See id. at 18150.
    \1590\ See id. The 1 burden hour included 0.67 hours by an 
Attorney and 0.33 hours by a Webmaster. See id. This estimate was 
based on the estimated burden to complete and submit a written 
update for an SCI event on Form SCI and on Commission staff's 
experience with the ARP Inspection Program. See id. at 18150, n. 422 
and n. 423.
---------------------------------------------------------------------------

    In the SCI Proposal, the Commission estimated that each SCI entity 
would experience an average of 1 dissemination SCI event that is a 
systems intrusion each year, resulting in 1 information dissemination 
per year under proposed Rule 1000(b)(5)(ii). The Commission estimated 
that each information dissemination would require an average of 3 hours 
to prepare and make available to members or participants.\1591\ This 
burden estimate included any burden for an SCI entity to document its 
reason for determining that dissemination of information regarding a 
systems intrusion would likely compromise the security of the SCI 
entity's SCI systems or SCI security systems, or an investigation of 
the systems intrusion.\1592\
---------------------------------------------------------------------------

    \1591\ See id. at 18150. The 3 burden hours included 2.67 hours 
by an Attorney and 0.33 hours by a Webmaster. See id. This estimate 
was based on Commission staff's experience with the ARP Inspection 
Program, and the Commission's burden estimate for proposed Rule 
1000(b)(5)(i)(A). See id. at 18150, n. 426.
    \1592\ See id.
---------------------------------------------------------------------------

    In the SCI Proposal, the Commission estimated that while SCI 
entities would internally handle most of the work associated with 
compliance with proposed Rule 1000(b)(5), SCI entities would seek 
outside legal advice in the preparation of the disseminations at an 
average annual cost of $15,000 per SCI entity.\1593\
---------------------------------------------------------------------------

    \1593\ See id. at 18150-51.
---------------------------------------------------------------------------

    With respect to the estimated burden under proposed Rule 
1000(b)(5), one commenter noted that since most of the work entailed in 
producing a notification relating to a dissemination SCI event would 
occur in connection with the Commission notification requirements under 
proposed Rule 1000(b)(4), the Commission's estimate of the burden of 
proposed Rule 1000(b)(5) is fairly accurate.\1594\
---------------------------------------------------------------------------

    \1594\ See MSRB Letter at 35.
---------------------------------------------------------------------------

    Another commenter stated that the Commission underestimated the 
burden associated with information dissemination.\1595\ In connection 
with expressing its concern that almost any minor or immaterial systems 
issue would fall under the proposed definition of SCI event, this 
commenter estimated that there would be at a minimum a ten-fold 
increase in reportable events from the 175 incidents in 2011 under the 
ARP Inspection Program.\1596\
---------------------------------------------------------------------------

    \1595\ See Omgeo Letter at 37. This commenter argued that the 
Commission mistakenly relied upon experience with the ARP Inspection 
Program as a basis for the estimates. See id.
    \1596\ See id. at 37-38.
---------------------------------------------------------------------------

    With respect to the estimated burden associated with information 
dissemination, this commenter argued that the Commission incorrectly 
assumed that such communications would be drafted only by a single 
attorney and a webmaster.\1597\ This commenter believed that properly 
drafting such communications will require a concerted effort by a 
number of individuals, including subject matter experts and mid-level 
and senior managers.\1598\ This commenter also noted that SCI entities 
would draft different dissemination notices designed to address the 
particular concerns of the different client segments it services (e.g., 
broker-dealers, custodian banks, investment managers, hedge 
funds).\1599\ As such, this commenter estimated that proposed Rule 
1000(b)(5)(i)(A) would result in a burden of approximately 30 hours to 
create the dissemination \1600\ and 100 hours to review.\1601\ Further, 
this commenter disagreed that SCI entities are likely to handle 
internally most of the work associated with information 
dissemination.\1602\ This commenter believed that, to the extent a 
dissemination SCI event raises the possibility of litigation or 
reputational damage for an SCI entity, the SCI entity will likely 
engage outside counsel to review the facts and prepare the required 
materials.\1603\ This commenter also argued that the Commission's 
estimate did not take into account the burden associated with 
addressing responses from an SCI entity's participants, members, or 
clients, which, according to this commenter, would be hundreds of hours 
of SCI entity associate and management time.\1604\ This commenter 
expressed similar concerns with respect to the burden estimates for proposed 
Rules 1000(b)(5)(i)(B) and (C) and noted that each follow-up notice 
would impose a burden far greater than 5 hours.\1605\ This commenter 
also noted that the Commission underestimated that each SCI entity 
would only have to provide one update each year under proposed Rule 
1000(b)(5)(i)(C), and that each dissemination would only be prepared by 
an attorney and a webmaster.\1606\
---------------------------------------------------------------------------

    \1597\ See id. at 38.
    \1598\ See id. According to this commenter, subject matter 
experts would include associates from functions such as Technology, 
Client Support, Information Security, Legal, Compliance, Product 
Management, and Sales and Relationship Management. See id. at 38, n. 
75.
    \1599\ See Omgeo Letter at 38.
    \1600\ This commenter noted that major incidents would require 
far more resources. See id.
    \1601\ See id. This commenter noted that the 100-hour estimate 
does not include any follow up communications. See id. at 38, n. 76.
    \1602\ See id. at 39. However, another commenter stated its 
belief that none of the activities arising under proposed Rule 
1000(b)(5) would be conducive to outsourcing. See MSRB Letter at 
34-35.
    \1603\ See Omgeo Letter at 39. This commenter also expressed 
concern that SCI entities would be forced to send their clients and 
participants a constant stream of communications detailing minor, 
inconsequential events that have no impact on them, which would 
cause reputational damage to SCI entities. See id.
    \1604\ See id.
    \1605\ See id. at 40-41.
    \1606\ See id. at 41.

---------------------------------------------------------------------------

[[Page 72387]]

    With respect to the burden estimates for proposed Rule 
1000(b)(5)(ii), this commenter expressed similar concern, and noted 
that each dissemination under proposed Rule 1000(b)(5)(ii) would 
require hundreds of burden hours.\1607\
---------------------------------------------------------------------------

    \1607\ See id. at 41-42.
---------------------------------------------------------------------------

    As discussed above in Section IV.B.3.d, the Commission is adopting 
the information dissemination requirements in Rule 1002(c), with 
certain modifications from the proposal. As adopted, an SCI entity is 
required to disseminate certain information to its members or 
participants that may have been affected by an SCI event.\1608\ 
However, for major SCI events, an SCI entity must disseminate the 
required information to all of its members or participants.\1609\ Rule 
1002(c)(4) further provides that the information dissemination 
requirement does not apply to SCI events to the extent they relate to 
market regulation or market surveillance systems, or any SCI event that 
has had, or the SCI entity reasonably estimates would have, no or a de 
minimis impact on the SCI entity's operations or on market 
participants.
---------------------------------------------------------------------------

    \1608\ See Rule 1002(c)(3).
    \1609\ See id.
---------------------------------------------------------------------------

    Similar to proposed Rule 1000(b)(5), adopted Rule 1002(c)(1) 
requires SCI entities to promptly disseminate certain information 
regarding systems disruptions and systems compliance issues, to further 
disseminate certain information when such information becomes 
known,\1610\ and to provide regular updates of such information until 
the SCI event is resolved. In addition, similar to proposed Rule 
1000(b)(5), adopted Rule 1002(c)(2) requires SCI entities to promptly 
disseminate certain information regarding systems intrusions,\1611\ and 
provides an exception when the SCI entity determines that dissemination 
of such information would likely compromise the security of its SCI 
systems or indirect SCI systems, or an investigation of the systems 
intrusion, and documents the reasons for such determination.
---------------------------------------------------------------------------

    \1610\ The information required to be disseminated under Rule 
1002(c)(1) remains unchanged from the proposal.
    \1611\ The information required to be disseminated under Rule 
1002(c)(2) remains unchanged from the proposal.
---------------------------------------------------------------------------

    With respect to a commenter's concern that because almost any minor 
or immaterial systems issue would fall under the proposed definition of 
SCI event, there would be at a minimum a ten-fold increase in 
reportable events as compared to the reported incidents under the ARP 
Inspection Program,\1612\ as noted above, Rule 1002(c)(4) provides 
exceptions to certain SCI events from the information dissemination 
requirement. Specifically, SCI events that relate to market regulation 
or market surveillance systems and de minimis SCI events would not be 
subject to the information dissemination requirement.\1613\ Further, as 
noted above in Section IV.A, the Commission has refined the definition 
of SCI systems and SCI event in various respects.\1614\ Given these 
changes, the Commission believes that the commenter's suggestion that 
there would be at a minimum a ten-fold increase in reportable events as 
compared to the reported incidents under the ARP Inspection Program is 
not an appropriate estimate. The Commission now estimates that each SCI 
entity would disseminate information regarding 36 SCI events each year 
under Rule 1002(c),\1615\ including 1 non-de minimis systems intrusion 
each year.\1616\ Therefore, the Commission now estimates that each SCI 
entity would disseminate information regarding 35 SCI events each year 
under Rule 1002(c)(1)(i). The Commission estimates that each SCI entity 
would disseminate 3 updates for each such SCI event under Rules 
1002(c)(1)(ii) and (iii),\1617\ or 105 updates each year.\1618\ 
Further, the Commission estimates that each SCI entity would 
disseminate information regarding 1 systems intrusion each year under 
Rule 1002(c)(2).
---------------------------------------------------------------------------

    \1612\ See supra note 1596 and accompanying text.
    \1613\ These exceptions should address a commenter's concern 
that proposed Rule 1000(b)(5) would result in SCI entities being 
forced to send their clients and participants a constant stream of 
communications detailing minor, inconsequential events that have no 
impact on them. See id.
    \1614\ See Rule 1000 (defining ``SCI systems'' and ``SCI 
event'').
    \1615\ As discussed above, the Commission estimates that each 
SCI entity will experience an average of 45 SCI events each year 
that are not de minimis SCI events. The Commission estimates that 
approximately one-fifth of these SCI events relate to market 
regulation and market surveillance systems. Therefore, the 
Commission estimates that the number of SCI events subject to the 
requirements of Rule 1002(c) would be 36 per year for each SCI 
entity (45 SCI events / 5 x 4 = 36 SCI events).
    \1616\ Based on the Commission's experience with the ARP Inspection 
Program, the Commission believes each SCI entity will experience on 
average less than one non-de minimis systems intrusion per year. 
However, for purposes of the PRA, the Commission estimates one 
non-de minimis systems intrusion per SCI entity per year.
    \1617\ The Commission notes that Rule 1002(c)(1)(ii) requires 
each SCI entity, when known, to promptly further disseminate for 
each SCI event three types of information: (A) A detailed 
description of the SCI event; (B) the SCI entity's current 
assessment of the types and number of market participants 
potentially affected by the SCI event; and (C) a description of the 
progress of its corrective action for the SCI event and when the SCI 
event has been or is expected to be resolved. The Commission 
believes that one or more of these types of information may become 
known to an SCI entity at different times, and therefore the 
Commission estimates that each SCI entity will submit two updates 
per SCI event under Rule 1002(c)(1)(ii). Rule 1002(c)(1)(iii) 
requires each SCI entity to provide regular updates of any 
information required to be disseminated under Rules 1002(c)(1)(i) 
and (ii). The Commission estimates that each SCI entity will submit 
one regular update under Rule 1002(c)(1)(iii) before the SCI event 
is resolved. The Commission believes that the number of updates 
under Rules 1002(c)(1)(ii) and (iii) will vary depending on how 
quickly information is discovered and how quickly the SCI event is 
resolved, but believes that a total of three updates for the two 
provisions is an appropriate estimate.
    \1618\ 35 SCI events x 3 updates per SCI event = 105 updates.
---------------------------------------------------------------------------

    The Commission estimates that each information dissemination under 
Rule 1002(c)(1)(i) will require 7 hours.\1619\ The Commission is not 
significantly increasing its burden estimate from the proposal because 
the Commission believes that the information required to be 
disseminated under Rule 1002(c)(1)(i) would likely already be collected 
for Commission notification under Rule 1002(b)(1) or (2).\1620\ 
Therefore, contrary to the view of a commenter,\1621\ the Commission 
does not believe that Rule 1002(c)(1)(i) will result in significantly 
higher burden for

[[Page 72388]]

SCI entities than as estimated in the proposal. With respect to the 
view of a commenter that SCI entities would create different 
dissemination notices designed to address the concerns of different 
client segments,\1622\ the Commission notes that Rule 1002(c) only 
specifies the general information that must be disseminated and does 
not require that SCI entities provide different information to 
different clients, even though SCI entities can decide to tailor the 
information dissemination for their clients.\1623\ Based on the 
foregoing, the Commission estimates that each SCI entity would require 
an average of 245 hours annually to comply with Rule 
1002(c)(1)(i),\1624\ or 10,780 hours for all SCI entities.\1625\
---------------------------------------------------------------------------

    \1619\ The 7 hours include 2.67 hours by an Attorney, 1 hour by 
a Compliance Manager, 0.5 hours by a Chief Compliance Officer, 0.5 
hours by a General Counsel, 0.5 hours by a Director of Compliance, 1 
hour by a Senior Systems Analyst, 0.5 hours by a Corporate 
Communications Manager, and 0.33 hours by a Webmaster. As compared 
to the estimated burden for proposed Rule 1000(b)(5)(i)(A), the 
Commission is estimating an additional 1 hour by a Compliance 
Manager, 0.5 hours by a General Counsel, 0.5 hours by a Chief 
Compliance Officer, 0.5 hours by a Director of Compliance, 1 hour by 
a Senior Systems Analyst, and 0.5 hours by a Corporate 
Communications Manager to reflect the view of commenters that the 
preparation for information dissemination would require the 
involvement of subject matter experts and mid-level and senior 
managers. See supra notes 1597-1598 and accompanying text.
    \1620\ See also supra note 1594 and accompanying text 
(discussing the view of a commenter that since most of the work 
entailed in producing a notification relating to a dissemination SCI 
event would occur in connection with the Commission notification 
requirements under proposed Rule 1000(b)(4), the Commission's 
estimate of the burden of proposed Rule 1000(b)(5) is fairly 
accurate).
    \1621\ See supra notes 1600-1601 and 1607 and accompanying text.
    \1622\ See supra notes 1599-1601 and accompanying text.
    \1623\ This commenter also noted that the Commission did not 
take into account the burden associated with addressing responses 
from an SCI entity's participants, members, or clients. See supra 
note 1604 and accompanying text. The Commission believes that 
currently, SCI entities already notify affected members or 
participants of certain systems issues. The Commission also believes 
that information regarding many systems issues that fall under the 
definition of major SCI event is already made available to members 
or participants of an SCI entity, and often to the public through 
the press or otherwise. Therefore, the Commission does not believe 
that the burden to respond to members or participants will be 
significantly higher than SCI entities' current practices in the 
absence of Regulation SCI. The Commission also notes that Rule 
1002(c) does not impose any requirements related to responding to 
inquiries about the information dissemination.
    \1624\ 35 information disseminations each year x 7 hours per 
dissemination = 245 hours.
    \1625\ 245 hours x 44 SCI entities = 10,780 hours.
---------------------------------------------------------------------------

    The Commission estimates that each update under Rules 
1002(c)(1)(ii) and (iii) will require 13 hours.\1626\ The Commission is 
not significantly increasing its burden estimate for proposed Rules 
1000(b)(5)(i)(B) and (C) because the Commission believes that the 
information required to be disseminated under Rules 1002(c)(1)(ii) and 
(iii) would likely already be collected for Commission notification 
under Rules 1002(b)(2)-(4).\1627\ Therefore, contrary to the view of a 
commenter,\1628\ the Commission does not believe that Rules 
1002(c)(1)(ii) and (iii) will result in significantly higher burden for 
SCI entities than as estimated in the SCI Proposal. Based on the 
foregoing, the Commission estimates that each SCI entity would require 
an average of 1,365 hours annually to comply with Rules 1002(c)(1)(ii) 
and (iii),\1629\ or 60,060 hours for all SCI entities.\1630\
---------------------------------------------------------------------------

    \1626\ The 13 hours include 4.67 hours by an Attorney, 2 hours 
by a Compliance Manager, 1 hour by a Chief Compliance Officer, 1 
hour by a General Counsel, 1 hour by a Director of Compliance, 2 
hours by a Senior Systems Analyst, 1 hour by a Corporate 
Communications Manager, and 0.33 hours by a Webmaster. As compared 
to the estimated burden for proposed Rule 1000(b)(5)(i)(B), the 
Commission is estimating an additional 2 hours by a Compliance 
Manager, 1 hour by a General Counsel, 1 hour by a Chief Compliance 
Officer, 1 hour by a Director of Compliance, 2 hours by a Senior 
Systems Analyst, and 1 hour by a Corporate Communications Manager to 
reflect the view of commenters that the preparation for information 
dissemination would require the involvement of subject matter 
experts and mid-level and senior managers. See supra notes 1597-1598 
and accompanying text.
    \1627\ See supra notes 1594 and 1620 and accompanying text.
    \1628\ See supra notes 1605-1606 and accompanying text.
    \1629\ 105 updates each year x 13 hours per update = 1,365 
hours.
    \1630\ 1,365 hours x 44 SCI entities = 60,060 hours.
---------------------------------------------------------------------------

    The information required to be disseminated under Rule 1002(c)(2) 
for systems intrusions is similar to the information required to be 
disseminated under Rule 1002(c)(1)(i) in that both provisions require 
the dissemination of a summary description of an SCI event. Therefore, 
the Commission is using the burden estimate for Rule 1002(c)(1)(i) as 
the basis for its estimate for Rule 1002(c)(2). However, the Commission 
believes that Rule 1002(c)(2) will impose more burden than Rule 
1002(c)(1)(i) because it also requires that the SCI entity determine 
whether dissemination of information regarding a particular systems 
intrusion would compromise the security of its SCI systems or indirect 
SCI systems, or an investigation of the systems intrusion, and if the 
SCI entity determines that it would, to document the reason for such 
determination.\1631\ Therefore, the Commission estimates that each SCI 
entity will spend an average of 10 hours to comply with Rule 
1002(c)(2),\1632\ or 440 hours for all SCI entities.\1633\
---------------------------------------------------------------------------

    \1631\ See Rule 1002(c)(2).
    \1632\ The 10 hours include 3.67 hours by an Attorney, 1.5 hours 
by a Compliance Manager, 0.75 hours by a Chief Compliance Officer, 
0.75 hours by a General Counsel, 0.75 hours by a Director of 
Compliance, 1.5 hours by a Senior Systems Analyst, 0.75 hours by a 
Corporate Communications Manager, and 0.33 hours by a Webmaster. See 
supra note 1619. The burden estimate for Rule 1002(c)(2) is 
approximately one and a half times the Commission's burden estimate 
for Rule 1002(c)(1)(i). (7 hours x 1.5 = 10.5 hours.)
    \1633\ 10 hours x 44 SCI entities = 440 hours.
---------------------------------------------------------------------------

    The Commission estimates that while SCI entities would handle 
internally some or most of the work associated with compliance with Rule 
1002(c),\1634\ SCI entities would seek outside legal advice in the 
preparation of the information dissemination, at an average annual cost 
of $36,000 per SCI entity,\1635\ or $1,584,000 for all SCI 
entities.\1636\
---------------------------------------------------------------------------

    \1634\ The Commission recognizes that some SCI entities, such as 
certain SCI SROs, may have the in-house expertise to complete the 
work associated with compliance with Rule 1002(c), while other SCI 
entities may not and would therefore need to outsource some of the 
work associated with compliance with Rule 1002(c).
    \1635\ The Commission is increasing its estimate of the 
outsourcing cost for compliance with Rule 1002(c) from its estimate 
in the proposal because its estimate of the number of information 
disseminations is higher than the estimated number in the proposal 
(i.e., from 15 to 36). In the SCI Proposal, the Commission estimated 
an outsourcing cost of $15,000 for 15 SCI events, which results in 
an average cost of $1,000 per SCI event. The Commission is 
continuing to estimate an average cost of $1,000 per SCI event 
subject to information dissemination, but is increasing the total 
outsourcing cost to $36,000 based on the increase in the number of 
estimated SCI events to 36. See also supra notes 1602-1603 and 
accompanying text (discussing the view of a commenter that SCI 
entities will likely engage outside counsel to review the facts and 
prepare the required documents to the extent an SCI event raises the 
possibility of litigation or reputational damage). But see supra 
note 1602 and accompanying text (discussing the view of a commenter 
that none of the activities arising under proposed Rule 1000(b)(5) 
would be conducive to outsourcing).
    \1636\ $36,000 x 44 SCI entities = $1,584,000.
---------------------------------------------------------------------------

c. Commission Notification of Material Systems Changes
    In the SCI Proposal, the Commission estimated that each SCI entity 
would have an average of 60 planned material systems changes each year, 
resulting in 60 advance notifications per year.\1637\ The Commission 
estimated that each notification would require 2 hours to prepare and 
submit.\1638\ For SCI entities that currently participate in the ARP 
Inspection Program, the Commission estimated that these entities would 
start from a baseline of fifty percent.\1639\ The Commission also 
estimated that the initial and ongoing burden to submit semi-annual 
reports to the Commission pursuant to proposed Rule 1000(b)(8)(ii) 
would be 60 hours per report for each SCI entity.\1640\
---------------------------------------------------------------------------

    \1637\ See Proposing Release, supra note 13, at 18151. This 
estimate included instances where the information previously 
provided to the Commission regarding any planned material systems 
change becomes inaccurate. See id. at 18151, n. 431.
    \1638\ See id. at 18151. The 2 burden hours included 0.33 hours 
by an Attorney and 1.67 hours by a Senior Systems Analyst. See id. 
This estimate was based on Commission staff's experience with the 
ARP Inspection Program. In determining this estimate, the Commission 
also considered its burden estimate for the same reporting 
requirement that was proposed for SB SEFs. See id. at 18151, n. 432.
    \1639\ See id. at 18151.
    \1640\ See id. at 18152. The 60 burden hours included 10 hours 
by an Attorney and 50 hours by a Senior Systems Analyst. See id. 
This estimate was based on Commission staff's experience with the 
ARP Inspection Program. See id. at 18152, n. 440.
---------------------------------------------------------------------------

    With respect to the estimated burden under proposed Rule 
1000(b)(6), some commenters noted that the Commission underestimated 
the number of material systems changes.\1641\ For example, one 
commenter stated that, based on the proposed definition of material 
systems changes, each SCI entity could be reporting 60 material systems 
changes each week.\1642\ One commenter noted that the burden estimate 
was effectively limited to ministerial tasks of producing material 
systems change notifications and did not take into account activities 
necessary to gather the information needed, to have appropriate 
confirmations from persons with knowledge of the material systems 
change, to provide for senior management review where appropriate, and 
to otherwise be in a position to draft the notification.\1643\ One 
commenter stated that the Commission's estimate of 2 hours for each 
material systems change notice is too low because describing systems 
changes ``involves the work of a tech-writer, who needs to collaborate 
with multiple groups on a project team, including the project manager, 
application development team and the testing and implementation 
teams.'' \1644\ Similarly, one commenter noted that material systems 
change notifications would require substantial review by IT management, 
relevant business supervisors, as well as compliance staff, which would 
increase the burden estimate at least three-fold.\1645\ One commenter 
noted that, based on its experience under the ARP Inspection Program, 
each notice under proposed Rule 1000(b)(6) would require at least 62 
hours.\1646\ This commenter also opined that the Commission mistakenly 
assumed that only a senior systems analyst and an attorney would be 
involved in the drafting of the notice.\1647\ According to this 
commenter, a number of subject matter experts would need to be involved 
in drafting and reviewing these notices (i.e., Project Management, 
Developments, Quality Assurance, Performance Testing, Systems 
Engineering, Systems Architecture, Capacity Planning, Information 
Security, Business Continuity, Disaster Recovery, Legal, and 
Compliance).\1648\
---------------------------------------------------------------------------

    \1641\ See BATS Letter at 14. See also NYSE Letter at 26 
(stating that if ``material'' were interpreted broadly to cover any 
functional change to an SCI system, the number of material systems 
changes could measure in the thousands); and OTC Markets Letter at 
21 (stating that it estimated it had a minimum of 430 reportable 
changes to its production systems over a ten-month time frame based 
on the proposed notification standards for material systems 
changes).
    \1642\ See BATS Letter at 14.
    \1643\ See MSRB Letter at 35.
    \1644\ See OCC Letter at 15. This commenter stated that a large 
amount of information needs to be assembled from different groups 
and consolidated into a single report, which would include, for 
example: (i) A high-level description of the functionality and 
configuration of the affected systems; (ii) a description of the 
systems development process; (iii) the relationship to other 
systems; (iv) changes to production schedules due to the planned 
system change; (v) any effects on capacity; (vi) a description of 
test results; (vii) a summary of test results; (viii) contingency 
protocols (i.e., fallback options and disaster recovery measures); 
(ix) vulnerability assessments and security measures; and (x) 
whether an SEC rule filing under Rule 19b-4 has been made in 
connection with the system change notification. See id. at 15-16. 
According to this commenter, unless the Commission intends for the 
scope of information provided with these notices to be limited to 
high level descriptions and generally less detailed, the preparation 
of material systems change notices generally requires considerably 
more time than estimated. See id. at 16.
    \1645\ See UBS Letter at 6.
    \1646\ See Omgeo Letter at 42.
    \1647\ See id.
    \1648\ See id. at 42-43.
---------------------------------------------------------------------------

    On the other hand, one commenter stated that the Commission's 
estimate of the burden of proposed Rule 1000(b)(8)(ii) is fairly 
accurate.\1649\
---------------------------------------------------------------------------

    \1649\ See MSRB Letter at 37.
---------------------------------------------------------------------------

    One commenter stated its belief that none of the activities arising 
under proposed Rules 1000(b)(6) and (b)(8) would be conducive to 
outsourcing.\1650\
---------------------------------------------------------------------------

    \1650\ See id. at 36-37.
---------------------------------------------------------------------------

    As discussed in detail above in Section IV.B.4, the Commission is 
not adopting the requirement for SCI entities to provide 30-day advance 
notifications or semi-annual reports of material systems changes. Also 
as discussed in detail above in Section IV.B.4, the Commission is not 
adopting the proposed definition of material systems change. Adopted 
Rule 1003(a) requires each SCI entity to submit quarterly reports 
describing completed, ongoing, and planned material changes to its SCI 
systems and security of indirect SCI systems during the prior, current, 
and subsequent calendar quarters. Adopted Rule 1003(b) additionally 
requires each SCI entity to promptly submit a supplemental report 
notifying the Commission of a material error in or material omission 
from a report previously submitted under Rule 1003(a).
    With respect to the comment that, based on the proposed definition 
of material systems change, each SCI entity could be reporting 60 
material systems changes each week (rather than each year), the 
Commission notes that it has not adopted the proposed definition of 
material systems change.\1651\ Rather, as discussed above in Section 
IV.B.4, Rule 1003(a)(1) requires each SCI entity to establish 
reasonable criteria for identifying a change to its SCI systems and the 
security of indirect SCI systems as material. Because Rule 1003(a)(1) 
allows each SCI entity to identify material systems changes, it is 
responsive to commenters' concern that the proposed definition was too 
broad and would result in an excessive number of notifications, and to 
commenters' suggestion that the definition should be revised. In 
particular, an SCI entity will have reasonable discretion in 
establishing the written criteria in order to capture the systems 
changes that it believes are material. Relatedly, with respect to 
commenters who specifically discussed the 30-day advance Commission 
notification requirement for material systems changes,\1652\ the 
Commission notes that it is not adopting a 30-day advance notification 
requirement for each material systems change and is instead adopting a 
quarterly reporting requirement. Therefore, the Commission does not 
believe that it is necessary to estimate the number of material systems 
changes that each SCI entity will experience each year in order to 
estimate the burden associated with Rule 1003(a).
---------------------------------------------------------------------------

    \1651\ See supra notes 1641-1642 and accompanying text.
    \1652\ See supra notes 1643-1648 and accompanying text.
---------------------------------------------------------------------------

    As discussed above in Section IV.B.4, Rule 1003(a) requires 
quarterly reports on material systems changes and supplemental reports 
under certain circumstances. Specifically, the quarterly reports are 
required to include a description of the completed, ongoing, and 
planned material changes to SCI systems and the security of indirect 
SCI systems, during the prior, current, and subsequent calendar 
quarters, including the dates or expected dates of commencement and 
completion.\1653\ The Commission notes that the quarterly reports under 
Rule 1003(a) are required to include similar information as the 
information required under proposed Rule 1000(b)(8)(ii).\1654\ 
However, because the Commission is not requiring 30-day advance 
notification of each material systems change, SCI entities may need to 
spend more time to gather the information required to be included in 
the quarterly reports and to prepare the quarterly reports than the 
burden estimated for proposed Rule 1000(b)(8)(ii).\1655\ Therefore, the 
Commission estimates that the initial and ongoing burden to comply with 
the quarterly reporting requirement would be 125 hours per report per 
SCI entity,\1656\ or 500 hours annually per SCI entity \1657\ and 
22,000 hours annually for all SCI entities.\1658\
---------------------------------------------------------------------------

    \1653\ Contrary to the views of a commenter, these quarterly 
reports are limited in scope and do not require a detailed 
description of each systems change that the SCI entity determines to 
be material. See supra note 1644 (discussing the concerns of a 
commenter that a large amount of information would need to be 
assembled and consolidated into a single report, and that unless the 
Commission intends for the scope of the information provided to be 
limited to high level descriptions and generally less detailed, the 
preparation of material systems change notices will require 
considerably more time than estimated). The Commission notes that it 
intends for the quarterly report to only require the information 
necessary to allow the Commission and its staff to gain a sufficient 
understanding of the relevant material systems changes, which would 
aid the Commission and its staff in understanding the operations and 
functionality of the systems of an SCI entity and changes to such 
systems. Specifically, Rule 1003(a)(1) requires the quarterly report 
to ``describe'' the material systems changes and gives each SCI 
entity reasonable flexibility in how to describe it.
    \1654\ Proposed Rule 1000(b)(8)(ii) required semi-annual reports 
that include a summary description of the progress of any material 
systems changes during the six-month period ending on June 30 or 
December 31, and the date, or expected date, of completion of 
implementation of such changes.
    \1655\ At the same time, the Commission believes that most, if 
not all, SCI entities already have some internal procedures for 
documenting all systems changes.
    \1656\ In the SCI Proposal, the Commission preliminarily 
estimated 60 hours per semi-annual report. See Proposing Release, 
supra note 13, at 18152. The Commission believes that, although Rule 
1003(a)(1) requires quarterly reports rather than semi-annual 
reports, the reporting burden should not be reduced because the 
quarterly reports would cover material systems changes during the 
prior, current, and subsequent calendar quarters. On the other hand, 
the proposed semi-annual reports would have only covered material 
systems changes during the previous 6 months. In addition, because 
the Commission is not requiring 30-day advance notification of each 
material systems change, SCI entities may need more time to gather 
the information required to be included in the quarterly reports and 
to prepare the quarterly reports. Therefore, the Commission believes 
that it is appropriate to increase by fifty percent its estimate for 
the proposed semi-annual reporting requirement and to add additional 
personnel in response to comment. But see supra note 1649 and 
accompanying text (discussing a commenter's view that the 
Commission's estimate of the burden under proposed Rule 
1000(b)(8)(ii) is fairly accurate). The 125 burden hours include 
7.5 hours by an Attorney, 7.5 hours by a Compliance Manager, 5 hours 
by a Chief Compliance Officer, 30 hours by a Senior Business 
Analyst, and 75 hours by a Senior Systems Analyst. In addition to 
adding fifty percent to the estimated burden for proposed Rule 
1000(b)(8)(ii), the Commission is estimating an additional 7.5 hours 
by a Compliance Manager (and decreasing the proposed burden estimate 
for Attorney from 10 hours to 7.5 hours), 5 hours by a Chief 
Compliance Officer, and 30 hours by a Senior Business Analyst to 
address commenters' view that the estimates in the SCI Proposal did 
not take into account the activities to gather the information 
needed, to have appropriate confirmations from persons with 
knowledge of the material systems change, and to provide for senior 
management review where appropriate (even though some of these 
commenters commented on the burden estimate for proposed Rule 
1000(b)(6) only). See supra notes 1643, 1645, 1647, and 1648 and 
accompanying text. The Commission notes that the inclusion of Senior 
Business Analyst and Senior Systems Analyst is intended to cover 
subject matter experts for material systems changes, as suggested by 
a commenter. See supra note 1648 and accompanying text.
    \1657\ 125 hours x 4 reports each year = 500 hours. The 
Commission recognizes that, to the extent an SCI entity develops a 
template for quarterly material systems change reports, the burden 
associated with creating future quarterly reports may be reduced.
    \1658\ 500 hours x 44 SCI entities = 22,000 hours.
---------------------------------------------------------------------------

    With respect to the requirement under Rule 1003(a)(2) for 
supplemental material systems change reports, for purposes of this PRA 
analysis, the Commission estimates that most quarterly reports will not 
contain material errors or material omissions. Therefore, the 
Commission estimates that each SCI entity will submit 2 supplemental 
reports each year under Rule 1003(a)(2), in order to account for the 
few instances where a quarterly report must be corrected. The 
Commission estimates that the initial and ongoing burden to comply with 
the supplemental reporting requirement would be 15 hours per report per 
SCI entity,\1659\ or 30 hours annually per SCI entity \1660\ and 1,320 
hours annually for all SCI entities.\1661\ The Commission believes that 
SCI entities would handle internally the work associated with reports 
required under Rule 1003(a).\1662\
---------------------------------------------------------------------------

    \1659\ The 15 burden hours include 2 hours by an Attorney, 2 
hours by a Compliance Manager, 1 hour by a Chief Compliance Officer, 
3 hours by a Senior Business Analyst, and 7 hours by a Senior 
Systems Analyst. The Commission believes that the burden associated 
with supplemental material systems change reports will be 
substantially lower than the burden associated with quarterly 
material systems change reports, but the same type of personnel will 
be involved in the supplemental report as the quarterly report.
    \1660\ 15 hours x 2 reports each year = 30 hours.
    \1661\ 30 hours x 44 SCI entities = 1,320 hours.
    \1662\ See supra note 1650 and accompanying text.
---------------------------------------------------------------------------

d. SCI Review
    In the SCI Proposal, the Commission estimated that the initial and 
ongoing burden of conducting an SCI review and submitting the SCI 
review to senior management for review would be approximately 625 hours 
for each SCI entity.\1663\ The Commission also estimated that each SCI 
entity would spend 1 hour to submit the SCI review to the Commission 
pursuant to proposed Rule 1000(b)(8)(i).\1664\
---------------------------------------------------------------------------

    \1663\ See Proposing Release, supra note 13, at 18151. The 625 
burden hours included 80 hours by an Attorney, 170 hours by a 
Manager Internal Auditor, and 375 hours by a Senior Systems Analyst. 
See id. This estimate was the Commission's preliminary best estimate 
and was based on Commission staff's experience with the ARP 
Inspection Program. This estimate was also the same as the 
Commission's burden estimate for internal audits of SB SEFs. See id. 
at 18151, n. 437.
    \1664\ See id. at 18151. The 1 burden hour would be spent by an 
Attorney. See id.
---------------------------------------------------------------------------

    With respect to the burden associated with SCI reviews, one 
commenter stated that the Commission's estimate of the burden of 
proposed Rule 1000(b)(7) is fairly accurate.\1665\ According to this 
commenter, although the burden estimate of proposed Rule 1000(b)(7) did 
not require the inclusion of senior management's response, the 
Commission's estimate is sufficient to cover the burden on senior 
management to produce such response.\1666\
---------------------------------------------------------------------------

    \1665\ See MSRB Letter at 36.
    \1666\ See id. at 37.
---------------------------------------------------------------------------

    Another commenter noted that the Commission's estimate of the 
burden associated with SCI review is too low and that the SCI review 
will require over 1,200 burden hours.\1667\ In connection with 
advocating for a risk-based approach for SCI reviews, one commenter 
noted that if it were to attempt to conduct all of the market-related 
technology application reviews that it currently conducts over four 
years during one year (excluding regulatory technology applications 
such as those related to member regulation), it would require 
approximately 6,400 to 8,320 hours.\1668\ According to this commenter, 
significantly more resources would be required to conduct SCI reviews 
if the definition of SCI systems includes non-market regulatory and 
surveillance systems, and development and testing systems.\1669\ One 
commenter noted that significant portions of the SCI review could be 
outsourced and that the Commission's estimate for the overall cost of 
outsourcing is reasonable, although some of the assumed hourly rates 
used in the SCI Proposal appear to be too low in the context of the 
current market environment.\1670\
---------------------------------------------------------------------------

    \1667\ See ISE Letter at 12.
    \1668\ See FINRA Letter at 40. According to this commenter, it 
currently spends approximately 160 hours for each review of a 
technology application in connection with its regulatory audits, and 
currently it reviews between 10 and 13 market-related technology 
applications annually. See id.
    \1669\ See id.
    \1670\ See MSRB Letter at 36.
---------------------------------------------------------------------------

    One commenter noted that the Commission's estimate did not take 
into account the additional work that would be required by many 
different SCI entity associates, including managers and subject matter 
experts, in order to satisfy the requirements of proposed Rule 
1000(b)(7).\1671\ This commenter stated that the Commission incorrectly 
assumed that only an attorney, manager internal audit, and systems 
analyst would be required to work on the SCI review.\1672\ According to 
this commenter, subject matter expertise that would be needed to 
perform such a review includes Product Managers, Project Managers, 
Developers, Quality Assurance staff, Systems Engineers, Systems 
Architects, Capacity Planners, Information Security experts, Business 
Continuity and Disaster Recovery staff, Compliance staff, and 
management.\1673\ This commenter estimated that the 
annual burden under proposed Rule 1000(b)(7) would be 4,670 
hours.\1674\ According to this commenter, if the Commission intended 
SCI entities to conduct a broader scope review beyond those now 
required by the ARP Inspection Program, then the annual burden would be 
11,199 hours.\1675\ With respect to the burden estimate for proposed 
Rule 1000(b)(8)(i), one commenter stated that the estimate did not 
address the burden on senior management for reading, analyzing, and 
perhaps responding to the SCI review.\1676\
---------------------------------------------------------------------------

    \1671\ See Omgeo Letter at 44.
    \1672\ See id.
    \1673\ See id.
    \1674\ See id.
    \1675\ See id.
    \1676\ See id.
---------------------------------------------------------------------------

    As discussed above in Section IV.B.5, the Commission is adopting 
SCI review-related requirements in Rule 1003(b), with some 
modifications from the proposal. Specifically, Rule 1003(b)(1) requires 
each SCI entity to conduct an SCI review of its compliance with 
Regulation SCI not less than once each calendar year, with an exception 
for penetration test reviews, which are required to be conducted not 
less than once every three years.\1677\ As adopted, Rule 1003(b)(1)(ii) 
provides an exception for assessments of SCI systems directly 
supporting market regulation or market surveillance, which are required 
to be reviewed at a frequency based on the risk assessment conducted as 
part of the SCI review, but in no case less than once every three 
years.\1678\ Rules 1003(b)(2) and (3) require each SCI entity to submit 
a report of the SCI review to senior management no more than 30 
calendar days after completion of the review, and to submit the report 
to the Commission and to the board of directors of the SCI entity or 
the equivalent of such board, together with any response by senior 
management, within 60 calendar days after its submission to senior 
management.
---------------------------------------------------------------------------

    \1677\ As proposed, the rule would have required penetration 
test reviews of the SCI entity's network, firewalls and development, 
testing, and production systems. However, consistent with 
modifications to the definition of SCI systems, references to 
development and test systems have been deleted in adopted Rule 
1003(b)(1)(i).
    \1678\ These exceptions, along with the exclusion of development 
and testing systems from the definition of SCI systems, would 
address, at least in part, some commenters' concern regarding the 
scope of the definition of SCI systems and consequently the burden 
of the SCI review requirement. See supra notes 1669 and 1675 and 
accompanying text.
---------------------------------------------------------------------------

    After considering the views of commenters, the Commission is not 
significantly increasing the burden estimate for compliance with Rules 
1003(b)(1) and (2) from its estimates in the SCI Proposal. In 
particular, one commenter noted that the Commission's burden estimate 
for proposed Rule 1000(b)(7) was fairly accurate.\1679\ Further, while 
other commenters advocated higher burden estimates for the SCI review 
requirement,\1680\ the Commission notes that it has refined the 
definition of SCI systems (e.g., by eliminating development and testing 
systems, and focusing on market regulation and market surveillance 
systems) and has incorporated a risk-based approach to the frequency of 
testing for market regulation and market surveillance systems. The 
Commission estimates that the initial and ongoing burden of conducting 
an SCI review and submitting the SCI review to senior management of the 
SCI entity for review would be approximately 690 hours for each SCI 
entity,\1681\ and 30,360 hours annually for all SCI entities.\1682\ The 
Commission estimates that while SCI entities would handle internally 
some or most of the work associated with compliance with Rule 
1003(b),\1683\ SCI entities would outsource some of the work associated 
with an SCI review, at an average annual cost of $50,000 per SCI 
entity,\1684\ or $2,200,000 for all SCI entities.\1685\
---------------------------------------------------------------------------

    \1679\ See supra note 1665 and accompanying text.
    \1680\ See supra notes 1667-1668 and 1675 and accompanying text. 
These commenters estimated a range of 1,200 to 8,320 burden hours. 
In response to the commenter that stated that it currently spends 
approximately 160 hours for each review of a technology application 
and it reviews between 10 and 13 market-related technology 
applications annually, the Commission notes that the burden 
estimates in this section only include the incremental burden 
associated with the rule above what the Commission estimates that 
SCI entities are already performing. To the extent an SCI entity 
already reviews certain of its systems, the additional burden 
imposed by Rule 1003(b) will be lower than for other SCI entities.
    \1681\ The 690 hours include 80 hours by an Attorney, 35 hours 
by a Compliance Manager, 5 hours by a General Counsel, 20 hours by a 
Chief Compliance Officer, 5 hours by a Director of Compliance, 170 
hours by a Manager Internal Audit, and 375 hours by a Senior Systems 
Analyst. As compared to the estimated burden for proposed Rule 
1000(b)(7), the Commission is estimating an additional 35 hours by a 
Compliance Manager, 5 hours by a General Counsel, 20 hours by a 
Chief Compliance Officer, and 5 hours by a Director of Compliance, 
to reflect the view of commenters that managers would be involved in 
satisfying the requirements related to SCI review. See supra notes 
1671-1675 and accompanying text. The Commission notes that the 20-hour 
burden estimate for the Chief Compliance Officer includes the 
time spent by other members of the senior management team (other 
than the General Counsel, who has a separate burden estimate). See 
supra Section IV.B.5 (discussing senior management involvement in 
compliance with Rule 1003(b)). The Commission notes that the 
inclusion of Manager Internal Audit and Senior Systems Analyst is 
intended to cover subject matter experts related to systems review 
(e.g., information security experts, systems engineers, quality 
assurance staff). See supra notes 1671-1675 and accompanying text. 
The Commission also believes that some SCI entities already conduct 
annual reviews of their systems, and therefore may incur less burden 
than other SCI entities in complying with Rule 1003(b).
    \1682\ 690 hours x 44 SCI entities = 30,360 hours.
    \1683\ As noted above, one commenter suggested that significant 
portions of the SCI review may be outsourced. This commenter also 
noted that the Commission's estimate of the overall cost of 
outsourcing is reasonable, although it believed some of the assumed 
hourly rates appear to be too low in the context of the current market 
environment. See supra note 1670 and accompanying text. The 
Commission acknowledges that some SCI entities may outsource work 
related to SCI review to more expensive outside firms than others. 
On average, the Commission believes its hourly rate of $400 for 
outsourcing continues to be appropriate.
    \1684\ 125 hours x $400 = $50,000. The Commission believes that 
SCI entities may outsource some of the legal and audit work 
associated with an SCI review. In particular, the Commission 
estimates that, on average, an SCI entity will outsource 40 hours of 
legal work and 85 hours of audit work (or half of the hour burden 
estimates for Attorney and Manager Internal Audit). See supra note 
1681.
    \1685\ $50,000 x 44 SCI entities = $2,200,000.
---------------------------------------------------------------------------

    With respect to the comment that the burden estimate for proposed 
Rule 1000(b)(8)(i) failed to account for the burden on senior 
management for reviewing and responding to the report of the SCI 
review,\1686\ the Commission notes that proposed Rule 1000(b)(8)(i) and 
adopted Rule 1003(b)(3) do not require senior management to respond to 
the report of the SCI review. Rather, Rule 1003(b)(3) only requires an 
SCI entity to submit the already prepared report of the SCI review, and 
any response by senior management, to the Commission and 
to the board of directors of the SCI entity or the equivalent of such 
board. Moreover, the Commission is including in its burden estimate for 
Rules 1003(b)(1) and (2) the burden for senior management review of the 
report for the SCI review. Therefore, with respect to Rule 1003(b)(3), 
the Commission estimates that each SCI entity would require 1 hour per 
year to submit the report of the SCI review and any response by senior 
management to the Commission and to the board of directors of the SCI 
entity or the equivalent of such board,\1687\ for a 
burden of 44 hours for all SCI entities.\1688\
---------------------------------------------------------------------------

    \1686\ See supra notes 1666 and 1676 and accompanying text. One 
of these commenters, however, noted that the Commission's estimated 
burden for proposed Rule 1000(b)(7) is fairly accurate, even though 
it did not include senior management's response. See supra notes 
1665-1666 and accompanying text.
    \1687\ The 1 hour would be spent by an Attorney. This estimate 
is unchanged from the burden estimate for proposed Rule 
1000(b)(8)(i), which only required submission of the report and any 
response by senior management to the Commission. The Commission 
believes that the additional burden for submitting the same report 
and response to the SCI entity's board of directors or the 
equivalent of such board would be modest, and thus the estimate of 
one hour remains unchanged from the burden estimate for proposed 
Rule 1000(b)(8)(i), which required submission of the report and 
response by senior management only to the Commission.
    \1688\ 1 hour x 44 SCI entities = 44 hours.
---------------------------------------------------------------------------

e. Access to EFFS
    As noted above, to access EFFS, an SCI entity will submit to the 
Commission an EAUF to register each individual at the SCI entity who 
will access the EFFS system on behalf of the SCI entity. The Commission 
is including in its burden estimates the burden for completing the EAUF 
for each individual at an SCI entity that will request access to EFFS. 
The Commission estimates that initially, on average, two individuals at 
each SCI entity will request access to EFFS through the EAUF, and each 
EAUF would require 0.15 hours to complete and submit. Therefore, each 
SCI entity would initially require 0.3 hours to complete the requisite 
EAUFs,\1689\ or approximately 13 hours for all SCI entities.\1690\ The 
Commission also estimates that annually, on average, one individual at 
each SCI entity will request access to EFFS through EAUF.\1691\ 
Therefore, the ongoing burden to complete the EAUF would be 0.15 hours 
annually for each SCI entity,\1692\ or approximately 7 hours annually 
for all SCI entities.\1693\
---------------------------------------------------------------------------

    \1689\ 0.15 hours per EAUF x 2 individuals = 0.3 hours per SCI 
entity. These estimates are based on Commission staff's experience 
with EFFS and EAUFs pursuant to Rule 19b-4 under the Exchange Act. 
The 0.15 hours would be spent by an Attorney. The Commission 
acknowledges that an SCI SRO may initially submit fewer than two 
EAUFs because certain individuals at SCI SROs currently already have 
access to EFFS, whereas an SCI entity other than an SCI SRO may 
submit more than two EAUFs initially because it has not previously 
submitted filings through EFFS. Therefore, the Commission believes 
it is appropriate to estimate that, on average, each SCI entity will 
submit two EAUFs initially.
    \1690\ 0.30 hours x 44 SCI entities = 13.2 hours.
    \1691\ The Commission estimates that annually, on average, one 
individual at each SCI entity will request access to EFFS through 
EAUF to account for the possibility that an individual who 
previously had access to EFFS may no longer be designated as needing 
such access.
    \1692\ 0.15 hours per EAUF x 1 individual = 0.15 hours.
    \1693\ 0.15 hours x 44 entities = 6.6 hours.
---------------------------------------------------------------------------

    In addition, the Commission estimates that each SCI entity will 
designate two individuals to sign Form SCI each year. An individual 
signing a Form SCI must obtain a digital ID, at the cost of 
approximately $25 each year. Therefore, each SCI entity would require 
approximately $50 annually to obtain digital IDs for the individuals 
with access to EFFS for purposes of signing Form SCI,\1694\ or 
approximately $2,200 for all SCI entities.\1695\
---------------------------------------------------------------------------

    \1694\ $25 per digital ID x 2 individuals = $50 per SCI entity.
    \1695\ $50 x 44 SCI entities = $2,200.
---------------------------------------------------------------------------

3. Requirements To Take Corrective Actions and Identify Critical SCI 
Systems, Major SCI Events, De Minimis SCI Events, and Material Systems 
Changes
    The rules under Regulation SCI that would result in SCI entities 
establishing additional processes for compliance are discussed more 
fully in Sections IV.A, IV.B.3.b, and IV.B.4 above.
a. Corrective Actions
    In the SCI Proposal, the Commission noted that, although SCI 
entities already take corrective action in response to systems issues, 
proposed Rule 1000(b)(3) would likely result in SCI entities revising 
their policies regarding taking corrective actions.\1696\ The 
Commission estimated that the initial burden would be 42 hours per SCI 
entity,\1697\ and the ongoing burden would be 12 hours annually per SCI 
entity.\1698\ The Commission estimated that SCI entities would 
establish the process for compliance with proposed Rule 1000(b)(3) 
internally.\1699\
---------------------------------------------------------------------------

    \1696\ See Proposing Release, supra note 13, at 18152.
    \1697\ See id. The 42 burden hours included 16 hours by a 
Compliance Manager, 16 hours by an Attorney, 5 hours by a Senior 
Systems Analyst, and 5 hours by an Operations Specialist. See id. 
This estimate was based on the Commission's burden estimate for 
proposed Rule 1000(b)(1). See id. at 18152, n. 442.
    \1698\ See id. at 18152. The 12 burden hours included 6 hours by 
a Compliance Manager and 6 hours by an Attorney. See id. This 
estimate was based on the Commission's burden estimate for proposed 
Rule 1000(b)(1). See id. at 18152, n. 443.
    \1699\ See id. at 18152, n. 442.
---------------------------------------------------------------------------

    One commenter stated its belief that basing the estimate for 
proposed Rule 1000(b)(3) on the percentage of the burden estimate under 
proposed Rule 1000(b)(1) is appropriate.\1700\ This commenter also 
noted that while the taking of corrective action might be wholly or 
partially outsourced with regard to systems development activities, the 
establishment of policies and procedures with respect to corrective 
action would not be conducive to outsourcing.\1701\
---------------------------------------------------------------------------

    \1700\ See MSRB Letter at 31-32.
    \1701\ See id. at 32.
---------------------------------------------------------------------------

    As discussed in detail above in Section IV.B.3.b, the Commission 
continues to require each SCI entity to begin to take appropriate 
corrective action in Rule 1002(a), but the corrective action 
requirement is triggered when any responsible SCI personnel has a 
reasonable basis to conclude that an SCI event has occurred.\1702\ The 
Commission continues to believe that all SCI entities, regardless of 
whether they participate in the ARP Inspection Program, already take 
corrective action in response to systems issues and have some internal 
processes with respect to corrective action.\1703\ The Commission also 
continues to believe that Rule 1002(a) will likely result in SCI 
entities revising their policies, which will help to ensure that their 
information technology staff has the ability to access systems in order 
to take appropriate corrective actions.\1704\ The Commission therefore 
believes that Rule 1002(a) may impose a one-time implementation burden 
on SCI entities associated with developing such a process, and periodic 
burdens in reviewing that process. The Commission estimates that the 
initial burden to implement such a process would be 114 hours per SCI 
entity,\1705\ or 5,016 hours for all SCI entities.\1706\ The Commission 
also estimates that the ongoing burden to review such a process would 
be 39 hours annually per SCI entity,\1707\ or 
1,716 hours annually for all SCI entities.\1708\
---------------------------------------------------------------------------

    \1702\ See Rule 1002(a).
    \1703\ See Proposing Release, supra note 13, at 18152.
    \1704\ See id.
    \1705\ This estimate is based on the Commission's burden 
estimate for Rule 1001(a), because Rule 1001(a) and Rule 1002(a) 
both would result in policies and procedures or processes. As noted 
above, one commenter stated that basing the burden estimate for 
proposed Rule 1000(b)(3) on the burden estimate under proposed Rule 
1000(b)(1) is appropriate. See supra note 1700 and accompanying 
text. Because Rule 1001(a) (excluding Rule 1001(a)(2)(vi)) requires 
the establishment of six policies and procedures at a minimum and 
Rule 1002(a) would result in the establishment of one set of 
policies and procedures, the Commission estimates that the initial 
staff burden to draft the policies and procedures for Rule 1002(a) 
is one-sixth of the initial staff burden to draft the policies and 
procedures required by Rule 1001(a) (excluding Rule 1001(a)(2)(vi)). 
504 hours / 6 = 84 hours. The 84 burden hours include 32 hours by a 
Compliance Manager, 32 hours by an Attorney, 10 hours by a Senior 
Systems Analyst, and 10 hours by an Operations Specialist. This 
burden hour allocation is based on the allocation for Rule 1001(a) 
(excluding Rule 1001(a)(2)(vi)). See supra note 1443. The Commission 
also estimates that a Chief Compliance Officer will spend 20 hours 
and a Director of Compliance will spend 10 hours reviewing the 
policies and procedures required by Rule 1002(a). 84 hours + Chief 
Compliance Officer at 20 hours + Director of Compliance at 10 hours 
= 114 hours.
    \1706\ 114 hours x 44 SCI entities = 5,016 hours.
    \1707\ This estimate is based on the Commission's burden 
estimate for Rule 1001(a), because Rule 1001(a) and 1002(a) both 
would result in policies and procedures or processes. See supra note 
1700 and accompanying text (stating that basing the burden estimate 
for proposed Rule 1000(b)(3) on the burden estimate under proposed 
1000(b)(1) is appropriate). Because Rule 1001(a) (excluding Rule 
1001(a)(2)(vi)) requires the maintenance of six policies and 
procedures at a minimum and 1002(a) would result in the maintenance 
of one set of policies and procedures, the Commission estimates that 
the ongoing staff burden under 1002(a) is one-sixth of the ongoing 
staff burden under Rule 1001(a) (excluding Rule 1001(a)(2)(vi)). 144 
hours / 6 = 24 hours. The 24 burden hours include 9 hours by a 
Compliance Manager, 9 hours by an Attorney, 3 hours by a Senior 
Systems Analyst, and 3 hours by an Operations Specialist. This 
burden hour allocation is based on the allocation for Rule 1001(a) 
(excluding Rule 1001(a)(2)(vi)). See supra note 1445. The Commission 
also estimates that a Chief Compliance Officer will spend 10 hours 
and a Director of Compliance will spend 5 hours reviewing the 
policies and procedures required by Rule 1002(a). 24 hours + Chief 
Compliance Officer at 10 hours + Director of Compliance at 5 hours = 
39 hours.
    \1708\ 39 hours x 44 SCI entities = 1,716 hours.
---------------------------------------------------------------------------

    The Commission continues to believe that SCI entities will conduct 
internally most of the work related to their corrective action 
procedures. As noted by a commenter, the establishment of policies and 
procedures with respect to corrective action would not be conducive to 
outsourcing.\1709\
---------------------------------------------------------------------------

    \1709\ See supra note 1701 and accompanying text.
---------------------------------------------------------------------------

b. Identification of Critical SCI Systems, Major SCI Events, De Minimis 
SCI Events, and Material Systems Changes
    In the SCI Proposal, the Commission estimated that requirements 
under the proposal with respect to immediate notification SCI events 
and dissemination SCI events may impose burdens on SCI entities in 
developing and reviewing a process to ensure that they are able to 
quickly and correctly make a determination regarding the nature of an 
SCI event.\1710\ For SCI entities that do not participate in the ARP 
Inspection Program, the Commission estimated that the initial burden 
would be 42 hours per SCI entity \1711\ and the ongoing burden would be 
12 hours annually per SCI entity.\1712\ For SCI entities that currently 
participate in the ARP Inspection Program, the Commission estimated 
that the initial burden would be 21 hours per SCI entity \1713\ and the 
ongoing burden would be 6 hours annually per SCI entity.\1714\ The 
Commission believed that SCI entities would internally establish the 
process for determining whether an SCI event is an immediate 
notification SCI event or dissemination SCI event.\1715\
---------------------------------------------------------------------------

    \1710\ See Proposing Release, supra note 13, at 18152.
    \1711\ See id. at 18153. The 42 burden hours included 16 hours 
by a Compliance Manager, 16 hours by an Attorney, 5 hours by a 
Senior Systems Analyst, and 5 hours by an Operations Specialist. See 
id. This estimate was based on the Commission's burden estimate for 
proposed Rule 1000(b)(1). See id. at 18153, n. 448.
    \1712\ See id. at 18153. The 12 burden hours included 6 hours by 
a Compliance Manager and 6 hours by an Attorney. See id. This 
estimate was based on the Commission's burden estimate for proposed 
Rule 1000(b)(1). See id. at 18153, n. 452.
    \1713\ See id. at 18153. The 21 burden hours included 8 hours by 
a Compliance Manager, 8 hours by an Attorney, 2.5 hours by a Senior 
Systems Analyst, and 2.5 hours by an Operations Specialist. See id.
    \1714\ See id. The 6 burden hours included 3 hours by a 
Compliance Manager and 3 hours by an Attorney. See id.
    \1715\ See id. at 18153, n. 448, n. 450, n. 452, and n. 454.
---------------------------------------------------------------------------

    One commenter stated its belief that the Commission's burden 
estimate for policies and procedures to identify an SCI event as an 
immediate notification SCI event or dissemination SCI event was 
effectively limited to ministerial tasks of producing such policies and 
procedures in isolation from other organizational activities and needs, 
and took into account only minimal supervisory or decision-making 
activities, and therefore significantly underestimated the total burden of 
compliance with this provision.\1716\ This commenter urged the 
Commission to adjust the estimate in a manner similar to this 
commenter's suggestion with regard to proposed Rules 1000(b)(1) and 
(2).\1717\
---------------------------------------------------------------------------

    \1716\ See MSRB Letter at 32.
    \1717\ See id.
---------------------------------------------------------------------------

    As discussed above in Section IV.B.4, Rule 1003(a)(1) requires each 
SCI entity to establish reasonable written criteria for identifying a 
change to its SCI systems and the security of indirect SCI systems as 
material. As noted in the SCI Proposal, because the ARP Inspection 
Program already provides for the reporting of ``significant systems 
changes'' to Commission staff, the Commission believes that, as 
compared to entities that do not participate in the ARP Inspection 
Program, entities that currently participate in the ARP Inspection 
Program would already have some internal processes for determining the 
significance of a systems issue or systems change. Therefore, the 
Commission continues to estimate a 50% baseline for the staff burden 
estimates for SCI entities that currently participate in the ARP 
Inspection Program.\1718\ However, the Commission does not believe that 
a 50% baseline would be appropriate for these SCI entities in terms of 
senior management review. The Commission believes that, although these 
entities already have some internal processes for determining the 
significance of a systems change, their senior management would require 
the same number of hours as other SCI entities to review and ensure 
that the process is reasonable, as required by Rule 1003(a)(1). The 
Commission continues to believe that SCI entities will internally 
establish and maintain the policies and procedures required by Rule 
1003(a)(1).
---------------------------------------------------------------------------

    \1718\ The 50% baseline for ARP participants is consistent with 
the baseline for the Rule 1001(a) burden estimates.
---------------------------------------------------------------------------

    The Commission estimates that each SCI entity that does not 
participate in the ARP Inspection Program would require 114 hours 
initially to establish the criteria for identifying material systems 
changes,\1719\ or 1,596 hours for all such SCI entities.\1720\ The 
Commission also estimates that each SCI entity that does not 
participate in the ARP Inspection Program would require 39 hours 
annually to review and update the criteria for identifying material 
systems changes,\1721\ or 546 hours for all such SCI entities.\1722\ 
The Commission estimates that each SCI entity that currently 
participates in the 
ARP Inspection Program would require 72 hours initially to establish 
the criteria for identifying material systems changes,\1723\ or 2,160 
hours for all such SCI entities.\1724\ The Commission also estimates 
that each SCI entity that currently participates in the ARP Inspection 
Program would require 27 hours annually to review and update the 
criteria,\1725\ or 810 hours for all such SCI entities.\1726\
---------------------------------------------------------------------------

    \1719\ This estimate is based on the Commission's burden 
estimate for Rule 1001(a), because Rule 1001(a) and Rule 1003(a)(1) 
both require policies and procedures or processes. See supra note 
1700 and accompanying text (stating, in the context of proposed Rule 
1000(b)(3), that basing the burden estimate for a set of policies 
and procedures or processes on the burden estimate under proposed 
1000(b)(1) is appropriate). Because Rule 1001(a) (excluding Rule 
1001(a)(2)(vi)) requires the establishment of six policies and 
procedures at a minimum and Rule 1003(a)(1) requires the 
establishment of one set of criteria, the Commission estimates that 
the initial staff burden to draft the criteria required by Rule 
1003(a)(1) is one-sixth of the initial staff burden to draft the 
policies and procedures required by Rule 1001(a) (excluding Rule 
1001(a)(2)(vi)). 504 hours / 6 = 84 hours. The 84 burden hours 
include 32 hours by a Compliance Manager, 32 hours by an Attorney, 
10 hours by a Senior Systems Analyst, and 10 hours by an Operations 
Specialist. This burden hour allocation is based on the allocation 
for Rule 1001(a) (excluding Rule 1001(a)(2)(vi)). See supra note 
1443. The Commission also estimates that a Chief Compliance Officer 
will spend 20 hours and a Director of Compliance will spend 10 hours 
reviewing the policies and procedures required by Rule 1003(a)(1). 
84 hours + Chief Compliance Officer at 20 hours + Director of 
Compliance at 10 hours = 114 hours.
    \1720\ 114 hours x 14 SCI entities that do not participate in 
the ARP Inspection Program = 1,596 hours.
    \1721\ This estimate is based on the Commission's burden 
estimate for Rule 1001(a), because Rule 1001(a) and Rule 1003(a)(1) 
both require policies and procedures or processes. See supra note 
1700 and accompanying text (stating, in the context of proposed Rule 
1000(b)(3), that basing the burden estimate for a set of policies 
and procedures or processes on the burden estimate under proposed 
1000(b)(1) is appropriate). Because Rule 1001(a) (excluding Rule 
1001(a)(2)(vi)) requires the maintenance of six policies and 
procedures at a minimum and Rule 1003(a)(1) requires the maintenance 
of one set of criteria, the Commission estimates that the ongoing 
staff burden under 1003(a)(1) is one-sixth of the ongoing staff 
burden under Rule 1001(a) (excluding Rule 1001(a)(2)(vi)). 144 hours 
/ 6 = 24 hours. The 24 burden hours include 9 hours by a Compliance 
Manager, 9 hours by an Attorney, 3 hours by a Senior Systems 
Analyst, and 3 hours by an Operations Specialist. This burden hour 
allocation is based on the allocation for Rule 1001(a) (excluding 
Rule 1001(a)(2)(vi)). See supra note 1445. The Commission also 
estimates that a Chief Compliance Officer will spend 10 hours and a 
Director of Compliance will spend 5 hours reviewing the policies and 
procedures required by Rule 1003(a)(1). 24 hours + Chief Compliance 
Officer at 10 hours + Director of Compliance at 5 hours = 39 hours.
    \1722\ 39 hours x 14 SCI entities that do not participate in the 
ARP Inspection Program = 546 hours.
    \1723\ 84 hours / 2 = 42 hours. The 42 burden hours include 16 
hours by a Compliance Manager, 16 hours by an Attorney, 5 hours by a 
Senior Systems Analyst, and 5 hours by an Operations Specialist. The 
Commission also estimates that a Chief Compliance Officer will spend 
20 hours and a Director of Compliance will spend 10 hours reviewing 
the policies and procedures required by Rule 1003(a)(1). 42 hours + 
Chief Compliance Officer at 20 hours + Director of Compliance at 10 
hours = 72 hours.
    \1724\ 72 hours x 30 SCI entities that participate in the ARP 
Inspection Program = 2,160 hours.
    \1725\ 24 hours / 2 = 12 hours. The 12 burden hours include 4.5 
hours by a Compliance Manager, 4.5 hours by an Attorney, 1.5 hours 
by a Senior Systems Analyst, and 1.5 hours by an Operations 
Specialist. The Commission also estimates that a Chief Compliance 
Officer will spend 10 hours and a Director of Compliance will spend 
5 hours reviewing the policies and procedures required by Rule 
1003(a)(1). 12 hours + Chief Compliance Officer at 10 hours + 
Director of Compliance at 5 hours = 27 hours.
    \1726\ 27 hours x 30 SCI entities that participate in the ARP 
Inspection Program = 810 hours.
---------------------------------------------------------------------------

    As adopted, Regulation SCI requires SCI entities to identify 
certain types of events, systems, and changes. Specifically, Rule 1000 
defines ``critical SCI systems'' as any SCI systems of, or operated by 
or on behalf of, an SCI entity that: (1) Directly support functionality 
relating to (i) clearance and settlement systems of clearing agencies; 
(ii) openings, reopenings, and closings on the primary listing market; 
(iii) trading halts; (iv) initial public offerings; (v) the provision 
of consolidated market data; or (vi) exclusively-listed securities; or 
(2) provide functionality to the securities markets for which the 
availability of alternatives is significantly limited or nonexistent 
and without which there would be a material impact on fair and orderly 
markets. Rule 1000 defines ``major SCI event'' as an SCI event that has 
had, or the SCI entity reasonably estimates would have, any impact on a 
critical SCI system or a significant impact on the SCI entity's 
operations or on market participants. Because Rule 1001(a)(2)(v) 
requires business continuity and disaster recovery plans that are 
reasonably designed to achieve two-hour resumption of critical SCI 
systems following a wide-scale disruption, each SCI entity needs to 
identify its critical SCI systems. In addition, each SCI entity needs 
to identify its critical SCI systems because the definition of major 
SCI event includes an SCI event that has had, or the SCI entity 
reasonably estimates would have, any impact on a critical SCI system. 
Further, when an SCI event occurs, an SCI entity needs to determine 
whether the event is a major SCI event, because Rule 1002(c)(3) 
requires an SCI entity to disseminate information regarding major SCI 
events to all of its members or participants. In addition, Rules 1002(b) 
and (c) provide certain exceptions from the Commission notification and 
information dissemination requirements for any SCI event that has had, 
or the SCI entity reasonably estimates would have, no or a de minimis 
impact on the SCI entity's operations or on market participants. 
Therefore, when SCI events occur, an SCI entity needs to determine 
whether they are de minimis SCI events.
    The Commission believes that the identification of critical SCI 
systems, major SCI events, and de minimis SCI events will impose an 
initial one-time implementation burden on SCI entities in developing 
processes to quickly and correctly identify the nature of a system or 
event.\1727\ The identification of these systems and events may also 
impose periodic burdens on SCI entities in reviewing and updating the 
processes. As noted in the SCI Proposal, because the ARP Inspection 
Program already provides for the reporting of ``significant systems 
changes'' and ``significant systems outages'' to Commission staff, the 
Commission believes that, as compared to entities that do not 
participate in the ARP Inspection Program, entities that currently 
participate in the ARP Inspection Program would already have some 
internal processes for determining the significance of a systems issue 
or systems change. Therefore, the Commission estimates a 50% baseline 
for the staff burden for SCI entities that currently participate in the 
ARP Inspection Program.\1728\ However, the Commission does not believe 
that a 50% baseline would be appropriate for these SCI entities in 
terms of senior management review. The Commission believes that SCI 
entities will internally establish and maintain the policies and 
procedures regarding the identification of critical SCI systems, major 
SCI events, and de minimis SCI events.
---------------------------------------------------------------------------

    \1727\ The Commission's approach with respect to SCI events and 
SCI systems is responsive to some commenters' suggestion for a 
risk-based regime. See, e.g., supra notes 784-789 and accompanying text 
(discussing commenters' suggestions for revising the Commission 
reporting requirement).
    \1728\ The 50% baseline for ARP participants is consistent with 
the baseline for the Rule 1001(a) burden estimates.
---------------------------------------------------------------------------

    The Commission estimates that each SCI entity that does not 
participate in the ARP Inspection Program would require 198 hours 
initially to establish the criteria for identifying certain systems and 
events,\1729\ or 2,772 hours for all such SCI entities.\1730\ The 
Commission also estimates that each SCI entity that does not 
participate in the ARP Inspection Program would require 63 hours 
annually to review and update such criteria,\1731\ or 882 hours 
for all such SCI entities.\1732\ The Commission estimates that each SCI 
entity that currently participates in the ARP Inspection Program would 
require 114 hours initially to establish the criteria for identifying 
certain systems and events,\1733\ or 3,420 hours for all such SCI 
entities.\1734\ The Commission also estimates that each SCI entity that 
currently participates in the ARP Inspection Program would require 39 
hours annually to review and update such criteria,\1735\ or 1,170 hours 
for all such SCI entities.\1736\ The Commission believes that the 
revised burden estimates for establishing policies and procedures to 
identify certain systems and events are responsive to a commenter's 
concern that the estimate in the SCI Proposal only included ministerial 
tasks and minimal supervisory activities.\1737\ Specifically, the 
Commission increased from the proposal the estimated burden hours for 
the personnel involved in establishing such policies and procedures, 
and included senior level review by adding burden estimates for the 
Chief Compliance Officer and Director of Compliance. Moreover, because 
these revised burden estimates are based on the revised burden 
estimates for Rule 1001(a), these estimates are responsive to a 
commenter's suggestion that they be revised in a manner similar to its 
suggestions with respect to proposed Rules 1000(b)(1) and (2).\1738\
---------------------------------------------------------------------------

    \1729\ This estimate is based on the Commission's burden 
estimate for Rule 1001(a), because Rule 1001(a) and the 
identification of certain systems and events both would result in 
policies and procedures or processes. See supra note 1700 and 
accompanying text (stating, in the context of proposed Rule 
1000(b)(3), that basing the burden estimate for a set of policies 
and procedures or processes on the burden estimate under proposed 
1000(b)(1) is appropriate). Because Rule 1001(a) (excluding Rule 
1001(a)(2)(vi)) requires the establishment of six policies and 
procedures at a minimum and the identification of certain systems 
and events could result in the establishment of two policies and 
procedures (i.e., one for systems and one for events), the 
Commission estimates that the initial staff burden to draft the 
policies and procedures to identify certain systems and events is 
one-third of the initial staff burden to draft the policies and 
procedures required by Rule 1001(a) (excluding Rule 1001(a)(2)(vi)). 
504 hours / 3 = 168 hours. The 168 burden hours include 64 hours by 
a Compliance Manager, 64 hours by an Attorney, 20 hours by a Senior 
Systems Analyst, and 20 hours by an Operations Specialist. This 
burden hour allocation is based on the allocation for Rule 1001(a) 
(excluding Rule 1001(a)(2)(vi)). See supra note 1443. The Commission 
also estimates that a Chief Compliance Officer will spend 20 hours 
and a Director of Compliance will spend 10 hours reviewing the 
policies and procedures to identify certain systems and events. 168 
hours + Chief Compliance Officer at 20 hours + Director of 
Compliance at 10 hours = 198 hours.
    \1730\ 198 hours x 14 SCI entities that do not participate in 
the ARP Inspection Program = 2,772 hours.
    \1731\ This estimate is based on the Commission's burden 
estimate for Rule 1001(a), because Rule 1001(a) and the 
identification of certain systems and events both would result in 
policies and procedures or processes. See supra note 1700 and 
accompanying text (stating, in the context of proposed Rule 
1000(b)(3), that basing the burden estimate for a set of policies 
and procedures or processes on the burden estimate under proposed 
1000(b)(1) is appropriate). Because Rule 1001(a) (excluding Rule 
1001(a)(2)(vi)) requires the maintenance of six policies and 
procedures at a minimum and the identification of certain systems 
and events could result in the maintenance of two policies and 
procedures, the Commission estimates that the ongoing staff burden 
to draft the policies and procedures to identify certain systems and 
events is one-third of the ongoing staff burden under Rule 1001(a) 
(excluding Rule 1001(a)(2)(vi)). 144 hours / 3 = 48 hours. The 48 
burden hours include 18 hours by a Compliance Manager, 18 hours by 
an Attorney, 6 hours by a Senior Systems Analyst, and 6 hours by an 
Operations Specialist. This burden hour allocation is based on the 
allocation for Rule 1001(a) (excluding Rule 1001(a)(2)(vi)). See 
supra note 1445. The Commission also estimates that a Chief 
Compliance Officer will spend 10 hours and a Director of Compliance 
will spend 5 hours reviewing the policies and procedures for 
identifying certain systems and events. 48 hours + Chief Compliance 
Officer at 10 hours + Director of Compliance at 5 hours = 63 hours.
    \1732\ 63 hours x 14 SCI entities that do not participate in the 
ARP Inspection Program = 882 hours.
    \1733\ 168 hours / 2 = 84 hours. The 84 burden hours include 32 
hours by a Compliance Manager, 32 hours by an Attorney, 10 hours by 
a Senior Systems Analyst, and 10 hours by an Operations Specialist. 
The Commission also estimates that a Chief Compliance Officer will 
spend 20 hours and a Director of Compliance will spend 10 hours 
reviewing the policies and procedures for identifying certain 
systems and events. 84 hours + Chief Compliance Officer at 20 hours 
+ Director of Compliance at 10 hours = 114 hours.
    \1734\ 114 hours x 30 SCI entities that participate in the ARP 
Inspection Program = 3,420 hours.
    \1735\ 48 hours / 2 = 24 hours. The 24 burden hours include 9 
hours by a Compliance Manager, 9 hours by an Attorney, 3 hours by a 
Senior Systems Analyst, and 3 hours by an Operations Specialist. The 
Commission also estimates that a Chief Compliance Officer will spend 
10 hours and a Director of Compliance will spend 5 hours reviewing 
the policies and procedures for identifying certain systems and 
events. 24 hours + Chief Compliance Officer at 10 hours + Director 
of Compliance at 5 hours = 39 hours.
    \1736\ 39 hours x 30 SCI entities that participate in the ARP 
Inspection Program = 1,170 hours.
    \1737\ See supra note 1716 and accompanying text.
    \1738\ See supra note 1717 and accompanying text.
---------------------------------------------------------------------------

4. Recordkeeping Requirements
    In the SCI Proposal, the Commission noted that it is not proposing 
a new recordkeeping requirement for SCI SROs because the documents 
relating to compliance with proposed Regulation SCI are subject to 
their existing recordkeeping and retention requirements under Rule 17a-
1 under the Act.\1739\ The Commission therefore noted its belief that 
the proposed recordkeeping requirements would not result in any burden 
that is not already accounted for in the Commission's burden estimates 
for Rule 17a-1.\1740\ With respect to SCI entities other than SCI SROs, 
the Commission estimated that the initial and ongoing burdens to make, 
keep, and preserve records relating to compliance with proposed 
Regulation SCI would be approximately 25 hours annually per SCI 
entity.\1741\ The Commission also estimated that each SCI entity other 
than an SCI SRO would incur a one-time burden to set up or modify an 
existing recordkeeping system to comply with the proposed recordkeeping 
requirements.\1742\ Specifically, the Commission estimated that for 
each SCI entity other than an SCI SRO, setting up or modifying a 
recordkeeping system would create an initial burden of 170 hours and 
$900 in information technology costs for purchasing recordkeeping 
software.\1743\ Further, the Commission noted its belief that proposed 
Rule 1000(c)(3), which would require an SCI entity, upon or immediately 
prior to ceasing to do business or ceasing to be registered under the 
Exchange Act, to take all necessary action to ensure that the records 
required to be made, kept, and preserved by Rules 1000(c)(1) and (2) 
remain accessible to the Commission and its representatives in the 
manner and for the remainder of the period required by Rule 1000(c), 
would not result in any additional paperwork burden that is not already 
accounted for in the Commission's burden estimates for proposed Rules 
1000(c)(1) and (2).\1744\
---------------------------------------------------------------------------

    \1739\ See Proposing Release, supra note 13, at 18153.
    \1740\ See id.
    \1741\ See id. at 18154. The 25 burden hours would be spent by a 
Compliance Clerk. See id. This estimate was based on Commission 
staff's experience with examinations of registered entities, the 
Commission's estimated burden for an SRO to comply with Rule 17a-1, 
and the Commission's estimated burden for an SB SEF to keep and 
preserve documents made or received in the conduct of its business. 
See id. at 18154, n. 458.
    \1742\ See id. at 18154.
    \1743\ See id. These estimates were based on the Commission's 
experience with examinations of registered entities and the 
Commission's estimated burden for an SB SEF to keep and preserve 
documents made or received in the conduct of its business. See id. 
at 18154, n. 460.
    \1744\ See id. at 18154.
---------------------------------------------------------------------------

    One commenter noted that while proposed Rule 1000(c) does not 
create new recordkeeping requirements for SCI SROs, the number of 
records to be retained by an SRO would increase due to proposed 
Regulation SCI.\1745\ This commenter stated that such additional 
recordkeeping is not costless and should be considered by the 
Commission.\1746\
---------------------------------------------------------------------------

    \1745\ See MSRB Letter at 39.
    \1746\ See id.
---------------------------------------------------------------------------

    As discussed in detail above in Section IV.C.1.a, the Commission is 
adopting the recordkeeping requirements substantially as proposed. The 
Commission notes that the burdens associated with creating such records, 
as required of all SCI entities, including SCI SROs, by Regulation SCI, 
are discussed and accounted for throughout this Section V.
    With respect to SCI SROs, the breadth of Rule 17a-1 under the 
Exchange Act \1747\ is such that it requires SCI SROs to make, keep, 
and preserve records relating to their compliance with Regulation 
SCI.\1748\ SCI entities that participate in the ARP Inspection Program 
(nearly all of whom are SCI SROs) do generally keep and preserve the 
types of records that are subject to the requirements of Rule 1005. 
However, because Regulation SCI imposes new requirements on SROs, as 
noted by a commenter, the number of records to be retained by an SRO 
may increase.\1749\ The Commission believes that existing recordkeeping 
systems and processes of SCI SROs will be used to retain the records 
required to be created pursuant to Regulation SCI. As a result, the 
Commission believes that the burden associated with retaining these 
additional records is an incrementally small increase in the burden 
currently incurred by SROs to retain records as required by Rule 17a-1 
and that the burden associated with retaining records related to 
Regulation SCI is already accounted for in the 
Commission's burden estimates for Rule 17a-1.\1750\
---------------------------------------------------------------------------

    \1747\ ``Every national securities exchange, national securities 
association, registered clearing agency and the Municipal Securities 
Rulemaking Board shall keep and preserve at least one copy of all 
documents, including all correspondence, memoranda, papers, books, 
notices, accounts, and other such records as shall be made or 
received by it in the course of its business as such and in the 
conduct of its self-regulatory activity.'' Exchange Act Rule 17a-
1(a), 17 CFR 240.17a-1(a).
    \1748\ See also Rule 1005(a).
    \1749\ See supra notes 1745-1746 and accompanying text.
    \1750\ See Supporting Statement for the Paperwork Reduction Act 
Information Collection Submissions for Rule 17a-1, available at: 
https://www.reginfo.gov.
---------------------------------------------------------------------------

    The Commission continues to believe that for SCI entities other 
than SCI SROs, the initial and ongoing burden to make, keep, and 
preserve records relating to compliance with Regulation SCI, as 
required by Rule 1005(b), would be approximately 25 hours annually per 
SCI entity that is not an SCI SRO.\1751\ Therefore, the Commission 
estimates a total annual burden of 425 hours for all such SCI 
entities.\1752\ The Commission also continues to estimate that each SCI 
entity other than an SCI SRO would incur a one-time burden to set up or 
modify an existing recordkeeping system to comply with Rule 1005. 
Specifically, the Commission estimates that, for each SCI entity other 
than an SCI SRO, setting up or modifying a recordkeeping system would 
create an initial burden of 170 hours and $900 in information 
technology costs for purchasing software.\1753\ Therefore, the 
Commission estimates a total initial burden of 3,315 hours \1754\ and a 
total initial cost of $15,300 for all such SCI entities.\1755\
---------------------------------------------------------------------------

    \1751\ See Proposing Release, supra note 13, at 18154, n. 458.
    \1752\ 25 hours x 17 non-SRO SCI entities = 425 hours.
    \1753\ See Proposing Release, supra note 13, at 18154, n. 460. 
The Commission believes that this burden estimate includes the 
burden imposed by Rule 1007. Specifically, Rule 1007 provides that, 
if the records required to be filed or kept by an SCI entity under 
Regulation SCI are prepared or maintained by a service bureau or 
other recordkeeping service on behalf of the SCI entity, the SCI 
entity would be required to ensure that the records are available 
for review by the Commission and its representatives by submitting a 
written undertaking, in a form acceptable to the Commission, by such 
service bureau or other recordkeeping service, which is signed by a 
duly authorized person at such service bureau or other recordkeeping 
service.
    \1754\ (170 hours + 25 hours) x 17 non-SRO SCI entities = 3,315 
hours.
    \1755\ $900 x 17 non-SRO SCI entities = $15,300.
---------------------------------------------------------------------------

    Finally, the Commission continues to believe that Rule 1005(c), 
which requires an SCI entity, upon or immediately prior to ceasing to do 
business or ceasing to be registered under the Exchange Act, to take 
all necessary action to ensure that the records required to be made, 
kept, and preserved by Rule 1005 remain accessible to the Commission 
and its representatives in the manner and for the remainder of the 
period required by Rule 1005, would not result in any additional 
paperwork burden that is not already accounted for in the Commission's 
burden estimates for Rule 1005(b).\1756\
---------------------------------------------------------------------------

    \1756\ The Commission believes that SCI entities will comply 
with Rule 1005(c) by, for example, a contractual arrangement with a 
recordkeeping service.
---------------------------------------------------------------------------

5. Total Paperwork Burden Under Regulation SCI
    Based on the foregoing, the Commission estimates that the total 
one-time initial burden for all SCI entities to comply with Regulation 
SCI would be 330,508 hours \1757\ and the total one-time initial cost 
would be approximately $9.3 million.\1758\ The Commission estimates 
that the total annual ongoing burden for all SCI entities to comply 
with Regulation SCI would be 287,722 hours \1759\ and the total annual 
ongoing cost would be approximately $5.9 million.\1760\
---------------------------------------------------------------------------

    \1757\ 330,508 hours = 54,992 hours (policies and procedures, 
mandate participation in certain testing) + 257,237 (notification, 
dissemination, reporting) + 14,964 hours (corrective action, 
identification of certain systems and events, identification of 
material systems changes) + 3,315 hours (recordkeeping).
    \1758\ $9,325,500 = $3,544,000 (policies and procedures, mandate 
participation in certain testing) + $5,766,200 (notification, 
dissemination, reporting) + $15,300 (recordkeeping).
    \1759\ 287,722 hours = 24,942 hours (policies and procedures, 
mandate participation in certain testing) + 257,231 (notification, 
dissemination, reporting) + 5,124 hours (corrective action, 
identification of certain systems and events, identification of 
material systems changes) + 425 hours (recordkeeping).
    \1760\ $5,874,200 = $108,000 (mandate participation in certain 
testing) + $5,766,200 (notification, dissemination, reporting). One 
commenter noted that the majority of the estimated paperwork burden in 
the SCI Proposal relates to notifications of SCI events, rather than 
the writing and maintenance of the policies and procedures. See NYSE 
Letter at 18. This commenter noted that creating and maintaining 
reasonable policies and procedures to seek to ensure that important 
market systems have adequate levels of capacity, integrity, 
resiliency, availability, and security should be the main focus of 
the regulation, not the reporting provisions. See NYSE Letter at 18. 
The Commission notes that the burden estimates in this section 
relate solely to the paperwork burden of compliance with Regulation 
SCI. The Commission discusses other costs associated with compliance 
with Regulation SCI in the Economic Analysis section below.
---------------------------------------------------------------------------

E. Collection of Information Is Mandatory

    All collections of information pursuant to Regulation SCI are 
mandatory collections of information.

F. Confidentiality

    The Commission expects that the written policies and procedures, 
processes, criteria, standards, or other written documents developed or 
revised by SCI entities pursuant to Regulation SCI will be retained by 
SCI entities in accordance with, and for the periods specified in 
Exchange Act Rule 17a-1 and Rule 1005, as applicable. Should such 
documents be made available for examination or inspection by the 
Commission and its representatives, they would be kept confidential 
subject to the provisions of applicable law.\1761\ In addition, the 
information submitted to the Commission pursuant to Regulation SCI that 
is filed on Form SCI, as required by Rule 1006, will be treated as 
confidential, subject to applicable law, including amended Rule 24b-
2.\1762\ The information disseminated by SCI entities pursuant to Rule 
1002(c) under Regulation SCI to their members or participants will not 
be confidential.
---------------------------------------------------------------------------

    \1761\ See, e.g., 15 U.S.C. 78x (governing the public 
availability of information obtained by the Commission); 5 U.S.C. 
552 et seq.
    \1762\ See, e.g., 15 U.S.C. 78x (governing the public 
availability of information obtained by the Commission); 5 U.S.C. 
552 et seq. See also supra Section IV.C.2 (discussing 
confidentiality treatment for Form SCI filings).
---------------------------------------------------------------------------

G. Reduced Burden From Amendment of Rule 301(b)(6) (OMB Control Number 
3235-0509)

    Adopted Regulation SCI amends Rule 301(b)(6) of Regulation 
ATS.\1763\ Amendment of Rule 301(b)(6) would eliminate certain 
collection of information requirements within the meaning of the PRA, 
which the Commission had submitted to OMB in accordance with 44 U.S.C. 
3507 and 5 CFR 1320.11 and OMB had approved. The approved collection of 
information is titled ``Rule 301: Requirements for Alternative Trading 
Systems and Form ATS; ATS-R,'' and the OMB control number for this 
collection of information is 3235-0509.\1764\
---------------------------------------------------------------------------

    \1763\ See 17 CFR 242.301(b)(6). See also Securities Exchange 
Act Release No. 40760 (December 8, 1998), 63 FR 70844 (December 22, 
1998) (``ATS Release''). In the SCI Proposal, the Commission 
proposed that Regulation SCI would replace and supersede Rule 
301(b)(6) in its entirety. As discussed above, the Commission is now 
amending Rule 301(b)(6) to remove paragraphs (i)(A) and (i)(B) so 
that Rule 301(b)(6) will no longer apply to ATSs that trade NMS 
stocks and non-NMS stocks. However, as described above, the 
Commission has determined to exclude ATSs that trade only municipal 
securities or corporate debt securities from the scope of Regulation 
SCI, and such ATSs will remain subject to the requirements of Rule 
301(b)(6) if they meet the volume thresholds therein. The Commission 
estimates that no ATS that trades only municipal securities or 
corporate debt securities currently meets the thresholds of Rule 
301(b)(6).
    \1764\ See Rule 301: Requirements for Alternative Trading 
Systems and Form ATS; ATS-R, OMB Control No: 3235-0509 (Rule 301 
supporting statement), available at: https://www.reginfo.gov. This 
approval has an expiration date of April 30, 2017.
---------------------------------------------------------------------------

    Some of the information collection burdens imposed by Regulation 
ATS would be reduced by the amendment of Rule 301(b)(6). Specifically, 
the paperwork burdens that would be eliminated by the amendment of Rule 
301(b)(6) would be: (i) Burdens on ATSs that trade NMS stocks and non-
NMS stocks associated with the requirement to make records relating to 
any steps taken to comply with systems capacity, integrity and security 
requirements under Rule 301(b)(6) (estimated to be 20 hours); \1765\ 
and (ii) burdens on ATSs that trade NMS stocks and non-NMS stocks 
associated with the requirement to provide notices to the Commission to 
report systems outages (estimated to be 2.5 hours).\1766\ The 
Commission received no comments regarding the reduced paperwork burdens 
from the proposal to repeal Rule 301(b)(6) of Regulation ATS.
---------------------------------------------------------------------------

    \1765\ The Commission estimated that two alternative trading 
systems that register as broker-dealers and comply with Regulation 
ATS would trigger this requirement, and that the average compliance 
burden for each response would be 10 hours of in-house professional 
work at $379 per hour. Thus, the total compliance burden per year 
was estimated to be 20 hours (2 respondents x 10 hours = 20 hours). 
See Rule 301: Requirements for Alternative Trading Systems OMB 
Control No: 3235-0509 (Rule 301 supporting statement), available at: 
https://www.reginfo.gov. As discussed above, the Commission is 
amending Rule 301(b)(6) so that it will no longer apply to ATSs that 
trade NMS stocks and non-NMS stocks. ATSs that trade only municipal 
securities or corporate debt securities will remain subject to the 
requirements of Rule 301(b)(6), but the Commission estimates that no 
such ATS currently meets the thresholds of Rule 301(b)(6).
    \1766\ The Commission estimated that two alternative trading 
systems that register as broker-dealers and comply with Regulation 
ATS would meet the volume thresholds that trigger systems outage 
notice obligations approximately 5 times a year, and that the 
average compliance burden for each response would be .25 hours of 
in-house professional work at $379 per hour. Thus, the total 
compliance burden per year was estimated to be 2.5 hours (2 
respondents x 5 responses each x .25 hours = 2.5 hours). See id. As 
discussed above, the Commission is amending Rule 301(b)(6) so that 
it will no longer apply to ATSs that trade NMS stocks and non-NMS 
stocks. ATSs that trade only municipal securities or corporate debt 
securities will remain subject to the requirements of Rule 
301(b)(6), but the Commission estimates that no such ATS currently 
meets the thresholds of Rule 301(b)(6).
---------------------------------------------------------------------------

VI. Economic Analysis

A. Overview

    The Commission is sensitive to the economic effects, including the 
costs and benefits, of its rules. When engaging in rulemaking pursuant 
to the Exchange Act that requires the Commission to consider or 
determine whether an action is necessary or appropriate in the public 
interest, Section 3(f) of the Exchange Act requires the Commission to 
consider, in addition to the protection of investors, whether the 
action will promote efficiency, competition, and capital 
formation.\1767\ In addition, Section 23(a)(2) of the Exchange Act 
requires the Commission in making rules pursuant to the Exchange Act to 
consider the impact any such rule would have on competition. The 
Exchange Act prohibits the Commission from adopting any rule that would 
impose a burden on competition not necessary or appropriate in 
furtherance of the purposes of the Exchange Act.\1768\
---------------------------------------------------------------------------

    \1767\ 15 U.S.C. 78c(f).
    \1768\ 15 U.S.C. 78w(a)(2).
---------------------------------------------------------------------------

    In the SCI Proposal, the Commission solicited comment on the 
economic effects of the proposed rules, including any effects that the 
proposed rules may have on efficiency, competition, and capital 
formation. The Commission also solicited comment on its representation 
of current practices and its characterization of the relevant markets 
in which SCI entities participate. In addition, the Commission 
solicited comment on reasonable alternatives to the proposed rules and 
their economic effects. The Commission encouraged commenters to 
identify, discuss, analyze, and supply relevant data, information, or 
statistics regarding any economic effects.
    The Commission received many comment letters that addressed the 
Commission's economic analysis of the proposed rules.\1769\ As 
described further below, some commenters stated that the Commission 
underestimated the costs (including, for example, the proposed rules' 
potential to impact innovation and create barriers to entry) of 
compliance with Regulation SCI.\1770\ Other commenters believed that 
the costs are justified by the benefits of the rules.\1771\
---------------------------------------------------------------------------

    \1769\ See, e.g., Tellefsen Letter; Angel Letter; MSRB Letter; 
OCC Letter; BIDS Letter; ISE Letter; Leuchtkafer Letter; Better 
Markets Letter; CAST Letter; FINRA Letter; CISQ Letter; Fidelity 
Letter; CME Letter; Omgeo Letter; Lauer Letter; SIFMA Letter; 
SunGard Letter; NYSE Letter; BATS Letter; FIA PTG Letter; ITG 
Letter; KCG Letter; UBS Letter; Joint SROs Letter; and TMC Letter.
    \1770\ See, e.g., BIDS Letter at 2-3; NYSE Letter at 2; UBS 
Letter at 5; and Omgeo Letter at 2.
    \1771\ See, e.g., Lauer Letter at 7 (commenting that cost burden 
should not be an appropriate reason to omit an SCI entity and that, 
if the burden to ensure secure, stable systems is too high for an 
entity, that entity should not be allowed to be in a position to 
impact the market); and Better Markets Letter at 9-12 (commenting 
that the Commission's preeminent duty when promulgating rules is to 
protect investors and the public interest, and these goals should 
not be subordinate to industry concerns over the cost of 
regulation).
---------------------------------------------------------------------------

    As discussed above in Section I, a confluence of factors has 
contributed to the Commission's determination that it is necessary and 
appropriate at this time to address the technological vulnerabilities, 
and improve Commission oversight, of the core technology of key U.S. 
securities markets entities, including national securities exchanges 
and associations, significant ATSs, clearing agencies, and plan 
processors. These considerations include: The evolution of the markets 
to become significantly more dependent on sophisticated, complex, and 
interconnected technology; the current successes and limitations of the 
ARP Inspection Program; the significant number of, and lessons learned 
from, recent systems issues at exchanges and other trading 
venues,\1772\ including increased concerns over ``single points of 
failure'' in the securities markets; and the views of a wide variety of 
commenters received in response to the SCI Proposal.
---------------------------------------------------------------------------

    \1772\ See supra note 15 and accompanying text.
---------------------------------------------------------------------------

    Regulation SCI codifies, updates, and expands the existing ARP 
Inspection Program in an effort to further the goals of the national 
market system. Regulation SCI is intended to help to ensure the 
capacity, integrity, resiliency, availability, and security of the 
automated systems of entities important to the functioning of the U.S. 
securities markets. Regulation SCI is also intended to strengthen the 
U.S. securities market infrastructure and improve the resilience of the 
U.S. securities markets when technological issues arise. Moreover, 
Regulation SCI is intended to reinforce the requirement that SCI 
entities operate their systems in compliance with the Exchange Act and 
the rules and regulations thereunder.
    As adopted, Regulation SCI will apply to SCI SROs (including 
national securities exchanges,\1773\ national securities 
associations,\1774\ registered clearing agencies, and the MSRB), SCI 
ATSs, plan processors, and certain exempt clearing agencies.\1775\ As 
such, Regulation SCI covers the trading of NMS stocks, OTC equities, 
and listed options. As discussed below, Regulation SCI also will impact 
multiple markets for services, including the markets for trading 
services, listing services, regulation and surveillance services, 
clearance and settlement services, and market data.
---------------------------------------------------------------------------

    \1773\ Regulation SCI will not apply to an exchange that lists 
or trades security futures products that is notice-registered with 
the Commission as a national securities exchange pursuant to Section 
6(g) of the Exchange Act, including security futures exchanges. See 
supra note 78 and accompanying text.
    \1774\ Regulation SCI will not apply to limited purpose national 
securities associations registered with the Commission pursuant to 
Section 15A(k) of the Exchange Act. See supra note 78 and 
accompanying text.
    \1775\ See supra Section IV.A.1 (discussing the definition of 
SCI entities).
---------------------------------------------------------------------------

B. Economic Baseline

    The Commission recognizes that any economic effects, including 
costs and benefits and effects on efficiency, competition, and capital 
formation, 
should be compared to a baseline that accounts for current practices. 
The description of current practices below is based, among other 
things, on the Commission's understanding of the current practices 
under the ARP Inspection Program (including current practices 
influenced by staff guidance related to the ARP Inspection Program), 
the requirements under Regulation ATS, rules of SROs, information 
provided by commenters, and current practices and staff guidance 
related to systems compliance-related issues.
    As noted above, all active registered clearing agencies, all 
registered national securities exchanges, FINRA, two plan processors, 
one ATS, and one exempt clearing agency currently participate in the 
ARP Inspection Program. Under the ARP Policy Statements and through the 
ARP Inspection Program, these entities, among other things, are 
expected to establish current and future capacity estimates; conduct 
capacity stress tests; and conduct annual reviews that cover 
significant elements of the operations of the automation process, 
including the capacity planning and testing process, contingency 
planning, systems development methodology, and vulnerability 
assessments. When conducting an ARP inspection, Commission staff also 
evaluates whether an ARP entity's controls over its information 
technology resources in nine general areas, or information technology 
``domains,'' are consistent with ARP and industry guidelines.\1776\ The 
ARP Policy Statements and staff letters also address, among other 
things, the reporting of certain systems changes, intrusions, and 
outages, and the need to comply with relevant laws and rules.\1777\ 
Many participants in the ARP Inspection Program have developed current 
practices that to some extent overlap with the requirements of 
Regulation SCI. These practices are discussed in more detail throughout 
this economic analysis.
---------------------------------------------------------------------------

    \1776\ See supra Section II.A (discussing the ARP Policy 
Statements and Commission staff letters).
    \1777\ See id.
---------------------------------------------------------------------------

    The ARP Policy Statements and the ARP Inspection Program address 
systems that directly support trading, clearance and settlement, order 
routing, and market data, which are a subset of the systems covered by 
Regulation SCI.\1778\ Additionally, Commission staff currently inspects 
all the categories of systems that are included in the adopted 
definition of ``SCI systems'' to varying degrees.\1779\ In general, the 
Commission believes that, to varying degrees, entities participating in 
the ARP Inspection Program establish current and future capacity 
estimates, conduct periodic capacity stress tests, and conduct an 
annual independent assessment of whether their automated systems can 
perform adequately at their estimated capacity levels and whether these 
systems have adequate protection against threats.\1780\ Additionally, 
entities participating in the ARP Inspection Program provide to the 
Commission and its staff reports relating to system changes and 
reviews, as well as information regarding systems outages.
---------------------------------------------------------------------------

    \1778\ See infra note 1900 and accompanying text.
    \1779\ Commission staff inspects systems that are not directly 
related to trading, clearance and settlement, order routing, or 
market data if staff detects red flags. See Proposing Release, supra 
note 13, at 18158.
    \1780\ See ARP I Release and ARP II Release, supra note 1.
---------------------------------------------------------------------------

    In addition, as discussed above, pursuant to Rule 301(b)(6) of 
Regulation ATS, certain aspects of the ARP Policy Statements apply to 
ATSs that meet the thresholds set forth in that rule.\1781\ Currently, 
the Commission believes that only one ATS meets such thresholds and, 
thus, is required by Commission rule to implement systems safeguard 
measures. There is also one ATS that voluntarily participates in the 
ARP Inspection Program. Rule 301(b)(6) of Regulation ATS includes 
requirements that are similar to the requirements underlying the 
policies and procedures required by Rule 1001(a)(2) of Regulation SCI. 
Specifically, Rule 301(b)(6) under Regulation ATS requires relevant 
ATSs to establish certain capacity estimates, conduct periodic capacity 
stress tests of critical systems, develop and implement reasonable 
procedures to review and keep current systems development and testing 
methodology, review the vulnerability of their systems and data center 
computer operations to specified threats, establish adequate 
contingency and disaster recovery plans, conduct an independent review 
of its systems controls annually for ensuring that Rules 
301(b)(6)(ii)(A)-(E) are met and conduct a review by senior management 
of a report of the independent review, and promptly notify the 
Commission of certain systems outages and systems changes. Rule 
301(b)(6) of Regulation ATS, however, applies only to systems that 
support order entry, order routing, order execution, transaction 
reporting, and trade comparison,\1782\ which is more targeted than the 
adopted definition of ``SCI system.''
---------------------------------------------------------------------------

    \1781\ Specifically, Rule 301(b)(6) of Regulation ATS applies to 
ATSs that, during at least four of the preceding six months, had: 
(A) With respect to any NMS stock, 20 percent or more of the average 
daily volume reported by an effective transaction reporting plan; 
(B) with respect to equity securities that are not NMS stocks and 
for which transactions are reported to a self-regulatory 
organization, 20 percent or more of the average daily volume as 
calculated by the self-regulatory organization to which such 
transactions are reported; (C) with respect to municipal securities, 
20 percent or more of the average daily volume traded in the United 
States; or (D) with respect to corporate debt securities, 20 percent 
or more of the average daily volume traded in the United States. See 
17 CFR 242.301(b)(6)(i).
    \1782\ See 17 CFR 242.301(b)(6)(ii).
---------------------------------------------------------------------------

    The Commission recognizes that market participants that do not 
participate in the ARP Inspection Program and are not subject to 
Regulation ATS also take measures consistent with certain aspects of 
Regulation SCI to avoid systems disruptions, compliance issues, and 
intrusions. For example, the Commission believes that many market 
participants document systems events as prudent and standard business 
practice, even when the entity is not an ARP participant or does not 
report the incident as an ARP participant. Additionally, commenters 
provided information about their practices for maintaining suitable 
levels of systems capacity, integrity, resiliency, availability, and 
security. As discussed in Section IV.B.1, the Commission understands 
that some SCI entities are already following technology standards such 
as ISO 27000 and COBIT.\1783\ One commenter also stated that NFPA-1600 
or BS 25999 was useful for contingency planning.\1784\ Commenters also 
provided less specific information on current practices that allow the 
Commission to gauge current practices. For example, one commenter 
stated that SCI entities commonly review a variety of different 
standards for frameworks or best practices, and then adopt a derivative 
of multiple standards, customizing them for the systems at issue.\1785\ 
In addition, another commenter stated that the financial services 
industry currently uses processes for software development that are 
more ``nimble'' than the frameworks listed in Table A, such as the NIST 
publication under the Systems Development Methodology domain.\1786\
---------------------------------------------------------------------------

    \1783\ See text accompanying supra note 606.
    \1784\ See ISE Letter at 11.
    \1785\ See NYSE Letter at 20.
    \1786\ See BATS Letter at 6-7 (commenting that the NIST 
publication reflects a burdensome staged process to software 
development that favors the ``waterfall methodology'' over ``agile'' 
software development).
---------------------------------------------------------------------------

    FINRA members, including ATSs, are also subject to FINRA rules that 
are generally related to certain aspects of Regulation SCI.\1787\ For 
example, NASD
Rule 3010(b)(1) requires a member to establish, maintain, and enforce 
written procedures to supervise the types of business in which it 
engages and to supervise the activities of registered representatives, 
registered principals, and other associated persons that are reasonably 
designed to achieve compliance with applicable securities laws and 
regulations. However, this NASD rule does not specifically address 
compliance of the systems of FINRA members and does not cover more 
broadly policies and procedures relating to operational capability. 
Additionally, FINRA Rule 3130 requires a member's chief compliance 
officer to certify that the member has in place written policies and 
procedures reasonably designed to achieve compliance with applicable 
FINRA rules, MSRB rules, and federal securities laws and regulations. 
Again, this FINRA rule does not specifically address compliance of the 
systems of FINRA members and does not cover more broadly policies and 
procedures relating to operational capability. Further, FINRA Rule 4530 
imposes a reporting regime for, among other things, compliance issues 
and other events where a member has concluded or should have reasonably 
concluded that a violation of securities or other enumerated law, rule, 
or regulation of any domestic or foreign regulatory body or SRO has 
occurred. However, the reporting requirements of FINRA Rule 4530 are 
different in several respects from the Commission notification 
requirements under Regulation SCI relating to systems compliance issues 
(e.g., scope, timing, content, the recipient of the reports) and would 
not cover reporting of systems disruptions or systems intrusions that 
did not also involve a violation of a securities law, rule, or 
regulation. In addition, FINRA Rule 4370 generally requires that a 
member maintain a written continuity plan identifying procedures 
relating to an emergency or significant business disruption. However, 
as compared to adopted Rules 1001(a)(2)(v) and 1004, this FINRA rule 
does not include a requirement that the business continuity and 
disaster recovery plans be reasonably designed to achieve next business 
day resumption of trading and two-hour resumption of critical SCI 
systems following a wide-scale disruption, nor does it require the 
functional and performance testing and coordination of industry or 
sector-testing of such plans.
---------------------------------------------------------------------------

    \1787\ See supra note 115. As noted above, although these rules 
have some broad relation to certain aspects of Regulation SCI, the 
Commission is not persuaded that the rules, even when taken 
together, are an appropriate substitute for the comprehensive 
approach in Regulation SCI with respect to technology systems and 
system issues. See id.
---------------------------------------------------------------------------

    Commenters addressed the Commission's consideration of current 
practices under the ARP Inspection Program as part of the baseline. 
According to a commenter, the ARP Inspection Program was implemented 
many years ago in a series of policy statements setting out guidance 
for voluntary compliance, and was supplemented with informal Commission 
staff guidance over the years, in many cases before the relevant 
systems existed.\1788\ This commenter also noted that Regulation SCI is 
a mandatory regulation with a more expansive nature, differentiating 
the proposed regulation from the voluntary, targeted scope of the ARP 
Inspection Program.\1789\ Some commenters believed that the Commission 
performed the economic analysis from a faulty premise by assuming that 
SCI entities that participate in the ARP Inspection Program have been 
in compliance with the voluntary standards and that the cost of 
compliance with Regulation SCI would merely be incremental as compared 
with the current baseline cost of voluntary compliance with the ARP 
regime.\1790\ One commenter noted that there is no publicly available 
information on voluntary compliance under the ARP Inspection Program, 
and the Commission should calculate the actual cost based on its 
knowledge of the extent to which SCI entities currently participating 
in the ARP Inspection Program are actually in compliance with ARP, 
rather than simply assuming full compliance.\1791\
---------------------------------------------------------------------------

    \1788\ See NYSE Letter at 2, 6-7. This commenter noted that the 
ARP Inspection Program was never subject to Commission rulemaking, 
including notice and public comment, and a cost-benefit analysis. 
See id. at 6. This commenter further stated that if the Commission 
were to move forward with Regulation SCI, it should first engage in 
a detailed public analysis of the costs and benefits of the existing 
ARP Inspection Program. See id. at 2.
    \1789\ See id. at 6.
    \1790\ See ISE Letter at 11; and Joint SROs Letter at 18.
    \1791\ See ISE Letter at 11.
---------------------------------------------------------------------------

    In response to these comments, the Commission believes that current 
practices under the ARP Inspection Program continue to be relevant in 
an economic assessment of Regulation SCI and the current baseline. In 
particular, as described in more detail throughout the economic 
analysis, based on comments and staff experience, the Commission 
believes that ARP entities have developed practices that to some extent 
overlap with the requirements of Regulation SCI. Accordingly, the 
Commission believes that, for some entities, the economic effects 
associated with compliance with Regulation SCI will be less significant 
as these entities will need to make incremental adjustments to their 
current practices to comply with many of the requirements.
    The Commission recognizes that there is no publicly available 
information on voluntary compliance under the ARP Inspection Program. 
At the same time, the Commission and its staff have overseen the ARP 
Inspection Program for over two decades, and the Commission notes that participants in 
the ARP Inspection Program generally follow the ARP Policy Statements. 
The Commission also notes that, in the ARP II Release, it stated that 
Commission staff and the SROs have discussed the independent review 
process, ``taking into account that the SROs already engage in testing 
and quality assurance reviews of new or modified systems, and that 
there are other significant controls in place to prevent, detect or 
correct problems in such areas as capacity planning, testing, systems 
development, vulnerability and contingency planning.'' \1792\ The 
Commission is not assuming in the economic analysis that each SCI 
entity is fully in compliance with the ARP Inspection Program. Rather, 
the Commission's and its staff's experience informs the Commission's 
view regarding the range of existing practices of SCI entities. The 
Commission recognizes that some participants in the ARP Inspection 
Program may also have adopted practices that are not precisely in line 
with the standards articulated in the ARP Policy Statements and other 
Commission policy statements. As discussed throughout this economic 
analysis, the Commission has considered what the economic effects, 
including the costs and benefits of complying with Regulation SCI, will 
be for those entities that may not have practices consistent with the 
standards articulated in the ARP Policy Statements. For example, some 
SRO backup facilities may be less geographically dispersed from the 
primary facilities than articulated in the 2003 BCP Policy 
Statement.\1793\ Further, some SROs may report systems issues or 
changes to the Commission in a manner different from what is 
articulated in the ARP Policy Statements and Commission staff letters. 
Instead of assuming full compliance with the ARP Inspection Program, 
throughout the economic analysis the Commission notes that some SCI 
entities that participate in the ARP Inspection Program have current
practices that already satisfy some of the requirements of Regulation 
SCI and considers the details of those current practices when assessing 
the economic effects of the rules.
---------------------------------------------------------------------------

    \1792\ See ARP II, supra note 1, at 22491.
    \1793\ See 2003 BCP Policy Statement, supra note 504, at 56658.
---------------------------------------------------------------------------

    Finally, in using the ARP Inspection Program as a component of the 
baseline, the Commission also recognizes that Regulation SCI is more 
expansive than the ARP Inspection Program and has taken this fact into 
consideration throughout the economic analysis. For example, among 
other things, Regulation SCI includes more expansive requirements 
compared to the ARP Inspection Program for the establishment of 
policies and procedures regarding systems capacity, integrity, 
resiliency, availability, security, and compliance; and annual business 
continuity and disaster recovery plans testing. In addition, the 
Commission is aware that more entities will be subject to Regulation 
SCI than are currently participating in the ARP Inspection Program, 
including a higher number of ATSs. The Commission has considered these 
differences in the economic analysis.
    The sections below describe in more detail the Commission's 
understanding of current practices related to areas covered by 
Regulation SCI, as informed by its experience with the ARP Inspection 
Program, the OCIE examination program, as well as by commenters. In 
particular, the sections below provide an overview of the frequency and 
the types of systems issues addressed by Regulation SCI (i.e., systems 
disruptions, systems intrusions, and systems compliance issues) and 
current practices related to these events, as well as current practices 
related to business continuity and disaster recovery, and material 
systems changes notifications. Additionally, the sections below include 
a summary of the current competitive landscape in various markets for 
services related to Regulation SCI and why the markets for these 
services do not provide an adequate competitive incentive to prevent 
the occurrence of these market events and reduce the duration and 
severity when they occur.\1794\ Details regarding the baseline for 
certain specific current practices relevant to specific provisions of 
Regulation SCI are discussed throughout the consideration of costs and 
benefits and the effect on efficiency, competition, and capital 
formation below.
---------------------------------------------------------------------------

    \1794\ Throughout this Economic Analysis, the general concept of 
a reduction of SCI events may refer to fewer events, shorter 
duration of events, and/or less severe events.
---------------------------------------------------------------------------

1. SCI Events
a. Systems Disruptions and Intrusions
    Currently, market participants use an array of preventive and 
corrective measures to avoid systems disruptions and to restore systems 
when disruptions occur, including escalation procedures to notify 
management of disruptions. The range of preventive and corrective 
measures varies among market participants and SCI entities, and also 
differs among the systems employed by SCI entities. For instance, 
clearing systems and order matching engines generally are given higher 
priority by SCI entities than other SCI entity systems.
    Also, as noted by a commenter, exchanges, member firms, and ATSs 
conduct regular and ad hoc testing of mission critical systems for the 
introduction of new software releases, new features and functions, and 
systems upgrades, among other things.\1795\ This commenter also noted 
that the internal IT staff of exchanges, ATSs, trading platform 
providers, and clearing houses conduct regular systems testing, 
regression testing, stress testing, and failover testing to ensure the 
availability, capacity, resilience, and readiness of newly introduced 
systems, applications, products, and system functions.\1796\ However, 
industry practices are not codified as requirements for SCI entities 
and systems, except as may be the case in an entity's rulebook or 
subscriber agreement.
---------------------------------------------------------------------------

    \1795\ See Tellefsen Letter at 11.
    \1796\ See id.
---------------------------------------------------------------------------

    Market participants also employ a wide variety of measures to 
prevent and respond to systems intrusions, including escalation 
procedures to notify management of intrusions. Generally, market 
participants use measures such as firewalls to prevent systems 
intrusions, and use detection software to identify systems intrusions. 
Once an intrusion has been identified, the affected systems typically 
would be isolated and quarantined, and forensics would be performed.
    While there have been instances in which SCI entities revealed 
systems issues (including disruptions and intrusions) to their members 
or participants and to the public in the past,\1797\ there currently is 
no requirement applicable to SCI entities that includes the level of 
specificity in Regulation SCI for dissemination of information 
regarding systems disruptions and systems intrusions, as those terms 
are defined in Regulation SCI, to affected members or participants or 
to all members or participants of an SCI entity.
---------------------------------------------------------------------------

    \1797\ One instance of a publicly reported systems intrusion at 
an SCI entity occurred in February 2011, when NASDAQ OMX Group, Inc. 
revealed that hackers had penetrated certain of its computer 
networks, though Nasdaq reported that at no point did this intrusion 
compromise Nasdaq's trading systems. See Proposing Release, supra 
note 13, at 18089. One commenter also stated that when systems 
issues arise that impact subscriber access, functionality, or 
security, each potential SCI entity informs its subscribers of the 
problem and the expected solution, and generally follows with a post 
mortem. According to this commenter, some entities provide this 
notice pursuant to a contract or general agreement with subscribers, 
while others do so in order to maintain and grow their subscriber 
base. See OTC Markets Letter at 19. See also supra Section II.B 
(describing recent events involving systems-related issues, which 
have been made public).
---------------------------------------------------------------------------

    In 2013, entities that participated in the ARP Inspection Program, 
including at least one of each type of such participants (i.e., 
national securities exchange, national securities association, 
registered clearing agency, plan processor, ATS, and exempt clearing 
agency), reported a total of approximately 357 systems disruptions to 
the Commission.\1798\ These incidents had durations ranging from under 
one hour to well over several hours, with most incidents having a 
duration of less than three hours.\1799\ The Commission has also 
tracked the percentage of market outages at SROs and electronic 
communications networks, which were self-reported to the Commission or 
identified by Commission staff, that were corrected within targeted 
timeframes. Specifically, in fiscal year 2013, 80% of outages were 
resolved within 2 hours, 86% were resolved within 4 hours, and 98% were 
resolved within 24 hours.\1800\
---------------------------------------------------------------------------

    \1798\ One commenter believes that ATSs have not contributed to 
the recent major systems issues that have impacted the market. See 
ITG Letter at 4. However, as the Commission has noted, FINRA halted 
trading for over 3 1/2 hours in all OTC equity securities due to a 
lack of availability of quotation information resulting from a 
connectivity issue experienced by OTC Markets Group Inc.'s OTC Link 
ATS. See supra note 33 and accompanying text.
    \1799\ The Commission acknowledges that the number of systems 
incidents reported to the Commission by entities that participated 
in the ARP Inspection Program represents the lower end of expected 
SCI events under Regulation SCI because the definition of ``SCI 
event'' is broader than the types of events covered by the current 
ARP Inspection Program. See supra Section V.D.2.a.
    \1800\ See U.S. Securities and Exchange Commission FY 2015 
Annual Performance Plan, at 26 (March 7, 2014), available at: https://www.sec.gov/about/reports/secfy15congbudgjust.pdf.
---------------------------------------------------------------------------

b. Systems Compliance Issues
    Currently, systems compliance issues are not covered by the ARP 
Inspection Program. However, the Commission notes that all SROs are 
required to comply with the Exchange Act, the rules
and regulations thereunder, and their own rules and governing 
documents, as applicable,\1801\ and securities information processors 
and ATSs are subject to similar requirements.\1802\
---------------------------------------------------------------------------

    \1801\ See, e.g., 15 U.S.C. 78s(g) (requiring each SRO to comply 
with the Exchange Act, the rules and regulations thereunder, and its 
own rules).
    \1802\ See, e.g., 15 U.S.C. 78k-1(b)(6); 15 U.S.C. 78k-1(c)(1); 
and FINRA Rule 3130. Moreover, ATSs are registered broker-dealers 
and may be subject to Commission sanctions if they fail to comply 
with relevant federal securities laws and rules and regulations 
thereunder.
---------------------------------------------------------------------------

    Further, SROs currently take steps to ensure that their systems' 
operations are consistent with the federal securities laws and rules 
and their own rules, and some SROs notify Commission staff of certain 
systems compliance issues.\1803\ In particular, the Commission 
understands that SCI SROs generally have procedures to escalate a 
compliance issue upon discovery, to include legal and compliance 
personnel in the review of systems changes, and to periodically review 
rulebooks. However, although some SCI entities currently notify the 
Commission of certain systems compliance issues, the Commission does 
not receive comprehensive data regarding such issues.
---------------------------------------------------------------------------

    \1803\ See Proposing Release, supra note 13, at 18087, n. 36. As 
part of the Commission's oversight of SROs, OCIE reviews systems 
compliance issues reported to Commission staff.
---------------------------------------------------------------------------

    Similar to systems disruptions and systems intrusions, while there 
have been instances in which SCI entities revealed systems 
compliance-related issues to their members or participants and to the 
public in 
the past,\1804\ there currently is no requirement applicable to SCI 
entities that includes the level of specificity in Regulation SCI for 
dissemination of information regarding systems compliance issues, as 
that term is defined in Regulation SCI, to affected members or 
participants, or to all members or participants of an SCI entity.
---------------------------------------------------------------------------

    \1804\ See supra Section II.B (describing recent events 
involving systems-related issues, which have been made public).
---------------------------------------------------------------------------

    In the SCI Proposal, based on Commission staff's experience with 
SROs and the rule filing process, the Commission estimated that there 
are likely approximately seven systems compliance issues per SCI entity 
per year. No commenter provided additional information regarding the 
frequency of systems compliance issues. However, Commission staff 
received notifications indicating that certain SROs experienced an 
average of 17 systems compliance-related issues in 2013. The Commission 
believes that its staff received notification of a larger number of 
systems compliance issues in 2013 for a variety of reasons, including 
the proposal of Regulation SCI, recent Commission enforcement actions 
relating to systems compliance issues, as well as related press 
reports, all of which the Commission believes increased attention on 
systems compliance issues.\1805\
---------------------------------------------------------------------------

    \1805\ See id.
---------------------------------------------------------------------------

2. Business Continuity and Disaster Recovery
    The Commission recognizes that SCI entities already have business 
continuity and disaster recovery plans. For example, nearly all 
national securities exchanges already have backup facilities that do 
not rely on the same infrastructure components as those used by their 
primary facility.\1806\ Additionally, most participants in the ARP 
Inspection Program have strived to adhere to the recovery timeframes in 
the Interagency White Paper and the 2003 BCP Policy Statement.\1807\ 
Some SCI entities also already require some of their members or 
participants to connect to their backup systems.\1808\ Further, some 
SCI entities already provide their members or participants with the 
opportunity to test the SCI entity's business continuity and disaster 
recovery plans, including its backup systems.\1809\ However, because 
participation in BC/DR testing, including backup systems, is not always 
required by SCI entities, the Commission understands that not all 
market participants participate in testing.\1810\ In addition, based on 
the discussions between Commission staff and market participants in the 
months following Superstorm Sandy, the Commission understands that many 
market participants had previously engaged in connectivity testing with 
backup facilities, and yet remained uncomfortable about switching to 
the use of backup facilities in advance of the storm.
---------------------------------------------------------------------------

    \1806\ See, e.g., CBOE Regulatory Circular RG14-001 (Back-Up 
Data Center Test on January 25, 2014).
    \1807\ See supra note 504 and accompanying text.
    \1808\ See, e.g., CBOE Regulatory Circular RG13-110 
(Connectivity to the CBOE Back-Up Data Center). See also Proposing 
Release, supra note 13, at n. 641.
    \1809\ For example, SIFMA organizes industry-wide business 
continuity tests. See Industry Testing, https://www.sifma.org/services/bcp/industry-testing/.
    \1810\ See, e.g., Angel Letter at 9-10.
---------------------------------------------------------------------------

    Commenters also provided information regarding current practices 
surrounding business continuity and disaster recovery. One commenter 
noted that the major equity and options exchanges and numerous ATSs 
already regularly augment IT testing with other business continuity 
management exercises (e.g., they conduct annual business continuity and 
disaster recovery plan updates, building evacuation drills, and 
business disruption scenario planning workshops).\1811\ This commenter 
also noted that all of the U.S. exchanges and clearinghouses have 
participated in the planning and execution of the annual disaster 
recovery test initiative conducted and coordinated by the FIA and 
SIFMA.\1812\ This commenter noted that, in 2012, for example, the 
annual FIA industry test involved 18 exchanges and clearinghouses, 68 
futures commission merchants, and 46 trading participant firms.\1813\ 
This commenter also noted that the exchanges reported that the firms 
engaged in testing represented approximately 80% of their clearing 
members and that these firms reflected approximately 85% of the 
exchanges' 2012 volumes.\1814\
---------------------------------------------------------------------------

    \1811\ See Tellefsen Letter at 7.
    \1812\ See id.
    \1813\ See id. at 8.
    \1814\ See id. See also CME Letter at 12.
---------------------------------------------------------------------------

3. Material Systems Changes Notifications
    Many entities that participate in the ARP Inspection Program 
already voluntarily provide material systems change notifications to 
the Commission on an annual and ad hoc basis. In particular, the ARP II 
Release stated that SROs should notify Commission staff of significant 
additions, deletions, or other changes to their automated 
systems.\1815\ Moreover, in the 2001 Staff ARP Interpretive Letter, 
Commission staff provided guidance to ARP entities on how they should 
report planned systems changes to the Commission.\1816\ In addition, 
Rule 301(b)(6) under Regulation ATS requires that ATSs that meet the 
thresholds in that rule notify Commission staff of significant systems 
changes,\1817\ and Rule 301(b)(2) under Regulation ATS requires each 
ATS that is subject to Rule 301, regardless of activity level, to file 
an amendment on Form ATS at least 20 days prior to implementing a 
material change to the operation of the ATS.\1818\
---------------------------------------------------------------------------

    \1815\ See ARP II Release, supra note 1, at 22491.
    \1816\ See supra note 21 and accompanying text. The 2001 Staff 
ARP Interpretive Letter provided guidance on what Commission staff 
considers significant systems changes to include.
    \1817\ 17 CFR 242.301(b)(6)(ii)(G).
    \1818\ 17 CFR 242.301(b)(2)(ii) (requiring an amendment to Form 
ATS not solely for material systems changes, but also for any 
material change to the operation of an ATS).

---------------------------------------------------------------------------

4. Potential for Market Solutions
    The current competitive landscape in various markets for services 
related to Regulation SCI affects current incentives to prevent the 
occurrence of SCI events in these markets.\1819\ The Commission 
outlined and examined this competitive landscape and potential for 
market solutions to reduce SCI events and their shortcomings in the SCI 
Proposal.\1820\ In particular, the Commission evaluated current 
limitations to competition and potential market solutions in the 
markets for trading services, listing services, regulatory services, 
clearance and settlement services, and market data.
---------------------------------------------------------------------------

    \1819\ This section evaluates competition as it currently 
exists. The Commission analyzes the economic effects of Regulation 
SCI, including potential effects on competition, in Section VI.C.
    \1820\ See Proposing Release, supra note 13, at 18159-61.
---------------------------------------------------------------------------

    The discussion below responds to comments received regarding the 
Commission's discussion of the potential for market solutions in the 
markets for trading services and market data. The Commission did not 
receive specific comments regarding its analysis of the markets for 
listing services, regulatory services, and clearance and settlement 
services. Therefore, the Commission believes that its analysis of these 
markets in the SCI Proposal continues to apply. Specifically, the 
Commission believes that, while the market for listing services 
provides some discipline, it has limitations related to a disconnect 
between trading location and listing market (i.e., while a company can 
be listed on a certain exchange, trading does not necessarily occur on 
that exchange), to switching costs if an issuer wishes to change its 
listing exchange, and to market power deriving from the ``prestige'' of 
a listing exchange.\1821\ Further, the Commission believes that the 
market for regulatory and surveillance services is concentrated in a 
few competitors and that the market for clearance and settlement 
services is currently characterized by specialization and limited 
competition.\1822\
---------------------------------------------------------------------------

    \1821\ See id. at 18160.
    \1822\ See id. at 18160-61.
---------------------------------------------------------------------------

    The Commission has considered the views of commenters and the 
Commission's analysis of markets not addressed by commenters, and 
continues to believe that market forces alone are insufficient to 
significantly reduce SCI events in the markets that it evaluated and 
that a regulatory solution is needed. In particular, the Commission 
continues to believe that SCI entities do not fully internalize the 
costs associated with systems issues, SCI events pose significant 
negative externalities on the market--i.e., systems issues have 
ramifications on the securities markets beyond the impact on the entity 
responsible for the systems issues--and, as discussed above, 
significant technology issues continue to occur in the absence of 
regulation.
    Some commenters broadly addressed the potential for market 
solutions evaluated in the SCI Proposal. According to one commenter, 
SCI entities (e.g., ATSs) are highly motivated to provide uninterrupted 
order matching services for economic reasons.\1823\ On the other hand, 
another commenter noted that, as indicated by the 2008 financial crisis 
and the technology incidents over the past few years, market 
participants do not have the right economic incentives to protect 
themselves.\1824\ Another commenter stated that, in the past, 
``disruptive or deviant behavior in the markets was disciplined not 
just by regulators but also by trading crowds,'' but anonymity and 
fully automated price/time matching made it impossible for the trading 
crowd to attribute and sanction disruptive behavior.\1825\ This 
commenter also noted that market incentives can drive the industry in 
the opposite direction (i.e., short-term market incentives can drive 
the industry to minimize risk controls).\1826\ According to this 
commenter, the only practical source of discipline left is government 
regulation.\1827\
---------------------------------------------------------------------------

    \1823\ See ITG Letter at 4 (stating also that sponsors of ATSs 
have a ``compelling business incentive to avoid systems issues''). 
See also Angel Letter at 5-6 (commenting that firms have sufficient 
motivation to take every precaution against catastrophic failures, 
although the interaction between firms may result in a catastrophic 
event).
    \1824\ See Lauer Letter at 3-4.
    \1825\ See Leuchtkafer Letter at 1-2.
    \1826\ See id. at 6. This commenter stated that it is far 
cheaper for firms to implement new trading strategies ``in a matter 
of minutes'' than it is for them to rigorously test a new strategy 
before deployment, and that it is more profitable for firms to skimp 
on risk controls because controls take time. See id. Further, this 
commenter noted that the exchanges know, or should know, who 
``misbehaves,'' but they are tangled in mixed incentives of their 
own, dependent on firms for the next quarter's profits and, at the 
same time, expected to moderate the firms' behavior. See id.
    \1827\ See id. at 6-7.
---------------------------------------------------------------------------

    The Commission believes that all SCI entities have some incentives 
to maintain robust systems in order to maximize long-term revenue. 
However, as evidenced by the various systems issues that have occurred 
prior to and since publication of the SCI Proposal, economic 
motivations alone have not been sufficient to significantly reduce 
systems issues.\1828\ In addition, although SCI entities may suffer an 
economic and reputational burden if a systems issue becomes apparent to 
the trading community or the public, the Commission believes that SCI 
entities are not sufficiently incentivized to improve the robustness of 
these systems to prevent systems issues, as described in more detail 
below.\1829\ Further, SCI entities may fail to internalize the risk of 
catastrophic failure associated with systems issues.
---------------------------------------------------------------------------

    \1828\ See supra Section II.B (discussing recent events 
involving systems-related issues).
    \1829\ As noted above, the Commission acknowledges that the 
nature of technology and the level of sophistication and automation 
of current market systems prevent any measure, regulatory or 
otherwise, from completely eliminating all systems disruptions, 
intrusions, or other systems issues. See supra Section III.
---------------------------------------------------------------------------

    As noted above, systems issues have ramifications on the securities 
markets beyond the impact on the entity responsible for or experiencing 
the systems issues (an ``economic externality''). That is, a systems 
issue not only affects the entity responsible for the issue, but also 
directly affects other entities that use that entity. Often, when an 
SCI entity experiences a systems issue, all market participants that 
use that entity incur costs. For example, if market data systems fail, 
it affects anyone requiring such market data to make informed 
decisions. Also, when a matching engine fails, securities cannot be 
traded via that functionality. As discussed in greater detail below, 
the failure of a trading system not only forces the venue to forgo 
revenue, but also can diminish trading in financial instruments during 
the disruption. Additionally, the failure of a trading system can 
impose costs on market participants that have optimized their strategy 
so that trading costs are minimized. If the strategy of these market 
participants assumes that all trading venues are fully operational, 
then the failure of a trading system could impose additional 
transaction costs. The Commission believes that, in part because the 
costs of such externalities are not fully borne by SCI entities in the 
form of lost business, market forces alone are insufficient to 
significantly reduce SCI events.
Market for Trading Services
    In the proposing release, the Commission identified many 
competitors in the market for trading services, including equities 
exchanges, options exchanges, ATSs, OTC market makers, and broker-
dealers.\1830\ Competitors for listed-equity (NMS)
trading services include 11 national securities exchanges, none having 
an overall market share of 20 percent,\1831\ 44 ATSs, which account for 
18% of dollar volume, and several hundred OTC market makers and broker-
dealers, which account for 15.8% of dollar volume.\1832\ In the SCI 
Proposal, the Commission recognized that all providers of trading 
services compete and have incentives to avoid systems disruptions, 
systems compliance issues, and systems intrusions because, for example, 
brokers and other entities will be inclined to route orders away from 
trading venues that have frequent systems problems. However, the 
Commission noted several limitations on competition, including market 
participants misjudging the quality of trading services because of 
incomplete information regarding SCI events and the limited number of 
competitors (in some cases only one competitor) that may offer trading 
services in a particular product.\1833\
---------------------------------------------------------------------------

    \1830\ See Proposing Release, supra note 13, at 18159.
    \1831\ See supra note 106 and accompanying text.
    \1832\ Calculated by Commission staff using market volume 
statistics reported by BATS and data from Form ATS-R for the second 
quarter of 2014. See supra notes 106 and 150. In 2012, 255 OTC 
market makers and broker-dealers accounted for 17% of volume. See 
DERA staff white papers, ``Alternative Trading Systems: Description 
of ATS Trading in National Market System Stocks'' by Laura Tuttle 
(https://www.sec.gov/marketstructure/research/alternative-trading-systems-march-2014.pdf) and ``OTC Trading: Description of Non-ATS 
OTC Trading in National Market System Stocks'' by Laura Tuttle 
(https://www.sec.gov/marketstructure/research/otc_trading_march_2014.pdf).
    \1833\ For example, a number of listed options and NMS stocks 
trade on only one venue.
---------------------------------------------------------------------------

    With respect to the market for trading services, one commenter 
stated that the current competitive market for trading services 
provides sufficient redundancies that make a disruption at any 
particular service provider minor.\1834\ Another commenter noted that 
exchanges compete vigorously with one another and against broker-dealer 
execution platforms and cannot afford to develop a reputation for 
technology problems.\1835\ This commenter also noted that the incidence 
of self-help declarations \1836\ has been reduced, which reflects 
technology enhancements by exchanges that are a direct result of the 
competitive environment in which exchanges operate.\1837\ Similarly, 
another commenter stated that, apart from any regulatory standards, no 
organization has a greater stake in assuring the effective operation of 
its systems than the owners and operators of the entities that 
participate in the market structure.\1838\ Moreover, one commenter 
stated that ATSs already have incentives to avoid any systems 
disruptions for competitive reasons and also perform numerous tests and 
employ best practices.\1839\
---------------------------------------------------------------------------

    \1834\ See KCG Letter at 6-8.
    \1835\ See BATS Letter at 2.
    \1836\ Rule 611(b) under Regulation NMS provides a number of 
exceptions from the general requirement to prevent trade-throughs of 
protected quotations. In particular, Rule 611(b)(1) provides the 
``self-help'' exception, which applies when the ``transaction that 
constituted the trade-through was effected when the trading center 
displaying the protected quotation that was traded through was 
experiencing a failure, material delay, or malfunction of its 
systems or equipment.'' See 17 CFR 242.611(b)(1).
    \1837\ See BATS Letter at 2-3.
    \1838\ See BIDS Letter at 2.
    \1839\ See ITG Letter at 4.
---------------------------------------------------------------------------

    Again, the Commission acknowledges that all providers of trading 
services compete and have some incentives to avoid systems issues. 
However, the Commission continues to believe that there are limits to 
the extent to which competition mitigates systems problems associated 
with trading services because providers of trading services compete on 
a variety of measures--for example, providing the best prices, deep 
quotes, and fast executions--not just the quality of their systems. As 
a result, an issue with trading systems might not significantly harm 
the SCI entity that experienced the issue. Additionally, competition in 
the market for trading services may also not sufficiently mitigate the 
occurrence and effects of SCI events because market participants may 
lack information about SCI events. The Commission believes that it is 
important for affected SCI entity members or participants and, in some 
cases, all members or participants of an SCI entity, to know about SCI 
events at a particular service provider.\1840\ Moreover, even in 
markets where significant competition exists--such as the market for 
trading NMS securities, which has many competitors including exchanges 
and ATSs--entities that experience significant outages may temporarily 
lose market share, but may quickly regain the lost market share.\1841\ 
The Commission believes that this further suggests that competition 
alone will not significantly reduce systems issues.
---------------------------------------------------------------------------

    \1840\ See supra Section VI.B.1 (discussing current practices of 
SCI entities regarding dissemination of information on systems-
related issues).
    \1841\ For example, on November 12, 2012, the NYSE experienced a 
failure in a matching engine that forced it to stop trading 216 
stocks. See NYSE Market Status Alert, https://markets.nyx.com/nyse/market-status/view/11558. The NYSE lost market share on the day of 
the outage but regained its market share the next day. See generally 
https://www.batstrading.com/market_summary/ (compiling data on market 
share).
---------------------------------------------------------------------------

    In addition, some entities that face little competition in one 
security may impose significant externalities on the market with little 
competitive recourse. For example, even though there may be multiple 
trading venues for the majority of securities, trading service 
providers may have limited means to transact in particular securities 
(e.g., certain index options exclusively traded on one options 
exchange) and thus, if systems issues persist at certain venues, 
brokers, investors, and other entities will not be able to trade the 
security until the venue that lists the security recovers. In this 
particular case, not only does the venue lose revenue from forgone 
volume, but market participants also incur costs because they are not 
able to trade the security. As a result, the Commission believes that 
competition alone in the market for trading services is not sufficient 
to reduce SCI events at entities providing these services.
    As mentioned by one commenter,\1842\ competitive forces among 
trading venues may also lead to ``underinvestment and cutting 
corners.'' For example, the incentive to migrate software from testing 
to the production environment to improve trading services (and thereby 
the entity's profitability) may promote an environment where software 
that has not been adequately tested is launched into production, thus 
increasing the potential for systems issues to develop.
---------------------------------------------------------------------------

    \1842\ See Lauer Letter at 4 (stating that ``[e]very firm in 
every industry is constantly balancing the cost of safety with 
scarcity of resources . . . [and t]he Commission's job in this 
regard is to compel these firms to act in their own long-term 
interests, and the interests of the public at-large, rather than any 
short-term interests that may be better served by underinvestment 
and cutting corners'').
---------------------------------------------------------------------------

Market for Market Data
    One commenter stated that Regulation SCI, as applied to market 
data, is unnecessary and will have ``zero benefits'' because the 
revenue from the sale of market data is an important revenue source for 
an SRO.\1843\ Therefore, according to this commenter, SROs already have 
the right incentives to successfully collect, process, and disseminate 
market data.\1844\
---------------------------------------------------------------------------

    \1843\ See Angel Letter at 18-19.
    \1844\ See id.
---------------------------------------------------------------------------

    As noted above, the Commission has, on numerous occasions, 
emphasized the importance of market data, including the consolidated 
data feed.\1845\ The Commission believes that consolidated market data 
is an important part of the investment and trading process as it helps 
market participants to make well-informed investment and trading 
decisions, and also helps investors to monitor the quality of execution 
of orders by their brokers. In addition,
exchanges rely on accurate consolidated market data for many of their 
real-time functions. Even though demand is great, a total of only two 
SIPs collect, process, and distribute consolidated market data in NMS 
securities, and only a single SIP collects, processes, and distributes 
consolidated market data for any given security. Further, other 
providers of market data in markets other than NMS securities (e.g., 
municipal securities) may also be the sole providers of their data. 
Therefore, the Commission believes that the market data consolidators 
are not subject to significant competitive market forces. Further, 
because the demand for market data from the SIPs is inelastic,\1846\ 
there is little incentive to improve reliability as few alternatives 
exist. Thus, the Commission believes that competition alone is not 
sufficient to reduce SCI events for market data consolidators. Because 
an SCI event in connection with market data can significantly disrupt 
markets, the Commission believes that regulation is needed and, as 
discussed below, will provide significant benefits.\1847\
---------------------------------------------------------------------------

    \1845\ See supra note 249 and accompanying text.
    \1846\ Demand is inelastic when demand does not diminish as 
price increases.
    \1847\ For example, as discussed above, on August 22, 2013, 
Nasdaq halted trading in all Nasdaq-listed securities for more than 
three hours after the Nasdaq SIP, the single source of consolidated 
market data for Nasdaq-listed securities, became unable to process 
quotes from exchanges for dissemination to the public. See supra 
note 32 and accompanying text.
---------------------------------------------------------------------------

C. Consideration of Costs and Benefits and the Effect on Efficiency, 
Competition, and Capital Formation

1. Broad Economic Considerations
    The Commission has considered the economic effects of Regulation 
SCI as a whole as well as the specific effect of each rule. This 
section provides an overview of the broad economic considerations 
relevant to Regulation SCI and the economic effects, including the 
costs, benefits, and effects on efficiency, competition, and capital 
formation that are attributable to Regulation SCI as a whole. 
Additional economic effects, including benefits and costs, related to 
specific requirements in Regulation SCI and reasonable alternatives are 
discussed in Section VI.C.2 below.
    The Commission has attempted, where possible, to quantify the 
benefits and costs anticipated to flow from Regulation SCI. The 
Commission notes, however, that many of the costs and benefits of 
Regulation SCI are difficult to quantify with any degree of certainty, 
especially as the current practices of market participants vary and are 
expected to evolve and adapt to changes in technology and market 
developments. For example, in some cases, quantification depends 
heavily on factors outside of the control of the Commission, 
particularly because Regulation SCI provides flexibility to an SCI 
entity to tailor its policies and procedures to the nature of its 
business, technology, and the relative criticality of each of its SCI 
systems. Additionally, in some cases, the Commission is unable to 
quantify the benefits and costs associated with Regulation SCI because 
the Commission lacks the information necessary to provide a reasonable 
estimate. For example, the Commission does not have sufficient 
information upon which to base an estimate of all costs associated with 
the various specific systems changes that may be required as the result 
of Regulation SCI. Accordingly, much of the discussion of economic 
effects is qualitative in nature but, again, where possible, the 
Commission has provided quantified information.
a. Benefits
    The Commission believes that the adoption of, and compliance by SCI 
entities with, Regulation SCI will further the goals of the national 
market system as a result of each SCI entity establishing, maintaining, 
and enforcing written policies and procedures reasonably designed to 
ensure that its SCI systems and, for purposes of security standards, 
indirect SCI systems, have levels of capacity, integrity, resiliency, 
availability, and security, adequate to maintain the SCI entity's 
operational capability and promote the maintenance of fair and orderly 
markets. In this respect, Regulation SCI will promote the capacity, 
integrity, resiliency, availability, and security of the automated 
systems of entities important to the functioning of the U.S. securities 
markets, as well as reinforce the requirement that such systems operate 
in compliance with the Exchange Act and rules and regulations 
thereunder, thus strengthening the infrastructure of the U.S. 
securities markets and improving their resilience when technological 
issues arise. Regulation SCI also establishes an updated and formalized 
regulatory framework, thereby helping to ensure more effective 
Commission oversight of such systems. Although the Commission 
acknowledges that Regulation SCI likely will not eliminate all systems 
issues, the Commission believes that Regulation SCI will change and 
strengthen the practices of SCI entities, and should result in a number 
of benefits, including those summarized below.\1848\
---------------------------------------------------------------------------

    \1848\ As noted above, in the SCI Proposal, the Commission 
encouraged commenters to identify, discuss, analyze, and supply 
relevant data, information, or statistics regarding benefits. The 
Commission notes that it is unable to quantify the benefits 
associated with Regulation SCI as a whole because quantitative data 
regarding each of the benefits is not readily available to the 
Commission, and commenters did not provide sufficient quantitative 
data to allow the Commission to do so.
---------------------------------------------------------------------------

    The Commission believes that adopting Regulation SCI will result in 
fewer market disruptions due to systems issues, which could lead to 
fewer interruptions in the price discovery process \1849\ and liquidity 
flows and, thus, may result in fewer periods with pricing 
inefficiencies. Specifically, the Commission believes that Regulation 
SCI would improve systems up-time for SCI entities and also would 
promote more robust systems that directly support execution facilities, 
order matching, and the dissemination of market data. Systems issues 
that directly inhibit execution facilities, order matching, and 
dissemination of market data could cause slow executions and result in 
delaying the incorporation of information into prices, and thus could 
harm price efficiency and price discovery. Systems issues could also 
result in unfilled orders, depriving traders of an execution. The 
Commission believes that Regulation SCI would reduce the frequency, 
severity, and duration of such effects resulting from systems issues. 
Moreover, decreasing the number of trading interruptions could improve 
price discovery and liquidity because interruptions in trading 
interfere with the process in which relevant information gets 
incorporated into security prices and, thus, temporarily disrupt 
liquidity flows and lower the quality of the price discovery process. 
Further, because interruptions in liquidity flows and the price 
discovery process in one security can affect securities trading in 
other markets, reducing trading interruptions could have broad effects. 
For example, an interruption in the market for securities that underlie 
derivative securities (e.g., index options and futures) would harm the 
price discovery process for those products and potentially restrict 
liquidity flows between the stock market and the derivative markets.
---------------------------------------------------------------------------

    \1849\ The price discovery process involves trading--buyers and 
sellers arriving at a transaction price for a specific asset at a 
given time. Thus, generally, any trading interruptions would 
interfere with the price discovery process.
---------------------------------------------------------------------------

    The Commission also believes that Regulation SCI has the potential 
to reduce widespread SCI events. Given
the speed and interconnected nature of the U.S. securities markets, a 
seemingly minor systems problem at a single entity can quickly create 
losses and liability for market participants, and spread rapidly across 
the national market system, potentially creating widespread damage and 
harm to market participants, including investors. By reducing systems 
issues, Regulation SCI also has the potential to decrease the risk of 
these catastrophic events.
    In addition, other benefits may derive from the additional 
information provided to the Commission and to members or participants 
of an SCI entity resulting from Regulation SCI. In particular, the 
information provided to the Commission should enhance the Commission's 
review and oversight of U.S. securities market infrastructure and 
foster cooperation between the Commission and SCI entities in 
responding to SCI events. Also, as noted in Section IV.B.3.c, the 
Commission believes that the aggregated data that will result from the 
reporting of SCI events will enhance its ability to comprehensively 
analyze the nature and types of various SCI events and identify more 
effectively areas of persistent or recurring problems across the 
systems of all SCI entities. Moreover, as discussed in Section IV.A.3, 
the Commission notification requirements for SCI events will help to 
focus the Commission's and SCI entities' resources on the more 
significant SCI events, as the Commission has determined to distinguish 
the timing of its receipt of information regarding SCI events based on 
their impact, with SCI events estimated to have a greater impact being 
subject to ``immediate'' Commission notification, and SCI events having 
no or a de minimis impact being subject to recordkeeping obligations, 
and for de minimis systems disruptions and de minimis systems 
intrusions, a quarterly summary notification. Moreover, the increased 
dissemination of information about SCI events to SCI entity members or 
participants could reduce search costs for market participants when 
they are gathering information to make a decision with respect to the 
use of an entity's services. As discussed more thoroughly below, by 
lowering search costs, the information dissemination requirement could 
provide SCI entities additional competitive incentives to ensure and 
maintain robust policies and procedures to promote systems capacity, 
integrity, resiliency, availability, security and compliance.
    Some commenters addressed how the availability of Commission 
resources may affect the benefits and costs of Regulation SCI. One 
commenter argued that Regulation SCI would result in misallocation of 
Commission resources.\1850\ This commenter stated that it is likely 
that Regulation SCI would not reduce in a material manner the 
occurrence of systems issues at SCI entities, and Commission staff 
resources would be better devoted to working with the industry to 
develop best practices (not legal requirements) for all regulated 
entities in the areas of systems capacity, security, and 
integrity.\1851\ Similarly, one commenter noted that unless the 
Commission and Congress devote sufficient resources to hiring enough 
skilled technical staff, Regulation SCI will devolve into a paperwork 
exercise with little added benefit to the markets.\1852\ Another 
commenter stated that there is insufficient evidence regarding the 
resources and capacity of Commission staff to assess and analyze the 
data required to be provided under Regulation SCI.\1853\ This commenter 
urged the Commission to consider its resources as the Commission 
accommodates new initiatives.\1854\
---------------------------------------------------------------------------

    \1850\ See ITG Letter at 6-7. This commenter noted that 
Commission staff resources used to oversee Regulation SCI compliance 
would dwarf those used for the ARP Inspection Program and that 
Commission staff would have to analyze and act upon notifications 
from SCI entities, including systems change notifications. See id. 
This commenter also noted that substantial examination resources 
from the Commission and FINRA would be assigned to Regulation SCI 
oversight. See id. Similarly, another commenter noted that proposed 
Regulation SCI would result in a dramatic increase in the number of 
Commission notifications and would require substantial resources for 
Commission staff to process them in a responsible fashion. See Omgeo 
Letter at 8, n. 14.
    \1851\ See ITG Letter at 7.
    \1852\ See Angel Letter at 2.
    \1853\ See SunGard Letter at 2.
    \1854\ See id. at 5.
---------------------------------------------------------------------------

    As described throughout this release, the Commission believes that 
Regulation SCI will have significant benefits and that a regulatory 
solution is necessary because market forces alone are insufficient to 
significantly reduce SCI events in the relevant markets. The Commission 
has significant experience with the ARP Inspection Program, and thus 
has developed expertise in this area that it will apply to implementing 
and monitoring compliance with Regulation SCI. In light of this 
experience, the Commission believes that it can devote sufficient 
resources to carry out its obligations associated with Regulation SCI 
so that the benefits of Regulation SCI can be realized.
b. Costs
    Some of the costs associated with Regulation SCI are compliance 
costs. Compliance costs include, for example, documentation and 
mandatory reporting and dissemination of SCI events, and reports that 
include material systems changes. SCI entities will also incur costs in 
complying with the SCI review requirement, as well as in implementing 
the policies and procedures related to systems capacity, integrity, 
resiliency, availability, security, and compliance. Moreover, SCI 
entities will incur costs related to recordkeeping. Additional costs 
will also result from member/participant participation in the testing 
of SCI entity business continuity and disaster recovery plans. Also, 
market participants (including institutional and retail investors) in 
the securities markets may face increased transaction costs from SCI 
entities, to the extent that increased compliance costs are passed on 
to market participants.
    Many, but not all, of the quantifiable costs of Regulation SCI 
involve a collection of information, and these costs and burdens are 
discussed in the Paperwork Reduction Act section of this release.\1855\ 
When the PRA burdens are monetized, the estimated paperwork related 
compliance burdens for SCI entities as a result of Regulation SCI total 
approximately $117 million initially and approximately $100 million 
annually.\1856\ The Commission notes that the monetized PRA burdens 
have increased from those contained in the SCI Proposal. Although many 
of the adopted rules are more targeted and impose fewer requirements on 
SCI entities than the proposed rules, the monetized PRA burdens have 
changed in part due to modifications made to the PRA estimates as a 
result of recommendations from commenters, revisions to the rule text, 
and the revised estimate of the number of SCI events, which resulted 
from incorporating the Commission's review of the number of systems 
compliance-related issues and ARP incidents reported to Commission 
staff in 2013.
---------------------------------------------------------------------------

    \1855\ See supra Section V. The Commission provides below 
quantified estimates of other costs imposed by Regulation SCI beyond 
the PRA burdens, to the extent the Commission can quantify such 
costs.
    \1856\ The monetized PRA cost reflects the paperwork cost 
estimated for all of Regulation SCI, as discussed in Section V.
---------------------------------------------------------------------------

    In addition, the Commission has quantified non-paperwork related 
costs for SCI entities that total between approximately $14 million 
\1857\ and $106 million \1858\ in initial costs and between
$9 million \1859\ and $70 million \1860\ in annual ongoing costs. In 
addition to the costs to SCI entities, the Commission also estimates 
the total connectivity costs to members or participants of SCI entities 
associated with the testing of business continuity and disaster 
recovery plans to be $18 million annually.\1861\ Thus, the Commission 
estimates total quantified costs for SCI entities and members or 
participants of SCI entities to be between approximately $149 million 
\1862\ and $241 million \1863\ in initial costs and between $127 
million \1864\ and $188 million \1865\ in annual ongoing costs.
---------------------------------------------------------------------------

    \1857\ See infra note 1943 (estimating cost for complying with 
the policies and procedures required by Rules 1001(a) and (b)).
    \1858\ See infra note 1944 (estimating cost for complying with 
the policies and procedures required by Rules 1001(a) and (b)).
    \1859\ See infra note 1945 (estimating cost for complying with 
the policies and procedures required by Rule 1001(a) and (b)).
    \1860\ See infra note 1946 (estimating cost for complying with 
the policies and procedures required by Rule 1001(a) and (b)).
    \1861\ See infra note 2065.
    \1862\ $149 million = $117 million (PRA cost) + $14 million 
(other costs for SCI entities) + $18 million (connectivity costs for 
members or participants of SCI entities).
    \1863\ $241 million = $117 million (PRA cost) + $106 million 
(other costs for SCI entities) + $18 million (connectivity costs for 
members or participants of SCI entities).
    \1864\ $127 million = $100 million (PRA cost) + $9 million 
(other costs for SCI entities) + $18 million (connectivity costs for 
members or participants of SCI entities).
    \1865\ $188 million = $100 million (PRA cost) + $70 million 
(other costs for SCI entities) + $18 million (connectivity costs for 
members or participants of SCI entities).
---------------------------------------------------------------------------

    Several commenters provided broad comments regarding the costs of 
proposed Regulation SCI.\1866\ According to one commenter, Regulation 
SCI as proposed is ``too universal in its application, too ambitious in 
its scope and too costly in its implementation to achieve the hoped for 
reduction in risk to the markets without simultaneously diminishing 
other important SEC accomplishments, such as increased competition, 
improved innovation, increased consumer choice, lower barriers to entry 
into the industry and reduced transaction costs to the customer.'' 
\1867\ Another commenter noted that proposed Regulation SCI would 
impose an unreasonably burdensome technology and controls standard on 
automated systems of SCI entities, which could lead to allocative 
inefficiencies in the marketplace and therefore have a stifling effect 
on innovation in the U.S. equity markets.\1868\ Another commenter 
stated that the ultimate result of proposed Regulation SCI will be to 
limit or suppress the execution choice of buy-side investors, meaning 
investors will have less ability to effectively manage their trading 
strategies and diminished opportunities to seek better execution, lower 
transaction costs, and achieve price improvement and investment 
performance.\1869\
---------------------------------------------------------------------------

    \1866\ One commenter provided ``conservative and preliminary'' 
estimates for the cost of compliance with Regulation SCI. See FINRA 
Letter at 42-43. This commenter estimated that its one-time cost to 
comply with Regulation SCI would be between approximately $1.1 
million and $1.3 million, and its ongoing annual costs would be 
between approximately $4.5 million and $5.5 million, if Regulation 
SCI is adopted as proposed (e.g., if SCI systems is defined to apply 
to non-market regulatory and surveillance systems, and development 
and testing environments). See id. at 42. As discussed above, the 
definition of SCI systems does not include non-market regulation and 
non-market surveillance systems, or development and testing systems. 
Therefore, the Commission believes these estimates are too high. 
This commenter estimated that, under a narrower Regulation SCI 
(e.g., if non-market systems and development and testing 
environments are excluded from the definition of SCI systems), its 
one-time compliance costs would be between approximately $675,000 
and $825,000 and its annual costs would be between approximately 
$2.2 million and $2.6 million. See id. This commenter also stated 
that, monetizing its hour estimates for annual SCI reviews, its 
compliance costs would increase by between approximately $600,000 
and $900,000, and higher if more systems than currently in scope 
under ARP would be subject to annual SCI reviews. See id. at 42. The 
Commission notes that, other than the costs for SCI reviews, these 
estimates do not distinguish paperwork costs from non-paperwork 
costs. If the commenter's estimates are intended to include all 
costs for compliance with Regulation SCI, these estimates are close 
to or within the Commission's estimated total quantified cost ranges 
for SCI entities. See supra notes 1862-1865 and accompanying text.
    \1867\ See BIDS Letter at 2-3.
    \1868\ See ITG Letter at 2.
    \1869\ See UBS Letter at 7-8.
---------------------------------------------------------------------------

    As discussed throughout this release, the Commission believes that 
Regulation SCI will change and strengthen the practices of SCI 
entities, and should result in a number of benefits. Further, the 
Commission believes that these benefits should result without 
diminishing the Commission's accomplishments in other areas, stifling 
innovation, or suppressing the execution choice of investors. In 
particular, although costs associated with Regulation SCI could 
adversely impact competition and increase barriers to entry, the 
Commission believes that the adverse effect on competition and 
heightened barriers for SCI entities that provide venues for trading, 
including ATSs and exchanges, would be mitigated and therefore the 
Commission does not expect that investor choice on trading venues would 
be significantly limited.\1870\ The Commission also believes that any 
such effects would be warranted in light of the expected benefits of 
Regulation SCI. Additionally, as discussed below, the dissemination of 
information regarding certain major SCI events to all members or 
participants of an SCI entity can promote competitive incentives to 
prevent systems issues. The Commission also believes that the reduction 
in systems issues resulting from Regulation SCI could result in fewer 
interruptions in the price discovery process and liquidity flows and 
thus result in fewer periods with pricing inefficiencies. Furthermore, 
Regulation SCI could improve system uptime for SCI entities, and 
therefore reduce latency as market participants will not be forced to 
reroute orders or change execution strategies associated with 
situations in which an SCI entity is not operational.
---------------------------------------------------------------------------

    \1870\ See infra Section VI.C.1.c (addressing potential effects 
on efficiency, competition, and capital formation, including effects 
on other SCI entities).
---------------------------------------------------------------------------

    Moreover, the Commission notes that it has revised the proposed 
rules after considering the comments received. The Commission believes 
that many of the revisions to the proposed rules would reduce burdens 
on SCI entities and significantly address commenters' concerns 
regarding potential negative effects on allocative inefficiency and 
innovation. For example, because the Commission is adopting a quarterly 
reporting requirement for material systems changes instead of the 
proposed 30-day advance notification requirement, adopted Regulation 
SCI would impose lower burdens on SCI entities compared to the proposal 
and allow SCI entities more flexibility when they implement material 
systems changes.\1871\
---------------------------------------------------------------------------

    \1871\ See supra Section IV.B.4.b.i.
---------------------------------------------------------------------------

c. Effects on Efficiency, Competition, and Capital Formation
    Along with the effects on efficiency, competition, and capital 
formation discussed below with regard to specific provisions of 
Regulation SCI, the Commission believes that Regulation SCI as a whole 
could affect efficiency, competition, and capital formation in several 
ways.
    By increasing the robustness of SCI systems and indirect SCI 
systems of SCI entities, Regulation SCI may improve efficiency--in 
particular, price efficiency--and the improvement in pricing efficiency 
could promote capital formation. In particular, as discussed in VI.C.1, 
disruptions to SCI systems and the resulting trading interruptions can 
degrade pricing efficiency, price discovery, and liquidity. Regulation 
SCI may reduce the frequency, severity, and duration of market 
disruptions (e.g., trading interruptions) that may otherwise prevent 
market participants from impounding information into security prices 
through market activity (e.g., order submission) and, thus,
improve price efficiency in the markets. Such disruptions also impose 
liquidity costs and harm the price discovery process. The quality of 
the price discovery process has important implications for efficiency 
and capital formation, as prices that accurately convey information 
about fundamental value improve the efficiency with which capital is 
allocated across projects and firms.
    The Commission also believes that Regulation SCI could affect 
competition in several ways. The Commission believes that the existing 
competition among the markets has not sufficiently mitigated the 
occurrence of SCI events.\1872\ Regulation SCI requires SCI entities to 
disseminate information regarding certain SCI events to affected 
members or participants or to all members or participants of an SCI 
entity. As discussed more thoroughly in Section VI.C.2.b.iv below, the 
Commission believes that requiring the dissemination of information 
regarding certain SCI events could further incentivize SCI entities to 
maintain more robust SCI systems and indirect SCI systems and would 
enhance competition among SCI entities with respect to the maintenance 
of robust SCI systems and indirect SCI systems.
---------------------------------------------------------------------------

    \1872\ See supra Section VI.B.4.
---------------------------------------------------------------------------

    Additionally, the Commission believes that Regulation SCI may have 
an impact on competition among SCI entities, in part because the 
compliance costs of Regulation SCI will be different among SCI 
entities. Specifically, some SCI entities already satisfy some of the 
requirements of Regulation SCI because those provisions codify certain 
aspects of the ARP Policy Statements. The Commission believes that 
these current ARP participants will incur direct compliance costs that 
are incremental relative to the current cost of participating in the 
ARP Inspection Program and current practices outside of the scope of 
ARP. But Regulation SCI also applies to some entities that currently do 
not participate in the ARP Inspection Program such as the MSRB and most 
SCI ATSs. These SCI entities may incur higher initial compliance costs, 
compared to current ARP participants, in modifying their current 
practices to comply with Regulation SCI.\1873\ To the extent that SCI 
entities with different initial compliance costs compete, Regulation 
SCI could alter the competitive relationship and give SCI entities that 
are currently in compliance with certain provisions of Regulation SCI a 
competitive advantage.\1874\
---------------------------------------------------------------------------

    \1873\ The Commission notes that the SCI entities incurring the 
lower initial compliance costs previously incurred such costs to 
participate in the ARP Inspection Program.
    \1874\ However, given the voluntary nature of the current ARP 
Inspection Program, the extent of current compliance with the 
requirements of adopted Regulation SCI by entities subject to the 
ARP Inspection Program varies.
---------------------------------------------------------------------------

    In addition to competition among SCI entities, the compliance costs 
imposed by Regulation SCI could have an effect on competition between 
SCI entities and non-SCI entities in the markets for trading services. 
Specifically, in part because non-SCI entities do not have to incur the 
compliance costs associated with Regulation SCI, these entities may 
have a competitive advantage in the markets for trading services over 
SCI entities that they compete with. The adverse competitive effects, 
however, are likely to be minor when considering only ATSs because an 
SCI ATS is likely to be larger and have more of an established customer 
base than other ATSs. The Commission recognizes that broker-dealers 
also compete with SCI entities in the market for trading services and 
that some broker-dealers are larger than some ATSs and exchanges. 
However, broker-dealers cannot offer the same services as ATSs or 
exchanges without becoming ATSs or exchanges.
    The costs imposed by Regulation SCI could also affect barriers to 
entry for new ATSs and exchanges and, thus, could adversely affect 
competition.\1875\ Specifically, the Commission acknowledges that 
Regulation SCI will increase the costs for those that meet the 
definition of SCI entity. This will increase the expected costs of 
market entrants who expect to eventually be SCI entities. If an 
increase in these costs reduces the number of potential new entrants, 
the potential competition from new entrants will be lower.
---------------------------------------------------------------------------

    \1875\ While Regulation SCI could also increase start-up costs 
for SIPs and registered clearing agencies, SIPs provide exclusive 
services and registered clearing agencies are currently 
characterized by specialization and limited competition. Clearing 
and settlement services exhibit high barriers to entry and economies 
of scale. See Clearing Agency Standards Release, supra note 76, at 
66263 and 66265.
---------------------------------------------------------------------------

    As noted above, however, the Commission believes that the 
heightened barriers to entry for ATSs would be mitigated to some degree 
because the compliance period would provide a new ATS entrant the 
opportunity to initiate and develop its business before the ATS would 
need to comply with Regulation SCI.\1876\ In particular, the Commission 
believes that few new ATSs would likely initially meet the threshold to 
be covered under Regulation SCI and a new ATS could trade for at least 
three months (i.e., less than four of the preceding six months) and 
conduct such trading at any level without being subject to Regulation 
SCI. The Commission also notes that ATSs meeting the volume thresholds 
in the definition of ``SCI ATS'' for the first time will also be 
provided six months from the time that the ATS first meets the 
applicable thresholds to comply with the requirements of Regulation 
SCI.\1877\ This compliance period should also provide such ATSs with 
time to plan on how they would meet the requirements of Regulation SCI, 
and could also potentially allow SCI ATSs to become more equipped to 
bear the cost of Regulation SCI once compliance is required, and thus 
not significantly discourage new ATSs from entering the market and 
growing. For newly registered exchanges, the Commission believes the 
costs associated with Regulation SCI would not represent a significant 
increased barrier to entry, as the costs would represent a small 
portion of total costs associated with creating and registering an 
exchange.
---------------------------------------------------------------------------

    \1876\ See supra note 152.
    \1877\ See supra Section IV.F (discussing effective date and 
compliance dates for Regulation SCI).
---------------------------------------------------------------------------

    The compliance costs associated with participating in business 
continuity and disaster recovery plan testing may affect competition 
among members or participants of SCI entities and also could raise 
barriers to entry for new members or participants. In particular, 
Regulation SCI imposes compliance costs on certain members or 
participants of SCI entities that are designated to participate in 
business continuity and disaster recovery plans testing. Because some 
members or participants may incur compliance costs associated with Rule 
1004 and others may not, it could negatively impact the ability for 
some to compete and could raise barriers to entry. As discussed more 
thoroughly in Section VI.C.2.b.vii below, the Commission expects the 
compliance costs associated with the business continuity and disaster 
recovery plans testing requirements in Rule 1004 to be more limited for 
larger members or participants who already maintain connections to 
backup facilities, including for testing purposes, than for smaller 
members or participants. Furthermore, the Commission believes that new 
members or participants are less likely to be designated immediately to 
participate in business continuity and disaster recovery plan testing 
than existing significant members or participants because new members 
may not initially satisfy the SCI entity's designation standards as 
they establish their businesses. Thus, the Commission
believes the adverse effect on competition may be mitigated to some 
extent as the most likely members or participants to be designated for 
testing are those comprising the largest market share as ranked by 
volume by the SCI entity, and that these firms will have more limited 
compliance costs.\1878\
---------------------------------------------------------------------------

    \1878\ The Commission also notes that SCI entities have an 
incentive to limit the imposition of the cost and burden associated 
with testing to the minimum necessary to comply with Rule 1004, and 
that, given the option, most SCI entities would, in the exercise of 
reasonable discretion, prefer to designate fewer members or 
participants to participate in testing, than to designate more. See 
supra Section IV.B.6.b.
---------------------------------------------------------------------------

2. Analysis of Final Rules
a. Definitions--Rule 1000
    In general, the definitions in Rule 1000 either clarify a provision 
or circumscribe the scope of a provision in Regulation SCI. Therefore, 
many of the costs and benefits associated with the impacts of the 
definitions are incorporated in the discussion of the substantive 
requirements of Regulation SCI. This section contains a discussion of 
the economic effects of the scope of Regulation SCI resulting from the 
definitions adopted by the Commission.
i. SCI Entities
    The Commission estimates that the definition of SCI entity in Rule 
1000 currently covers 44 entities. This includes 30 current 
participants in the ARP Inspection Program (i.e., 18 registered 
national securities exchanges, seven registered clearing agencies, 
FINRA, two plan processors, one ATS trading NMS stocks, and one exempt 
clearing agency). The definition of SCI entity also includes one ATS 
that currently exceeds the relevant threshold in Rule 301(b)(6)(i) of 
Regulation ATS and is subject to the systems safeguard requirements of 
Regulation ATS. In addition to these entities, the definition of SCI 
entity includes the MSRB and an estimated 12 additional SCI ATSs.
    Generally, by including certain entities that do not currently 
participate in the ARP Inspection Program or meet the current threshold 
for the systems safeguard requirements of Regulation ATS in the 
definition of SCI entity, the Commission believes that Regulation SCI 
will not only enhance systems resiliency at such entities, but also 
reduce the potential for incidents at these entities to have broader, 
disruptive effects across the securities markets more generally on 
other SCI entities, and attendant costs to investors. Although the 
Commission believes that the requirements of Regulation SCI will reduce 
the impact of SCI events, the Commission is unable to quantify the 
economic effects of the reduction because the degree to which adherence 
to the requirements of Regulation SCI will reduce the impact of SCI 
events is unknown.
    As discussed throughout the economic analysis, the Commission also 
expects that SCI entities will incur costs for complying with the 
requirements of Regulation SCI and that these costs could affect the 
competitiveness of entities incurring such costs. For example, the 
section summarizing the effects of Regulation SCI on efficiency, 
competition, and capital formation, Section VI.C.1.c, discusses several 
ways that Regulation SCI might affect the competitiveness of SCI 
entities, including the competitiveness of SCI entities versus non-SCI 
entities, the relative initial competitiveness of SCI entities needing 
to make more changes to comply with Regulation SCI, and barriers to 
entry for SCI entities.
    As discussed in detail in Section IV.A.1, many commenters addressed 
the scope of the definition of SCI entity. Many of these comments 
related to the inclusion of certain ATSs in the definition.\1879\ 
Commenters presented mixed views on the inclusion of ATSs, with some 
commenters believing that all ATSs should be covered by Regulation 
SCI,\1880\ and other commenters arguing that no ATSs should be covered 
by Regulation SCI.\1881\ The commenters who supported including all 
ATSs in the scope of the definition of SCI entity argued that any ATS 
can impact the market and one of these commenters also stated that any 
participant on any ATS can have disproportionate impact on the 
market.\1882\ One of the main points of commenters that suggested no 
ATSs should be covered was that ATSs are redundant of exchanges and 
other ATSs and that, in case an ATS fails, other ATSs or exchanges can 
service investors and absorb trading volume.\1883\ Additionally, some 
commenters suggested applying higher thresholds in the definition of 
SCI ATS such that fewer ATSs would be covered under Regulation 
SCI.\1884\ Many of these commenters who advocated for applying higher 
thresholds in the definition of SCI ATS stated that the inclusion of 
smaller ATSs in the definition of SCI ATS does not justify what they 
believed to be the significant compliance costs imposed by Regulation 
SCI.\1885\
---------------------------------------------------------------------------

    \1879\ See supra Section IV.A.1.b.
    \1880\ See, e.g., NYSE Letter at 8-10; and Lauer Letter at 4.
    \1881\ See, e.g., BIDS Letter at 3; ITG Letter at 2-4; and OTC 
Markets Letter at 9.
    \1882\ See, e.g., NYSE Letter at 8-10; and Lauer Letter at 4.
    \1883\ See, e.g., BIDS Letter at 7-8; and ITG Letter at 3.
    \1884\ See, e.g., Direct Edge Letter at 2; ITG Letter at 10.
    \1885\ See, e.g., ITG Letter at 9-10.
---------------------------------------------------------------------------

    The Commission believes that certain ATSs should be required to 
comply with rules regarding systems capacity, integrity, resiliency, 
availability, security, and compliance. ATSs now collectively represent 
a significant source of liquidity for NMS stocks.\1886\ Given this 
level of activity on ATSs, coupled with the increasingly 
interconnected and complex nature of the markets and heavy reliance on 
automated systems, the Commission recognizes that a systems issue even 
at one ATS could result in a market-wide impact. Further, some ATSs 
execute a larger portion of consolidated volume than smaller exchanges. 
In this respect, an outage at one or more of these ATSs, which serve as 
markets to bring buyers and sellers together in the national market 
system, could disrupt the entire market and could pose even greater 
risks to the market as a whole than certain smaller exchanges. 
Accordingly, the Commission believes that the exclusion of all ATSs 
from the definition of SCI entity would significantly reduce the 
benefits of Regulation SCI discussed in Section VI.C.1. On the other 
hand, the Commission believes that including all ATSs in the definition 
of SCI entity would heighten barriers to entry and restrict competition 
in the markets for trading services and, thus, could stifle 
innovations. As discussed in Section IV.A.1.b, the Commission believes 
that the adopted thresholds for SCI ATSs result in the inclusion of 
ATSs that can play a significant role in the securities markets and, 
given their heavy reliance on automated systems, have the potential to 
impact investors, the overall market, and the trading of individual 
securities should an SCI event occur. With respect to comments calling 
for higher or lower volume thresholds, the Commission believes that 
higher thresholds would increase the risk of significant market 
disruptions due to SCI events relative to the adopted thresholds and 
lower thresholds would serve to increase barriers to entry. In setting 
the levels in the thresholds for SCI ATS, the Commission has considered 
the trade-offs between barriers to entry and the risk of significant 
market disruptions.
---------------------------------------------------------------------------

    \1886\ See supra note 148 and accompanying text. See also text 
accompanying supra note 1832.
---------------------------------------------------------------------------

    In adopting the thresholds in the definition of SCI ATS, the 
Commission also considered alternative thresholds,
including the threshold used in Regulation ATS. The adopted thresholds 
in the definition of SCI ATS differ from the thresholds that subject an 
ATS to the systems safeguard requirements under Rule 301(b)(6) of 
Regulation ATS in several ways.\1887\ First, for ATSs that trade NMS 
stocks or non-NMS stocks, the adopted thresholds are based on dollar 
trading volume instead of share trading volume. The Commission believes 
that the application of dollar trading volume thresholds better 
reflects the potential economic impact of a systems issue at a 
significant ATS as it more accurately measures the value of trading 
activity compared to a threshold based on share trading volume.\1888\ 
Second, the adopted volume thresholds for NMS stocks and non-NMS stocks 
are lower than the volume thresholds in Rule 301(b)(6) of Regulation 
ATS. As discussed in IV.A.1.b, securities trading has evolved 
significantly since the adoption of Regulation ATS; today, trading 
activity in stocks is more dispersed among a larger number of trading 
venues. Because trading activity in stocks is now dispersed among a 
larger number of trading venues and markets today are so 
interconnected and complex, the Commission believes that the application of 
lower volume thresholds would more effectively capture multiple sources 
of potential systems issues that could significantly disrupt the market 
for a single security or for the market as a whole. Third, with respect 
to ATSs that trade NMS stocks, the Commission is adopting the two-fold 
dollar volume thresholds in the first prong--a single NMS stock 
threshold and an all NMS stocks threshold. The Commission believes that 
such thresholds would appropriately account for the significance of an 
ATS in both overall trading of NMS stocks and for a single NMS stock.
---------------------------------------------------------------------------

    \1887\ See also supra Section IV.A.1.b.
    \1888\ See text accompanying supra note 161; see also Proposing 
Release, supra note 13, at 18094 (stating that the use of dollar 
thresholds may better reflect the economic impact of trading 
activity).
---------------------------------------------------------------------------

    With regard to commenters that stated no ATSs should be covered 
because ATSs are redundant of exchanges and other ATSs, the Commission 
acknowledges that, to some extent, certain services provided by any 
trading venue, including exchanges and ATSs, are redundant in the sense 
that these facilities execute and process trades. However, the 
Commission notes that each ATS provides different services in terms of, 
among other things, order types, matching rules, and the speed of 
execution to meet investors' specific needs. If an ATS outage 
interferes with the supply of certain services that investors demand, 
it would impose costs on investors. For example, market participants 
may program their routing algorithms assuming that all market centers 
are operational. If one of those venues is not available, rerouting 
order flow may increase costs to the market participant seeking 
execution as time required for executing orders may increase, order 
fill rates may decrease, and slippage \1889\ may also increase, which 
would further increase transaction costs.\1890\
---------------------------------------------------------------------------

    \1889\ Slippage refers to the difference between the expected 
price of a trade and the actual trade price due to the passage of 
time.
    \1890\ See supra Section VI.B.4 for a discussion of why market 
incentives do not seem to reduce these costs.
---------------------------------------------------------------------------

    The Commission also received comments regarding the inclusion of 
fixed-income ATSs. One commenter suggested the use of par value traded 
rather than volume.\1891\ Further, in noting that fixed-income ATSs 
should not be subject to Regulation SCI, this commenter noted that 
retail fixed-income ATSs operate on a vastly different scale than 
institutional equity markets.\1892\ According to this commenter, the 
costs of compliance for a retail fixed-income ATS would be several 
orders of magnitude higher than for an exchange in the equity market, 
and would overwhelm revenues for retail fixed-income ATSs.\1893\
---------------------------------------------------------------------------

    \1891\ See TMC Letter at 1-3.
    \1892\ See id. at 2.
    \1893\ See id.
---------------------------------------------------------------------------

    The Commission, after considering the views of commenters, has 
determined to exclude ATSs that trade only municipal securities or 
corporate debt securities from the definition of SCI ATS at this 
time.\1894\ Accordingly, such fixed-income ATSs will not be subject to 
the requirements of Regulation SCI. Rather, fixed-income ATSs will 
continue to be subject to the existing requirements in Rule 301(b)(6) 
of Regulation ATS regarding systems capacity, integrity and security if 
they meet the twenty percent threshold for municipal securities or 
corporate debt securities provided by that rule.\1895\ Because no such 
ATS is subject to Regulation SCI at this time, it is possible that the 
municipal security and corporate debt markets may be affected by SCI 
events that otherwise may have been prevented with more robust systems 
that would result from Regulation SCI. However, the Commission believes 
that this loss in potential benefit relative to the proposed approach 
would be minimal as fixed-income securities trading is generally 
significantly less automated than trading in equities.\1896\ Further, 
as commenters pointed out, the cost of the requirements of Regulation 
SCI could be significant for fixed-income ATSs relative to their size, 
scope of operations, and more limited potential for systems risk. 
Therefore, lowering the current threshold applicable to fixed-income 
ATSs in Regulation ATS and subjecting such ATSs to the requirements of 
Regulation SCI could have potentially discouraged the growth of 
automation that could benefit investors in these markets. However, as 
the Commission monitors the evolution of automation in this market, the 
Commission may reconsider the benefits and costs of extending the 
requirements of Regulation SCI to fixed-income ATSs in the future.
---------------------------------------------------------------------------

    \1894\ See supra Section IV.A.1.b.
    \1895\ See 17 CFR 242.301(b)(6).
    \1896\ The Commission notes that the corporate debt and 
municipal securities markets are primarily voice markets with little 
automation. See also supra note 185 (discussing the view of 
commenters that the inclusion of fixed-income ATSs and/or the 
adoption of the proposed thresholds would impose unduly high costs 
on these entities given their size, scope of operations, lack of 
automation, low speed, and resulting low potential to pose risk to 
systems).
---------------------------------------------------------------------------

    The adopted definition of SCI SRO includes all national securities 
exchanges regardless of their volume share. The Commission received one 
comment letter stating that the rule should also include volume 
thresholds for exchanges.\1897\ The Commission is not persuaded that 
applying a volume threshold is appropriate for SCI SROs that are 
exchanges, but instead believes that Regulation SCI should cover all 
exchanges. In particular, the Commission recognizes that all exchanges 
play an important role in the securities markets. As discussed above in 
Section IV.A.1.a, all stock exchanges are subject to a variety of 
specific public obligations under the Exchange Act, including the 
requirements of Regulation NMS which, among other things, designates 
the best bid or offer of such exchanges to be protected quotations. 
Accordingly, every exchange may have a protected quotation that can 
obligate market participants to send orders to that exchange if such 
exchange is displaying the best bid or offer. Among other reasons, 
given that market participants may be required to send orders to any 
one of the exchanges at any given time if such exchange is displaying 
the best bid or offer, the Commission believes that it is important 
that the safeguards of Regulation SCI apply equally to all exchanges 
irrespective of trading volume. As 
market participants may be required to send orders to the exchange 
displaying the best prices, systems issues at such exchange could force 
market participants to re-route their orders and, thus, could increase 
execution time and slippage, imposing additional transaction costs to 
investors.
---------------------------------------------------------------------------

    \1897\ See supra note 81 and accompanying text.
---------------------------------------------------------------------------

    With respect to options exchanges, the Commission additionally 
believes that it would be inappropriate to exclude them from the 
definition of SCI SRO because technology risks are equally applicable 
to such exchanges, as evidenced by recent technology incidents 
affecting the options markets.\1898\ While there are many options that 
trade on multiple venues, systems issues resulting in trading 
disruptions at an options exchange could lower the quality of pricing 
efficiency and disrupt the price discovery process for singly-listed 
options (e.g., certain index options only trade on one options 
exchange). As such, systems issues at options exchanges can pose 
significant risks to the markets, and the Commission believes that the 
inclusion of options exchanges within the scope of Regulation SCI is 
necessary to achieve the goals of Regulation SCI.
---------------------------------------------------------------------------

    \1898\ See supra note 84.
---------------------------------------------------------------------------

    The definition of SCI entity also includes the MSRB. The Commission 
believes that the inclusion of the MSRB as an SCI entity will provide 
several significant benefits. In particular, the MSRB collects and 
consolidates municipal securities data and makes it available to market 
participants. The Commission believes that any event that could affect 
the market data collected and consolidated by the MSRB could 
significantly disrupt the municipal bond market. Also, the municipal 
securities data collected by the MSRB is provided to FINRA and made 
available to the Commission and the bank regulators, and serves as a 
key resource for monitoring the municipal bond market. Therefore, the 
inclusion of the MSRB will help ensure the robustness of the MSRB's 
systems and reduce the likelihood of systems issues that could harm 
investors in the municipal bond market.
    As discussed above in Section IV.A.1, several commenters advocated 
the adoption of a ``risk-based'' approach in the definition of SCI 
entity based on the criticality of the functions performed.\1899\ In 
effect, these commenters suggested that the Commission apply provisions 
of Regulation SCI based on the entity's risk to the operations of the 
U.S. securities markets based on the entity's functional role in the 
market (e.g., a primary listing market, the sole venue of the security, 
a monopoly or utility type role with no redundancy). The Commission has 
considered these factors in developing the definition of SCI entity and 
believes that the adopted definition, in part, captures the intent of 
the commenters' suggestions in that it includes entities in the 
definition that play a significant role in the securities markets. In 
particular, as discussed in Section IV.A.1.a in detail, the Commission 
included all exchanges in the definition of SCI SRO because exchanges 
play a significant role in the functioning of securities markets. With 
respect to the comments that suggested including only those entities 
that are essential to continuous market-wide operation, the Commission 
believes that the specific criteria suggested by commenters, in effect, 
could lead to the exclusion of significant ATSs. As discussed above, 
the Commission continues to believe that significant ATSs that trade 
NMS and non-NMS stocks should be included in Regulation SCI. ATSs 
collectively represent a significant source of liquidity for stocks. 
Furthermore, as today's markets are increasingly inter-connected and 
complex with heavy reliance on automated systems, the Commission 
recognizes that a systems issue at an ATS could result in a market-wide 
impact. Consequently, the Commission believes that re-defining SCI 
entities according to commenters' ``risk-based'' approach could exclude 
certain entities that the Commission believes have the potential to 
pose significant risks to the securities markets should an SCI event 
occur, and thus limit the potential benefits from Regulation SCI, which 
are discussed throughout this economic analysis.
---------------------------------------------------------------------------

    \1899\ See supra notes 53-57 and accompanying text.
---------------------------------------------------------------------------

ii. SCI Systems
    Regulation SCI expands on current practice, and applies to a 
broader range of systems than the current ARP Inspection Program. In 
particular, the ARP Policy Statements are focused on specific types of 
automated systems.\1900\ The ARP Policy Statements and the ARP 
Inspection Program address systems that directly support trading, 
clearance and settlement, order routing, and market data. The 
definition of ``SCI systems'' would include these systems, as well as 
those that directly support market regulation and market surveillance, 
systems that serve an essential function for investor protection and 
market integrity.
---------------------------------------------------------------------------

    \1900\ See supra Section II.A and Proposing Release, supra note 
13, at Section I.A (discussing in more detail the ARP Policy 
Statements and the ARP Inspection Program). According to the ARP I 
Release, the term ``automated systems'' or ``automated trading 
systems'' means computer systems for listed and OTC equities, as 
well as options, that electronically route orders to applicable 
market makers and systems that electronically route and execute 
orders, including the data networks that feed the systems. These 
terms also encompass systems that disseminate transaction and 
quotation information and conduct trade comparisons prior to 
settlement, including the associated communication networks. See ARP 
I Release, supra note 1, at 48706, n. 21.
---------------------------------------------------------------------------

    The inclusion of market regulation and market surveillance systems 
under Regulation SCI could reduce systems compliance issues that result 
from disruptions in systems that support market regulation and market 
surveillance. The Commission believes that including market regulation 
and market surveillance systems under the definition of SCI systems 
should help ensure the robustness of the systems used by SCI entities 
to monitor compliance with relevant laws, rules, and their own rules, 
and detect any violations of such laws or rules by members or 
participants. The reduction in market regulation and market 
surveillance systems issues could help ensure investor protection and 
preserve market integrity.
    The Commission also believes that the inclusion of market data 
systems in the definition of SCI systems will benefit the market. 
Currently, SIAC, Nasdaq, and the MSRB \1901\ process, collect, and 
disseminate market data on equities, options, and municipal securities 
to investors. While SIAC and Nasdaq are part of the ARP Inspection 
Program, the MSRB is not. The Commission believes that consolidated 
market data is an important part of the investing and trading process 
as it helps market participants to make well-informed investment and 
trading decisions, and also helps investors to monitor the quality of 
execution of orders by their brokers. Thus, any SCI events that affect 
market data processed, collected, and disseminated by the MSRB could 
reduce 
pricing efficiency and, consequently, could significantly disrupt the 
municipal bond market. Further, with respect to NMS securities, the 
Commission understands that many trading algorithms make trading 
decisions based primarily on market data and rely on that data being 
current and accurate.
---------------------------------------------------------------------------

    \1901\ As discussed above, in 2008, the Commission amended Rule 
15c2-12 to designate the MSRB as the single centralized disclosure 
repository for continuing municipal securities disclosure. In 2009, 
the MSRB established EMMA, which serves as the official repository 
of municipal securities disclosure and provides the public with free 
access to relevant municipal securities data, and is the central 
database for information about municipal securities offerings, 
issuers, and obligors. Additionally, the MSRB's RTRS, with limited 
exceptions, requires municipal bond dealers to submit transaction 
data to the MSRB within 15 minutes of trade execution, and such near 
real-time post-trade transaction data can be accessed through the 
MSRB's EMMA Web site. See supra note 77. The MSRB is an SCI entity 
by virtue of being an SRO, rather than a plan processor.
---------------------------------------------------------------------------

    In addition, as noted in Section IV.A.2.b, market data as used in 
the definition of ``SCI systems'' does not refer exclusively to 
consolidated market data, but also includes proprietary market data 
generated by SCI entities as well. The Commission notes that 
proprietary market data is widely used and relied upon by a broad array 
of market participants, including institutional investors, to make 
trading decisions. Therefore, if a proprietary market data feed became 
unavailable or otherwise unreliable, it could interfere with market 
participants making trading decisions and impose additional transaction 
costs on market participants.
    The Commission has limited information on the extent to which the 
ARP Policy Statements guide ARP participants' practices with respect to 
their proprietary market data systems because this information is not 
reported to the Commission. To the extent that the ARP Policy 
Statements guide ARP participants with respect to certain of their 
proprietary market data systems, the potential benefits from including 
proprietary market data systems in Regulation SCI could be incremental 
given current practice. The Commission also notes that entities have 
competitive incentives to limit the number of systems issues with their 
proprietary market data systems, as those SCI entities with minimum 
latency and the most robust proprietary market data systems may attract 
more trading volume. While proprietary market data systems have 
experienced systems issues, because these issues are not reported to 
the Commission, the Commission has limited information on the frequency 
and severity of such systems issues and, in addition, does not have 
information about how proprietary market data systems issues affect the 
demand to subscribe to a particular proprietary market data feed. 
Although the Commission is unable to estimate the benefits and costs of 
subjecting proprietary market data systems to Regulation SCI, the 
Commission believes that if a proprietary market data feed became 
unavailable or otherwise unreliable, it could have a significant impact 
on the trading of the securities to which it pertains, and could 
interfere with the maintenance of fair and orderly markets.\1902\
---------------------------------------------------------------------------

    \1902\ See supra Section IV.A.2.b.
---------------------------------------------------------------------------

    To the extent that proprietary market data systems and consolidated 
market data systems share common infrastructure, the compliance costs 
associated with proprietary market data systems could be incremental to 
those costs associated with consolidated market data systems. In 
addition, to the extent the ARP Policy Statements guide ARP 
participants with respect to their proprietary market data systems, the 
initial compliance costs associated with proprietary market data 
systems will be lower for these participants with respect to the 
relevant proprietary market data systems.
    As adopted, a subset of SCI systems are defined as critical SCI 
systems. Critical SCI systems are defined as SCI systems of, or 
operated by or on behalf of, an SCI entity that directly support 
functionality relating to clearance and settlement systems of clearing 
agencies; openings, reopenings, and closings on the primary listing 
exchange; trading halts; initial public offerings; the provision of 
consolidated market data; and exclusively listed securities.\1903\ In 
addition, critical SCI systems include systems that provide 
functionality to the securities markets for which the availability of 
alternatives is significantly limited or nonexistent, and without which 
there would be a material impact on fair and orderly markets.\1904\ 
Critical SCI systems include systems that represent potential ``single 
points of failure'' in the securities markets--if they were to 
experience systems issues, the Commission believes they would be the 
most likely to have a widespread and significant impact on the U.S. 
securities markets. Critical SCI systems are subject to certain 
heightened resilience and information dissemination requirements under 
Regulation SCI. In addition, because an SCI entity may tailor its 
policies and procedures based on the relative criticality of a given 
system to the SCI entity and to the securities markets generally, an 
SCI entity may subject its critical SCI systems to higher standards 
than other SCI systems.
---------------------------------------------------------------------------

    \1903\ See Rule 1000.
    \1904\ See id.
---------------------------------------------------------------------------

    By adopting a defined term ``critical SCI systems'' (which is not 
defined for purposes of the ARP Inspection Program or Regulation ATS), 
along with the heightened requirements associated with critical SCI 
systems, the Commission expects fewer disruptions in critical SCI 
systems, and therefore fewer SCI events involving potential ``single 
points of failure'' that could cause wide-scale disruptions across the 
securities markets. As explained in Section VI.C.1, this could reduce 
the likelihood and duration of systems issues, thereby helping to avoid 
pricing inefficiencies and reduce interruptions in liquidity flow, 
which may occur during times when systems disruptions can make systems 
unavailable or unreliable.
    The Commission also notes that, by distinguishing critical SCI 
systems from other SCI systems, and because an SCI entity may tailor 
its policies and procedures based on the relative criticality of a 
given system to the SCI entity and to the securities markets generally, 
an SCI entity may subject its critical SCI systems to higher standards 
than other SCI systems. In addition, critical SCI systems are subject 
to a goal of two-hour recovery following a wide-scale disruption, and a 
requirement for information dissemination to all members or 
participants of an SCI entity in the case of an SCI event impacting 
critical SCI systems (unless the SCI event qualifies as a de minimis 
SCI event). As a result, the designation of critical SCI systems may 
result in additional costs as compared to the proposal. However, by 
distinguishing critical systems, Regulation SCI is consistent with a 
risk-based approach that targets areas that would generate the most 
benefits.
    Regulation SCI defines ``indirect SCI systems'' \1905\ to mean any 
systems of, or operated by or on behalf of, an SCI entity that, if 
breached, would be reasonably likely to pose a security threat to SCI 
systems.\1906\ As discussed above in Section IV.A.2.d, the adopted 
definition excludes systems that are effectively physically or 
logically separated from SCI systems because the Commission believes 
that the benefit of including systems that can effectively be ``walled 
off'' may be limited, as ``walled off'' systems are less likely to 
serve as potential vulnerable entry points to SCI systems in the event 
of a security 
breach.\1907\ Regulation SCI will expressly impose new requirements on 
systems that fall within the definition of ``indirect SCI systems'' 
(which is not defined for purposes of the ARP Inspection Program or 
Regulation ATS). These new requirements for indirect SCI systems should 
help ensure the robustness and resiliency of SCI systems by reducing 
the occurrence of security-related issues at SCI systems. Moreover, the 
application of Regulation SCI to indirect SCI systems could encourage 
SCI entities to isolate certain non-SCI systems from SCI systems 
(thereby removing these non-SCI systems from the scope of indirect SCI 
systems), which would decrease the risk that non-SCI systems provide 
vulnerable points of entry into SCI systems and cause security-related 
issues at SCI systems. The reduction in security-related SCI systems 
issues could lead to fewer interruptions in the price discovery process 
and liquidity flows and thus result in fewer periods with pricing 
inefficiencies as discussed in Section VI.C.1.
---------------------------------------------------------------------------

    \1905\ As discussed in Section IV.A.2.d, ``SCI security 
systems'' have been renamed ``indirect SCI systems'' and its 
definition has been revised in response to commenters who expressed 
concern about the breadth of the proposed definition. Because the 
definition of indirect SCI systems has been refined from the 
proposal, the compliance costs associated with indirect SCI systems 
(discussed below) would be lower relative to the compliance costs 
associated with the proposed rules.
    \1906\ As proposed, ``SCI security systems'' means any systems 
that share network resources with SCI systems that, if breached, 
would be reasonably likely to pose a security threat to SCI systems.
    \1907\ Some SCI entities currently employ a wide variety of 
means to separate their systems, including logical and physical 
separation.
---------------------------------------------------------------------------

    Regulation SCI specifies the obligations SCI entities would have 
with respect to SCI systems and indirect SCI systems. As mentioned 
above, the definition of SCI systems includes more systems than the ARP 
Inspection Program traditionally covered, and ``indirect SCI systems'' 
is not defined for purposes of the ARP Inspection Program or Regulation 
ATS. Because Regulation SCI applies to SCI systems and indirect SCI 
systems, SCI entities will incur compliance costs, discussed in detail 
further below in Section VI.C.2, which include, among other things, 
costs associated with policies and procedures related to such systems. 
Furthermore, as mentioned above, the definition of SCI systems includes 
systems that directly support trading, clearance and settlement, order 
routing, and market data, which are covered by the ARP Inspection 
Program. Accordingly, the Commission believes that initial compliance 
costs associated with SCI systems will be higher for SCI entities that 
are not currently participating in the ARP Inspection Program (e.g., 
some SCI ATSs) as compared to ARP Inspection Program participants that 
have established practices consistent with the ARP Policy Statements. 
Although the Commission believes that some SCI ATSs will generally 
incur higher initial compliance costs associated with the requirements 
of Rule 1001 compared to other SCI entities that are current 
participants in the ARP Inspection Program, the difference in initial 
compliance costs could be limited because, as currently constituted, 
relative to the systems of SCI SROs, the systems of SCI ATSs generally 
would not fall within the category of critical SCI systems, and thus 
such SCI ATSs would not be subject to the more stringent requirements 
that would be applicable to the critical SCI systems of other SCI 
entities. Further, as discussed in Section VI.C.1, the Commission 
believes that Regulation SCI could have an impact on competition among 
SCI entities in part because the initial compliance costs associated 
with SCI systems and indirect SCI systems will vary across SCI 
entities.
    In the SCI Proposal, the Commission defined SCI systems more 
broadly than it has in the adopted rule. Specifically, the proposed 
definition of SCI systems would have included all regulation and 
surveillance systems, as well as development and testing systems. As 
discussed above in Section IV.A.2.b, after considering, among other 
things, the views of commenters that the definition of SCI systems was 
overbroad and, thus, could cover nearly all systems of an SCI entity, 
the Commission refined the definition of SCI systems.\1908\ 
Specifically, the scope of adopted Regulation SCI does not cover member 
regulation or member surveillance systems such as those, for example, 
relating to member registration, capital requirements, or dispute 
resolution, because issues relating to such systems are unlikely to 
have the same level of impact on the maintenance of fair and orderly 
markets or an SCI entity's operational capability as those systems 
identified in the definition of SCI systems. Consequently, the 
Commission does not believe that the exclusion of member regulation and 
member surveillance systems will significantly reduce the benefits of 
Regulation SCI discussed in Section VI.C.1. Furthermore, the 
Commission believes that the exclusion of member regulation and member 
surveillance systems from the adopted definition of SCI systems will 
substantially reduce the costs of compliance with Regulation SCI 
relative to the proposal because it reduces the potential number of SCI 
events that would be subject to the Commission notification 
requirements compared to the proposal.
---------------------------------------------------------------------------

    \1908\ See supra Section IV.A.2.b (discussing the definition of 
SCI systems).
---------------------------------------------------------------------------

    As discussed above in Section IV.A.2.b, many commenters also 
opposed the inclusion of development and testing systems in the 
definition of SCI system, stating that issues in development and 
testing systems would have little or no impact on the operations of SCI 
entities.\1909\ The Commission agrees that issues with development and 
testing systems generally have less of an impact on the SCI entity's 
operations than production systems that directly support trading, 
clearance and settlement, order routing, market data, market 
regulation, and market surveillance. In response to comment letters, 
the adopted definition of SCI systems is limited to systems that 
directly support trading, clearance and settlement, order routing, 
market data, market regulation, and market surveillance, and does not 
include development and testing systems. Consequently, the requirements 
of Regulation SCI that are triggered by the definition of SCI systems 
do not apply to development and testing systems. However, the 
Commission recognizes that there would be benefits from maintaining 
robust development and testing systems because these systems are 
important in ensuring the reliability and resiliency of systems of SCI 
entities. As discussed in Section IV.A.2.b, in order to have policies 
and procedures reasonably designed to ensure capacity, integrity, 
resiliency, availability, and security for SCI systems (and indirect 
SCI systems, as applicable) in accordance with adopted Rule 1001(a), an 
SCI entity will be required to have policies and procedures that 
include a program to review and keep current systems development and 
testing methodology for such systems.\1910\
---------------------------------------------------------------------------

    \1909\ See supra note 234 and accompanying text.
    \1910\ Further, as discussed above, the definition of SCI review 
and the corresponding requirement for an annual SCI review require 
an assessment of internal control design and effectiveness, which 
includes development processes. In addition, if development and 
testing systems are not appropriately walled off from production 
systems, such systems could be captured under the definition of 
indirect SCI systems and be subject to the requirements of 
Regulation SCI.
---------------------------------------------------------------------------

    A few commenters advocated that SCI entities should be permitted to 
conduct their own risk-based assessment in determining the scope of SCI 
systems.\1911\ As discussed in Section IV.A.2.b, rather than limiting 
the definition of SCI systems to systems that pose a greater risk to 
the markets in the event of a systems issue or that are of paramount 
importance to the functioning of the U.S. securities market, the 
Commission is subjecting those systems that meet the definition of 
``critical SCI systems'' to certain heightened requirements under 
Regulation SCI. The Commission continues to believe that any systems 
issues involving systems that directly support one of the six functions 
(trading, clearance and settlement, order routing, market data, market 
regulation, or market surveillance) listed in the definition of SCI 
systems could also cause significant market disruptions and, thus, 
including such systems and imposing heightened requirements on a subset 
of such systems--critical SCI systems--should help realize the benefits 
of Regulation SCI discussed in Section VI.C.1.a.
---------------------------------------------------------------------------

    \1911\ See DTCC Letter at 3-5; Omgeo Letter at 5-6; and OCC 
Letter at 3-4.
---------------------------------------------------------------------------

    As discussed above in Section IV.A.2.b, the definition of SCI 
systems includes any system that is operated by a third-party on behalf 
of an SCI entity and directly supports one of the six key functions 
(trading, clearance and settlement, order routing, market data, market 
regulation, or market surveillance) listed in the definition of SCI 
systems. The Commission understands that many SCI entities and many 
SROs, in particular, rely heavily on outsourcing to help test, operate, 
and run various systems in their daily operations and that they 
outsource networks, data center operations, and many of the products 
and systems that support their trading and/or clearing systems. The 
Commission also notes that its staff already discusses with ARP 
entities their use of certain third-party systems as necessary under 
the ARP Inspection Program. Because of this reliance on outsourcing to 
third-party systems, the Commission believes that including any system 
that directly supports one of the six functions listed in the 
definition of SCI system, regardless of whether it is operated by the 
SCI entity directly or by a third party, is important in reducing 
systems issues and, thus, promoting pricing efficiency and the price 
discovery process.
    Several commenters stated that the definition of SCI systems should 
not include systems operated on behalf of an SCI entity by a third-
party.\1912\ These commenters expressed concerns about potential 
difficulties with meeting the requirements of Regulation SCI with 
regard to third-party systems.\1913\ Another commenter questioned 
whether the Commission considered the costs and benefits of including 
third-party systems within the definition.\1914\ This commenter also 
noted that the inclusion of third-party systems may force SCI entities 
to insource functions that are more efficiently performed by vendors, 
and the cost of insourcing will be passed along to members and market 
participants and may degrade competition.\1915\
---------------------------------------------------------------------------

    \1912\ See, e.g., Omgeo Letter at 5-6; and BATS Letter at 4.
    \1913\ See, e.g., Omgeo Letter at 5-6; and BATS Letter at 4.
    \1914\ See BATS Letter at 4-5.
    \1915\ See id. at 5.
---------------------------------------------------------------------------

    As discussed above, the Commission believes that, among other 
reasons, allowing systems operated on behalf of an SCI entity by a 
third-party to be excluded from the requirements of Regulation SCI 
would reduce the effectiveness of the regulation in promoting the 
national market system by ensuring the capacity, integrity, resiliency, 
availability, and security of those systems important to the 
functioning of the U.S. securities markets.\1916\ The Commission 
acknowledges that ensuring compliance of systems operated by a third-
party with Regulation SCI may be more costly than ensuring compliance 
of internal systems with Regulation SCI because of search costs 
associated with employing adequate third-party systems or services and 
the additional communication needed with the third-party service 
provider. The Commission acknowledges that higher compliance costs 
associated with managing third-party systems could be passed on to 
market participants.
---------------------------------------------------------------------------

    \1916\ See supra Section IV.A.2.b (discussing the definition of 
``SCI systems'').
---------------------------------------------------------------------------

    Moreover, the Commission recognizes that the inclusion of systems 
operated by a third-party on behalf of an SCI entity in the scope of 
SCI systems may in certain cases make it more difficult for an SCI 
entity to utilize third parties because the SCI entity is required to 
ensure that SCI systems and indirect SCI systems operated on its behalf 
by a third party are operated in compliance with Regulation SCI. In 
particular, the SCI entity might not be able to ensure that systems 
operated by certain third parties are in compliance with Regulation SCI 
and therefore might not be able to utilize such third-party service 
providers. Limitations on the choice of third-party systems could lower 
the quality of employable third-party systems because the employable 
third-party systems may not be best suited for the SCI entity or be the 
best available of its type. At this time, however, it is difficult to 
estimate the extent to which inclusion of systems operated by third 
parties on behalf of an SCI entity in the definition of SCI systems 
will alter outsourcing arrangements in a manner that would result in 
reducing an SCI entity's ability to maintain its operational capability 
and promote the maintenance of fair and orderly markets. While the 
Commission understands that SROs outsource some systems, the Commission 
lacks sufficient information regarding the specific contractual 
relationships between SCI entities and third-party service providers.
    Furthermore, if--due to limited options on employable third-
parties--an SCI entity decides to insource systems that could be more 
cost-effectively provided by third parties with relevant expertise, the 
quality of such systems may be adversely affected, while the cost to 
the SCI entity may be increased. As such, Regulation SCI could impose 
higher costs on SCI entities that are currently more dependent on 
third-party systems for their operations than SCI entities that 
primarily employ their own systems and therefore could potentially have 
adverse effects on competition among SCI entities. In addition, the 
requirements of Regulation SCI could force some third-party vendors out 
of the market for SCI systems or indirect SCI systems. In this respect, 
Regulation SCI could negatively impact such vendors and reduce the 
ability for some third-party vendors to compete in the market for SCI 
systems and indirect SCI systems, with attendant costs to SCI entities. 
However, Regulation SCI, over time, could result in quality 
improvements for systems or services provided by such third-party 
vendors as vendors that primarily provide services to SCI entities may 
compete in part on the quality of their systems in light of the 
requirements of Regulation SCI.
iii. SCI Events
    Rule 1000 defines SCI events to include systems disruptions, 
systems compliance issues, and systems intrusions. Further, for 
purposes of the information dissemination requirement under Rule 
1002(c), the Commission defines the new term, major SCI event, to mean 
an SCI event that has had, or the SCI entity reasonably estimates would 
have, any impact on a critical SCI system, or a significant impact on 
the SCI entity's operations or on market participants. As discussed 
further below, Regulation SCI requires SCI entities to take appropriate 
corrective actions in response to SCI events (Rule 1002(a)), notify the 
Commission of SCI events (Rule 1002(b)), and disseminate information 
regarding certain major SCI events to all members or participants of an 
SCI entity and certain other SCI events to affected members or 
participants (Rule 1002(c)).
    Prior to the adoption of Regulation SCI, ``systems disruption'' was 
not defined by Commission rule. Rather, in the 2001 Staff ARP 
Interpretive Letter, Commission staff provided guidance on 
examples of significant systems outages that should be reported to 
Commission staff.\1917\ The Commission understands that ARP 
participants currently exercise a level of discretion in determining 
what systems issues constitute significant systems outages.
---------------------------------------------------------------------------

    \1917\ See 2001 Staff ARP Interpretive Letter, supra note 21.
---------------------------------------------------------------------------

    As adopted, ``systems disruption'' is defined to mean an event in 
an SCI entity's SCI systems that disrupts, or significantly degrades, 
the normal operation of an SCI system. The Commission believes the 
revised definition sets forth a standard that SCI entities can apply in 
a wide variety of circumstances to determine in their discretion 
whether a systems issue should be appropriately categorized as a 
systems disruption. The adopted definition of systems disruption 
potentially covers types of events that were not articulated as part of 
Commission staff guidance regarding significant systems outages, and at 
the same time potentially excludes types of systems events that were 
articulated as part of such guidance. The Commission, however, believes 
that the adopted definition of systems disruptions would more 
appropriately capture material or significant systems issues than the 
2001 Staff ARP Interpretive Letter. Accordingly, the inclusion of 
systems disruptions in the definition of SCI event, along with the 
requirements of taking timely corrective actions, Commission 
notification, information dissemination, and recordkeeping on these 
systems issues, should help effectively reduce the severity and 
duration of events that harm pricing efficiency, price discovery, and 
liquidity and help Commission oversight of the securities markets. The 
Commission also acknowledges that SCI entities will incur some costs to 
determine whether a systems disruption has occurred. The Commission 
notes that these costs should be lower compared to the proposed 
definition, in part, because the adopted definition of systems 
disruption sets forth a standard that permits SCI entities to more 
effectively identify such systems issues.
    As discussed in Section IV.A.3.a, after considering the views of 
commenters that the proposed definition of systems disruption was too 
prescriptive, insufficiently flexible, and should be limited to 
material systems disruptions, the Commission has taken a different 
approach. Instead of the proposed seven-prong prescriptive definition 
representing the effects caused by a disruption of an SCI entity's 
systems, the adopted definition focuses on whether a system is halted 
or degraded in a manner that is outside of its normal operation. The 
proposed definition had the potential to incorporate certain types of 
minor events that should more appropriately fall outside the purview of 
the regulation. Similarly, the prescriptive approach of the proposed 
definition also had the potential to exclude certain types of events 
that were significant enough to warrant inclusion, but may otherwise 
have gone unreported because they were not one of the seven enumerated 
types of systems malfunctions.
    Currently, ``systems intrusion'' is not defined by Commission rule 
or Commission staff guidance. The Commission believes that regulated 
entities exercise a level of discretion in determining what systems 
intrusions to report to Commission staff. By adopting a definition of 
systems intrusion, the Commission is specifying the criteria for SCI 
entities to use to identify systems intrusions that would be subject to 
Regulation SCI. The definition of systems intrusion covers successful 
unauthorized entry to SCI systems and indirect SCI systems. 
Unauthorized access, destruction, and manipulation of SCI systems and 
indirect SCI systems could adversely affect the markets and market 
participants because intruders could force systems to operate in 
unintended ways that could create significant disruptions in securities 
markets. Therefore, the inclusion of systems intrusions in the 
definition of SCI events can help reduce the risk of such adverse 
effects. The Commission believes that the inclusion of systems 
intrusion in the definition of SCI event should help ensure consistent 
compliance with the requirements of taking timely corrective actions, 
Commission notification, information dissemination, and recordkeeping 
and, thus, should help realize the benefits of those requirements 
discussed in sections below. The Commission also acknowledges that SCI 
entities will incur some costs to determine whether a systems intrusion 
has occurred.
    Currently, ``systems compliance issue'' is also not defined by 
Commission rule or Commission staff guidance and the Commission 
believes that regulated entities exercise a level of discretion in 
determining what systems compliance-related issues to report to 
Commission staff. While the ARP Policy Statements do not address 
systems compliance issues, some SCI entities notify the Commission of 
certain systems compliance-related issues.\1918\ As noted above, 
however, the Commission does not receive comprehensive data regarding 
such issues. By adopting a definition of systems compliance issue, the 
Commission is specifying the criteria for SCI entities to use to 
identify systems compliance issues that would be subject to Regulation 
SCI.
---------------------------------------------------------------------------

    \1918\ See supra note 1803 and accompanying text. As part of the 
Commission's oversight of SROs, OCIE reviews systems compliance 
issues reported to Commission staff.
---------------------------------------------------------------------------

    By defining SCI events to include systems compliance issues, the 
Commission believes Regulation SCI should further assist the Commission 
in its oversight of SCI entities and in the protection of investors. 
Specifically, the Commission believes that inclusion of systems 
compliance issues in the definition of SCI event and the resulting 
applicability of the Commission reporting, information dissemination, 
and recordkeeping requirements are important to help ensure that SCI 
systems are operated by SCI entities in compliance with the Exchange 
Act, rules thereunder, and their own rules and governing 
documents.\1919\ In addition, the Commission believes that, as part of 
its oversight of the securities markets, it should learn of a non-de 
minimis systems compliance issue immediately upon an SCI entity having 
a reasonable basis to conclude that such a systems compliance issue has 
occurred so that the Commission may consider whether there has been any 
resulting harm to investors or market participants. The Commission also 
acknowledges that SCI entities could incur some costs to determine 
whether a systems compliance issue has occurred.
---------------------------------------------------------------------------

    \1919\ See supra Section IV.A.3.b.
---------------------------------------------------------------------------

    The Commission notes that it has refined the definition of systems 
compliance issue as compared to the proposal by replacing the phrase 
``federal securities laws'' with ``the Act.'' \1920\ Accordingly, the 
number of systems compliance issues subject to Regulation SCI could be 
no greater and possibly lower than if the Commission adopted the 
definition of systems compliance issue as proposed and there could be a 
corresponding reduction in benefits, compared to the proposal, as a 
result of adopting a targeted definition.\1921\
---------------------------------------------------------------------------

    \1920\ See id.
    \1921\ For example, the adopted definition of systems compliance 
issue makes explicit that the requirements of Regulation SCI do not 
apply to any obligations that an SCI entity has under the Securities 
Act of 1933.
---------------------------------------------------------------------------

    Regulation SCI also defines ``major SCI event.'' The addition of 
the definition of major SCI event allows the requirement for 
dissemination of 
information to all members or participants of an SCI entity to be 
consistent with a tiered, risk-based approach. As discussed in Section 
VI.C.2.b.iv below and in Section VI.C.1 above, dissemination of 
information regarding SCI events to all members or participants of an 
SCI entity can result in benefits and affect competitive incentives to 
prevent systems issues. The Commission acknowledges, however, that the 
benefits of information dissemination to all members or participants of 
an SCI entity would not be realized if SCI entities were required to 
disseminate too many events, creating confusion about which events are 
meaningful, or if SCI entities were required to disseminate too few 
events. The definition of major SCI events provides a targeted approach 
to determining which events are appropriately disseminated to all 
members or participants of an SCI entity. The Commission also 
acknowledges that, as discussed in Section VI.C.2.b.iv below, SCI 
entities would incur compliance costs associated with developing a 
process for determining major SCI events and de minimis SCI events.
    SCI entities will incur compliance costs with regard to the 
requirements of Regulation SCI. As noted above, the definition of SCI 
event includes systems disruptions and systems intrusions, terms that 
are not defined under the ARP Inspection Program, but which are 
contemplated by the ARP Inspection Program's attention to systems 
failures, disruptions, and other systems problems, including systems 
vulnerability.\1922\ To this extent, the initial compliance costs 
associated with SCI events may be higher for SCI entities that are not 
currently participating in the ARP Inspection Program than for those 
currently participating in the ARP Inspection Program. Similarly, the 
initial compliance costs associated with SCI events will be higher for 
SCI entities that do not currently self-report systems compliance-
related issues to the Commission than those that do. As discussed in 
Section VI.C.1, the Commission believes that Regulation SCI will have 
an impact on competition among SCI entities because the initial 
compliance costs stemming from the definition of SCI events will be 
different among SCI entities. However, all SCI entities, regardless of 
current participation in the ARP Inspection Program or self-reporting 
of systems compliance-related issues, could incur costs associated with 
the inclusion of major SCI events as a definition.
---------------------------------------------------------------------------

    \1922\ See supra Section II.A (discussing the ARP Inspection 
Program).
---------------------------------------------------------------------------

    As an alternative to the adopted definitions of SCI event, several 
commenters suggested that the definition of SCI event include a 
materiality threshold such that certain Regulation SCI requirements 
would apply only to events that exceed the threshold, as determined by 
the SCI entity.\1923\ The Commission is not persuaded that 
incorporating a materiality threshold into the definition of SCI event 
would appropriately capture SCI events. Some systems issues, which may 
initially seem insignificant to an SCI entity, may later prove to be 
the source of significant systems issues at the SCI entity. 
Furthermore, there could be incidences in which systems issues cause 
minor disruptions for one particular SCI entity but result in 
significant disruptions for another SCI entity or market participant. 
Under the use of the suggested materiality threshold, such systems 
issues could be overlooked and timely corrective action may not be 
taken.
---------------------------------------------------------------------------

    \1923\ See supra note 334 and accompanying text.
---------------------------------------------------------------------------

b. Requirements for SCI Entities--Rules 1001-1004
i. Policies and Procedures--Rules 1001(a), (b), and (c)
    Rules 1001(a), (b), and (c) set forth requirements relating to the 
written policies and procedures that SCI entities are required to 
establish, maintain, and enforce. Rule 1001(a) requires an SCI entity 
to establish, maintain, and enforce written policies and procedures 
reasonably designed to ensure that its SCI systems and, for purposes of 
security standards, indirect SCI systems, have levels of capacity, 
integrity, resiliency, availability, and security, adequate to maintain 
the SCI entity's operational capability and promote the maintenance of 
fair and orderly markets. Rule 1001(b) requires an SCI entity to 
establish, maintain, and enforce written policies and procedures 
reasonably designed to ensure that its SCI systems operate in a manner 
that complies with the Exchange Act and the rules and regulations 
thereunder and the entity's rules and governing documents, as 
applicable. Rule 1001(c) requires an SCI entity to establish, maintain, 
and enforce reasonably designed written policies and procedures that 
include the criteria for identifying responsible SCI personnel, the 
designation and documentation of responsible SCI personnel, and 
escalation procedures to quickly inform responsible SCI personnel of 
potential SCI events. This section discusses the economic effects of 
requiring these policies and procedures, both individually and as a 
whole.
    The Commission believes the policies and procedures requirements as 
a whole should reduce the risk and incidences of SCI events because 
they are requirements under Commission rules rather than voluntary 
guidelines, and require SCI entities to establish, maintain, and 
enforce written policies and procedures related to capacity, integrity, 
resiliency, availability, security, compliance, responsible SCI 
personnel, and escalation. Also, policies and procedures requirements 
as a whole should reduce the risk and incidences of SCI events by 
imposing requirements on entities that are not currently participating 
in the ARP Inspection Program, and by covering areas not currently 
within the scope of the ARP Inspection Program, such as policies and 
procedures regarding systems compliance.\1924\ The policies and 
procedures requirements in Regulation SCI should help ensure faster 
recoveries from systems disruptions, systems compliance issues, and 
systems intrusions. As discussed in Section VI.C.1, reducing the risk, 
incidence, and duration of SCI events could reduce interruptions in the 
price discovery process and liquidity flows and thus result in reduced 
periods with pricing inefficiencies.
---------------------------------------------------------------------------

    \1924\ With respect to NASD and FINRA rules identified by 
commenters, although they have some broad relation to certain 
aspects of the policies and procedures provisions under Regulation 
SCI, the Commission is not persuaded that these rules, even when 
taken together, are an appropriate substitute for the comprehensive 
approach in Regulation SCI with respect to technology systems and 
system issues. See NASD Rule 3010(b)(1) and FINRA Rule 3130. See 
also supra note 115.
---------------------------------------------------------------------------

    The Commission also recognizes that the policies and procedures 
requirements of Regulation SCI will impose certain costs. In general, 
the Commission believes that some SCI entities that participate in the 
ARP Inspection Program already comply with some of the requirements of 
Rule 1001 and thus would incur lower initial costs to comply with the 
requirements of Rule 1001 than SCI entities that do not participate in 
the ARP Inspection Program. Additionally, some SCI entities that 
currently participate in the ARP Inspection Program are large and have 
complex systems and, therefore, will incur more costs to comply with 
Rule 1001 than others. Furthermore, SCI entities that do not currently 
participate in the ARP Inspection Program will also face costs to 
comply with Rule 1001 if they do not already have policies and 
procedures similar to those required by 
Rule 1001. These costs are discussed further below.
Quantifiable Costs
    In the SCI Proposal, based on discussion with industry 
participants, the Commission estimated that, to comply with all 
requirements underlying the policies and procedures required by 
proposed Rules 1000(b)(1) and (2) other than paperwork burdens, on 
average, each SCI entity would incur an initial cost of between 
approximately $400,000 and $3 million.\1925\ Based on this estimated 
range in costs, the Commission estimated that in the aggregate SCI 
entities would incur a total initial cost of between approximately 
$17.6 million \1926\ and $132 million \1927\ to comply with proposed 
Rules 1000(b)(1) and (2). In addition, the Commission estimated that, 
to comply with the policies and procedures required by proposed Rules 
1000(b)(1) and (2), on average, each SCI entity would incur an ongoing 
annual cost of between approximately $267,000 \1928\ and $2 
million.\1929\ Based on this estimated range, the Commission estimated 
that in the aggregate SCI entities would incur a total annual ongoing 
cost of between approximately $11.7 million \1930\ and $88 
million.\1931\
---------------------------------------------------------------------------

    \1925\ See Proposing Release, supra note 13, at 18171. As 
explained in the SCI proposal, the Commission preliminarily 
estimated a range of cost for complying with the policies and 
procedures required by proposed Rules 1000(b)(1) and (2) because 
some SCI entities are already in compliance with some of these 
requirements and thus would likely need to incur less costs to 
comply with the rules. For example, the Commission believed that 
many SCI SROs (e.g., certain national securities exchanges and 
registered clearing agencies) already have or have begun 
implementation of business continuity and disaster recovery plans 
that include maintaining backup and recovery capabilities 
sufficiently resilient and geographically diverse to ensure next 
business day resumption of trading and two-hour resumption of 
clearance and settlement services following a wide-scale disruption. 
See id. at 18171, n. 633.
    \1926\ See id. at 18171, n. 634.
    \1927\ See id. at 18171, n. 635.
    \1928\ See id. at 18172, n. 637.
    \1929\ See id. at 18172, n. 638.
    \1930\ See id.
    \1931\ See id. at 18172, n. 640.
---------------------------------------------------------------------------

    One commenter noted that the Commission did not provide sufficient 
discussion of the basis for the cost estimates for complying with the 
policies and procedures required by proposed Rules 1000(b)(1) and 
(2).\1932\ However, this commenter was cautiously confident that its 
initial cost for full implementation of proposed Rules 1000(b)(1) and 
(2) would not exceed $3 million plus four times the estimated burden 
under the Paperwork Reduction Act analysis, although the commenter 
believed that such cost would not be less than half of such $3 million 
plus at least three times the Paperwork Reduction Act estimate.\1933\ 
This commenter further noted that the approach taken by the Commission 
in the proposal with regard to federal securities law liabilities and 
the safe harbors likely will result in increased insurance costs for 
SCI entities and higher salaries for employees.\1934\
---------------------------------------------------------------------------

    \1932\ See MSRB Letter at 30.
    \1933\ See id. at 31. According to this commenter, if as a 
result of the restrictive listing of industry standards in Table A, 
it determines that it should adhere to one of the listed standards 
rather than the standards to which it currently adheres, its cost of 
compliance with proposed Rule 1000(b)(1) would be considerably 
increased and its total cost for compliance with proposed Rules 
1000(b)(1) and (2) would likely be at or near $3 million plus four 
times the estimated burden under the Paperwork Reduction Act 
analysis. See id. As noted above in Section IV.B.1.b.iii, the 
Commission believes that staff guidance should be characterized as 
listing examples of publications describing processes, guidelines, 
frameworks, and/or standards for an SCI entity to consider looking 
to in developing reasonable policies and procedures, rather than 
strictly as listing examples of ``standards.'' As such, nothing that 
the staff may include in its guidance precludes an SCI entity from 
adhering to standards such as ISO 27000, COBIT, or others referenced 
by commenters to the extent they result in policies and procedures 
that comply with the requirements of Rule 1001(a).
    \1934\ See id. The commenter did not provide an estimate of the 
anticipated increased insurance costs for SCI entities and higher 
salaries for employees. The Commission acknowledges that SCI 
entities may incur increased insurance and personnel costs because 
of the potential additional liability associated with Regulation 
SCI, although the Commission is unable to estimate these costs given 
it lacks specific information regarding current personnel and 
insurance costs and the amount of any potential increases associated 
with changes in liability. The Commission also notes that many 
entities that fall within the definition of SCI entity could already 
be subject to liability for systems issues and thus may already 
largely be incurring these insurance and personnel costs.
---------------------------------------------------------------------------

    Another commenter noted that, without further clarification, the 
broad scope of the policies and procedures requirement under Regulation 
SCI could be burdensome, in terms of the cost of developing and 
implementing new (or enhancing existing) policies and procedures, and 
in terms of complying and documenting compliance under such policies 
and procedures.\1935\ According to this commenter, these requirements 
could significantly increase technology project costs (e.g., for 
testing, monitoring, and compliance staff) and would significantly 
prolong the systems development lifecycle and time to market.\1936\ 
With respect to the Commission's cost estimate for proposed Rules 
1000(b)(1) and (2), another commenter noted that the Commission's 
estimates do not adequately account for the opportunity costs of delays 
in systems innovation.\1937\ This commenter stated that the Commission 
did not address the significant costs of complying with the 
requirements concerning the capacity, integrity, resiliency, 
availability, and security of systems.\1938\
---------------------------------------------------------------------------

    \1935\ See FINRA Letter at 32. The estimated burden associated 
with the development and maintenance of policies and procedures is 
discussed in the Paperwork Reduction Act section above. See supra 
Section V.D.1.a.
    \1936\ See FINRA Letter at 32.
    \1937\ See ITG Letter at 7. This commenter also noted that the 
estimates do not adequately account for the monitoring and 
notification costs that would be engendered by the proposal. See id.
    \1938\ See id.
---------------------------------------------------------------------------

    After considering the views of these commenters and in light of the 
changes to the proposed rules, the Commission now estimates that, to 
comply with all requirements underlying the policies and procedures 
required by Rules 1001(a) and (b),\1939\ other than paperwork burdens, 
on average, each SCI entity will incur an initial cost of between 
approximately $320,000 and $2.4 million and an ongoing annual cost of 
between approximately $213,600 and $1.6 million.\1940\ The Commission 
notes that it has reduced the cost for complying with the policies and 
procedures required by Rules 1001(a) and (b) in a variety of ways, 
including by, for example: Refining the definition of SCI systems; more 
explicitly allowing SCI entities to tailor policies and procedures 
consistent with a risk-based approach; having separate staff guidance 
on current SCI industry standards rather than Commission guidance 
through proposed Table A, with staff guidance characterized as listing 
examples of publications describing processes, guidelines, frameworks, 
and/or standards for an SCI entity to consider looking to in developing 
reasonable policies and procedures, rather than strictly as listing 
examples of
``standards;'' and focusing compliance on the Exchange Act rather than 
federal securities laws generally.
---------------------------------------------------------------------------

    \1939\ These include, for example, establishing current and 
future capacity planning estimates, capacity stress testing, 
reviewing and keeping current systems development and testing 
methodology, regular reviews and testing to detect vulnerabilities, 
testing of all SCI systems and changes to SCI systems prior to 
implementation, implementing a system of internal controls, 
implementing a plan for assessments of the functionality of SCI 
systems, implementing a plan of coordination and communication 
between regulatory and other personnel of the SCI entity, including 
by responsible SCI personnel, designed to detect and prevent systems 
compliance issues, and hiring additional staff.
    \1940\ The Commission estimates an average range of cost for 
complying with the policies and procedures required by Rules 1001(a) 
and (b) because some SCI entities are already in compliance with 
some of these requirements. The Commission recognizes that, for SCI 
entities that do not currently comply with the policies and 
procedures required by Rules 1001(a) and (b), their cost of 
compliance may, depending on their nature, size, technology, 
business model, and other aspects of their business, be at the upper 
end of the estimated average cost range.
---------------------------------------------------------------------------

    At the same time, the Commission acknowledges that other aspects of 
the compliance costs could potentially be higher for the adopted rules 
than the proposed rules. For example, the requirement for a goal of 
two-hour resumption for all critical SCI systems (rather than only 
clearance and settlement systems) could increase compliance costs for 
SCI entities with critical SCI systems as compared to the proposal. 
However, as discussed above, the Commission has specified that the 
stated recovery timeframes in Regulation SCI are goals, rather than 
inflexible requirements.\1941\ In addition, for some SCI entities that 
would have chosen to not use the proposed SCI entity safe harbor, the 
Commission's adoption of non-exhaustive, general minimum elements for 
systems compliance policies and procedures in Rule 1001(b)(2) could 
increase compliance costs as compared to the proposal. Based on the 
foregoing, the Commission believes that it is reasonable to revise the 
estimate to reflect the more targeted scope and increased flexibility 
of the adopted regulation, as compared to the proposal, in combination 
with potential increased costs associated with compliance with Rules 
1001(a)(2)(v) and 1001(b)(2), and new costs associated with compliance 
with Rule 1001(a)(2)(vii).\1942\ Therefore, the Commission believes 
that on balance overall, the costs will be reduced, and in its best 
judgment, each SCI entity is likely to incur an initial cost of between 
approximately $320,000 and $2.4 million and an ongoing annual cost of 
between approximately $213,600 and $1.6 million for complying with the 
policies and procedures required by Rules 1001(a) and (b). However, the 
Commission acknowledges that its cost estimates reflect a high degree 
of uncertainty. As noted above, the compliance costs of Rule 1001 may 
depend on the complexity of SCI entities' systems (e.g., the compliance 
costs will be higher for SCI entities with more complex systems). The 
initial compliance costs associated with Rule 1001 may also vary across 
SCI entities depending on the degree of current practices' compliance 
with the requirements of Rule 1001. Because it is difficult to gauge 
the precise degree of current compliance for each SCI entity in 
estimating potential costs with respect to Rule 1001 at this time, the 
Commission is estimating a range of compliance costs above.
---------------------------------------------------------------------------

    \1941\ See supra note 504 and accompanying text.
    \1942\ Rules 1001(a)(2)(v), 1001(a)(2)(vii), and 1001(b)(2) are 
discussed further below.
---------------------------------------------------------------------------

    The Commission estimates that, in the aggregate, SCI entities will 
incur a total initial cost of between approximately $14 million \1943\ 
and $106 million \1944\ to comply with the policies and procedures 
required by Rules 1001(a) and (b). In addition, the Commission 
estimates that, in the aggregate, SCI entities will incur a total annual 
ongoing cost of between approximately $9 million \1945\ and $70 
million.\1946\ These cost estimates are intended to cover the cost of 
complying with all substantive requirements under Rules 1001(a) and (b) 
other than paperwork related burdens.
---------------------------------------------------------------------------

    \1943\ $320,000 x 44 SCI entities = $14.1 million.
    \1944\ $2.4 million x 44 SCI entities = $105.6 million.
    \1945\ $213,600 x 44 SCI entities = $9.4 million.
    \1946\ $1.6 million x 44 SCI entities = $70.4 million.
---------------------------------------------------------------------------

    The Commission acknowledges that, for SCI entities, the 
requirements of Rules 1001(a) and (b) could increase technology project 
costs, prolong the systems development lifecycle and time to market, 
and result in opportunity costs because of potential delays in systems 
innovation.\1947\ On the other hand, as discussed throughout this 
release, the Commission believes that entities that are important to 
the functioning of the U.S. securities markets should be required to 
have policies and procedures reasonably designed to ensure systems 
capacity, integrity, resiliency, availability, security, and 
compliance. Further, as discussed above in Sections IV.B.1 and IV.B.2, 
the Commission has focused the scope of Rules 1001(a) and (b) as 
compared to the SCI Proposal. Moreover, in tandem with the adoption of 
a definition of critical SCI systems, the Commission is making more 
clear that Rule 1001(a) permits SCI entities to tailor policies and 
procedures consistent with a risk-based approach. With respect to Rule 
1001(b), the Commission is adopting non-exhaustive, general minimum 
elements that an SCI entity must include in its systems compliance 
policies and procedures.\1948\
---------------------------------------------------------------------------

    \1947\ See supra note 1936 and accompanying text (discussing a 
commenter's view regarding the potential economic effects of the 
policies and procedures requirements).
    \1948\ See supra note 1935 and accompanying text (discussing a 
commenter's views that, without clarification, the policies and 
procedures requirement under Regulation SCI could be burdensome).
---------------------------------------------------------------------------

Benefits and Qualitative Costs
Capacity, Integrity, Resiliency, Availability, and Security
    Rule 1001(a)(1) requires that each SCI entity establish, maintain, 
and enforce written policies and procedures reasonably designed to 
ensure that its SCI systems and, for purposes of security standards, 
indirect SCI systems, have levels of capacity, integrity, resiliency, 
availability, and security, adequate to maintain the SCI entity's 
operational capability and promote the maintenance of fair and orderly 
markets. Rule 1001(a)(2)(i)-(iv) provides that an SCI entity's policies 
and procedures under Rule 1001(a) must include, at a minimum: (i) The 
establishment of reasonable current and future technological 
infrastructure capacity planning estimates; (ii) periodic capacity 
stress tests of systems to determine their ability to process 
transactions in an accurate, timely, and efficient manner; (iii) a 
program to review and keep current systems development and testing 
methodology of such systems; and (iv) regular reviews and testing, as 
applicable, of systems, including backup systems, to identify 
vulnerabilities pertaining to internal and external threats, physical 
hazards, and natural or manmade disasters.\1949\
---------------------------------------------------------------------------

    \1949\ See Rule 1001(a)(2) and supra Section IV.B.1.
---------------------------------------------------------------------------

    Rules 1001(a)(1) and (2)(i)-(iv) codify and expand certain 
provisions of the ARP Policy Statements. They also expand on the 
requirements under Rule 301(b)(6) of Regulation ATS for ATSs that trade 
NMS stocks and non-NMS stocks. In particular, under the ARP Policy 
Statements and through the ARP Inspection Program, ARP participants, 
among other things, are expected to establish current and future 
capacity estimates; conduct capacity stress tests; and conduct annual 
reviews that cover significant elements of the operations of the 
automation process, including the capacity planning and testing 
process, contingency planning, systems development methodology, and 
vulnerability assessments. Further, Rule 301(b)(6) requires certain 
ATSs, with respect to those systems that support order entry, order 
routing, order execution, transaction reporting, and trade comparison, 
to establish certain capacity estimates, conduct periodic capacity 
stress tests of critical systems, develop and implement reasonable 
procedures to review and keep current systems development and testing 
methodology, review the vulnerability of their systems and data center 
computer operations to specified threats, establish adequate 
contingency and disaster recovery plans, conduct an independent review 
of their systems controls annually for ensuring that Rule 
301(b)(6)(ii)(A)-(E) are met and conduct a review by senior management 
of a report of the independent review, and
promptly notify the Commission of certain systems outages and systems 
changes.\1950\
---------------------------------------------------------------------------

    \1950\ See 17 CFR 242.301(b)(6)(ii).
---------------------------------------------------------------------------

    As mentioned above, Rules 1001(a)(1) and (2)(i)-(iv) codify certain 
aspects of the ARP Policy Statements. For SCI entities that are current 
participants in the ARP Inspection Program, codifying these aspects 
into requirements to establish policies and procedures should help 
ensure more robust systems that help realize the benefits of Regulation 
SCI discussed in Section VI.C.1.\1951\
---------------------------------------------------------------------------

    \1951\ Likewise, the relocation and modification of certain 
requirements in Rule 301(b)(6) of Regulation ATS applicable to 
significant-volume ATSs that trade NMS stocks and non-NMS stocks 
will help ensure that SCI ATSs create and maintain policies and 
procedures to support robust systems. See supra note 2 and 
accompanying text (noting that Regulation SCI, in addition to 
codifying the ARP Policy Statements, also supersedes and replaces 
aspects of those policy statements codified in Rule 301(b)(6) under 
the Exchange Act for significant-volume ATSs that trade NMS stocks 
and non-NMS stocks).
---------------------------------------------------------------------------

    In addition to the effects of the codification of aspects of the 
ARP Inspection Program, the Commission believes that the rules would 
further reduce the risk and incidences of systems issues affecting the 
markets by imposing requirements on entities that are not currently 
participating in the ARP Inspection Program, and by covering systems 
and events not currently within the scope of the ARP Inspection 
Program. For example, Rules 1001(a)(2)(i)-(iv) will help maintain 
robust systems at SCI entities that currently do not have the policies 
and procedures in place required by the rule. In particular, the 
Commission believes that, taken together, Rules 1001(a)(2)(i)-(iv) will 
benefit the securities markets by leading to the establishment, 
maintenance, and enforcement of policies and procedures that will 
reduce the risks and incidences of systems disruptions and systems 
intrusions. As noted above in Section VI.C.1, a reduction in the risk 
and incidences of systems issues could reduce interruptions in the 
price discovery process and liquidity flows.
    Because current ARP participants will change their current 
practices to comply with Rules 1001(a)(2)(i)-(iv), the Commission 
recognizes that these entities will incur compliance costs that are 
incremental relative to the current compliance costs of the ARP 
Inspection Program.\1952\ Furthermore, SCI entities that are not 
currently participating in the ARP Inspection Program may incur higher 
initial compliance costs to meet the requirements of Rules 
1001(a)(2)(i)-(iv), compared to SCI entities that are current 
participants of the ARP Inspection Program. The paperwork burdens are 
discussed in Section V, and other costs are included as part of the 
quantified costs estimated above related to all requirements associated 
with Rules 1001(a) and (b) other than paperwork burdens.\1953\
---------------------------------------------------------------------------

    \1952\ See supra Section VI.B (discussing current practices of 
SCI entities).
    \1953\ See supra note 1940 and accompanying text.
---------------------------------------------------------------------------

    A few commenters discussed in detail how setting forth policies and 
procedures with regard to systems development could yield benefits, 
such as efficient pricing of securities, to markets. One commenter 
noted that preventing defects from entering in software construction is 
the most cost effective approach to quality assurance.\1954\ This 
commenter stated that it is ten times cheaper to find a defect in 
development than it is during systems testing, and it is one hundred 
times cheaper to fix a defect in development than in production (and 
this is not accounting for the impact on business).\1955\ In addition, 
this commenter noted that software of higher quality is cheaper to 
maintain and easier to enhance, and that testing schedules for low 
quality, large software projects are two to three times longer and more 
than twice as costly as testing for high quality projects.\1956\ 
According to information submitted by this commenter of large, mission 
critical systems across several industries, improving overall 
structural quality by 10 percent reduces ``ticket volume'' by over 30 
percent.\1957\ This commenter believed that this would be an 
inadvertent benefit of controlling integrity at the structural level 
that may even compensate for the cost of other aspects of Regulation 
SCI.\1958\ Another commenter noted that the cost of a serious 
operational problem can rise to eight digits, and in extreme cases nine 
digits.\1959\ This commenter noted that these costs are often shared 
with market participants beyond the owners of the disrupted 
systems.\1960\ This commenter believed that the proposed Rule 
1000(b)(1) requirements are reasonable and their cost can be balanced 
against the losses associated with the operational risks they 
address.\1961\
---------------------------------------------------------------------------

    \1954\ See CAST Letter at 10.
    \1955\ See id.
    \1956\ See id. (quoting Capers Jones and Olivier Bonsignour, The 
Economics of Software Quality (2012)).
    \1957\ See id. at 10-11.
    \1958\ See id. at 11.
    \1959\ See CISQ Letter at 2.
    \1960\ See id. at 2.
    \1961\ See id. at 2. See also CISQ2 Letter at 6 (stating, 
``[t]he cost of recent outages in SCI systems easily justifies the 
additional effort in quality assurance. However, empirical evidence 
from software industry improvement programs demonstrates that the 
additional time added into quality assurance is more than 
compensated for by a reduction in rework to produce [return on 
investments] of 5:1 or greater'').
---------------------------------------------------------------------------

    The Commission generally agrees with commenters that setting forth 
policies and procedures with regard to systems development could yield 
benefits to market participants and SCI entities, including a potential 
reduction in losses due to SCI events. Rule 1001(a)(2)(iii) requires 
SCI entities to establish a program to review and keep current systems 
development and testing methodology for SCI systems and, for purposes 
of security standards, indirect SCI systems. The Commission believes 
that development and testing systems are important in ensuring the 
reliability and resiliency of SCI systems. More reliable and resilient 
systems should help reduce the occurrences of SCI events and improve 
systems uptime for SCI entities, and thus possibly result in a 
reduction in losses due to SCI events. Furthermore, the Commission 
recognizes that the use of inadequately tested software in production 
could result in substantial losses to market participants if it does 
not function as intended. For instance, if software malfunctions, it 
may not route orders as intended and also could result in mispricing of 
securities. Additionally, if a system's capacity thresholds are 
improperly estimated, it may become congested, resulting in higher 
indirect transaction costs due to lower execution quality (e.g., 
decrease in order fill rates). The Commission believes that costs 
associated with Rule 1001(a)(2)(iii) are appropriate in light of the 
reduction in losses due to SCI events and other benefits discussed 
throughout this Economic Analysis.
Business Continuity and Disaster Recovery Plans
    Rule 1001(a)(2)(v) requires SCI entities' policies and procedures 
to set forth business continuity and disaster recovery plans that 
include maintaining backup and recovery capabilities sufficiently 
resilient and geographically diverse and that are reasonably designed 
to achieve next business day resumption of trading and two-hour 
resumption of critical SCI systems following a wide-scale 
disruption.\1962\ Therefore, as
adopted, Rule 1001(a)(2)(v) puts an emphasis on trading and critical 
SCI systems with respect to resumption following a wide-scale 
disruption. As discussed above, the definition of critical SCI systems 
is intended to capture those systems that are critical to the operation 
of the securities markets, including systems that are potential single 
points of failure in the securities markets. The Commission understands 
that some SCI entities already have, to an extent, policies and 
procedures that are required by Rule 1001(a)(2)(v), while others would 
need to make more significant changes to their current practices.\1963\
---------------------------------------------------------------------------

    \1962\ FINRA Rule 4370 generally requires that a FINRA member 
maintain a written continuity plan identifying procedures relating 
to an emergency or significant business disruption, which is akin to 
adopted Rule 1001(a)(2)(v) requiring policies and procedures for 
business continuity and disaster recovery plans. However, the FINRA 
rule does not include the requirement that the business continuity 
and disaster recovery plans be reasonably designed to achieve next 
business day resumption of trading and two-hour resumption of 
critical SCI systems following a wide-scale disruption, nor does it 
require the functional and performance testing and coordination of 
industry or sector-testing of such plans. See supra note 115.
    \1963\ See infra note 1973 and accompanying text (discussing the 
estimated range of cost per SCI entity to comply with the policies 
and procedures required by Rules 1001(a) and (b)).
---------------------------------------------------------------------------

    Rule 1001(a), among other things, is expected to help ensure prompt 
resumption of all critical SCI systems, which in turn is expected to 
help minimize interruptions in trading and liquidity after a wide-scale 
disruption. In addition, in the case of a wide-scale disruption, 
multiple SCI entities may be affected by the same incident at the same 
time. Given that U.S. securities market infrastructure is concentrated 
in relatively few areas, such as New York City, New Jersey, and 
Chicago, maintaining backup and recovery capabilities that are 
geographically diverse could facilitate resumption in trading and 
critical SCI systems following wide-scale market disruptions. As 
discussed in detail in Section VI.C.1, the Commission expects the 
reduction in the occurrence of trading interruptions and the duration 
of trading interruptions would promote pricing efficiency, price 
discovery, and liquidity flows in markets.
    One commenter noted that the Commission's cost-benefit analysis in 
the SCI Proposal did not take into consideration the already existing 
industry excess capacity as backup.\1964\ With respect to this 
commenter, the Commission understands, based on staff expertise, that 
systems are sized to adequately handle message traffic with excess 
capacity under normal conditions and in those situations that 
moderately exceed the norm. The Commission also understands, however, 
that exchanges periodically receive escalated levels of message traffic 
due to unanticipated events and must make real-time adjustments to 
manage the capacity of their systems, such as queuing and/or 
throttling. Therefore, the Commission is not persuaded that excess 
capacity is a reasonable alternative to backup systems because systems 
may reach their capacity periodically. Also, as noted above, in the 
case of a wide-scale disruption, multiple SCI entities may be affected 
by the same incident at the same time. Given that U.S. securities 
market infrastructure is concentrated in relatively few areas, 
maintaining backup and recovery capabilities that are geographically 
diverse could facilitate resumption in trading and critical SCI systems 
following wide-scale market disruptions.
---------------------------------------------------------------------------

    \1964\ See Angel Letter at 14.
---------------------------------------------------------------------------

    The Commission also received comments regarding the costs of 
maintaining geographically diverse backup facilities under proposed 
Rule 1000(b)(1). One commenter stated that the Commission did not 
appropriately consider the costs and benefits of maintaining 
geographically diverse data centers to meet the next-day readiness 
requirement.\1965\ This commenter believed that the cost of 
establishing and maintaining geographically diverse data centers alone 
will dwarf the estimated overall compliance cost of $400,000 to $3 
million.\1966\ This commenter estimated that the incremental all-in, 
five-year cost to it to relocate its backup site would be $17 
million.\1967\ This commenter noted that the geographically diverse 
backup center requirement could also result in costs on members and 
users of the SCI entity.\1968\ Another commenter noted that it 
maintains robust redundant and backup systems that exceed regulatory 
requirements and provide adequate capacity, security, and resiliency 
for its trading operations; however, the manpower and financial capital 
required to maintain and staff a geographically diverse backup site 
would easily push its annual and recurring compliance cost beyond the 
higher estimates provided by the Commission.\1969\
---------------------------------------------------------------------------

    \1965\ See ISE Letter at 12. See also FIF Letter at 3.
    \1966\ See ISE Letter at 12.
    \1967\ See id.
    \1968\ See id. The cost to members or participants of SCI 
entities in connection with business continuity and disaster 
recovery plan testing is discussed in Section VI.C.2.b.vii below.
    \1969\ See ITG Letter at 7-8.
---------------------------------------------------------------------------

    The Commission notes that the potential cost for maintaining 
geographically diverse backup and recovery capabilities is likely less 
than those estimated by commenters given the scope of the adopted rule. 
Specifically, because Rule 1001(a)(2)(v) does not require an SCI entity 
to require its members or participants to use an SCI entity's backup 
facility in the same way they use the primary facility (i.e., does not 
require members or participants to co-locate their systems at backup 
sites to replicate the speed and efficiency of the primary site), the 
requirement for geographically diverse backup systems does not mean 
that the backup systems are required to be identical (e.g., same speed 
and efficiency) to the primary facility. Nevertheless, the Commission 
believes it is critical that SCI entities and their designated members 
or participants be able to operate with the SCI entities' backup 
systems in the event of a wide-scale disruption. In addition, the 
Commission notes that Rule 1001(a) does not specify any particular 
minimum distance or geographic location that would be necessary to 
achieve geographic diversity, although the Commission believes that 
backup sites should not rely on the same infrastructure components, 
such as for transportation, telecommunications, water supply, and 
electric power. Further, Regulation SCI does not require an SCI entity 
to have a geographically diverse backup facility so distant from the 
primary facility that the SCI entity may not rely primarily on the same 
labor pool to staff both facilities if it believed it to be 
appropriate.
    With respect to commenters who expressed concern regarding the 
potential cost for maintaining geographically diverse backup and 
recovery capabilities, the Commission cannot estimate with confidence 
the precise costs for the creation of a new, geographically diverse 
backup facility, given the wide range of message traffic that various 
exchanges, ATSs, and other entities receive and the reasonable 
flexibility in the design of the backup facility. Given that Rule 
1001(a)(2)(v) does not require an SCI entity to require its members or 
participants to use an SCI entity's backup facility in the same way 
they use the primary facility, however, the Commission believes that 
the upper bound of building a new backup facility is equal to the cost 
of building a new primary facility. Given the Commission's response to 
commenters' concerns regarding the requirement to maintain 
geographically diverse backup and recovery capabilities, and the degree 
of flexibility within Regulation SCI to determine the precise nature 
and location of its backup site,\1970\ the Commission believes that the 
commenter's estimate of $17 million over five years (or $3.4 million 
per
year),\1971\ is high. Based on the Commission's best judgment, 
including taking into account Commission staff experience with SCI 
entities that have invested in geographically diverse backup facilities 
in recent years, the Commission believes that the average cost is more 
likely to be approximately $1.5 million annually for an SCI entity 
(that does not already have geographically diverse backup facilities). 
Nevertheless, even were the costs to be at the upper amount suggested 
by the commenter, the Commission believes the costs are appropriate 
given that individual SCI entity resilience is fundamental to achieving 
the goal of improving U.S. securities market infrastructure 
resilience.\1972\
---------------------------------------------------------------------------

    \1970\ See supra notes 541-544 and accompanying text.
    \1971\ See supra note 1967 and accompanying text.
    \1972\ See supra notes 499-544 and accompanying text.
---------------------------------------------------------------------------

    The Commission recognizes that SCI entities may encounter 
significantly different costs in complying with the geographic 
diversity requirement underlying Rule 1001(a)(2)(v). As noted in 
Section VI.B.2, nearly all national securities exchanges already have 
backup facilities that do not rely on the same infrastructure 
components as those used by their primary facility. For those national 
securities exchanges that do not have such backup facilities, the cost 
to build such backup facilities will result in higher initial 
compliance costs than for national securities exchanges that do. For 
other SCI entities (e.g., some SCI ATSs), the compliance costs to meet 
the geographic diversity requirement would depend on the nature, size, 
technology, business model, and other aspects of their business.\1973\ 
Because SCI entities may encounter significantly different costs in 
complying with the geographic diversity requirement, the Commission 
believes that the initial compliance costs could have an impact on 
competition among SCI entities.
---------------------------------------------------------------------------

    \1973\ The Commission notes that its average estimated range of 
initial cost of approximately $320,000 to $2.4 million per SCI 
entity to comply with Rules 1001(a) and (b), other than paperwork 
burdens, includes the cost to build and maintain a geographically 
diverse backup facility. The Commission estimates that the costs for 
SCI entities that do not currently have a geographically diverse 
backup facility would be at the higher end of this range.
---------------------------------------------------------------------------

    The requirement to have policies and procedures to meet a goal of 
next day resumption in trading and two-hour resumption in critical SCI 
systems will impose compliance costs for SCI entities. The Interagency 
White Paper sets forth sound practices for core clearing and settlement 
organizations and firms that play significant roles in critical 
financial markets,\1974\ and the 2003 BCP Policy Statement discusses 
the resumption of certain trading markets following a wide-scale 
disruption.\1975\ As noted in Section VI.B.1, the Commission believes 
that SCI entities currently use an array of measures to restore systems 
when disruptions occur. However, the two-hour resumption goal for all 
critical SCI systems differs from the goals set forth in the 
Interagency White Paper insofar as the goal for Regulation SCI applies 
to critical SCI systems generally.\1976\ To this extent, Rule 
1001(a)(2)(v) would impose additional costs for SCI entities that 
currently have practices that are consistent with the Interagency White 
Paper for clearance and settlement systems but not all critical SCI 
systems. The next business day resumption goal for certain trading 
markets set forth in the 2003 BCP Policy Statement is consistent with 
the resumption goal for trading in Rule 1001(a)(2)(v). For some SCI 
entities that do not have policies and procedures with respect to 
critical SCI systems consistent with the Interagency White Paper and 
the 2003 BCP Policy Statement, the Commission believes that the initial 
compliance costs associated with establishing policies and procedures 
with respect to next day resumption in trading and two-hour resumption 
in all critical SCI systems would be larger than those that do. The 
costs associated with designing and modifying policies and procedures 
with respect to systems resumption requirements are included in the 
costs related to paperwork burdens in Section V. Furthermore, as 
discussed in Section VI.C.1, the Commission believes that the systems 
resumption requirements of Rule 1001(a)(2)(v) will have an impact on 
competition among SCI entities in part because the associated initial 
compliance costs will be different among SCI entities.
---------------------------------------------------------------------------

    \1974\ According to the Interagency White Paper, core clearing 
and settlement organizations should develop the capacity to recover 
and resume clearing and settlement activities within the business 
day on which the disruption occurs with the overall goal of 
achieving recovery and resumption within two hours after an event. 
See Interagency White Paper, supra note 504, at 17812.
    \1975\ The 2003 BCP Policy Statement states that each SRO market 
and ECN should have a business continuity plan that anticipates the 
resumption of trading, in the securities traded by that market, no 
later than the next business day following a wide-scale disruption. 
See 2003 BCP Policy Statement, supra note 504, at 56658.
    \1976\ See supra Section IV.A.2.c (discussing the definition of 
critical SCI systems) and supra Section IV.B.1 (discussing the 
Commission's rationale for applying the two hour recovery goal to 
critical SCI systems generally instead of clearance and settlement 
services specifically).
---------------------------------------------------------------------------

Market Data
    Rule 1001(a)(2)(vi) provides that an SCI entity's policies and 
procedures must include standards that result in systems being 
designed, developed, tested, maintained, operated, and surveilled in a 
manner that facilitates the successful collection, processing, and 
dissemination of market data.\1977\ Unlike the other provisions of Rule 
1001(a)(2) discussed above, Rule 1001(a)(2)(vi) is not addressed in 
Regulation ATS or the ARP Policy Statements.
---------------------------------------------------------------------------

    \1977\ See Rule 1001(a)(2) and supra Section IV.B.1.
---------------------------------------------------------------------------

    The Commission believes that Rule 1001(a)(2)(vi) should help ensure 
that timely and accurate market data is available to all market 
participants. Given that market participants rely on consolidated 
market data in a variety of ways, including making markets, formulating 
trading algorithms, and placing orders, the Commission believes that 
this is an important benefit of Regulation SCI, although the Commission 
recognizes that SCI entities currently already take measures to 
facilitate the successful collection, processing, and dissemination of 
market data. As discussed in Section VI.C.1, the Commission believes 
that the further improvements in timeliness and accuracy of market data 
would help further ensure pricing efficiencies and uninterrupted 
liquidity flows in markets. As Rule 1001(a)(2)(vi) will be a new 
requirement for SCI entities, it will impose incremental compliance 
costs on SCI entities in setting aside additional resources to satisfy 
the requirements of the rule. These costs are included as part of the 
quantified costs estimated above related to all requirements underlying 
Rules 1001(a) and (b) other than paperwork burdens.\1978\
---------------------------------------------------------------------------

    \1978\ See supra note 1940 and accompanying text.
---------------------------------------------------------------------------

Monitoring
    Rule 1001(a)(2)(vii) provides that an SCI entity's policies and 
procedures must include monitoring of systems to identify potential SCI 
events. Rule 1001(a)(2)(vii) imposes a new requirement that is not 
addressed in Regulation ATS or the ARP Policy Statements.
    The Commission believes that SCI entities, particularly those that 
participate in the ARP Inspection Program, already monitor their 
systems in order to identify potential systems issues. Nevertheless, by 
defining ``SCI event'' and requiring policies and procedures for 
monitoring systems to identify potential SCI events, the Commission 
believes that Rule
1001(a)(2)(vii) should further help ensure that SCI entities identify 
potential SCI events, which could allow them to prevent some SCI events 
from occurring or to take timely appropriate corrective action after 
the occurrence of SCI events. As discussed above, the Commission 
believes the reduction in the occurrence of SCI events or the reduction 
in the duration of SCI events that disrupt markets would reduce pricing 
inefficiencies and promote price discovery and liquidity. Although the 
Commission believes that SCI entities already monitor their systems in 
order to identify potential systems issues, the Commission believes 
that SCI entities will have to allocate additional resources to comply 
with the requirements of Rule 1001(a)(2)(vii), including potentially 
hiring additional staff, and thus will incur costs. These costs are 
included as part of the quantified costs estimated above related to all 
requirements underlying Rules 1001(a) and (b) other than paperwork 
burdens.
Current SCI Industry Standards
    Rule 1001(a)(4) deems an SCI entity's policies and procedures under 
Rule 1001(a) to be reasonably designed if they are consistent with 
current SCI industry standards.\1979\ However, Rule 1001(a)(4) 
specifically states that compliance with current SCI industry standards 
is not the exclusive means to comply with the requirements of Rule 
1001(a). Therefore, as adopted, Rule 1001(a)(4) provides flexibility to 
allow each SCI entity to determine how to best meet the requirements in 
Rule 1001(a), taking into account, for example, its nature, size, 
technology, business model, and other aspects of its business. Thus, 
Rule 1001(a)(4) allows SCI entities to choose the technology standards 
that best fit with their business, promoting efficiency. Furthermore, 
as discussed in Section IV.B.1, staff guidance lists examples of 
publications describing processes, guidelines, frameworks, or standards 
for an SCI entity to consider looking to in developing reasonable 
policies and procedures under Rule 1001(a). The reference to the 
publications which the staff may include, and which the Commission 
believes should be general and flexible enough to be compatible with 
many widely-recognized technology standards, will help SCI entities to 
implement and comply with Regulation SCI.\1980\
---------------------------------------------------------------------------

    \1979\ Current SCI industry standards are required to be 
comprised of information technology practices that are widely 
available to information technology professionals in the financial 
sector and issued by an authoritative body that is a U.S. 
governmental entity or agency, association of U.S. governmental 
entities or agencies, or widely recognized organization. See Rule 
1001(a)(4).
    \1980\ See supra Section IV.B.1.b (discussing the role of staff 
guidance on current SCI industry standards).
---------------------------------------------------------------------------

    Some commenters expressed concern that SCI entities would closely 
adhere to the publications listed in Table A rather than take advantage 
of the flexibility built into the proposed rule out of concern that, if 
they did not, they would expose themselves to potential regulatory 
action for failure to comply with Regulation SCI.\1981\ As discussed 
above in Section IV.B.1, Rule 1001(a) allows for flexibility in 
choosing standards or guidelines when an SCI entity is designing 
policies and procedures required by that rule. Moreover, the staff 
guidance lists examples of publications describing processes, 
guidelines, frameworks, or standards for an SCI entity to consider 
looking to in developing reasonable policies and procedures under Rule 
1001(a). As noted in Section IV.B.1, the Commission understands that 
many SCI entities are already following other technology standards, 
such as ISO 27000 and COBIT. The staff guidance would not preclude SCI 
entities from adhering to standards such as ISO 27000, COBIT, or 
others, to the extent they result in policies and procedures that 
comply with the requirements of Rule 1001(a).\1982\ Because there is no 
requirement for SCI entities to follow the publications listed as staff 
guidance, there is no separate compliance cost associated with the 
staff guidance in addition to the cost of complying with Rule 1001(a). 
As discussed throughout this section, the Commission recognizes that, 
in general, there will be costs associated with designing policies and 
procedures required by Rule 1001(a). Such costs to SCI entities that 
already set forth their policies and procedures based on industry 
standards, or that follow the publications listed in the staff guidance 
or comparable publications as a guide, would be minimal. On the other 
hand, other SCI entities that decide to modify their policies and 
procedures and those that do not have such policies and procedures in 
place may incur greater costs in designing policies and procedures 
required by Rule 1001(a). The costs associated with modifying and 
designing policies and procedures are included in the costs related to 
paperwork burdens in Section V.
---------------------------------------------------------------------------

    \1981\ See, e.g., MSRB Letter at 11; Angel Letter at 8; BATS 
Letter at 6; and NYSE Letter at 20-21.
    \1982\ Likewise, the staff guidance would not preclude an SCI 
entity from adopting a derivative of multiple standards, and/or 
customizing one or more standards for the particular system at 
issue. In assessing whether an SCI entity's use of such an approach 
in designing its policies and procedures would be 
``deemed'' to be reasonably designed, the Commission's inquiry would 
be into whether its policies and procedures were consistent with 
standards meeting the criteria in adopted Rule 1001(a)(4).
---------------------------------------------------------------------------

Systems Compliance
    Rule 1001(b)(1) requires each SCI entity to establish, maintain, 
and enforce written policies and procedures reasonably designed to 
ensure that its SCI systems operate in a manner that complies with the 
Exchange Act and the rules and regulations thereunder, and the entity's 
rules and governing documents, as applicable. Rule 1001(b)(2)(i)-(iv) 
provides that an SCI entity's policies and procedures under Rule 
1001(b)(1) must include, at a minimum: (i) Testing of all SCI systems 
and any changes to SCI systems prior to implementation; (ii) a system 
of internal controls over changes to SCI systems; (iii) a plan for 
assessments of the functionality of SCI systems designed to detect 
systems compliance issues, including by responsible SCI personnel and 
by personnel familiar with applicable provisions of the Act and the 
rules and regulations thereunder and the SCI entity's rules and 
governing documents; and (iv) a plan of coordination and communication 
between regulatory and other personnel of the SCI entity, including by 
responsible SCI personnel, regarding SCI systems design, changes, 
testing, and controls designed to detect and prevent systems compliance 
issues. The Commission recognizes that SCI entities currently take 
varying measures to ensure that their systems operate in a manner that 
complies with relevant laws and rules. These practices at SCI entities 
may include escalating a compliance issue upon discovery, including 
legal and compliance personnel in the review of systems changes, and 
periodically reviewing rulebooks.
    The Commission believes that Rule 1001(b) should help to ensure 
that SCI entities operate their SCI systems in compliance with the 
Exchange Act and relevant rules and should help to reduce the 
occurrence of systems compliance issues. For example, the tests under 
Rule 1001(b)(2)(i) should help SCI entities to identify potential 
compliance issues before new systems or systems changes are 
implemented; the internal controls under Rule 1001(b)(2)(ii) should 
help to ensure that SCI entities remain vigilant against compliance 
issues when changing their systems and resolve potential compliance 
issues before the changes are implemented; and the systems assessment 
plans under Rule 1001(b)(2)(iii) and the coordination
and communication plans under Rule 1001(b)(2)(iv) should help 
technology, regulatory, and other relevant personnel (including 
responsible SCI personnel) of SCI entities to work together to prevent 
compliance issues, and to promptly identify and address compliance 
issues if they occur. To the extent that compliance with Rule 1001(b) 
reduces the occurrence of systems compliance issues, Rule 1001(b) 
should help ensure investor protection. Because SCI entities will need 
to allocate their resources towards establishing, maintaining, and 
enforcing policies and procedures with regard to systems compliance, 
Rule 1001(b) will impose compliance costs on SCI entities. These costs 
are included as part of the quantified costs estimated above related to 
all requirements underlying Rules 1001(a) and (b) other than paperwork 
burdens.\1983\
---------------------------------------------------------------------------

    \1983\ See supra note 1940 and accompanying text. However, the 
costs associated with establishing and maintaining policies and 
procedures are included in the costs related to paperwork burdens in 
Section V.
---------------------------------------------------------------------------

    One commenter suggested that the Commission follow the Federal 
Aviation Administration's and NASA's approach, where, according to this 
commenter, individuals are encouraged to report safety issues and 
penalties are waived where there is self-reporting.\1984\ As discussed 
above in Section IV.B.2.b, the Commission is not persuaded that it 
would be appropriate to provide a safe harbor for all problems that are 
self-reported by SCI entities and individuals because the Commission is 
not persuaded that the suggested self-report safe harbor will 
effectively further the intent of Regulation SCI.\1985\ The extent to 
which regulators' reporting rules offer safe harbor protection is 
determined by particular circumstances and regulatory objectives. For 
purposes of Regulation SCI, a blanket safe harbor provision of the type 
proposed by the commenter would reduce incentives for SCI entities to 
take the proactive actions required to ensure the compliance of their 
SCI systems and, thus, could undermine the benefits of Regulation SCI 
discussed in Section IV.C.1.
---------------------------------------------------------------------------

    \1984\ See Angel Letter at 3-4. This commenter also stated that, 
in the SCI Proposal, the Commission did not analyze how other 
government regulatory agencies in the U.S. and elsewhere address 
technology risks (e.g., in the aviation, nuclear power, electricity, 
telecommunications, medical, and banking sectors). See Angel Letter 
at 3 and 15. The Commission notes that, in considering the adoption 
of Regulation SCI, it has considered some of the current practices 
in other industries, such as those discussed by panelists at the 
Technology Roundtable (e.g., aviation, nuclear power). See supra 
note 15 and Transcript of the Technology Roundtable, at 42-45.
    \1985\ The Commission notes that, in addition to dealing with a 
different problem in different industries, the ``waiving of 
penalties'' cited by the commenter has limitations (e.g., the ASRS 
system cited by the comment suspends safe harbor protection for 
repeat violators and does not offer safe harbor for certain types of 
violations). Safe harbor protection for self-reporters may be 
appropriate in some circumstances. However, the Commission believes 
that in the specific context of Regulation SCI, such safe harbor 
protections would not further the intent of the regulation.
---------------------------------------------------------------------------

Responsible SCI Personnel
    Rule 1001(c) requires an SCI entity to establish, maintain, and 
enforce reasonably designed written policies and procedures that 
include the criteria for identifying responsible SCI personnel, the 
designation and documentation of responsible SCI personnel, and 
escalation procedures to quickly inform responsible SCI personnel of 
potential SCI events. Rule 1001(c) imposes a requirement that is not 
addressed in Regulation ATS or the ARP Policy Statements.
    The Commission believes that requiring policies and procedures to 
identify and designate responsible SCI personnel and to establish 
escalation procedures to quickly inform responsible SCI personnel of 
potential SCI events should help to effectively alert responsible SCI 
personnel of potential SCI events, in order for such personnel to 
determine whether an SCI event has occurred so that any appropriate 
actions can be taken in accordance with the requirements of Regulation 
SCI without unnecessary delay. As such, Rule 1001(c) should help reduce 
the duration of SCI events as SCI entities should become aware of 
potential SCI events and take appropriate corrective actions more 
quickly. The reduction in the duration of SCI events would benefit 
markets as it would promote pricing efficiency and price discovery as 
discussed in Section VI.C.1.
    The Commission believes that the costs associated with Rule 1001(c) 
are attributed to paperwork burdens, which are discussed in Section 
V.D.1.a above.\1986\ The Commission does not believe that Rule 1001(c) 
will impose significant other costs on SCI entities because these 
entities already identify and designate responsible SCI personnel and 
have escalation procedures.\1987\
---------------------------------------------------------------------------

    \1986\ When monetized, the paperwork burden would result in 
approximately $1.7 million initially and $611,000 annually for all 
SCI entities in the aggregate.
    \1987\ As noted above, several commenters emphasized the 
importance of escalation procedures at SCI entities, pursuant to 
which technology staff or junior employees could assess a systems 
problem and escalate the issue up the chain of command to management 
as well as legal and/or compliance personnel. See supra note 740 and 
accompanying text.
---------------------------------------------------------------------------

Periodic Review
    Rules 1001(a)(3), (b)(3), and (c)(2) require each SCI entity to 
periodically review the effectiveness of the policies and procedures 
required under Rules 1001(a), (b), and (c), respectively, and to take 
prompt action to remedy deficiencies in such policies and procedures. 
Regulation ATS and the ARP Policy Statements do not explicitly address 
the periodic review of policies and procedures and remediation of 
deficient policies and procedures.
    The Commission believes that requiring periodic review of the 
policies and procedures and remedial actions to address any 
deficiencies in the policies and procedures will help to ensure that 
SCI entities maintain robust policies and procedures and update them 
when necessary so that the benefits of Rules 1001(a), (b), and (c) 
should continue to be realized. As such, the Commission believes that 
Rules 1001(a)(3), (b)(3), and (c)(2) will help realize the benefits of 
Regulation SCI, and would facilitate price discovery and liquidity 
flow, as discussed in Section VI.C.1. These requirements, however, will 
impose costs on SCI entities because they will have to use resources to 
review the policies and procedures required by Rules 1001(a), (b), and 
(c) beyond the resources currently expended for this purpose or will 
have to take more prompt remedial action to remedy any identified 
deficiencies. The Commission expects that these costs generally will 
arise following an SCI entity's periodic review of the effectiveness of 
its policies and procedures and as a result of SCI events. The 
Commission believes that the costs associated with the review and 
update requirements are attributed to paperwork burdens, which are 
discussed in Section V.D.1.a above.\1988\ However, the Commission 
recognizes that, if an SCI entity takes prompt or unplanned remedial 
action following the discovery of deficiencies in its policies and 
procedures, this may result in indirect costs (i.e., opportunity costs) 
to SCI entities because they may need to delay or shift their resources 
away from profitable projects and reallocate their resources towards 
taking prompt or unplanned remedial actions required by the rules. 
However, it is difficult to assess such indirect costs imposed on SCI 
entities because the Commission lacks information necessary to provide 
a reasonable estimate. For example, the Commission does not have
comprehensive and detailed information on the value of the potential 
forgone projects of SCI entities.
---------------------------------------------------------------------------

    \1988\ As noted in Section V.D.1.a above, the paperwork burden 
related to the review of the policies and procedures is included in 
the estimated annual ongoing burden of Rules 1001(a), (b), and (c).
---------------------------------------------------------------------------

ii. Corrective Action--Rule 1002(a)
    Rule 1002(a) requires an SCI entity to begin to take appropriate 
corrective action upon any responsible SCI personnel having a 
reasonable basis to conclude that an SCI event has occurred. Rule 
1002(a) also requires corrective action to include, at a minimum, 
mitigating potential harm to investors and market integrity resulting 
from the SCI event and devoting adequate resources to remedy the SCI 
event as soon as reasonably practicable. Thus, it would not be 
appropriate for an SCI entity to unnecessarily delay the start of 
corrective action once its responsible SCI personnel have a reasonable 
basis to conclude that an SCI event has occurred, and the SCI entity 
would be required to focus on mitigating potential harm to investors 
and market integrity resulting from the SCI event and devoting adequate 
resources to remedy the SCI event as soon as reasonably practicable. 
The Commission believes that SCI entities already have a variety of 
procedures in place to take corrective actions when system issues 
occur. However, Rule 1002(a) will likely require modifications to those 
existing practices in part because the rule specifies the timing and 
enumerates certain goals for corrective action.\1989\
---------------------------------------------------------------------------

    \1989\ For example, although the Commission believes that market 
participants already take corrective actions when system issues 
occur, currently, when taking corrective action, market participants 
may not always focus on mitigating potential harm to investors and 
market integrity or devoting adequate resources to remedy the issues 
as soon as reasonably practicable, as SCI entities are required to 
do under Rule 1002(a).
---------------------------------------------------------------------------

    The Commission believes that the corrective action requirement will 
reduce the length of systems disruptions, systems compliance issues, 
and systems intrusions, and thus, as noted in Section VI.C.1, reduce 
the negative effects of those interruptions on the SCI entity and 
market participants. Additionally, to the extent that corrective action 
could involve wide-scale systems upgrades, some SCI entities may 
potentially seek to accelerate capital expenditures, for example, by 
updating their systems with newer technology earlier than they might 
have otherwise to comply with Regulation SCI. As such, Rule 1002(a) 
could further help ensure that SCI entities invest sufficient resources 
as soon as reasonably practicable to address systems issues.
    The Commission recognizes that Rule 1002(a) may require SCI 
entities to undertake corrective action sooner and/or to increase 
investments in newer and more updated systems earlier than they might 
have otherwise. The Commission thus believes that Rule 1002(a) could 
impose modestly higher costs for SCI entities in responding to SCI 
events relative to their current practice.\1990\ But, given the wide 
variety of current practices, the Commission is unable to estimate the 
incremental costs associated with the required changes. Furthermore, if 
Regulation SCI reduces the frequency and severity of SCI events in the 
future, the cost of corrective action could similarly decline over 
time. However, the Commission cannot estimate these costs because the 
degree to which Regulation SCI will reduce the frequency and severity 
of SCI events is unknown. The Commission also believes that, if an SCI 
entity takes corrective action sooner than it might have without the 
requirements of Regulation SCI, this may impose indirect costs (i.e., 
opportunity costs) to SCI entities because they may have to delay or 
reallocate their resources away from profitable projects and direct 
their resources toward taking corrective action required by the rule. 
However, the Commission acknowledges that it is difficult to assess 
such indirect costs imposed on SCI entities. For instance, the 
Commission does not have comprehensive and detailed information on the 
value of the potential forgone projects of SCI entities. Consequently, 
the Commission is, at this time, unable to estimate the costs of Rule 
1002(a) of Regulation SCI because the Commission lacks information 
necessary to provide a reasonable cost estimate.
---------------------------------------------------------------------------

    \1990\ See also MSRB Letter at 32 (commenting that under most 
circumstances, any increased cost due to proposed Rule 1000(b)(3) 
would be modest since corrective action normally would already be 
taken).
---------------------------------------------------------------------------

    Several commenters stated that the requirements of proposed Rule 
1000(b)(3) put too great an emphasis on immediate corrective action at 
the expense of thoroughly analyzing the SCI event and its cause, 
considering potential remedies, and/or acting in accordance with 
internal policies and procedures before committing to a plan to take 
corrective action.\1991\ Partly in response to this concern, the 
Commission has modified the rule as adopted from the proposal. The 
Commission agrees that an SCI entity should be given appropriate time 
to perform an initial analysis and preliminary investigation into a 
potential systems issue before the corrective obligations are 
triggered. If a corrective action were to be applied without such 
analysis or investigation, then the impact of an SCI event could 
persist, exacerbating or prolonging its negative effects on markets and 
market participants. The Commission notes that Rule 1002(a) does not 
use the term ``immediate.'' Rather, Rule 1002(a) requires that 
corrective action be taken ``as soon as reasonably practicable'' once 
the triggering standard has been met. The Commission believes that, 
because the facts and circumstances of each specific SCI event will be 
different, this standard would help ensure that an SCI entity takes 
necessary corrective action soon after an SCI event, but not without 
sufficient time to first consider what is the appropriate action to 
remedy the SCI event in a particular situation and how such corrective 
action should be implemented.\1992\
---------------------------------------------------------------------------

    \1991\ See SIFMA Letter at 3; OCC Letter at 14; Joint SROs 
Letter at 11; LiquidPoint Letter at 4; DTCC Letter at 10; and Direct 
Edge Letter at 7.
    \1992\ See also supra Section IV.B.3.a (discussing in more 
detail the triggering standard for corrective action, Commission 
notification, and information dissemination) and Section IV.B.3.b 
(discussing the corrective action requirement).
---------------------------------------------------------------------------

iii. Commission Notification--Rule 1002(b)
    As discussed above in Section IV.B.3.c, Rule 1002(b) requires SCI 
entities to provide notifications to the Commission regarding SCI 
events. Specifically, upon any responsible SCI personnel having a 
reasonable basis to conclude that an SCI event has occurred, an SCI 
entity is required to notify the Commission of the SCI event 
immediately. Within 24 hours of any responsible SCI personnel having a 
reasonable basis to conclude that an SCI event has occurred, an SCI 
entity is required to submit a more detailed written notification, on a 
good faith, best efforts basis, pertaining to the SCI event. Until such 
time as the SCI event is resolved and the SCI entity's investigation of 
the SCI event is closed, the SCI entity is required to provide updates 
regularly, or at such frequency as requested by a representative of the 
Commission. The SCI entity is also required to submit a detailed final 
written notification after the SCI event is resolved and the SCI 
entity's investigation of the event is closed (and an additional 
interim written notification, if the SCI event is not resolved or the 
investigation is not closed within a specified period of time). 
Finally, SCI entities are required to notify the Commission of 
information regarding de minimis systems disruptions and de minimis 
systems intrusions on a quarterly basis.
    The Commission believes that most, if not all, major systems 
incidents are
reported by ARP entities to the Commission and that many ``de minimis'' 
systems issues are documented internally by SCI entities as part of 
their incident management systems. For those entities that do not 
participate in the ARP Inspection Program, the Commission also believes 
that some internal documentation of systems incidents exists. In 
addition, the Commission notes that some SCI entities currently notify 
the Commission of certain systems compliance issues.
    Rule 1002(b) will apply to more entities (e.g., some SCI ATSs), 
more systems (e.g., market regulation and market surveillance systems, 
additional market data systems), and more types of systems issues 
(e.g., systems compliance issues) than the ARP Policy Statements, and 
also require more detailed reporting to the Commission.\1993\ The 
Commission believes that Rule 1002(b) will enhance the effectiveness of 
Commission oversight of the operation of SCI entities. For example, one 
commenter suggested that SCI events notification results in greater 
transparency for the Commission, with multiple benefits, including 
ensuring that the Commission has a view into problems at particular SCI 
entities for regulatory purposes as well as perspective on the effect 
of a single problem to the market at-large.\1994\ Further, the 
Commission believes that providing written notifications to the 
Commission could help prevent systems failures from being dismissed as 
momentary issues, because notification would help focus the SCI 
entity's attention on the issue and encourage allocation of SCI entity 
resources to resolve the issue as soon as reasonably practicable.
---------------------------------------------------------------------------

    \1993\ See supra Section IV.B.3.c (discussing in detail the 
requirements of Rule 1002(b)).
    \1994\ See Lauer Letter at 8.
---------------------------------------------------------------------------

    As noted in Section IV.B.3.c, the Commission received comment 
letters that discuss the resource and efficiency demands of the 
Commission notification requirement.\1995\ Some commenters expressed 
concern that SCI entities may feel compelled to characterize and report 
a greater number of systems anomalies as disruptions to comply with 
Regulation SCI,\1996\ and that the proposal would result in SCI 
entities having ``shadow staff'' on hand solely for reporting SCI 
events so as to not divert staff away from working to resolve SCI 
events.\1997\ While the Commission is adopting the definitions of 
systems disruptions, systems compliance issues, and systems intrusions, 
and providing discussions of these definitions in this release, the 
Commission acknowledges that some SCI entities could be overly cautious 
in seeking to be in compliance with Regulation SCI and therefore over-
report systems issues to the Commission. Furthermore, the Commission 
notes that some SCI entities currently notify the Commission of systems 
related issues under the ARP Inspection Program or as part of their 
current business practice, but the Commission believes that SCI 
entities will have to allocate additional resources to meet the 
Commission notification requirement. Although the estimated cost to 
comply with the adopted notification provisions is greater than the 
estimate in the SCI Proposal, the Commission is not persuaded that the 
adopted rule, with its more targeted scope, will require SCI entities 
to have a ``shadow staff'' on hand solely for reporting SCI events. As 
discussed in Section IV.B.3.c, the Commission believes that concerns 
with respect to resource demands regarding the Commission notification 
requirements have been substantially mitigated by the numerous changes 
from the proposal, such as the adoption of a quarterly reporting 
framework for de minimis systems disruptions and de minimis systems 
intrusions; the adoption of an exception from the Commission 
notification requirements for de minimis systems compliance issues; the 
revised definitions of SCI systems, indirect SCI systems, systems 
disruption, and systems compliance issue; and the reduction in the 
obligations SCI entities have with respect to reporting requirements. 
In addition, the Commission is not persuaded that the burden of the 
Commission notification requirement will significantly reduce SCI 
entities' ability to adequately respond to SCI events. It is the 
Commission's experience that the staff engaging in corrective action to 
resolve an SCI event is generally distinct from the staff that has been 
charged with notifying the Commission of systems issues.
---------------------------------------------------------------------------

    \1995\ See, e.g., UBS Letter at 3; Omgeo Letter at 16; MSRB 
Letter at 19; OCC Letter at 14; SunGard Letter at 5; Joint SROs 
Letter at 7; and NYSE Letter at 22.
    \1996\ See Joint SROs Letter at 9-10.
    \1997\ See FINRA Letter at 19.
---------------------------------------------------------------------------

    The compliance costs associated with Rule 1002(b) are attributed to 
the paperwork burden of Commission notifications of SCI events, 
including recordkeeping and submission of quarterly reports with 
respect to de minimis SCI events, as applicable.\1998\ As discussed in 
the PRA, with respect to SCI events that are not de minimis, the 
Commission has estimated the total annual hourly burden to comply with 
Rules 1002(b)(1)-(4) to be 125,180 hours for all SCI entities 
(monetized to be approximately $40 million), or 2,845 hours per SCI 
entity.\1999\ This estimate is greater than that estimated in the SCI 
Proposal (which estimate was 58,080 hours for all SCI entities, or 
1,320 hours per SCI entity to comply with proposed Rules 1000(b)(4)(i)-
(iii)). As more fully explained in the PRA, the Commission has 
increased its estimate to comply with the Commission notification 
provisions in Rules 1002(b)(1)-(4), notwithstanding the more targeted 
scope of the adopted rule, as compared to the proposed rule. These 
increased estimates are in response to comment that the estimates in 
the SCI Proposal were too low, particularly with respect to the time 
necessary for an SCI entity to prepare, review, and submit the required 
notifications.\2000\ In addition, for Rule 1002(b)(5), which requires 
recordkeeping of all de minimis SCI events and quarterly reporting of 
de minimis systems disruptions and de minimis systems intrusions, the 
Commission has estimated a total of 7,040 hours for all SCI entities 
(monetized to be approximately $2 million), or 160 hours per SCI 
entity, for Commission notification. The number of SCI events (de 
minimis and otherwise), and the burdens to comply with notification 
requirements will likely vary among individual SCI entities, based on 
the nature of their business, technology, and the relative criticality 
of each of their SCI systems.
---------------------------------------------------------------------------

    \1998\ When monetized, the paperwork burden would result in 
approximately $42 million, in addition to approximately $2 million 
in outsourcing cost, annually for all SCI entities in the aggregate.
    \1999\ See supra Section V.D.2.a (discussing the Commission's 
estimate of the hours required to comply with Rule 1002(b)).
    \2000\ See id.
---------------------------------------------------------------------------

    In addition, the Commission believes that most, if not all, SCI 
entities already have some internal procedures for determining the 
severity of a systems issue. Nevertheless, to the extent that an SCI 
entity must determine whether an SCI event is a de minimis SCI event, 
Rule 1002(b) may impose one-time implementation costs on SCI entities 
associated with developing a process for ensuring that they are able to 
quickly and correctly make such determinations, as well as ongoing 
costs in reviewing the adopted process. The initial and ongoing burden 
associated with identifying certain systems and SCI events is discussed 
in Section V.D.3.b.\2001\
---------------------------------------------------------------------------

    \2001\ When monetized, the paperwork burden would result in 
approximately $1.1 million initially and $413,000 annually for all 
ARP entities in the aggregate, and approximately $885,000 initially 
and $292,000 annually for all non-ARP entities in the aggregate. 
These estimates include the identification of critical SCI systems, 
major SCI events, and de minimis SCI events.

---------------------------------------------------------------------------

    Proposed Rule 1000(b)(4) did not distinguish de minimis SCI events 
from other SCI events in terms of the timing or type of Commission 
notifications. The Commission believes that the adopted quarterly 
Commission reporting requirement for de minimis systems disruptions and 
de minimis systems intrusions, and the exception from the Commission 
reporting requirement for de minimis systems compliance issues, will 
reduce costs related to Commission reporting (as compared to the costs 
of complying with the proposed Commission notification requirements) 
for SCI entities, and could facilitate more efficient allocation of SCI 
entities' resources toward more significant systems issues because de 
minimis SCI events would be subject to a recordkeeping requirement and 
de minimis systems disruptions and de minimis systems intrusions would 
be subject to a quarterly reporting requirement, rather than a 
requirement to report such events to the Commission more immediately. 
As de minimis SCI events are defined to have no or a de minimis impact 
on the SCI entity's operations or on market participants, the 
Commission believes that the recordkeeping requirement and quarterly 
reporting requirement, as applicable, will allow both the SCI entity 
and its personnel, as well as the Commission and its staff, to focus 
more of their attention and resources on other, more significant SCI 
events. Moreover, the quarterly Commission notification requirement for 
de minimis systems disruptions and de minimis systems intrusions will 
help SCI entities and the Commission to gather information on the 
nature, types, and frequency of de minimis SCI events and, thus, help 
identify potential weaknesses in systems across SCI entities and 
Commission's ability to monitor market events. The Commission believes 
that the quarterly reporting requirement for de minimis systems 
disruptions and de minimis systems intrusions balances the interest of 
SCI entities in having a limited reporting burden for de minimis 
systems disruptions and de minimis systems intrusions with the 
Commission's interest in oversight of the information technology 
programs of SCI entities.
    Furthermore, proposed Rule 1000(b)(4)(iii) would have required an 
SCI entity to submit written updates pertaining to an SCI event until 
the SCI event is resolved. The Commission has revised the update 
requirement from the proposal in adopted Rule 1002(b)(3) so that the 
submission of updates may be provided either orally or in written 
form.\2002\ This revision should reduce costs as compared to proposed 
Rule 1000(b)(4) by providing flexibility to SCI entities and because 
oral notifications will likely result in a lower burden than written 
notifications.
---------------------------------------------------------------------------

    \2002\ See supra Section IV.B.3.c.
---------------------------------------------------------------------------

    The Commission has also modified the 24-hour written notification 
requirement in adopted Rule 1002(b) to make clear that the written 
notification provided within 24 hours be submitted on a good faith, 
best effort basis. Compared to the proposed rule, the Commission 
believes the adopted rules will help provide certainty to SCI entities 
that they will not be accountable for unintentional inaccuracies or 
omissions contained in these submissions. The ``best efforts'' standard 
will also help to ensure that SCI entities will make a diligent and 
timely attempt to provide all the information required by the written 
notification requirement, thus permitting the Commission to effectively 
monitor SCI events.
    As discussed in Section IV.B.3.c, with respect to submitting final 
written notifications, proposed Rule 1000(b)(4)(ii) would have required 
the submission of the information required to be included in the final 
written notification within a shorter time frame. By requiring that the 
final written notification be submitted after resolution of an SCI 
event, the Commission believes that the adopted rule will encourage SCI 
entities to allocate their resources efficiently in resolving the SCI 
event.
    One commenter expressed concern that, without a safe harbor and a 
guarantee of immunity, the disclosures to the Commission required under 
Regulation SCI would provide a roadmap for litigation against non-SRO 
entities.\2003\ As discussed in Section IV.B.2.b, the occurrence of a 
systems compliance issue does not necessarily mean that the SCI entity 
will be subject to an enforcement action. Rather, the Commission will 
exercise its discretion to initiate an enforcement action if the 
Commission determines that action is warranted, based on the particular 
facts and circumstances of an individual situation. Moreover, the 
Commission recognizes that compliance with Regulation SCI will increase 
the amount of information about SCI events available to the Commission 
and SCI entities' members and participants, and that the greater 
availability of this information has some potential to increase 
litigation risks for SCI entities, including the risk of private civil 
litigation. Commenters did not provide estimates of potential 
litigation costs and Commission staff were unable to find readily-
available public information from which to estimate specific costs of 
possible litigation associated with the increased information available 
about SCI events, but based on staff experience, depending on the 
complexity, scope, and length of the litigation, the costs to defend an 
individual case could be quite significant. The Commission notes, 
however, that it is not clear that the incremental increase in costs 
due to Regulation SCI will be significant in the aggregate. Regulation 
SCI does not alter the elements of any available private cause of 
action, and the elements of such actions are likely to limit the 
potential for recovery. Moreover, to the extent members and 
participants suffer damages when SCI events occur, SCI entities are 
already subject to litigation risk.
---------------------------------------------------------------------------

    \2003\ See OTC Markets Letter at 15-16 (stating that ``entities 
that do not have SRO immunity, such as ATSs, may be subject to 
liability based on information reported under Reg. SCI's Rule 
1000(b)(4)(iv) . . . [w]ithout a safe harbor and a guarantee of 
immunity, this kind of disclosure provides a roadmap for litigation 
against non-SRO SCI entities''). See also FIF Letter at 5.
---------------------------------------------------------------------------

    As an alternative to the adopted rule, some commenters suggested 
that non-material systems intrusions not be reported to the Commission 
at all, and only be recorded by the SCI entity to reduce the instances 
in which notice of systems intrusions would be required.\2004\ The 
Commission continues to believe that reporting intrusions in SCI 
systems and indirect SCI systems will help the Commission and its staff 
to detect patterns or understand trends over time and the nature of 
systems intrusions that may be occurring at multiple SCI entities and, 
thus, help ensure effective Commission oversight. As discussed in 
Section IV.B.3.c in detail, to reduce the burden associated with the 
Commission notification requirement, the Commission established 
separate reporting requirements (e.g., quarterly reporting) for de 
minimis systems disruptions and de minimis systems intrusions and 
provided an exception from the Commission reporting requirement for de 
minimis systems compliance issues.
---------------------------------------------------------------------------

    \2004\ See Omgeo Letter at 12; and DTCC Letter at 8.
---------------------------------------------------------------------------

iv. Information Dissemination--Rule 1002(c)
    Rule 1002(c) requires an SCI entity to disseminate information 
regarding
certain major SCI events to all of its members or participants and 
certain other SCI events to affected members or participants. 
Specifically, promptly after any responsible SCI personnel having a 
reasonable basis to conclude that an SCI event has occurred, an SCI 
entity is required to disseminate certain information regarding the SCI 
event. When certain additional information becomes known, the SCI 
entity is required to promptly disseminate such information. Until the 
SCI event is resolved, the SCI entity is required to provide regular 
updates on the required information.\2005\ As adopted, the information 
dissemination requirement does not apply to SCI events to the extent 
they relate to market regulation or market surveillance systems and de 
minimis SCI events. Rule 1002(c) imposes new requirements that are not 
currently part of the ARP Inspection Program. However, some entities 
currently provide their members or participants and, in some cases, 
market participants or the public more generally, with notices of 
systems issues.
---------------------------------------------------------------------------

    \2005\ Rule 1002(c)(2) provides an exception to the information 
dissemination requirement for systems intrusions when an SCI entity 
determines that dissemination of information would likely compromise 
the security of the SCI entity's systems, or an investigation of the 
systems intrusion, and documents the reasons for such determination.
---------------------------------------------------------------------------

    As discussed in Section IV.B.3.d, a major SCI event is defined to 
mean an SCI event that has any impact on a critical SCI system or a 
significant impact on the SCI entity's operations or on market 
participants. The Commission believes that, in the context of a major 
SCI event, where the impact of the SCI event is most likely to be felt 
by many market participants, the goal of aiding market participants in 
evaluating the impact of the event would be efficiently served by 
dissemination of information to all members or participants of the SCI 
entity.\2006\
---------------------------------------------------------------------------

    \2006\ At the same time, the Commission recognizes that some SCI 
events that meet the definition of ``major SCI event'' could also 
qualify as de minimis SCI events. Like other de minimis SCI events, 
they are excepted from the information dissemination requirement. In 
particular, because major SCI events are a subset of SCI events, the 
exception under Rule 1002(c)(4)(ii) applies to major SCI events that 
meet the requirements of that rule.
---------------------------------------------------------------------------

    The Commission believes that Rule 1002(c) will help market 
participants--specifically the members or participants of SCI entities 
estimated to be affected by an SCI event and any additional members or 
participants subsequently estimated to be affected by an SCI event and, 
in some cases, all members or participants of an SCI entity--to better 
evaluate the operations of SCI entities by requiring certain 
information to be disclosed. Furthermore, increased awareness of SCI 
events through information disseminated to members or participants 
should provide SCI entities additional incentives to maintain robust 
systems and minimize the occurrence of SCI events. More robust SCI 
systems and the reduction in the occurrence of SCI events could reduce 
interruptions in the price discovery process and liquidity flows as 
discussed above in Section VI.C.1.
    One commenter provided information about the benefits of the 
proposed information dissemination requirements. Specifically, 
according to this commenter, one of the major benefits of Regulation 
SCI could be better sharing of information about technology 
problems.\2007\ According to this commenter, sharing information about 
hardware failures, systems intrusions, and software glitches will alert 
others in the industry about such problems and help reduce system-wide 
costs of diagnosing problems, as well as result in improved responses 
to technology problems.\2008\ This commenter also believed that the 
information will serve as warnings to other SCI entities to stay 
vigilant to prevent similar problems.\2009\ The Commission believes 
that benefits identified by the commenter could be benefits of Rule 
1002(c).
---------------------------------------------------------------------------

    \2007\ See Angel Letter at 5.
    \2008\ See id.
    \2009\ See id. However, this commenter also disagreed with the 
Commission that SCI entities may be reluctant to admit publicly to 
their glitches. See id. at 14. According to this commenter, market 
participants interact repeatedly with each other on a real-time 
basis and are acutely aware of glitches when they occur. See id.
---------------------------------------------------------------------------

    As discussed above, while some entities currently provide their 
members or participants and, in some cases, market participants or the 
public more generally, with notices of certain systems issues (e.g., 
system outages), Rule 1002(c) imposes new requirements that are not 
currently part of the ARP Inspection Program. As such, the requirements 
of Rule 1002(c) will impose costs--which are attributed to paperwork 
burdens--on SCI entities with respect to preparing, drafting, 
reviewing, and making the information available to members or 
participants. These costs are discussed in more detail in Section 
V.D.2.b.\2010\
---------------------------------------------------------------------------

    \2010\ When monetized, the paperwork burden would result in 
approximately $26 million, in addition to approximately $1.6 million 
in outsourcing cost, annually for all SCI entities in the aggregate.
---------------------------------------------------------------------------

    In the SCI Proposal, the Commission recognized that SCI entities 
incur costs to determine whether an event needs to be disseminated. 
While the SCI events subject to the adopted information dissemination 
requirements are different from those that would have been subject to 
the proposed requirements, the Commission continues to recognize that 
the determination imposes costs. Specifically, identifying major SCI 
events may impose one-time implementation costs on SCI entities 
associated with developing a process for ensuring that they are able to 
quickly and correctly make such determinations, as well as periodic 
costs in reviewing the adopted process. These costs are discussed in 
more detail in Section V.D.3.b.\2011\
---------------------------------------------------------------------------

    \2011\ See also supra note 2001.
---------------------------------------------------------------------------

    One commenter expressed concern that SCI entities may over-report 
issues out of an abundance of caution if SCI entities are not given 
clear guidelines as to what and to whom they are required to provide 
information.\2012\ This commenter believed that a flood of 
notifications, taken out of context, may create an investor impression 
based on the quantity, not the quality, of the notifications 
disseminated, that certain counterparties pose serious risks to the 
market, when that is not the case.\2013\ For the reasons discussed in 
Section IV.B.3.d, the Commission believes that information about SCI 
events (other than major SCI events and de minimis SCI events) should 
be disseminated to affected members or participants, and information 
about major SCI events (other than those that qualify as de minimis SCI 
events) should be disseminated to all members or participants of an SCI 
entity. At the same time, as compared to proposed Rule 1000(b)(5), the 
Commission is limiting the requirement for information dissemination to 
all members or participants of an SCI entity to major SCI events; 
limiting other information dissemination to members or participants 
affected by the SCI event; and excluding de minimis SCI events and SCI 
events related to market regulation or market surveillance systems from 
the information dissemination requirement. These changes would limit 
the compliance cost for Rule 1002(c), and are responsive to the 
commenter's concern that SCI entities may over-disclose systems issues.
---------------------------------------------------------------------------

    \2012\ See Fidelity Letter at 5.
    \2013\ See id.
---------------------------------------------------------------------------

    As an alternative to the adopted rule, one commenter suggested 
broadening the proposed rule to require an SCI entity to disseminate 
information on SCI events to the public, and not just to its
members or participants.\2014\ This commenter believed that public 
dissemination of the facts of an SCI event would help enhance investor 
confidence by preventing speculation and misinformation, and would 
provide important learning opportunities for the industry and other SCI 
entities.\2015\ The Commission acknowledges that there can be 
additional benefits from disseminating major SCI events to the public 
as noted by the commenter. Under the adopted rule, an SCI entity is 
required to disseminate information on major SCI events (other than 
those that qualify as de minimis SCI events) to all of its members and 
participants. The Commission believes that these market participants 
are the most likely to act on this information and, thus, induce 
additional competitive incentives for SCI entities to avoid systems 
issues. As such, the Commission believes that it can achieve the 
purposes of the rule without requiring public dissemination, and also 
believes any additional gain in benefits from public dissemination 
would be minimal.
---------------------------------------------------------------------------

    \2014\ See MFA Letter at 7.
    \2015\ See id.
---------------------------------------------------------------------------

v. Material Systems Changes--Rule 1003(a)
    Rule 1003(a)(1) requires an SCI entity to provide quarterly reports 
to the Commission, describing completed, ongoing, and planned material 
systems changes to its SCI systems and the security of indirect SCI 
systems, during the prior, current, and subsequent calendar quarters. 
Rule 1003(a)(1) also requires an SCI entity to establish reasonable 
written criteria for identifying a change to its SCI systems and the 
security of its indirect SCI systems as material. Rule 1003(a)(2) 
requires an SCI entity to promptly submit a supplemental report to 
notify the Commission of a material error in or material omission from 
a previously submitted report.
    Entities that participate in the ARP Inspection Program currently 
provide some material systems change notifications to the Commission 
and the Commission believes that all SCI entities have some internal 
processes for documenting systems changes as a matter of prudent 
business practice. For example, consistent with the ARP Policy 
Statements, certain entities provide annual reports on significant 
systems changes and notify the Commission on an as-needed basis 
regarding certain significant systems changes. In addition, ATSs are 
required to notify the Commission of certain systems changes pursuant to 
Rule 301(b)(2)(ii) and Rule 301(b)(6)(ii)(G) of Regulation ATS, as 
applicable. Rule 1003(a) changes some of the current practices and sets 
forth more detailed requirements for these notifications. For example, 
Rule 1003(a) covers material changes on a broader set of systems than 
the ARP Inspection Program or Regulation ATS. Rule 1003(a) also 
requires an SCI entity to submit quarterly reports on Form SCI 
regarding material systems changes, but does not require separate 
notification for each material systems change. Further, Rule 1003(a) 
requires an SCI entity to promptly notify the Commission (by submitting 
Form SCI) of a material error in or material omission from a previously 
submitted report. To the extent that Rule 1003(a) requires SCI entities 
to notify the Commission of material systems changes for more types of 
systems and to the extent that it requires notification at a higher 
frequency than current practice (quarterly reports vs. annual reports), 
the Commission believes that Rule 1003(a) should enhance the 
Commission's oversight of the operation of SCI entities.
    The compliance costs of Rule 1003(a) primarily entail costs 
associated with preparing and submitting Form SCI in accordance with 
the instructions thereto. The initial and ongoing cost estimates 
associated with preparing and submitting Form SCI with regard to 
material systems changes under Rules 1003(a)(1) and (2) are discussed 
in detail in Section V.D.2.c.\2016\ The Commission does not expect Rule 
1003(a) will impose significant costs on SCI entities other than those 
discussed in Section V.D.2.c.
---------------------------------------------------------------------------

    \2016\ When monetized, the paperwork burden would result in 
approximately $6.8 million annually for all SCI entities in the 
aggregate.
---------------------------------------------------------------------------

    According to one commenter, ``[t]he larger market participants 
[that will be subject to Regulation SCI] are generally experienced and 
circumspect with regards to significant infrastructure changes, such as 
data center migrations and major platform upgrades.'' \2017\ This 
commenter expected that, for these larger entities, integrating 
Regulation SCI compliance into their existing programs can occur 
without crippling disruption or exorbitant cost, and expected that 
insight from the implementation of Regulation SCI would contribute to 
overall stability and resiliency of the markets over time.\2018\ 
However, this commenter expressed concern that compliance with the 
Commission notification requirement will result in incremental costs 
that may in some cases delay or discourage innovation.\2019\ Another 
commenter similarly expressed concern about the compliance burden and 
the resulting impact on competition and innovation associated with the 
30-day advance Commission notification requirement for material systems 
changes.\2020\ In addition, one commenter noted that the Commission 
underestimated the cost of lost business opportunities and the 
inability to swiftly deploy corrective solutions that would result from 
the 30-day advance systems change notification requirements.\2021\ This 
commenter noted that most ATS operators with advanced systems 
purposefully implement frequent agile modifications instead of major 
episodic changes in order to continuously improve their systems and 
minimize the impact of the changes.\2022\ This commenter expressed 
concern that a built-in 30-day delay in implementing changes would 
encourage the deployment of larger, riskier changes more infrequently, 
thereby creating longer periods of time during which a systems issue 
and/or erroneous configuration would continue without correction.\2023\ 
This commenter also stated that the 30-day advance notification process 
has the potential to delay the deployment of corrective solutions that 
are necessary to ensure the provision of uninterrupted and efficient 
order matching services at the best available prices.\2024\
---------------------------------------------------------------------------

    \2017\ See SunGard Letter at 3.
    \2018\ See id.
    \2019\ See id.
    \2020\ See BATS Letter at 15. See also, e.g., supra notes 999-
1000 (discussing the views of commenters that the proposed 30-day 
advance notification requirement would stifle innovation and 
interfere with an SCI entity's natural planning and development 
process).
    \2021\ See ITG Letter at 8.
    \2022\ See id.
    \2023\ See id.
    \2024\ See id.
---------------------------------------------------------------------------

    As noted above, as adopted, Regulation SCI does not include the 
proposed 30-day advance Commission notification requirement for 
material systems changes. Rather, Rule 1003(a)(1) requires quarterly 
reports of material systems changes. Elimination of the proposed 30-day 
advance Commission notification requirement addresses the concern of 
some commenters that the rule would impede agile development 
methodology and favor the waterfall development methodology, or delay 
the implementation of systems changes or innovations, particularly for 
smaller SCI entities. The quarterly reports will also provide the 
Commission and its staff with a more efficient framework to review 
material systems changes,
because including all relevant material systems changes in a single 
report will allow the Commission to more easily and clearly understand 
an SCI entity's framework for systems changes, including how certain 
material systems changes are related.\2025\
---------------------------------------------------------------------------

    \2025\ As discussed above, Commission staff will not use 
material systems change reports to require any approval of planned 
systems changes in advance of their implementation pursuant to any 
provision of Regulation SCI, or to delay implementation of material 
systems changes pursuant to any provision of Regulation SCI. See 
supra Section IV.B.4.b.
---------------------------------------------------------------------------

vi. SCI Review--Rule 1003(b)
    Rule 1003(b) requires an SCI entity to conduct an SCI review of its 
compliance with Regulation SCI not less than once each year,\2026\ and 
submit a report of the SCI review to senior management of the SCI 
entity for review no more than 30 calendar days after completion of 
such SCI review. Rule 1003(b) also requires an SCI entity to submit a 
report of the SCI review to the Commission and to the board of 
directors of the SCI entity or the equivalent of such board, together 
with any response by senior management, within 60 calendar days after 
its submission to senior management of the SCI entity.
---------------------------------------------------------------------------

    \2026\ However, penetration test reviews of the network, 
firewalls, and production systems are required to be conducted not 
less than once every three years. See Rule 1003(b)(i). Assessments 
of SCI systems directly supporting market regulation or market 
surveillance are required to be conducted at a frequency based upon 
the risk assessment conducted as part of the SCI review, but also 
not less than once every three years. See Rule 1003(b)(1)(ii).
---------------------------------------------------------------------------

    Systems reviews have been part of the ARP Inspection Program, and 
through this program, the Commission understands that many SCI entities 
currently undertake annual systems reviews and that senior management 
and/or the board of directors or a committee thereof reviews reports of 
such reviews. However, the Commission believes that the scope of the 
systems reviews, and the level of senior management and/or board 
involvement in such reviews, varies among ARP entities. The Commission 
expects that the SCI review requirement would produce greater 
consistency in the approach that SCI entities take in systems reviews, 
which would help improve the efficiency of the Commission's oversight 
(e.g., inspection) of SCI entities' systems. In addition, the 
Commission believes that the SCI review requirement would result in SCI 
entities having an improved awareness of the relative strengths and 
weaknesses of their systems independent of the assessment of Commission 
staff, which should, in turn, improve systems and reduce the number of 
SCI events. As discussed in Section VI.C.1, the reduction in occurrence 
of SCI events could reduce interruptions in the price discovery process 
and liquidity flows.
    The initial and ongoing paperwork burden associated with conducting 
an SCI review, submitting a report of the SCI review to senior 
management of the SCI entity for review, and submitting a report of the 
SCI review and any response by senior management to the Commission and 
to the board of directors of the SCI entity or the equivalent of such 
board is discussed in Section V.D.2.d.\2027\ SCI entities will also 
incur costs in addition to the paperwork burden to comply with the SCI 
review requirement. Although the Commission understands that most SCI 
entities currently undertake annual systems reviews, Rule 1003(b) sets 
forth specific requirements related to the SCI review. In particular, 
an SCI review is required to include a risk assessment with respect to 
SCI systems and indirect SCI systems of an SCI entity, an assessment of 
internal control design and effectiveness of SCI systems and indirect 
SCI systems, and penetration testing reviews. Moreover, Rule 1003(b) 
specifies that the SCI review is to determine the SCI entity's 
compliance with Regulation SCI. Rule 1003(b) also requires a report of 
the SCI review and any senior management response to be submitted to 
the board of directors of the SCI entity or the equivalent of such 
board and thus SCI entities may incur an additional cost as a result of 
additional time the board allocates to evaluate the review. The 
Commission cannot estimate costs other than paperwork burdens because 
the Commission does not have the information necessary to provide a 
reasonable estimate. In particular, the Commission lacks information on 
how SCI entities will structure their reviews.
---------------------------------------------------------------------------

    \2027\ When monetized, the paperwork burden would result in 
approximately $9.7 million, in addition to approximately $2.2 
million in outsourcing cost, annually for all SCI entities in the 
aggregate.
---------------------------------------------------------------------------

    As discussed above in Section IV.B.5, the Commission is not 
adopting a requirement that SCI reviews be conducted by an independent 
third party because the Commission believes that the goals of 
Regulation SCI can be achieved through reviews by either internal 
objective personnel or external objective personnel. The Commission 
acknowledges that, in some cases, there could be potential benefits 
from requiring third party reviews. However, as noted in Section 
IV.B.5, third parties can also have conflicts of interest that prevent 
a particular entity or personnel from meeting the objectivity standard 
required for an SCI review. In addition, during the Technology 
Roundtable in which participants discussed third party review, some 
panelists suggested that the use of an external third party is 
unnecessary because, for example, the training for a third party as 
well as the costs involved with third party evaluations would be large 
with little additional benefit.\2028\ The Commission agrees that SCI 
entities would likely need to provide significant guidance to third-
party reviewers on the specific features of the entity's systems. The 
Commission recognizes that a third-party review requirement could 
impose additional costs on SCI entities, and believes that it is 
appropriate at this time to allow SCI entities to decide whether to 
incur such costs instead of mandating third-party review.
---------------------------------------------------------------------------

    \2028\ See Transcript of the Technology Roundtable, at 86-91.
---------------------------------------------------------------------------

vii. Business Continuity and Disaster Recovery Plan Testing--Rule 1004
    Rule 1004(b) requires the testing of an SCI entity's business 
continuity and disaster recovery plans at least once every 12 months. 
Rules 1004(a) and (b) require participation in such testing by those 
members or participants that an SCI entity reasonably determines are, 
taken as a whole, the minimum number necessary for the maintenance of 
fair and orderly markets in the event of the activation of its business 
continuity and disaster recovery plans. Rule 1004(c) requires an SCI 
entity to coordinate such testing on an industry- or sector-wide basis 
with other SCI entities.
    The requirements under Rule 1004 are not a part of the ARP 
Inspection Program. As discussed above in Section VI.B.2, the 
securities industry generally has a voluntary system for testing 
business continuity and disaster recovery plans and market 
participants, including exchanges, members of exchanges, clearing 
agencies, clearing members, and ATSs, already coordinate certain 
business continuity and disaster recovery plan testing to some extent. 
For example, some SCI entities already require some of their members or 
participants to connect to their backup systems. Further, although 
participation is not always mandatory, some SCI entities already 
provide their members or participants with the opportunity to test the 
SCI entity's business continuity and disaster recovery plans. However, 
because not all SCI entities require member or participant 
participation in business continuity and disaster recovery plans 
testing, the Commission
understands that not all market participants participate in such 
testing. Moreover, the Commission understands that, to the extent such 
participation occurs, it may in many cases be limited in nature (e.g., 
testing for connectivity to backup systems).\2029\
---------------------------------------------------------------------------

    \2029\ See Proposing Release, supra note 13, at 18164.
---------------------------------------------------------------------------

    The Commission believes that, for SCI entities, voluntary testing 
is insufficient, and that business continuity and disaster recovery 
planning for market centers and certain members or participants must be 
an integral component of business continuity and disaster recovery 
preparedness. The Commission further believes that the requirements 
under Rule 1004 should help ensure that the securities markets will 
have improved backup infrastructure and fewer market-wide shutdowns. As 
discussed in detail in Section VI.C.1, fewer market-wide shutdowns 
should help facilitate continuous liquidity flows in markets, reduce 
pricing errors, and thus improve the quality of the price discovery 
process.
    With respect to these benefits, one commenter suggested measuring 
benefits of reducing outages and technical issues by looking at, for 
example, loss of trading commissions due to outages.\2030\ This 
commenter estimated that the potential loss of equity commissions by 
broker-dealers over the two-day market closure from Superstorm Sandy 
may have been approximately $374 million.\2031\ The Commission believes 
that measuring potential benefits in terms of transaction costs 
(commission revenue) does not fully account for other benefits, such as 
uninterrupted liquidity flows and price discovery.\2032\ Furthermore, 
the Commission believes that the estimated commission loss noted by the 
commenter likely overstates the actual losses in commissions because 
some of the ``lost'' trading may have only been delayed until the 
markets re-opened after Superstorm Sandy. Accordingly, the Commission 
is not persuaded that the estimate provided by the commenter represents 
the quantified benefit associated with this component of Regulation 
SCI. The Commission is unable to estimate the benefit of this component 
of Regulation SCI because the Commission does not have quantified 
information on the extent that a reduction in SCI events will help 
facilitate liquidity flows in markets, reduce pricing errors, and thus 
improve the quality of the price discovery process. Furthermore, the 
Commission is unable to quantify the impact of ``delayed'' trading 
because it lacks the information necessary to provide a reasonable 
estimate. In particular, data on the trading activity lost as opposed 
to ``delayed'' due to the two-day market closure would be extremely 
difficult to piece together in a meaningful way.
---------------------------------------------------------------------------

    \2030\ See Angel Letter at 15-16. The Commission also notes that 
this commenter and others expressed the view that enhanced BC/DR 
testing would have substantial benefits. See, e.g., id. at 9-10 
(stating that the ``ability of SROs to require their members to 
participate in testing is an important step forward in making sure 
that testing is as realistic as possible . . . [and] is one of the 
most valuable parts of Regulation SCI and will do the most to ensure 
improved market network reliability''); and UBS Letter at 5 (stating 
that the ``critical task of BCP testing should not be undertaken in 
isolated silos by individual firms. Individual BCP testing that does 
not involve realistic scenarios with connected participants may mask 
gaps and/or be insufficient from a systems integrity standpoint'' 
and that the benefits of a ``new and more comprehensive BCP testing 
paradigm'' would be ``broad and considerable'').
    \2031\ This commenter based this estimate on FINRA member equity 
commissions in 2010 obtained from SIFMA. See Angel Letter at 16. In 
addition, this commenter referred to the losses and legal and 
administrative costs associated with the Facebook IPO, as well as 
the losses associated with the May 6, 2010 incident. See id. at 15-
16. This commenter also more generally stated that the benefits of 
reducing outages and major technical issues are pretty 
straightforward--catastrophic failures in exchange systems are 
extremely costly, both in terms of direct losses to participants and 
in reduced investor confidence in the markets. See id. at 15. 
According to this commenter, even a modest reduction in the overall 
risk of a meltdown is quite cost effective to the economy as a 
whole. See id.
    \2032\ As noted by this commenter, the $374 million loss does 
not include lost trading profits to investors, or loss of utility 
from being able to hedge risk, monetize holdings, or otherwise 
trade. See id. at 16.
---------------------------------------------------------------------------

Costs to SCI Entities
    The mandatory testing of SCI entity business continuity and 
disaster recovery plans, including backup systems, as required under 
Rule 1004, will result in additional costs to SCI entities. The 
Commission notes that some SCI entities already offer availability for 
their members or participants to test business continuity and disaster 
recovery plans. Furthermore, as mentioned above, market participants, 
including SCI entities, already coordinate certain business continuity 
plan testing to an extent. However, Rule 1004 mandates participation in 
testing for some entities that do not currently participate, requires 
more rigorous testing than currently required, and requires greater 
coordination than SCI entities and market participants currently engage 
in. In particular, Rule 1004 requires SCI entities to designate their 
members or participants to participate in business continuity and 
disaster recovery plan testing and to coordinate such testing with 
other SCI entities on an industry- or sector-wide basis. The 
requirement of member or participant designation in business continuity 
and disaster recovery plan testing under Rule 1004 imposes additional 
costs as an SCI entity would have to allocate resources towards initially 
establishing and later updating standards for the designation of its 
members and participants for testing. Furthermore, the requirement to 
coordinate industry- or sector-wide testing will impose additional 
administrative costs because an SCI entity would be required to notify 
its members or participants and also organize, schedule, and manage the 
coordinated testing.\2033\
---------------------------------------------------------------------------

    \2033\ Administrative costs associated with coordinating testing 
are included as part of the PRA burden of Rule 1004. See supra 
Section V.D.1.b. As discussed in Section V.D.1.b, the Commission 
continues to believe that plan processors will outsource the work 
related to compliance with Rule 1004.
---------------------------------------------------------------------------

    Some commenters stated that the scope of the proposed testing 
requirement would impose costs on SCI entities that the Commission did 
not account for, including the cost to reconfigure their systems to 
engage in functional and performance testing, the cost of establishing 
effective coordinated test scripts for the testing, and time necessary 
to conduct the required testing.\2034\ Another commenter stated that 
testing will be costly to ATSs and their subscribers, and that the 
aggregate cost for all would be higher than the $66 million estimated 
in the SCI Proposal.\2035\ This commenter noted that the cost includes 
the time, resources, and professional staff that would be devoted to 
the testing process, and the resulting lost business opportunities 
associated with the ability to focus on revenue generating 
projects.\2036\ In addition, this commenter stated that, while 
connectivity between an ATS and its subscribers may already be 
established, additional configurations and build out of systems may be 
required to create a testing environment that simulates live market 
conditions.\2037\
---------------------------------------------------------------------------

    \2034\ See supra Section IV.B.6.b (discussing comments on 
proposed Rule 1000(b)(9)).
    \2035\ See ITG Letter at 15-16.
    \2036\ See id.
    \2037\ See id.
---------------------------------------------------------------------------

    Another commenter stated that there are dozens of man-days of pre-
test planning, preparation, pre-testing testing, testing, and post-
mortem reviews for SCI entities associated with the industry test 
initiatives.\2038\ According to this commenter, there are anywhere from 
tens to hundreds of business and technology staff engaged
in this initiative.\2039\ This commenter estimated the following staff 
levels required to support testing: Exchanges--175-200+ man-days; 
member firms--80-85 man-days; and ATSs--12-25 man-days.\2040\ Based on 
the commenter's upper estimates measured in man-days, the Commission 
estimated monetary values by allocating hours among the traders, 
technologists, programmers/system administrators, exchange personnel, 
and analysts necessary for implementation of disaster recovery testing. 
This estimation yields implied annual average total cost estimates of 
$500,000 and $60,000 for exchanges and ATSs, respectively.\2041\ For 
the reasons discussed below, the Commission believes that this 
commenter's cost estimate does not accurately reflect the costs to SCI 
entities.
---------------------------------------------------------------------------

    \2038\ See Tellefsen Letter at 11.
    \2039\ See id.
    \2040\ See id.
    \2041\ The allocations are based on Commission staff experience 
that exchanges would divide their personnel as 85% technologists, 5% 
exchange rule enforcement personnel, and 10% business analysts, and 
ATSs are assumed to divide their personnel as 90% technologists and 
10% business analysts based on staff experience. The hourly rates 
are from SIFMA's Management & Professional Earnings in the 
Securities Industry 2012, modified by Commission staff to account 
for an 1800-hour work-year and multiplied by 5.35 to account for 
bonuses, firm size, employee benefits and overhead. The calculation 
for ATSs was as follows: 25 days x (10% time required by analysts x 
$245/hour + 90% time required by technologists x $282/hour) = 
$55,660 per ATS. For each exchange: 200 days x (85% time required by 
technologists x $282/hour + 10% time required by analysts x $245/
hour + 5% time required by supervisors x $446/hour) = $458,400 per 
exchange. The Commission has rounded up because the breakdown 
between analysts, supervisors, and technologists may vary between 
ATSs and Exchanges.
    In the absence of a specific estimate provided by the commenter 
for plan processors or clearing agencies, the estimate for exchanges 
is assumed to apply to these types of SCI entities. Estimates for 
members and participants are discussed separately below.
---------------------------------------------------------------------------

    The Commission recognizes that the factors described by commenters 
will contribute to costs for SCI entities associated with business 
continuity and disaster recovery plans testing. For example, as 
discussed in Section IV.B.6.b, the Commission acknowledges that systems 
reconfiguration for functional and performance testing and establishing 
an effective coordinated test script could be a complex process and 
result in costs. At the same time, the Commission believes that systems 
reconfiguration and the establishment of an effective coordinated test 
script is an important first step in establishing robust and effective 
business continuity and disaster recovery plans testing. The 
Commission also notes that costs of Rule 1004 are likely to be lower 
than those estimated by commenters because of changes made to the 
proposed rule. For example, although Rule 1004 would require testing of 
BC/DR plans that is more rigorous than some types of testing urged by 
some commenters, the adopted rule includes a more targeted member and 
participant designation provision than the proposed rule. As discussed 
above in Section IV.B.6.b, compared to proposed Rule 1000(b)(9), the 
Commission believes that the adoption of a more targeted designation 
requirement is likely to result in a smaller number of SCI entity 
members or participants being designated to participate in business 
continuity and disaster recovery plans testing and thus should result 
in lower costs for SCI entities to coordinate testing.\2042\
---------------------------------------------------------------------------

    \2042\ See supra Section IV.B.6.b (discussing the designation 
requirement in adopted Rule 1004).
---------------------------------------------------------------------------

    The Commission is unable to provide a quantified estimate of the 
specific costs for SCI entities associated with the mandatory testing 
of SCI entity business continuity and disaster recovery plans, 
including backup systems. Although several commenters provided general 
estimates as to the costs of compliance with Rule 1004, these 
commenters did not provide their assumptions or a description of the 
quantified costs associated with each potential source of costs. Given 
the lack of information provided by commenters and that these costs 
could vary significantly based on the specific systems of each SCI 
entity, the Commission is unable to determine whether the costs 
provided by commenters are representative. Additionally, the Commission 
notes that commenters appeared to focus on costs as if assuming there 
is no testing today. Because SCI entities currently engage in some 
coordinated BC/DR testing, the Commission believes that the average 
incremental cost to SCI entities, in addition to the burden estimated 
in the PRA, would be lower than these commenters' cost estimates. The 
Commission also believes that costs would be significantly lower in the 
year following the initial year of testing. Because the Commission does 
not have detailed information regarding the current level of BC/DR 
testing and coordination of such testing by each SCI entity, and the 
cost associated with such testing and coordination, however, the 
Commission cannot at this time provide a quantified estimate of the 
cost for SCI entities to comply with Rule 1004.
Costs to SCI Entity Members and Participants
    The Commission believes that Rule 1004 will also impose costs on 
SCI entity designated members and participants. In the SCI Proposal, 
based on discussions with market participants, the Commission estimated 
that the cost of business continuity and disaster recovery plan testing 
would range from immaterial administrative costs (for SCI entity 
members and participants that currently maintain connections to SCI 
entity backup systems) to a range of $24,000 to $60,000 per year per 
member or participant in connection with each SCI entity.\2043\ As 
noted in the SCI Proposal and also above, the Commission understood 
that most of the larger members or participants of SCI entities already 
maintain connectivity with the backup systems of SCI entities and, 
thus, the additional connectivity costs imposed by proposed Rule 
1000(b)(9) to these larger members or participants may be 
minimal.\2044\ However, among smaller members or participants of SCI 
entities, the number of members or participants who maintain such 
connectivity is lower.\2045\ Therefore, costs at the higher end of the 
estimated range would accrue for members or participants who would need 
to invest in additional infrastructure and to maintain connectivity 
with an SCI entity's backup systems in order to participate in testing.
---------------------------------------------------------------------------

    \2043\ See Proposing Release, supra note 13, at 18172.
    \2044\ See id. at 18172 and n. 642.
    \2045\ See id. at 18172.
---------------------------------------------------------------------------

    Furthermore, in the SCI Proposal, the Commission acknowledged that 
it is difficult to provide an estimate for the total aggregate cost to 
SCI entity members or participants under proposed Rule 
1000(b)(9).\2046\ Because each SCI entity had discretion in determining 
its standards for designating members or participants for the testing 
required by proposed Rule 1000(b)(9)(i), the Commission did not have 
enough information to estimate the number of members or participants at 
each SCI entity that would be designated as required to participate in 
testing and to determine whether such designated members or 
participants are those that already maintain connections to SCI entity 
backup systems. With limited information, the Commission provided a 
total aggregate annual cost estimate in the SCI Proposal of 
approximately $66 million for designated members and participants to 
participate in business continuity and disaster recovery plans 
testing.\2047\
---------------------------------------------------------------------------

    \2046\ See id.
    \2047\ See id. at 18172 and n.643.
---------------------------------------------------------------------------

    Several commenters stated that the Commission underestimated the 
cost of
business continuity and disaster recovery plan testing under proposed 
Rule 1000(b)(9). One commenter noted that the Commission failed to take 
into account those SCI entities that engage in systems-specific testing 
upon implementation or initial connection by a market participant, but 
do not engage in business continuity and disaster recovery testing with 
the participation of market participants.\2048\ One commenter noted 
that the average cost for a broker-dealer to maintain fully redundant 
systems at all relevant exchange backup facilities would be 
approximately $3 million annually, according to one of its informal 
surveys.\2049\ Further, this cost would not include the initial capital 
costs related to the infrastructure or the labor/employment necessary 
for the maintenance and monitoring of backup connection and 
facilities.\2050\
---------------------------------------------------------------------------

    \2048\ See MSRB Letter at 38.
    \2049\ See FIA PTG Letter at 3. See also BIDS Letter at 8 
(commenting that testing and backup connections are expensive, and 
the expense of the connections could outweigh the value or the 
utilization of the value that certain venues provide).
    \2050\ See FIA PTG Letter at 3. This commenter noted that the 
costs vary widely among members and exchanges but are not 
insubstantial. See id.
---------------------------------------------------------------------------

    Other commenters stated that the Commission underestimated other 
aspects of the cost of business continuity and disaster recovery plan 
testing under proposed Rule 1000(b)(9). One commenter believed that the 
requirement for members to connect to an SCI entity's backup site could 
pose significant economic burden and provide little benefit to the 
market.\2051\ This commenter believed that the cost of such connections 
would be well over the $10,000 per connection that the Commission 
estimated.\2052\ According to this commenter, establishing and 
maintaining a connection with comparable trading capability and latency 
could cost a broker-dealer that co-locates at an SCI entity's data 
center between $15,000 and $20,000 monthly simply for the necessary 
communication lines.\2053\ In addition, this commenter noted that such 
members would need additional hardware (estimated to be up to $500,000) 
to establish an appropriate presence at the backup site to ensure that 
they could trade in an efficient manner with low latency.\2054\ This 
commenter believed that compliance with the Rule 1000(b)(9) 
requirements could cause broker-dealers to reduce the number of SCI 
entities through which they trade.\2055\ This commenter suggested that 
the standard for designating members should be those members ``critical 
to the operation of the SCI entity.'' \2056\
---------------------------------------------------------------------------

    \2051\ See ISE Letter at 9.
    \2052\ See id.
    \2053\ See id.
    \2054\ See id.
    \2055\ See id.
    \2056\ See id. According to this commenter, under the suggested 
standard, its focus would be on its seven Primary Market Makers who 
provide continuous liquidity, and these members would provide a 
baseline of liquidity for trading. See id. However, this commenter 
believed that, in order to satisfy the standard to provide ``fair 
and orderly trading,'' it may need to require some or all of its 145 
Electronic Access Members who access liquidity. See id.
---------------------------------------------------------------------------

    Another commenter estimated that the costs to a market making firm 
to support fully redundant exchange and ATS backup facilities would be 
approximately $7 million to $10 million in initial capital, with annual 
costs of between $5 million and $9 million.\2057\ According to this 
commenter, this cost is not justified by the benefits because backup 
facilities would not be used in the event of an outage at the primary 
site,\2058\ and would lead firms to reconsider their ability to make 
markets on as many trading platforms and potentially reduce price 
competition.\2059\
---------------------------------------------------------------------------

    \2057\ See KCG Letter at 4, 12. This commenter stated that the 
cost of supporting a backup facility of an SCI entity would be 
reduced, if the backup facility of an SCI entity were at the primary 
site of another SCI entity where the market maker traded. See id. at 
12.
    \2058\ See id. at 4.
    \2059\ See id. at 12.
---------------------------------------------------------------------------

    The same commenter who provided an estimate of burdens for SCI 
entities expressed the view that there are also dozens of man-days of 
pre-test planning, preparation, pre-testing testing, testing, and post-
mortem reviews for members and participants that would be associated 
with industry test initiatives.\2060\ Based on the commenter's upper 
estimates for member firms, measured in man-days, the Commission 
assigned monetary values using appropriate hours allocation among the 
traders, technologists, programmers/system administrators, exchange 
personnel, and analysts necessary for implementation of disaster 
recovery testing. This procedure yields an annual average total cost 
estimate of about $200,000 for each member firm.\2061\ For the reasons 
discussed below, the Commission believes that this commenter's cost 
estimate does not accurately reflect the costs to members or 
participants.
---------------------------------------------------------------------------

    \2060\ See also supra note 2038 and accompanying text 
(discussing this commenter's cost estimate for SCI entities).
    \2061\ The allocations are based on the staff experience that 
member firms divide their personnel as 45% traders, 45% 
technologists, and 10% business analysts. The hourly rates are from 
SIFMA's Management & Professional Earnings in the Securities 
Industry 2012, modified by Commission staff to account for an 1800-
hour work-year and multiplied by 5.35 to account for bonuses, firm 
size, employee benefits and overhead. The calculation for member 
firms was as follows: 85 days x (10% time required by analysts x 
$245/hour + 45% time required by technologists x $282/hour + 45% 
time required by traders x $312/hour) = $198,424 per member firm.
---------------------------------------------------------------------------

    The Commission acknowledges that members or participants will incur 
costs as a result of Rule 1004. However, the Commission believes that 
the members or participants likely to be designated to participate in 
such testing are those that conduct a high level of activity with the 
SCI entity, or that play an important role for the SCI entity (such as 
market makers), and who are more likely to have already established 
connections to the SCI entity's backup site. The Commission believes 
that many of these members or participants already have established 
connectivity with the SCI entity's backup site and already monitor and 
maintain such connectivity, and thus the additional connectivity costs 
imposed by Rule 1004 would be modest to these members or participants.
    For members or participants that currently do not have 
connectivity, the Commission recognizes the requirements of Rule 1004 
will impose costs on members or participants in establishing, 
maintaining, and monitoring backup connection and facilities. The 
Commission believes that a few commenters who stated that the 
Commission underestimated these costs may have based their cost 
estimates for proposed Rule 1000(b)(9) on the assumption that member 
connections to SCI entities' backup systems need to be the same as 
those at the primary site.\2062\ However, as discussed above in Section 
IV.B.6, Rule 1004 does not require SCI entity members or participants 
to maintain the same level of connectivity with the backup sites of an 
SCI entity as they do with the primary sites. In the event of a wide-
scale disruption in the securities markets, the Commission acknowledges 
that an SCI entity and its members or participants may not be able to 
provide the same level of liquidity as on a normal trading day. In 
addition, the Commission recognizes that the concept of ``fair and 
orderly markets'' does not require that trading on a day when business 
continuity and disaster recovery plans are in effect reflect the same 
level of liquidity, depth, volatility, and other characteristics of 
trading on a normal trading day.
---------------------------------------------------------------------------

    \2062\ See supra notes 2049, 2050, 2052-2054, and 2057 and 
accompanying text (discussing commenters' estimates of the cost to 
maintain fully redundant systems at relevant SCI entity backup 
facilities).
---------------------------------------------------------------------------

    The Commission, however, is unable to provide a quantified estimate 
of the
specific costs for SCI entity members or participants associated with 
the mandatory testing required by Rule 1004. Although several 
commenters provided general estimates as to the costs of compliance 
with Rule 1004, these commenters did not provide their assumptions or a 
description of the quantified costs associated with each potential 
source of costs. Given the lack of information provided by commenters 
and that these costs could vary significantly based on the specific 
systems of each SCI entity and member or participant, the Commission is 
unable to determine whether the costs provided by commenters are 
representative. Additionally, the Commission notes that some commenters 
appeared to focus on costs as if assuming there is no testing today. 
Because some members and participants of SCI entities currently 
participate in SCI entities' BC/DR testing, these members and 
participants would not incur the full costs estimated by the 
commenters. Thus the Commission believes that the average incremental 
cost to members or participants would be lower than these commenters' 
estimates because the estimates do not account for current practices. 
The Commission also believes that costs will be highly variable among 
member firms, and will be significantly lower in the year following the 
initial year of testing. Because the Commission does not have detailed 
information regarding the current level of engagement by members or 
participants in BC/DR testing and the associated costs, or the details 
of the BC/DR testing that SCI entities will implement pursuant to Rule 
1004, the Commission cannot at this time provide a precise quantified 
estimate of the cost for SCI entities' designated members or 
participants to comply with Rule 1004.\2063\ The Commission also notes 
that it is critical that SCI entities and their designated members or 
participants be able to operate with the SCI entities' backup systems 
in the event of a wide-scale disruption, and believes that the costs 
that would be incurred by essential market participants are appropriate 
in light of the benefits discussed above.\2064\
---------------------------------------------------------------------------

    \2063\ Although the Commission cannot at this time precisely 
estimate the total cost of compliance with Rule 1004, the Commission 
believes that $10,000 on average per SCI entity is a reasonable 
estimate solely for the incremental cost of connectivity associated 
with the requirements of Rule 1004. As noted above, the Commission 
continues to believe that it is reasonable to estimate that the 
members or participants of SCI entities that are most likely to be 
designated as required to participate in testing are those that 
conduct a high level of activity with the SCI entity, or that play 
an important role for the SCI entity (such as market makers), and 
that such members or participants are likely to already maintain 
connectivity with an SCI entity's backup systems. Therefore, the 
Commission is not persuaded that its estimate of the average 
connectivity cost for each member or participant of an SCI entity 
should be modified from $10,000.
    \2064\ Further, in response to comment that the added benefit of 
requiring fully redundant backup systems is almost impossible to 
measure while the cost of implementation is significant, the 
Commission acknowledges that testing of a BC/DR plan does not 
guarantee flawless execution of that plan, but still believes 
testing is warranted because a tested plan is likely to be more 
reliable and effective than an inadequately tested plan.
---------------------------------------------------------------------------

    Although the Commission generally believes that the aggregate cost 
to SCI entity members or participants under Rule 1004 will be lower 
than the cost estimated for proposed Rule 1000(b)(9), the Commission 
continues to believe it is difficult to provide an estimate for the 
aggregate cost to SCI entity members or participants because under Rule 
1004, each SCI entity has reasonable discretion in designating its 
members or participants for the required testing, and, as noted above, 
the Commission does not possess necessary information to estimate the 
number of designated members or participants and to determine whether 
such designated members or participants are those that already have 
established and maintained connectivity to the SCI entity's backup 
systems. Accordingly, the Commission cannot at this time provide a 
quantified estimate of the total aggregate cost to SCI entity members 
or participants under Rule 1004.\2065\
---------------------------------------------------------------------------

    \2065\ The Commission believes that it can reasonably estimate 
connectivity costs but not all costs associated with BC/DR testing. 
With respect to connectivity, the Commission now estimates that Rule 
1004 will impose a total aggregate annual cost of approximately $18 
million for designated members and participants. This estimate 
assumes that each of the 44 SCI entities will designate between 10 
and 20 percent of its members or participants to participate in the 
necessary testing. This 10-20 percent estimate is based on staff 
experience and takes into consideration comment that typically 20 
percent of an SCI entity's members might provide 80 percent of the 
order flow or liquidity (see Tellefsen Letter at 9), and balances it 
against another commenter's view that if the standard for 
designation was to identify those firms ``critical to the operation 
of the SCI entity'' (which is more targeted than the adopted 
standard), this commenter would designate approximately five percent 
of its members to participate in testing (see ISE Letter at 9). The 
Commission understands that many SCI entities have between 200 and 
400 members or participants, although some have more and some have 
fewer. Therefore, the Commission estimates that on average, each SCI 
entity will designate approximately 40 members or participants in 
such testing. Based on these assumptions, the Commission estimates 
the total aggregate cost for connectivity to all designated members 
or participants of all SCI entities to be approximately $17.6 
million (44 SCI entities x 40 members or participants x $10,000 = 
$17.6 million).
---------------------------------------------------------------------------

    Moreover, as noted above in Section IV.B.6.b, the Commission 
believes that adoption of a designation requirement that requires SCI 
entities to exercise reasonable discretion to identify those members or 
participants that, taken as a whole, are the ``minimum necessary'' for 
the maintenance of fair and orderly markets in the event of the 
activation of such plans is likely to result in a smaller number of SCI 
entity members or participants being designated for participation in 
testing as compared to the SCI Proposal, thus reducing total costs to 
all members or participants combined. Because the Commission believes 
that SCI entities have an incentive to limit the imposition of the cost 
and burden associated with testing to the minimum necessary to comply 
with the rule, it also believes that, given the option, most SCI 
entities would, in the exercise of reasonable discretion, prefer to 
designate fewer members or participants to participate in testing, than 
to designate more. On balance, the Commission believes that the adopted 
rule will incentivize SCI entities to designate those members and 
participants that are in fact the minimum necessary for the maintenance 
of fair and orderly markets in the event of the activation of their BC/
DR plans, and that this should reduce the number of designations to 
which any particular member or participant would be subject, compared 
to the SCI Proposal.
    It remains possible, as some commenters noted, that firms that are 
members of multiple SCI entities will be the subject of multiple 
designations, and that multiple designations could require certain 
firms to maintain connections to backup sites and participate in 
testing of the BC/DR plans of multiple SCI entities. As discussed in 
Section IV.B.6.b, the Commission believes this possibility, though 
real, may be mitigated by the fact that designations are likely to be 
made to firms that are already connected to one or more SCI entity 
backup facilities, because they are more likely to be significant 
members or participants of the applicable SCI entities; and that, 
because some SCI entity backup facilities are located in close 
proximity to each other, multiple connections to such backup facilities 
may be less costly than if SCI entity backup facilities were not so 
located. The Commission recognizes that there would be greater costs to 
a firm being designated by multiple SCI entities to participate in the 
testing of their business continuity and disaster recovery plans, but 
believes that these greater costs are warranted for such firms, as they 
represent significant participants in each of the SCI entities for 
which they are designated, and their participation in the testing of 
each such
SCI entity's business continuity and disaster recovery plans is 
necessary to evaluate whether such plans are reliable and effective. 
The Commission recognizes that a firm that is designated to participate 
in testing with multiple SCI entities may assess the costs and burdens 
of participating in every test to be too great, and make business 
decisions to withdraw its membership or participation from one or more 
such SCI entities so as to avoid the costs and burdens of such testing. 
The Commission believes such a scenario is unlikely because such firm 
is likely to be a larger firm with a significant level of participation 
in such SCI entity and is likely to already have connections to backup 
facilities of the SCI entity.
    The Commission believes that the cost associated with Rule 1004 is 
unlikely to induce the designated members or participants to reduce the 
number of SCI entities through which they trade and adversely affect 
price competitiveness in markets.\2066\ As noted above, the Commission 
also recognizes that costs to some SCI entity members or participants 
associated with Rule 1004 could be significant, and also highly 
variable depending on the business continuity and disaster recovery 
plans being tested. Based on industry sources, the Commission 
understands that most of the larger members or participants of SCI 
entities already maintain connectivity with the backup systems of SCI 
entities. However, the Commission understands that there is a lower 
incidence of smaller members or participants maintaining connectivity 
with the backup sites of SCI entities.\2067\ As such, the Commission 
believes that the compliance costs associated with Rule 1004 would be 
higher for those members or participants that are designated for 
testing by SCI entities who would need to invest in additional 
infrastructure to maintain connectivity with an SCI entity's backup 
systems to participate in testing, which the Commission believes is 
more likely to be the case for smaller members or participants 
designated for testing.
---------------------------------------------------------------------------

    \2066\ See supra notes 2055 and 2059 and accompanying text.
    \2067\ See Proposing Release, supra note 13, at 18172, n. 642.
---------------------------------------------------------------------------

    The Commission acknowledges that the compliance costs associated 
with Rule 1004 could raise barriers to entry and affect competition 
among members or participants of SCI entities. Specifically, to the 
extent that members or participants could be subject to designation in 
business continuity and disaster recovery plan testing and could incur 
additional compliance costs, the member or participant designation 
requirement of Rule 1004 could raise barriers to entry. Also, as 
discussed above, the compliance costs of the rule will likely be higher 
for smaller members or participants of SCI entities compared to larger 
members or participants of SCI entities. However, the Commission 
believes the adverse effect on competition may be mitigated to some 
extent as the most likely members or participants to be designated for 
testing are larger members or participants who already maintain 
connectivity with an SCI entity's backup systems. Further, the adverse 
effect on competition could be partially mitigated to the extent that 
larger firms, which are members of multiple SCI entities, could incur 
additional compliance costs as these larger member firms could be 
subject to multiple designations for business continuity and disaster 
recovery plan testing.
    One commenter noted that mere network connectivity to an exchange 
or ATS would be insufficient for a market maker to provide meaningful 
liquidity on an SCI entity.\2068\ This commenter noted that, if the 
Commission does not intend for SCI entities to be able to trade in the 
same way from a backup facility as it trades from the primary site, 
then market makers could maintain a more limited remote connectivity to 
the backup site and incur less cost, although this commenter believed 
that such an approach would not facilitate the posting of competitive 
quotes.\2069\ This commenter believed that this alternative approach 
would result in unusually wide markets, and would not result in any 
benefits.\2070\
---------------------------------------------------------------------------

    \2068\ See KCG Letter at 12.
    \2069\ See id. at 13.
    \2070\ See id. at 13.
---------------------------------------------------------------------------

    As discussed in Section IV.B.6, Rule 1001(a) does not require that 
backup facilities of SCI entities fully duplicate the features of 
primary facilities. Further, as discussed in Section IV.B.6, SCI entity 
members or participants are not required by Regulation SCI to maintain 
the same level of connectivity with the backup sites of an SCI entity 
as they do with the primary sites. In the event of a wide-scale 
disruption in the securities markets, the Commission acknowledges that 
SCI entities and their members or participants may not be able to 
provide the same level of liquidity as on a normal trading day. 
However, the Commission expects that, on a day when business continuity 
and disaster recovery plans are in effect due to a wide-scale 
disruption in the securities markets, the requirements of Rule 1004 
will help ensure adequate levels of liquidity and pricing efficiency to 
facilitate trading and maintain fair and orderly markets without 
imposing excessive costs on SCI entities and market participants by 
requiring them to maintain the same connectivity with the backup 
systems as with the primary sites.
Alternatives
    Several commenters suggested alternatives to the proposed BC/DR 
testing requirements.\2071\ Two commenters suggested that few ATSs are 
critical enough to warrant inclusion in the BC/DR testing 
requirement.\2072\ One commenter suggested that only SCI entities that 
provide market functions on which other market participants depend be 
subject to the requirements for separate backup and recovery 
capabilities.\2073\ Furthermore, one commenter urged that BC/DR testing 
coordination only be required among providers of singular services in 
the market (i.e., exchange that lists securities, exclusive processors 
under NMS plans, and clearing and settlement agencies).\2074\
---------------------------------------------------------------------------

    \2071\ See SIFMA Letter at 17; BIDS Letter at 8; and ITG Letter 
at 15.
    \2072\ See BIDS Letter at 8; and ITG Letter at 15.
    \2073\ See KCG Letter at 8.
    \2074\ See Direct Edge Letter at 9.
---------------------------------------------------------------------------

    The Commission is not persuaded that SCI ATSs should be excluded 
from the requirements of BC/DR testing plans. In today's market, as 
discussed in Section IV.A.1.b, ATSs collectively represent a 
significant source of liquidity for stock trading. Although the concept 
of ``fair and orderly markets'' when BC/DR plans are in effect does not 
require the same level of liquidity, depth, volatility, and other 
characteristics of trading on a normal trading day, the Commission 
believes that excluding significant ATSs from BC/DR testing could harm 
liquidity, depth, and volatility when BC/DR plans are in effect and, 
thus, could significantly reduce the benefits of Rule 1004. 
Furthermore, with respect to the commenter that urged the Commission 
only to include providers of singular services in BC/DR testing 
coordination, as mentioned in Section IV.A.1.b, because trading in the 
U.S. securities markets today is dispersed among exchanges, ATSs, and 
other trading venues, and often involves trading strategies that 
require access to multiple trading venues, including ATSs, 
simultaneously, including all SCI entities, the Commission believes 
that requiring SCI entities to coordinate testing would result in 
testing under
more realistic market conditions and help ensure that securities 
markets have improved backup infrastructure, fewer market shutdowns, 
and fair and orderly markets in the event of the activation of BC/DR 
plans.
    Furthermore, one commenter stated that coordinated BC/DR testing is 
a good aspirational goal, but expressed concern that too much is 
outside of the control of an individual SCI entity, and therefore the 
rule should, at most, require SCI entities to attempt to coordinate 
such testing.\2075\ With respect to the comment suggesting that BC/DR 
testing coordination should be an aspirational goal rather than a 
requirement, the Commission believes that voluntary BC/DR testing is 
insufficient and will not further the goal of Regulation SCI as 
evidenced by Superstorm Sandy discussed in Section IV.B.6. As discussed 
above, the Commission acknowledges that there could be potential 
difficulties, including communicating with other SCI entities, in 
coordinating BC/DR testing on an industry- or sector-wide basis.
---------------------------------------------------------------------------

    \2075\ See CME Letter at 13.
---------------------------------------------------------------------------

c. Recordkeeping and Electronic Filing--Rules 1005-1007
    Entities that participate in the ARP Inspection Program currently 
keep records related to the ARP Inspection Program. However, the 
recordkeeping requirements of Rules 1005-1007 would apply to more 
entities, systems, and types of systems issues than the ARP Inspection 
Program. In addition, SCI entities are already subject to certain 
Commission recordkeeping requirements.\2076\ However, records relating 
to Regulation SCI may not be specifically addressed in the 
recordkeeping requirements of certain rules.\2077\ The Commission 
believes that the recordkeeping requirements specifically related to 
Regulation SCI would enhance the ability of the Commission to evaluate 
SCI entities' compliance with Regulation SCI.
---------------------------------------------------------------------------

    \2076\ See, e.g., 17 CFR 240.17a-1, applicable to SCI SROs; 17 
CFR 240.17a-3 and 17a-4, applicable to broker-dealers; and 17 CFR 
242.301-303, applicable to ATSs.
     It has been the experience of the Commission that SCI entities 
presently subject to the ARP Inspection Program (nearly all of whom 
are SCI SROs that are also subject to the recordkeeping requirements 
of Rule 17a-1(a)) do generally keep and preserve the types of 
records that would be subject to the requirements of Rule 1005. 
Nevertheless, the Commission continues to believe that Regulation 
SCI's codification of these preservation practices will support an 
accurate, timely, and efficient inspection and examination process 
and help ensure that all types of SCI entities keep and preserve 
such records.
    \2077\ See Proposing Release, supra note 13, at 18128.
---------------------------------------------------------------------------

    With respect to SCI SROs in particular, the Commission notes that 
they are subject to the recordkeeping requirements of Rule 17a-1 under 
the Exchange Act, and the breadth of Rule 17a-1 is such that it would 
require SCI SROs to make, keep, and preserve records relating to their 
compliance with Regulation SCI. Therefore, Rule 1005(a) requires each 
SCI SRO to make, keep, and preserve all documents relating to its 
compliance with Regulation SCI as prescribed in Rule 17a-1 under the 
Exchange Act.\2078\
---------------------------------------------------------------------------

    \2078\ See supra Section IV.C.1.a (discussing recordkeeping 
requirements for SROs under Rule 17a-1).
---------------------------------------------------------------------------

    Rule 1005(b) requires each SCI entity that is not an SCI SRO to 
make, keep, and preserve at least one copy of all documents relating to 
its compliance with Regulation SCI. Each such SCI entity is required to 
keep all such documents for a period of not less than five years, the 
first two years in a place that is readily accessible to the Commission 
or its representatives for inspection and examination. Each such SCI 
entity is also required to promptly furnish copies of such documents to 
Commission representatives upon request. Rule 1005(c) requires each 
such SCI entity, upon or immediately prior to ceasing to do business or 
ceasing to be registered under the Exchange Act, to take all necessary 
action to ensure that the records required to be made, kept, and 
preserved by Rule 1005 shall be accessible to the Commission and its 
representatives in the manner required by Rule 1005 and for the 
remainder of the period required by Rule 1005.
    According to Rule 1007, if the records required to be filed or kept 
by an SCI entity under Regulation SCI are prepared or maintained by a 
service bureau or other recordkeeping service on behalf of the SCI 
entity, the SCI entity is required to ensure that such records are 
available for review by the Commission and its representatives by 
submitting a written undertaking, in a form acceptable to the 
Commission, by such service bureau or other recordkeeping service to 
that effect.
    For SCI entities other than SCI SROs, Rule 1005 specifically 
addresses recordkeeping requirements with respect to records relating 
to Regulation SCI compliance. The Commission believes that Rules 1005 
and 1007 would allow Commission staff to perform efficient inspections 
and examinations of SCI entities for their compliance with Regulation 
SCI, and would increase the likelihood that Commission staff can 
identify conduct inconsistent with Regulation SCI at earlier stages in 
the inspection and examination process. Furthermore, as discussed in 
Section IV.C.1.a, although many SCI events may be resolved in a short 
time frame, there may be other SCI events that may not be discovered 
for an extended period of time after their occurrences, or may take 
significant periods of time to fully resolve. In such cases, having an 
SCI entity's records available for a longer period of time or even 
after it has ceased to do business or be registered under the Exchange 
Act would be beneficial. Preserved information should provide the 
Commission with an additional source to help determine the causes and 
consequences of one or more SCI events and better understand how such 
events may have impacted trade execution, price discovery, liquidity, 
and investor participation. Consequently, the Commission believes that 
the requirements of Rules 1005 and 1007 would help ensure compliance 
with Regulation SCI and help realize the potential benefits (e.g., 
better pricing efficiency, price discovery, and liquidity flows) of the 
regulation.
    As noted above, the breadth of Rule 17a-1 under the Exchange Act is 
such that it would require SCI SROs to make, keep, and preserve records 
relating to their compliance with Regulation SCI. Therefore, for SCI 
SROs, the incremental compliance costs associated with Rules 1005 and 
1007 will be modest.\2079\ On the other hand, for SCI entities that are 
not SCI SROs, the recordkeeping requirements of Rules 1005 and 1007 
will impose additional costs, including a one-time cost to set up or 
modify an existing recordkeeping system to comply with Rules 1005 and 
1007. The initial and ongoing compliance costs associated with the 
recordkeeping requirements are attributed to paperwork burdens, which 
are discussed in Section V.D.4 above.\2080\
---------------------------------------------------------------------------

    \2079\ As noted above, it has been the experience of the 
Commission that SCI entities presently subject to the ARP Inspection 
Program generally keep and preserve the types of records that would 
be subject to the requirements of Rule 1005. Nearly all of these ARP 
participants are SCI SROs that are also subject to the recordkeeping 
requirements of Rule 17a-1.
    \2080\ When monetized, the paperwork burden associated with all 
recordkeeping requirements would result in approximately $857,000 
initially for all non-SRO SCI entities in the aggregate, and $27,000 
annually for all non-SRO SCI entities in the aggregate.
---------------------------------------------------------------------------

    Rule 1006 requires SCI entities to electronically file all written 
information to the Commission on Form SCI (except for notifications 
submitted pursuant to Rules 1002(b)(1) and (b)(3)).
Rule 1006 should provide a uniform manner in which the Commission would 
receive--and SCI entities would provide--written notifications, 
reviews, descriptions, analyses, or reports required by Regulation 
SCI.\2081\ Rule 1006 should add efficiency for SCI entities in drafting 
and submitting the required reports, and for the Commission in 
reviewing, analyzing, and responding to the information provided.\2082\ 
All costs associated with Form SCI are attributed to paperwork burdens 
discussed in Section V.
---------------------------------------------------------------------------

    \2081\ See Proposing Release, supra note 13, at 18129-30.
    \2082\ See id. at 18130.
---------------------------------------------------------------------------

    Every SCI entity will be required to have the ability to 
electronically submit Form SCI through the EFFS system, and every 
person designated to sign Form SCI will be required to have an 
electronic signature and a digital ID. Each SCI entity will also be 
required to submit documents attached as exhibits through the EFFS 
system in a text-searchable format, subject to a limited 
exception.\2083\ The Commission believes that requiring documents to be 
submitted in a text-searchable format, subject to a limited exception, 
is necessary to allow Commission staff to efficiently review and 
analyze information provided by SCI entities. Additionally, the 
Commission believes that this requirement will not impose an additional 
burden on SCI entities, as SCI entities likely already prepare 
documents in an electronic format that is text searchable or can 
readily be converted into a format that is text searchable. The 
Commission also believes that many SCI entities currently have the 
ability to access the EFFS system and electronically submit Form SCI 
such that the requirement to submit Form SCI electronically will not 
impose significant new implementation or ongoing costs.\2084\ The 
Commission also believes that some of the persons who will be 
designated to sign Form SCI already have digital IDs and the ability to 
provide an electronic signature. To the extent that some persons do not 
have digital IDs, the additional cost to obtain and maintain digital 
IDs is accounted for in the paperwork burden.\2085\
---------------------------------------------------------------------------

    \2083\ As noted in Section IV.C.2, the General Instructions to 
Form SCI, Item A. specify that documents filed through the EFFS 
system must be in a text-searchable format without the use of 
optical character recognition, with a limited exception to allow for 
a portion of a Form SCI submission (e.g., an image or diagram) that 
cannot be made available in a text-searchable format to be submitted 
in a non-text-searchable format.
    \2084\ The initial and ongoing costs associated with various 
electronic submissions of Form SCI are discussed in the Paperwork 
Reduction Act section above. See supra Section V.
    \2085\ See supra Section V.D.2.e.
---------------------------------------------------------------------------

    As an alternative to the adopted electronic submission requirement, 
the Commission considered requiring data to be submitted in a tagged 
data format such as XBRL. Requiring reports to be filed in a tagged 
data format such as XBRL would likely permit faster and more efficient 
analysis of information disclosed in reports but would also likely 
impose additional compliance costs associated with tagging information 
in the narrative responses.
    Rather than requiring the use of XBRL formatting for Form SCI, the 
Commission notes that certain fields in Sections I-III of Form SCI will 
require information provided by SCI entities to be in a format that 
will allow the Commission to gather information in a structured manner 
(e.g., the submission type and SCI event type in Section I). By 
collecting information on Form SCI in a way that allows the Commission 
to gather key information in a structured manner, the Commission 
believes it will be able to more efficiently review and process filings 
made on Form SCI. Moreover, gathering certain information in Sections 
I-III of Form SCI in a structured format should not result in an 
additional cost to SCI entities.

VII. Regulatory Flexibility Act Certification

    The Regulatory Flexibility Act (``RFA'') \2086\ requires Federal 
agencies, in promulgating rules, to consider the impact of those rules 
on small entities. The Commission certified in the SCI Proposal, 
pursuant to Section 605(b) of the Regulatory Flexibility Act of 1980 
(``RFA''),\2087\ that proposed Regulation SCI would not, if adopted, 
have a significant impact on a substantial number of small entities. 
The Commission received no comments on this certification.
---------------------------------------------------------------------------

    \2086\ 5 U.S.C. 601 et seq.
    \2087\ 5 U.S.C. 605(b).
---------------------------------------------------------------------------

A. SCI Entities

    Paragraph (a) of Rule 0-10 provides that for purposes of the RFA, a 
small entity when used with reference to a ``person'' other than an 
investment company means a person that, on the last day of its most 
recent fiscal year, had total assets of $5 million or less.\2088\ With 
regard to broker-dealers, small entity means a broker or dealer that 
had total capital of less than $500,000 on the date in the prior fiscal 
year as of which its audited financial statements were prepared 
pursuant to Rule 17a-5(d) under the Exchange Act, or, if not required 
to file such statements, had total capital of less than $500,000 on the 
last business day of the preceding fiscal year (or in the time that it 
has been in business, if shorter), and that is not affiliated with any 
person (other than a natural person) that is not a small business or 
small organization.\2089\ With regard to clearing agencies, small 
entity means a clearing agency that compared, cleared, and settled less 
than $500 million in securities transactions during the preceding 
fiscal year (or in the time that it has been in business, if shorter), 
had less than $200 million of funds and securities in its custody or 
control at all times during the preceding fiscal year (or in the time 
that it has been in business, if shorter), and is not affiliated with 
any person (other than a natural person) that is not a small business 
or small organization.\2090\ With regard to exchanges, small entity 
means an exchange that has been exempt from the reporting requirements 
of Rule 601 under Regulation NMS, and is not affiliated with any person 
(other than a natural person) that is not a small business or small 
organization.\2091\ With regard to securities information processors, 
small entity means a securities information processor that had gross 
revenue of less than $10 million during the preceding fiscal year (or 
in the time it has been in business, if shorter), provided service to 
fewer than 100 interrogation devices or moving tickers at all times 
during the preceding fiscal year (or in the time it has been in 
business, if shorter), and is not affiliated with any person (that is 
not a natural person) that is not a small business or small 
organization.\2092\ Under the standards adopted by the Small Business 
Administration (``SBA''), entities engaged in financial investments and 
related activities are considered small entities if they have $35.5 
million or less in average annual receipts.\2093\
---------------------------------------------------------------------------

    \2088\ See 17 CFR 240.0-10(a).
    \2089\ See 17 CFR 240.0-10(c).
    \2090\ See 17 CFR 240.0-10(d).
    \2091\ See 17 CFR 240.0-10(e).
    \2092\ See 17 CFR 240.0-10(g).
    \2093\ See SBA's Table of Small Business Size Standards, 
Subsector 523 and 13 CFR 121.201. Such entities include firms 
engaged in investment banking and securities dealing, securities 
brokerage, commodity contracts dealing, commodity contracts 
brokerage, securities and commodity exchanges, miscellaneous 
intermediation, portfolio management, investment advice, trust, 
fiduciary and custody activities, and miscellaneous financial 
investment activities.
---------------------------------------------------------------------------

    Based on the Commission's existing information about the entities 
that will be subject to Regulation SCI, the Commission believes that 
SCI entities that are self-regulatory organizations 
(national securities exchanges, national securities associations, 
registered clearing agencies, and the MSRB) or exempt clearing agencies 
subject to ARP would not fall within the Commission's definition of 
small entity as described above. With regard to plan processors, which 
are defined under Rule 600(b)(55) of Regulation NMS to mean a self-
regulatory organization or securities information processor acting as 
an exclusive processor in connection with the development, 
implementation and/or operation of any facility contemplated by an 
effective NMS plan,\2094\ the Commission's definition of small entity 
as it relates to self-regulatory organizations and securities 
information processors would apply. The Commission does not believe 
that any plan processor would be a small entity as defined above. With 
regard to SCI ATSs, because they are registered as broker-dealers, the 
Commission's definition of small entity as it relates to broker-dealers 
would apply. The Commission does not believe that any of the SCI ATSs 
would be a small entity as defined above.
---------------------------------------------------------------------------

    \2094\ See 17 CFR 242.600(b)(55).
---------------------------------------------------------------------------

B. Certification

    For the foregoing reasons, the Commission again certifies that 
Regulation SCI will not have a significant economic impact on a 
substantial number of small entities.

VIII. Statutory Authority and Text of Amendments

    Pursuant to the Exchange Act, 15 U.S.C. 78a et seq., and 
particularly, Sections 2, 3, 5, 6, 11A, 15, 15A, 17, 17A, 23(a), and 24 
thereof, 15 U.S.C. 78b, 78c, 78e, 78f, 78k-1, 78o, 78o-3, 78q, 78q-1, 
78x, and 78w(a), the Commission adopts Regulation SCI under the 
Exchange Act and Form SCI under the Exchange Act, and amends Regulation 
ATS and Rule 24b-2 under the Exchange Act.

List of Subjects in 17 CFR Parts 240, 242, and 249

    Brokers; Confidential business information; Reporting and 
recordkeeping requirements; and Securities.

    In accordance with the foregoing, Title 17, Chapter II of the Code 
of Federal Regulations is amended as follows:

PART 240--GENERAL RULES AND REGULATIONS, SECURITIES EXCHANGE ACT OF 
1934

1. The authority citation for part 240 continues to read in part as 
follows:

    Authority:  15 U.S.C. 77c, 77d, 77g, 77j, 77s, 77z-2, 77z-3, 
77eee, 77ggg, 77nnn, 77sss, 77ttt, 78c, 78c-3, 78c-5, 78d, 78e, 78f, 
78g, 78i, 78j, 78j-1, 78k, 78k-1, 78l, 78m, 78n, 78n-1, 78o, 78o-4, 
78o-10, 78p, 78q, 78q-1, 78s, 78u-5, 78w, 78x, 78ll, 78mm, 80a-20, 
80a-23, 80a-29, 80a-37, 80b-3, 80b-4, 80b-11, 7201 et seq., and 
8302; 7 U.S.C. 2(c)(2)(E); 12 U.S.C. 5221(e)(3); 18 U.S.C. 1350, 
unless otherwise noted.
* * * * *

2. Amend Sec.  240.24b-2 by:
a. After the words PRELIMINARY NOTE: Adding the words ``Except as 
otherwise provided in this rule,'' and revising the word 
``Confidential'' to read ``confidential''.
b. Adding at the beginning of paragraph (b) introductory text the words 
``Except as otherwise provided in paragraph (g) of this section,'' and 
revising the word ``The'' to read ``the''.
c. Adding paragraph (g).
    The addition reads as follows:


Sec.  240.24b-2.  Nondisclosure of information filed with the 
Commission and with any exchange.

* * * * *
    (g) An SCI entity (as defined in Sec.  242.1000 of this chapter) 
shall not omit the confidential portion from the material filed in 
electronic format on Form SCI pursuant to Regulation SCI, Sec.  
242.1000 et. seq., and, in lieu of the procedures described in 
paragraph (b) of this section, may request confidential treatment of 
all information provided on Form SCI by completing Section IV of Form 
SCI.

PART 242--REGULATIONS M, SHO, ATS, AC, NMS AND SCI AND CUSTOMER 
MARGIN REQUIREMENTS FOR SECURITY FUTURES

3. The authority citation for part 242 continues to read as follows:

    Authority:  15 U.S.C. 77g, 77q(a), 77s(a), 78b, 78c, 78g(c)(2), 
78i(a), 78j, 78k-1(c), 78l, 78m, 78n, 78o(b), 78o(c), 78o(g), 
78q(a), 78q(b), 78q(h), 78w(a), 78dd-1, 78mm, 80a23, 80a-29, and 
80a-37.
* * * * *

4. The heading of part 242 is revised to read as set forth above.


Sec.  242.301  [Amended]

5. Amend Sec.  242.301 by removing paragraphs (b)(6)(i)(A) and (B) and 
redesignating paragraphs (b)(6)(i)(C) and (D) as paragraphs 
(b)(6)(i)(A) and (B), respectively.

6. Add Sec. Sec.  242.1000 through 242.1007 to read as follows:
Sec.
Regulation SCI--Systems Compliance and Integrity
242.1000 Definitions.
242.1001 Obligations related to policies and procedures of SCI 
entities.
242.1002 Obligations related to SCI events.
242.1003 Obligations related to systems changes; SCI review.
242.1004 SCI entity business continuity and disaster recovery plans 
testing requirements for members or participants.
242.1005 Recordkeeping requirements related to compliance with 
Regulation SCI.
242.1006 Electronic filing and submission.
242.1007 Requirements for service bureaus.


Sec.  242.1000  Definitions.

    For purposes of Regulation SCI (Sec. Sec.  242.1000 through 
242.1007), the following definitions shall apply:
    Critical SCI systems means any SCI systems of, or operated by or on 
behalf of, an SCI entity that:
    (1) Directly support functionality relating to:
    (i) Clearance and settlement systems of clearing agencies;
    (ii) Openings, reopenings, and closings on the primary listing 
market;
    (iii) Trading halts;
    (iv) Initial public offerings;
    (v) The provision of consolidated market data; or
    (vi) Exclusively-listed securities; or
    (2) Provide functionality to the securities markets for which the 
availability of alternatives is significantly limited or nonexistent 
and without which there would be a material impact on fair and orderly 
markets.
    Electronic signature has the meaning set forth in Sec.  240.19b-
4(j) of this chapter.
    Exempt clearing agency subject to ARP means an entity that has 
received from the Commission an exemption from registration as a 
clearing agency under Section 17A of the Act, and whose exemption 
contains conditions that relate to the Commission's Automation Review 
Policies (ARP), or any Commission regulation that supersedes or 
replaces such policies.
    Indirect SCI systems means any systems of, or operated by or on 
behalf of, an SCI entity that, if breached, would be reasonably likely 
to pose a security threat to SCI systems.
    Major SCI event means an SCI event that has had, or the SCI entity 
reasonably estimates would have:
    (1) Any impact on a critical SCI system; or
    (2) A significant impact on the SCI entity's operations or on 
market participants.
    Plan processor has the meaning set forth in Sec.  242.600(b)(55).
    Responsible SCI personnel means, for a particular SCI system or 
indirect SCI system impacted by an SCI event, such senior manager(s) of 
the SCI entity having responsibility for such system, and their 
designee(s).
    SCI alternative trading system or SCI ATS means an alternative 
trading system, as defined in Sec.  242.300(a), which during at least 
four of the preceding six calendar months:
    (1) Had with respect to NMS stocks:
    (i) Five percent (5%) or more in any single NMS stock, and one-
quarter percent (0.25%) or more in all NMS stocks, of the average daily 
dollar volume reported by applicable transaction reporting plans; or
    (ii) One percent (1%) or more in all NMS stocks of the average 
daily dollar volume reported by applicable transaction reporting plans; 
or
    (2) Had with respect to equity securities that are not NMS stocks 
and for which transactions are reported to a self-regulatory 
organization, five percent (5%) or more of the average daily dollar 
volume as calculated by the self-regulatory organization to which such 
transactions are reported;
    (3) Provided, however, that such SCI ATS shall not be required to 
comply with the requirements of Regulation SCI until six months after 
satisfying any of paragraphs (a) or (b) of this section, as applicable, 
for the first time.
    SCI entity means an SCI self-regulatory organization, SCI 
alternative trading system, plan processor, or exempt clearing agency 
subject to ARP.
    SCI event means an event at an SCI entity that constitutes:
    (1) A systems disruption;
    (2) A systems compliance issue; or
    (3) A systems intrusion.
    SCI review means a review, following established procedures and 
standards, that is performed by objective personnel having appropriate 
experience to conduct reviews of SCI systems and indirect SCI systems, 
and which review contains:
    (1) A risk assessment with respect to such systems of an SCI 
entity; and
    (2) An assessment of internal control design and effectiveness of 
its SCI systems and indirect SCI systems to include logical and 
physical security controls, development processes, and information 
technology governance, consistent with industry standards.
    SCI self-regulatory organization or SCI SRO means any national 
securities exchange, registered securities association, or registered 
clearing agency, or the Municipal Securities Rulemaking Board; provided 
however, that for purposes of this section, the term SCI self-
regulatory organization shall not include an exchange that is notice 
registered with the Commission pursuant to 15 U.S.C. 78f(g) or a 
limited purpose national securities association registered with the 
Commission pursuant to 15 U.S.C. 78o-3(k).
    SCI systems means all computer, network, electronic, technical, 
automated, or similar systems of, or operated by or on behalf of, an 
SCI entity that, with respect to securities, directly support trading, 
clearance and settlement, order routing, market data, market 
regulation, or market surveillance.
    Senior management means, for purposes of Rule 1003(b), an SCI 
entity's Chief Executive Officer, Chief Technology Officer, Chief 
Information Officer, General Counsel, and Chief Compliance Officer, or 
the equivalent of such employees or officers of an SCI entity.
    Systems compliance issue means an event at an SCI entity that has 
caused any SCI system of such entity to operate in a manner that does 
not comply with the Act and the rules and regulations thereunder or the 
entity's rules or governing documents, as applicable.
    Systems disruption means an event in an SCI entity's SCI systems 
that disrupts, or significantly degrades, the normal operation of an 
SCI system.
    Systems intrusion means any unauthorized entry into the SCI systems 
or indirect SCI systems of an SCI entity.


Sec.  242.1001  Obligations related to policies and procedures of SCI 
entities.

    (a) Capacity, integrity, resiliency, availability, and security. 
(1) Each SCI entity shall establish, maintain, and enforce written 
policies and procedures reasonably designed to ensure that its SCI 
systems and, for purposes of security standards, indirect SCI systems, 
have levels of capacity, integrity, resiliency, availability, and 
security, adequate to maintain the SCI entity's operational capability 
and promote the maintenance of fair and orderly markets.
    (2) Policies and procedures required by paragraph (a)(1) of this 
section shall include, at a minimum:
    (i) The establishment of reasonable current and future 
technological infrastructure capacity planning estimates;
    (ii) Periodic capacity stress tests of such systems to determine 
their ability to process transactions in an accurate, timely, and 
efficient manner;
    (iii) A program to review and keep current systems development and 
testing methodology for such systems;
    (iv) Regular reviews and testing, as applicable, of such systems, 
including backup systems, to identify vulnerabilities pertaining to 
internal and external threats, physical hazards, and natural or manmade 
disasters;
    (v) Business continuity and disaster recovery plans that include 
maintaining backup and recovery capabilities sufficiently resilient and 
geographically diverse and that are reasonably designed to achieve next 
business day resumption of trading and two-hour resumption of critical 
SCI systems following a wide-scale disruption;
    (vi) Standards that result in such systems being designed, 
developed, tested, maintained, operated, and surveilled in a manner 
that facilitates the successful collection, processing, and 
dissemination of market data; and
    (vii) Monitoring of such systems to identify potential SCI events.
    (3) Each SCI entity shall periodically review the effectiveness of 
the policies and procedures required by this paragraph (a), and take 
prompt action to remedy deficiencies in such policies and procedures.
    (4) For purposes of this paragraph (a), such policies and 
procedures shall be deemed to be reasonably designed if they are 
consistent with current SCI industry standards, which shall be 
comprised of information technology practices that are widely available 
to information technology professionals in the financial sector and 
issued by an authoritative body that is a U.S. governmental entity or 
agency, association of U.S. governmental entities or agencies, or 
widely recognized organization. Compliance with such current SCI 
industry standards, however, shall not be the exclusive means to comply 
with the requirements of this paragraph (a).
    (b) Systems compliance. (1) Each SCI entity shall establish, 
maintain, and enforce written policies and procedures reasonably 
designed to ensure that its SCI systems operate in a manner that 
complies with the Act and the rules and regulations thereunder and the 
entity's rules and governing documents, as applicable.
    (2) Policies and procedures required by paragraph (b)(1) of this 
section shall include, at a minimum:
    (i) Testing of all SCI systems and any changes to SCI systems prior 
to implementation;
    (ii) A system of internal controls over changes to SCI systems;
    (iii) A plan for assessments of the functionality of SCI systems 
designed to 
detect systems compliance issues, including by responsible SCI 
personnel and by personnel familiar with applicable provisions of the 
Act and the rules and regulations thereunder and the SCI entity's rules 
and governing documents; and
    (iv) A plan of coordination and communication between regulatory 
and other personnel of the SCI entity, including by responsible SCI 
personnel, regarding SCI systems design, changes, testing, and controls 
designed to detect and prevent systems compliance issues.
    (3) Each SCI entity shall periodically review the effectiveness of 
the policies and procedures required by this paragraph (b), and take 
prompt action to remedy deficiencies in such policies and procedures.
    (4) Safe harbor from liability for individuals. Personnel of an SCI 
entity shall be deemed not to have aided, abetted, counseled, 
commanded, caused, induced, or procured the violation by an SCI entity 
of this paragraph (b) if the person:
    (i) Has reasonably discharged the duties and obligations incumbent 
upon such person by the SCI entity's policies and procedures; and
    (ii) Was without reasonable cause to believe that the policies and 
procedures relating to an SCI system for which such person was 
responsible, or had supervisory responsibility, were not established, 
maintained, or enforced in accordance with this paragraph (b) in any 
material respect.
    (c) Responsible SCI personnel. (1) Each SCI entity shall establish, 
maintain, and enforce reasonably designed written policies and 
procedures that include the criteria for identifying responsible SCI 
personnel, the designation and documentation of responsible SCI 
personnel, and escalation procedures to quickly inform responsible SCI 
personnel of potential SCI events.
    (2) Each SCI entity shall periodically review the effectiveness of 
the policies and procedures required by paragraph (c)(1) of this 
section, and take prompt action to remedy deficiencies in such policies 
and procedures.


Sec.  242.1002  Obligations related to SCI events.

    (a) Corrective action. Upon any responsible SCI personnel having a 
reasonable basis to conclude that an SCI event has occurred, each SCI 
entity shall begin to take appropriate corrective action which shall 
include, at a minimum, mitigating potential harm to investors and 
market integrity resulting from the SCI event and devoting adequate 
resources to remedy the SCI event as soon as reasonably practicable.
    (b) Commission notification and recordkeeping of SCI events. Each 
SCI entity shall:
    (1) Upon any responsible SCI personnel having a reasonable basis to 
conclude that an SCI event has occurred, notify the Commission of such 
SCI event immediately;
    (2) Within 24 hours of any responsible SCI personnel having a 
reasonable basis to conclude that the SCI event has occurred, submit a 
written notification pertaining to such SCI event to the Commission, 
which shall be made on a good faith, best efforts basis and include:
    (i) A description of the SCI event, including the system(s) 
affected; and
    (ii) To the extent available as of the time of the notification: 
The SCI entity's current assessment of the types and number of market 
participants potentially affected by the SCI event; the potential 
impact of the SCI event on the market; a description of the steps the 
SCI entity has taken, is taking, or plans to take, with respect to the 
SCI event; the time the SCI event was resolved or timeframe within 
which the SCI event is expected to be resolved; and any other pertinent 
information known by the SCI entity about the SCI event;
    (3) Until such time as the SCI event is resolved and the SCI 
entity's investigation of the SCI event is closed, provide updates 
pertaining to such SCI event to the Commission on a regular basis, or 
at such frequency as reasonably requested by a representative of the 
Commission, to correct any materially incorrect information previously 
provided, or when new material information is discovered, including but 
not limited to, any of the information listed in paragraph (b)(2)(ii) 
of this section;
    (4)(i)(A) If an SCI event is resolved and the SCI entity's 
investigation of the SCI event is closed within 30 calendar days of the 
occurrence of the SCI event, then within five business days after the 
resolution of the SCI event and closure of the investigation regarding 
the SCI event, submit a final written notification pertaining to such 
SCI event to the Commission containing the information required in 
paragraph (b)(4)(ii) of this section.
    (B)(1) If an SCI event is not resolved or the SCI entity's 
investigation of the SCI event is not closed within 30 calendar days of 
the occurrence of the SCI event, then submit an interim written 
notification pertaining to such SCI event to the Commission within 30 
calendar days after the occurrence of the SCI event containing the 
information required in paragraph (b)(4)(ii) of this section, to the 
extent known at the time.
    (2) Within five business days after the resolution of such SCI 
event and closure of the investigation regarding such SCI event, submit 
a final written notification pertaining to such SCI event to the 
Commission containing the information required in paragraph (b)(4)(ii) 
of this section.
    (ii) Written notifications required by paragraph (b)(4)(i) of this 
section shall include:
    (A) A detailed description of: The SCI entity's assessment of the 
types and number of market participants affected by the SCI event; the 
SCI entity's assessment of the impact of the SCI event on the market; 
the steps the SCI entity has taken, is taking, or plans to take, with 
respect to the SCI event; the time the SCI event was resolved; the SCI 
entity's rule(s) and/or governing document(s), as applicable, that 
relate to the SCI event; and any other pertinent information known by 
the SCI entity about the SCI event;
    (B) A copy of any information disseminated pursuant to paragraph 
(c) of this section by the SCI entity to date regarding the SCI event 
to any of its members or participants; and
    (C) An analysis of parties that may have experienced a loss, 
whether monetary or otherwise, due to the SCI event, the number of such 
parties, and an estimate of the aggregate amount of such loss.
    (5) The requirements of paragraphs (b)(1) through (4) of this 
section shall not apply to any SCI event that has had, or the SCI 
entity reasonably estimates would have, no or a de minimis impact on 
the SCI entity's operations or on market participants. For such events, 
each SCI entity shall:
    (i) Make, keep, and preserve records relating to all such SCI 
events; and
    (ii) Submit to the Commission a report, within 30 calendar days 
after the end of each calendar quarter, containing a summary 
description of such systems disruptions and systems intrusions, 
including the SCI systems and, for systems intrusions, indirect SCI 
systems, affected by such systems disruptions and systems intrusions 
during the applicable calendar quarter.
    (c) Dissemination of SCI events. (1) Each SCI entity shall:
    (i) Promptly after any responsible SCI personnel has a reasonable 
basis to conclude that an SCI event that is a systems disruption or 
systems compliance issue has occurred, disseminate the following 
information about such SCI event:
    (A) The system(s) affected by the SCI event; and
    (B) A summary description of the SCI event; and
    (ii) When known, promptly further disseminate the following 
information about such SCI event:
    (A) A detailed description of the SCI event;
    (B) The SCI entity's current assessment of the types and number of 
market participants potentially affected by the SCI event; and
    (C) A description of the progress of its corrective action for the 
SCI event and when the SCI event has been or is expected to be 
resolved; and
    (iii) Until resolved, provide regular updates of any information 
required to be disseminated under paragraphs (c)(1)(i) and (ii) of this 
section.
    (2) Each SCI entity shall, promptly after any responsible SCI 
personnel has a reasonable basis to conclude that a SCI event that is a 
systems intrusion has occurred, disseminate a summary description of 
the systems intrusion, including a description of the corrective action 
taken by the SCI entity and when the systems intrusion has been or is 
expected to be resolved, unless the SCI entity determines that 
dissemination of such information would likely compromise the security 
of the SCI entity's SCI systems or indirect SCI systems, or an 
investigation of the systems intrusion, and documents the reasons for 
such determination.
    (3) The information required to be disseminated under paragraphs 
(c)(1) and (2) of this section promptly after any responsible SCI 
personnel has a reasonable basis to conclude that an SCI event has 
occurred, shall be promptly disseminated by the SCI entity to those 
members or participants of the SCI entity that any responsible SCI 
personnel has reasonably estimated may have been affected by the SCI 
event, and promptly disseminated to any additional members or 
participants that any responsible SCI personnel subsequently reasonably 
estimates may have been affected by the SCI event; provided, however, 
that for major SCI events, the information required to be disseminated 
under paragraphs (c)(1) and (2) of this section shall be promptly 
disseminated by the SCI entity to all of its members or participants.
    (4) The requirements of paragraphs (c)(1) through (3) of this 
section shall not apply to:
    (i) SCI events to the extent they relate to market regulation or 
market surveillance systems; or
    (ii) Any SCI event that has had, or the SCI entity reasonably 
estimates would have, no or a de minimis impact on the SCI entity's 
operations or on market participants.


Sec.  242.1003  Obligations related to systems changes; SCI review.

    (a) Systems changes. Each SCI entity shall:
    (1) Within 30 calendar days after the end of each calendar quarter, 
submit to the Commission a report describing completed, ongoing, and 
planned material changes to its SCI systems and the security of 
indirect SCI systems, during the prior, current, and subsequent 
calendar quarters, including the dates or expected dates of 
commencement and completion. An SCI entity shall establish reasonable 
written criteria for identifying a change to its SCI systems and the 
security of indirect SCI systems as material and report such changes in 
accordance with such criteria.
    (2) Promptly submit a supplemental report notifying the Commission 
of a material error in or material omission from a report previously 
submitted under this paragraph (a).
    (b) SCI review. Each SCI entity shall:
    (1) Conduct an SCI review of the SCI entity's compliance with 
Regulation SCI not less than once each calendar year; provided, 
however, that:
    (i) Penetration test reviews of the network, firewalls, and 
production systems shall be conducted at a frequency of not less than 
once every three years; and
    (ii) Assessments of SCI systems directly supporting market 
regulation or market surveillance shall be conducted at a frequency 
based upon the risk assessment conducted as part of the SCI review, but 
in no case less than once every three years; and
    (2) Submit a report of the SCI review required by paragraph (b)(1) 
of this section to senior management of the SCI entity for review no 
more than 30 calendar days after completion of such SCI review; and
    (3) Submit to the Commission, and to the board of directors of the 
SCI entity or the equivalent of such board, a report of the SCI review 
required by paragraph (b)(1) of this section, together with any 
response by senior management, within 60 calendar days after its 
submission to senior management of the SCI entity.


Sec.  242.1004  SCI entity business continuity and disaster recovery 
plans testing requirements for members or participants.

    With respect to an SCI entity's business continuity and disaster 
recovery plans, including its backup systems, each SCI entity shall:
    (a) Establish standards for the designation of those members or 
participants that the SCI entity reasonably determines are, taken as a 
whole, the minimum necessary for the maintenance of fair and orderly 
markets in the event of the activation of such plans;
    (b) Designate members or participants pursuant to the standards 
established in paragraph (a) of this section and require participation 
by such designated members or participants in scheduled functional and 
performance testing of the operation of such plans, in the manner and 
frequency specified by the SCI entity, provided that such frequency 
shall not be less than once every 12 months; and
    (c) Coordinate the testing of such plans on an industry- or sector-
wide basis with other SCI entities.


Sec.  242.1005  Recordkeeping requirements related to compliance with 
Regulation SCI.

    (a) An SCI SRO shall make, keep, and preserve all documents 
relating to its compliance with Regulation SCI as prescribed in Sec.  
240.17a-1 of this chapter.
    (b) An SCI entity that is not an SCI SRO shall:
    (1) Make, keep, and preserve at least one copy of all documents, 
including correspondence, memoranda, papers, books, notices, accounts, 
and other such records, relating to its compliance with Regulation SCI, 
including, but not limited to, records relating to any changes to its 
SCI systems and indirect SCI systems;
    (2) Keep all such documents for a period of not less than five 
years, the first two years in a place that is readily accessible to the 
Commission or its representatives for inspection and examination; and
    (3) Upon request of any representative of the Commission, promptly 
furnish to the possession of such representative copies of any 
documents required to be kept and preserved by it pursuant to 
paragraphs (b)(1) and (2) of this section.
    (c) Upon or immediately prior to ceasing to do business or ceasing 
to be registered under the Securities Exchange Act of 1934, an SCI 
entity shall take all necessary action to ensure that the records 
required to be made, kept, and preserved by this section shall be 
accessible to the Commission and its representatives in the manner 
required by this section and for the remainder of the period required 
by this section.


Sec.  242.1006  Electronic filing and submission.

    (a) Except with respect to notifications to the Commission made 
pursuant to Sec.  242.1002(b)(1) or updates to the Commission made 
pursuant to paragraph Sec.  242.1002(b)(3), any notification, review, 
description, analysis, or report to the Commission 
required to be submitted under Regulation SCI shall be filed 
electronically on Form SCI (Sec.  249.1900 of this chapter), include 
all information as prescribed in Form SCI and the instructions thereto, 
and contain an electronic signature; and
    (b) The signatory to an electronically filed Form SCI shall 
manually sign a signature page or document, in the manner prescribed by 
Form SCI, authenticating, acknowledging, or otherwise adopting his or 
her signature that appears in typed form within the electronic filing. 
Such document shall be executed before or at the time Form SCI is 
electronically filed and shall be retained by the SCI entity in 
accordance with Sec.  242.1005.


Sec.  242.1007  Requirements for service bureaus.

    If records required to be filed or kept by an SCI entity under 
Regulation SCI are prepared or maintained by a service bureau or other 
recordkeeping service on behalf of the SCI entity, the SCI entity shall 
ensure that the records are available for review by the Commission and 
its representatives by submitting a written undertaking, in a form 
acceptable to the Commission, by such service bureau or other 
recordkeeping service, signed by a duly authorized person at such 
service bureau or other recordkeeping service. Such a written 
undertaking shall include an agreement by the service bureau to permit 
the Commission and its representatives to examine such records at any 
time or from time to time during business hours, and to promptly 
furnish to the Commission and its representatives true, correct, and 
current electronic files in a form acceptable to the Commission or its 
representatives or hard copies of any or all or any part of such 
records, upon request, periodically, or continuously and, in any case, 
within the same time periods as would apply to the SCI entity for such 
records. The preparation or maintenance of records by a service bureau 
or other recordkeeping service shall not relieve an SCI entity from its 
obligation to prepare, maintain, and provide the Commission and its 
representatives access to such records.

PART 249--FORMS, SECURITIES EXCHANGE ACT OF 1934

7. The general authority citation for part 249 continues to read in 
part as follows:

    Authority:  15 U.S.C. 78a et seq. and 7201; and 18 U.S.C. 1350 
unless otherwise noted.
* * * * *
8. Add subpart T, consisting of Sec.  249.1900 to read as follows:

Subpart T--Form SCI, for filing notices and reports as required by 
Regulation SCI.


Sec.  249.1900.  Form SCI, for filing notices and reports as required 
by Regulation SCI.

    Form SCI shall be used to file notices and reports as required by 
Regulation SCI (Sec. Sec.  242.1000 through 242.1007).

    Note:  The text of Form SCI does not, and the amendments will 
not, appear in the Code of Federal Regulations.


------------------------------------------------------------------------
 
------------------------------------------------------------------------
Exhibit 1: Rule 1002(b)(2)             Within 24 hours of any
 Notification of SCI Event.             responsible SCI personnel having
Add/Remove/View......................   a reasonable basis to conclude
                                        that the SCI event has occurred,
                                        the SCI entity shall submit a
                                        written notification pertaining
                                        to such SCI event to the
                                        Commission, which shall be made
                                        on a good faith, best efforts
                                        basis and include:
                                       (a) a description of the SCI
                                        event, including the system(s)
                                        affected; and
                                          (b) to the extent available as
                                           of the time of the
                                           notification: The SCI
                                           entity's current assessment
                                           of the types and number of
                                           market participants
                                           potentially affected by the
                                           SCI event; the potential
                                           impact of the SCI event on
                                           the market; a description of
                                           the steps the SCI entity has
                                           taken, is taking, or plans to
                                           take, with respect to the SCI
                                           event; the time the SCI event
                                           was resolved or timeframe
                                           within which the SCI event is
                                           expected to be resolved; and
                                           any other pertinent
                                           information known by the SCI
                                           entity about the SCI event.
Exhibit 2: Rule 1002(b)(4) Final or    When submitting a final report
 Interim Report of SCI Event.           pursuant to either Rule
Add/Remove/View......................   1002(b)(4)(i)(A) or Rule
                                        1002(b)(4)(i)(B)(2), the SCI
                                        entity shall include:
                                       (a) a detailed description of:
                                        The SCI entity's assessment of
                                        the types and number of market
                                        participants affected by the SCI
                                        event; the SCI entity's
                                        assessment of the impact of the
                                        SCI event on the market; the
                                        steps the SCI entity has taken,
                                        is taking, or plans to take,
                                        with respect to the SCI event;
                                        the time the SCI event was
                                        resolved; the SCI entity's
                                        rule(s) and/or governing
                                        document(s), as applicable, that
                                        relate to the SCI event; and any
                                        other pertinent information
                                        known by the SCI entity about
                                        the SCI event;
                                          (b) a copy of any information
                                           disseminated pursuant to Rule
                                           1002(c) by the SCI entity to
                                           date regarding the SCI event
                                           to any of its members or
                                           participants; and
                                          (c) an analysis of parties
                                           that may have experienced a
                                           loss, whether monetary or
                                           otherwise, due to the SCI
                                           event, the number of such
                                           parties, and an estimate of
                                           the aggregate amount of such
                                           loss.
 
                                       When submitting an interim report
                                        pursuant to Rule
                                        1002(b)(4)(i)(B)(1), the SCI
                                        entity shall include such
                                        information to the extent known
                                        at the time.
Exhibit 3: Rule 1002(b)(5)(ii)         The SCI entity shall submit a
 Quarterly Report of De Minimis SCI     report, within 30 calendar days
 Events.                                after the end of each calendar
Add/Remove/View......................   quarter, containing a summary
                                        description of systems
                                        disruptions and systems
                                        intrusions that have had, or the
                                        SCI entity reasonably estimates
                                        would have, no or a de minimis
                                        impact on the SCI entity's
                                        operations or on market
                                        participants, including the SCI
                                        systems and, for systems
                                        intrusions, indirect SCI
                                        systems, affected by such SCI
                                        events during the applicable
                                        calendar quarter.
 
Exhibit 4: Rule 1003 (a) Quarterly     When submitting a report pursuant
 Report of Systems Changes.             to Rule 1003(a)(1), the SCI
Add/Remove/View......................   entity shall provide a report,
                                        within 30 calendar days after
                                        the end of each calendar
                                        quarter, describing completed,
                                        ongoing, and planned material
                                        changes to its SCI systems and
                                        the security of indirect SCI
                                        systems, during the prior,
                                        current, and subsequent calendar
                                        quarters, including the dates or
                                        expected dates of commencement
                                        and completion. An SCI entity
                                        shall establish reasonable
                                        written criteria for identifying
                                        a change to its SCI systems and
                                        the security of indirect SCI
                                        systems as material and report
                                        such changes in accordance with
                                        such criteria.
                                       When submitting a report pursuant
                                        to Rule 1003(a)(2), the SCI
                                        entity shall provide a
                                        supplemental report of a
                                        material error in or material
                                        omission from a report
                                        previously submitted under Rule
                                        1003(a)(1).
Exhibit 5: Rule 1003(b)(3) Report of   The SCI entity shall provide a
 SCI review.                            report of the SCI review,
Add/Remove/View......................   together with any response by
                                        senior management, within 60
                                        calendar days after its
                                        submission to senior management
                                        of the SCI entity.
Exhibit 6: Optional Attachments......  This exhibit may be used in order
Add/Remove/View......................   to attach other documents that
                                        the SCI entity may wish to
                                        submit as part of a Rule
                                        1002(b)(1) initial notification
                                        submission or Rule 1002(b)(3)
                                        update submission.
------------------------------------------------------------------------

General Instructions for Form SCI

A. Use of the Form

    Except with respect to notifications to the Commission made 
pursuant to Rule 1002(b)(1) or updates to the Commission made pursuant 
to Rule 1002(b)(3), any notification, review, description, analysis, or 
report required to be submitted pursuant to Regulation SCI under the 
Securities Exchange Act of 1934 (``Act'') shall be filed in an 
electronic format through an electronic form filing system (``EFFS''), 
a secure Web site operated by the Securities and Exchange Commission 
(``Commission''). Documents attached as exhibits filed through the EFFS 
system must be in a text-searchable format without the use of optical 
character recognition. If, however, a portion of a Form SCI submission 
(e.g., an image or diagram) cannot be made available in a text-
searchable format, such portion may be submitted in a non-text 
searchable format.

B. Need for Careful Preparation of the Completed Form, Including 
Exhibits

    This form, including the exhibits, is intended to elicit 
information necessary for Commission staff to work with SCI self-
regulatory organizations, SCI alternative trading systems, plan 
processors, and exempt clearing agencies subject to ARP (collectively, 
``SCI entities'') to ensure the capacity, integrity, resiliency, 
availability, security, and compliance of their automated systems. An 
SCI entity must provide all the information required by the form, 
including the exhibits, and must present the information in a clear and 
comprehensible manner. A filing that is incomplete or similarly 
deficient may be returned to the SCI entity. Any filing so returned 
shall for all purposes be deemed not to have been filed with the 
Commission. See also Rule 0-3 under the Act (17 CFR 240.0-3).

C. When To Use the Form

    Form SCI is comprised of six types of required submissions to the 
Commission pursuant to Rules 1002 and 1003. In addition, Form SCI 
permits SCI entities to submit to the Commission two additional types 
of submissions pursuant to Rules 1002(b)(1) and 1002(b)(3); however, 
SCI entities are not required to use Form SCI for these two types of 
submissions to the Commission. In filling out Form SCI, an SCI entity 
shall select the type of filing and provide all information required by 
Regulation SCI specific to that type of filing.
    The first two types of required submissions relate to Commission 
notification of certain SCI events:
    (1) ``Rule 1002(b)(2) Notification of SCI Event'' submissions for 
notifications regarding systems disruptions, systems compliance issues, 
or systems intrusions (collectively, ``SCI events''), other than any 
systems disruption or systems intrusion that has had, or the SCI entity 
reasonably estimates would have, no or a de minimis impact on the SCI 
entity's operations or on market participants; and
    (2) ``Rule 1002(b)(4) Final or Interim Report of SCI Event'' 
submissions, of which there are two kinds (a final report under Rule 
1002(b)(4)(i)(A) or Rule 1002(b)(4)(i)(B)(2); or an interim status 
report under Rule 1002(b)(4)(i)(B)(1)).
    The other four types of required submissions are periodic reports, 
and include:
    (1) ``Rule 1002(b)(5)(ii)'' submissions for quarterly reports of 
systems disruptions and systems intrusions which have had, or the SCI 
entity reasonably estimates would have, no or a de minimis impact on 
the SCI entity's operations or on market participants (``de minimis SCI 
events'');
    (2) ``Rule 1003(a)(1)'' submissions for quarterly reports of 
material systems changes;
    (3) ``Rule 1003(a)(2)'' submissions for supplemental reports of 
material systems changes; and
    (4) ``Rule 1003(b)(3)'' submissions for reports of SCI reviews.

Required Submissions for SCI Events

    For 1002(b)(2) submissions, an SCI entity must notify the 
Commission using Form SCI by selecting the appropriate box in Section I 
and filling out all information required by the form, including Exhibit 
1. 1002(b)(2) submissions must be submitted within 24 hours of any 
responsible SCI personnel having a reasonable basis to conclude that an 
SCI event has occurred.
    For 1002(b)(4) submissions, if an SCI event is resolved and the SCI 
entity's investigation of the SCI event is closed within 30 calendar 
days of the occurrence of the SCI event, an SCI entity must file a 
final report under Rule 1002(b)(4)(i)(A) within five business days 
after the resolution of the SCI event and closure of the investigation 
regarding the SCI event. However, if an SCI event is not resolved or 
the SCI entity's investigation of the SCI event is not closed within 30 
calendar days of the occurrence of the SCI event, an SCI entity must 
file an interim status report under Rule 1002(b)(4)(i)(B)(1) within 30 
calendar days after the occurrence of the SCI event. For SCI events in 
which an interim status report is required to be filed, an SCI entity 
must file a final report under Rule 1002(b)(4)(i)(B)(2) within five 
business days after the resolution of the SCI event and closure of the 
investigation regarding the SCI event. For 1002(b)(4) submissions, an 
SCI entity must notify the Commission using Form SCI by selecting the 
appropriate box in Section I and filling out all information required 
by the form, including Exhibit 2.

Required Submissions for Periodic Reporting

    For 1002(b)(5)(ii) submissions, an SCI entity must submit quarterly 
reports of systems disruptions and systems intrusions which have had, 
or the SCI entity reasonably estimates would have, no or a de minimis 
impact on the SCI entity's operations or on market participants. The 
SCI entity must select 
the appropriate box in Section II and fill out all information required 
by the form, including Exhibit 3.
    For 1003(a)(1) submissions, an SCI entity must submit its quarterly 
report of material systems changes to the Commission using Form SCI. 
The SCI entity must select the appropriate box in Section II and fill 
out all information required by the form, including Exhibit 4.
    Filings made pursuant to Rule 1002(b)(5)(ii) and Rule 1003(a)(1) 
must be submitted to the Commission within 30 calendar days after the 
end of each calendar quarter (i.e., March 31st, June 30th, September 
30th and December 31st) of each year.
    For 1003(a)(2) submissions, an SCI entity must submit a 
supplemental report notifying the Commission of a material error in or 
material omission from a report previously submitted under Rule 
1003(a). The SCI entity must select the appropriate box in Section II 
and fill out all information required by the form, including Exhibit 4.
    For 1003(b)(3) submissions, an SCI entity must submit its report of 
its SCI review, together with any response by senior management, to the 
Commission using Form SCI. A 1003(b)(3) submission is required within 
60 calendar days after the report of the SCI review has been submitted 
to senior management of the SCI entity. The SCI entity must select the 
appropriate box in Section II and fill out all information required by 
the form, including Exhibit 5.

Optional Submissions

    An SCI entity may, but is not required to, use Form SCI to submit a 
notification pursuant to Rule 1002(b)(1). If the SCI entity uses Form 
SCI to submit a notification pursuant to Rule 1002(b)(1), it must 
select the appropriate box in Section I and provide a short description 
of the SCI event. Documents may also be attached as Exhibit 6 if the 
SCI entity chooses to do so. An SCI entity may, but is not required to, 
use Form SCI to submit an update pursuant to Rule 1002(b)(3). Rule 
1002(b)(3) requires an SCI entity to, until such time as the SCI event 
is resolved and the SCI entity's investigation of the SCI event is 
closed, provide updates pertaining to such SCI event to the Commission 
on a regular basis, or at such frequency as reasonably requested by a 
representative of the Commission, to correct any materially incorrect 
information previously provided, or when new material information is 
discovered, including but not limited to, any of the information listed 
in Rule 1002(b)(2)(ii). If the SCI entity uses Form SCI to submit an 
update pursuant to Rule 1002(b)(3), it must select the appropriate box 
in Section I and provide a short description of the SCI event. 
Documents may also be attached as Exhibit 6 if the SCI entity chooses 
to do so.

D. Documents Comprising the Completed Form

    The completed form filed with the Commission shall consist of Form 
SCI, responses to all applicable items, and any exhibits required in 
connection with the filing. Each filing shall be marked on Form SCI 
with the initials of the SCI entity, the four-digit year, and the 
number of the filing for the year (e.g., SCI Name-YYYY-XXX).

E. Contact Information; Signature; and Filing of the Completed Form

    Each time an SCI entity submits a filing to the Commission on Form 
SCI, the SCI entity must provide the contact information required by 
Section III of Form SCI. Space for additional contact information, if 
appropriate, is also provided.
    All notifications and reports required to be submitted through Form 
SCI shall be filed through the EFFS. In order to file Form SCI through 
the EFFS, SCI entities must request access to the Commission's External 
Application Server by completing a request for an external account user 
ID and password. Initial requests will be received by contacting (202) 
551-5777. An email will be sent to the requestor that will provide a 
link to a secure Web site where basic profile information will be 
requested. A duly authorized individual of the SCI entity shall 
electronically sign the completed Form SCI as indicated in Section IV 
of the form. In addition, a duly authorized individual of the SCI 
entity shall manually sign one copy of the completed Form SCI, and the 
manually signed signature page shall be preserved pursuant to the 
requirements of Rule 1005.

F. Withdrawals of Commission Notifications and Periodic Reports

    If an SCI entity determines to withdraw a Form SCI, it must 
complete Page 1 of the Form SCI and indicate by selecting the 
appropriate check box to withdraw the submission.

G. Paperwork Reduction Act Disclosure

    This collection of information will be reviewed by the Office of 
Management and Budget in accordance with the clearance requirements of 
44 U.S.C. 3507. An agency may not conduct or sponsor, and a person is 
not required to respond to, a collection of information unless it 
displays a currently valid control number. The Commission estimates 
that the average burden to respond to Form SCI will be between one and 
125 hours, depending upon the purpose for which the form is being 
filed. Any member of the public may direct to the Commission any 
comments concerning the accuracy of this burden estimate and any 
suggestions for reducing this burden.
    Except with respect to notifications to the Commission made 
pursuant to Rule 1002(b)(1) or updates to the Commission made pursuant 
to Rule 1002(b)(3), it is mandatory that an SCI entity file all 
notifications, reviews, descriptions, analyses, and reports required by 
Regulation SCI using Form SCI. The Commission will keep the information 
collected pursuant to Form SCI confidential to the extent permitted by 
law. Subject to the provisions of the Freedom of Information Act, 5 
U.S.C. 522 (``FOIA''), and the Commission's rules thereunder (17 CFR 
200.80(b)(4)(iii)), the Commission does not generally publish or make 
available information contained in any reports, summaries, analyses, 
letters, or memoranda arising out of, in anticipation of, or in 
connection with an examination or inspection of the books and records 
of any person or any other investigation.

H. Exhibits

    List of exhibits to be filed, as applicable:
    Exhibit 1: Rule 1002(b)(2)--Notification of SCI Event. Within 24 
hours of any responsible SCI personnel having a reasonable basis to 
conclude that the SCI event has occurred, the SCI entity shall submit a 
written notification pertaining to such SCI event to the Commission, 
which shall be made on a good faith, best efforts basis and include: 
(a) A description of the SCI event, including the system(s) affected; 
and (b) to the extent available as of the time of the notification: the 
SCI entity's current assessment of the types and number of market 
participants potentially affected by the SCI event; the potential 
impact of the SCI event on the market; a description of the steps the 
SCI entity has taken, is taking, or plans to take, with respect to the 
SCI event; the time the SCI event was resolved or timeframe within 
which the SCI event is expected to be resolved; and any other pertinent 
information known by the SCI entity about the SCI event.
    Exhibit 2: Rule 1002(b)(4)--Final or Interim Report of SCI Event. 
When submitting a final report pursuant to either Rule 1002(b)(4)(i)(A) 
or Rule 1002(b)(4)(i)(B)(2), the SCI entity shall include: (a) A 
detailed description of: 
The SCI entity's assessment of the types and number of market 
participants affected by the SCI event; the SCI entity's assessment of 
the impact of the SCI event on the market; the steps the SCI entity has 
taken, is taking, or plans to take, with respect to the SCI event; the 
time the SCI event was resolved; the SCI entity's rule(s) and/or 
governing document(s), as applicable, that relate to the SCI event; and 
any other pertinent information known by the SCI entity about the SCI 
event; (b) a copy of any information disseminated pursuant to Rule 
1002(c) by the SCI entity to date regarding the SCI event to any of its 
members or participants; and (c) an analysis of parties that may have 
experienced a loss, whether monetary or otherwise, due to the SCI 
event, the number of such parties, and an estimate of the aggregate 
amount of such loss. When submitting an interim report pursuant to Rule 
1002(b)(4)(i)(B)(1), the SCI entity shall include such information to 
the extent known at the time.
    Exhibit 3: Rule 1002(b)(5)(ii)--Quarterly Report of De Minimis SCI 
Events. The SCI entity shall submit a report, within 30 calendar days 
after the end of each calendar quarter, containing a summary 
description of systems disruptions and systems intrusions that have 
had, or the SCI entity reasonably estimates would have, no or a de 
minimis impact on the SCI entity's operations or on market 
participants, including the SCI systems and, for systems intrusions, 
indirect SCI systems, affected by such SCI events during the applicable 
calendar quarter.
    Exhibit 4: Rule 1003(a)--Quarterly Report of Systems Changes. When 
submitting a report pursuant to Rule 1003(a)(1), the SCI entity shall 
provide a report, within 30 calendar days after the end of each 
calendar quarter, describing completed, ongoing, and planned material 
changes to its SCI systems and the security of indirect SCI systems, 
during the prior, current, and subsequent calendar quarters, including 
the dates or expected dates of commencement and completion. An SCI 
entity shall establish reasonable written criteria for identifying a 
change to its SCI systems and the security of indirect SCI systems as 
material and report such changes in accordance with such criteria. When 
submitting a report pursuant to Rule 1003(a)(2), the SCI entity shall 
provide a supplemental report of a material error in or material 
omission from a report previously submitted under Rule 1003(a); 
provided, however, that a supplemental report is not required if 
information regarding a material systems change is or will be provided 
as part of a notification made pursuant to Rule 1002(b).
    Exhibit 5: Rule 1003(b)(3)--Report of SCI Review. The SCI entity 
shall provide a report of the SCI review, together with any response by 
senior management, within 60 calendar days after its submission to 
senior management of the SCI entity.
    Exhibit 6: Optional Attachments. This exhibit may be used in order 
to attach other documents that the SCI entity may wish to submit as 
part of a Rule 1002(b)(1) initial notification submission or Rule 
1002(b)(3) update submission.

I. Explanation of Terms

    Critical SCI systems means any SCI systems of, or operated by or on 
behalf of, an SCI entity that: (1) directly support functionality 
relating to: (i) clearance and settlement systems of clearing agencies; 
(ii) openings, reopenings, and closings on the primary listing market; 
(iii) trading halts; (iv) initial public offerings; (v) the provision 
of consolidated market data; or (vi) exclusively-listed securities; or 
(2) provide functionality to the securities markets for which the 
availability of alternatives is significantly limited or nonexistent 
and without which there would be a material impact on fair and orderly 
markets.
    Indirect SCI systems means any systems of, or operated by or on 
behalf of, an SCI entity that, if breached, would be reasonably likely 
to pose a security threat to SCI systems.
    Major SCI event means an SCI event that has had, or the SCI entity 
reasonably estimates would have: (1) Any impact on a critical SCI 
system; or (2) a significant impact on the SCI entity's operations or 
on market participants.
    Responsible SCI personnel means, for a particular SCI system or 
indirect SCI system impacted by an SCI event, such senior manager(s) of 
the SCI entity having responsibility for such system, and their 
designee(s).
    SCI entity means an SCI self-regulatory organization, SCI 
alternative trading system, plan processor, or exempt clearing agency 
subject to ARP.
    SCI event means an event at an SCI entity that constitutes: (1) A 
systems disruption; (2) a systems compliance issue; or (3) a systems 
intrusion.
    SCI review means a review, following established procedures and 
standards, that is performed by objective personnel having appropriate 
experience to conduct reviews of SCI systems and indirect SCI systems, 
and which review contains: (1) A risk assessment with respect to such 
systems of an SCI entity; and (2) an assessment of internal control 
design and effectiveness of its SCI systems and indirect SCI systems to 
include logical and physical security controls, development processes, 
and information technology governance, consistent with industry 
standards.
    SCI systems means all computer, network, electronic, technical, 
automated, or similar systems of, or operated by or on behalf of, an 
SCI entity that, with respect to securities, directly support trading, 
clearance and settlement, order routing, market data, market 
regulation, or market surveillance.
    Systems Compliance Issue means an event at an SCI entity that has 
caused any SCI system of such entity to operate in a manner that does 
not comply with the Act and the rules and regulations thereunder or the 
entity's rules or governing documents, as applicable.
    Systems Disruption means an event in an SCI entity's SCI systems 
that disrupts, or significantly degrades, the normal operation of an 
SCI system.
    Systems Intrusion means any unauthorized entry into the SCI systems 
or indirect SCI systems of an SCI entity.

    By the Commission.

    Dated: November 19, 2014.
Brent J. Fields,
Secretary.

Exhibit A

Key to Comment Letters Cited in Regulation SCI Adopting Release 
(File No. S7-01-13)
Letter from Charles V. Rossi, President, The Securities Transfer 
Association, Inc. to Elizabeth Murphy, Secretary, Commission, dated 
April 3, 2013 (``STA Letter'')
Letter from John J. Rapa, President/Chief Executive Officer, 
Tellefsen and Company, L.L.C., Northborough, Massachusetts to 
Elizabeth Murphy, Commission, dated April 19, 2013 (``Tellefsen 
Letter'')
Letter from Cynthia Fuller, Executive Director, on behalf of 
Accredited Standards Committee X9, Inc. Financial Industry Standards 
to the Commission, dated May 23, 2013 (``X9 Letter'')
Letter from Scott Cooper, Vice President, Government Relations and 
Public Policy, American National Standards Institute to the 
Commission, dated May 23, 2013 (``ANSI Letter'')
Letter from James J. Angel, Ph.D., CFA, Visiting Associate 
Professor, The Wharton School, University of Pennsylvania to the 
Commission, dated June 3, 2013 (``Angel Letter'')
Letter from Raymond M. Tierney III, President and Chief Executive 
Officer, Bloomberg Tradebook LLC to Elizabeth Murphy, Secretary, 
Commission, dated June 19, 2013 (``Tradebook Letter'')
Letter from Jay M. Goldstone, Chairman, Municipal Securities 
Rulemaking Board, Alexandria, Virginia to Elizabeth Murphy, 
Secretary, Commission, dated June 28, 2013 (``MSRB Letter'')


Letter from Thomas V. D'Ambrosio, Chairman, Committee on Futures and 
Derivatives, New York City Bar Association to Elizabeth Murphy, 
Secretary, Commission, dated July 1, 2013 (``NYC Bar Letter'')
Letter from Richard M. Whiting, Executive Director and General 
Counsel, The Financial Services Roundtable to Elizabeth Murphy, 
Secretary, Commission, dated July 5, 2013 (``FSR Letter'')
Letter from Rob Flatley, Chief Executive Officer and President, 
CoreOne Technologies to Elizabeth Murphy, Secretary, Commission, 
dated July 8, 2013 (``CoreOne Letter'')
Letter from Manisha Kimmel, Executive Director, Financial 
Information Forum to Elizabeth Murphy, Secretary, Commission, dated 
July 8, 2013 (``FIF Letter'')
Letter from Larry E. Thompson, Managing Director and General 
Counsel, The Depository Trust Clearing Corporation to Elizabeth 
Murphy, Secretary, Commission, dated July 8, 2013 (``DTCC Letter'')
Letter from Raymond Tamayo, Chief Information Officer, Options 
Clearing Corporation to Elizabeth Murphy, Secretary, Commission, 
dated July 8, 2013 (``OCC Letter'')
Letter from Timothy J. Mahoney, CEO, BIDS Trading, L.P., New York, 
New York to Elizabeth Murphy, Secretary, Commission, dated July 8, 
2013 (``BIDS Letter'')
Letter from Michael Simon, Secretary, International Securities 
Exchange, LLC to Elizabeth Murphy, Secretary, Commission, dated July 
8, 2013 (``ISE Letter'')
Letter from Courtney D. McGuinn, Operations Director, FIX Protocol 
Ltd., New York, New York to Elizabeth Murphy, Secretary, Commission, 
dated July 8, 2013 (``FIX Letter'')
Letter from R.T. Leuchtkafer to Elizabeth Murphy, Secretary, 
Commission, dated July 8, 2013 (``Leuchtkafer Letter'')
Letter from Dennis M. Kelleher, President & CEO; Stephen W. Hall, 
Securities Specialist; Katelynn O. Bradley, Attorney; and David 
Frenk, Director of Research; Better Markets, Inc. to Elizabeth 
Murphy, Secretary, Commission, dated July 8, 2013 (``Better Markets 
Letter'')
Letter from Lev Lesokhin, Executive Vice President, Strategy and 
Markets, CAST, Inc., New York, New York to the Commission, dated 
July 8, 2013 (``CAST Letter'')
Letter from Robert J. McCarthy, Director of Regulatory Policy, Wells 
Fargo Advisors to Elizabeth Murphy, Secretary, Commission, dated 
July 8, 2013 (``Wells Fargo Letter'')
Letter from Marcia E. Asquith, Senior Vice President and Corporate 
Secretary, FINRA to Elizabeth Murphy, Secretary, Commission, dated 
July 8, 2013 (``FINRA Letter'')
Letter from Dr. Bill Curtis, Director, Consortium for IT Software 
Quality to Elizabeth Murphy, Secretary, Commission, dated July 8, 
2013 (``CISQ Letter'')
Letter from Howard Meyerson, General Counsel, Liquidnet, Inc., New 
York, New York to the Commission, dated July 8, 2013 (``Liquidnet 
Letter'')
Letter from David T. Bellaire, Esq., Executive Vice President and 
General Counsel, Financial Services Institute, Washington, District 
of Columbia to Elizabeth Murphy, Secretary, Commission, dated July 
8, 2013 (``FSI Letter'')
Letter from Scott C. Goebel, General Counsel, Fidelity Management 
and Research Co., Boston, Massachusetts to Elizabeth Murphy, 
Secretary, Commission, dated July 8, 2013 (``Fidelity Letter'')
Letter from Joseph Adamczyk, Executive Director, Associate General 
Counsel, CME Group Inc. to Elizabeth Murphy, Secretary, Commission, 
dated July 8, 2013 (``CME Letter'')
Letter from Norman M. Reed, Omgeo LLC, New York, New York to 
Elizabeth Murphy, Secretary, Commission, dated July 8, 2013 (``Omgeo 
Letter'')
Letter from David Lauer, Market Structure and Technology 
Architecture Consultant, Step Ahead Technologies, LLC to Elizabeth 
Murphy, Secretary, Commission, dated July 8, 2013 (``Lauer Letter'')
Letter from Theodore R. Lazo, Managing Director and Associate 
General Counsel, SIFMA to Elizabeth Murphy, Secretary, Commission, 
dated July 8, 2013 (``SIFMA Letter'')
Letter from Jeffrey Wallis, Managing Partner, SunGard Consulting 
Services, New York, New York to Elizabeth Murphy, Secretary, 
Commission, dated July 8, 2013 (``SunGard Letter'')
Letter from Janet McGinness, EVP & Corporate Secretary, NYSE 
Euronext to Elizabeth Murphy, Secretary, Commission, dated July 9, 
2013 (``NYSE Letter'')
Letter from Eric J. Swanson, Secretary, BATS Global Markets to 
Elizabeth Murphy, Secretary, Commission, dated July 10, 2013 (``BATS 
Letter'')
Letter from Mary Ann Burns, Futures Industry Association Principal 
Traders Group, Washington, District of Columbia to Elizabeth Murphy, 
Secretary, Commission, dated July 11, 2013 (``FIA PTG Letter'')
Letter from James P. Selway, III, P. Mats Goebels and Sudhanshu 
Arya, ITG Inc. to Elizabeth Murphy, Secretary, Commission, dated 
July 11, 2013 (``ITG Letter'')
Letter from Karrie McMillan, General Counsel, Investment Company 
Institute to Elizabeth Murphy, Secretary, Commission, dated July 12, 
2013 (``ICI Letter'')
Letter from Stuart J. Kaswell, Executive Vice President & Managing 
Director, Managed Funds Association, and Jirí Król, 
Deputy CEO, Head of Government and Regulatory Affairs, Alternative 
Investment Management Association to Elizabeth Murphy, Secretary, 
Commission, dated July 17, 2013 (``MFA Letter'')
Letter from Anthony J. Saliba, Chief Executive Officer, LiquidPoint, 
LLC to Elizabeth Murphy, Secretary, Commission, dated July 22, 2013 
(``LiquidPoint Letter'')
Letter from Elizabeth K. King, Global Head of Regulatory Affairs, 
KCG Holdings, Inc., Jersey City, New Jersey to Elizabeth Murphy, 
Secretary, Commission, dated July 25, 2013 (``KCG Letter'')
Letter from Roger Anerella, Managing Director, Global Head of 
Securities Execution Services, UBS Investment Bank to Elizabeth 
Murphy, Secretary, Commission, dated July 26, 2013 (``UBS Letter'')
Letter from Eric Swanson, SVP, General Counsel and Secretary, BATS 
Global Markets, Inc., et al. to Elizabeth Murphy, Secretary, 
Commission, dated July 30, 2013 (``Joint SROs Letter'')
Letter from Thomas S. Vales, Chief Executive Officer, TMC Bonds LLC 
to Elizabeth Murphy, Secretary, Commission, dated August 6, 2013 
(``TMC Bonds Letter'')
Letter from James J. Angel, Ph.D., CFA, Visiting Associate 
Professor, The Wharton School, University of Pennsylvania to the 
Commission, dated September 3, 2013 (``Angel2 Letter'')
Letter from Benjamin R. Londergan, Chief Executive Officer, Group 
One Trading L.P. to Elizabeth Murphy, Secretary, Commission, dated 
September 3, 2013 (``Group One Letter'')
Letter from Ari Gabinet, Executive Vice President and General 
Counsel, OFI Global Asset Management to Elizabeth Murphy, Secretary, 
Commission, dated September 9, 2013 (``Oppenheimer Letter'')
Letter from Daniel Zinn, General Counsel, OTC Markets Group Inc. to 
Elizabeth Murphy, Secretary, Commission, dated September 12, 2013 
(``OTC Markets Letter'')
Letter from Dr. Bill Curtis, Director, Consortium for IT Software 
Quality to Elizabeth Murphy, Secretary, Commission, dated September 
17, 2013 (``CISQ2 Letter'')
Letter from William O'Brien, Chief Executive Officer, Direct Edge 
Holdings to Elizabeth M. Murphy, Secretary, Commission, dated 
September 25, 2013 (``Direct Edge Letter'')
Letter from Richie Prager, Managing Director, Head of Trading & 
Liquidity Strategies, Hubert De Jesus, Managing Director, Co-Head of 
Market Structure & Electronic Trading, Supurna Vedbrat, Managing 
Director, Co-Head of Market Structure & Electronic Trading, and 
Joanne Medero, Managing Director, Government Relations & Public 
Policy, BlackRock, Inc. to Mary Jo White, Chair, Commission, dated 
September 12, 2014 (``BlackRock Letter'').

[FR Doc. 2014-27767 Filed 12-4-14; 8:45 am]