Regulation Systems Compliance and Integrity, 23146-23274 [2023-05775]

23146 Federal Register / Vol. 88, No. 72 / Friday, April 14, 2023 / Proposed Rules

SECURITIES AND EXCHANGE COMMISSION

17 CFR Parts 242 and 249

[Release No. 34–97143; File No. S7–07–23]

RIN 3235–AN25

Regulation Systems Compliance and Integrity

AGENCY: Securities and Exchange Commission.

ACTION: Proposed rule.

SUMMARY: The Securities and Exchange Commission (“Commission” or “SEC”) is proposing amendments to Regulation Systems Compliance and Integrity (“Regulation SCI”) under the Securities Exchange Act of 1934 (“Exchange Act”). The proposed amendments would expand the definition of “SCI entity” to include a broader range of key market participants in the U.S. securities market infrastructure, and update certain provisions of Regulation SCI to take account of developments in the technology landscape of the markets since the adoption of Regulation SCI in 2014. The proposed expansion would add the following entities to the definition of “SCI entity”: registered security-based swap data repositories (“SBSDRs”); registered broker-dealers exceeding an asset or transaction activity threshold; and additional clearing agencies exempted from registration. The proposed updates would amend provisions of Regulation SCI relating to systems classification and lifecycle management; third party/vendor management; cybersecurity; the SCI review; the role of current SCI industry standards; and recordkeeping and related matters. Further, the Commission is requesting comment on whether significant-volume alternative trading systems (ATSs) and/or broker-dealers using electronic or automated systems for trading of corporate debt securities or municipal securities should be subject to Regulation SCI.

DATES: Comments should be received on or before June 13, 2023.

ADDRESSES: Comments may be submitted by any of the following methods:

Electronic Comments

• Use the Commission’s internet comment form (https://www.sec.gov/rules/proposed.shtml); or
• Send an email to rule-comments@sec.gov. Please include File Number S7–07–23 on the subject line.

Paper Comments

• Send paper comments to Secretary, Securities and Exchange Commission, 100 F Street NE, Washington, DC 20549–1090.

All submissions should refer to File Number S7–07–23. This file number should be included on the subject line if email is used. To help the Commission process and review your comments more efficiently, please use only one method of submission. The Commission will post all comments on the Commission’s website (https://www.sec.gov/rules/proposed.shtml). Comments are also available for website viewing and printing in the Commission’s Public Reference Room, 100 F Street NE, Washington, DC 20549 on official business days between the hours of 10 a.m. and 3 p.m. Operating conditions may limit access to the Commission’s Public Reference Room. All comments received will be posted without change. Persons submitting comments are cautioned that we do not redact or edit personal identifying information from comment submissions. You should submit only information that you wish to make available publicly.

Studies, memoranda, or other substantive items may be added by the Commission or staff to the comment file during this rulemaking. A notification of the inclusion in the comment file of any materials will be made available on our website. To ensure direct electronic receipt of such notifications, sign up through the “Stay Connected” option at www.sec.gov to receive notifications by email.
FOR FURTHER INFORMATION CONTACT: Heidi Pilpel, Senior Special Counsel; David Liu, Special Counsel; Sara Hawkins, Special Counsel; Gita Subramaniam, Special Counsel; Josh Nimmo, Special Counsel; An Phan, Special Counsel, at (202) 551–5500, Office of Market Supervision, Division of Trading and Markets, U.S. Securities and Exchange Commission, 100 F Street NE, Washington, DC 20549.

SUPPLEMENTARY INFORMATION: The Commission is proposing amendments to the following rules under the Exchange Act and conforming amendments to Form SCI.

Commission reference            CFR citation (17 CFR)
Rule 1000                       § 242.1000
Rule 1001                       § 242.1001
Rule 1001(a)                    § 242.1001(a)
Rule 1001(a)(2)                 § 242.1001(a)(2)
Rule 1001(a)(2)(v)              § 242.1001(a)(2)(v)
Rule 1001(a)(2)(vi)             § 242.1001(a)(2)(vi)
Rule 1001(a)(2)(vii)            § 242.1001(a)(2)(vii)
Rule 1001(a)(4)                 § 242.1001(a)(4)
Rule 1002                       § 242.1002
Rule 1002(b)                    § 242.1002(b)
Rule 1002(b)(4)(ii)(B)          § 242.1002(b)(4)(ii)(B)
Rule 1002(b)(5)                 § 242.1002(b)(5)
Rule 1002(b)(5)(i)              § 242.1002(b)(5)(i)
Rule 1002(b)(5)(ii)             § 242.1002(b)(5)(ii)
Rule 1002(c)                    § 242.1002(c)
Rule 1002(c)(3)                 § 242.1002(c)(3)
Rule 1002(c)(4)                 § 242.1002(c)(4)
Rule 1002(c)(4)(i)              § 242.1002(c)(4)(i)
Rule 1002(c)(4)(ii)             § 242.1002(c)(4)(ii)
Rule 1003                       § 242.1003
Rule 1003(b)                    § 242.1003(b)
Rule 1003(b)(1)                 § 242.1003(b)(1)
Rule 1003(b)(2)                 § 242.1003(b)(2)
Rule 1003(b)(3)                 § 242.1003(b)(3)
Rule 1004                       § 242.1004
Rule 1004(a)                    § 242.1004(a)
Rule 1004(b)                    § 242.1004(b)
Rule 1005                       § 242.1005
Rule 1005(c)                    § 242.1005(c)

I. Introduction
II. Background and Overview
   A. History of Regulation SCI
   B. Current Regulation SCI
      1. SCI Entities and SCI Systems
      2. Reasonably Designed Policies and Procedures
      3. SCI Events
      4. Systems Changes and SCI Review
      5. Business Continuity and Disaster Recovery Testing with Members/Participants
      6. Recordkeeping and Other Provisions (Rules 1005–1007)
   C. Overview of Proposed Amendments to Regulation SCI
III. Proposed Amendments to Regulation SCI
   A. Definition of SCI Entity
      1. Evolution: Current and Proposed SCI Entities
      2. New Proposed SCI Entities
      3. General Request for Comment on Proposed Expansion of SCI Entities
   B. Request for Comment Regarding Significant-Volume Fixed Income ATSs and Broker-Dealers Using Electronic or Automated Systems for Trading of Corporate Debt Securities or Municipal Securities
      1. Discussion
      2. Request for Comment
   C. Strengthening Obligations of SCI Entities
      1. Systems Classification and Lifecycle Management
      2. Third-Party Provider Management
      3. Security
      4. SCI Review
      5. Current SCI Industry Standards
      6. Other Changes
   D. SCI Entities Subject to the Exchange Act Cybersecurity Proposal and/or Regulation S–P
      1. Discussion
      2. Request for Comment
IV. Paperwork Reduction Act
   A. Summary of Collections of Information
   B. Proposed Use of Information
      1. Rule 1001 of Regulation SCI
      2. Rule 1002 of Regulation SCI
      3. Rule 1003 of Regulation SCI
      4. Rule 1004 of Regulation SCI
      5. Rule 1005 and 1007 of Regulation SCI
      6. Rule 1006 of Regulation SCI
   C. Respondents
   D. Total Initial and Annual Reporting Burdens
      1. Rule 1001
      2. Rule 1002
      3. Rule 1003
      4. Rule 1004
      5. Rule 1005
      6. Rule 1006
      7. Summary of the Information Collection Burden
   E. Collection of Information Is Mandatory
   F. Confidentiality of Responses to Collection of Information
   G. Request for Comment
V. Economic Analysis
   A. Introduction
   B. Baseline
      1. New SCI Entities
      2. Existing SCI Entities
      3. Current Market Practice
      4. Other Affected Parties
   C. Analysis of Benefits and Costs of Proposed Amendments
      1. General Benefits and Costs of Proposed Amendments
      2. Expansion to New SCI Entities
      3. Specific Benefits and Costs of Regulation SCI Requirements for All SCI Entities
   D. Efficiency, Competition, and Capital Formation Analysis
   E. Reasonable Alternatives
      1. Limiting the Scope of the Regulation SCI Provisions for New SCI Entities
      2. Mandating Compliance with Current SCI Industry Standards
      3. Requiring Diversity of Back-Up Plan Resources
      4. Penetration Testing Frequency
      5. Attestation for Critical SCI System Vendors
      6. Transaction Activity Threshold for SCI Broker-Dealers
      7. Limitation on Definition of “SCI Systems” for SCI Broker-Dealers
VI. Regulatory Flexibility Act Certification
   A. “Small Entity” Definitions
   B. Current SCI Entities
      1. SCI SROs
      2. The MSRB
      3. SCI ATSs
   C. Proposed SCI Entities
      1. SBSDRs
      2. SCI Broker-dealers
      3. Exempt Clearing Agencies
   D. Certification
Statutory Authority

I. Introduction

The U.S. securities markets are among the largest and most liquid in the world, attracting a wide variety of issuers and broad investor participation, and are essential for capital formation, job creation, and economic growth, both domestically and across the globe. The fair and orderly functioning of the U.S. securities markets is critically important to the U.S. economy. In 2014, recognizing the decades-long transformation of many U.S.
securities markets from primarily manual markets to those that had become almost entirely electronic and highly dependent on sophisticated technology, including complex and interconnected trading, clearing, routing, market data, regulatory, surveillance and other technological systems, the Commission adopted 17 CFR 242.1000 through 242.1007 (“Regulation SCI”) to supersede and replace the Commission’s voluntary Automation Review Policy Program (“ARP”) and certain provisions of 17 CFR 242.300 through 242.304 (“Regulation ATS”).[1] Regulation SCI, which applies to “SCI entities” with respect to their “SCI systems” and “indirect SCI systems,” was the Commission’s first formal extensive regulatory framework for oversight of the core technology of the U.S. securities markets.

[1] See Securities Exchange Act Release No. 73639 (Nov. 19, 2014), 79 FR 72252 (Dec. 5, 2014) (“SCI Adopting Release”).

The U.S. securities markets have demonstrated resilience since the adoption of Regulation SCI, with some market observers crediting Regulation SCI in helping to ensure that markets and market participants were prepared for the unprecedented trading volumes and volatility experienced in March 2020 at the onset of the COVID–19 pandemic.[2] The U.S. securities markets continue to experience changes and new challenges, however. The growth of electronic trading allows ever-increasing volumes of securities transactions in a broader range of asset classes to take place at increasing speed by competing trading platforms, including those offered by broker-dealers that play multiple roles in the markets.[3] In addition, new types of registered entities that are highly dependent on interconnected technology have entered the markets.[4] The prevalence of remote workforces, furthered by the COVID–19 pandemic,[5] and increased outsourcing to third-party providers, including cloud service providers, continue to drive the markets’ and market participants’ reliance on new and evolving technology.[6] While these advances demonstrate the dynamic and adaptable nature of the U.S. securities markets and market participants, the greater dispersal, sophistication, and interconnection of the technology underpinning our markets bring potential new risks. These risks include not only the heightened risk of exposure to cybersecurity events from threat actors intent on doing harm, but also operational systems problems that can and do arise inadvertently.

[2] See, e.g., Shane Remolina, Is Remote Trading Leading to a Paradigm Shift on the Trading Desk?, Traders Magazine (May 20, 2020), available at www.tradersmagazine.com/departments/buyside/is-remote-trading-leading-to-a-paradigm-shift-on-the-trading-desk (observing “no outages” at the stock exchanges in Mar. 2020 in contrast to “glitches” experienced in 2000s); Financial Industry Regulatory Authority, Inc. (“FINRA”), Market Structure & COVID–19: Handling Increased Volatility and Volumes (Apr. 28, 2020), available at https://www.finra.org/media-center/finra-unscripted/market-structure-covid19-coronavirus (observing that market infrastructure and integrity held during the challenges in Mar. 2020, and crediting Regulation SCI, among other regulatory protections).

[3] See, e.g., Securities Industry and Financial Markets Association (“SIFMA”), SIFMA Insights: Electronic Trading Market Structure Primer (Oct. 2019), available at https://www.sifma.org/wp-content/uploads/2019/10/SIFMA-Insights-Electronic-Trading-Market-Structure-Primer.pdf (summarizing electronic trading history and trends in different markets). See also SEC Staff Report on Algorithmic Trading in U.S. Capital Markets at 16–19, 37 (Aug. 5, 2020), available at https://www.sec.gov/files/marketstructure/research/algo_trading_report_2020.pdf (discussing broker-dealer ATSs and internalizers, and other in-house sources of liquidity, such as single-dealer platforms (“SDPs”), and central risk books operated by broker-dealers) (“Algorithmic Trading Report”). Staff reports, Investor Bulletins, and other staff documents (including those cited herein) represent the views of Commission staff and are not a rule, regulation, or statement of the Commission. The Commission has neither approved nor disapproved the content of these staff documents and, like all staff statements, they have no legal force or effect, do not alter or amend applicable law, and create no new or additional obligations for any person.

[4] See infra section III.A.2.a (discussing registered SBSDRs).

[5] See FS–ISAC, Navigating Cyber 2021 (Apr. 2021), available at https://www.fsisac.com/navigatingcyber2021-report. See also Vikki Davis, Combating the cybersecurity risks of working home, Cyber Magazine (Dec. 2, 2021), available at https://cybermagazine.com/cyber-security/combating-cybersecurity-risks-working-home.

[6] See, e.g., Angus Loten, Cloud Demand Drives Data Center Market to New Records, Wall St. J. (Feb. 27, 2020); Angus Loten, CIOs Accelerate Pre-Pandemic Cloud Push, Wall St. J. (Apr. 26, 2021).

As the Commission has acknowledged, Regulation SCI is not, nor can it be, designed to guarantee that SCI entities have flawless systems.[7] Rather, its goals are to strengthen the technology infrastructure of the U.S. securities markets and improve its resilience when technology falls short.[8] To help achieve these goals, the regulation requires that SCI entities have policies and procedures reasonably designed to ensure that their systems have levels of capacity, integrity, resiliency, availability, and security, adequate to maintain their operational capability and promote the maintenance of fair and orderly markets, and requires measures that facilitate the Commission’s oversight of securities market technology infrastructure.[9]

[7] See SCI Adopting Release, supra note 1, at 72291, 72351.

[8] See id. at 72257.

[9] See generally SCI Adopting Release, supra note 1, at 72299, 72372, 72402, 72404–05.

Consistent with the goals of addressing technological vulnerabilities and improving oversight of the core technology of key U.S. securities market entities, the Commission is proposing amendments to Regulation SCI that would expand its application to additional key market participants and update certain of its provisions to take account of the evolution of technology and trading since the rule’s adoption in 2014. The application of Regulation SCI to a broader range of entities together with updates to certain provisions—including to account for heightened cybersecurity risks, wider use of cloud service providers, and the increasingly complex and interconnected nature of SCI entities’ systems—should help ensure that the technology infrastructure of the U.S. securities markets remains robust, resilient, and secure.

The Commission has issued other proposals related to cybersecurity that would apply to SCI entities as well as other entities under the Commission’s jurisdiction.[10] Regulation SCI, currently, and as proposed to be amended, however, differs from these proposals in terms of its purpose and scope. Regulation SCI applies to entities designated as key market participants because they play a significant role in the U.S. securities markets and/or have the potential to impact investors, the overall market, or the trading of individual securities in the event of a systems issue. Regulation SCI requires key market participants to (i) have policies and procedures in place to help ensure the robustness and resiliency of their market technology systems, and (ii) provide certain notices and reports to the Commission, and in some cases, market participants, to facilitate Commission oversight of securities market infrastructure. While Regulation SCI has cybersecurity aspects and certain of the proposed amendments to Regulation SCI would update policies and procedures requirements designed to keep SCI systems and indirect SCI systems secure, the proposed amendments are designed, more broadly, to ensure that SCI entities (current and proposed) have systems technology adequate to maintain operational capability of the systems on which the maintenance of fair and orderly markets depend.

[10] These include a proposal to adopt new rules requiring broker-dealers, major security-based swap participants, national securities exchanges, national securities associations, security-based swap data repositories, security-based swap dealers, transfer agents, and the Municipal Securities Rulemaking Board (“MSRB”) to adopt and implement written cybersecurity policies and procedures reasonably designed to address cybersecurity risks to their “information systems” and notify the Commission and the public of significant cybersecurity incidents affecting their information systems. See Securities Exchange Release No. 97142 (Mar. 15, 2023), 88 FR 20212 (April 5, 2023) (proposing 17 CFR 242.10) (for ease of reference, this proposal is referred to as the “Exchange Act Cybersecurity Proposal”). See also Securities Exchange Release No. 97141 (Mar. 15, 2023), 88 FR 20616 (April 6, 2023) (proposing to amend 17 CFR part 248, subpart A (“Regulation S–P”), to, among other things, require broker-dealers, investment companies, SEC-registered investment advisers, and transfer agents to adopt incident response programs to address unauthorized access to or use of customer records and information, including procedures for providing timely notification to individuals affected by an information security incident designed to help affected individuals respond appropriately) (“Regulation S–P 2023 Proposing Release”). See infra section III.D (discussing how SCI entities would be affected if the Exchange Act Cybersecurity Proposal, Regulation S–P 2023 Proposing Release, and this proposal are all adopted as proposed). In addition, the Commission has pending proposals to address cybersecurity risk with respect to investment advisers, investment companies, and public companies. See Cybersecurity Risk Management for Investment Advisers, Registered Investment Companies, and Business Development Companies, Release Nos. 33–11028, 34–94917, IA–5956, IC–34497 (Feb. 9, 2022), 87 FR 13524 (Mar. 9, 2022) (“IA/IC Cybersecurity Proposing Release”); Cybersecurity Risk Management, Strategy, Governance, and Incident Disclosure, Release Nos. 33–11038, 34–94382, IC–34529 (Mar. 9, 2022), 87 FR 16590 (Mar. 23, 2022). The Commission has reopened the comment period for the IA/IC Cybersecurity Proposing Release to allow interested persons additional time to analyze the issues and prepare their comments in light of other regulatory developments, including the proposed rules and amendments regarding this proposal, the Exchange Act Cybersecurity Proposal and the Regulation S–P 2023 Proposing Release. The Commission encourages commenters to review those proposals to determine whether they might affect their comments on this proposing release.

II. Background and Overview

A. History of Regulation SCI

The Commission adopted Regulation SCI in 2014 to supersede and replace the Commission’s legacy voluntary ARP Program as well as certain provisions of Regulation ATS.[11] In doing so, the Commission sought to strengthen the technology infrastructure of the U.S. securities markets, reduce the occurrence of systems issues in those markets, improve their resiliency when technological issues arise, and establish an updated and formalized regulatory framework, thereby helping to ensure more effective Commission oversight of such systems.[12]

[11] See generally SCI Adopting Release, supra note 1.

[12] See SCI Adopting Release, supra note 1, at 72252–56 (discussing the background of Regulation SCI).

Several factors contributed to the Commission’s decision to adopt this regulation. Recognizing the growing importance of technology in the securities markets, the Commission issued the ARP I and ARP II Policy Statements in 1989 and 1991, respectively.[13] In the decades that followed, key market participants in the securities industry increasingly relied on ever more complex technologies for trading and clearance and settlement of securities. The increased reliance on technology introduced challenges for the securities markets, as evidenced by a variety of market disruptions occurring in a relatively short time period.[14] The Commission convened a roundtable entitled “Technology and Trading: Promoting Stability in Today’s Markets” (“Technology Roundtable”) in 2012.[15] Shortly thereafter, following Superstorm Sandy on the U.S. East Coast, the U.S. national securities exchanges closed for two business days in light of concerns over the physical safety of personnel and the possibility of technical issues.[16] These and other developments in U.S. securities markets led the Commission to consider the effectiveness of the 1980s and 90s-era ARP Program.

[13] See Securities Exchange Act Release Nos. 27445 (Nov. 16, 1989), 54 FR 48703 (Nov. 24, 1989), and 29185 (May 9, 1991), 56 FR 22490 (May 15, 1991).

[14] See Securities Exchange Act Release No. 69077 (Mar. 8, 2013), 78 FR 18083, 18089 (Mar. 25, 2013) (“SCI Proposing Release”) (citing, among other things, Findings Regarding the Market Events of May 6, 2010, Report of the Staffs of the Commodity Futures Trading Commission (“CFTC”) and SEC to the Joint Advisory Committee on Emerging Regulatory Issues (Sept. 30, 2010) (“Staff Report”) and discussing hackers penetrating certain Nasdaq OMX Group, Inc. computer networks in 2011, a “software bug” that hampered the initial public offerings of BATS Global Markets, Inc. in 2012, and issues with Nasdaq’s trading systems delaying the start of trading in the high-profile initial public offering of Facebook, Inc.).

[15] See Securities Exchange Act Release No. 67802 (Sept. 7, 2012), 77 FR 56697 (Sept. 13, 2012) (File No. 4–652); Technology Roundtable Transcript, available at https://www.sec.gov/news/otherwebcasts/2012/ttr100212-transcript.pdf. A webcast of the Roundtable is available at www.sec.gov/news/otherwebcasts/2012/ttr100212.shtml. The Technology Roundtable examined the relationship between the operational stability and integrity of the securities market and the ways in which market participants design, implement, and manage complex and interconnected trading technologies. The Technology Roundtable also highlighted that quality standards, testing, and improved response mechanisms were issues ripe for consideration. See SCI Proposing Release, supra note 14, at 18090–91 (providing for further discussion of the Technology Roundtable).

The focus of the ARP Program was to ensure that the self-regulatory organizations (“SROs”) had adequate capacity, security, and business continuity plans by, among other things, reporting to the Commission staff their planned systems changes 30 days in advance and reporting outages in trading and related systems.[17] While the ARP Policy Statements were rooted in Exchange Act
16 See SCI Proposing Release, supra note 14, at 18091. See also SCI Adopting Release, supra note 1, at 72254–72255 (summarizing additional disruptions during the period between publication of the SCI Proposing and Adopting Releases). 17 See supra note 13. E:\FR\FM\14APP2.SGM 14APP2 Federal Register / Vol. 88, No. 72 / Friday, April 14, 2023 / Proposed Rules requirements, as policy statements rather than Commission rules, compliance was voluntary and in many instances the SROs did not fully disclose problems that occurred. In the SCI Proposing Release, the Commission stated that ‘‘the continuing evolution of the securities markets to the current state, where they have become almost entirely electronic and highly dependent on sophisticated trading and other technology (including complex regulatory and surveillance systems, as well as systems relating to the provision of market data, intermarket routing and connectivity, and a variety of other member and issuer services), has posed challenges for the ARP Inspection Program.’’ 18 Informed by its review of recent technology problems in the markets, the discussions at the Technology Roundtable, and its evaluation of the ARP Program,19 the Commission proposed Regulation SCI in 2013 to help address the technological vulnerabilities, and improve Commission oversight, of the core technology of key U.S. securities markets entities, including national securities exchanges and associations, significant-volume ATSs, clearing agencies, and plan processors.20 After considering the views of a wide variety 18 SCI Proposing Release, supra note 14, at 18089. SCI Proposing Release, supra note 14, at 18085–91 for a further discussion of these considerations. 
20 As further explained in the SCI Adopting Release, the term ‘‘plan processor’’ means ‘‘any selfregulatory organization or securities information processor acting as an exclusive processor in connection with the development, implementation and/or operation of any facility contemplated by an effective national market system plan.’’ See SCI Adopting Release, supra note 1, at 72270 n. 196. This term refers to the securities information processors that are exclusive processors (and frequently referred to as the ‘‘SIPs’’) that collect and process (for distribution) quotation data and/or transaction reports on behalf of the Consolidated Tape Association System (‘‘CTA Plan’’), Consolidated Quotation System (‘‘CQS Plan’’), Joint Self-Regulatory Organization Plan Governing the Collection, Consolidation, and Dissemination of Quotation and Transaction Information for NasdaqListed Securities Traded on Exchanges on an Unlisted Trading Privileges Basis (‘‘Nasdaq UTP Plan’’), and Options Price Reporting Authority (‘‘OPRA Plan’’). The CTA Plan and Nasdaq UTP Plan (applicable to national market system (‘‘NMS’’) stocks) are each a ‘‘transaction reporting plan’’ as well as a ‘‘national market system plan’’ as defined in 17 CFR 242.600 (‘‘Rule 600’’ of Regulation NMS). The OPRA Plan (applicable to exchange-listed options) is a national market system plan. See infra note 212. See also text accompanying note 212 (discussing these Plans and how transaction reports containing the price and volume associated with a transaction involving the purchase or sale of a security are currently, and anticipated in the future to be, readily available to enable SCI ATSs and SCI broker-dealers to ascertain the total average daily dollar volume traded in NMS stock and exchangelisted options in a calendar month and self-assess if they exceed the proposed transaction activity thresholds discussed below). 
ddrumheller on DSK120RN23PROD with PROPOSALS2 19 See VerDate Sep<11>2014 20:01 Apr 13, 2023 Jkt 259001 of commenters, the Commission adopted Regulation SCI in 2014.21 In the SCI Adopting Release, the Commission stated that it was taking a ‘‘measured approach’’ and pursuing an ‘‘incremental expansion from the entities covered under the ARP Inspection Program’’ given the potential costs of compliance with Regulation SCI.22 It added, however, that this approach would allow it ‘‘to monitor and evaluate the implementation of Regulation SCI, the risks posed by the systems of other market participants, and the continued evolution of the securities markets, such that it may consider, in the future, extending the types of requirements in Regulation SCI to additional categories of market participants, such as non-ATS brokerdealers, security-based swap dealers, investment advisers, investment companies, transfer agents, and other key market participants.’’ 23 In 2021, the Commission amended Regulation SCI to add certain ‘‘competing consolidators’’ to the definition of SCI entity.24 Specifically, a competing consolidator that exceeds a five percent consolidated market data gross revenue threshold over a specified time period is an SCI competing consolidator because it is a significant source of consolidated market data for NMS stocks on which market participants rely.25 21 See generally SCI Adopting Release, supra note 1. 22 Id. at 72259. See also supra note 10 and accompanying text (referencing other cybersecurity rules proposed to apply to Commission registrants). 24 See Securities Exchange Act Release No. 90610 (Dec. 9, 2020), 86 FR 18596, 18659–18676 (Apr. 
23 Id.

9, 2021) (‘‘Market Data Infrastructure Adopting Release’’) (adopting rules with respect to competing consolidators and defining ‘‘competing consolidator’’ to mean a securities information processor required to be registered pursuant to 17 CFR 242.614 (‘‘Rule 614’’) or a national securities exchange or national securities association that receives information with respect to quotations for and transactions in NMS stocks and generates a consolidated market data product for dissemination to any person).

25 An ‘‘SCI competing consolidator’’ is any competing consolidator which, during at least four of the preceding six calendar months, accounted for five percent or more of consolidated market data gross revenue paid to the effective national market system plan or plans required under 17 CFR 242.603(b) (‘‘Rule 603(b)’’) for NMS stocks (1) listed on the New York Stock Exchange, (2) listed on The Nasdaq Stock Market, or (3) listed on national securities exchanges other than the New York Stock Exchange or The Nasdaq Stock Market, as reported by such plan or plans pursuant to the terms thereof. See Rule 1000. An SCI competing consolidator is subject to Regulation SCI, and a competing consolidator to which Regulation SCI does not apply is subject to the systems capability requirement in 17 CFR 242.614(d)(9) (‘‘Rule 614(d)(9)’’ of Regulation NMS). See infra note 28 and accompanying text.

B. Current Regulation SCI

1. SCI Entities and SCI Systems

Regulation SCI applies to ‘‘SCI entities.’’ 26 SCI entities are those that the Commission has determined are market participants that play a significant role in the U.S. securities markets and/or have the potential to impact investors, the overall market, or the trading of individual securities in the event of certain types of systems problems.27 Today SCI entities comprise the self-regulatory organizations (excluding securities futures exchanges) (‘‘SCI SROs’’), ATSs meeting certain volume thresholds with respect to NMS stocks and non-NMS stocks (‘‘SCI ATSs’’), exclusive disseminators of consolidated market data (‘‘plan processors’’), certain competing disseminators of consolidated market data (‘‘SCI competing consolidators’’ 28), and certain exempt clearing agencies.29 An SCI entity has obligations with respect to its ‘‘SCI systems,’’ ‘‘critical SCI systems,’’ and ‘‘indirect SCI systems.’’ 30 ‘‘SCI systems’’ are, broadly, the technology systems of, or operated by or on behalf of, an SCI entity that, with respect to securities, directly support at least one of six market functions: (i) trading; (ii) clearance and settlement; (iii) order routing; (iv) market data; (v) market regulation; or (vi) market surveillance.31 In addition, Regulation SCI defines ‘‘critical SCI systems,’’ which are a subset of SCI systems,32 and designated as such because they represent potential single points of failure in the U.S. securities markets.33 The term ‘‘indirect SCI systems’’ describes systems of, or operated by or on behalf of, an SCI entity that, ‘‘if breached, would be reasonably likely to pose a security threat to SCI systems.’’ 34 The distinction between SCI systems and indirect SCI systems seeks to encourage SCI entities physically and/or logically to separate systems that perform or directly support securities market functions from those that perform other functions (e.g., corporate email; general office systems for member regulation and recordkeeping).35 Currently, the application of Regulation SCI is triggered when an entity meets the definition of SCI entity.

26 See 17 CFR 242.1000 (defining the term ‘‘SCI entity’’ and terms included therein).

27 See SCI Adopting Release, supra note 1, at 72259. Although some commenters had urged that Regulation SCI apply to fewer entities and only the most systemically important entities, the Commission disagreed, stating, ‘‘[L]imiting the applicability of Regulation SCI to only the most systemically important entities posing the highest risk to the markets is too limited of a category of market participants, as it would exclude certain entities that, in the Commission’s view, have the potential to pose significant risks to the securities markets should an SCI event occur.’’ Id.

28 See supra notes 24–25 (stating the definitions of competing consolidator and SCI competing consolidator). SCI competing consolidators are subject to Regulation SCI after a one-year transition period. See Market Data Infrastructure Adopting Release, supra note 24, at 18604. Competing consolidators in the transition period and competing consolidators below the gross revenue threshold are subject to a tailored set of operational capability and resiliency obligations designed to help ensure that the provision of consolidated market data products is prompt, accurate, and reliable. See Market Data Infrastructure Adopting Release, supra note 24, at 18690–97 (providing a full discussion of the systems capability requirements for competing consolidators that are not subject to Regulation SCI but are instead subject to Rule 614(d)(9)).

29 See 17 CFR 242.1000 (defining the term SCI entity to mean ‘‘an SCI self-regulatory organization, SCI alternative trading system, plan processor, exempt clearing agency subject to ARP, or SCI competing consolidator’’ and also separately defining each of these terms). See also SCI Adopting Release, supra note 1, at 72258–72 (discussing the rationale for inclusion of SCI SROs, SCI ATSs, plan processors, and certain exempt clearing agencies in the original adopted definition of SCI entity); infra notes 83–84 and accompanying text (citing the releases explaining the expansion of the definition of SCI entity to include SCI competing consolidators, and the recent proposal to further expand the definition of SCI entity to include certain ATSs that trade U.S. Treasury Securities or Agency Securities exceeding specified volume thresholds (‘‘Government Securities ATSs’’)).

30 See 17 CFR 242.1000 (defining the terms ‘‘SCI systems,’’ ‘‘critical SCI systems,’’ and ‘‘indirect SCI systems’’).

31 Id. (defining SCI systems to mean ‘‘all computer, network, electronic, technical, automated, or similar systems of, or operated by or on behalf of, an SCI entity that, with respect to securities, directly support trading, clearance and settlement, routing, market data, market regulation, or market surveillance’’).

32 Id. (defining critical SCI systems to mean any SCI systems of, or operated by or on behalf of, an SCI entity that: (1) Directly support functionality relating to: (i) Clearance and settlement systems of clearing agencies; (ii) Openings, reopenings, and closings on the primary listing market; (iii) Trading halts; (iv) Initial public offerings; (v) The provision of consolidated market data; or (vi) Exclusively listed securities; or (2) Provide functionality to the securities markets for which the availability of alternatives is significantly limited or nonexistent and without which there would be a material impact on fair and orderly markets).
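The separation incentive described above can be checked mechanically against a flow allowlist. The following is an added example written for this page; it is not code from the SEC release or from any SCI entity, and it does not implement a Regulation SCI requirement. Its system names, its flow allowlists and its scoping rule (a non-SCI system counts as an indirect SCI system when it has an allowed connection path, direct or through other non-SCI systems, into an SCI system) are all assumptions of the example. The regulation's own test is whether a breach of the system would be ‘‘reasonably likely to pose a security threat to SCI systems,’’ which is a judgement this deterministic approximation does not replace.

```python
"""Scope 'indirect SCI systems' from a system inventory and a flow allowlist.

Added example for this page, not part of the SEC release. ASSUMPTION: a
non-SCI system is treated as an indirect SCI system when it can initiate
connections, directly or through other non-SCI systems, into any SCI
system. Names and flows below are constructed sample data.
"""
from collections import deque

# The six market functions named in the definition of "SCI systems".
SCI_FUNCTIONS = frozenset({
    "trading", "clearance_settlement", "order_routing",
    "market_data", "market_regulation", "market_surveillance",
})

# Constructed inventory (hypothetical names): system -> market functions it
# directly supports. An empty set means the system is not an SCI system.
INVENTORY = {
    "matching_engine": {"trading"},
    "smart_router": {"order_routing"},
    "md_feed": {"market_data"},
    "surveillance_db": {"market_surveillance"},
    "jump_host": set(),       # admin bastion
    "corp_email": set(),      # corporate email
    "hr_portal": set(),       # general office system
    "recordkeeping": set(),   # member regulation / recordkeeping
}

# Constructed allowed flows: (src, dst) means src may initiate a connection
# to dst. This is the state before any segmentation control is applied.
FLOWS_BEFORE = [
    ("smart_router", "matching_engine"),
    ("matching_engine", "md_feed"),
    ("md_feed", "surveillance_db"),
    ("jump_host", "matching_engine"),   # admin path into production
    ("corp_email", "jump_host"),        # the email host can reach the bastion
    ("hr_portal", "corp_email"),
    ("hr_portal", "recordkeeping"),
]

# After logical separation: the corporate network can no longer reach the
# bastion, but the bastion itself still administers production.
FLOWS_SEGMENTED = [f for f in FLOWS_BEFORE if f != ("corp_email", "jump_host")]


def classify_systems(inventory):
    """Split an inventory into (sci, non_sci) name sets, validating functions."""
    unknown = {f for fs in inventory.values() for f in fs} - SCI_FUNCTIONS
    if unknown:
        raise ValueError(f"unrecognised functions: {sorted(unknown)}")
    sci = {name for name, fs in inventory.items() if fs}
    return sci, set(inventory) - sci


def indirect_sci_systems(inventory, flows):
    """Non-SCI systems with an allowed flow path into any SCI system.

    Walks the flow graph backwards from every SCI system: a non-SCI
    predecessor is in scope, and so are its own non-SCI predecessors,
    because compromising one gives a foothold on the next.
    """
    sci, non_sci = classify_systems(inventory)
    reverse = {}
    for src, dst in flows:
        if src not in inventory or dst not in inventory:
            raise ValueError(f"flow names unknown system: {src} -> {dst}")
        reverse.setdefault(dst, set()).add(src)
    indirect = set()
    queue = deque(sci)
    while queue:
        node = queue.popleft()
        for src in reverse.get(node, ()):
            if src in non_sci and src not in indirect:
                indirect.add(src)
                queue.append(src)
    return indirect


def scope_report(inventory, flows):
    """Sorted scoping buckets that can be diffed across network redesigns."""
    sci, non_sci = classify_systems(inventory)
    indirect = indirect_sci_systems(inventory, flows)
    return {
        "sci": sorted(sci),
        "indirect_sci": sorted(indirect),
        "out_of_scope": sorted(non_sci - indirect),
    }


if __name__ == "__main__":
    for label, flows in (("before", FLOWS_BEFORE), ("segmented", FLOWS_SEGMENTED)):
        print(label, scope_report(INVENTORY, flows))
```

With the unsegmented flows the email and HR systems fall into scope transitively through the bastion, even though neither touches a market-function system directly; removing the single email-to-bastion flow leaves only the bastion as an indirect SCI system, which is the situation footnote 35 describes where certain provisions of Regulation SCI continue to apply to that remaining system. Removing the bastion's production path as well would empty the indirect set.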
33 As discussed in the SCI Adopting Release, ‘‘critical SCI systems’’ are subject to certain heightened resilience and information dissemination provisions of Regulation SCI on the rationale that, lacking or having limited substitutes, these systems pose the greatest risks to the continuous and orderly function of the markets if they malfunction. See SCI Adopting Release, supra note 1, at 72277–79 (providing additional discussion of critical SCI systems). 34 Id. at 72279. 35 See SCI Adopting Release, supra note 1, at 72281 (‘‘[I]f an SCI entity designs and implements security controls so that none of its non-SCI systems would be reasonably likely to pose a security threat to SCI systems, then it will have no indirect SCI systems. If, however, an SCI entity does have indirect SCI systems, then certain provisions of Regulation SCI will apply to those indirect SCI systems.’’). VerDate Sep<11>2014 20:01 Apr 13, 2023 Jkt 259001 If an entity meets the definition of SCI entity, Regulation SCI applies to its SCI systems and indirect SCI systems. The scope of an SCI entity’s technology systems is determined by whether they are operated ‘‘by or on behalf of’’ the SCI entity and whether they directly support any of the six market functions enumerated in the definition. As a result, the SCI systems and indirect SCI systems of an SCI entity are neither limited by the type of security nor by the type of business in which an SCI entity primarily conducts its securities market activities. 
Thus, if an SCI entity elects to, or obtains the necessary approvals to, engage in market functions in multiple types of securities, Regulation SCI’s obligations apply to the relevant functional systems relating to all such securities.36 Accordingly, the SCI systems of an SCI entity may include systems pertaining to any type of security, whether those securities are NMS stocks, over-the-counter (OTC) equity securities, listed options, debt securities, security-based swaps (‘‘SBS’’), crypto asset securities,37 or another type of security.38 36 The current definition of ‘‘SCI systems,’’ includes the clause, ‘‘with respect to securities,’’ without limitation. SCI systems ‘‘means all computer, network, electronic, technical, automated, or similar systems of, or operated by or on behalf of, an SCI entity that, with respect to securities, directly support trading, clearance and settlement, order routing, market data, market regulation, or market surveillance.’’ See 17 CFR 242.1000 (emphasis added). But see infra section III.A.2.b.iv (discussing the proposed limitation to the definition of SCI systems for certain SCI brokerdealers). 37 The term ‘‘digital asset’’ refers to an asset that is issued and/or transferred using distributed ledger or blockchain technology (‘‘distributed ledger technology’’), including, but not limited to, socalled ‘‘virtual currencies,’’ ‘‘coins,’’ and ‘‘tokens.’’ See Custody of Digital Asset Securities by Special Purpose Broker-Dealers, Securities Exchange Act Release No. 90788 (Dec. 23, 2020), 86 FR 11627, 11627 n.1 (Feb. 26, 2021) (‘‘Crypto Asset Securities Custody Release’’). A digital asset may or may not meet the definition of a ‘‘security’’ under the Federal securities laws. See, e.g., Report of Investigation Pursuant to Section 21(a) of the Securities Exchange Act of 1934: The DAO, Securities Exchange Act Release No. 81207 (July 25, 2017) (‘‘DAO 21(a) Report’’), available at https:// www.sec.gov/litigation/investreport/34-81207.pdf. 
See also SEC v. W.J. Howey Co., 328 U.S. 293 (1946). To the extent digital assets rely on cryptographic protocols, these types of assets also are commonly referred to as ‘‘crypto assets,’’ and ‘‘digital asset securities’’ can be referred to as ‘‘crypto asset securities.’’ For purposes of this release, the Commission does not distinguish between the terms ‘‘digital asset securities’’ and ‘‘crypto asset securities.’’ 38 Today, under the current definition of SCI systems, an SCI entity (current or future) that engages in market functions for any type of securities, including crypto asset securities, is required to assess whether the technological systems of, or operated by or on its behalf, with respect to securities, directly support at least one of six market functions: (i) trading; (ii) clearance and settlement; (iii) order routing; (iv) market data; PO 00000 Frm 00006 Fmt 4701 Sfmt 4702 2. Reasonably Designed Policies and Procedures The foundational principles of Regulation SCI are set forth in Rule 1001, which requires each SCI entity to establish, maintain, and enforce written policies and procedures reasonably designed to ensure that its SCI systems and, for purposes of security standards, indirect SCI systems, have levels of capacity, integrity, resiliency, availability, and security adequate to maintain their operational capability and promote the maintenance of fair and orderly markets.39 Rule 1001(a)(2) of Regulation SCI requires that, at a minimum, such policies and procedures include: current and future capacity planning; periodic stress testing; systems development and testing methodology; reviews and testing to identify vulnerabilities; business continuity and disaster recovery planning (inclusive of backup systems that are geographically diverse and designed to meet specified recovery time objectives); standards for market data collection, processing, and dissemination; and monitoring to identify potential systems problems.40 Under 17 CFR 
242.1001(a)(3) (‘‘Rule 1001(a)(3)’’ of Regulation SCI), SCI entities must periodically review the effectiveness of these policies and procedures and take prompt action to remedy any deficiencies.41 Rule 1001(a)(4) of Regulation SCI provides that an SCI entity’s policies and procedures will be deemed to be reasonably designed if they are consistent with ‘‘current SCI industry standards,’’ which is defined to be comprised of information technology practices that are widely available to information technology professionals in the financial sector and issued by an authoritative body that is a U.S. governmental entity or agency, association of U.S. governmental entities or agencies, or widely recognized organization; however, Rule 1001(a)(4) of Regulation SCI also makes clear that compliance with such ‘‘current SCI industry standards’’ is not the exclusive means to comply with these requirements.42 Under 17 CFR 242.1001(b)(1) (‘‘Rule 1001(b)(1)’’ of Regulation SCI), each SCI entity is required to establish, maintain, (v) market regulation; or (vi) market surveillance. As discussed below, however, the Commission is proposing an amendment to the definition of SCI systems that would limit its scope solely for certain proposed SCI broker-dealers. See infra section III.A.2.b.iv. 39 See 17 CFR 242.1001(a)(1). 40 See 17 CFR 242.1001(a)(2). 41 See 17 CFR 242.1001(a)(3). 42 See 17 CFR 242.1001(a)(4). E:\FR\FM\14APP2.SGM 14APP2 ddrumheller on DSK120RN23PROD with PROPOSALS2 Federal Register / Vol. 88, No. 
72 / Friday, April 14, 2023 / Proposed Rules and enforce written policies and procedures reasonably designed to ensure that its SCI systems operate in a manner that complies with the Exchange Act and the rules and regulations thereunder and the entity’s rules and governing documents, as applicable, and specifies certain minimum requirements for such policies and procedures.43 In addition, 17 CFR 242.1001(b)(2) (‘‘Rule 1001(b)(2)’’) requires that at a minimum, these policies and procedures must include: testing of all SCI systems and any changes to SCI systems prior to implementation; a system of internal controls over changes to SCI systems; a plan for assessments of the functionality of SCI systems designed to detect systems compliance issues, including by ‘‘responsible SCI personnel’’ (defined below) and by personnel familiar with applicable provisions of the Exchange Act and the rules and regulations thereunder and the SCI entity’s rules and governing documents; and a plan of coordination and communication between regulatory and other personnel of the SCI entity, including by responsible SCI personnel, regarding SCI systems design, changes, testing, and controls designed to detect and prevent systems compliance issues.44 Under 17 CFR 242.1001(b)(3) (‘‘Rule 1001(b)(3)’’ of Regulation SCI), SCI entities must periodically review the effectiveness of these policies and procedures and take prompt action to remedy any deficiencies.45 Under 17 CFR 242.1001(b)(4) (‘‘Rule 1001(b)(4)’’ of Regulation SCI), individuals are provided with a safe harbor from liability under Rule 1001(b) if certain conditions are met.46 Further, 17 CFR 242.1001(c) (‘‘Rule 1001(c)’’ of Regulation SCI), requires SCI entities to establish, maintain, and enforce reasonably designed written policies and procedures that include the criteria for identifying responsible SCI personnel, the designation and documentation of responsible SCI personnel, and escalation procedures to quickly inform responsible 
SCI personnel of potential SCI events.47 Rule 1000 of Regulation SCI defines ‘‘responsible SCI personnel’’ to mean, for a particular SCI system or indirect SCI system impacted by an SCI event, such senior manager(s) of the SCI entity having responsibility for such system, and their designee(s).48 Rule 1000 also defines ‘‘SCI event’’ to mean an event at an SCI entity that constitutes a systems disruption, a systems compliance issue, or a systems intrusion.49 Under 17 CFR 242.1001(c)(2) (‘‘Rule 1001(c)(2)’’ of Regulation SCI), SCI entities are required periodically to review the effectiveness of these policies and procedures and take prompt action to remedy any deficiencies.50 3. SCI Events Under Rule 1002 of Regulation SCI, SCI entities have certain obligations regarding SCI events. An ‘‘SCI event’’ is defined as: (i) a ‘‘systems disruption,’’ which is an event in an SCI entity’s SCI systems that disrupts, or significantly degrades, the normal operation of an SCI system; and/or (ii) a ‘‘systems intrusion,’’ which is any unauthorized entry into the SCI systems or indirect SCI systems of an SCI entity; and/or (iii) a ‘‘systems compliance issue,’’ which is an event at an SCI entity that has caused any SCI system of such entity to operate in a manner that does not comply with the Exchange Act and the rules and regulations thereunder or the entity’s rules or governing documents, as applicable.51 When any responsible SCI personnel has a reasonable basis to conclude that an SCI event has occurred, the SCI entity must begin to take appropriate corrective action which must include, at a minimum, mitigating potential harm to investors and market integrity resulting from the SCI event and devoting adequate resources to remedy the SCI event as soon as reasonably practicable.52 With limited exceptions,53 Rule 1002(b) provides the framework for notifying the Commission of SCI events including, among other things, requirements to: notify the Commission of the event immediately; 
provide a written notification on Form SCI within 24 hours that includes a description of the SCI event and the system(s) affected, with other information required to the extent available at the time; provide regular updates regarding the SCI event until the event is resolved; and submit a final detailed written report regarding the SCI event.54 Rule 1002(c) of Regulation SCI also requires that SCI entities disseminate information to their members or participants regarding SCI events.55 49 Id. 50 See 17 CFR 242.1001(c)(2). 17 CFR 242.1000. 52 See 17 CFR 242.1002(a). 53 See 17 CFR 242.1002(b)(5) (relating to the exception for de minimis SCI events). 54 See 17 CFR 242.1002(b). 55 See 17 CFR 242.1002(c). 43 See 17 CFR 242.1001(b)(1). 44 See 17 CFR 242.1001(b)(2). 45 See 17 CFR 242.1001(b)(3). 46 See 17 CFR 242.1001(b)(4). 47 See 17 CFR 242.1001(c). 48 17 CFR 242.1000. VerDate Sep<11>2014 20:01 Apr 13, 2023 23151 These information dissemination requirements are scaled based on the nature and severity of an event. SCI entities are required to disseminate certain information about the event to certain of its members or participants (i.e., those that are reasonably estimated to have been affected) promptly after any responsible SCI personnel has a reasonable basis to conclude that an SCI event has occurred. For ‘‘major SCI events,’’ such dissemination must be made to all of its members or participants. 
In addition, dissemination of information to members or participants is permitted to be delayed for systems intrusions if such dissemination would likely compromise the security of the SCI entity’s systems or an investigation of the intrusion.56 In addition, 17 CFR 242.1002(c)(4) (‘‘Rule 1002(c)(4)’’ of Regulation SCI) provides exceptions to the dissemination requirements under Rule 1002(c) of Regulation SCI for SCI events to the extent they relate to market regulation or market surveillance systems or SCI events that have had, or the SCI entity reasonably estimates would have, either a de minimis or no impact on the SCI entity’s operations or on market participants.57 4. Systems Changes and SCI Review Under 17 CFR 242.1003(a) (‘‘Rule 1003(a)’’ of Regulation SCI), SCI entities are required to provide reports to the Commission relating to system changes, including a report each quarter describing completed, ongoing, and planned material changes to their SCI systems and the security of indirect SCI systems, during the prior, current, and subsequent calendar quarters, including the dates or expected dates of commencement and completion.58 Rule 1003(b) of Regulation SCI also requires that an SCI entity conduct an ‘‘SCI review’’ not less than once each calendar year.59 ‘‘SCI review’’ is defined in Rule 1000 of Regulation SCI to mean a review, following established procedures and standards, that is performed by objective personnel having appropriate experience to conduct reviews of SCI systems and indirect SCI systems, and which review contains: a risk assessment with respect to such systems of an SCI entity; and an assessment of internal control design and effectiveness of its SCI systems and indirect SCI systems to include logical and physical security controls, 51 See Jkt 259001 PO 00000 Frm 00007 Fmt 4701 Sfmt 4702 56 See id. The rule also requires that the SCI entity document its reasons for delayed notification. Id. 57 See 17 CFR 242.1002(c)(4). 
58 See 17 CFR 242.1003(a). 59 See 17 CFR 242.1003(b). E:\FR\FM\14APP2.SGM 14APP2 23152 Federal Register / Vol. 88, No. 72 / Friday, April 14, 2023 / Proposed Rules development processes, and information technology governance, consistent with industry standards.60 Under Rule 1003(b)(2) and (3), SCI entities are also required to submit a report of the SCI review to their senior management, and must also submit the report and any response by senior management to the report, to their board of directors, as well as to the Commission.61 5. Business Continuity and Disaster Recovery Testing With Members/ Participants Rule 1004 of Regulation SCI sets forth certain requirements for testing an SCI entity’s business continuity and disaster recovery plans with its members or participants. This rule requires that, with respect to an SCI entity’s business continuity and disaster recovery plan, including its backup systems, each SCI entity shall: (a) establish standards for the designation of those members or participants that the SCI entity reasonably determines are, taken as a whole, the minimum necessary for the maintenance of fair and orderly markets in the event of the activation of such plans; (b) designate members or participants pursuant to the standards established and require participation by such designated members or participants in scheduled functional and performance testing of the operation of such plans, in the manner and frequency specified by the SCI entity, provided that such frequency shall not be less than once every 12 months; and (c) coordinate the testing of such plans on an industry- or sector-wide basis with other SCI entities.62 6. 
Recordkeeping and Other Provisions (Rules 1005–1007) ddrumheller on DSK120RN23PROD with PROPOSALS2 SCI entities are required by Rule 1005 of Regulation SCI to make, keep, and preserve certain records related to their compliance with Regulation SCI.63 In addition, 17 CFR 242.1006 (‘‘Rule 1006’’ of Regulation SCI), provides for certain 60 See 17 CFR 242.1000. Rule 1003(b)(1) of Regulation SCI also states that penetration test reviews of an SCI entity’s network, firewalls, and production systems must be conducted at a frequency of not less than once every three years, and assessments of SCI systems directly supporting market regulation or market surveillance must be conducted at a frequency based upon the risk assessment conducted as part of the SCI review, but in no case less than once every three years. See 17 CFR 242.1003(b)(1)(i) and (ii) (‘‘Rule 1003(b)(1)(i) and (ii)’’). 61 See 17 CFR 242.1003(b)(2) and (3). 62 See 17 CFR 242.1004. 63 See 17 CFR 242.1005. Unlike 17 CFR 242.1005(a) (‘‘Rule 1005(a)’’) of Regulation SCI, which relates to recordkeeping provisions for SCI SROs, 17 CFR 242.1005(b) (‘‘Rule 1005(b)’’) relates to the recordkeeping provision for SCI entities other than SCI SROs. VerDate Sep<11>2014 20:01 Apr 13, 2023 Jkt 259001 requirements relating to the electronic filing, on Form SCI, of any notification, review, description, analysis, or report to the Commission required to be submitted under Regulation SCI.64 Finally, 17 CFR 242.1007 (‘‘Rule 1007’’ of Regulation SCI) requires a written undertaking when records required to be filed or kept by an SCI entity under Regulation SCI are prepared or maintained by a service bureau or other recordkeeping service on behalf of the SCI entity.65 C. Overview of Proposed Amendments to Regulation SCI The Commission is proposing amendments to Regulation SCI that would expand the definition of ‘‘SCI entity’’ to include a broader range of key market participants in the U.S. 
securities market infrastructure and update certain provisions of Regulation SCI to take account of developments in the technology landscape of the markets and the Commission and its staff’s oversight experience since the adoption of Regulation SCI in 2014. As discussed in section III.A, the Commission is proposing to expand the definition of SCI entity to include registered SBSDRs, registered broker-dealers exceeding a size threshold (‘‘SCI broker-dealers’’), and additional clearing agencies exempt from registration.66 As discussed in section III.C, the Commission is also proposing to update several requirements of Regulation SCI to acknowledge certain technology changes in the market, including cybersecurity and third-party provider management challenges since the adoption of Regulation SCI in 2014, and to account for the experience and insights the Commission and its staff have gained with respect to technology issues surrounding SCI entities and their systems. These include: • Amendments to Rule 1001(a) to require that an SCI entity’s policies and procedures for SCI systems, critical SCI systems, and indirect SCI systems, address with specificity: Æ Systems classification and life cycle management; 67 Æ Management of third-party providers, including cloud service providers and providers of critical SCI systems; 68 Æ Access controls; 69 and 64 See 17 CFR 242.1006. 17 CFR 242.1007. 66 See infra section III.A.2.a. through c. (providing a detailed discussion of each of these categories of entities and associated proposed definitions). 67 See infra section III.C.1. 68 See infra section III.C.2. 69 See infra section III.C.3.a. 
65 See PO 00000 Frm 00008 Fmt 4701 Sfmt 4702 Æ Identification of current SCI industry standards, if any; 70 • Expansion of the definition of ‘‘systems intrusion’’ in Rule 1000 to include a wider range of cybersecurity events; 71 • Amendments to Rule 1002 regarding notice of systems intrusions to the Commission and affected persons; 72 • Amendments to the definition of ‘‘SCI review’’ and Rule 1003(b) to specify in greater detail the contents of the SCI review and associated report, and to require annual penetration testing; 73 • Amendments to Rule 1004 to require that SCI entities designate key third-party providers for participation in annual business continuity/disaster recovery testing; 74 • Amendments to Rule 1001(a)(4) to address how an SCI entity may avail itself of the safe harbor provision; 75 • Amendments to Rule 1005 to address the maintenance of records by a former SCI entity; and • Changes to Form SCI consistent with the proposed changes.76 The amendments to Regulation SCI are proposed independently of the proposals discussed in the Exchange Act Cybersecurity Proposal and Regulation S–P 2023 Proposing Release. However, the relationship of all three proposals, as each may apply to an SCI entity, is discussed in section III.D. III. Proposed Amendments to Regulation SCI A. Definition of SCI Entity 1. Evolution: Current and Proposed SCI Entities Currently, SCI entities are the SCI SROs, SCI ATSs, plan processors, certain exempt clearing agencies, and, as of 2020, SCI competing consolidators.77 In 2013, the Commission proposed to include other entities: specifically, ATSs trading corporate debt or municipal securities (hereafter, ‘‘Fixed Income ATSs’’) exceeding specified volume thresholds.78 The Commission did not include any Fixed Income ATSs as SCI entities at adoption in 2014, however, based on consideration of comments regarding the risk profile of Fixed 70 See infra section III.C.5.c. infra section III.C.3.c. 72 See infra section III.C.3.c. 
73 See infra sections III.C.3.b and III.C.4. 74 See infra section III.C.2.d. 75 See infra section III.C.5. 76 See infra section III.C.6. 77 See supra notes 27–29 and accompanying text; infra note 83 and accompanying text. 78 See SCI Proposing Release, supra note 14, at 18097. 71 See E:\FR\FM\14APP2.SGM 14APP2 Federal Register / Vol. 88, No. 72 / Friday, April 14, 2023 / Proposed Rules ddrumheller on DSK120RN23PROD with PROPOSALS2 Income ATSs at that time.79 In 2013, the Commission also solicited comment on the inclusion of several other types of entities, including SBSDRs and brokerdealers (beyond SCI ATSs).80 At adoption in 2014, comments regarding these and other entities were summarized, with specific proposals deferred for possible future consideration.81 In sum, the Commission stated in 2014 that it was neither limiting the applicability of Regulation SCI to only the most systemically important entities as urged by some commenters, nor taking a broad approach at the outset, but rather that it was taking a ‘‘measured’’ approach in establishing the initial scope of SCI entities.82 Since the initial adoption of Regulation SCI, the Commission has considered expansion of the definition of SCI entity several times: first to propose and adopt certain competing consolidators as SCI entities,83 and more recently to propose and repropose adding ATSs that trade U.S. Treasury Securities or Agency Securities exceeding specified volume thresholds (‘‘Government Securities ATSs’’) as SCI entities.84 79 See SCI Adopting Release, supra note 1, at 72270, 72409 (discussing determination not to apply Regulation SCI to ATSs trading only corporate debt and municipal securities at that time). 80 See SCI Proposing Release, supra note 14, at 18133–41. The Commission also solicited comment on the inclusion of security-based swap execution facilities (‘‘SB SEFs’’), which entities are now the subject of another proposal. 
See Rules Relating to Security-Based Swap Execution and Registration and Regulation of Security-Based Swap Execution Facilities, Release No. 94615 (Apr. 6, 2022), 87 FR 28872 (May 11, 2022) (proposing that SB SEFs be subject to 17 CFR 242.800 through 242.835 (‘‘Regulation SE’’) which includes operational capability requirements closely modeled on a detailed CFTC rule for SEFs (17 CFR 37.1401)). SB SEFs are not further discussed herein. 81 See SCI Adopting Release, supra note 1, at 72364–66 (contemplating possible future proposals). 82 See SCI Adopting Release, supra note 1, at 72259 (stating that this measured approach would enable the Commission to ‘‘monitor and evaluate the implementation of Regulation SCI, the risks posed by the systems of other market participants, and the continued evolution of the securities markets, such that it may consider, in the future, extending the types of requirements in Regulation SCI to additional categories of [key] market participants . . . .’’). 83 See Market Data Infrastructure Adopting Release, supra note 24, at 18659–18676. 84 See Securities Exchange Act Release Nos. 90019 (Sept. 28, 2020), 85 FR 87106 (Dec. 31, 2020) (‘‘Government Securities ATS Proposing Release’’); 94062 (Jan. 26, 2022), 87 FR 15496 (Mar. 18, 2022) (‘‘Government Securities ATS Reproposal’’) (among other things, citing operational similarities between Government Securities ATSs and NMS stock ATSs). In the Government Securities ATS Reproposal, the Commission proposed amendments to 17 CFR 240.3b–16(a) (‘‘Rule 3b–16(a)’’ of the Exchange Act), which defines certain terms used in the statutory definition of ‘‘exchange’’ under section 3(a)(1) of VerDate Sep<11>2014 20:01 Apr 13, 2023 Jkt 259001 The Commission now proposes a further expansion of the definition of SCI entity to include SBSDRs, certain registered broker-dealers (i.e., SCI broker-dealers), and additional clearing agencies exempted from registration. 
The Commission also solicits comment on whether, in light of technological changes in the fixed income markets in recent years, Fixed Income ATSs should again be proposed to be subject to Regulation SCI, rather than 17 CFR 240.301(b)(6) (‘‘Rule 301(b)(6)’’ of Regulation ATS), and also whether and how broker-dealers trading corporate debt and municipal securities should be considered.85 2. New Proposed SCI Entities When it adopted Regulation SCI, the Commission acknowledged that there may be other categories of entities not included in the definition of SCI entity that, given their increasing size and importance, could pose risks to the market should an SCI event occur, but decided to include only certain key market participants at that time.86 The Commission proposes to expand the definition of SCI entity to include SBSDRs, certain types of broker-dealers, the Exchange Act, to include systems that offer the use of non-firm trading interest and provide communication protocols to bring together buyers and sellers of securities. Trading systems that may fall within the criteria of proposed 17 CFR 240.3b– 16 (‘‘Rule 3b–16’’), as proposed to be amended, would likely operate as ATSs, and possibly SCI ATSs. Because the proposed amendments to Rule 3b–16(a) could result in a greater number of ATSs, and the amendments proposed to expand and update SCI could impact newly designated ATSs, commenters are encouraged to review both the Government Securities ATS Reproposal and this proposal to determine whether it might affect their comments on this proposal, as well as their responses to the Commission’s request for comment on application of Regulation SCI to Fixed Income ATS contained herein. 85 Currently, Rule 301(b)(6) of Regulation ATS applies to Fixed Income ATSs exceeding a volume threshold. 
Under Rule 301(b)(6), an ATS that trades only municipal securities or corporate debt at a threshold of 20% or more of the average daily volume traded in the United States, during at least four of the preceding six calendar months, is required to comply with capacity, integrity, and security requirements with respect to those systems that support order entry, order routing, order execution, transaction reporting, and trade comparison. See 17 CFR 242.301(b)(6). As discussed further below, the amendments proposed in this release do not include amendments to modify the numerical volume thresholds or to otherwise modify Rule 301(b)(6) of Regulation ATS, or move systems requirements for Fixed Income ATSs from Regulation ATS to Regulation SCI. The Commission does, however, request comment on the state of electronic trading and automation in the corporate debt and municipal securities markets, as well as the risks associated with entities with significant activity in these markets. See infra section III.B. 86 See SCI Adopting Release, supra note 1, at 72259. See also supra note 82 and accompanying text. PO 00000 Frm 00009 Fmt 4701 Sfmt 4702 23153 and additional clearing agencies exempted from registration as additional key market participants that would also have to comply with Regulation SCI because they play a significant role in the U.S. securities markets and/or have the potential to impact investors, the overall market, or the trading of individual securities in the event of a systems issue. If this amendment is adopted, these new SCI entities would become subject to all provisions of Regulation SCI, including the provisions proposed to be amended as discussed in section III.C of this release. a. Registered Security-Based Swap Data Repositories (SBSDRs) The Commission proposes to expand the application of Regulation SCI to SBSDRs. 
As registered securities information processors that disseminate market data and provide price transparency in the SBS market, and centralized trade repositories for SBS data for use by regulators, SBSDRs play a key role in the SBS market.[87] As noted, the Commission solicited comment on the inclusion of SBSDRs as SCI entities when it first proposed Regulation SCI in 2013.[88] At that time, the Commission anticipated that SBSDRs would “play an important role in limiting systemic risk and promoting the stability of the SBS market [and] also would serve as information disseminators in a manner similar to plan processors in the equities and options markets.”[89] But it also acknowledged that there may be differences between the equities and options markets and the SBS market, “including differing levels of automation and stages of regulatory development.”[90]

Comments received on the inclusion of SBSDRs as SCI entities in the SCI Proposing Release were limited. One commenter stated that “the similarities between certain SCI entities and SB SDRs . . . do not provide a clear justification for a different set of rules.”[91] Another commenter stated that SBSDRs should have standards that are consistent with, but not identical to, those of SCI entities because the functions that SBSDRs perform are significantly different from those performed by SCI entities.[92] Other commenters, however, felt the practical differences between options and equities and derivatives called for some form of harmonization of rules, but not direct application of Regulation SCI to these entities.[93] The Commission deferred and stated in the SCI Adopting Release that, “should [it] decide to propose to apply the requirements of Regulation SCI to SB SDRs [it] would issue a separate release discussing such a proposal.”[94] Taking into account the role of SBSDRs in the SBS market, their reliance on technology to perform their functions, and the current state of regulatory development in the SBS market, the Commission is doing so now.

[87] Rule 1000 would define the term registered security-based swap data repository to mean “a security-based swap data repository, as defined in 15 U.S.C. 78c(a)(75), and that is registered with the Commission pursuant to 15 U.S.C. 78m(n) and § 240.13n–1,” with a proviso that compliance with Regulation SCI would not be required until six months after the entity’s registration is effective. See proposed Rule 1000.
[88] See supra text accompanying note 80.
[89] SCI Proposing Release, supra note 14, at 18135 (citation omitted).
[90] Id.
[91] SCI Adopting Release, supra note 1, at 72364.
[92] See id.
[93] See id.
[94] SCI Adopting Release, supra note 1, at 72364; SCI Proposing Release, supra note 14, at 18134.

i. Role of SBSDRs and Associated Risks

Title VII of the Dodd-Frank Act, enacted in 2010, provided for a comprehensive, new regulatory framework for swaps and security-based swaps, including regulatory reporting and public dissemination of transactions in security-based swaps.[95] In 2015, the Commission established a regulatory framework for SBSDRs to provide improved transparency to regulators and help facilitate price discovery and efficiency in the SBS market.[96] Under this framework, SBSDRs are registered securities information processors and disseminators of market data in the SBS market,[97] thereby serving Title VII’s goal of having public dissemination of price information for all security-based swaps, to enhance price discovery for market participants.[98] Like FINRA’s Trade Reporting and Compliance Engine (“TRACE”) and the MSRB’s Electronic Municipal Market Access (“EMMA”),[99] SBSDRs serve an important function for market participants because they disseminate market data, thereby providing price transparency in the SBS market.[100] Just as TRACE and EMMA provide price transparency to market participants and regulatory information to regulators, SBSDRs are designed to meet two purposes as mandated by Title VII of the Dodd-Frank Act: (1) to provide SBS data and information to regulators to surveil the markets and assess for market risks; and (2) to enhance price discovery to market participants.[101] As discussed in detail below, given that SBSDRs rely on automated systems and are designed to limit systemic risk and promote the stability of the markets they serve, the Commission believes that including SBSDRs in the definition of SCI entities would better ensure that SBSDR systems are robust, resilient, and secure.

[95] Public Law 111–203, section 761(a) (adding Exchange Act section 3(a)(75) (defining SBSDR)) and section 763(i) (adding Exchange Act section 13(n) (establishing a regulatory regime for SBSDRs)).
[96] See Security-Based Swap Data Repository Registration, Duties, and Core Principles, Securities Exchange Act Release No. 74246 (Feb. 11, 2015), 80 FR 14438, 14441 (Mar. 19, 2015) (“SBSDR Adopting Release”); Regulation SBSR—Reporting and Dissemination of Security-Based Swap Information, Securities Exchange Act Release No. 74244 (Feb. 11, 2015), 80 FR 14563 (Mar. 19, 2015) (“SBSR Adopting Release”).
[97] See 17 CFR 242.909 (“A registered security-based swap data repository shall also register with the Commission as a securities information processor on Form SDR.”); see also Form SDR (“With respect to an applicant for registration as a security-based swap data repository, Form SDR also constitutes an application for registration as a securities information processor.”).
[98] See, e.g., SBSR Adopting Release, supra note 96, at 14604–05.
Additionally, this approach is reasonable and consistent, as other entities that play a key price transparency role in their respective markets, such as plan processors, SCI competing consolidators, FINRA and the MSRB, are SCI entities, and their systems that directly support market data, among other functions, are currently SCI systems.[102]

As centralized repositories for SBS data for use by regulators, SBSDRs provide important infrastructure that assists relevant authorities in performing their market oversight.[103] Data maintained by SBSDRs may assist regulators in preventing market abuses, performing supervision, and resolving issues and positions if an institution fails.[104] SBSDRs are required to collect and maintain accurate SBS transaction data so that relevant authorities can access and analyze the data from secure, central locations, thereby putting the regulators in a better position to monitor for potential market abuse and risks to financial stability.[105] SBSDRs also have the potential to reduce operational risk and enhance operational efficiency, such as by maintaining transaction records that would help counterparties to ensure that their records reconcile on all of the key economic details.[106]

Furthermore, SBSDRs themselves are subject to certain operational risks that may impede the ability of SBSDRs to meet the goals set out in Title VII of the Dodd-Frank Act and the Commission’s rules.[107] For instance, the links established between an SBSDR and other entities, including unaffiliated clearing agencies and other SBSDRs, may expose the SBSDR to vulnerabilities outside of its direct control.[108] Without appropriate safeguards in place for the systems of SBSDRs, their vulnerabilities could lead to significant failures, disruptions, delays, and intrusions, which could disrupt price transparency and oversight of the SBS market. For instance, an SBSDR processes and disseminates trade data using electronic systems, and if these systems fail, public access to timely and reliable trade data for the derivatives markets could potentially be compromised.[109] Also, if the data stored at an SBSDR is corrupted, the SBSDR would not be able to provide accurate data to relevant regulatory authorities, which could hinder the oversight of the derivatives markets. Moreover, because SBSDRs receive and maintain proprietary and sensitive information (e.g., trading data, non-public personal information), it is essential that their systems be capable of ensuring the security and integrity of this data.

[99] FINRA members are subject to transaction reporting obligations under FINRA Rule 6730, while municipal securities dealers are subject to transaction reporting obligations under MSRB Rule G–14. See FINRA Rule 6730(a)(1) (requiring FINRA members to report transactions in TRACE-Eligible Securities, which FINRA Rule 6710 defines to include a range of fixed-income securities). See also MSRB Rule G–14 (requiring transaction reporting by municipal bond dealers). EMMA, established by the MSRB in 2009, serves as the official repository of municipal securities disclosure providing the public with free access to relevant municipal securities data, and is the central database for information about municipal securities offerings, issuers, and obligors. Additionally, the MSRB’s Real-Time Transaction Reporting System (“RTRS”), with limited exceptions, requires municipal bond dealers to submit transaction data to the MSRB within 15 minutes of trade execution, and such near real-time post-trade transaction data can be accessed through the MSRB’s EMMA website.
[100] See Committee on Payment and Settlement Systems and Technical Committee of the International Organization of Securities Commissions, Principles for financial market infrastructures, at 1.14, Box 1 (Apr. 16, 2012) (“PFMI”), available at https://www.bis.org/publ/cpss101a.pdf (stating that “[a] TR [trade repository] may serve a number of stakeholders that depend on having effective access to TR services, both to submit and retrieve data. In addition to relevant authorities and the public, other stakeholders can include exchanges, electronic trading venues, confirmation or matching platforms, and third-party service providers that use TR data to offer complementary services.”).
[101] See, e.g., SBSR Adopting Release, supra note 96, at 14604–05.
[102] See SBSDR Adopting Release, supra note 96.
[103] See generally PFMI, supra note 100, at 1.14 (stating that “[b]y centralising the collection, storage, and dissemination of data, a well-designed TR that operates with effective risk controls can serve an important role in enhancing the transparency of transaction information to relevant authorities and the public, promoting financial stability, and supporting the detection and prevention of market abuse.”).
[104] See Security-Based Swap Data Repository Registration, Duties, and Core Principles, Exchange Act Release No. 63347 (Nov. 19, 2010), 75 FR 77306, 77307 (Dec. 10, 2010), corrected at 75 FR 79320 (Dec. 20, 2010) and 76 FR 2287 (Jan. 13, 2011) (“SBSDR Proposing Release”).
[105] See SBSDR Adopting Release, supra note 96, at 14440 (stating that “SDRs are required to collect and maintain accurate SBS transaction data so that relevant authorities can access and analyze the data from secure, central locations, thereby putting them in a better position to monitor for potential market abuse and risks to financial stability.”).
[106] See SBSDR Proposing Release, supra note 104, at 77307 (stating that “[t]he enhanced transparency provided by an SDR is important to help regulators and others monitor the build-up and concentration of risk exposures in the SBS market . . . . In addition, SDRs have the potential to reduce operational risk and enhance operational efficiency in the SBS market.”).
[107] See SBSDR Adopting Release, supra note 96, at 14450 (“SDRs themselves are subject to certain operational risks that may impede the ability of SDRs to meet these goals, and the Title VII regulatory framework is intended to address these risks.”).
[108] See PFMI, supra note 100, at 3.20.20 (stating that “A TR should carefully assess the additional operational risks related to its links to ensure the scalability and reliability of IT [information technology] and related resources. A TR can establish links with another TR or with another type of FMI. Such links may expose the linked FMIs to additional risks if not properly designed. Besides legal risks, a link to either another TR or to another type of FMI may involve the potential spillover of operational risk. The mitigation of operational risk is particularly important because the information maintained by a TR can support bilateral netting and be used to provide services directly to market participants, service providers (for example, portfolio compression service providers), and other linked FMIs.”).
[109] See PFMI, supra note 100, at 1.14, Box 1 (stating that “[t]he primary public policy benefits of a TR, which stem from the centralisation and quality of the data that a TR maintains, are improved market transparency and the provision of this data to relevant authorities and the public in line with their respective information needs. Timely and reliable access to data stored in a TR has the potential to improve significantly the ability of relevant authorities and the public to identify and evaluate the potential risks posed to the broader financial system.”).

Along with the reliance of SBSDRs on automated systems to perform their functions, regulatory development of the SBS market has proceeded significantly since 2015. In particular, security-based swap dealers have registered with the Commission,[110] SBSDRs have registered with the Commission,[111] security-based swap execution facilities (“SBSEF”) registration has been proposed,[112] and straight-through processing has increased in the market.[113] On November 8, 2021, SBS data began being reported to SBSDRs, which in turn began disseminating such data to the Commission and the public.[114] In light of the important role of SBSDRs in the markets for security-based swaps, their level of automation, and the regulatory development of the SBS market in recent years, the Commission believes it is timely to propose enhanced requirements for registered SBSDRs with respect to their technology systems that are central to the performance of their regulated activities.

[110] See List of Security-Based Swap Dealers and Major Security-Based Swap Participants, Commission (last updated Jan. 4, 2023), available at: https://www.sec.gov/files/list_of_sbsds_msbsps_1_4_2023locked_final.xlsx.
[111] The Commission approved the registration of two SBSDRs in 2021. See Security-Based Swap Data Repositories, DTCC Data Repository (U.S.), LLC, Order Approving Application for Registration as a Security-Based Swap Data Repository, Securities Exchange Act Release No. 91798 (May 7, 2021), 86 FR 26115 (May 12, 2021); Security-Based Swap Data Repositories, ICE Trade Vault, LLC, Order Approving Application for Registration as a Security-Based Swap Data Repository, Securities Exchange Act Release No. 92189 (Jun. 16, 2021), 86 FR 32703 (Jun. 22, 2021).
[112] See Rules Relating to Security-Based Swap Execution and Registration and Regulation of Security-Based Swap Execution Facilities, Securities Exchange Act Release No. 94615 (Apr. 6, 2022), 87 FR 28872 (May 11, 2022).
[113] See, e.g., Security-Based Swap Data Repositories, DTCC Data Repository (U.S.), LLC, Notice of Filing of Application for Registration as a Security-Based Swap Data Repository, Securities Exchange Act Release No. 91071 (Feb. 5, 2021), 86 FR 8977 (Feb. 10, 2021) (“[T]he SDR process is an end-to-end straight through process; from the receipt of data, processing and maintenance of data, and dissemination of data, processes are automated and do not require manual intervention.”).
[114] See SEC Approves Registration of First Security-Based Swap Data Repository; Sets the First Compliance Date for Regulation SBSR, Press Release, Commission (May 7, 2021), available at: https://www.sec.gov/news/press-release/2021-80.

ii. Current Regulation

The Commission believes the current technology regulation framework for SBSDRs should be strengthened. SBSDR technology regulation is currently governed by 17 CFR 240.13n–6 (“Rule 13n–6”), a broad, principles-based operational risk rule,[115] which the Commission adopted in 2015 when regulatory development of the SBS market was still nascent and SBSDRs were not yet registered with the Commission under 17 CFR 240.13n–1 (“Rule 13n–1”).[116] Additionally, Rule 13n–6 was adopted shortly after the adoption of Regulation SCI, with modifications that did not include some of the more detailed proposed requirements.[117] As a result, the two currently-registered SBSDRs (which are affiliated with registered clearing agencies that are subject to Regulation SCI)[118] remain subject to the broad principles-based rule, Rule 13n–6, which is the only applicable operational risk requirement for SBSDRs in the Commission’s current regulatory framework.

Rule 13n–6 requires that SBSDRs, with respect to those systems that support or are integrally related to the performance of their activities, establish, maintain, and enforce written policies and procedures reasonably designed to ensure that their systems provide adequate levels of capacity, integrity, resiliency, availability, and security.[119] The operational risk principles underlying Rule 13n–6 are an essential part of the rules that comprise the core framework for SBSDRs that the Commission established in 2015 at the opening of its regulatory regime governing SBSDRs. The core framework influences all applicable requirements relevant to SBSDRs that follow.

[115] See 17 CFR 240.13n–6.
[116] See SBSDR Adopting Release, supra note 96, at 14499, 14550 (“[T]he Commission may consider the application of any features of Regulation SCI to SDRs in the future.”); SCI Adopting Release, supra note 1, at 72364.
[117] See SBSDR Adopting Release, supra note 96, at 14499 (stating that “[t]he Commission is not adopting Rule 13n–6 as proposed because, after proposing Rule 13n–6, the Commission considered the need for an updated regulatory framework for certain systems of the U.S. securities trading markets and adopted Regulation Systems Compliance and Integrity (‘Regulation SCI’).”). Specifically, the Commission stated that the rule as adopted better sets an appropriate core framework for the policies and procedures of SBSDRs with respect to automated systems and that the framework adopted is “broadly consistent” with Regulation SCI. See id. Therefore, the Commission declined to adopt more prescriptive elements of the rule as proposed, including proposed Rule 13n–6(b), which would have required that every security-based swap data repository, with respect to those systems that support or are integrally related to the performance of its activities: (1) establish, maintain, and enforce written policies and procedures reasonably designed to ensure that its systems provide adequate levels of capacity, resiliency, and security. These policies and procedures shall, at a minimum: (i) establish reasonable current and future capacity estimates; (ii) conduct periodic capacity stress tests of critical systems to determine such systems’ ability to process transactions in an accurate, timely, and efficient manner; (iii) develop and implement reasonable procedures to review and keep current its system development and testing methodology; (iv) review the vulnerability of its systems and data center computer operations to internal and external threats, physical hazards, and natural disasters; and (v) establish adequate contingency and disaster recovery plans; (2) on an annual basis, submit an objective review to the Commission within thirty calendar days of its completion. Where the objective review is performed by an internal department, an objective, external firm shall assess the internal department’s objectivity, competency, and work performance with respect to the review performed by the internal department. The external firm must issue a report of the objective review, which the security-based swap data repository must submit to the Commission on an annual basis, within 30 calendar days of completion of the review; (3) promptly notify the Commission of material systems outages and any remedial measures that have been implemented or are contemplated (prompt notification includes the following: (i) immediately notify the Commission when a material systems outage is detected; (ii) immediately notify the Commission when remedial measures are selected to address the material systems outage; (iii) immediately notify the Commission when the material systems outage is addressed; and (iv) submit to the Commission within five business days of the occurrence of the material systems outage a detailed written description and analysis of the outage and any remedial measures that have been implemented or are contemplated); and (4) notify the Commission in writing at least thirty calendar days before implementation of any planned material systems changes. See SBSDR Proposing Release, supra note 104, at 77370.
[118] The two registered SBSDRs, DTCC Data Repository (U.S.), LLC and ICE Trade Vault, LLC, are affiliated with the registered clearing agencies, Depository Trust Company and ICE Clear Credit LLC, respectively.
The core framework not only addresses SBSDR operational risk, but also other SBSDR enumerated duties, including registration, market access to services and data, governance arrangements, conflicts of interest, data collection and maintenance, privacy and disclosure requirements, and chief compliance officers,[120] thereby implementing the provisions of Exchange Act section 13(n).[121] Therefore, the SBSDR core framework, of which Rule 13n–6 is a part, is different in focus and broader in scope than proposed Regulation SCI—as it relates to SBSDRs—which is focused on, among other things, protecting the security of SBSDR systems. While Rule 13n–6 may not provide the absolute requirements relating to SBSDR operational risk, as the Commission’s regulatory regime continues to evolve, Rule 13n–6 sets forth an enumerated duty for operational risk concerns that registered SBSDRs must address—at the time of registration and throughout their registration with the Commission. Compliance with the core principles and requirements in the SBSDR rules, including Rule 13n–6, is, thus, an important building block for better ensuring the integrity of an SBSDR’s data quality upon which the Commission and the securities markets rely. In this regard, the Commission believes that Rule 13n–6 should be preserved, with the requirements of this proposal, if adopted, working to complement Rule 13n–6.[122]

[119] See 17 CFR 240.13n–6.
[120] See 17 CFR 240.13n–1 through 240.13n–12; see SBSDR Adopting Release, supra note 96, at 14440–42.
[121] 15 U.S.C. 78m(n).
[122] When adopting Rule 13n–6, the Commission acknowledged the potential application of Regulation SCI provisions to SBSDRs in the future. See SBSDR Adopting Release, supra note 96, at 14438, 14499 (stating that “[c]onsistent with this approach and in recognition of the importance of SDRs as the primary repositories of SBS trade information, the Commission may consider the application of any features of Regulation SCI to SDRs in the future.”). Additionally, as guidance, the Commission stated that, in preparing their policies and procedures to comply with Rule 13n–6, SBSDRs may consider whether to incorporate aspects of Regulation SCI that may be appropriate for their particular implementation of Rule 13n–6. See id., at 14499, n.826 (stating that “[i]n preparing their policies and procedures, SDRs may consider whether to incorporate aspects of Regulation SCI that may be appropriate for their particular implementation of Rule 13n–6, including where an SDR is related by virtue of its corporate structure to an entity subject to Regulation SCI.”).

Specifically, the proposed requirements of Regulation SCI on SBSDRs would exist and operate in conjunction with Rule 13n–6 and would prescribe certain key features and more detailed functional requirements to help ensure that SBSDR market systems are robust, resilient, and secure.[123] Regulation SCI, among other things, defines the scope of systems covered, and requires: the establishment, maintenance, and enforcement of written policies and procedures to ensure that SCI systems have levels of capacity, integrity, resiliency, availability, and security adequate to maintain operational capacity and promote the maintenance of fair and orderly markets, with minimum elements that include, among others, standards designed to facilitate the successful collection, processing, and dissemination of market data and robust business continuity and disaster recovery plans; policies and procedures designed to ensure compliance with the federal securities laws; corrective action and reporting and dissemination of SCI events, quarterly reporting of material systems changes, and an annual SCI review; and participation of key members in the SCI entity’s business continuity and disaster recovery plans.

The Commission believes that SBSDRs operate with similar complexity and in a similar fashion as other registered securities information processors that are currently subject to Regulation SCI and that they play an important role in the SBS market and face similar technological vulnerabilities as existing SCI entities, such as FINRA’s TRACE and MSRB’s EMMA. For example, were an SBSDR to experience a systems issue, market participants could be prevented from receiving timely information regarding accurate prices for individual SBSs. Given SBSDRs’ reliance on automated systems and their dual Dodd-Frank mandated role of providing price transparency to market participants and SBS data to regulators to surveil markets to better ensure that systemic risk is limited and market stability is enhanced, the Commission believes it appropriate to include SBSDRs in the scope of the Regulation SCI proposal. Currently, there are two registered SBSDRs that would become subject to Regulation SCI should the Regulation SCI amendments be adopted.[124]

[123] In 2014, the SEC’s SBSDR regulatory framework was subject to a Level 2 assessment by the Bank for International Settlements’ Committee on Payments and Market Infrastructures (“CPMI”) and the International Organization of Securities Commissions (“IOSCO”), which concluded that “the U.S. jurisdiction has developed rules or proposed rules that completely and consistently implement the majority of Principles that are applicable to CCPs [central counterparties] [but that] [t]he progress of the U.S. jurisdiction towards completely and consistently implementing the Principles for [trade repositories] has been more limited.” See CPMI–IOSCO, Implementation Monitoring of PFMIs: Level 2 assessment report for central counterparties and trade repositories—United States (Feb. 26, 2015), available at https://www.iosco.org/library/pubdocs/pdf/IOSCOPD477.pdf. Additionally, CPMI–IOSCO issued guidance for cyber resilience for financial market infrastructures (“FMIs”), including trade repositories. See CPMI–IOSCO, Guidance on cyber resilience for financial market infrastructures (June 2016), available at https://www.iosco.org/library/pubdocs/pdf/IOSCOPD535.pdf; see also CPMI–IOSCO, Implementation monitoring of the PFMI: Level 3 assessment on Financial Market Infrastructures’ Cyber Resilience (Nov. 2022), available at https://www.iosco.org/library/pubdocs/pdf/IOSCOPD723.pdf (presenting the results of an assessment of the state of cyber resilience (as of Feb. 2021) at 37 FMIs from 29 jurisdictions that participated in this exercise in 2020 to 2022).

iii. Request for Comment

1. The Commission requests comment generally on the inclusion of SBSDRs as SCI entities. Is their inclusion appropriate? Why or why not? Please be specific and provide examples, if possible, to illustrate your points.

2. Should all or some aspects of Regulation SCI apply to SBSDRs? Why or why not? If only a portion, please specify which portion(s) and explain why. If all, explain why.

3. Are the definitions of SCI systems and indirect SCI systems appropriate for SBSDRs? Why or why not? Are there any systems of SBSDRs that should be included but would not be covered by these definitions? Please explain. Are there any systems of SBSDRs that should be excluded by these definitions? Please explain. Do SBSDRs have any systems that would or should be covered by the definition of critical SCI systems? Please explain.

4. Is current Rule 13n–6 sufficient to govern the technology of SBSDRs? If not, why not? Would the Regulation SCI proposed requirements, together with Rule 13n–6, be sufficient to address operational risk concerns posed by SBSDRs? Why or why not?
Should Rule 13n–6 serve as an operational risk requirement for new SBSDR registrants during the first year registered with the Commission, with Regulation SCI proposed requirements imposed after the first year of registration? Why or why not? Please be specific and respond with examples, if possible. 5. Given the current practices of SBSDRs, would the proposed Regulation SCI requirements pose unreasonable or unworkable difficulties 124 See E:\FR\FM\14APP2.SGM supra note 118. 14APP2 Federal Register / Vol. 88, No. 72 / Friday, April 14, 2023 / Proposed Rules for them, technologically, legally, operationally, or procedurally? Why or why not? Please be specific and respond with examples, if possible. 6. Should Regulation SCI distinguish among different types of SBSDRs such that some requirements of Regulation SCI might be appropriate for some SBSDRs but not others? Why or why not? If so, what are those distinctions and what are those requirements? For example, should any requirements be based on criteria such as number of transactions or notional volume reported to a SBSDR? If so, what would be an appropriate threshold for any such criteria, and why? Please be specific and provide examples, if possible. 7. Because proposed Regulation SCI would include SBSDRs as ‘‘SCI entities,’’ SBSDRs that share systems with affiliated clearing agencies could be required to classify those shared systems as SCI systems of the SBSDR and indirect SCI systems of the clearing agency, and vice versa. Is this outcome appropriate? Why or why not? Please be specific and provide examples, if possible. 8. Is Regulation SCI, including as proposed to be amended, comprehensive and robust enough to address SBSDRs that rely on third-party providers to support core SBSDR operations? Why or why not? Please be specific and provide examples, if possible. ddrumheller on DSK120RN23PROD with PROPOSALS2 b. 
SCI Broker-Dealers The Commission further proposes to expand the application of Regulation SCI by including certain brokerdealers—to be referred to as ‘‘SCI broker-dealers’’—in the definition of SCI entity. An SCI broker-dealer would be a broker or dealer registered with the Commission pursuant to section 15(b) of the Exchange Act that exceeds one or more size thresholds. An SCI brokerdealer would be a broker-dealer that meets or exceeds: (i) a total assets threshold, or (ii) one or more transaction activity thresholds. The proposed thresholds are designed to identify the largest U.S. brokerdealers by size, as measured in two different ways. The first is analysis of broker-dealer size based on total assets reported on Form X–17A–5 (Financial and Operational Combined Uniform Single (‘‘FOCUS’’) Report Part II, Item 940),125 which reveals the largest firms based on their balance sheets at a point in time, and which is a measure used by 125 See Form X–17A–5, FOCUS Report, Part II, at 3, available at https://www.sec.gov/files/formx-17a5_2_2.pdf (requiring broker-dealers to report their total assets in Item 940). VerDate Sep<11>2014 20:01 Apr 13, 2023 Jkt 259001 the Board of Governors of the Federal Reserve System (‘‘Federal Reserve Board’’) to calculate and provide to the public on a quarterly basis a measure of total assets of all security brokerdealers.126 The second is a measure of broker-dealer size using transaction activity to identify significant firms active in certain enumerated types of securities. 
As discussed further below, the total assets threshold is expressed in terms of the broker-dealer’s total assets at specified points in time as a percentage of the “total assets of all security broker-dealers” with “total assets of all security-broker-dealers” being calculated and made publicly available by the Federal Reserve Board for the associated preceding calendar quarter, or any subsequent provider of such information.127 The trading activity threshold is expressed in terms of the sum of buy and sell transactions that the broker-dealer transacted during a specified time period as a percentage of reported total average daily dollar volume in one or more enumerated types of securities. The proposed total assets threshold is broadly similar to the approach banking regulators use to assess the appropriate capital and liquidity requirements for banks.128 The proposed transaction activity thresholds are similar to, but distinguishable from, the market share thresholds for SCI ATSs.129 The proposed threshold approaches in the proposed definition of SCI broker-dealer are designed to identify entities that play key roles in the U.S. securities markets due to the magnitude of their activity in these markets.130

126 See infra note 127.
127 For additional detail on the calculation of total assets of all security broker-dealers, see Z.1: Financial Accounts of the United States, available at https://www.federalreserve.gov/apps/fof/Guide/z1_tables_description.pdf ((i) stating that the term “security broker-dealers” refers to firms that buy and sell securities for a fee, hold an inventory of securities for resale, or do both; and firms that make up this sector are those that submit information to the Commission on one of two reporting forms, either the Financial and Operational Combined Uniform Single Report of Brokers and Dealers (FOCUS) or the Report on Finances and Operations of Government Securities Brokers and Dealers (FOGS); and (ii) describing the major assets of the security brokers and dealers sector). Currently, this information is readily accessible on the Federal Reserve Economic Data (“FRED”) website. See Board of Governors of the Federal Reserve System (US), Security Brokers and Dealers; Total Assets (Balance Sheet), Level [BOGZ1FL664090663Q], retrieved from FRED, Federal Reserve Bank of St. Louis, available at: https://fred.stlouisfed.org/series/BOGZ1FL664090663Q (making publicly available the total assets of all security brokers and dealers, as calculated and updated quarterly by the Federal Reserve Board).
128 See infra notes 178–180 and accompanying text.
129 See infra section III.A.b.iii.
130 See infra text accompanying notes 138–142 (summarizing comments on the SCI Proposing Release from commenters urging that application of Regulation SCI to broker-dealers should be limited to those with substantial transaction volume or having a large “footprint”).

i. Background

There are approximately 3,500 broker-dealers registered with the Commission pursuant to section 15(b) of the Exchange Act, and these entities encompass a broad range of sizes, business activities, and business models.131 In 2013, the Commission proposed to include significant volume ATSs in the definition of SCI entity but at that time did not propose to include any other aspects of broker-dealer operations.132 Rather, the Commission solicited comment on whether certain classes of broker-dealers should be covered. In particular, the Commission sought comment on whether Regulation SCI should apply, for example, to OTC market makers 133 (either all or those that execute a significant volume of orders), exchange market makers 134 (either all or those that trade a significant volume on exchanges), order-entry firms that handle and route order flow for execution (either all or those that handle a significant volume of investor orders), clearing broker-dealers (either all or those that engage in a significant amount of clearing activities), and/or large multi-service broker-dealers that engage in a variety of order handling, trading, and clearing activities.135 Although OTC market makers and clearing broker-dealers were noted specifically as examples of categories of broker-dealers that could pose significant risk to the market if a large portion of the order flow they handle or process were disrupted due to a systems issue, the Commission broadly solicited commenters’ views on the importance of different categories of broker-dealers to the stability of overall securities market infrastructure and the risks posed by their systems.136 As summarized in the SCI Adopting Release, commenters’ views varied.137 One commenter opined that market makers and brokers or dealers that execute orders internally by trading as a principal or crossing orders as an agent and handle market share that exceeds that of certain SCI ATSs should be subject to Regulation SCI.138 Others stated that market makers, high frequency trading firms, or any firm with market access should be included, arguing that these market participants could present systemic risks to the market and had “a significant footprint in the markets.” 139 Others stated that broker-dealers should be SCI entities because 17 CFR 240.15c3–5 (“Rule 15c3–5” or “Market Access Rule”),140 requiring the implementation of risk management and supervisory controls to limit risk associated with routing orders to exchanges or ATSs, was not sufficient by itself, as it does not address the reliability or integrity of the systems that implement such controls.141 One commenter stated that Regulation SCI should be extended to any trading platforms that transact significant volume, including systems that are not required to register as an ATS because all executions are against the bids and offers of a single dealer.142 In contrast, other commenters argued that broker-dealers should not be subject to Regulation SCI because they must comply with other Exchange Act and FINRA rules and the proposed Regulation SCI requirements would be “duplicative and unduly burdensome.” 143 At adoption, the Commission stated that “should [it] decide to propose to apply the requirements of Regulation SCI to [broker-dealer operations other than ATSs, it] would issue a separate release discussing such a proposal and would take these comments into account.” 144

In considering expansion of Regulation SCI to broker-dealers or broker-dealer operations beyond SCI ATSs, the Commission has considered the extent to which current Commission and FINRA rules affect how broker-dealers design and review their systems for capacity, integrity, resiliency, availability, and/or security adequate to maintain operational capability and promote the maintenance of fair and orderly markets and compliance with federal securities laws and regulations, and whether additional technology oversight is appropriate for certain broker-dealers based on the magnitude of their activity in the markets today.145 The Commission proposes to apply Regulation SCI to a limited number of the approximately 3,500 broker-dealers registered with the Commission. The proposed thresholds are designed to identify firms that, by virtue of their total assets or level of transaction activity over a period of time and on a consistent basis, play a significant role in the orderly functioning of U.S. securities markets. The thresholds are designed to identify firms that, if adversely affected by a technology event, could disrupt or impede orderly and efficient market operations more broadly.

131 This estimate is derived from information on broker-dealer FOCUS Report Form X–17A–5 Schedule II filings as of Dec. 31, 2021, as well as the third quarter of 2022. See also FINRA, 2022 FINRA Industry Snapshot (Mar. 2022), available at https://www.finra.org/sites/default/files/2022-03/2022-industry-snapshot.pdf. Section 15(b)(8) of the Exchange Act prohibits any broker-dealer from effecting transactions in securities unless it is a member of a registered national securities association (i.e., FINRA) or effects securities transactions solely on a national securities exchange of which it is a member. See 15 U.S.C. 78o(b)(8); see also 17 CFR 240.15b9–1 (“Rule 15b9–1”) (exempting proprietarily trading dealers from section 15(b)(8)’s national securities association membership requirement if they are a member of a national securities exchange and meet certain other requirements). But see Securities Exchange Act Release No. 95388 (July 29, 2022), 87 FR 49930 (Aug. 12, 2022) (proposing amendments to Exchange Act Rule 15b9–1 that would generally require proprietary trading firms that are registered broker-dealers to become a registered member of a national securities association (i.e., FINRA) if they effect securities transactions otherwise than on an exchange of which they are a member). See also Securities Exchange Act Release No. 94524 (Mar. 28, 2022), 87 FR 23054 (Apr. 18, 2022) (“Dealer-Trader Release”) (proposing to further define “dealer” and “government securities dealer” to identify certain activities that would constitute a “regular business” requiring a person engaged in those activities to register as a “dealer” or a “government securities dealer,” absent an exception or exemption). Because the proposed amendments to further define the definition of dealer could result in a greater number of dealers and the amendments proposed to expand and update Regulation SCI could impact these newly designated dealers, commenters also are encouraged to review the Dealer-Trader Release to determine whether it might affect their comments on this proposal.
132 See SCI Proposing Release, supra note 14, at 18138–42.
133 An OTC market maker is a dealer that holds itself out as willing to buy and sell NMS stocks on a continuous basis in amounts of less than block size otherwise than on an exchange. See 17 CFR 242.600(b)(64).
134 An exchange market maker is any member of a national securities exchange that is registered as a specialist or market maker pursuant to the rules of such exchange. See 17 CFR 242.600(b)(32).
135 See SCI Proposing Release, supra note 14, at 18139–40.
136 See SCI Proposing Release, supra note 14, at 18138–40 (including questions 194–196 soliciting comment on whether and how to distinguish between and among categories of broker-dealers, such as OTC market makers, order entry firms that handle and route order flow for execution, clearing broker-dealers, and large multi-service broker-dealers that engage in a variety of order handling, trading, and clearing activities).
137 See SCI Adopting Release, supra note 1, at 72365.
138 See id. (citing letter from the New York Stock Exchange, Inc. (“NYSE”)).
139 See id. (citing letters from Liquidnet, Inc., David Lauer, and R.T. Leuchtkafer).
140 See 17 CFR 240.15c3–5.
141 See SCI Adopting Release, supra note 1, at 72365 (citing letters from David Lauer and the NYSE).
142 See id. (citing letter from BlackRock at 4, in which BlackRock stated that trading systems that “transact significant volume” are “venues that have a meaningful role and impact on the equity market”).
143 See id.
144 SCI Adopting Release, supra note 1, at 72366.
145 As noted above, the concurrently issued Exchange Act Cybersecurity Proposal would establish minimum “cybersecurity rules” for all broker-dealers. That proposal does not, however, independently address weaknesses in broker-dealer operational capacity or resiliency not attributable to cybersecurity breaches.

ii. Current Regulatory Oversight of Broker-Dealer Systems Technology

There are a number of Commission and FINRA rules that affect how broker-dealers design and maintain their technology and promote business continuity and regulatory compliance.146 Although these rules may support the goal of more resilient broker-dealer systems, they are not designed to address the same concerns that Regulation SCI addresses and are not a substitute for Regulation SCI.147 As some commenters on the SCI Proposing Release stated, the Market Access Rule is relevant to certain broker-dealer systems.
The Market Access Rule requires broker-dealers with market access to implement, on a market-wide basis, effective financial and regulatory risk management controls and supervisory procedures reasonably designed to limit financial exposure and ensure compliance with applicable regulatory requirements, and thus seeks to address, among other things, certain risks posed to the markets by broker-dealer systems.148 Pursuant to the Market Access Rule, a broker or dealer with market access, or that provides a customer or any other person with access to a national securities exchange or ATS through use of its market participant identifier or otherwise, must establish, document, and maintain a system of risk management controls and supervisory procedures reasonably designed to manage the financial, regulatory, and other risks of this business activity.149 The Market Access Rule specifies standards for financial and regulatory risk management controls and supervisory procedures.150 It requires that the financial risk management controls and supervisory procedures must be reasonably designed to limit systematically the financial exposure of the broker or dealer that could arise from market access.151 In addition, the Market Access Rule requires that regulatory risk management controls and supervisory procedures be reasonably designed to ensure compliance with all regulatory requirements.152 As such, the Market Access Rule focuses on controls to prevent technology and other errors that can create some of the more significant risks to broker-dealers and the markets, namely those that arise when a broker-dealer enters orders into a national securities exchange or ATS, including when it provides sponsored or direct market access to customers or other persons, where the consequences of such an error can rapidly magnify and spread throughout the markets.

146 17 CFR 240.3a1–1(a)(2) (“Rule 3a1–1(a)(2)”), exempts from the Exchange Act section 3(a)(1) definition of “exchange” an organization, association, or group of persons that complies with Regulation ATS. All such exempted ATSs must be a registered broker-dealer and become a member of an SRO, which typically is FINRA. Accordingly, FINRA rules applicable to broker-dealers apply to ATSs. A similar discussion of FINRA rules applicable to ATSs appears in the SCI Adopting Release, supra note 1, at 72263.
147 See infra notes 148–166 and accompanying text. See also SCI Adopting Release, supra note 1, at 72263 (n. 115 and accompanying text), 72365 (discussing comments received).
148 See Securities Exchange Act Release No. 63241 (Nov. 3, 2010), 75 FR 69792 (Nov. 15, 2010) (“Market Access Release”). Under 17 CFR 240.15c3–5(a)(1) (“Rule 15c3–5(a)(1)”), “market access” is defined to mean: (i) access to trading in securities on an exchange or ATS as a result of being a member or subscriber of the exchange or ATS, respectively; or (ii) access to trading in securities on an ATS provided by a broker-dealer operator of an ATS to a non-broker-dealer. See 17 CFR 240.15c3–5(a)(1). In adopting Rule 15c3–5(a)(1), the Commission stated that “the risks associated with market access . . . are present whenever a broker-dealer trades as a member of an exchange or subscriber to an ATS, whether for its own proprietary account or as agent for its customers, including traditional agency brokerage and through direct market access or sponsored access arrangements.” See Market Access Release at 69798. As such, the Commission stated that “to effectively address these risks, Rule 15c3–5 must apply broadly to all access to trading on an Exchange or ATS.” Id.
Further, the Market Access Rule requires specific controls and procedures around a broker-dealer entering orders on a national securities exchange or ATS that Regulation SCI does not and would not prescribe. In contrast, the policies and procedures required by Regulation SCI apply broadly to technology that supports trading, clearance and settlement, order routing, market data, market regulation, and market surveillance and, among other things, address their overall capacity, integrity, resilience, availability, and security independent of market access. Whereas the Market Access Rule prescribes specific controls and procedures around a broker-dealer entering orders on an exchange or ATS, it is not designed to ensure that the key technology pervasive and important to the functioning of the U.S. securities markets is robust, resilient, and secure.153 Among other requirements, the policies and procedures requirements of Regulation SCI are designed to help ensure that the systems of SCI entities are adequate to maintain operational capability independent of any specific SCI event (i.e., a systems issue such as a systems disruption, systems intrusion, or systems compliance issue). Further, the SCI review requirement obligates an SCI entity to assess the risks of its systems and effectiveness of its technology controls at least annually, identify weaknesses, and ensure compliance with the safeguards of Regulation SCI.

149 See 17 CFR 240.15c3–5(b).
150 See 17 CFR 240.15c3–5(c).
151 See 17 CFR 240.15c3–5(c)(1).
152 See 17 CFR 240.15c3–5(c)(2). See also 17 CFR 240.15c3–5(a)(2) (defining “regulatory requirements” to mean all Federal securities laws, rules and regulations, and rules of self-regulatory organizations, that are applicable in connection with market access).

The Market Access Rule and Regulation SCI, therefore, have different requirements and would operate in conjunction with each other to help ensure that SCI broker-dealer SCI systems, whether used for access to the national securities exchanges or ATSs or not, are robust, resilient, and secure.

Broker-dealers are also subject to the Commission’s financial responsibility rules (17 CFR 240.15c3–1 (“Rule 15c3–1”) and 17 CFR 240.15c3–3 (“Rule 15c3–3”)) under the Exchange Act. Rule 15c3–1 requires broker-dealers to maintain minimum amounts of net capital, ensuring that the broker-dealer at all times has enough liquid assets to promptly satisfy all creditor claims if the broker-dealer were to go out of business.154 Rule 15c3–3 imposes requirements relating to safeguarding customer funds and securities.155 These rules provide protections for broker-dealer counterparties and customers and can help to mitigate the risks to, and impact on, customers and other market participants by protecting them from the consequences of financial failure that may occur because of a systems issue at a broker-dealer, and thus have a different scope and purpose from Regulation SCI.156

153 See also supra note 141 and accompanying text.
154 See 17 CFR 240.15c3–1.
155 See 17 CFR 240.15c3–3.
156 Similarly, 17 CFR 248.30 (“Rule 30” of Regulation S–P), which requires registered brokers and dealers to have written policies and procedures that are reasonably designed to safeguard customer records and information—to insure their security and confidentiality, protect against threats or hazards to their security and integrity and protect against unauthorized access or use that could result in substantial harm or inconvenience to any customer—is not designed to help ensure operational capability of market related systems. In addition, 17 CFR 248.201 (“Regulation S–ID”) requires financial institutions or creditors (defined to include registered broker-dealers) that have one or more covered accounts, as defined in 17 CFR 248.201(b)(3) (e.g., brokerage account), to develop and implement a written identity theft prevention program to detect, prevent, and mitigate identity theft in connection with covered accounts that includes policies and procedures to identify and incorporate red flags into the program, detect and respond to red flags, and incorporate periodic updates to the program. This rule, however, is also not designed to ensure operational capability of market related systems.

Pursuant to 17 CFR 240.17a–3 (“Rule 17a–3” under the Exchange Act) and 17 CFR 240.17a–4 (“Rule 17a–4” under the Exchange Act), broker-dealers are required to make and keep current records detailing, among other things, securities transactions, money balances, and securities positions.157 A systems issue at a broker-dealer would not excuse the broker-dealer for noncompliance with these requirements.158 Further, a broker-dealer that fails to make and keep current the records required by Rule 17a–3 must give notice to the Commission of this fact on the same day and, thereafter, within 48 hours transmit a report to the Commission stating what the broker-dealer has done or is doing to correct the situation.159 Regulation SCI, however, more directly addresses mitigating the impact of technology failures with respect to SCI systems and indirect SCI systems (which include systems that are not used to make and keep current the records required by Rule 17a–3). Specifically, it requires notifications to the Commission for a different set of events—systems intrusions, systems compliance issues, and systems disruptions—than the notification requirements of 17 CFR 240.17a–11 (“Rule 17a–11”), and is therefore not duplicative of Rule 17a–11. In addition, it requires that, when an SCI event has occurred, an SCI entity must begin to take appropriate corrective action which must include, at a minimum, mitigating potential harm to investors and market integrity resulting from the SCI event and devoting adequate resources to remedy the SCI event as soon as reasonably practicable.

157 See 17 CFR 240.17a–3; 17 CFR 240.17a–4.
158 See, e.g., Securities Exchange Act Release No. 40162 (July 2, 1998), 63 FR 37668 (July 13, 1998) (stating that computer systems with “Year 2000 Problems” may be deemed not to have accurate and current records and be in violation of Rule 17a–3).
159 See 17 CFR 240.17a–11.

FINRA also has several rules that are similar to, but take a different approach from, Regulation SCI. For example, FINRA Rule 4370 requires that each broker-dealer create and maintain a written business continuity plan identifying procedures relating to an emergency or significant business disruption that are reasonably designed to enable them to meet their existing obligations to customers. The procedures must also address the broker-dealer’s existing relationships with other broker-dealers and counterparties. A broker-dealer is required to update its plan in the event of any material change to the member’s operations, structure, business, or location and must conduct an annual review of its business continuity plan to determine whether any modifications are necessary in light of changes to the member’s operations, structure, business, or location.
The rule sets forth general minimum elements that a broker-dealer’s business continuity plan must address.160 This rule is akin to Regulation SCI’s Rule 1001(a)(2)(v) requiring policies and procedures for business continuity and disaster recovery plans.161 However, unlike Regulation SCI, the FINRA rule does not include the requirement that the business continuity and disaster recovery plans be reasonably designed to achieve next business day resumption of trading and two-hour resumption of critical SCI systems following a wide-scale disruption, nor does it require the functional and performance testing and coordination of industry or sector testing of such plans, which are instrumental in achieving the goals of Regulation SCI with respect to SCI entities.162 In addition, FINRA Rule 4370 contains certain provisions that Regulation SCI does not.163 For example, a broker-dealer must disclose to its customers through public disclosure statements how its business continuity plan addresses the possibility of a future significant business disruption and how the member plans to respond to events of varying scope.164 Accordingly, FINRA Rule 4370 and Regulation SCI would operate in conjunction with one another to help ensure that an SCI broker-dealer has business continuity and disaster recovery plans to achieve the goals of each rule.

160 Specifically, FINRA Rule 4370 requires that each plan must, at a minimum, address: data backup and recovery; all mission critical systems; financial and operational assessments; alternate communications between customers and the member; alternate communications between the member and its employees; alternate physical location of employees; critical business constituent, bank, and counter-party impact; regulatory reporting; communications with regulators; and how the member will assure customers’ prompt access to their funds and securities in the event that the member determines that it is unable to continue its business.
161 See SCI Adopting Release, supra note 1, at 72263–64.
162 Id.
163 See supra note 160.
164 See FINRA Rule 4370(e).

FINRA Rule 3110(b)(1) requires each broker-dealer to establish, maintain, and enforce written procedures to supervise the types of business in which it engages and to supervise the activities of registered representatives, registered principals, and other associated persons that are reasonably designed to achieve compliance with applicable securities laws and regulations. This supervisory obligation extends to member firms’ outsourcing of certain “covered activities”—activities or functions that, if performed directly by a member firm, would be required to be the subject of a supervisory system and written supervisory procedures pursuant to FINRA Rule 3110.165 This rule is broadly similar to Rule 1001(b) of Regulation SCI regarding policies and procedures to ensure systems compliance. However, unlike Rule 1001(b), which focuses on ensuring that an entity’s systems operate in compliance with the Exchange Act, the rules and regulations thereunder, and the entity’s rules and governing documents, this FINRA rule does not specifically address compliance of broker-dealers’ systems. Further, this provision does not cover more broadly policies and procedures akin to those in Rule 1001(a) of Regulation SCI regarding ensuring the SCI entity’s operational capability. FINRA Rule 3110(b)(1) and Regulation SCI would operate in conjunction to help ensure that the SCI systems of SCI broker-dealers, including those operated by third parties, are robust, resilient, and operate as intended.

165 See FINRA, Regulatory Notice 21–29: Vendor Management and Outsourcing (Aug. 13, 2021), available at https://www.finra.org/sites/default/files/2021-08/Regulatory-Notice-21-29.pdf; FINRA, Notice to Members 05–48: Outsourcing (July 2005), available at https://www.finra.org/sites/default/files/NoticeDocument/p014735.pdf.

FINRA Rule 3130 requires a broker-dealer’s chief compliance officer to certify annually that the member has in place processes to establish, maintain, review, test, and modify written policies and procedures reasonably designed to achieve compliance with applicable FINRA rules, MSRB rules, and federal securities laws and regulations. This rule is similar to Rule 1001(b) of Regulation SCI regarding policies and procedures to ensure systems compliance; however, like FINRA Rule 3130(b)(1), it does not specifically address compliance of broker-dealers’ systems, and does not require similar policies and procedures to those in Rule 1001(a) of Regulation SCI regarding operational capability of SCI entities. Therefore, FINRA Rule 3130 and Regulation SCI would operate in conjunction with each other to help ensure compliance with applicable law.

FINRA Rule 4530 imposes a regime for reporting certain events to FINRA, including, among other things, compliance issues and other events where a broker-dealer has concluded, or should have reasonably concluded, that a violation of securities or other enumerated law, rule, or regulation of any domestic or foreign regulatory body or SRO has occurred.
This requirement is similar to Regulation SCI’s reporting requirements under Rule 1002 with respect to systems compliance issues; however, it does not cover reporting of systems disruptions and systems intrusions that did not also involve a violation of a securities law, rule, or regulation. Further, the FINRA reporting rule differs from the Commission notification requirements with respect to the scope, timing, content and required recipient of the reports. FINRA Rule 4530 addressing reporting of certain issues to FINRA is thus not duplicative of Regulation SCI, which, among other things, was designed to enhance direct Commission oversight of entities designated as key entities because they play a significant role in the U.S. securities markets.

Additionally, while regulations and associated guidance applicable to bank holding companies promulgated by the Federal Reserve Board and other bank regulators address operational resilience, their direct application is to bank holding companies rather than broker-dealers registered with the Commission. For example, a 2020 interagency paper issued by the Federal Reserve Board, the Office of the Comptroller of the Currency, and the Federal Deposit Insurance Corporation sets forth “sound practices” for the largest, most complex firms, including U.S. bank holding companies, to follow to strengthen their operational resilience. While this publication offers key strategies for covered entities to follow to remain resilient, many of which are similar to what Regulation SCI requires, they are not mandatory for registered broker-dealers.166 Thus, although some Exchange Act and FINRA rules other than Regulation SCI support the goal of robust and resilient broker-dealer systems, the Commission believes that additional protections, reporting of systems problems, and direct Commission oversight of broker-dealer technology is appropriate for the largest broker-dealers.

166 See Federal Reserve Board, SR 20–24: Interagency Paper on Sound Practices to Strengthen Operational Resilience (Nov. 2, 2020), (“Banking Interagency Paper”), available at https://www.federalreserve.gov/supervisionreg/srletters/SR2024.htm (“To help large and complex domestic firms address unforeseen challenges to their operational resilience, the sound practices are drawn from existing regulations, guidance, and statements as well as common industry standards that address operational risk management, business continuity management, third-party risk management, cybersecurity risk management, and recovery and resolution planning.”). The paper applies to national banks, state member banks, state nonmember banks, savings associations, U.S. bank holding companies, and savings and loan holding companies that have average total consolidated assets greater than or equal to (a) $250 billion or (b) $100 billion and have $75 billion or more in average cross-jurisdictional activity, average weighted short-term wholesale funding, average nonbank assets, or average off-balance sheet exposure. As discussed below, the Commission’s proposed approach to identifying SCI broker-dealers similarly takes into account the size of the firm, as measured by a total assets threshold and/or market activity thresholds.

iii. Proposed Thresholds for an “SCI Broker-Dealer”

Overview

As proposed, Regulation SCI would apply to a limited number of broker-dealers that satisfy: (i) a total assets threshold, or (ii) one or more transaction activity thresholds. The Commission preliminarily believes that a broker-dealer that meets the proposed thresholds for assets or transaction activity, whether operating in multiple markets or predominantly in a single market, that becomes unreliable or unavailable due to a systems issue, risks disrupting fair and orderly market functioning. Current Regulation SCI applies to all national securities exchanges and certain significant-volume ATSs, all of which are highly dependent on sophisticated automated and interconnected systems. As electronic trading has grown, and continues to grow in some asset classes, many broker-dealers are similarly dependent on sophisticated and interconnected automated systems.167 These broker-dealer systems contribute to the orderly functioning of U.S. securities markets, encompassing, for example, systems for trading and quoting, order handling, dissemination and processing of market data, and the process of clearance and settlement.

An “SCI broker-dealer” would be a broker or dealer registered with the Commission pursuant to section 15(b) of the Exchange Act which:

• In at least two of the four preceding calendar quarters, ending March 31, June 30, September 30, and December 31, reported to the Commission, on Form X–17A–5 (§ 249.617),168 total assets in an amount that equals five percent (5%) or more of the total assets of all security brokers and dealers; or 169

• During at least four of the preceding six calendar months:

○ With respect to transactions in NMS stocks, transacted average daily dollar volume in an amount that equals ten percent (10%) or more of the average daily dollar volume 170 reported by or pursuant to applicable effective transaction reporting plans, provided, however, that for purposes of calculating its activity in transactions effected otherwise than on a national securities exchange or on an alternative trading system, the broker-dealer shall exclude transactions for which it was not the executing party; or

○ With respect to transactions in exchange-listed options contracts, transacted average daily dollar volume in an amount that equals ten percent (10%) or more of the average daily dollar volume 171 reported by an applicable effective national market system plan; or

○ With respect to transactions in U.S. Treasury Securities, transacted average daily dollar volume in an amount that equals ten percent (10%) or more of the total average daily dollar volume 172 made available by the self-regulatory organizations 173 to which such transactions are reported; or

○ With respect to transactions in Agency Securities, transacted average daily dollar volume in an amount that equals ten percent (10%) or more of the total average daily dollar volume 174

167 For example, see Algorithmic Trading Report, supra note 3 (discussing many uses of computer systems in contemporary markets, particularly with respect to the trading of equity and debt securities).
168 Broker-dealers that file Form X–17A–5 on a monthly basis would use their total assets, as reported on Item 940 of Form X–17A–5, for the months ending Mar. 31, June 30, Sept. 30, and Dec. 31. Broker-dealers that file Form X–17A–5 on a quarterly basis would use their total assets, as reported on Item 940 of Form X–17A–5, for the quarters ending Mar. 31, June 30, Sept. 30, and Dec. 31.
169 See definition of SCI broker-dealer in proposed amended Rule 1000.
The term ‘‘total assets of all security brokers and dealers’’ would, for purposes of this threshold, mean the total assets calculated and made publicly available by the Board of Governors of the Federal Reserve, or any subsequent provider of such information, for the associated preceding calendar quarter. Id. See supra note 127; infra text accompanying notes 181–185. 170 For June 2022, the average daily dollar volume in NMS stocks, as reported by applicable effective transaction reporting plans, was approximately $560 billion, with 10% of that reflecting approximately $56 billion. 171 For June 2022, the average daily dollar volume in exchange-listed options contracts, as reported by an applicable effective national market system plan, was approximately $23.8 billion, with 10% of that reflecting approximately $2.4 billion. 172 For June 2022, the average daily dollar volume in U.S Treasury Securities, according to FINRA TRACE data, was approximately $634.1 billion, with 10% of that reflecting approximately $63.4 billion. 173 Currently, there is one self-regulatory organization to which transactions in U.S Treasury Securities are reported (i.e., FINRA). 174 For June 2022, the average daily dollar volume in Agency Securities, according to FINRA TRACE PO 00000 Frm 00017 Fmt 4701 Sfmt 4702 23161 made available by the self-regulatory organizations 175 to which such transactions are reported. An SCI broker-dealer would be required to comply with the requirements of Regulation SCI six months after the SCI broker-dealer satisfied either threshold for the first time. The proposed thresholds are designed to identify the largest U.S. brokerdealers. 
To assess which broker-dealers should be subject to Regulation SCI,176 the Commission has taken into account the size of registered broker-dealers based on analyses of: (i) total assets reported on Form X–17A–5 (Financial and Operational Combined Uniform Single (‘‘FOCUS’’) Report Part II, Item 940),177 and (ii) transaction activity in certain asset classes. Proposed Total Assets Threshold A broker-dealer would be an SCI broker-dealer and included in the definition of SCI entity if, in at least two of the four preceding calendar quarters ending March 31, June 30, September 30, and December 31, it reported to the Commission on Form X–17A–5, FOCUS Report Part II, Item 940 total assets in an amount that equals five percent or more of the total assets of all security brokers and dealers. Congress and multiple regulators have used total assets as a factor in assessing whether an entity warrants heightened oversight. For example, under the Dodd-Frank Act, the Financial Stability Oversight Council (‘‘FSOC’’) considers financial assets as one factor to determine whether a U.S. non-bank financial services company is supervised by the Federal Reserve Board and subject to enhanced prudential standards.178 Furthermore, the DoddFrank Act requires the Federal Reserve Board to establish enhanced prudential standards for bank holding companies over a certain threshold of total assets.179 Additionally, the Federal data was approximately $223 billion, with 10% of that reflecting approximately $22.3 billion. 175 Currently, there is one self-regulatory organization to which transactions in U.S Treasury Securities are reported (i.e., FINRA) and one organization to which transactions in Agency securities are reported (i.e., FINRA). 176 See supra note 82 and accompanying text. 177 See Form X–17A–5, FOCUS Report, Part II, at 3, available at https://www.sec.gov/files/formx-17a5_2_2.pdf (requiring broker-dealers to report their total assets in Item 940). 
178 See Dodd-Frank Act section 113(a)(2), 12 U.S.C. 5323(a)(2). 179 See Dodd-Frank Act section 165, 12 U.S.C. 5365(a)(1). See also Federal Reserve Board, Prudential Standards for Large Bank Holding Companies, Savings and Loan Holding Companies, and Foreign Banking Organizations, 84 FR 59032 (Nov. 1, 2019), and Federal Reserve Board, Changes E:\FR\FM\14APP2.SGM Continued 14APP2 23162 Federal Register / Vol. 88, No. 72 / Friday, April 14, 2023 / Proposed Rules ddrumheller on DSK120RN23PROD with PROPOSALS2 Deposit Insurance Corporation (‘‘FDIC’’) increases its Deposit Insurance Fund assessment for large and highly complex institutions as compared to small banks.180 Although a broker-dealer’s total assets alone could be used as the proposed rule’s measure of an entity’s size and significance, to ensure that a total assets measure reflects significant activity in relative terms, the Commission proposes to scale each broker-dealer’s total assets (the numerator) to a quarterly measure of ‘‘total assets of all security brokers and dealers,’’ as calculated by the Federal Reserve Board (the denominator).181 The firm’s total assets filed on FOCUS reports (of which each firm has current and direct knowledge) would be divided by the broader measure of total assets for all securities brokers and dealers calculated and made publicly available by the Federal Reserve Board, or any subsequent provider of such information, for the purpose of comparing the size of a broker-dealer to the group of entities tracked by the Federal Reserve Board.182 The Commission understands that the Federal Reserve Board publishes total assets for all security brokers and dealers approximately ten weeks after the end of the quarter (e.g., 2022 third quarter results ((for quarter ending September 30, 2022)) were published on December 13, 2022). 
Therefore, the information for the preceding quarter should be available prior to the date on which the firm’s FOCUS report is required to be filed with the Commission for the relevant quarter. To enable each firm to calculate whether it exceeds the threshold at the time it files its FOCUS report (which is due 17 days after the end of the quarter/month),183 to Applicability Thresholds for Regulatory Capital and Liquidity Requirements, 84 FR 59230 (Nov. 1, 2019). See SCI Adopting Release, supra note 1, at 72259, and also definition of ‘‘critical SCI systems’’ in 17 CFR 142.1000. 180 See FDIC, Deposit Insurance Fund, Assessment Rates & Methodology (last updated July 20, 2021), available at https://www.fdic.gov/ resources/deposit-insurance/deposit-insurancefund/dif-assessments.html. 181 See supra note 127. This figure has been calculated by the Federal Reserve Board and made available on the Federal Reserve Economic Data (FRED) website for many years. As stated above, the total assets figure calculated by the Federal Reserve Board is based on the information reported to the Commission by ‘‘security broker-dealers’’ on either the FOCUS report or the FOGS report. See id. 182 Id. 183 Form X–17A–5 must be filed within 17 business days after the end of each calendar quarter, within 17 business days after the end of the fiscal year where that date is not the end of a calendar quarter, and/or monthly, in accordance with 17 CFR 240.17a–5, 240.17a–12, or 240.18a–7, as applicable. See Instructions to Form X–17A–5, FOCUS Report, Part II, at 2, available at https://www.sec.gov/files/ formx-17a-5_22.pdf. VerDate Sep<11>2014 20:01 Apr 13, 2023 Jkt 259001 broker-dealers would compare their total assets to the previous quarter on or before the FOCUS report filing deadline. 
Accordingly, to assess whether it exceeds the threshold for a relevant calendar quarter, a broker-dealer would divide its total assets reported on Form X–17A–5, FOCUS Report Part II, Item 940 for that quarter by the total assets of all security brokers and dealers for the preceding quarter, as made available by the Federal Reserve.184 Although it is possible that the total assets of all security brokers and dealers could increase or decrease sharply from one quarter to the next, the FRED data shows that this has occurred rarely and that the asset totals in the Federal Reserve Board’s data generally do not change significantly from quarter to quarter.185 The Commission therefore believes that, overall, the data made available by the Federal Reserve Board is an appropriate and consistent figure for use as a denominator in the proposed threshold.186 If a firm meets or exceeds the threshold in two of the four preceding calendar quarters, it would be required to comply with Regulation SCI beginning six months after the end of the quarter in which the SCI broker-dealer satisfied the proposed asset threshold for the first time.

184 See supra note 127. For example, to assess whether it exceeds the threshold for the calendar quarter ending Dec. 31, a broker-dealer would divide its total assets reported on Form X–17A–5, FOCUS Report Part II, Item 940 for the quarter ending Dec. 31 by the total assets of security brokers and dealers for the third quarter (ending Sept. 30) of the same year, as obtained from the Federal Reserve Board. If a broker-dealer reported $350 billion, $385 billion, $359 billion, and $386 billion in total assets on its FOCUS reports for Q4 2022, Q3 2022, Q2 2022, and Q1 2022, respectively, the broker-dealer would divide its total assets for each quarter by $5.07 trillion (for Q3 2022), $5.07 trillion (for Q2 2022), $5.23 trillion (for Q1 2022), and $4.96 trillion (for Q4 2021), respectively. See infra note 185. The broker-dealer’s total assets as a percentage of the total assets of all security broker-dealers would be 6.9% for Q4 2022, 7.6% for Q3 2022, 6.9% for Q2 2022, and 7.8% for Q1 2022. In all four quarters, the broker-dealer would exceed the 5% threshold and therefore meet the definition of SCI broker-dealer.

185 See Board of Governors of the Federal Reserve System (US), Security Brokers and Dealers; Total Assets (Balance Sheet), Level [BOGZ1FL664090663Q], retrieved from FRED, Federal Reserve Bank of St. Louis; https://fred.stlouisfed.org/series/BOGZ1FL664090663Q. The total assets data from the Federal Reserve shows a sharp drop at the time of the financial crisis, from Q3 2008 to Q4 2008. See id. More recent data show total assets for all security brokers and dealers, for purposes of the proposed denominator, in recent quarters as follows: Q3 2022: $5.07 trillion; Q2 2022: $5.07 trillion; Q1 2022: $5.23 trillion; Q4 2021: $4.96 trillion; Q3 2021: $5.05 trillion; Q2 2021: $4.94 trillion. See id.

186 The Federal Reserve Board data includes total assets reported on both FOCUS and FOGS forms. Its use would result in a conservative number of broker-dealers meeting the total assets threshold (i.e., because elimination of FOGS data would reduce the size of the denominator). The Commission solicits comment below on whether another figure would be a more appropriate and useful measure for determining whether a broker-dealer holds 5% or more of the total assets of all broker-dealers, and whether a percentage threshold is a better measure than a dollar measure.
Based on data from recent quarters, at the proposed threshold, a broker-dealer registered with the Commission pursuant to section 15(b) of the Exchange Act and having total assets on its balance sheet in excess of approximately $250 billion in two of the preceding four calendar quarters would be an SCI broker-dealer for as long as it continued to satisfy the threshold.187 The Commission believes that the proposed threshold of five percent of total assets is a reasonable approach to identifying the largest broker-dealers. In addition to its broad consistency with the approach taken by banking regulators,188 this approach takes into consideration the multiple roles that the largest broker-dealers play in the U.S. securities markets. Not only do the largest broker-dealers generate liquidity in multiple types of securities, but many also operate multiple types of trading platforms.189 Further, entities with assets at this level also take risk that they seek to hedge, in some cases using ‘‘central risk books’’ for that and other purposes, and engage in routing substantial order flow to other trading venues.190 For these reasons, the Commission believes that systems issues at firms having assets at this level would have the potential to impact investors, the overall market, and the trading of individual securities, and that therefore their market technology should be subject to the requirements and safeguards of Regulation SCI. The threshold is designed to be high enough to ensure that only the largest broker-dealers are subject to the obligations, and associated burdens and costs, of Regulation SCI.

187 As a specific example, based on totals retrieved from FRED (see supra note 127), a broker-dealer assessing its total assets in Dec. 2022 would determine if that level exceeded 5% of total assets in two of the preceding four quarters (approximately $253 billion, $253 billion, $261 billion, and $248 billion, for Q3 of 2022, Q2 of 2022, Q1 of 2022, and Q4 of 2021, respectively). See also Banking Interagency Paper, supra note 166 (applicable to banking institutions having in excess of an average of $250 billion in total assets).

188 See, e.g., supra notes 166 and 187 (discussing Banking Interagency Paper).

189 For a broad discussion of these roles, see, e.g., Rosenblatt Securities, 2022 US Equity Trading Venue Guide (May 24, 2022) (discussing among other things the features of single-dealer platforms for equity securities that are operated by broker-dealers); Regulation of NMS Stock Alternative Trading Systems, Securities Exchange Act Release No. 83663 (July 18, 2018), 83 FR 38768 at 38770–72 (Aug. 7, 2018) (discussing among other things the operational complexity of multi-service broker-dealers with significant brokerage and dealing activity apart from operation of one or more ATSs).

190 See, e.g., Rosenblatt Securities, Central Risk Books: What the Buy Side Needs to Know (Oct. 18, 2018) (stating that all of the biggest bank-affiliated broker-dealers have some form of central risk book and that the ‘‘critical mass of order flow or principal activity, spread across asset classes and regions’’ may not justify the operation of these books for smaller more focused firms). See also Algorithmic Trading Report, supra note 3, at 41–42 (describing central risk books as an important source of block liquidity). All of the firms that satisfy the proposed total assets threshold also satisfy at least one of the proposed trading activity thresholds. See infra text accompanying note 219.
It is also designed to be a relative measure that does not become outdated over time, as the size of the overall market expands or contracts. As noted, the proposed total assets threshold for SCI broker-dealers would include a proposed time period measurement of ‘‘at least two of the four preceding calendar quarters.’’ Requiring that the threshold be met in two out of the four preceding quarters would help mitigate the effect of a steep increase or decrease in total assets in any individual quarter. Further, this measurement is designed to capture only the broker-dealers that are consistently at or above the proposed five percent threshold, and would not include a broker-dealer that may have had an anomalous quarterly increase, so that a short-term spike in total assets uncharacteristic of the broker-dealer’s overall total asset history would not cause it to become subject to Regulation SCI. Although the Commission is also proposing a time period measurement of ‘‘at least four of the preceding six calendar months’’ for the trading activity thresholds discussed below (consistent with the time period measurement for SCI ATSs),191 using a quarterly measure for the total asset threshold is appropriate because FOCUS reports are required at least quarterly for all broker-dealers and the proposed scaling measure is one that is updated quarterly.

Based on its analysis of FOCUS reports during the period from Q4 2021 through Q3 2022, the Commission estimates that five entities would exceed the proposed threshold (with the fifth-ranked firm in each quarter reporting total assets in excess of $300 billion, and all firms ranging from approximately seven to 14 percent of the total assets reported by the Federal Reserve Board for the previous quarter), and further anticipates that this threshold would result in little, if any, variation in which firms exceed the threshold over the course of four calendar quarters.192

191 See Rule 1000 (definition of ‘‘SCI ATS’’) (providing a time period measurement of ‘‘at least four of the preceding six calendar months’’).

192 As with other entities that are SCI entities because they satisfy a threshold (e.g., SCI ATSs), an SCI broker-dealer would no longer be an SCI broker-dealer, and thus no longer be subject to Regulation SCI, in the quarter when it no longer satisfies the total assets test (i.e., it does not meet the threshold in two of the previous four quarters). This assumes the broker-dealer also does not meet or no longer satisfies the proposed transaction activity threshold.

Proposed Transaction Activity Threshold

In the Commission’s view, a broker-dealer’s transaction activity is another reasonable measure for estimating the significance of a broker-dealer’s role in contributing to fair and orderly markets. In several asset classes, the transaction activity of each of a relatively small number of broker-dealers constitutes a share of trading that could, if affected by a systems issue, negatively impact fair and orderly markets. For example, in NMS stocks, some broker-dealers constitute significant concentrations of on-exchange trading, and some broker-dealers execute off-exchange transactions at levels that rival or exceed the volume of trading on current SCI entities.193 For listed options, which are required to execute on a national securities exchange, a small number of firms participate in a high proportion of trades.194 Similarly, transaction reporting data for U.S. Treasury Securities and Agency Securities reveal that a handful of broker-dealers each represent a significant percentage of the average weekly (for U.S. Treasury Securities) or daily (for Agency Securities) dollar volume reported by FINRA (currently the only SRO to which such transactions are reported).195 Accordingly, the Commission is proposing to include as an SCI entity any registered broker-dealer that, irrespective of the size of its balance sheet, consistently engages in transaction activity at a substantially high level in certain enumerated asset classes, scaled as a percentage of total average daily dollar volume over a specified time period.196 If a significant systems issue at a broker-dealer that meets the proposed thresholds were to occur, the concern is that its effect would have widespread impact, for example, by impeding the ability of other market participants to trade securities in one or more of the identified asset classes, interrupting the price discovery process, or contributing to capacity issues at other broker-dealers. Further, if executions were delayed by a systems disruption in an SCI broker-dealer’s trading, order routing, clearance and settlement, or market data system, then, due to the magnitude of the proposed covered transaction activity in which these firms consistently engage, the delay could have cascading effects disruptive to the broader market.197

193 For example, in Sept. 2022, one broker-dealer executed a greater proportion of shares in NMS stocks than all but two national securities exchanges. See, e.g., FINRA, OTC Transparency Data, available at https://otctransparency.finra.org/otctransparency; CBOE, Historical Market Volume Data, available at https://www.cboe.com/us/equities/market_statistics/historical_market_volume/.

194 As discussed further below in this section, the Commission estimates that six firms would satisfy the 10% options transaction activity threshold.

195 As discussed further below in this section, the Commission estimates that four firms would satisfy the 10% U.S. Treasury Security transaction activity threshold, and six firms would satisfy the 10% Agency Security transaction activity threshold.

196 As discussed further below, the Commission proposes that average daily dollar volume be the denominator used as the scaling measure for each relevant asset class. See infra notes 211–217 and accompanying text (discussing entities that currently and may in the future receive and make available transaction reports, or aggregated volume statistics, in NMS stocks, exchange-listed options, U.S. Treasury Securities, and Agency Securities).

197 For example, capacity constraints, whether due to risk management or to operational capability limitations of systems, could limit the extent to which one broker-dealer could handle a sudden increase in order flow from a large broker-dealer. For context, based on analysis of data from the Consolidated Audit Trail, in 2022, two large market makers in NMS stocks engaged in over-the-counter transactions (all purchases and all sales effected otherwise than on a national securities exchange or ATS) having a total dollar volume of at least $37 billion on most trading days, with at least a quarter of trading days in 2022 having total dollar volume of $42.3 billion or more, and all trading days having an average total dollar volume of $37.3 billion. Counting volume across all venues (all purchases and all sales effected over-the-counter, on a national securities exchange, or on an ATS), these figures for the same two firms, respectively, are: at least $82.2 billion ($67.6 billion marked as principal/riskless principal) on most trading days; at least $97.1 billion ($83.7 billion marked as principal/riskless principal) on at least a quarter of the trading days; and $83.5 billion ($69.4 billion marked as principal/riskless principal) as the average for all trading days.

The proposed transaction thresholds are broadly similar across different types of securities. However, because of differences in market structure, there are notable differences in the application of the thresholds across types of securities. Regulation SCI currently applies to, among other entities, national securities exchanges for both listed equities and listed options, and to ATSs trading significant volume in NMS stocks. A national securities exchange and an ATS are each a type of ‘‘trading center,’’ as that term is defined in 17 CFR 242.600 through 242.614 (‘‘Regulation NMS’’).198 For purposes of counting transaction activity in NMS stocks, the proposed thresholds are anchored to broker-dealer activity conducted on or as a trading center. Therefore, the Commission is proposing, with respect to the transaction thresholds for NMS stocks, to include broker-dealer activity on national securities exchanges and NMS Stock ATSs, as well as broker-dealer activity as a trading center. Broker-dealer activity ‘‘as a trading center’’ refers in this context to trading activity in NMS stocks not effected on a national securities exchange or on an ATS, but by the broker-dealer, where the broker-dealer is the executing party, either as principal or as agent.199 A similar distinction is not made for exchange-listed options contracts because those transactions are executed on a national securities exchange.200 The ‘‘trading center’’ term in Regulation NMS applies only to NMS securities; however, there exist today electronic venues for fixed income securities that perform functions similar to those of trading centers and that are equally important to investors to execute trades in fixed income securities. Such electronic trading venues, particularly for U.S. Treasury Securities and Agency Securities (where electronic trading is prevalent201), have developed from a market structure in which electronic bilateral trading was and continues to be important. For this reason, the Commission is proposing to include under the SCI broker-dealer threshold all trades for U.S. Treasury Securities and Agency Securities in which a broker-dealer may participate.

198 Rule 600 of Regulation NMS defines the term trading center to mean: a national securities exchange or national securities association that operates an SRO trading facility, an alternative trading system, an exchange market maker, an OTC market maker, or any other broker or dealer that executes orders internally by trading as principal or crossing orders as agent. 17 CFR 242.600(b)(95).

199 See 17 CFR 242.600(b)(95), defining ‘‘trading center’’ to include, among other entities, ‘‘an OTC market maker, or any other broker or dealer that executes orders internally by trading as principal or crossing orders as agent.’’

200 In some cases, matching of orders for exchange-listed options occurs on an ATS, with matches then routed to one or more national securities exchanges for execution.

201 See Government Securities ATS Reproposal, supra note 84.

As proposed, an ‘‘SCI broker-dealer’’ would include a broker-dealer that, during at least four of the preceding six calendar months: (i) with respect to transactions in NMS stocks, transacted average daily dollar volume in an amount that equals ten percent (10%) or more of the average daily dollar volume reported by or pursuant to applicable effective transaction reporting plans, provided, however, that for purposes of calculating its activity in transactions effected otherwise than on a national securities exchange or on an alternative trading system, the broker-dealer shall exclude transactions for which it was not the executing party; (ii) with respect to transactions in exchange-listed options contracts, transacted average daily dollar volume in an amount that equals ten percent (10%) or more of the average daily dollar volume reported by an applicable effective national market system plan; (iii) with respect to transactions in U.S. Treasury Securities, transacted average daily dollar volume in an amount that equals ten percent (10%) or more of the total average daily dollar volume made available by the self-regulatory organizations to which such transactions are reported; or (iv) with respect to transactions in Agency Securities, transacted average daily dollar volume in an amount that equals ten percent (10%) or more of the total average daily dollar volume made available by the self-regulatory organizations to which such transactions are reported.202 The Commission proposes to add definitions of ‘‘U.S. Treasury Security’’ and ‘‘Agency Security’’ to clarify how the transaction activity threshold for these asset classes would operate.203 A ‘‘U.S. Treasury Security’’ would mean a security issued by the U.S. Department of the Treasury. ‘‘Agency Security’’ would mean a debt security issued or guaranteed by a U.S. executive agency, as defined in 5 U.S.C. 105, or government-sponsored enterprise, as defined in 2 U.S.C. 622(8). These definitions are designed to provide the scope of securities an SCI broker-dealer must include when assessing whether it has satisfied the proposed transaction activity threshold. The proposed definitions are similar to and consistent with those in FINRA’s rules,204 to avoid confusion and facilitate the comparison between data used to create the numerator and denominator when assessing whether a broker-dealer surpassed the U.S. Treasury Security or Agency Security transaction thresholds.

202 The proposed definition of SCI broker-dealer does not include, as a category in the proposed transaction activity threshold, equity securities that are not NMS stocks and for which transactions are reported to an SRO. The size of this market, as currently measured, is substantially smaller than the other asset classes enumerated. Based on its analysis of data from the Consolidated Audit Trail, between Oct. 2021 and Sept. 2022, for example, the average daily dollar volume for this market segment was approximately $2.6 billion. Nor do the proposed amendments to Regulation SCI include Fixed Income ATSs or broker-dealers that exceed a transaction activity threshold in corporate debt or municipal securities. But see infra section III.A.3 (requesting comment on the matter).

203 The Commission believes that the terms NMS stock and exchange-listed options are currently well understood. See Rule 600 of Regulation NMS (defining the terms NMS stock and NMS security and distinguishing NMS stocks from listed options on the basis of how transaction reports are made available).

204 See FINRA Rules 6710(l) and 6710(p). FINRA Rule 6710 also establishes which securities are eligible for transaction reporting to the ‘‘Trade Reporting and Compliance Engine’’ (TRACE), which is the automated system developed by FINRA that, among other things, accommodates reporting and dissemination of transaction reports where applicable.

As is the case currently for the thresholds applicable to SCI ATSs,205 the proposed thresholds for SCI broker-dealers would include a proposed time period measurement of ‘‘at least four of the preceding six calendar months.’’ Specifically, the proposed time measurement period is designed to capture broker-dealers that consistently meet the proposed thresholds and not capture broker-dealers with relatively low transaction activity that may have had an anomalous increase in trading on a given day or few days. In other words, a short-term spike in transaction activity uncharacteristic of a broker-dealer’s overall activity should not cause it to become subject to Regulation SCI; using the proposed time period of at least four of the preceding six calendar months would help ensure this. The proposed thresholds would generally take into account all of a broker-dealer’s transactions.206 The thresholds proposed are designed to identify firms whose transaction activity is of such a magnitude that a systems issue negatively impacting that activity could contribute to a disruption in fair and orderly markets, and for which the application of Regulation SCI is therefore appropriate. With respect to NMS stocks, only transactions which the broker-dealer (i) trades on a national securities exchange or an ATS, or (ii) executes off of a national securities exchange or an ATS would be counted. When a broker-dealer is the non-executing counterparty to an off-exchange, non-ATS transaction, that transaction would not be counted for that broker-dealer.207 The purpose of this approach is to count towards the threshold for NMS stocks broker-dealer activity on or as a trading center.

205 See Rule 1000 (definition of ‘‘SCI ATS’’).

206 As described further above and below, the proposed threshold for NMS stocks would operate slightly differently.

207 The volume for that trade, as reported through an effective transaction reporting plan, would still be included in the overall calculation of market volume used as the denominator in threshold calculations.

To assess whether it satisfies the proposed thresholds, a broker-dealer would need to determine its average daily dollar volume in an enumerated asset class each calendar month, and divide that figure by the total reported average daily dollar volume for that month. More specifically, its numerator would be the average daily dollar volume during the calendar month, taking into account all relevant purchase and sale transactions208 in which the broker-dealer engaged during that calendar month, as determined by the broker-dealer from information in its books and records, as required to be kept pursuant to Exchange Act Rule 17a–3.209 The denominator would be the total average daily dollar volume for each calendar month, as that total is determined from one or more sources that receive and make available transaction reports, or, as the case may be, aggregated price and volume statistics. With respect to NMS stocks, information necessary to calculate the denominator currently is available from the plan processors (i.e., the SIPs) of the CTA/CQ Plans and the Nasdaq UTP Plan.
These Plans are effective transaction reporting plans, and effective national market systems plans.210 Following implementation of the Market Data Infrastructure rules, the information necessary to calculate the denominator would be available from a competing consolidator or may be self-determined by a self-aggregator that obtains the information pursuant to effective transaction reporting plans, as required by 17 CFR 242.601 (‘‘Rule 601’’ of Regulation NMS) and 17 CFR 242.603(b) (‘‘Rule 603(b)’’ of Regulation NMS).211 For listed options, total average daily dollar volume may be determined from consolidated information made available by the plan processor of the OPRA Plan.212 With respect to U.S. Treasury Securities and Agency Securities, total average daily dollar volume may be determined from information made available by SROs to which transactions in U.S. Treasury Securities and Agency Securities are reported. Currently there is only one SRO to which this information is reported: FINRA.213 In connection with its TRACE system, FINRA is currently the most complete source of aggregate volume in U.S. Treasury Securities and Agency Securities.214 Specifically, FINRA Rule 6750(a) requires FINRA to disseminate information on Agency Securities immediately upon receipt of the transaction report.215 With respect to U.S. Treasury Securities, information in TRACE regarding individual transactions is for regulatory purposes only and is not disseminated publicly. However, pursuant to FINRA Rule 6750, on March 10, 2020, FINRA began posting on its website weekly aggregate data on the trading volume of U.S. Treasury Securities reported to TRACE, and the Commission recently approved website posting of aggregate data more frequently (i.e., daily).216 Notwithstanding the transparency provided by FINRA/TRACE, aggregate trading volume in U.S. Treasury and Agency securities does not purport to reflect the whole of these markets, as aggregate volume statistics are limited to volume reported by TRACE reporters, including ATSs, registered broker-dealers that are members of FINRA, and depository institutions meeting transaction volume thresholds in U.S. Treasury Securities, agency-issued debt and mortgage-backed securities.217

Counting all relevant purchases and sales from all broker-dealers may result in counting a transaction more than once across the market, and would sum to total volume across broker-dealers that exceeds what is reported pursuant to the relevant plans or SRO. Similarly, summing the percentages that result from dividing the total activity of each broker-dealer by the total volume reported by the relevant plans or SRO would result in a value greater than 100 percent.218 Accordingly, the proposed ten percent (10%) transaction activity thresholds for measuring a broker-dealer’s significance in the markets are not market share thresholds analogous to the current SCI ATS volume thresholds. However, because the types of transactions proposed to be counted are a measure of a broker-dealer’s size and significance, it is particularly useful if that measure continues to reflect significant activity as the size of the overall market expands or contracts and remains stable relative to a recognizable measure so that it does not become outdated over time. Therefore, the Commission proposes as a denominator a measure that would scale each broker-dealer’s average daily dollar transaction volume to consolidated average daily dollar transaction volume, the latter being determinable from information reported by, or made available by or pursuant to, applicable effective transaction reporting or national market system plans or self-regulatory organizations, as described above. Any broker-dealer that transacts, as proposed, ten percent (10%) or more of the average daily dollar volume in an enumerated asset class during at least four of the preceding six calendar months would be an SCI broker-dealer.

208 For NMS stocks, this would exclude those purchases or sales off-exchange and not effected through an ATS, in which the broker-dealer was not the executing party. As specific examples, when broker-dealer A routes a customer order to broker-dealer B for routing and execution, and broker-dealer B executes the customer order as principal or crosses it against another order it is holding, the volume for that order would contribute towards the threshold for broker-dealer B but not for broker-dealer A. Similarly, if broker-dealer A sends an order to the single-dealer platform operated by broker-dealer B, and broker-dealer B executes a trade against that order, the volume would contribute towards the threshold for broker-dealer B but not for broker-dealer A. For any asset class, the proposed definition of SCI broker-dealer would not exclude from a broker-dealer operator’s transaction tally transactions executed on its own ATS. For example, if the broker-dealer operator trades as a participant on its ATS, or where a broker-dealer operator acts as a counterparty to every trade on its own ATS, its volume would be counted as trading activity of the broker-dealer.

209 See 17 CFR 240.17a–3(a)(6) (requiring a broker-dealer to keep a memorandum of each brokerage order given or received for the purchase or sale of a security, to include the price at which the order executed); 17 CFR 240.17a–3(a)(7) (requiring a memorandum of purchases and sales of a security for its own account, to include the price).

210 See supra note 20 and infra note 211. See also infra note 262 (stating that an ATS that trades NMS stocks is subject to Regulation SCI if its trading volume reaches: (i) 5% or more in any single NMS stock and 0.25% or more in all NMS stocks of the average daily dollar volume reported by applicable transaction reporting plans; or (ii) 1% or more in all NMS stocks of the average daily dollar volume reported by applicable transaction reporting plans).

211 With respect to NMS stocks, Rule 601 of Regulation NMS (17 CFR 242.601) requires national securities exchanges and national securities associations to report transactions and last sale data pursuant to an effective transaction reporting plan filed with the Commission in accordance with 17 CFR 242.608 (‘‘Rule 608’’ of Regulation NMS). See 17 CFR 242.601. The national securities exchanges and FINRA comply with Rule 601 by satisfying the requirements of Rule 603(b) of Regulation NMS (which requires the national securities exchanges and FINRA to act jointly pursuant to one or more effective national market system plans, to disseminate consolidated information, including transactions, in NMS stocks). Currently, transaction information is consolidated by the (exclusive) plan processor of each effective national market system plan (i.e., the CTA/CQ Plan and Nasdaq UTP Plan for NMS stocks). See CTA Plan, available at https://www.ctaplan.com; Nasdaq UTP Plan, available at https://www.utpplan.com. After the implementation of the Market Data Infrastructure rules (see Market Data Infrastructure Adopting Release, supra note 24) national securities exchanges and FINRA will be required to provide transaction reports to competing consolidators and/or self-aggregators pursuant to new effective national market system plans that satisfy the requirements of Rule 603(b). Pursuant to 17 CFR 242.600(a)(14) (Rule 600(a)(14) of Regulation NMS) the term ‘‘competing consolidator’’ means a securities information processor required to be registered pursuant to Rule 614 of Regulation NMS or a national securities exchange or national securities association that receives information with respect to quotations for and transactions in NMS stocks and generates a consolidated market data product for dissemination to any person. Pursuant to 17 CFR 242.600(a)(83) (Rule 600(a)(83) of Regulation NMS) the term ‘‘self-aggregator’’ means a broker, dealer, national securities exchange, national securities association, or investment adviser registered with the Commission that receives information with respect to quotations for and transactions in NMS stocks, including all data necessary to generate consolidated market data, and generates consolidated market data solely for internal use (with a proviso that a self-aggregator may make consolidated market data available to its affiliates that are registered with the Commission for their internal use). See Market Data Infrastructure Adopting Release, supra note 24 (providing a full discussion of these terms). Following implementation of the Market Data Infrastructure rules, a broker-dealer may obtain consolidated average daily dollar volume from its chosen competing consolidator, or independently calculate that figure itself, as a ‘‘self-aggregator.’’

212 See OPRA Plan, available at https://www.opraplan.com.

213 However, should a national securities exchange (an SRO) trade U.S. Treasury or Agency Securities in the future, if transaction reports are made available by that SRO, they would be relevant to determining consolidated average daily dollar volume.

214 See FINRA, Trade Reporting and Compliance Engine (TRACE), available at https://www.finra.org/filing-reporting/trace. FINRA Rule 6730(a)(1) requires FINRA members to report transactions in TRACE-Eligible Securities, which FINRA Rule 6710 defines to include U.S. Treasury Securities and Agency Securities. For each transaction in U.S. Treasury Securities and Agency Securities, a FINRA member would be required to report the CUSIP number or similar numeric identifier or FINRA symbol; size (volume) of the transaction; price of the transaction (or elements necessary to calculate price); symbol indicating whether transaction is a buy or sell; date of trade execution (‘‘as/of’’ trades only); contra-party’s identifier; capacity (principal or agent); time of execution; reporting side executing broker as ‘‘give-up’’ (if any); contra side introducing broker (in case of ‘‘give-up’’ trade); the commission (total dollar amount), if applicable; date of settlement; if the member is reporting a transaction that occurred on an ATS pursuant to FINRA Rule 6732, the ATS’s separate Market Participant Identifier (‘‘MPID’’); and trade modifiers as required. For when-issued transactions in U.S. Treasury Securities, a FINRA member would be required to report the yield in lieu of price. See FINRA Rule 6730(c).

215 See FINRA Rule 6750(a).

216 See Securities Exchange Act Release No. 95438 (Aug. 5, 2022), 87 FR 49626 (Aug. 11, 2022) (Order Approving a Proposed Rule Change to Amend FINRA Rule 6750 Regarding the Publication of Aggregated Transaction Information on U.S. Treasury Securities). The implementation date for these TRACE enhancements for U.S. Treasury Securities was Feb. 13, 2023, at which point the weekly data reports were replaced with daily and monthly reports. Using daily reports of U.S. Treasury Security data, broker-dealers should have the information necessary to complete the calculations needed to assess if they satisfy the proposed threshold.

217 See Federal Reserve Board, Agency Information Collection Activities: Announcement of Board Approval Under Delegated Authority and Submission to OMB (Oct. 21, 2021) 86 FR 59716 (Oct. 28, 2021).

218 Transaction reporting systems generally report volume for trades, rather than volume for purchases and sales separately. Consequently, adding up the total purchase and sale activity for all broker-dealers will not equal the total volume reported through these systems. For example, a trade for 100 shares of an NMS stock between two broker-dealers on a national securities exchange would be reported by the effective transaction reporting plan as 100 shares, even though one broker-dealer bought 100 shares and another sold 100 shares. Similarly, because broker-dealers often trade with customers, doubling the transaction volume reported through these systems does not provide an accurate measure of total broker-dealer purchase and sale activity. After the implementation of the Market Data Infrastructure rules (see Market Data Infrastructure Adopting Release, supra note 24) national securities exchanges on which NMS stocks are traded and FINRA, each of which is required by Rule 601 of Regulation NMS to file a transaction reporting plan in accordance with Rule 608 of Regulation NMS, will be further required, pursuant to Rule 603(b) of Regulation NMS, to make available to all competing consolidators and self-aggregators its information with respect to quotations for and transactions in NMS stocks, including all data necessary to generate consolidated market data. Following implementation of the Market Data Infrastructure rules, a broker-dealer may determine average daily dollar volume from information provided by its chosen competing consolidator, or independently calculate that figure itself, as a ‘‘self-aggregator.’’
The proposed trading activity thresholds are designed to measure the size of a broker-dealer’s footprint in the market in terms that provide a method for assessing the size of its footprint as the market grows (or shrinks). In this way, the proposed thresholds identify broker-dealers by their transaction activity as compared to a consistent measure of market volume, and give a sense of the size and significance of a broker-dealer’s activity in the markets in a manner that should not become outdated over time. The Commission also believes that a threshold of ten percent (10%) or more in the identified asset classes is appropriately high enough to apply Regulation SCI only to the large broker-dealers on which the maintenance of fair and orderly markets depends. The Commission estimates that 17 entities would satisfy one or more of the proposed transaction activity thresholds (the same five entities identified by the total assets threshold plus 12 additional entities).219 In sum, the Commission believes that the proposed total assets threshold and transaction activity thresholds are appropriate measures for identifying broker-dealers that would pose a substantial risk to the maintenance of fair and orderly markets in the event of a systems issue. SCI broker-dealers would not have to comply with the requirements of Regulation SCI until six months after the end of the quarter in which the SCI broker-dealer satisfied the proposed asset threshold for the first time, or six months after the end of the month in which the SCI broker-dealer satisfied one of the proposed activity thresholds for the first time. The Commission believes this is an appropriate amount of time for firms to come into compliance with Regulation SCI.

iv. Proposed Revision to Definition of ‘‘SCI Systems’’ for Certain SCI Broker-Dealers; SCI Entities Trading Multiple Asset Classes, Which May Include Crypto Asset Securities

In conjunction with the proposed inclusion of SCI broker-dealers as SCI entities, the Commission proposes to limit the definition of ‘‘SCI systems’’ for an SCI broker-dealer that qualifies as an SCI entity only because it satisfies a transaction activity threshold. Specifically, the Commission is proposing to revise the definition of ‘‘SCI systems’’ to add a limitation that states, ‘‘provided, however, that with respect to an SCI broker-dealer that satisfies only the requirements of paragraph (2) of the definition of ‘SCI broker-dealer,’ such systems shall include only those systems with respect to the type of securities for which an SCI broker-dealer satisfies the requirements of paragraph (2) of the definition.’’ The current definition of ‘‘SCI systems’’ does not contain the limitation that is proposed for SCI broker-dealers. For example, an SCI ATS that exceeds the average daily dollar volume threshold for NMS stocks is subject to Regulation SCI requirements for all of its SCI systems (i.e., that meet the definition of SCI systems discussed in section II.B.1 above) and indirect SCI systems.

Thus, to the extent that the SCI systems and indirect SCI systems of an SCI ATS (or any other SCI entity) relate to equity securities that are non-NMS stocks, exchange-listed options, debt securities, security-based swaps, or any other securities, including crypto asset securities, such systems are subject to the Regulation SCI requirements.220 As it considers the expansion of Regulation SCI to broker-dealers, many of which operate multiple business lines and transact in different types of securities, the Commission preliminarily believes that an SCI broker-dealer that qualifies as an SCI entity based only on a transaction activity threshold for a particular type of security should have its obligations limited to systems with respect to that type of security. If a broker-dealer meets only the transaction activity threshold for NMS stocks, for example, its systems that directly support trading, clearance and settlement, order routing, market data, market regulation, or market surveillance for NMS stocks are those that raise the concerns Regulation SCI is meant to address. If the broker-dealer’s activity with respect to other classes of securities is nominal, it is unlikely to pose risk to the maintenance of fair and orderly markets if the systems with respect to those types of securities were unavailable (assuming the systems for the distinct asset class are separate). If a system of the broker-dealer is used for more than one type of securities (i.e., an asset class that triggered the threshold and an asset class that did not or is not subject to SCI thresholds), such system would still meet the definition of ‘‘SCI system.’’221 Current SCI entities are and will continue to be, and proposed SCI entities other than SCI broker-dealers that satisfy a transaction activity threshold would be, required to assess whether the technology systems of, or operated by or on their behalf, with respect to any type of security (including crypto asset securities, discussed further below) are SCI systems covered by Regulation SCI because they directly support: (i) trading; (ii) clearance and settlement; (iii) order routing; (iv) market data; (v) market regulation; or (vi) market surveillance.

v. Crypto Asset Securities

Public information about the size and characteristics of the crypto asset securities market is limited.222 However, the Commission currently understands that only a small portion of crypto asset security trading activity is occurring within Commission registered entities, and particularly, registered broker-dealers. This may be due in part to the fact that there are currently no special purpose broker-dealers authorized to maintain custody of crypto asset securities.223 Without the ability to custody a customer’s crypto asset securities, a broker-dealer is limited in the amount of agency business in crypto asset securities that it could do. Similarly, today, only a limited amount of crypto asset security volume occurs on ATSs operating pursuant to the Regulation ATS exemption.224 This may be due in part to the significant trading activity in crypto asset securities that may be in non-compliance with the federal securities laws.225 Nonetheless, if an SCI entity (current or proposed) trades crypto asset securities, the systems used for trading crypto asset securities may currently and in the future be subject to the requirements of Regulation SCI.226

SCI Broker-Dealer Activity in Crypto Asset Securities

As discussed above, the Commission is proposing to include as SCI entities large broker-dealers: those that satisfy a total assets threshold or a transaction activity threshold. The total assets threshold applies to broker-dealers irrespective of asset classes in which they conduct significant transaction activity. In contrast, the proposed transaction activity threshold specifies four enumerated asset classes: NMS stocks, exchange-listed options, U.S. Treasury Securities, and Agency Securities.

219 See supra text accompanying notes 189–190.

220 See supra notes 37–38 and 36 and accompanying text (discussing the scope of the current definition of ‘‘SCI systems’’).

221 For example, if a broker-dealer operator of an SCI ATS uses an SCI system to trade both a type of security that triggered the SCI threshold and a type of security that did not trigger the threshold, that system will be an SCI system for both types of securities. A broker-dealer operator of such SCI ATS could wish to use the SCI system only for trading the type of security that triggered the SCI threshold and create a separate system only to trade the type of security that did not trigger the SCI threshold.

222 See, e.g., Fin. Stability Oversight Council, Report on Digital Asset Financial Stability Risks and Regulation 119 (2022) (‘‘FSOC Report’’), available at https://home.treasury.gov/system/files/261/FSOC-Digital-Assets-Report-2022.pdf (‘‘The crypto-asset ecosystem is characterized by opacity that creates challenges for the assessment of financial stability risks.’’); U.S. Dep’t of the Treasury, Crypto-Assets: Implications for Consumers, Investors, and Businesses 12 (Sept. 2022) (‘‘Crypto-Assets Treasury Report’’), available at https://home.treasury.gov/system/files/136/CryptoAsset_EO5.pdf (finding that data pertaining to ‘‘off-chain activity’’ is limited and subject to voluntary disclosure by trading platforms and protocols, with protocols either not complying with or not subject to obligations ‘‘to report accurate trade information periodically to regulators or to ensure the quality, consistency, and reliability of their public trade data’’); Fin. Stability Bd., Assessment of Risks to Financial Stability from Crypto-assets 18–19 (Feb. 16, 2022) (‘‘FSB Report’’), available at https://www.fsb.org/wp-content/uploads/P160222.pdf (finding that the difficulty in aggregating and analyzing available data in the crypto asset space ‘‘limits the amount of insight that can be gained with regard to the [crypto asset] market structure and functioning,’’ including who the market participants are and where the market’s holdings are concentrated, which, among other things, limits regulators’ ability to inform policy and supervision); Raphael Auer et al., Banking in the Shadow of Bitcoin? The Institutional Adoption of Cryptocurrencies 4, 9 (Bank for Int’l Settlements, Working Paper No. 1013, May 2022), available at https://www.bis.org/publ/work1013.pdf (stating that data gaps, which can be caused by limited disclosure requirements, risk undermining the ability for holistic oversight and regulation of cryptocurrencies); Int’l Monetary Fund, The Crypto Ecosystem and Financial Stability Challenges, in Global Financial Stability Report 41, 47 (Oct. 2021), available at https://www.imf.org/-/media/Files/Publications/GFSR/2021/October/English/ch2.ashx (finding that crypto asset service providers provide limited, fragmented, and, in some cases, unreliable data, as the information is provided voluntarily without standardization and, in some cases, with an incentive to manipulate the data provided).

223 For background on Rule 15c3–3 as it relates to digital asset securities, see Commission, Joint Staff Statement on Broker-Dealer Custody of Digital Asset Securities (July 8, 2019), available at https://www.sec.gov/news/public-statement/joint-staff-statement-broker-dealer-custody-digital-asset-securities; FINRA, SEC Staff No-Action Letter, ATS Role in the Settlement of Digital Asset Security Trades (Sept. 25, 2020), available at https://www.sec.gov/divisions/marketreg/mr-noaction/2020/finra-ats-role-in-settlement-of-digital-asset-security-trades-09252020.pdf. To date, five offerings of crypto asset securities have been registered or qualified under the Securities Act of 1933, and five classes of crypto asset securities have been registered under the Exchange Act. The Commission issued a statement describing its position that, for a period of five years, special purpose broker-dealers operating under the circumstances set forth in the statement will not be subject to a Commission enforcement action on the basis that the broker-dealer deems itself to have obtained and maintained physical possession or control of customer fully paid and excess margin digital asset securities for purposes of 17 CFR 240.15c3–3(b)(1) (‘‘Rule 15c3–3(b)(1)’’ under the Exchange Act). See Crypto Asset Securities Custody Release, supra note 37. To date, no such special purpose broker-dealer registration applications have been granted by FINRA.

224 ATSs that do not trade NMS stocks file with the Commission a Form ATS notice, which the Commission does not approve. Form ATS requires, among other things, that ATSs provide information about: classes of subscribers and differences in access to the services offered by the ATS to different groups or classes of subscribers; securities the ATS expects to trade; any entity other than the ATS involved in its operations; the manner in which the system operates; how subscribers access the trading system; procedures governing entry of trading interest and execution; and trade reporting, clearance, and settlement of trades on the ATS. In addition, all ATSs must file quarterly reports on Form ATS–R with the Commission. Form ATS–R requires, among other things, volume information for specified categories of securities, a list of all securities traded in the ATS during the quarter, and a list of all subscribers that were participants. To the extent that an ATS trades crypto asset securities, the ATS must disclose information regarding its crypto asset securities activities as required by Form ATS and Form ATS–R. Form ATS and Form ATS–R are deemed confidential when filed with the Commission. Based on information provided on these forms, a limited number of ATSs have noticed on Form ATS their intention to trade certain crypto asset securities and a subset of those ATSs have reported transactions in crypto asset securities on their Form ATS–R. See also supra note 223, referencing Commission, Joint Staff Statement on Broker-Dealer Custody of Digital Asset Securities (July 8, 2019), available at https://www.sec.gov/news/public-statement/joint-staff-statement-broker-dealer-custody-digital-asset-securities; FINRA, SEC Staff No-Action Letter, ATS Role in the Settlement of Digital Asset Security Trades (Sept. 25, 2020), available at https://www.sec.gov/divisions/marketreg/mr-noaction/2020/finra-ats-role-in-settlement-of-digital-asset-security-trades-09252020.pdf.

225 See also FSOC Report, supra note 222, at 5, 87, 94, 97 (emphasizing the importance of the existing financial regulatory structure while stating that certain digital asset platforms may be listing securities while not in compliance with exchange, broker-dealer, or other registration requirements, which may impose additional risk on banks and investors and result in ‘‘serious consumer and investor protection issues’’); Crypto-Assets Treasury Report, supra note 222, at 26, 29, 39, 40 (stating that issuers and platforms in the digital asset ecosystem may be acting in non-compliance with statutes and regulations governing traditional capital markets, with market participants that actively dispute the application of existing laws and regulations, creating risks to investors from non-compliance with, in particular, extensive disclosure requirements and market conduct standards); FSB Report, supra note 222, at 4, 8, 18 (stating that some trading activity in crypto assets may be failing to comply with applicable laws and regulations, while failing to provide basic investor protections due to their operation outside of or in non-compliance with regulatory frameworks, thereby failing to provide the ‘‘market integrity, investor protection or transparency seen in appropriately regulated and supervised financial markets’’).

226 But see supra section II.B.1 (discussing how current SCI entities that trade crypto asset securities must assess whether their systems for trading crypto asset securities are SCI systems). As a specific example, if an SCI SRO were to obtain Commission approval to add a crypto asset security trading facility, that facility would be part of an SCI SRO that is subject to Regulation SCI.
The proposal would affect an SCI broker-dealer that engages in crypto asset security activity as follows: for purposes of assessing whether it meets a transaction activity threshold, a broker-dealer would need to consider whether it trades crypto asset securities that are NMS stocks, exchange-listed options, U.S. Treasury Securities, or Agency Securities, and if so, include those transactions in its transaction tally of NMS stocks, exchange-listed options, U.S. Treasury Securities, or Agency Securities, to assess whether it satisfies one or more of the proposed thresholds. In addition, as proposed, the SCI systems and indirect SCI systems pertaining to crypto asset securities that are NMS stocks, exchange-listed options, U.S. Treasury Securities, or Agency Securities would be subject to Regulation SCI, including as it is proposed to be amended, as discussed in section III.C, with respect to the asset class for which the SCI broker-dealer satisfies the transaction activity threshold. Furthermore, as proposed, an SCI broker-dealer that meets the proposed total assets threshold would need to consider its crypto asset security activities and assess whether any systems pertaining to crypto asset securities meet the current definition of SCI systems or indirect SCI systems. Any such systems would be subject to Regulation SCI, including as it is proposed to be amended, as discussed in section III.C.227

vi. Request for Comment

9. Should Regulation SCI apply to broker-dealers? If not, why not? If so, should Regulation SCI apply to all broker-dealers, or just a subset? Please explain. At what size or level of a broker-dealer’s activity would market integrity or the protection of investors be affected if the broker-dealer were no longer able to operate due to a systems disruption, systems compliance issue, or a systems intrusion? Are broker-dealers subject to more market discipline than current SCI entities? Please explain. Conversely, does a lack of transparency regarding events like SCI events limit this market discipline? Why or why not?

10. Would it be more appropriate to define an SCI broker-dealer using an approach that identifies a broker-dealer by category, rather than by size? For example, what are commenters’ views on the impact to overall market integrity or the protection of investors if an OTC market maker was no longer able to operate due to a systems disruption, systems compliance issue, or a systems intrusion? Or an exchange market maker? Or a clearing broker-dealer? What are commenters’ views on the importance of different categories of broker-dealers to the stability of the overall U.S. securities market infrastructure, in the context of requiring them to comply with Regulation SCI? What risks do the systems of broker-dealers pose to the U.S. securities markets?

11. If the Commission were to identify an SCI broker-dealer by category, rather than by size, which categories should be covered and how should they be defined?

227 Likewise, an ATS currently is an SCI ATS if it satisfies a trading volume threshold for NMS stocks or equity securities that are not NMS stocks. For purposes of assessing whether it meets an SCI ATS trading volume threshold, an ATS needs to consider whether it trades crypto asset securities that are equity securities; and if it does trade such securities, those transactions need to be included in its transaction tally as (i) NMS stocks or (ii) equity securities that are not NMS stocks, as the case may be, in order to calculate the volume threshold. Additionally, the definitions of SCI systems and indirect SCI systems do not contain an asset class limitation with respect to SCI SROs (or any other current SCI entity). See supra note 36 and accompanying text.
For example, if commenters believe that Regulation SCI should apply to significant ‘‘OTC market makers,’’ how should they be defined? Is it sufficiently clear which entities are ‘‘OTC market makers,’’ as that term is defined under the Exchange Act? If not, why not? If so, should a threshold be used to identify those that are the most significant? What should that threshold be and how should it be calculated?

12. Is the current broker-dealer regulatory regime, including the Market Access Rule and other Commission and FINRA rules, sufficient to reasonably ensure the operational capability of the technological systems of the proposed SCI broker-dealers?

13. As discussed above, an SCI broker-dealer would be a broker-dealer registered with the Commission pursuant to section 15(b) of the Exchange Act, which: (1) in at least two of the four preceding calendar quarters, ending March 31, June 30, September 30, and December 31, reported to the Commission on Form X–17A–5 total assets in an amount that equals five percent (5%) or more of the quarterly total assets level of all security brokers and dealers; or (2) during at least four of the preceding six calendar months: (i) with respect to transactions in NMS stocks, transacted average daily dollar volume in an amount that equals ten percent (10%) or more of the average daily dollar volume reported by or pursuant to applicable effective transaction reporting plans, provided, however, that for purposes of calculating its activity in transactions effected otherwise than on a national securities exchange or on an ATS, the broker-dealer shall exclude transactions for which it was not the executing party; (ii) with respect to transactions in exchange-listed options contracts, transacted average daily dollar volume reported by an applicable effective national market system plan; (iii) with respect to transactions in U.S. Treasury Securities, transacted average daily dollar volume in an amount that equals ten percent (10%) or more of the total average daily dollar volume made available by the self-regulatory organization to which such transactions are reported; or (iv) with respect to transactions in Agency Securities, transacted average daily dollar volume in an amount that equals ten percent (10%) or more of the total average daily dollar volume made available by the self-regulatory organization to which such transactions are reported. The Commission solicits comment with respect to all aspects of the proposed definition, including those aspects identified in the succeeding questions.

14. Is the proposed total assets threshold an appropriate way to identify broker-dealers that would pose a substantial risk to the maintenance of fair and orderly markets in the event of a systems issue?

15. Should the proposed total assets threshold be scaled using the proposed sources as the denominator? Why or why not? Is use of data made available by the Federal Reserve Board appropriate as the denominator for the measure of all security broker-dealer total assets? If not, what metric, if any, would be appropriate for the Commission to use as the denominator? Should the denominator be different in the event that such data is no longer made available by the Federal Reserve Board? Recognizing that the proposed numeric thresholds ultimately represent a matter of judgment by the Commission as it proposes to apply Regulation SCI to the largest broker-dealers, the Commission solicits comment on the proposed threshold levels. Is the proposed five percent numeric threshold appropriate? Why or why not? Is the proposed two-of-the-preceding-four-quarters methodology, with lookback to the previous quarter for the denominator, appropriate? Why or why not?

16. Are the proposed transaction activity thresholds an appropriate way to identify broker-dealers that would pose a substantial risk to the maintenance of fair and orderly markets in the event of a systems issue?

17. With respect to the proposed transaction activity thresholds, are the asset classes identified appropriate? Are there asset classes that are included that should be excluded, or asset classes that are excluded that should be included? Which ones and why? For example, should U.S. Treasury Securities and Agency Securities be included? Why or why not? Should OTC equity securities be included? Or security-based swaps? Is the size of the market in each asset class relevant? Why or why not?

18. With respect to the proposed transaction activity thresholds, recognizing that the proposed numeric thresholds ultimately represent a matter of judgment by the Commission as it proposes to apply Regulation SCI to the largest broker-dealers, the Commission solicits comment on the proposed threshold levels. Are the 10 percent transaction activity threshold levels proposed appropriate? Would higher or lower thresholds be appropriate? Should thresholds vary based on asset class? Is there a different approach that would be more appropriate?

19. For purposes of the numerator in each transaction activity threshold, is use of average daily dollar volume of all purchase and sale transactions, as proposed, appropriate? If not, why not? Is there an alternative measure of market activity that could be consistently determined by broker-dealers, as well as the Commission, and that would identify large broker-dealer activity that, if disrupted, could disrupt market functioning more broadly? Would share volume be more appropriate for any of the proposed asset classes?

20. Is it clear what average daily dollar volume, as made available by or pursuant to applicable effective transaction reporting plans, would be following implementation of the Market Data Infrastructure rules? Why or why not?

21. Should the transaction activity thresholds denominator have a minimum, so that if the market for a particular product shrinks significantly, entities that have a significant portion of that small market would not be scoped into the test? For example, should an options trading activity threshold specify that the threshold is exceeded if average daily dollar volume equals the greater of ten percent (10%) or more of the average daily dollar volume reported by or pursuant to an applicable effective transaction reporting plan, applicable national market system plan, applicable SRO, or $x billion? Why or why not? What would be an appropriate minimum dollar threshold and why? Please be specific.

22. Is the four out of the preceding six-month measurement period an appropriate timeframe for the transaction activity thresholds? Why or why not? Is there a different timeframe or approach that would be more appropriate? Please explain.

23. Do commenters believe that six months after the end of the quarter in which the broker-dealer satisfies the total assets threshold and six months after the end of the month in which the broker-dealer satisfies the transaction activity threshold constitute an appropriate amount of time to allow them to come into compliance with the requirements of Regulation SCI? Why or why not? Is there a different time period that would be more appropriate? Please explain.

24. What are the differences between the current practices of broker-dealers and the practices that would be necessary if the proposed changes to Regulation SCI are adopted? Please describe and be specific.

25. Should all of the current or newly proposed requirements set forth in Regulation SCI apply to SCI broker-dealers? If only a portion, please specify which portion(s) and explain why. If all, explain why.

26. Is it appropriate to limit the application of the definition of ‘‘SCI systems’’ for SCI broker-dealers that meet the definition of an SCI broker-dealer only because of a transaction activity threshold only to those systems related to the types of securities for which the entity has triggered the threshold, as the Commission is proposing? Why or why not?

27. Should the definition of SCI systems as it applies to SCI broker-dealers be modified further than as proposed? Is the limitation of the definition of SCI systems as proposed to apply to SCI broker-dealers (and not applicable to broker-dealers that satisfy the total assets threshold) appropriate? Should the Commission instead provide a unique definition of SCI systems and indirect SCI systems for broker-dealers? If so, what should it be and why? For example, in the context of broker-dealers, would systems that ‘‘directly support trading’’ be a category of systems that is overbroad, or too narrow? Why or why not? Please explain. Are there any types of systems of broker-dealers to which Regulation SCI would apply that should not be covered? Which ones and why? Are there any types of systems of broker-dealers that would not be covered by the definitions of SCI systems and indirect SCI systems as proposed that should be covered? Which types and why? Please be specific.

28. Is it clear how Regulation SCI would apply to proposed new SCI entities that trade crypto asset securities? Why or why not? Please be specific.

29. Are any of the proposed amendments to Regulation SCI (as discussed in section III.C below) inappropriate for broker-dealers? If so, which ones?
As discussed in section III.C.6 below, the Commission proposes to add language to Rule 1002(c) of Regulation SCI regarding dissemination of information about SCI events by an SCI broker-dealer to its ‘‘customers,’’ as a broker-dealer does not have ‘‘members and participants.’’ Should the Commission require an SCI broker-dealer to notify its customers of an SCI event in the same manner as other SCI entities? Why or why not? Should the term ‘‘customers’’ be defined? If so, how? Should Rule 1002(c) be specifically tailored to SCI broker-dealers in a way that differs from the current rule? If so, how? Please be specific. Is the proposed requirement that, pursuant to Rule 1002(b)(4)(ii)(B), notices to the Commission include a copy of the information disseminated to customers appropriate? Why or why not?

30. Do commenters believe that different or unique requirements should apply to an SCI broker-dealer or systems of broker-dealers? What should they be, and why?

31. What effect, if any, would there be of having the largest broker-dealers subject to Regulation SCI, while others are not? Should the Commission include additional broker-dealers as SCI entities, based on size or function? Why or why not? For example, should the largest carrying broker-dealers, based on a size threshold, be subject to Regulation SCI? If so, should the size threshold be based on total assets or number of customer accounts, or some other metric? If application of all of Regulation SCI is not appropriate for these entities, should they be required to adopt and implement reasonably designed policies and procedures to address their ability to continue to process customer and account transactions in a timely manner during reasonably anticipated surges in demand?

32. Should the proposed thresholds take into account whether a broker-dealer is affiliated with another broker-dealer? For example, should the Commission aggregate the transaction activity of affiliated broker-dealers for purposes of determining whether the transaction activity threshold test has been satisfied and, if it has, apply Regulation SCI to each broker-dealer? Why or why not? Should it aggregate total assets of affiliated broker-dealers? Why or why not?

33. Is the proposed six-month period during which a broker-dealer that meets the threshold to become an SCI broker-dealer does not have to comply with Regulation SCI appropriate? Should the Commission adopt a different time period? If so, how long should the period be and why?

34. Are there characteristics specific to SCI broker-dealers that would make applying Regulation SCI, either broadly or by specific existing/proposed provision(s), unduly burdensome or inappropriate for SCI broker-dealers? How much time would an SCI broker-dealer reasonably need to come into compliance with Regulation SCI as proposed?

c. Exempt Clearing Agencies (Deletion of ‘‘Subject to ARP’’)

The Commission proposes to include all ‘‘exempt clearing agencies’’ as SCI entities. This proposed approach would expand the scope of exempt clearing agencies covered by Regulation SCI, which currently covers only certain exempt clearing agencies—those that are ‘‘subject to ARP.’’ 228 The technology systems that underpin the operations of both registered clearing agencies and exempt clearing agencies are critical systems that drive the global financial markets. Further, the activities of exempt clearing agencies subject to ARP and those not subject to ARP are similar.
For example, for covered clearing agencies in particular,229 such systems include those that set and calculate margin obligations and other charges, perform netting and calculate payment obligations, facilitate the movement of funds and securities, or effectuate end-of-day settlement. Increasingly, the technology behind these systems is subject to both rapid innovation and interconnectedness.230 The exempt clearing agencies not subject to ARP also provide CSD functions for transactions in U.S. securities between U.S. and non-U.S. persons, using similar technologies.231 More generally, all exempt clearing agencies offer services that centralize a variety of technology functions, increasing access to services that help improve the efficiency of the clearance and settlement process by, for example, standardizing and automating functions necessary to complete clearance and settlement.232 Over time, the increasing availability of, and access to, such technologies has also increased the dependence that market participants have on such services, raising the potential that such services could become single points of failure for U.S. market participants.233 Further, as the services that exempt clearing agencies provide have evolved over time, they have become increasingly reliant on the provision of new technologies to market participants, and so the Commission has increasingly focused its oversight of exempt clearing agencies on the ways that such services might introduce operational risk to U.S. market participants.234 Therefore, the Commission proposes to expand the scope of SCI entities to cover all exempt clearing agencies. As a result, there would no longer be a difference in how exempt clearing agencies are addressed by Regulation SCI.

i. Current Regulatory Framework for Exempt Clearing Agencies

The registration and supervisory framework for clearing agencies under the Exchange Act provides the Commission with broad authority to provide exemptive relief from certain of the Commission’s regulatory requirements under the Exchange Act. Specifically, section 17A(b)(1) of the Exchange Act provides the Commission with authority to exempt a clearing agency or any class of clearing agencies from any provision of section 17A or the rules or regulations thereunder.235 Such an exemption may be effected by rule or order, upon the Commission’s own motion or upon application, either conditionally or unconditionally. The Commission’s exercise of authority to grant exemptive relief must be consistent with the public interest, the protection of investors, and the purposes of section 17A, including the prompt and accurate clearance and settlement of securities transactions and the safeguarding of securities and funds.236 The Commission has granted exemptions from clearing agency registration to three entities that provide matching services. These exempt clearing agencies are DTCC ITP Matching US, LLC (successor in name to Omgeo and Global Joint Venture Matching Services US, LLC), Bloomberg STP LLC (‘‘BSTP’’), and SS&C Technologies, Inc.

228 See Rule 1000; SCI Adopting Release, supra note 1, at 72271 (an ‘‘exempt clearing agency subject to ARP’’ is an entity that has received from the Commission an exemption from registration as a clearing agency under section 17A of the Exchange Act, and whose exemption contains conditions that relate to the Commission’s Automation Review Policies, or any Commission regulation that supersedes or replaces such policies (such as Regulation SCI)).

229 17 CFR 240.17Ad–22 (‘‘Rule 17Ad–22’’ under the Exchange Act) provides for two categories of registered clearing agencies and contains a set of rules that apply to each category. The first category is covered clearing agencies, which are subject to 17 CFR 240.17Ad–22(e) (Rule 17Ad–22(e)), which includes requirements intended to address the activity and risks that their size, operation, and importance pose to the U.S. securities markets, the risks inherent in the products they clear, and the goals of both the Exchange Act and the Dodd-Frank Act. See Securities Exchange Act Release No. 78961 (Sept. 28, 2016), 81 FR 70786, 70793 (Oct. 13, 2016) (‘‘CCA Standards Adopting Release’’). Covered clearing agencies are registered clearing agencies that provide central counterparty (‘‘CCP’’) or central securities depository (‘‘CSD’’) services. See 17 CFR 240.17Ad–22(a)(5). A CCP is a type of registered clearing agency that acts as the buyer to every seller and the seller to every buyer, providing a trade guaranty with respect to transactions submitted for clearing by the CCP’s participants. See 17 CFR 240.17Ad–22(a)(2); Securities Exchange Act Release No. 88616 (Apr. 9, 2020), 85 FR 28853, 28855 (May 14, 2020) (‘‘CCA Definition Adopting Release’’). A CCP may perform a variety of risk management functions to manage the market, credit, and liquidity risks associated with transactions submitted for clearing. If a CCP is unable to perform its risk management functions effectively, however, it can transmit risk throughout the financial system. A CSD is a type of registered clearing agency that acts as a depository for handling securities, whereby all securities of a particular class or series of any issuer deposited within the system are treated as fungible. Through use of a CSD, securities may be transferred, loaned, or pledged by bookkeeping entry without the physical delivery of certificates. A CSD also may permit or facilitate the settlement of securities transactions more generally. See 15 U.S.C. 78c(a)(23)(A); 17 CFR 240.17Ad–22(a)(3); CCA Definition Adopting Release, at 28856. If a CSD is unable to perform these functions, market participants may be unable to settle their transactions, transmitting risk through the financial system. Currently, all clearing agencies registered with the Commission that are actively providing clearance and settlement services are covered clearing agencies. They are The Depository Trust Company (‘‘DTC’’), FICC, NSCC, ICE Clear Credit (‘‘ICC’’), ICE Clear Europe (‘‘ICEEU’’), The Options Clearing Corporation (‘‘OCC’’), and LCH SA.

230 The second category includes registered clearing agencies other than covered clearing agencies; such clearing agencies must comply with 17 CFR 240.17Ad–22(d) (‘‘Rule 17Ad–22(d)’’). See 17 CFR 240.17Ad–22(d). Rule 17Ad–22(d) establishes a regulatory regime to govern registered clearing agencies that do not provide CCP or CSD services. See CCA Standards Adopting Release, at 70793. Although subject to Rule 17Ad–22(d), the Boston Stock Exchange Clearing Corporation (‘‘BSECC’’) and Stock Clearing Corporation of Philadelphia (‘‘SCCP’’) are currently registered with the Commission as clearing agencies but conduct no clearance or settlement operations. See Securities Exchange Act Release No. 63629 (Jan. 3, 2011), 76 FR 1473, 1474 (Jan. 10, 2011) (‘‘BSECC Notice’’); Securities Exchange Act Release No. 63268 (Nov. 8, 2010), 75 FR 69730, 69731 (Nov. 15, 2010) (‘‘SCCP Notice’’).

231 See, e.g., Release No. 79577 (Dec. 16, 2016), 81 FR 93994 (Dec. 22, 2016) (‘‘Euroclear Exemption’’); Release No. 38328 (Feb. 24, 1997), 62 FR 9225 (Feb. 28, 1997) (‘‘Clearstream Exemption’’). To manage the potential risks associated with these functions, the Commission’s exemptions impose volume limits on the amount of transactions in U.S. Government securities for which each entity may perform clearance and settlement.

232 See, e.g., Euroclear Exemption, supra note 231 (adding services for collateral management); Release No. 44188 (Apr. 17, 2001), 66 FR 20494 (Apr. 23, 2001) (granting an exemption to provide a central matching service to Global Joint Venture Matching Services US LLC, now known as DTCC ITP Matching US LLC, to facilitate the settlement of transactions between broker-dealers and their institutional customers) (‘‘ITPM Exemption’’).

233 See Securities Exchange Act Release No. 76514 (Nov. 25, 2015), 80 FR 75387, 75401 (Dec. 1, 2015) (granting an exemption to provide matching services to each of Bloomberg STP LLC and SS&C Technologies, Inc. and stating that ‘‘[o]n balance, the Commission believes that the redundancy created by more interfaces and linkages within the settlement infrastructure increases resiliency’’); SEC Division of Trading and Markets and Office of Compliance Inspections and Examinations, Staff Report on the Regulation of Clearing Agencies (Oct. 1, 2020) (‘‘Staff Report on Clearing Agencies’’), available at https://www.sec.gov/files/regulation-clearing-agencies-100120.pdf (staff stating that ‘‘consolidation among providers of clearance and settlement services concentrates clearing activity in fewer providers and has increased the potential for providers to become single points of failure.’’).

234 For example, in 2016 the Commission approved modifications to the Euroclear Exemption that included, among other things, a new set of conditions for the reporting of service outages. See Euroclear Exemption, supra note 231, at 94003 (setting forth eight ‘‘Operational Risk Conditions Applicable to the Clearing Agency Activities’’).
(‘‘SS&C’’).237 In certain instances, non-U.S. clearing agencies also have received exemptions from registration as a clearing agency. These exempt clearing agencies include Euroclear Bank SA/NV (successor in name to Morgan Guaranty Trust Company of NY)238 and Clearstream Banking, S.A. (successor in name to Cedel Bank, société anonyme, Luxembourg).239 Each has an exemption to provide clearance and settlement for U.S. Government and agency securities for U.S. participants, subject to limitations on the volume of transactions set forth in their exemptions. The Euroclear Exemption also provides an exemption from registration to provide collateral management services for transactions in U.S. equity securities between U.S. persons and non-U.S. persons. As previously discussed, each of these exempt clearing agencies makes available to market participants an increasingly wide array of technology services that help centralize and automate the clearance and settlement of securities transactions for market participants. This increasing reliance on new technologies has focused the Commission’s attention on the potential for such services to introduce operational risk or single points of failure into the national system for clearance and settlement. Given this important role of exempt clearing agencies in helping to ensure the functioning, resilience, and stability of U.S. securities markets, and their growing technological innovations and interconnectedness, the Commission proposes to expand the scope of ‘‘SCI entity’’ to cover all exempt clearing agencies, rather than only those ‘‘subject to ARP,’’ to help ensure that the risks associated with the greater dispersal, sophistication, and interconnection of such technologies are appropriately mitigated.240 In this regard, pursuant to the terms and conditions of the clearing agency exemptive orders, the Commission may modify by order the terms, scope, or conditions if the Commission determines that such modification is necessary or appropriate in the public interest, for the protection of investors, or otherwise in furtherance of the purposes of the Exchange Act.241

ii. Request for Comment

235 The Commission has also provided temporary relief from registration to certain clearing agencies under section 36 of the Exchange Act. On July 1, 2011, the Commission published a conditional, temporary exemption from clearing agency registration for entities that perform certain post-trade processing services for security-based swap transactions. See, e.g., Release No. 64796 (July 1, 2011), 76 FR 39963 (July 7, 2011) (providing an exemption from registration under section 17A(b) of the Exchange Act, and stating that ‘‘[t]he Commission is using its authority under section 36 of the Exchange Act to provide a conditional temporary exemption [from clearing agency registration], until the compliance date for the final rules relating to registration of clearing agencies that clear security-based swaps pursuant to sections 17A(i) and (j) of the Exchange Act, from the registration requirement in section 17A(b)(1) of the Exchange Act to any clearing agency that may be required to register with the Commission solely as a result of providing Collateral Management Services, Trade Matching Services, Tear Up and Compression Services, and/or substantially similar services for security-based swaps’’). The order facilitated the Commission’s identification of entities that operate in that area and that accordingly may fall within the clearing agency definition. Recently, the Commission indicated that the 2011 Temporary Exemption may no longer be necessary. See Securities Exchange Act Release No. 94615 (Apr. 6, 2022), 87 FR 28872, 28934 (May 11, 2022) (stating that the ‘‘Commission preliminarily believes that, if it adopts a framework for the registration of [security-based swap execution facilities (‘‘SBSEFs’’)], the 2011 Temporary Exemption would no longer be necessary because entities carrying out the functions of SBSEFs would be able to register with the Commission as such, thereby falling within the exemption from the definition of ‘clearing agency’ in existing [17 CFR 240.17Ad–24 (Rule 17Ad–24)]’’).

236 See 15 U.S.C. 78q–1(b)(1).

237 See exemption, supra note 233 (granting an exemption to provide matching services to each of BSTP and SS&C).

238 See Euroclear Exemption, supra note 231.

239 See Clearstream Exemption, supra note 231.

240 See supra note 228. Pursuant to the Commission’s statement on CCPs in the European Union (‘‘EU’’) authorized under the European Markets Infrastructure Regulation (‘‘EMIR’’), an EU CCP may request an exemption from the Commission where it has determined that the application of SEC requirements would impose unnecessary, duplicative, or inconsistent requirements in light of EMIR requirements to which it is subject. See Statement on Central Counterparties Authorized under the European Markets Infrastructure Regulation Seeking to Register as a Clearing Agency or to Request Exemptions from Certain Requirements Under the Securities Exchange Act of 1934, Securities Exchange Act Release No. 90492 (Nov. 23, 2020), 85 FR 76635, 76639 (Nov. 30, 2020), available at https://www.govinfo.gov/content/pkg/FR-2020-11-30/pdf/FR-2020-11-30.pdf (stating that in seeking an exemption, an EU CCP could provide ‘‘a self-assessment . . . [to] explain how the EU CCP’s compliance with EMIR corresponds to the requirements in the Exchange Act and applicable SEC rules thereunder, such as Rule 17Ad–22 and Regulation SCI’’).
Is expanding the scope of ‘‘SCI entity’’ to cover all exempt clearing agencies, not just those exempt clearing agencies subject to ARP, appropriate? Why or why not? Please be specific and provide examples, if possible, to illustrate your points. 36. Should all or some aspects of Regulation SCI apply to all exempt clearing agencies? Why or why not? If only a portion, please specify which portion(s) and explain why. If all, explain why. 37. Would the Regulation SCI proposed requirements, together with the conditions under which the exempt clearing agency is subject in the Commission exemptive order, be sufficient to address operational risk concerns posed by exempt clearing agencies? Why or why not? Please be specific and respond with examples, if possible. 38. Given the proposed new requirements of Regulation SCI, should exempt clearing agencies be subject to a revised Commission exemptive order? Why or why not? 39. In support of the public interest and the protection of investors, the Commission is proposing to amend the clearing agency exemptive orders to replace all operational risk conditions with a condition that each exempt clearing agency must comply with Regulation SCI requirements. Should the ordering language provide that the exempt clearing agency must comply with all requirements in Regulation SCI? If so, explain why. If not, explain why not. 40. Should proposed Regulation SCI distinguish among different types of exempt clearing agencies such that some requirements of Regulation SCI might be appropriate for some exempt clearing agencies, but not others? Why or why not? If so, what are those distinctions and what are those requirements? Please be specific and provide examples, if possible. 41. To what extent do exempt clearing agencies rely on third-party providers to provide systems that support their clearance and settlement functions? 
Do such third-party providers introduce operational or other risks that would be subject to the requirements of Regulation SCI? Are there any circumstances in which the use of a third-party provider would prevent compliance with Regulation SCI? Why or why not? Please be specific and provide examples, if possible.

241 See ITPM Exemption, supra note 231; Euroclear Exemption, supra note 231; Clearstream Exemption, supra note 231.

42. For EU CCPs authorized under EMIR, the Commission stated that exemptive relief may be considered under section 17A(b)(1) of the Exchange Act in scenarios where SEC requirements are unnecessary, duplicative, or inconsistent relative to EMIR requirements. The Commission recognizes that the EU and other jurisdictions may have requirements similar to those being proposed in Regulation SCI. Should the Commission provide foreign CCPs with exemptive relief from newly proposed Regulation SCI? Why or why not? In the context of exemptive requests for newly proposed Regulation SCI, what factors should the Commission take into account in assessing whether SEC requirements may be ‘‘unnecessary, duplicative, or inconsistent’’ relative to home jurisdiction requirements for foreign CCPs, including EU CCPs authorized under EMIR? Please be specific and provide examples, if possible.

3. General Request for Comment on Proposed Expansion of SCI Entities

43. The Commission requests comment generally on the proposed expansion of the definition of SCI entity. Are there other entities that should be included as SCI entities? If so, which entities and why? Further, are there any entities which, if included as SCI entities, would have critical SCI systems? Please explain.

B. Request for Comment Regarding Significant-Volume Fixed Income ATSs and Broker-Dealers Using Electronic or Automated Systems for Trading of Corporate Debt Securities or Municipal Securities

1. Discussion

As stated above, the Commission did not include Fixed Income ATSs as SCI entities when it adopted Regulation SCI based on consideration of comments regarding the risk profile of these ATSs at that time.242 In light of the evolution of technology since then, and specifically the technology for trading corporate debt and municipal securities, the Commission requests comment on whether significant-volume ATSs and/or broker-dealers with significant transaction activity in corporate debt or municipal securities should be subject to Regulation SCI.243

242 See supra text accompanying note 79.

243 For purposes of this release, the term Fixed Income ATSs refers only to ATSs trading corporate debt and municipal securities and excludes Government Securities ATSs, which are the subject of a separate proposal. See supra notes 84–85 and accompanying text.

Currently, an ATS is subject to Rule 301(b)(6) of Regulation ATS if its trading volume reaches ‘‘20 percent or more of the average daily volume traded in the United States’’ in either corporate debt or municipal securities.244 Among other things, Rule 301(b)(6) requires such a significant-volume Fixed Income ATS to notify the Commission staff of material systems outages and significant systems changes and to establish adequate contingency and disaster recovery plans.245 The requirements of Rule 301(b)(6) applicable to significant-volume Fixed Income ATSs, which date to 1998 and have not been updated since that time, are less rigorous than the requirements of Regulation SCI.246 The Commission explained in the SCI Adopting Release that it adopted Regulation SCI to expand upon, update, and modernize the requirements of Rule 301(b)(6) for those ATSs trading NMS stocks and equity securities that are not NMS stocks that it had identified as playing a significant role in the U.S. securities markets.247 Regulation SCI did this by, for example, moving from the Commission’s 1980s- and 90s-era technology precepts to a framework that speaks to a broader set of systems that are subject to an overarching standard: that they be subject to policies and procedures reasonably designed to maintain operational capability and promote the maintenance of fair and orderly markets. Regulation SCI also requires tested business continuity and disaster recovery plans that include geographic diversity to achieve specified recovery time objectives.

244 See 17 CFR 242.301(b)(6). Until Regulation SCI was adopted, Rule 301(b)(6) applied to an ATS trading NMS stocks, equity securities that are not NMS stocks, corporate debt securities, or municipal securities exceeding a 20% volume threshold. Since the adoption of Regulation SCI, Rule 301(b)(6) has applied only to ATSs trading corporate debt securities or municipal securities exceeding a 20% volume threshold. Rule 301(b)(6) currently does not specify whether the thresholds refer to share, dollar, or transaction volume. In the Government Securities ATS Reproposal, the Commission has proposed to specify that these thresholds refer to ‘‘average daily dollar volume.’’ See Government Securities ATS Reproposal, supra note 84, at 15572.

245 More specifically, with regard to systems that support order entry, order routing, order execution, transaction reporting, and trade comparison, Rule 301(b)(6)(ii) of Regulation ATS requires significant-volume ATSs to: establish reasonable current and future capacity estimates; conduct periodic capacity stress tests of critical systems to determine their ability to accurately, timely and efficiently process transactions; develop and implement reasonable procedures to review and keep current system development and testing methodology; review system and data center vulnerability to threats; establish adequate contingency and disaster recovery plans; perform annual independent reviews of systems to ensure compliance with the above listed requirements and perform review by senior management of reports containing the recommendations and conclusions of the independent review; and promptly notify the Commission of material systems outages and significant systems changes. See 17 CFR 242.301(b)(6)(ii). As discussed in the SCI Adopting Release, the application of Rule 301(b)(6) to Fixed Income ATSs is in addition to various Exchange Act and FINRA rules applicable to broker-dealers operating ATSs. See SCI Adopting Release, supra note 1, at 72263. See also supra notes 146–166 and accompanying text (providing an updated discussion of various Exchange Act, FINRA, and certain other regulations applicable to broker-dealers, including those operating ATSs).

246 See Securities Exchange Act Release No. 40760 (Dec. 8, 1998), 63 FR 70844 (Dec. 22, 1998) (‘‘Regulation ATS Adopting Release’’).
In addition, Regulation SCI requires notice and dissemination of information regarding a wider range of systems problems (i.e., SCI events) to the Commission and affected market participants, and also requires that corrective action be taken with respect to such problems.248

When proposing Regulation SCI in 2013, the Commission sought to include as SCI entities those ATSs that are reliant on automated systems and represent a significant pool of liquidity in certain asset classes.249 Regarding Fixed Income ATSs, the Commission proposed to include those exceeding five percent or more of either average daily dollar volume or average daily transaction volume traded in the United States, but it did not adopt that proposal.250 Instead, for ATSs trading corporate debt or municipal securities exceeding a 20 percent ‘‘average daily volume’’ threshold, it left in place the older, more limited technology regulations in Rule 301(b)(6) of Regulation ATS.251 In support of that determination, the Commission distinguished the equity markets from the corporate debt and municipal securities markets, stating that the latter markets generally relied much less on automation and electronic trading than markets that trade NMS stocks or equity securities that are not NMS stocks, and also tended to be less liquid than the equity markets, with slower execution times and less complex routing strategies.252

247 See SCI Adopting Release, supra note 1, at 72264.

248 As discussed further below, the Commission is now proposing updates to Regulation SCI that are designed to take account of new and emerging technology challenges. If adopted, these changes to Regulation SCI will render Rule 301(b)(6) even more outdated by comparison. Below the Commission solicits comment on whether, in lieu of applying Regulation SCI to these entities, Rule 301(b)(6) should be updated instead.

249 See SCI Proposing Release, supra note 14, at 18094–96.

250 See SCI Proposing Release, supra note 14, at 18093, 18095. At adoption, the Commission included only ATSs that trade NMS stocks and equity securities that are not NMS stocks exceeding a specified volume threshold. Rule 1000 of Regulation SCI defines SCI ATS to mean an ATS, which, during at least four of the preceding six calendar months, had: (1) With respect to NMS stocks: (i) 5% or more in any single NMS stock, and 0.25% or more in all NMS stocks, of the average daily dollar volume reported by an effective transaction reporting plan, or (ii) 1% or more, in all NMS stocks, of the average daily dollar volume reported by an effective transaction reporting plan; or (2) with respect to equity securities that are not NMS stocks and for which transactions are reported to an SRO, 5% or more of the average daily dollar volume as calculated by the SRO to which such transactions are reported. See 17 CFR 242.1000. Rule 1000 also states that an ATS that meets one of these thresholds is not required to comply with Regulation SCI until six months after satisfying the threshold for the first time. See id.

251 See SCI Adopting Release, supra note 1, at 72270.

252 See id. The Commission also acknowledged comments stating that lowering the 20% threshold in Rule 301(b)(6) could have the unintended effect of discouraging technology evolution in these markets. Id.

Due to changes in the market and updates to technology, the Commission again requests comment on applying Regulation SCI to significant-volume Fixed Income ATSs, and further requests comment regarding broker-dealers trading significant volume in corporate debt or municipal securities.253 In particular, the Commission is soliciting comment on whether the distinctions drawn by the Commission in its original adoption of Regulation SCI, between equities markets on the one hand, and the corporate debt and municipal securities markets on the other, based on differences in their reliance on automation and electronic trading strategies, have diminished such that Fixed Income ATSs or broker-dealers with significant activity in corporate debt and municipal securities should be subject to increased technology oversight pursuant to Regulation SCI.

As noted above, the Commission proposed and then recently re-proposed to extend Regulation SCI to ATSs that trade U.S. Treasury Securities or Agency Securities (i.e., Government Securities ATSs) exceeding a five percent dollar volume threshold in at least four out of the preceding six months, citing the increased reliance on technology in the government securities markets in recent years and the resulting operational similarities and technological vulnerabilities and risks of such ATSs to existing SCI entities.254 In the Government Securities ATS Reproposal, the Commission discussed ways in which the government securities markets have become increasingly dependent on electronic trading in recent years.255 The Commission solicits comment on whether trading in corporate debt securities or municipal securities by ATSs and/or broker-dealers has evolved similarly.

253 See SCI Adopting Release, supra note 1, at 72409 (stating, ‘‘[A]s the Commission monitors the evolution of automation in this market, the Commission may reconsider the benefits and costs of extending the requirements of Regulation SCI to fixed-income ATSs in the future.’’).

254 See Government Securities ATS Proposing Release, supra note 84, at 87152–54. See also Government Securities ATS Reproposal, supra note 84, at 15527–29. Specifically, in the Government Securities ATS Reproposal, the Commission discussed how advances in technology have resulted in the increased use of systems that use protocols and non-firm trading interest to bring together buyers and sellers of securities and how these systems functioned as market places similar to market places provided by registered exchanges and ATSs. See Government Securities ATS Reproposal, supra note 84, at 15497–98.

255 See Government Securities ATS Reproposal, supra note 84, at 15526.

The growth in electronic trading in the corporate debt and municipal securities markets in recent years appears to be substantial,256 and accelerating.257 Although traditional methods of bilateral corporate bond trading conducted through either dealer-to-dealer or dealer-to-customer negotiations (often using telephone calls) remain important (with an estimated 71.4 percent of trading in corporate bonds facilitated via bilateral voice trading during the first half of 2021),258 more recent data suggest that dependencies on electronic protocols have increased in the last year alone.259 In the municipal securities markets, a majority (56.4%) of all inter-dealer trades and 26% of inter-dealer par value traded were executed on ATSs during the period from August 2016 through April 2021.260 Moreover, as recently reported by the MSRB, the number of transactions with a dealer on an ATS more than tripled from 2015 to 2021; the average daily number of municipal securities trades increased more than 550% from 2015 to 2022 and also increased more than 75% in 2022; and the average daily par amount traded increased more than 400% since 2015 and more than doubled in 2022 compared to 2021.261

256 See Government Securities ATS Reproposal, supra note 84, at 15528 n. 389, 15606, and 15609. See also SIFMA Insights: Electronic Trading Market Structure Primer, supra note 3 (outlining and comparing electronification trends in different markets); SIFMA, SIFMA Insights: US Fixed Income Market Structure Primer (July 2018), available at https://www.sifma.org/wp-content/uploads/2018/07/SIFMA-Insights-FIMS-Primer_FINAL.pdf (discussing several different types of fixed-income markets, noting that the historically quote-driven voice broker market structure has moved to accommodate limit order book protocols in the intradealer markets and request-for-quote (‘‘RFQ’’) protocols in the dealer-to-client markets; and assessing that ‘‘Current growth [in the dealer-to-client markets] is enabling the total growth in overall electronification percentages: UST 70%, Agency 50%, Repos 50%, IG Corporates 40% and HY Corporates 25%’’).

257 See Annabel Smith, Pandemic sees electronic fixed income trading skyrocket in 2021, The Trade (Mar. 3, 2021), available at https://www.thetradenews.com/pandemic-sees-electronic-fixed-income-trading-skyrocket-in-2021/; Municipal Securities Rulemaking Board, Characteristics of Municipal Securities Trading on Alternative Trading Systems and Broker’s Broker Platforms (Aug. 2021), available at https://msrb.org/MarketTopics/-/media/27E4F111D18246C6B9DA849082230CD0.ashx (discussing volume on ATSs and broker’s broker platforms from 2016–2021).

258 See Government Securities ATS Reproposal, supra note 84, at 15606–07. Market observers also note increased use of electronic trading in the growth of all-to-all trading and portfolio trading. See Greenwich Associates, All-to-All Trading Takes Hold in Corporate Bonds (Q2 2021), available at https://content.marketaxess.com/sites/default/files/2021-04/All-to-All-Trading-Takes-Hold-in-Corporate-Bonds.pdf (stating that all-to-all trading, which allows asset managers to provide liquidity to dealers and each other and for dealers to trade with one another electronically, has increased from 8% of investment grade volume in 2019 to 12% of investment grade volume in 2020); see also Li Renn Tsai, Understanding Portfolio Trading, Tradeweb (Sept. 6, 2022), available at https://www.tradeweb.com/newsroom/media-center/in-the-news/understanding-portfolio-trading/ (discussing that portfolio trading, a process similar to program trading for equities which allows asset managers to buy/sell a basket of bonds to trade together as a single package, increased from 2% of total corporate bond trades in Jan. 2020 to 5% in Sept. 2021); Kate Marino, Algorithms have arrived in the bond market, Axios (Sept. 3, 2021), available at https://www.axios.com/2021/09/03/bond-market-trading-algorithms (discussing the increase in portfolio trading in the bond market).

259 See Jack Pitcher, Record E-Trading Brings More Liquidity to Corporate Bond Market, Bloomberg (Oct. 31, 2022), available at https://www.bloomberg.com/news/articles/2022-10-31/electronic-credit-trading-surges-to-record-boosting-liquidity (citing a Sept. 2022 Coalition Greenwich report stating that ‘‘Investment-grade electronic trading accounted for 42% of volume in September, up 9 percentage points from the same month last year, and high yield was 34%, up 10 percentage points’’ and that about one third of trading volume on junk bonds was through online trading in Sept. 2022, up from about a quarter of trading volume in the same period last year); but see Maureen O’Hara and Xing Alex Zhou, The electronic evolution of corporate bond dealers, Journal of Financial Economics (Jan. 5, 2021), available at https://www.sciencedirect.com/science/article/pii/S0304405X21000015 (discussing that any eventual domination of electronic bond trading may ultimately be limited because of the particular nature of bond trading, which includes bond illiquidity, the inability for larger trades to be broken into smaller trade sizes that can trade electronically, dealer unwillingness to trade more information-sensitive high-yield bonds electronically, and the lack of new dealers in bond market structure).

260 See Simon Z. Wu, Characteristics of Municipal Securities Trading on Alternative Trading Systems and Broker’s Broker Platforms, Municipal Securities Rulemaking Board (Aug. 2021), available at https://www.msrb.org/sites/default/files/MSRB-Trading-on-Alternative-Trading-Systems.pdf. See also Government Securities ATS Reproposal, supra note 84, at 15609 (discussing use of electronic trading protocols in the municipal securities markets, and noting that ‘‘one MSRB report found that technological advancements in this market and the movement away from voice trading and towards electronic trading have helped reduce transaction costs for dealer-customer trades by 51 percent between 2005 and 2018’’).

261 See John Bagley and Marcelo Vieira, Customer Trading with Alternative Trading Systems, Municipal Securities Rulemaking Board (Aug. 2022), available at https://www.msrb.org/sites/default/files/2022-08/MSRB-Customer-Trading-with-Alternative-Trading-Systems.pdf.

While technological developments provide many benefits to the U.S. securities markets and investors, they also increase the risk of operational problems that have the potential to cause a widespread impact on the securities markets and market participants. The trend in electronic trading in these markets and recent data on the volume of Fixed Income ATSs suggest that there is likely to be one or more Fixed Income ATSs (or broker-dealers) that both rely on electronic trading technology and represent or generate significant sources of liquidity in these asset classes. In light of these developments, the Commission believes that it is appropriate to request comment on whether ATSs and broker-dealers that trade significant volume in corporate debt securities or municipal securities should also be subject to some or all of the requirements of Regulation SCI, and if so, what an appropriate threshold would be.262

262 An ATS that trades NMS stocks is subject to Regulation SCI if its trading volume reaches: (i) 5% or more in any single NMS stock and 0.25% or more in all NMS stocks of the average daily dollar volume reported by applicable transaction reporting plans; or (ii) 1% or more in all NMS stocks of the average daily dollar volume reported by applicable transaction reporting plans. An ATS that trades equity securities that are not NMS stocks is subject to Regulation SCI if its trading volume is 5% or more of the average daily dollar volume (across all equity securities that are not NMS stocks) as calculated by the SRO to which such transactions are reported. As stated in the SCI Adopting Release, the higher threshold for equity securities that are not NMS stocks versus NMS stocks was selected taking into account the lower degree of automation, electronic trading, and interconnectedness in the market for equity securities that are not NMS stocks and the assessment that those ATSs would present lower risk to the market in the event of a systems issue, but not necessarily no risk. See SCI Adopting Release, supra note 1, at 72269. As stated above, a 5% average daily dollar volume threshold is proposed for Government Securities ATSs (i.e., ATSs that trade Agency Securities and/or U.S. Treasury Securities), where electronic trading is prevalent.

2. Request for Comment

The Commission is requesting comment on whether to apply Regulation SCI to Fixed Income ATSs on the basis of volume, or to broker-dealers that trade corporate debt or municipal securities on or above a trading activity threshold. Specifically:

44. Should significant-volume ATSs and/or broker-dealers with significant transaction activity in corporate debt or municipal securities be subject, in whole or in part, to Regulation SCI?263

45. Do commenters agree that the corporate debt and municipal securities markets have become increasingly electronic in recent years? Why or why not? Please provide data to support your views.
If electronic trading in the corporate debt and municipal securities markets has increased, are these markets sufficiently different or unique to warrant an approach to technology oversight that differs from the approach taken in Regulation SCI? Why or why not?

46. What are the risks associated with systems issues at Fixed Income ATSs or broker-dealers that trade corporate debt or municipal securities today? What impact would a systems issue at a Fixed Income ATS or such broker-dealer have on the trading of corporate debt or municipal securities and the maintenance of fair and orderly markets?

47. Do electronic systems used to trade corporate debt or municipal securities today have linkages to any trading venues, including to U.S. Treasury markets? Are these linkages developing or likely to develop? If not, are there interconnections with third-party or other types of systems? How do any interconnections impact the risk of an SCI event at a Fixed Income ATS or broker-dealer that trades corporate debt or municipal securities on the market and/or market participants?

48. If commenters believe that Regulation SCI should apply, in whole or in part, to Fixed Income ATSs or broker-dealers that trade corporate debt or municipal securities, should there be a volume threshold? For example, should the definition of SCI ATS include those ATSs which, during at least four of the preceding six calendar months, had: (1) with respect to municipal securities, five percent or more of the average daily dollar volume traded in the United States, as provided by the self-regulatory organization to which such transactions are reported; or (2) with respect to corporate debt securities, five percent or more of the average daily dollar volume traded in the United States as provided by the self-regulatory organization to which such transactions are reported? Similarly, should the definition of SCI broker-dealer include a similar threshold to that proposed for registered broker-dealers trading Treasury or Agency securities (during at least four of the preceding six calendar months reported to the self-regulatory organization(s) to which such transactions are reported, average daily dollar volume in an amount that equals ten percent (10%) or more of the total average daily dollar volume as made available by the self-regulatory organization to which such transactions are reported)?

263 The Commission notes that ATSs may also trade crypto asset securities. See section II.A.3.b.v (discussing obligations of ATSs trading crypto asset securities).

49. Is basing a threshold on a percentage of average daily dollar volume appropriate? Should there be an alternative threshold based on average daily share volume? Or par value? Or transaction volume?

50. Would commenters have a different view on what an appropriate threshold would be for Fixed Income ATSs if additional entities become Fixed Income ATSs as a result of adoption of the amendments to Rule 3b–16(a) that the Commission has proposed in the Government Securities ATS Reproposal?

51. If the Commission proposes to apply Regulation SCI to Fixed Income ATSs, should it propose a similar approach for broker-dealers that trade corporate debt or municipal securities? Why or why not?

52. Would four out of the preceding six months be an appropriate period to measure the volume thresholds for corporate debt and municipal securities for purposes of Regulation SCI? Why or why not? Would Fixed Income ATSs or broker-dealers that trade corporate debt or municipal securities have available appropriate data with which to determine whether a proposed threshold has been met? If not, what data or information is missing? Does the answer depend on whether the Government Securities ATS Reproposal (proposing to expand the definition of exchange in Rule 3b–16(a)) is adopted as proposed?

53. Should any or all Fixed Income ATSs that meet a volume threshold be subject to Rule 301(b)(6) of Regulation ATS instead of Regulation SCI (i.e., should Rule 301(b)(6) be retained)? Why or why not? Alternatively, should any or all Fixed Income ATSs or broker-dealers that trade corporate debt or municipal securities be subject to only certain provisions of Regulation SCI? Which ones and why? Please explain. Alternatively, should Rule 301(b)(6) of Regulation ATS be updated to be more similar to Regulation SCI in certain respects? If so, how?

54. If commenters believe Rule 301(b)(6) should continue to apply to Fixed Income ATSs, is the 20 percent average daily volume threshold an appropriate threshold? Should it be amended to specify what the 20 percent average daily volume refers to (e.g., share? dollar? par? transaction?)? Should the Commission amend Rule 301(b)(6) to subject all Fixed Income ATSs, or certain Fixed Income ATSs, to the requirements of the rule if the Fixed Income ATS reaches a 5 percent, 10 percent, 15 percent or another volume threshold? If so, please explain why such a threshold would be appropriate. Alternatively, should Rule 301(b)(6) be superseded and replaced by Regulation SCI?

55. Are there characteristics specific to the corporate debt and municipal securities markets that would make applying Regulation SCI broadly, or any specific provision of Regulation SCI, to Fixed Income ATSs or broker-dealers that trade corporate debt or municipal securities unduly burdensome or inappropriate? Please explain. For example, if an ATS that fits the description of a Communication Protocol System (as described in the Government Securities ATS Proposal) were to become an SCI ATS, would there be certain features or functions of that system that would not meet the definition of SCI systems, but that should be subject to Regulation SCI as SCI systems? Would there be any features or functions of that system that would meet the definition of SCI systems, but that should not be subject to Regulation SCI?

Commenters that recommend that the Commission propose that ATSs and/or broker-dealers with significant transaction activity in corporate debt or municipal securities be subject to Regulation SCI are requested to specifically address the expected benefits and costs of their recommendations, above the current baseline of Rule 301(b)(6) of Regulation ATS, and the expected effects of their recommendations on efficiency, competition, and capital formation.

C. Strengthening Obligations of SCI Entities

In adopting Regulation SCI, the Commission recognized that technology, standards, and threats would continue to evolve and that the regulation would need to be flexible so as to develop alongside such changes.
Thus, 17 CFR 242.1001(a)(1) (‘‘Rule 1001(a)(1)’’ of Regulation SCI) requires that each SCI entity have ‘‘written policies and procedures reasonably designed to ensure that its SCI systems and, for purposes of security standards, indirect SCI systems, have levels of capacity, integrity, resiliency, availability, and security, adequate to maintain the SCI entity’s operational capability and promote the maintenance of fair and orderly markets.’’264 While Rule 1001(a)(2) itemizes certain minimum requirements that such policies and procedures must include, these are generally broad areas that must be covered (e.g., requiring capacity planning estimates, stress tests, systems development and testing programs, reviews and testing for threats, business continuity and disaster recovery plans, standards with respect to market data, and monitoring for potential SCI events); Rule 1001(a) does not prescribe in detail how they should be addressed.265 Since the adoption and implementation of Regulation SCI, technology and the ways SCI entities employ such technology have continued to evolve, as have the potential vulnerabilities of, and threats posed to, SCI entities. In addition, the Commission and its staff have gained valuable experience and insights with respect to technology issues surrounding SCI entities and their systems. Given the important role SCI entities play in our markets, it is appropriate to strengthen the requirements Regulation SCI imposes on SCI entities to help ensure that their SCI systems and indirect SCI systems continue to remain robust, resilient, and secure.

264 See 17 CFR 242.1001(a)(1).

265 Id.

1. Systems Classification and Lifecycle Management

a. Discussion

The terms ‘‘SCI systems,’’ ‘‘indirect SCI systems,’’ and ‘‘critical SCI systems’’ are foundational definitions within Regulation SCI. These terms map out the scope of Regulation SCI’s applicability to an SCI entity. If an SCI entity does not classify its systems pursuant to these defined terms, it cannot fully understand how it should apply Regulation SCI’s requirements and where its obligations under the regulation start and end. Specifically, ‘‘SCI systems’’ is defined to mean ‘‘all computer, network, electronic, technical, automated, or similar systems of, or operated by or on behalf of, an SCI entity that, with respect to securities, directly support trading, clearance and settlement, order routing, market data, market regulation, or market surveillance.’’ The definition of ‘‘SCI systems’’ does not scope in every system of an SCI entity; rather, it is limited to those functions the Commission believed were of particular significance for the purposes of Regulation SCI, namely systems that, with respect to securities, directly support trading, clearance and settlement, order routing, market data, market regulation, or market surveillance. ‘‘Indirect SCI systems’’ come into play with respect to security standards and systems intrusions and include ‘‘any systems of, or operated by or on behalf of, an SCI entity that, if breached, would be reasonably likely to pose a security threat to SCI systems.’’ Importantly, both definitions include systems operated by an SCI entity as well as systems operated by third parties on behalf of a given SCI entity. Except as discussed above,266 the proposed rule amendments would not change the definition of SCI systems, indirect SCI systems, or critical SCI systems. However, the Commission is proposing to modify certain existing, and add a number of additional, requirements to the policies and procedures required of SCI entities with respect to their SCI systems (and indirect SCI systems or critical SCI systems, as the case may be), under Rule 1001(a), as discussed in further detail below.
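As an added illustration of how these two definitions carve a system inventory into SCI, indirect SCI and out-of-scope systems (and of the written inventory and lifecycle program this section goes on to discuss), the following Python is example code written for this page, not the Commission’s or any SCI entity’s. The inventory is constructed, and treating a network or trust path into an SCI system as the ‘‘security threat’’ test for indirect SCI systems is an assumption of the example, not the rule’s text.

```python
"""Classify a constructed system inventory under Regulation SCI's definitions.

Added example, not code from the release or from any SCI entity.
"""
from dataclasses import dataclass

# The six functions named in the definition of "SCI systems" (17 CFR 242.1000).
SCI_FUNCTIONS = {
    "trading", "clearance and settlement", "order routing",
    "market data", "market regulation", "market surveillance",
}
# Lifecycle phases proposed Rule 1001(a)(2)(viii) would have the program cover.
LIFECYCLE_PHASES = ("acquisition", "integration", "support", "refresh", "disposal")


@dataclass
class System:
    name: str
    functions: frozenset = frozenset()    # functions the system directly supports
    operated_by: str = "entity"           # "entity" or "third party" (on its behalf)
    connects_to: frozenset = frozenset()  # systems it holds a network/trust path into
    phase: str = "support"
    sanitized: bool = False               # meaningful only once phase == "disposal"


def classify(inventory):
    """Map each system name to "SCI", "indirect SCI" or "out of scope".

    Who operates the system is deliberately ignored: both definitions cover
    systems operated by third parties on the SCI entity's behalf.
    """
    by_name = {s.name: s for s in inventory}
    sci = {s.name for s in inventory if s.functions & SCI_FUNCTIONS}

    def reaches_sci(start):
        # Assumption: a system with a network/trust path into an SCI system,
        # directly or through other non-SCI systems, is treated as one that,
        # if breached, is "reasonably likely to pose a security threat" to it.
        # The rule's test is a judgement; this is one conservative proxy for it.
        seen, stack = set(), [start]
        while stack:
            cur = stack.pop()
            if cur in seen:
                continue
            seen.add(cur)
            for nxt in by_name[cur].connects_to:
                if nxt in sci:
                    return True
                if nxt in by_name:
                    stack.append(nxt)
        return False

    result = {}
    for s in inventory:
        if s.name in sci:
            result[s.name] = "SCI"
        elif reaches_sci(s.name):
            result[s.name] = "indirect SCI"
        else:
            result[s.name] = "out of scope"
    return result


def lifecycle_findings(inventory):
    """Flag inventory records a lifecycle management program should catch."""
    labels = classify(inventory)
    findings = []
    for s in inventory:
        if s.phase not in LIFECYCLE_PHASES:
            findings.append(f"{s.name}: unknown lifecycle phase {s.phase!r}")
        # Disposal without sanitisation leaves sensitive configuration on an
        # end-of-life SCI or indirect SCI system.
        if s.phase == "disposal" and labels[s.name] != "out of scope" and not s.sanitized:
            findings.append(f"{s.name}: {labels[s.name]} system in disposal without sanitisation")
    return findings


# Constructed inventory for a hypothetical SCI entity.
INVENTORY = [
    System("matching-engine", frozenset({"trading"}), connects_to=frozenset({"clearing-link"})),
    System("clearing-link", frozenset({"clearance and settlement"})),
    System("md-feed-handler", frozenset({"market data"}), operated_by="third party"),
    System("jump-host", connects_to=frozenset({"matching-engine"})),   # path into an SCI system
    System("build-server", connects_to=frozenset({"jump-host"})),      # path via the jump host
    System("hr-portal", connects_to=frozenset({"mail-server"})),       # no path to any SCI system
    System("mail-server"),
    System("old-gateway", frozenset({"order routing"}), phase="disposal"),
]

if __name__ == "__main__":
    for name, label in classify(INVENTORY).items():
        print(f"{name:16} {label}")
    for finding in lifecycle_findings(INVENTORY):
        print("finding:", finding)
```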
One of the first steps many SCI entities take to comply with Regulation SCI is developing a classification of their systems in accordance with these definitions, i.e., a documented inventory of the specific systems of the SCI entity that fall within each type of system (SCI system, indirect SCI system, and critical SCI system). However, not all SCI entities maintain such a list. A foundational and essential step for an SCI entity to be able to meet its obligations under Regulation SCI is to be able to identify clearly the systems that are subject to obligations under Regulation SCI. Therefore, the Commission is proposing a new provision to ensure that SCI entities develop and maintain a written inventory of their systems and classification. Specifically, new paragraph (a)(2)(viii) in Rule 1001 would require each SCI entity to include in its policies and procedures the maintenance of a written inventory and classification of all of its SCI systems, critical SCI systems, and indirect SCI systems. In addition, 17 CFR 242.1001(a)(2)(viii) (‘‘proposed Rule 1001(a)(2)(viii)’’) would require that the SCI entity’s policies and procedures include a program with respect to the lifecycle management of such systems, including the acquisition, integration, support, refresh, and disposal of such systems, as applicable. This provision would require SCI entities to consider how a system subject to Regulation SCI moves through its lifecycle, from initial acquisition to eventual disposal. The purpose of this provision is to help ensure that an SCI entity is able to identify risks an SCI system may face during its various lifecycle phases.

266 See supra section III.A.2.b.iv (discussing the proposed limitation to the definition of SCI systems for certain SCI broker-dealers).
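The written inventory and lifecycle program that proposed Rule 1001(a)(2)(viii) would require, modeled as an added example (not the Commission's text or any SCI entity's code): each record carries the system's classification and its current lifecycle phase, a transition function enforces the acquisition-to-disposal sequence and refuses to dispose of an in-scope system whose storage has not been sanitized, and a review over the inventory lists stale or unknown patch status and unsanitized disposals. The three classification names come from Regulation SCI; the phase graph, the rule that a system enters scope at integration and leaves it at disposal, the 30-day patch-age limit, the operator field, the vendor name and the sample systems are assumptions for illustration.

```python
"""Constructed example: a written inventory of SCI, critical SCI and indirect
SCI systems with a lifecycle state machine (acquisition -> integration ->
support -> refresh -> disposal).  Not the Commission's text or any SCI entity's
code: the three classification names come from Regulation SCI; the phase
graph, scoping rule, patch-age limit and sample systems are assumptions."""
from dataclasses import dataclass, field
from enum import Enum
from typing import List, Optional, Set, Tuple


class Classification(Enum):
    SCI = "SCI system"
    CRITICAL = "critical SCI system"
    INDIRECT = "indirect SCI system"
    OUT_OF_SCOPE = "not subject to Regulation SCI"


class Phase(Enum):
    ACQUISITION = "acquisition"
    INTEGRATION = "integration"
    SUPPORT = "support"
    REFRESH = "refresh"
    DISPOSAL = "disposal"


# Assumed lifecycle graph: a refresh returns the system to production support;
# disposal is terminal.
TRANSITIONS = {
    Phase.ACQUISITION: {Phase.INTEGRATION},
    Phase.INTEGRATION: {Phase.SUPPORT},
    Phase.SUPPORT: {Phase.REFRESH, Phase.DISPOSAL},
    Phase.REFRESH: {Phase.SUPPORT, Phase.DISPOSAL},
    Phase.DISPOSAL: set(),
}

# Assumed scoping rule: a system "becomes" an SCI system when it is integrated
# with production and is "no longer" one only once it has been disposed of.
IN_SCOPE_PHASES = {Phase.INTEGRATION, Phase.SUPPORT, Phase.REFRESH}


@dataclass
class SystemRecord:
    name: str
    classification: Classification
    phase: Phase
    operator: str                         # "self" or the third-party provider
    patch_age_days: Optional[int] = None  # days since last security patch
    sanitized: bool = False               # storage sanitized before disposal
    history: List[Tuple[Phase, Phase]] = field(default_factory=list)


def in_scope(rec: SystemRecord) -> bool:
    """True while Regulation SCI obligations apply to this record."""
    return (rec.classification is not Classification.OUT_OF_SCOPE
            and rec.phase in IN_SCOPE_PHASES)


def transition(rec: SystemRecord, new_phase: Phase, sanitized: bool = False) -> SystemRecord:
    """Advance a system to its next phase; illegal moves and the disposal of an
    in-scope system without sanitization are refused."""
    if new_phase not in TRANSITIONS[rec.phase]:
        raise ValueError(f"{rec.name}: no transition {rec.phase.value} -> {new_phase.value}")
    if new_phase is Phase.DISPOSAL and in_scope(rec) and not sanitized:
        raise ValueError(f"{rec.name}: disposal of an in-scope system requires sanitization")
    if new_phase is Phase.REFRESH:
        rec.patch_age_days = 0  # a refresh brings software and patches up to date
    rec.history.append((rec.phase, new_phase))
    rec.phase = new_phase
    rec.sanitized = rec.sanitized or sanitized
    return rec


def review_inventory(inventory: List[SystemRecord], max_patch_age_days: int = 30) -> List[str]:
    """Findings a periodic review of the written inventory would raise."""
    findings: List[str] = []
    seen: Set[str] = set()
    for rec in inventory:
        if rec.name in seen:
            findings.append(f"{rec.name}: duplicate inventory entry")
        seen.add(rec.name)
        if rec.classification is Classification.OUT_OF_SCOPE:
            continue
        if rec.phase is Phase.DISPOSAL:
            if not rec.sanitized:
                findings.append(f"{rec.name}: disposed of without sanitization")
            continue
        if not in_scope(rec):  # still being acquired; no obligations yet
            continue
        if rec.patch_age_days is None:
            findings.append(f"{rec.name}: patch status unknown")
        elif rec.patch_age_days > max_patch_age_days:
            findings.append(f"{rec.name}: {rec.patch_age_days} days since last "
                            f"security patch (limit {max_patch_age_days})")
    return findings


def sample_inventory() -> List[SystemRecord]:
    """Constructed sample records; not data from any real SCI entity."""
    return [
        SystemRecord("matching-engine", Classification.CRITICAL, Phase.SUPPORT, "self", 12),
        SystemRecord("market-data-feed", Classification.SCI, Phase.SUPPORT, "self", 75),
        SystemRecord("corp-vpn-gateway", Classification.INDIRECT, Phase.SUPPORT, "ExampleVendor"),
        SystemRecord("legacy-order-router", Classification.SCI, Phase.DISPOSAL, "self"),
        SystemRecord("hr-payroll", Classification.OUT_OF_SCOPE, Phase.SUPPORT, "ExampleVendor"),
    ]


if __name__ == "__main__":
    for line in review_inventory(sample_inventory()):
        print(line)
```

The point of keeping the phase in the record is that the scope question the proposal raises (when a system "becomes" and is "no longer" an SCI system) is answered by data the entity already maintains, so a review can be rerun whenever the inventory changes rather than reconstructed from memory.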
Importantly, SCI entities would need to address the refresh of such systems in their lifecycle management program. Generally, systems that are properly refreshed and updated include up-to-date software and security patches. In addition, the lifecycle management program required in their policies and procedures must address disposal of such systems. Disposal generally should include sanitization of end-of-life systems to help ensure that systems that are no longer intended as SCI systems or indirect SCI systems do not contain sensitive information (e.g., relating to the operations or security of the SCI entity or its systems architecture) that might be unintentionally revealed if such end-of-life systems fall into the wrong hands.267 Thus, this generally would require SCI entities to pinpoint precisely when a given system ‘‘becomes’’ an SCI system (or an indirect SCI system), as well as the point at which it is officially ‘‘no longer’’ an SCI system (or an indirect SCI system).

267 For example, such policies generally should not simply require mere disposal of end-of-life SCI systems but should ensure their effective disposal such that sensitive information (including software, configuration info, middleware, etc.) that could compromise the security of an SCI entity’s data and network is not inadvertently revealed.

b. Request for Comment

56. Do commenters agree with the proposed requirement in proposed Rule 1001(a)(2)(viii) to require SCI entities to include in their policies and procedures the maintenance of a written inventory and classification of all of its SCI systems, critical SCI systems, and indirect SCI systems? Why or why not?

57. Do commenters believe that Regulation SCI should require that SCI entities have a program with respect to the lifecycle management of such systems, including the acquisition, integration, support, refresh, and disposal of such systems, as applicable? Why or why not? Do SCI entities currently maintain such lifecycle management programs? Are there other aspects of lifecycle management that commenters believe should be included in the proposed requirement? If so, please describe.

2. Third-Party Provider Management

a. Third-Party Provider Management Issues

When it adopted Regulation SCI, the Commission recognized that an SCI entity may choose to use third parties to assist it in running its SCI systems and indirect SCI systems. The Commission took into account such scenarios by including the phrase ‘‘or operated by or on behalf of’’ 268 in key definitions such as ‘‘SCI systems,’’ ‘‘critical SCI systems,’’ and ‘‘indirect SCI systems.’’ The inclusion of the phrase ‘‘or on behalf of’’ was intended to make clear that outsourced systems are not excluded and that any such systems were within the scope of Regulation SCI, even when operated not by the SCI entity itself but rather by a third party. In the SCI Adopting Release, the Commission made clear that it was the responsibility of the SCI entity to manage its relationships with such third parties through due diligence, contract terms, and monitoring of third-party performance.269 In addition, as the Commission stated when adopting Regulation SCI, ‘‘[i]f an SCI entity is uncertain of its ability to manage a third-party relationship . . . to satisfy the requirements of Regulation SCI, then it would need to reassess its decision to outsource the applicable system to such third party. (footnotes omitted)’’ 270 An SCI entity may decide to outsource certain functionality to, or utilize the support or services of, a third-party provider (which would include both affiliated providers as well as vendors unaffiliated with the SCI entity) for a variety of reasons.
In selecting a third-party provider to operate an SCI system on its behalf, an SCI entity may be attracted to the potential benefits that it may believe the third-party provider would bring, which could range from cost efficiencies and increased automation to particular expertise the vendor may provide in areas such as security and data latency. Third-party providers may also provide services that an SCI entity may not currently have in-house, such as a particular type of software required to run or monitor a given SCI system, or a data or pricing feed. The Commission believes that the use of third-party providers by SCI entities can be appropriate and even advantageous and preferable in certain instances, given the benefits they may provide when employed appropriately. However, as the Commission discussed in the SCI Adopting Release, when utilizing a third-party provider, an SCI entity is ‘‘responsible for having in place processes and requirements to ensure that it is able to satisfy the requirements of Regulation SCI for systems operated on behalf the SCI entity by a third party.’’ 271 Thus, an SCI entity generally should be aware of the potential costs and risks posed by this choice including, for example: cybersecurity risks (e.g., a compromise in a third-party provider’s systems impacting the systems of the SCI entity); operational risks (e.g., a disruption or shutdown of a third-party provider’s service, or a bankruptcy or cessation of operation of a third-party provider, negatively impacting or disrupting the operation of an SCI system); reputational risks (e.g., a faulty or incorrect input from a third-party provider causing an SCI entity’s output to be incorrect); and legal and regulatory risks (e.g., a third-party provider’s lack of responsiveness or unwillingness to provide the SCI entity necessary information or detail results in an SCI entity missing a reporting or compliance deadline, such as a deadline for reporting an SCI event or taking corrective action on an SCI event).

With the continued and increasing use of third-party providers by SCI entities and, in some cases, with third-party providers playing increasingly important and even critical roles in ensuring the reliable, resilient, and secure operation of SCI systems and indirect SCI systems, the Commission believes that it is appropriate to strengthen Regulation SCI’s requirements with respect to SCI entities’ use of third-party providers and the management of such relationships, as described in detail below.272

In recent years, many types of businesses have turned to cloud service providers (‘‘CSPs’’) to take advantage of their services.273 Today, CSPs can provide a range of support to a wide variety of businesses, with deployment models ranging from public cloud, private cloud, hybrid cloud, and multi-cloud, and service models including Infrastructure as a Service (‘‘IaaS’’), Platform as a Service (‘‘PaaS’’), and Software as a Service (‘‘SaaS’’).274 SCI entities are also engaging with CSPs to assist in operating their SCI systems: some utilize, or have announced their intention to utilize, CSPs for all or nearly all of their applicable systems,275 others have begun moving towards employing CSPs at a more deliberate pace,276 and others continue to explore and consider whether or not to use such services.

268 Emphasis added.
269 See SCI Adopting Release, supra note 1, at 72276.
270 Id.
271 See SCI Adopting Release, supra note 1, at 72276.
272 See infra sections III.C.2.b through d (discussing the proposed rule changes with respect to third-party management programs, third-party providers for critical SCI systems, and third-party provider participation in BC/DR testing).
273 See, e.g., Angus Loten, CIOs Accelerate Pre-Pandemic Cloud Push, Wall St. J. (Apr. 26, 2021).
A decision to move their systems from an ‘‘on-premises,’’ 277 internally run data center to ‘‘the cloud’’ is a significant one, often with potential benefits that may include cost efficiencies, automation, increased security, and resiliency, and entities may also take advantage of such an opportunity to reengineer or otherwise update their systems and applications to run even more efficiently than before. In deciding whether to utilize a CSP, an SCI entity generally should take into account the various factors it would with any other third-party provider.278

274 Additional information relating to the services provided by CSPs is widely available online from CSPs as well as firms that provide consulting services for potential clients of CSPs. FINRA, Cloud Computing in the Securities Industry 3–4 (Aug. 2021), available at https://www.finra.org/sites/default/files/2021-08/2021-cloud-computing-in-the-securities-industry.pdf (providing a summary description of these services). For a discussion of considerations and risks relevant to the use of cloud service providers by entities in the financial services sector, see The Financial Services Sector’s Adoption of Cloud Services, U.S. Dept. of the Treasury (issued February 8, 2023), available at: https://home.treasury.gov/system/files/136/Treasury-Cloud-Report.pdf.
275 See, e.g., FINRA, Podcast: How the Cloud has Revolutionized FINRA Technology (July 30, 2018), available at www.finra.org/media-center/finra-unscripted/how-cloud-has-revolutionized-finra-technology; Securities Exchange Act Release No. 93433 (Oct. 27, 2021), 86 FR 60503 (Nov. 2, 2021) (SR–OCC–2021–802) (Notice of Filing and Extension of Review Period of Advance Notice Relating to OCC’s Adoption of Cloud Infrastructure for New Clearing, Risk Management, and Data Management Applications). See also Huw Jones, Microsoft invests $2 billion in London Stock Exchange, Reuters (Dec. 12, 2022).
However, given the degree to which CSP services may be integral to the operation of SCI systems, SCI entities generally should examine closely any potential relationship and utilization of CSP services. Importantly, regardless of the CSP and service model an SCI entity may be considering, it is the SCI entity’s responsibility to ensure that it can and does comply with Regulation SCI. For example, in describing the services they provide, CSP marketing materials typically describe their service models as ‘‘shared responsibilities’’ between the CSP and client. With respect to an SCI entity’s obligations under Regulation SCI, however, the SCI entity bears responsibility for compliance with the requirements of Regulation SCI, including for SCI systems operated on its behalf by third-party providers. As with other third-party providers that operate SCI systems on behalf of an SCI entity, if an SCI entity is uncertain of its ability to manage a CSP relationship (whether through appropriate due diligence, contract terms, monitoring, or other methods) to satisfy the requirements of Regulation SCI, the SCI entity would need to reassess its decision to outsource the applicable system to such CSP. As with any third-party provider, the SCI entity generally should not rely solely on the reputation of or attestations from a given CSP. In addition, an SCI entity that utilizes a CSP should not view the usage of a CSP from the perspective of being able to turn over its Regulation SCI-related responsibilities to the CSP; instead, an SCI entity generally should ensure that its own personnel have the requisite skills to properly manage and oversee such a relationship, and understand the issues—including technical ones—that may arise from the utilization of a CSP and are relevant to ensure its compliance with Regulation SCI.279

Rule 1001(a)(2)(v) of Regulation SCI requires that an SCI entity’s policies and procedures include business continuity and disaster recovery plans that include maintaining backup and recovery capabilities sufficiently resilient and geographically diverse and that are reasonably designed to achieve next business day resumption of trading and two-hour resumption of critical SCI systems following a wide-scale disruption.280 When the Commission adopted this provision it did not specifically discuss its application to CSPs. Whereas ‘‘on-premises’’ systems are installed and run at a site under the control of an SCI entity, the systems of an SCI entity that reside ‘‘in the public cloud’’ may not be tied to any specific geographic location. However, SCI entities must ensure that their SCI systems, whether ‘‘on-premises’’ or ‘‘in the public cloud,’’ comply with the requirement in Regulation SCI to have backup and recovery capabilities sufficiently resilient and geographically diverse and that are reasonably designed to achieve next business day resumption of trading and two-hour resumption of critical SCI systems following a wide-scale disruption. These provisions of Regulation SCI exist to help limit the downtime caused by wide-scale disruptions. Thus, for example, in determining whether any SCI-related systems ‘‘in the public cloud’’ can meet this requirement, SCI entities generally should understand where their systems will reside (i.e., the locations of the CSP data center site(s) that may be used), and should consider whether those sites provide sufficient geographical diversity and operational resiliency to achieve the resumption requirements of Rule 1001(a)(2)(v).281

As discussed in section III.C.2.b.2 below, the Commission’s proposal includes a requirement that every SCI entity undertake a risk-based assessment of the criticality of each of its third-party providers, including analyses of third-party provider concentration, of key dependencies if the third-party provider’s functionality, support, or service were to become unavailable or materially impaired, and of any potential security, including cybersecurity, risks posed.

276 See, e.g., Nasdaq, Press Release: Nasdaq and AWS Partner to Transform Capital Markets (Nov. 30, 2021), available at www.nasdaq.com/press-release/nasdaq-and-aws-partner-to-transform-capital-markets-2021-12-01; Nasdaq, Press Release: Nasdaq Completes Migration of the First U.S. Options Market to AWS (Dec. 5, 2022), available at https://www.nasdaq.com/press-release/nasdaq-completes-migration-of-the-first-u.s.-options-market-to-aws-2022-12-05.
277 In using the term ‘‘on-premises,’’ the Commission means that the data center’s hardware (e.g., the servers, switches, and other physical machines) is generally under the control of and operated by the SCI entity, even if the data center is physically located in a facility operated by a third party and for which such third party provides or arranges for certain services including, but not limited to, power, water, and physical security.
278 See SCI Adopting Release, supra note 1, at 72275–76. In this section, the Commission discusses many issues that may be relevant for SCI entities to consider in relation to their use of third-party vendors generally, and with respect to cloud service providers specifically. These issues include those that the Commission and its staff have encountered with respect to SCI entities since the adoption and implementation of Regulation SCI; however, this is not meant to be a comprehensive list of all potential issues and considerations, and the Commission welcomes comment on other applicable issues and considerations that commenters believe are relevant for SCI entities with respect to third-party providers.
279 See SCI Adopting Release, supra note 1, at 72276.
This third-party provider assessment may be particularly relevant with respect to CSPs utilized by SCI entities, and an SCI entity may want to take into consideration the degree to which it may be ‘‘locked-in’’ to any given CSP it is considering engaging. As with any third-party provider, it could consider its exit strategies with respect to any potential CSP it might choose and may consider architectural decisions that would enable a quick re-deployment to another CSP if needed. Even when tools, such as containerization,282 exist that are designed to automate and simplify the deployment of systems to CSPs, and which appear at first glance to allow for greater portability among CSPs, SCI entities may want to consider any lock-in effects that utilizing CSP-specific tools might have. In addition, it may be useful for SCI entities to consider the relative benefits and costs of potential alternatives that could reduce dependence on any single CSP. In cases where the use of CSPs is being considered for both primary and backup systems, an SCI entity, taking into account the nature of its systems, may want to consider whether it is appropriate to utilize different CSPs for such systems, as well as whether an ‘‘on-premises’’ backup may be appropriate.

280 See SCI Adopting Release, supra note 1, at 72295. See also infra section III.C.2.c, including notes 292–294 and accompanying text (discussing the proposed modifications to Rule 1001(a)(2)(v)).
281 While CSPs may use slightly different nomenclature, typically, a CSP’s region contains multiple availability zones, and an availability zone contains multiple data centers.
Similarly, SCI entities should generally engage their CSPs to ensure that they can meet the business continuity and disaster recovery requirements of Regulation SCI, which may not apply to the vast majority of a CSP’s other clients. More broadly, an SCI entity should ensure that it is able to meet its regulatory obligations under Regulation SCI, including the notice and dissemination requirements of Rule 1002. When there is a systems issue (including, for example, an outage or a cybersecurity event) at a CSP, a wide swath of CSP clients may be affected. SCI entities have regulatory requirements under Regulation SCI that other CSP clients may not have, and an SCI entity must have information regarding such issues within the time requirements of Regulation SCI to comply with its notice and dissemination requirements.283 An SCI entity should also be cognizant of its data security and recordkeeping obligations under Regulation SCI,284 and generally should consider how the CSP and its employees or contractors would secure confidential information, how and where it would retain information (including all records required to be kept under Regulation SCI), how the information would be accessed by the personnel of the SCI entity, or others, such as those conducting SCI reviews and Commission staff, as well as ensure that such information access will be provided in a manner that provides for its compliance with the requirements of Regulation SCI.

While the discussion above is focused on CSPs, they are only one of many types of third-party providers an SCI entity may utilize. The discussion above is not an exhaustive list of issues SCI entities generally should consider with respect to utilizing CSPs; in addition, while the discussion provides some illustrative examples of areas of potential concern in an SCI entity’s relationship with a CSP, similar issues may be applicable to the relationships between SCI entities and other types of third parties. In addition, some third-party providers may provide key functionality that may not have been widely utilized by SCI entities when Regulation SCI was adopted,285 and the Commission anticipates that third-party providers will likely arise to provide other types of functionality, service, or support to SCI entities that are not contemplated yet today. All the same, the Commission believes that any third-party provider that an SCI entity uses with respect to its SCI systems and indirect SCI systems should be managed appropriately by the SCI entity to help ensure that such utilization of the third-party provider is consistent with the SCI entity’s obligations under Regulation SCI.

282 Containerization allows developers to deploy applications more quickly by bundling an application with its required frameworks, configuration files, and libraries such that it may be run in different computing environments. Container orchestrators allow for automated deployment of identical applications across different environments, and simplify the process for management, scaling, and networking of containers.
283 See, e.g., Rule 1002 (relating to an SCI entity’s obligations with respect to SCI events). See also Rule 1001(c) (which includes requirements that an SCI entity’s policies and procedures include escalation procedures to quickly inform responsible SCI personnel of potential SCI events).
284 See 17 CFR 242.1001(a)(2)(iv) (‘‘Rule 1001(a)(2)(iv)’’) (relating to, among other things, vulnerabilities pertaining to internal threats) and Rule 1005 (relating to recordkeeping requirements related to compliance with Regulation SCI). See also infra section III.C.3.a (discussing newly proposed 17 CFR 242.1001(a)(2)(x) (‘‘proposed Rule 1001(a)(2)(x)’’), relating to unauthorized access to systems and information).
As discussed above, when the Commission adopted Regulation SCI in 2014, it had accounted for the possibility that an SCI entity might utilize third-party providers to operate its SCI systems or indirect SCI systems by incorporating the phrase ‘‘on behalf of’’ in certain key definitions of Regulation SCI.286 In addition, ‘‘outsourcing’’ is one of the ‘‘domains’’ identified by the Commission and its staff.287 Based on the experience of Commission staff, all SCI entities that utilize third-party providers have some level of third-party provider oversight in place. However, given the growing role they are playing with respect to SCI systems and indirect SCI systems, and because the myriad of issues that may arise with respect to third-party providers (including, but not limited to, oversight, access, speed of information flow, security and unauthorized access, loss of expertise internally, and lock-in) may become even more amplified when taking into account the regulatory obligations of SCI entities, the Commission believes that it is appropriate to delineate more clearly requirements with respect to the oversight and management of third-party providers, and thus is proposing to revise Regulation SCI to include additional requirements relating to third-party providers.288

285 One example of this is the services of shadow infrastructure providers, such as edge cloud computing, content delivery networks, and DNS providers.
286 See supra notes 268–270 and accompanying text (discussing ‘‘on behalf of’’).
287 See SCI Adopting Release, supra note 1, at 72302. See also Staff Guidance on Current SCI Industry Standards 5, 8 (Nov. 19, 2014), available at https://www.sec.gov/rules/final/2014/staff-guidance-current-sci-industry-standards.pdf.

b. Third-Party Provider Management Program

The Commission is proposing new 17 CFR 242.1001(a)(2)(ix) (‘‘proposed Rule 1001(a)(2)(ix)’’) regarding third-party provider management.
While some SCI entities may already have a formal vendor management program, the Commission is proposing to require that SCI entities have a third-party provider management program that includes certain elements. Specifically, proposed Rule 1001(a)(2)(ix) would require each SCI entity to include in its policies and procedures required under Rule 1001(a)(1) a program to manage and oversee third-party providers that provide functionality, support or service, directly or indirectly, for its SCI systems and, for purposes of security standards, indirect SCI systems. The Commission is proposing this new provision to help ensure that an SCI entity that elects to utilize a third-party provider will be able to meet its obligations under Regulation SCI.

288 The Commission proposed the Clearing Agency Governance rules in Aug. 2022, which contain, among other proposed requirements, proposed new 17 CFR 240.17Ad–25(i) (‘‘Rule 17Ad–25(i)’’). See Clearing Agency Governance and Conflicts of Interest, Securities Exchange Act Release No. 95431 (Aug. 8, 2022), 87 FR 51812 (Aug. 23, 2022) (proposing policy and procedure requirements for clearing agency board of directors to oversee relationships with service providers for critical services to, among other things, confirm and document that risks related to relationships with service providers for critical services are managed in a manner consistent with its risk management framework, and review senior management’s monitoring of relationships with service providers for critical services, and to review and approve plans for entering into third-party relationships where the engagement entails being a service provider for critical services to the registered clearing agency). Registered clearing agencies that would be subject to proposed Rule 17Ad–25(i), if adopted, would also be subject to Regulation SCI, as proposed to be amended. However, the scope of proposed Rule 17Ad–25(i) is meant to address not only service providers providing technology or systems-based services, but also service providers that would include the clearing agency’s parent company under contract to staff the registered clearing agency, as well as service providers that are investment advisers under contract to help facilitate the closing out of a defaulting participant’s portfolio. See id. at 51836. Commenters are encouraged to review the Clearing Agency Governance proposed rules to determine whether they might affect their comments on this proposal.

i. Third-Party Provider Contract Review

First, the program would be required to include initial and periodic review of contracts with such third-party providers for consistency with the SCI entity’s obligations under Regulation SCI. The Commission believes that it is critical that each SCI entity carefully analyze and understand the impact any third-party providers it chooses to utilize may have on its ability to satisfy its obligations under Regulation SCI. As discussed above,289 the Commission recognizes that many SCI entities may seek to and, in practice, do outsource certain of their SCI-related functionality, support, or service to third parties. As key entities in our securities markets, SCI entities have regulatory obligations that are not placed upon non-SCI entities, and third-party providers SCI entities may utilize may not be familiar with the requirements of Regulation SCI.
As the Commission stated in adopting Regulation SCI, if an SCI entity determines to utilize a third party for an applicable system, ‘‘it is responsible for having in place processes and requirements to ensure that it is able to satisfy the applicable requirements of Regulation SCI for such system.’’ 290 And, if an SCI entity is uncertain of its ability to manage a third-party relationship (including through contract terms, among other methods) to satisfy the requirements of Regulation SCI, ‘‘then it would need to reassess its decision to outsource the applicable system to such third party.’’ 291 Thus, it is incumbent on SCI entities to review their relationships with such third-party providers to ensure that the SCI entities are able to satisfy their obligations under Regulation SCI. In addition, consistent with the current requirement that an SCI entity periodically review the effectiveness of its policies and procedures, this provision would require an SCI entity to review contracts with such third-party providers periodically for consistency with the SCI entity’s obligations under Regulation SCI.

A foundational part of this review is to ensure that any contracts that the SCI entity has with such third-party providers are consistent with the requirements of Regulation SCI. These documents govern the obligations and expectations as between an SCI entity and a third-party provider it utilizes, and the SCI entity is responsible for assessing if these agreements allow it to comply with the requirements of Regulation SCI. For example, an SCI entity generally should consider whether or not it is appropriate to rely on a third-party provider’s standard contract or standard service level agreement (‘‘SLA’’), particularly if such contract or SLA has not been drafted with Regulation SCI’s requirements in mind.

289 See supra section III.C.2.a.
290 See SCI Adopting Release, supra note 1, at 72276.
291 See id.
For example, regardless of whether an SCI entity is negotiating with the dominant provider in the field, has made its best efforts in negotiating contract or SLA terms, or has extracted what it believes to be ‘‘the best terms’’ it (or any client of the third party) could get, if the SCI entity determines that any term in such agreements is inconsistent with such SCI entity’s obligations under Regulation SCI, the SCI entity should reassess whether such outsourcing arrangement is appropriate and will allow it to meet its obligations under Regulation SCI. In addition, in some cases, particularly where the third-party provider would play a significant role in the operation of an SCI entity’s SCI systems or indirect SCI systems, or provide functionality, support, or service to such systems without which there would be a meaningful impact, an SCI entity and its third-party provider may find it useful to negotiate an addendum to any standard contract to separate and highlight the contractual understanding of the parties with respect to SCI-related obligations.

While each contract’s specific terms and circumstances will likely differ, there are several considerations that SCI entities generally should take into consideration when entering into such a contract. For example, SCI entities generally should consider whether a contract raises doubt on its consistency with the SCI entity’s obligations under Regulation SCI (e.g., the contract terms are vague regarding the third-party provider’s obligations to the SCI entity to enable the SCI entity to meet its SCI obligations). Generally, contractual terms should not be silent or lack substance on key aspects of Regulation SCI that would need the third-party provider’s cooperation (e.g., SCI event notifications and information dissemination, and business continuity and disaster recovery for an SCI entity seeking to move its SCI systems to a cloud service provider).
Nor should they undermine the ability of the SCI entity to oversee and manage the third party (e.g., by limiting the ability of the SCI entity’s personnel to assess whether systems operated by a third-party provider on behalf of the SCI entity satisfy the requirements of Regulation SCI). The SCI entity may want to consider and, if appropriate, negotiate provisions that provide priority to the SCI entity’s systems, such as for failover and/or business continuity and disaster recovery (“BC/DR”) scenarios, if needed to meet the SCI entity’s obligations under Regulation SCI. In addition, an SCI entity generally should review the contract for provisions that, by their terms, are inconsistent with Regulation SCI or would otherwise fail to satisfy the requirements of Regulation SCI (e.g., restricting information flow to the SCI entity and/or the Commission and its staff pursuant to a non-disclosure agreement in a manner inconsistent with the requirements of Regulation SCI; specifying response times that are inconsistent with (i.e., slower than) those required by Regulation SCI with respect to notifications regarding SCI events under Rule 1002). The Commission also believes that, to the extent possible, SCI entities may want to avoid defining terms in a contract with a third-party provider differently from how they are used in Regulation SCI, as this may introduce confusion as to the scope and applicability of Regulation SCI.
In addition, although it is a term that may be common in many commercial contracts, provisions that provide the third-party provider with the contractual right to make decisions that would negatively impact an SCI entity’s obligations in its “commercially reasonable discretion” should be carefully considered, as what may be considered “commercially reasonable” for many entities that are not subject to Regulation SCI may not be appropriate for an SCI entity and its SCI systems and indirect SCI systems when taking into consideration the regulatory obligations of Regulation SCI.

ii. Risk-Based Assessment of Third-Party Providers

The Commission is also proposing in proposed Rule 1001(a)(2)(ix) to require each SCI entity to undertake a risk-based assessment of each third-party provider’s criticality to the SCI entity, including analyses of third-party provider concentration, of key dependencies if the third-party provider’s functionality, support, or service were to become unavailable or materially impaired, and of any potential security, including cybersecurity, risks posed. The Commission believes that specifically requiring each SCI entity to undertake a risk-based assessment of each of its third-party providers’ criticality to the SCI entity will help them more fully understand the risks and vulnerabilities of utilizing each third-party provider, and provide the opportunity for the SCI entity to better prepare in advance for contingencies should the provider’s functionality, support, or service become unavailable or materially impaired. In performing this risk-based assessment, SCI entities would be required to consider third-party provider concentration, which would help ensure that they properly account and prepare contingencies or alternatives for an overreliance on a given third-party provider by the SCI entity or by its industry.
In addition, each SCI entity would be required to assess any potential security, including cybersecurity, risks posed by its third-party provider, to help ensure that the SCI entity takes into consideration not only the benefits it believes a third-party provider can provide, but also the security risks involved in utilizing a given provider.

c. Third-Party Providers for Critical SCI Systems

The newly proposed provisions of proposed Rule 1001(a)(2)(ix) discussed above would apply to all SCI entities for all of their SCI systems. However, given the essential nature of critical SCI systems,292 the Commission believes that it is appropriate to require SCI entities to have even more robust policies and procedures with respect to any third-party provider that supports such systems. In adopting Regulation SCI, the Commission stated that critical SCI systems are those SCI systems “whose functions are critical to the operation of the markets, including those systems that represent potential single points of failure in the securities markets [and] . . . are those that, if they were to experience systems issues, the Commission believes would be most likely to have a widespread and significant impact on the securities market.” 293 Therefore, the Commission is proposing to revise Rule 1001(a)(2)(v), which relates to the business continuity and disaster recovery plans of SCI entities. Currently, Rule 1001(a)(2)(v) requires their policies and procedures to include business continuity and disaster recovery plans that include maintaining backup and recovery capabilities sufficiently resilient and geographically diverse and that are reasonably designed to achieve next business day resumption of trading and two-hour resumption of critical SCI systems following a wide-scale disruption. To help ensure that SCI entities are appropriately prepared for any contingency relating to a third-party provider with respect to critical SCI systems, the Commission is proposing to revise Rule 1001(a)(2)(v) to also require the BC/DR plans of SCI entities to be reasonably designed to address the unavailability of any third-party provider that provides functionality, support, or service to the SCI entity without which there would be a material impact on any of its critical SCI systems. As discussed above, the Commission is proposing under proposed Rule 1001(a)(2)(ix) to require each SCI entity to conduct a risk-based assessment of the criticality of each of its third-party providers to the SCI entity. With respect to an SCI entity’s critical SCI systems, the Commission believes the revised provisions of Rule 1001(a)(2)(v) are appropriate to ensure that an SCI entity has considered and addressed in its BC/DR plans how it would deal with a situation in which a third-party provider that provides any functionality, support, or service for any of its critical SCI systems has an issue that would materially impact any such system.

292 Critical SCI systems include systems that directly support functionality relating to: (i) clearance and settlement systems of clearing agencies; (ii) openings, reopenings, and closings on the primary listing market; (iii) trading halts; (iv) initial public offerings; (v) the provision of market data by a plan processor; or (vi) exclusively listed securities. In addition, the definition of critical SCI systems includes a catchall provision for systems that provide functionality to the securities markets for which the availability of alternatives is significantly limited or nonexistent and without which there would be a material impact on fair and orderly markets.
For example, such BC/DR plans generally should not only take into account and address temporary losses of functionality, support, or service—such as a momentary outage that causes a feed to be interrupted or an extended cybersecurity event at the third-party provider—but also consider more extended outage scenarios, including if the third-party provider goes into bankruptcy or dissolves, or if it breaches its contract and decides to suddenly, unilaterally, and/or permanently cease to provide the SCI entity’s critical SCI systems with functionality, support, or service.294 In determining how to satisfy the requirement that policies and procedures be reasonably designed to address the unavailability of any third-party provider that provides functionality, support, or service to the SCI entity without which there would be a material impact on any of its critical SCI systems, an SCI entity could consider whether use of a CSP for its critical SCI systems also warrants maintaining an “on-premises” backup data center or other contingency plan which could be employed in the event of the scenarios noted above.

293 See SCI Adopting Release, supra note 1, at 72277.
294 While such scenarios may appear to be improbable, given the criticality of the critical SCI systems to the SCI entity and U.S. securities markets, SCI entities should have plans in place to account for such scenarios, however remote.

d. Third-Party Provider Participation in BC/DR Testing

With respect to an SCI entity’s business continuity and disaster recovery plans, including its backup systems, Rule 1004 of Regulation SCI requires SCI entities to: (a) establish standards for the designation of those members or participants that the SCI entity reasonably determines are, taken as a whole, the minimum necessary for the maintenance of fair and orderly markets in the event of the activation of such plans; (b) designate members or participants pursuant to such standards and require participation by such designated members or participants in scheduled functional and performance testing of the operation of such plans, in the manner and frequency specified by the SCI entity, provided that such frequency shall not be less than once every 12 months; and (c) coordinate the testing of such plans on an industry- or sector-wide basis with other SCI entities.295 Because the Commission believes that some third-party providers may be of such importance to the operations of an SCI entity, the Commission is proposing to include certain third-party providers in the BC/DR testing requirements of Rule 1004. In the same way SCI entities currently are required to establish standards for and require participation by their members or participants in the annual industry-wide testing required of all SCI entities, the Commission is proposing to add third-party providers as another category of entities. Thus, pursuant to revised paragraph (a) of Rule 1004, an SCI entity would be required also to establish standards for the designation of third-party providers (in addition to members or participants) that it determines are, taken as a whole, the minimum necessary for the maintenance of fair and orderly markets in the event of the activation of the SCI entity’s BC/DR plans. In addition, paragraph (b) of Rule 1004 would require each SCI entity to designate such third-party providers (in addition to members or participants) pursuant to such standards and require their participation in the scheduled functional and performance testing of the operation of such BC/DR plans, which would occur not less than once every 12 months and which would be coordinated with other SCI entities on an industry- or sector-wide basis.

As discussed above, SCI entities often employ a wide array of third-party providers which perform a multitude of different functions, support, or services for them. While many of these third-party providers may provide relatively minor functions, support, or services for an SCI entity, there may be one or more third-party providers of such significance to the operations of an SCI entity that, without the functions, support, or services of such provider(s), the maintenance of fair and orderly markets in the event of the activation of the SCI entity’s BC/DR plans would not be possible. For example, the Commission believes it likely that, for an SCI entity that utilizes a cloud service provider for all, or nearly all, of its operations, such CSP would be of such importance to the operations of the SCI entity and the maintenance of fair and orderly markets in the event of the activation of the SCI entity’s BC/DR plans that it would be required to participate in the BC/DR testing required by Rule 1004.296

295 See 17 CFR 242.1004. See also SCI Adopting Release, supra note 1, at 72347–55 (providing a more detailed discussion of the BC/DR testing requirements under Rule 1004).
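The risk-based assessment in proposed Rule 1001(a)(2)(ix), the BC/DR requirement in revised Rule 1001(a)(2)(v), and the Rule 1004 testing designation discussed above all turn on the same question: which providers' unavailability would leave a critical SCI system with no way to operate. The following is an added example, not part of the proposal and not any SCI entity's tooling, written in Python, that performs that analysis over a constructed inventory. The system and provider names, the criterion that "material impact" means no remaining deployment path, and the concentration metric (share of critical systems that are single points of failure on a provider) are assumptions chosen for illustration.

```python
"""Third-party provider criticality and concentration analysis (added example).

Models an entity's systems, the providers each deployment depends on, and
answers: which providers are single points of failure for critical SCI
systems, how concentrated the critical estate is on each provider, and which
providers would warrant designation for BC/DR testing.
"""
from dataclasses import dataclass
from typing import Dict, FrozenSet, List


@dataclass(frozen=True)
class SciSystem:
    name: str
    critical: bool               # treated as a "critical SCI system" (assumption)
    primary: FrozenSet[str]      # providers the primary deployment depends on
    backup: FrozenSet[str]       # providers the failover deployment depends on; empty = no backup


@dataclass
class ProviderRisk:
    systems_served: List[str]    # every system with any dependency on the provider
    critical_spof: List[str]     # critical systems left with no deployment path if the provider fails
    concentration: float         # share of all critical systems that are SPOF on this provider
    designate_for_bcdr_testing: bool


# Constructed inventory; all system and provider names are hypothetical.
INVENTORY: List[SciSystem] = [
    SciSystem("matching_engine", True, frozenset({"CloudA"}), frozenset({"CloudA"})),
    SciSystem("market_data_feed", True, frozenset({"CloudA", "FeedVendorX"}), frozenset({"ColoB", "FeedVendorX"})),
    SciSystem("clearing_interface", True, frozenset({"ColoB"}), frozenset({"CloudA"})),
    SciSystem("surveillance", False, frozenset({"CloudA", "SaaSY"}), frozenset()),
    SciSystem("member_portal", False, frozenset({"CloudA"}), frozenset({"ColoB"})),
]


def materially_impacted(system: SciSystem, provider: str) -> bool:
    """True when losing `provider` leaves the system with no usable deployment path.

    A path survives only if it exists (non-empty) and does not depend on the
    provider, so a backup hosted on the same provider as the primary does not count.
    """
    return not any(path and provider not in path for path in (system.primary, system.backup))


def assess_providers(inventory: List[SciSystem]) -> Dict[str, ProviderRisk]:
    """Risk-based assessment of every provider appearing in the inventory."""
    critical_total = sum(1 for s in inventory if s.critical)
    providers = sorted({p for s in inventory for p in s.primary | s.backup})
    assessment: Dict[str, ProviderRisk] = {}
    for provider in providers:
        served = [s.name for s in inventory if provider in s.primary | s.backup]
        spof = [s.name for s in inventory if s.critical and materially_impacted(s, provider)]
        concentration = len(spof) / critical_total if critical_total else 0.0
        assessment[provider] = ProviderRisk(served, spof, concentration, bool(spof))
    return assessment


def bcdr_test_designees(assessment: Dict[str, ProviderRisk]) -> List[str]:
    """Providers whose loss would materially impact at least one critical SCI system."""
    return sorted(p for p, risk in assessment.items() if risk.designate_for_bcdr_testing)


def diversity_findings(inventory: List[SciSystem]) -> List[str]:
    """Critical systems whose backup is not provider-diverse from the primary."""
    findings: List[str] = []
    for s in inventory:
        if not s.critical:
            continue
        if not s.backup:
            findings.append(f"{s.name}: no backup deployment")
        elif s.primary & s.backup:
            shared = ", ".join(sorted(s.primary & s.backup))
            findings.append(f"{s.name}: backup shares provider(s) {shared} with primary")
    return findings


if __name__ == "__main__":
    result = assess_providers(INVENTORY)
    for provider, risk in result.items():
        print(f"{provider:12s} serves={len(risk.systems_served)} "
              f"critical_spof={risk.critical_spof} concentration={risk.concentration:.2f}")
    print("designate for BC/DR testing:", bcdr_test_designees(result))
    for finding in diversity_findings(INVENTORY):
        print("diversity:", finding)
```

The diversity check corresponds to the question in the request for comment about requiring a different party for a critical system's backup: a backup hosted on the same provider as the primary adds no resilience against that provider's failure, which is why the matching engine is reported as a single point of failure on CloudA even though it has a backup. Industry-wide concentration (several SCI entities on one provider) needs data the entity does not hold and is not modelled here.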
e. Third-Party Providers of Certain Registered Clearing Agencies

The Commission may examine the provision of services by third-party providers of certain registered clearing agencies. The Financial Stability Oversight Council (“FSOC”) has designated certain financial market utilities (“FMUs”) 297 as systemically important or likely to become systemically important financial market utilities (“SIFMUs”).298 The Payment, Clearing, and Settlement Supervision Act of 2010 (“Clearing Supervision Act”), enacted in Title VIII of the Dodd-Frank Wall Street Reform and Consumer Protection Act of 2010 (“Dodd-Frank Act”), provides for the enhanced regulation of certain FMUs.299 FMUs include clearing agencies that manage or operate a multilateral system for the purpose of transferring, clearing, or settling payments, securities, or other financial transactions among financial institutions or between financial institutions and the FMU.300 For SIFMUs, the Clearing Supervision Act provides for enhanced coordination between the Commission and Federal Reserve Board by allowing for regular on-site examinations and information sharing,301 and further provides that the Commission and CFTC shall coordinate with the Federal Reserve Board to develop risk management supervision programs for SIFMUs jointly.302 In addition, section 807 of the Clearing Supervision Act provides that “[w]henever a service integral to the operation of a designated financial market utility is performed for the designated financial market utility by another entity, whether an affiliate or non-affiliate and whether on or off the premises of the designated financial market utility, the Supervisory Agency may examine whether the provision of that service is in compliance with applicable law, rules, orders, and standards to the same extent as if the designated financial market utility were performing the service on its own premises.” 303 Given the importance of the provision of services by SIFMUs to the U.S. financial system and global financial stability, SIFMU third-party providers may be integral to the operation of the SIFMU and thus be examined by the Commission.

296 Contractual arrangements with applicable third-party providers that require such providers to engage in BC/DR testing could help ensure implementation of this requirement. See also SCI Adopting Release, supra note 1, at 72350 (discussing how contractual arrangements by SCI entities that are not SROs would enable such SCI entities to implement the BC/DR testing requirement for their members or participants).
297 See 12 U.S.C. 5462(6). The definition of “financial market utility” in section 803(6) of the Clearing Supervision Act contains a number of exclusions that include, but are not limited to, certain designated contract markets, registered futures associations, swap data repositories, swap execution facilities, national securities exchanges, national securities associations, alternative trading systems, security-based swap data repositories, security-based swap execution facilities, brokers, dealers, transfer agents, investment companies, and futures commission merchants. See 12 U.S.C. 5462(6)(B).
298 See 12 U.S.C. 5463. An FMU is systemically important if the failure of or a disruption to the functioning of such FMU could create or increase the risk of significant liquidity or credit problems spreading among financial institutions or markets and thereby threaten the stability of the U.S. financial system. See 12 U.S.C. 5462(9). On July 18, 2012, the FSOC designated as systemically important the following then-registered clearing agencies: CME Group (“CME”), DTC, FICC, ICC, NSCC, and OCC. The Commission is the supervisory agency for DTC, FICC, NSCC, and OCC, and the CFTC is the supervisory agency for CME and ICC. The Commission jointly regulates ICC and OCC with the CFTC. The Commission also jointly regulates ICE Clear Europe (“ICEEU”), which has not been designated as systemically important by FSOC, with the CFTC and Bank of England. The Commission also jointly regulated CME with the CFTC until 2015, when the Commission published an order approving CME’s request to withdraw from registration as a clearing agency. See Securities Exchange Act Release No. 76678 (Dec. 17, 2015), 80 FR 79983 (Dec. 23, 2015).
299 The objectives and principles for the risk management standards prescribed under the Clearing Supervision Act shall be to (i) promote robust risk management; (ii) promote safety and soundness; (iii) reduce systemic risks; and (iv) support the stability of the broader financial system. Further, the Clearing Supervision Act states that the standards may address areas such as risk management policies and procedures; margin and collateral requirements; participant or counterparty default policies and procedures; the ability to complete timely clearing and settlement of financial transactions; capital and financial resources requirements for designated FMUs; and other areas that are necessary to achieve the objectives and principles described above. See 12 U.S.C. 5464(b), (c).
300 See 12 U.S.C. 5462(6).
301 See 12 U.S.C. 5466.
302 See 12 U.S.C. 5472; see also Federal Reserve Board, et al., Risk Management Supervision of Designated Clearing Entities (July 2011), available at https://www.federalreserve.gov/publications/other-reports/files/risk-management-supervision-report-201107.pdf (describing the joint supervisory framework of the Commission, CFTC, and Federal Reserve Board).
303 12 U.S.C. 5466.

f. Request for Comment

58. Do SCI entities employ third-party providers to operate SCI systems or indirect SCI systems on their behalf? If so, what types of systems are most frequently operated by third parties?

59. Please describe SCI entities’ use of third-party providers generally, even if they do not operate SCI systems or indirect SCI systems on behalf of an SCI entity. What types of functionality, support, or service do such entities provide to SCI entities? Please describe.

60. The Commission requests commenters’ views on significant issues that they believe SCI entities should take into account with respect to their use of third-party providers and the requirements of Regulation SCI. Are there common or important issues that commenters believe the Commission should focus on in addition to those discussed above? If so, please describe.

61. Do commenters believe it is appropriate to require, as in proposed Rule 1001(a)(2)(ix), that each SCI entity have a program to manage and oversee third-party providers that provide functionality, support or service, directly or indirectly, for its SCI systems and, for purposes of security standards, indirect SCI systems? Do commenters believe that such a program should require an initial and periodic review of contracts with such providers for consistency with the SCI entity’s obligations under Regulation SCI? Why or why not?

62. Do commenters believe that it is appropriate to require each SCI entity to include a risk-based assessment of each third-party provider’s criticality to the SCI entity, including analyses of third-party provider concentration, of key dependencies if the third-party provider’s functionality, support, or service were to become unavailable or materially impaired, and of any potential security, including cybersecurity, risks posed? Why or why not?

63. Are there any third-party providers, or types of third-party providers, that commenters believe an SCI entity or SCI entities rely on in a manner that creates, from the commenters’ point of view, undue concentration risk? If so, please describe.

64. Are there other aspects of third-party provider management that commenters believe should be included in the proposed rule provision? If so, please describe.

65. Do commenters agree with the proposed revisions to Rule 1001(a)(2)(v) to require the BC/DR plans of SCI entities to be reasonably designed to address the unavailability of any third-party provider that provides functionality, support, or service to the SCI entity without which there would be a material impact on any of its critical SCI systems? Why or why not? Do commenters believe that any such providers exist today for the critical SCI systems of SCI entities? If so, please describe. Should the Commission require third-party provider diversity for critical systems of an SCI entity, for example, requiring an SCI entity that utilizes a third-party provider for its critical SCI systems to use a different party (i.e., another third-party provider or operate the critical SCI system itself) for its backup for such systems? Why or why not?

66. Do commenters agree with the proposed revisions to Rule 1004 to require that SCI entities establish standards and designate third-party providers that must participate in BC/DR testing in the annual industry-wide BC/DR testing required by Rule 1004? Why or why not?

3. Security

The Commission recognized the importance of security for the technology systems of SCI entities and included various requirements and provisions in Regulation SCI relating to the security of an SCI entity’s SCI systems.
For example, the rules provide that minimum policies and procedures must provide for, among other things, regular reviews and testing of systems, including backup systems, to identify vulnerabilities from internal and external threats.304 In addition, penetration testing is required as part of the SCI review.305 Recognizing that SCI systems may be vulnerable if other types of systems are not physically or logically separated (or “walled off”), Regulation SCI also specifies that “indirect systems”—defined as systems that, if breached, are reasonably likely to pose a security threat to SCI systems—are also subject to the provisions of Regulation SCI relating to security standards and systems intrusions.306 Thus, the application of Regulation SCI to indirect SCI systems could encourage SCI entities to establish effective controls that result in the core SCI systems being logically or physically separated from other systems that could provide vulnerable entry points into SCI systems, thereby removing these non-SCI systems from the scope of indirect SCI systems.307 Regulation SCI also includes “systems intrusions” 308 as one of three types of SCI events for which SCI entities are required to take corrective action, provide notification to the Commission, and disseminate information to their members and participants.309

Since the adoption of Regulation SCI in 2014, cybersecurity has continued to be a significant concern for SCI entities and non-SCI entities alike. Various studies and surveys have noted significant increases in cybersecurity events 310 across all types of companies in recent years.311 Among these are targeted ransomware attacks that lock access to a victim’s data unless a ransom is paid, and have included certain high-profile incidents involving the local government of a major U.S. city 312 as well as one of the largest oil pipelines in the United States.313 Cybersecurity events have also included widely exploited vulnerabilities that have had widespread impacts across many industries and types of entities.314 Financial sector entities have been vulnerable to cybersecurity events as well, including the Society for Worldwide Interbank Financial Telecommunication (“SWIFT”), an international cooperative of financial institutions that provides secure financial messaging for its members; member banks’ SWIFT environments were the target of a series of cybersecurity events in 2015 and 2016, including one incident in which $81 million was stolen.315 Given the continued and increasing risks associated with cybersecurity for SCI entities, the Commission believes it is appropriate to enhance the cybersecurity provisions of Regulation SCI to help ensure that SCI systems and indirect SCI systems of the most important entities in our securities markets remain secure.

304 See 17 CFR 242.1001(a)(2)(iv).
305 See 17 CFR 242.1003(b)(1)(i).
306 See 17 CFR 242.1000.
307 See SCI Adopting Release, supra note 1, at 72287–89 (discussing systems intrusions).
308 A “systems intrusion” is defined as “any unauthorized entry into the SCI systems or indirect SCI systems of an SCI entity.” See 17 CFR 242.1000.
309 See 17 CFR 242.1002.
310 Cybersecurity events can span a wide variety of types of threats. For example, FINRA summarized common cybersecurity threats faced by broker-dealers to include phishing, imposter websites, malware, ransomware, distributed denial-of-service attacks, and vendor breaches, among others. See FINRA, Common Cybersecurity Threats, available at www.finra.org/rules-guidance/guidance/common-cybersecurity-threats.
311 See, e.g., Financial Services Information Sharing and Analysis Center, Navigating Cyber 2022 (Mar. 2022), available at www.fsisac.com/navigatingcyber2022-report (detailing cyber threats that emerged in 2021 and predictions for 2022); Bree Fowler, Number and cost of cyberattacks continue to grow, new survey says, CNET (Jan. 21, 2022), available at https://www.cnet.com/news/privacy/cyberattacks-continue-to-increase-new-survey-says (citing, among other things, Anomali’s poll of cybersecurity decision makers that 87% of their companies had experienced a cyberattack in the past three years that resulted in damage, disruption, or data breach); Accenture, Triple digit increase in cyberattacks: What next? (Aug. 4, 2021), available at www.accenture.com/us-en/blogs/security/triple-digit-increase-cyberattacks; Chris Morris, Cyberattacks and ransomware hit a new record in 2021, says report, Fast Company (Jan. 25, 2022), available at https://www.fastcompany.com/90715622/cyberattacks-ransomware-data-breach-new-record-2021 (citing report by Identity Theft Resource Center stating that the number of security compromises was up more than 68% in 2021).
312 See, e.g., Stephen Deere, Cost of City of Atlanta’s cyber attack: $2.7 million—and rising, The Atlanta Journal-Constitution (Apr. 12, 2018), available at https://www.ajc.com/news/cost-city-atlanta-cyber-attack-million-and-rising/nABZ3K1AXQYvY0vxqfO1FI/ (describing the costs relating to a five-day ransomware attack on the City of Atlanta in Mar. 2018).
313 See, e.g., Clare Duffy, Colonial Pipeline attack: A ‘wake up call’ about the threat of ransomware, CNN Business (May 16, 2021), available at https://www.cnn.com/2021/05/16/tech/colonial-ransomware-darkside-what-to-know/ (describing the ransomware attack on a pipeline and concerns regarding the potential for similar attacks on critical US infrastructure).
314 See, e.g., David Uberti, et al., The Log4j Vulnerability: Millions of Attempts Made Per Hour to Exploit Software Flaw, Wall Street Journal (Dec. 21, 2021), available at https://www.wsj.com/articles/what-is-the-log4j-vulnerability-11639446180 (discussing the Log4j vulnerability and its mass exploitation).
315 See, e.g., Kim Zetter, That Insane, $81M Bangladesh Bank Heist? Here’s What We Know, WIRED (May 17, 2016), available at https://www.wired.com/2016/05/insane-81m-bangladesh-bank-heist-heres-know/.

a. Unauthorized Access to Systems and Information

While Rule 1001(a)(1) already requires an SCI entity to have policies and procedures reasonably designed to ensure that its SCI systems and indirect SCI systems have levels of security adequate to maintain operational capabilities and promote the maintenance of fair and orderly markets, and Rule 1001(a)(4) specifies that policies and procedures will be deemed reasonable if consistent with current SCI industry standards, Rule 1001(a)(2) is not specific in terms of the need for an SCI entity to have access controls designed to protect both the security of the systems and the information residing therein. Limiting access to SCI systems and indirect SCI systems and the information residing therein to authorized purposes and users is particularly important given that these systems include the core technology of key U.S. securities markets entities, and would help ensure that such systems and information remain safeguarded and protected from unauthorized uses. Proposed Rule 1001(a)(2)(x) would specify that the Rule 1001(a)(1) policies and procedures of SCI entities include a program to prevent the unauthorized access to such systems and information residing therein.
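The indirect SCI systems discussion earlier in this section, and the unauthorized-access program proposed in Rule 1001(a)(2)(x), both come down to reachability: a non-SCI system is in scope when a breach of it could reach an SCI system, and segmentation takes it out of scope by removing that path. The following is an added example, not from the proposal, written in Python, that computes that set from a constructed allow-list of permitted network flows and shows how a segmentation change shrinks it. The system names, the flows and the particular segmentation rules are assumptions; the model treats any permitted flow as a potential attack path regardless of protocol or port, which is deliberately conservative.

```python
"""Indirect SCI system scoping by network reachability (added example).

A non-SCI system is treated as an indirect SCI system when a chain of
permitted flows leads from it into an SCI system. Segmentation rules remove
flows and therefore shrink that set. All names and flows are constructed.
"""
from collections import deque
from typing import Dict, FrozenSet, Iterable, List, Optional, Set, Tuple

Flow = Tuple[str, str]  # (source system, destination system) permitted by the policy

SCI_SYSTEMS: FrozenSet[str] = frozenset({"order_gateway", "matching_engine", "market_data_publisher"})

# Constructed allow-list (hypothetical systems).
ALLOWED_FLOWS: List[Flow] = [
    ("order_gateway", "matching_engine"),          # SCI-internal
    ("matching_engine", "market_data_publisher"),  # SCI-internal
    ("jump_host", "matching_engine"),              # administrative access
    ("corp_workstation", "jump_host"),             # any corporate desktop may reach the jump host
    ("it_mgmt_server", "corp_workstation"),        # endpoint management pushes to desktops
    ("ci_server", "order_gateway"),                # deployment pipeline
    ("wiki", "ci_server"),                         # wiki webhook triggers builds
    ("guest_wifi", "wiki"),                        # guest network can browse the wiki
    ("surveillance_db", "reporting_portal"),       # unrelated; never reaches an SCI system
]

# Hardened policy: cut the guest and wiki paths into the pipeline and replace
# desktop-to-jump-host access with a dedicated privileged workstation.
SEGMENTATION_DENY: Set[Flow] = {("guest_wifi", "wiki"), ("wiki", "ci_server"), ("corp_workstation", "jump_host")}
SEGMENTATION_ADD: List[Flow] = [("privileged_workstation", "jump_host")]


def _adjacency(flows: Iterable[Flow], reverse: bool = False) -> Dict[str, Set[str]]:
    adj: Dict[str, Set[str]] = {}
    for src, dst in flows:
        head, tail = (dst, src) if reverse else (src, dst)
        adj.setdefault(head, set()).add(tail)
    return adj


def indirect_sci_systems(flows: Iterable[Flow], sci: FrozenSet[str]) -> Set[str]:
    """Non-SCI systems from which some SCI system is reachable over permitted flows."""
    upstream = _adjacency(flows, reverse=True)  # destination -> sources allowed to reach it
    seen: Set[str] = set(sci)
    queue = deque(sci)
    while queue:
        node = queue.popleft()
        for src in upstream.get(node, ()):
            if src not in seen:
                seen.add(src)
                queue.append(src)
    return seen - set(sci)


def path_to_sci(flows: Iterable[Flow], sci: FrozenSet[str], source: str) -> Optional[List[str]]:
    """Shortest chain of permitted flows from `source` into an SCI system, or None."""
    downstream = _adjacency(flows)
    parent: Dict[str, Optional[str]] = {source: None}
    queue = deque([source])
    while queue:
        node = queue.popleft()
        if node in sci:
            path: List[str] = []
            cur: Optional[str] = node
            while cur is not None:
                path.append(cur)
                cur = parent[cur]
            return path[::-1]
        for nxt in downstream.get(node, ()):
            if nxt not in parent:
                parent[nxt] = node
                queue.append(nxt)
    return None


def apply_segmentation(flows: Iterable[Flow], deny: Set[Flow], add: Iterable[Flow]) -> List[Flow]:
    """Return the policy with `deny` flows removed and `add` flows appended."""
    return [f for f in flows if f not in deny] + list(add)


HARDENED_FLOWS: List[Flow] = apply_segmentation(ALLOWED_FLOWS, SEGMENTATION_DENY, SEGMENTATION_ADD)

if __name__ == "__main__":
    for label, flows in (("current", ALLOWED_FLOWS), ("hardened", HARDENED_FLOWS)):
        scope = indirect_sci_systems(flows, SCI_SYSTEMS)
        print(f"{label}: {len(scope)} indirect SCI systems: {sorted(scope)}")
        print("  guest_wifi path:", path_to_sci(flows, SCI_SYSTEMS, "guest_wifi"))
```

The path function explains why a system is in scope, which is what an entity needs when choosing between applying the security provisions to that system and cutting the path. Real network policy carries protocol, port and identity-aware restrictions that this flat model ignores, so the computed set is an upper bound to be pruned by analysis, not a final scope determination.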
An SCI entity’s policies and procedures generally should specify appropriate access controls to ensure that its applicable systems and information are protected. Such policies and controls generally should be designed to prevent both unauthorized external intruders and unauthorized internal personnel from accessing these systems and information. This would include, for example, personnel that may be inappropriately accessing certain systems and/or information residing on such systems, though they may have authorized access to other systems, portions of systems, or certain information residing in such systems at the SCI entity. The procedures and access controls at the SCI entity generally should also provide for an appropriate patch management cycle for systems software, to ensure that known software vulnerabilities are identified and patches are deployed and validated in a timely manner, since an unpatched vulnerability is a common route to unauthorized access. The procedures and access controls generally should also be calibrated sufficiently to account for the different levels of access granted to each person with access to any part of the SCI entity’s systems or information. In addition, this requirement would make clear that an SCI entity’s policies and procedures are required to address not only protection of its technology systems, but also of the information residing on such systems. In developing and implementing such policies and procedures, SCI entities generally should develop a clear understanding of the need for access to systems and data, including identifying which users should have access to sensitive systems or data.
In general, such policies and procedures should include: requiring standards of behavior for individuals authorized to access SCI systems and indirect SCI systems and information residing therein, such as an acceptable use policy; identifying and authenticating individual users; establishing procedures for the timing of distribution, replacement, and revocation of passwords or other methods of authentication; restricting access to specific SCI systems or components thereof or information residing therein only to individuals requiring access to such systems or information as is necessary for them to perform their responsibilities or functions for the SCI entity; and securing remote access technologies used to interface with SCI systems.316 Access to systems and data can be controlled through a variety of means, including but not limited to the issuance of user credentials, digital rights management with respect to proprietary hardware and copyrighted software, authentication methods including multifactor authentication as appropriate, tiered access to sensitive information and network resources, and security and access measures that are regularly monitored not only to provide access to authorized users, but also to remove access for users that are no longer authorized (e.g., due to termination of employment).317 As with other policies and procedures required under Rule 1001, SCI entities may, if they choose, look to SCI industry standards in developing their policies and procedures to prevent unauthorized access to information and systems.318
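The access-control elements listed above (removal of access when employment ends, access restricted to what a role requires, multifactor authentication on sensitive and remote access, timed replacement of credentials) are what a periodic access recertification checks mechanically. The following is an added example, not from the proposal and not any SCI entity's tooling, written in Python, that reconciles constructed identity-provider account data against an HR roster and a least-privilege entitlement baseline. The user, system and role names, the 90-day rotation policy, and the rule that an account with no accountable owner in the roster is a revocation candidate are assumptions for illustration.

```python
"""Periodic access recertification for SCI systems (added example).

Reconciles identity-provider accounts against the HR roster and an
entitlement baseline, and flags credentials that violate the MFA and
rotation rules. Each finding carries a recommended action: "revoke" for
accounts that should no longer exist, "review" for entitlements or controls
that need a human decision. All data below is constructed.
"""
from dataclasses import dataclass
from datetime import date
from typing import Dict, FrozenSet, List, Tuple


@dataclass(frozen=True)
class Account:
    user: str
    system: str
    role: str
    mfa: bool
    credential_rotated: date  # last password/key rotation


@dataclass(frozen=True)
class Employee:
    user: str
    active: bool
    job_function: str


@dataclass(frozen=True)
class Finding:
    user: str
    system: str
    action: str  # "revoke" or "review"
    reason: str


SCI_SYSTEMS: FrozenSet[str] = frozenset({"matching_engine", "order_gateway"})
REMOTE_ACCESS: FrozenSet[str] = frozenset({"vpn"})
MAX_CREDENTIAL_AGE_DAYS = 90  # assumed rotation policy

# Least-privilege baseline: the entitlements each job function needs (hypothetical).
BASELINE: Dict[str, FrozenSet[Tuple[str, str]]] = {
    "sre": frozenset({("matching_engine", "admin"), ("order_gateway", "admin"), ("vpn", "user")}),
    "market_ops": frozenset({("matching_engine", "operator"), ("order_gateway", "operator"), ("vpn", "user")}),
    "analyst": frozenset({("surveillance_db", "reader")}),
}

ROSTER: List[Employee] = [
    Employee("alice", True, "sre"),
    Employee("bob", True, "market_ops"),
    Employee("carol", False, "sre"),        # left the firm; IdP account still exists
    Employee("dave", True, "analyst"),
]

ACCOUNTS: List[Account] = [
    Account("alice", "matching_engine", "admin", True, date(2023, 3, 20)),
    Account("alice", "vpn", "user", True, date(2023, 3, 20)),
    Account("bob", "order_gateway", "operator", True, date(2022, 11, 1)),   # stale credential
    Account("bob", "vpn", "user", False, date(2023, 3, 1)),                # remote access without MFA
    Account("carol", "matching_engine", "admin", True, date(2023, 2, 1)),   # terminated user
    Account("dave", "surveillance_db", "reader", False, date(2023, 3, 5)),  # within baseline, non-SCI
    Account("dave", "order_gateway", "operator", True, date(2023, 3, 5)),   # outside analyst baseline
    Account("svc_build", "order_gateway", "deployer", False, date(2023, 1, 1)),  # no owner in roster
]
AS_OF = date(2023, 4, 14)


def recertify(accounts: List[Account], roster: List[Employee],
              baseline: Dict[str, FrozenSet[Tuple[str, str]]], as_of: date) -> List[Finding]:
    """Run every access-control check over each account and collect findings."""
    employees = {e.user: e for e in roster}
    findings: List[Finding] = []
    for acct in accounts:
        emp = employees.get(acct.user)
        if emp is None:
            findings.append(Finding(acct.user, acct.system, "revoke", "no accountable owner in HR roster"))
            continue
        if not emp.active:
            findings.append(Finding(acct.user, acct.system, "revoke", "user no longer employed"))
            continue
        if (acct.system, acct.role) not in baseline.get(emp.job_function, frozenset()):
            findings.append(Finding(acct.user, acct.system, "review",
                                    f"{acct.role} on {acct.system} is outside the {emp.job_function} baseline"))
        if (acct.system in SCI_SYSTEMS or acct.system in REMOTE_ACCESS) and not acct.mfa:
            findings.append(Finding(acct.user, acct.system, "review", "MFA not enforced on SCI or remote access"))
        age_days = (as_of - acct.credential_rotated).days
        if age_days > MAX_CREDENTIAL_AGE_DAYS:
            findings.append(Finding(acct.user, acct.system, "review",
                                    f"credential age {age_days}d exceeds {MAX_CREDENTIAL_AGE_DAYS}d policy"))
    return findings


def revocation_list(findings: List[Finding]) -> List[Tuple[str, str]]:
    """(user, system) pairs that should be removed without further discussion."""
    return sorted({(f.user, f.system) for f in findings if f.action == "revoke"})


if __name__ == "__main__":
    for f in recertify(ACCOUNTS, ROSTER, BASELINE, AS_OF):
        print(f"{f.action:6s} {f.user}@{f.system}: {f.reason}")
```

Revocations are kept separate from reviews because the first can be automated safely (the HR system is authoritative for employment status) while the second needs a human decision. An account that fails two checks produces two findings, so the counts are per control rather than per account.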
Penetration Testing Penetration tests can help entities understand how effective their security policies and controls are in the face of attempted and successful systems intrusions, and assist in revealing the potential threats and vulnerabilities to the entity’s network and controls that might be exploited by malicious attackers to disrupt the operation of their systems, result in stolen confidential information, and damage their reputations. When the Commission adopted Regulation SCI in 2014, it required that SCI entities conduct penetration testing as part of its SCI review 319 but, because of the costs 316 See Exchange Act Cybersecurity Proposal, supra note 10. 317 See Exchange Act Cybersecurity Proposal, supra note 10 (similarly discussing examples of access controls). 318 See Rule 1001(a)(4) of Regulation SCI (defining current SCI industry standards), which is discussed further in infra section III.C.5. 319 Specifically, paragraph (b)(1) of Rule 1003 currently requires that ‘‘[p]enetration test reviews of PO 00000 Frm 00039 Fmt 4701 Sfmt 4702 23183 associated with penetration testing at the time, only required that such tests be conducted once every three years.320 In the time since the adoption of Regulation SCI, cybersecurity has become an even greater and more pervasive concern for all types of businesses, including SCI entities. At the same time, best practices of businesses with respect to penetration testing have evolved such that such tests occur on a much more frequent basis, as businesses confront the threat of cybersecurity events on a wider scale.321 Given this, the Commission is proposing to increase the frequency of penetration testing by SCI entities such that they are conducted at least annually, rather than once every three years. 
The Commission believes that such tests are a critical component of ensuring the cybersecurity health of an SCI entity’s technology systems and that such a frequency would help to ensure that robust measures are in place to protect an SCI entity’s systems from cybersecurity events. In addition, the proposed annual frequency would only be a minimum frequency and SCI entities may choose to adopt even more frequent penetration tests if they feel it appropriate to do so.322 In addition, the Commission is proposing to require that the conduct of such penetration testing include testing by the SCI entity of any vulnerabilities of its SCI entity’s SCI systems and indirect SCI systems identified pursuant to § 242.1001(a)(2)(iv). Currently, the requirement in Rule 1003 with respect to penetration testing does not include this phrase. However, Rule 1001(a)(2)(iv) requires an SCI entity’s policies and procedures to include, the network, firewalls, and production systems shall be conducted at a frequency of not less than once every three years . . .’’. Rule 1003(b)(1). 320 See SCI Adopting Release, supra note 1, at 72344. 321 See, e.g., Fortra, 2022 Penetration Testing Report 14 (July 7, 2022), available at https:// static.fortra.com/core-security/pdfs/guides/cs-2022pen-testing-report.pdf (stating that 42% of respondents conducted penetration testing one or two times a year, and 45% of respondents conducted penetration testing at a more frequent pace); PCI Security Standards Council, Information Supplement: Penetration Testing Guidance 6 (Sept. 2017), available at https://listings.pcisecurity standards.org/documents/Penetration-TestingGuidance-v1_1.pdf (‘‘at least annually and upon significant changes’’). 
322 As discussed further below, as part of the proposed revisions to the SCI review requirement, the Commission is also moving rule provisions relating to the substantive requirements of the SCI review to Rule 1000 under the definition of ‘‘SCI review,’’ while timing requirements relating to the SCI review and the report of the SCI review would be contained in Rule 1003(b). Thus, although currently the requirement relating to penetration test reviews is in Rule 1003, it is now proposed to be in Rule 1000. E:\FR\FM\14APP2.SGM 14APP2 23184 Federal Register / Vol. 88, No. 72 / Friday, April 14, 2023 / Proposed Rules ddrumheller on DSK120RN23PROD with PROPOSALS2 among other things, ‘‘regular reviews and testing . . . to identify vulnerabilities pertaining to internal and external threats . . .’’ The new language with respect to penetration testing (which is proposed to be located in the definition of SCI review in Rule 1000) would require SCI entities to include testing of the vulnerabilities identified pursuant to its regular review and testing requirement in designing its penetration testing. Thus, rather than, for example, running a static annual test against a portion of its SCI systems, this proposed language would require an SCI entity’s penetration testing program to include any identified relevant threats and then conduct penetration testing accordingly, which should help ensure the security and resiliency of SCI systems. c. Systems Intrusions Rule 1000 of Regulation SCI defines a ‘‘systems intrusion’’ as any unauthorized entry into the SCI systems or indirect SCI systems of an SCI entity. 
Systems intrusions are one of three types of SCI events that each SCI entity must monitor for and, when they occur, subject to certain exceptions, an SCI entity must: take corrective action;323 immediately notify the Commission and maintain certain records with respect to the event;324 and promptly disseminate information about the event to applicable members and participants of each SCI entity.325 As discussed in the SCI Adopting Release,326 the definition of systems intrusion has several important characteristics to it, two of which are relevant to the changes proposed. First, because the term ‘‘entry’’ is used in the current definition, the term systems intrusions only applies to ‘‘successful’’ intrusions, thus excluding attempted (i.e., unsuccessful) intrusions. In addition, the term ‘‘entry into’’ implies that the intrusion is limited to events that result in an intruder entering into the SCI entity’s SCI systems or indirect SCI systems, and thus does not include any types of attacks on systems outside of the SCI entity’s SCI systems or indirect SCI systems that nonetheless impact such systems. As discussed above, cybersecurity has become increasingly important for all types of entities, and the same is true for SCI entities. The Commission believes that it is appropriate to expand the definition of systems intrusion to include two additional types of cybersecurity events. The first additional type of systems intrusion would include certain types of incidents that are currently considered to be cybersecurity events that are not included in the current definition, as discussed below.

323 See 17 CFR 242.1002(a).
324 See 17 CFR 242.1002(b) (setting forth the notification and follow-up reporting that is required for a systems intrusion that is not de minimis).
325 See 17 CFR 242.1002(c).
326 See SCI Adopting Release, supra note 1, at 72288.
In addition, the revised definition would ensure that the Commission and its staff are made aware when an SCI entity is the subject of a significant cybersecurity threat, including those that may be ultimately unsuccessful, which would provide important information regarding threats that may be posed to other entities in the securities markets, including other SCI entities. By requiring SCI entities to submit SCI filings for these new types of systems intrusions, the Commission believes that the revised definition of systems intrusion would provide the Commission and its staff more complete information to assess the security status of the SCI entity, and also assess the impact or potential impact that unauthorized activity could have on the security of the SCI entity’s affected systems as well as on other SCI entities and market participants. The proposed definition would have three prongs, the first of which would contain the current requirement that defines any ‘‘unauthorized entry into the SCI systems or indirect SCI systems of an SCI entity’’ as a systems intrusion, and would continue to include a wide range of cybersecurity events. As stated in the SCI Adopting Release, the current definition describes ‘‘any unauthorized’’ entry or ‘‘breach’’ into SCI systems or indirect SCI systems, and includes unauthorized access, whether intentional or inadvertent, by employees or agents of the SCI entity that resulted from weaknesses in the SCI entity’s access controls and/or procedures.327 For example, data breaches are included under the first prong, as are instances in which an employee of an SCI entity accessed an SCI system without proper authorization. It also includes instances in which an employee, such as a systems administrator, was authorized to access a system, but where the employee improperly accessed confidential information within such system.
Similarly, an instance in which members of an SCI entity were properly accessing a system but were inadvertently exposed to the confidential information of other members would likewise fall within this prong.328 The new second prong would expand the definition of systems intrusion to include any cybersecurity event that disrupts, or significantly degrades, the normal operation of an SCI system. This prong is intended to include cybersecurity events on the SCI entity’s SCI systems or indirect SCI systems that cause disruption to such systems, regardless of whether the event resulted in an entry into or access to them. For example, in distributed denial-of-service attacks, the attacker, often using malware-infected machines, typically seeks to overwhelm or drain the resources of the target with illegitimate requests to prevent the target’s systems from providing services to those seeking to access or use them. Unlike cybersecurity events that would qualify under the current definition of systems intrusions (i.e., the first prong of the proposed definition), the objective of these attacks is often simply to disrupt or disable the target’s operations, rendering them unable to run efficiently, or run at all. For example, given the essential role hypervisors play in supporting cloud computing, an attack on a CSP’s hypervisor, which enables the sharing of physical compute and memory resources across multiple virtual machines, could also significantly disrupt or even disable, albeit indirectly, the SCI systems of an SCI entity that is utilizing such CSP, and thus constitute a systems intrusion under the proposed second prong.

327 See SCI Adopting Release, supra note 1, at 72887–89 (providing a more detailed discussion of the current definition of systems intrusions).
Likewise, these systems intrusions could include certain command and control attacks where a malicious actor is able to infiltrate a system to install malware to enable it to send commands to infected devices remotely. Similarly, supply chain attacks that enter an SCI entity’s systems through an apparently authorized means, such as through regular maintenance software updates that—unbeknownst to the software provider and the recipient—contain malicious code, could also be systems intrusions under this proposal.329 Because such cybersecurity events can cause serious harm and disruption to an SCI entity’s operations, the Commission believes that the definition of systems intrusion should be broadened to include cybersecurity events that may not entail actually entering or accessing the SCI entity’s SCI systems or indirect SCI systems, but still cause disruption or significant degradation.

328 See id. (providing a more detailed discussion of the current definition of systems intrusions).
329 See supra note 314 and accompanying text (discussing the Log4j hack).
For this second prong, the Commission believes it is appropriate to utilize language similar to that used in the definition of systems disruption (i.e., ‘‘disrupts, or significantly degrades, the normal operation of an SCI system’’).330 Similar to a systems disruption that occurs within the SCI systems or indirect SCI systems, if a cybersecurity event disrupts, or significantly degrades, an SCI entity’s normal operations,331 it would constitute a systems intrusion under the proposed revised definition, and the obligations and reporting requirements of Rule 1002 would apply.332 The third prong would include any significant attempted unauthorized entry into the SCI systems or indirect SCI systems of an SCI entity, as determined by the SCI entity pursuant to established reasonable written criteria. In contrast to the types of systems intrusions that are part of the first prong of the proposed definition, the third prong is intended to capture unsuccessful, but significant, attempts to enter an SCI entity’s SCI systems or indirect SCI systems. The Commission recognizes that it would be inefficient, inappropriate, and undesirable (for both SCI entities as well as the Commission and its staff) to require that all attempted entries be considered systems intrusions. Rather, the Commission is seeking to include only attempts that an SCI entity believes to be significant attempts to its systems, even if successfully prevented. The term ‘‘significant attempted unauthorized entry’’ would not be defined in the rule. 
Rather, the proposed rule would require each SCI entity to establish reasonable written criteria for it to use to determine whether a significant attempted unauthorized entry has occurred, because the Commission believes that each SCI entity should be granted some degree of discretion and flexibility in determining what constitutes a significant attempted unauthorized entry for its purposes, given that SCI entities differ in nature, size, technology, business model, and other aspects of their businesses.333 However, the Commission believes that certain characteristics of attempted unauthorized entries would generally weigh in favor of such attempted unauthorized entries being considered significant and constituting systems intrusions that should be considered SCI events subject to the requirements of Regulation SCI, including: when an SCI entity becomes aware of reconnaissance that may be leveraged by a threat actor; a targeted campaign that is customized to the SCI entity’s system;334 an attempted cybersecurity event that required the SCI entity’s personnel to triage, even if it was ultimately determined to have no impact; an attempted attack from a known sophisticated advanced threat actor; the depth of the breach in terms of proximity to SCI systems and critical SCI systems; and a cybersecurity event that, if successful, had meaningful potential to result in widespread damage and/or loss of confidential data or information. As with all SCI events, SCI entities would be required under 17 CFR 242.1002(a) (‘‘Rule 1002(a)’’) to take corrective action with respect to any events that were determined to be systems intrusions under the proposed revised definition. In addition, the Commission is proposing to make a revision to the Commission reporting requirements relating to systems intrusions under Rule 1002(b) such that all systems intrusions would be required to be immediately reported to the Commission pursuant to the requirements of Rule 1002(b). Currently, paragraph (b)(5) of Rule 1002 states that the Commission notification requirements under paragraphs (b)(1) through (4) do not apply to any SCI event that has had, or the SCI entity reasonably estimates would have, no or a de minimis impact on the SCI entity’s operations or on market participants (‘‘de minimis SCI events’’).335 Instead, SCI entities are currently required to make, keep and preserve records relating to all such SCI events, and provide a quarterly report of de minimis systems intrusions and systems disruptions pursuant to Rule 1002(b)(5).336 The Commission is proposing to eliminate the de minimis exception’s applicability to systems intrusions, thus requiring all systems intrusions, whether de minimis or non-de minimis, to be reported pursuant to the requirements of 17 CFR 242.1002(b)(1) through (4) (‘‘Rule 1002(b)(1) through (4)’’).337 By their very nature, systems intrusions may be difficult to identify, and assessing the impact of any systems intrusion is often complex and could potentially require a lengthy investigation before any conclusions may be reached with any degree of certainty. Because of this, the Commission recognizes that it may be difficult for SCI entities to make a clear determination in a timely manner of whether a systems intrusion is de minimis. At the same time, the Commission believes that it is important for the Commission and its staff to receive notification of systems intrusions to be aware of potential and actual security threats to individual SCI entities, particularly given that such threats may extend to other market participants in the securities markets, including other SCI entities. Thus, the Commission believes it is appropriate to eliminate systems intrusions from the types of SCI events that may make use of the exception for de minimis SCI events and be quarterly reported, and instead require that each systems intrusion be reported under the framework in Rule 1002(b)(1) through (4).338 Rule 1002(c) sets forth the requirements with respect to disseminating information regarding SCI events to applicable members or participants of SCI entities, and the Commission believes that it would be appropriate that information about systems intrusions under the proposed second prong of the systems intrusion definition (a ‘‘cybersecurity event that disrupts, or significantly degrades, the normal operation of an SCI system’’) be disseminated pursuant to Rule 1002(c)’s requirements.

330 The Commission believes that the term ‘‘cybersecurity event,’’ as used here, would generally be understood to mean ‘‘an unauthorized activity that disrupts or significantly degrades the normal operation of an SCI system.’’
331 See SCI Adopting Release, supra note 1, at 72284 (‘‘SCI entities would likely find it helpful to establish parameters that can aid them and their staff in determining what constitutes the ‘normal operation’ of each of its SCI systems and when such ‘normal operation’ has been disrupted or significantly degraded because those parameters have been exceeded.’’ (footnotes omitted)).
332 Such events may, in some cases, first appear to an SCI entity to be a ‘‘systems disruption’’ but, upon further investigation and understanding of the true cause of the SCI event, may turn out to be both a ‘‘systems intrusion’’ as well as a ‘‘systems disruption.’’ In such cases, the applicable SCI entity should mark the SCI event as both types on its submissions to the Commission on Form SCI.
333 Under 17 CFR 242.1003(a)(1) (‘‘Rule 1003(a)(1)’’), each SCI entity is similarly required to establish reasonable written criteria for identifying a material change to its SCI systems for quarterly reporting to the Commission. See also SCI Adopting Release, supra note 1, at 72341–42 (discussing the definition of material systems change).
334 A wide variety of entities engage in web scanning, which may be in a targeted manner (e.g., looking at certain IP address ranges) or broadly across the internet. Often, such scanning may be for non-malicious purposes such as, for example, indexing website content (for search engines) or mapping networks. Others may engage in such scanning to identify vulnerable systems or websites, which could be to inform vulnerability management identification and remediation efforts or to identify opportunities for exploitation. Because of the wide range of possible uses of scanning and the nature of scanning tools’ interactions with systems, such scanning activity alone is not necessarily indicative of malicious intent or even of a vulnerable system capable of being exploited. However, evidence of further, follow-on activity indicative of a precursor to unauthorized entry may be a factor that an SCI entity should consider in weighing whether a significant attempted unauthorized entry has occurred.
335 Rule 1002(b)(5).
336 Id.
337 To conform to the proposed elimination of de minimis systems intrusions from the quarterly report, Rule 1002(b)(5)(i) would be amended by replacing the phrase ‘‘all such SCI events’’ with the phrase ‘‘all such systems disruptions or systems compliance issues,’’ and Rule 1002(b)(5)(ii) would be amended to no longer include references to systems intrusions and instead read: ‘‘Submit to the Commission a report, within 30 calendar days after the end of each calendar quarter, containing a summary description of such systems disruptions, including the SCI systems affected by such systems disruptions during the applicable calendar quarter.’’
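As an added illustration, not part of the Commission’s release, of what ‘‘reasonable written criteria’’ for a significant attempted unauthorized entry might look like in practice (including footnote 334’s point that scanning alone is not indicative but follow-on activity is), the following Python triage routine applies three hypothetical criteria to constructed log lines. The host inventory, threat-intelligence list, thresholds, log format and log lines are all assumptions made for this example.

```python
"""Triage of attempted unauthorized entries against hypothetical written criteria.
Added example: host inventory, threat-intelligence list, thresholds, log format
and log lines are constructed assumptions, not an SCI entity's real data."""
from collections import defaultdict
from dataclasses import dataclass, field
from datetime import datetime, timedelta

# Assumed host inventory; classification drives the "proximity to SCI systems" factor.
HOST_CLASS = {
    "10.0.1.10": "SCI system",           # e.g. an order-matching host (constructed)
    "10.0.2.20": "indirect SCI system",  # e.g. an administrative jump host (constructed)
    "10.0.9.90": "other",                # corporate website, outside SCI scope (constructed)
}
# Assumed threat-intelligence list of sources attributed to sophisticated actors.
KNOWN_SOPHISTICATED_SOURCES = {"203.0.113.77"}
SCAN_PORT_THRESHOLD = 10                # distinct ports on one host = reconnaissance (assumed)
FOLLOW_ON_WINDOW = timedelta(hours=24)  # follow-on must occur this soon after a scan (assumed)
FOLLOW_ON_KINDS = {"auth_failure", "exploit_attempt"}


@dataclass
class Event:
    ts: datetime
    src: str
    dst: str
    kind: str    # "probe", "auth_failure" or "exploit_attempt"
    detail: str


@dataclass
class Assessment:
    src: str
    significant: bool = False
    reasons: list = field(default_factory=list)


def parse_line(line):
    """Parse one constructed log line: '<iso-ts> <src> -> <dst> <kind> <detail...>'."""
    ts, src, _arrow, dst, kind, *rest = line.split()
    return Event(datetime.fromisoformat(ts), src, dst, kind, " ".join(rest))


def assess_source(src, events):
    """Apply the hypothetical written criteria to every event from one source."""
    events = sorted(events, key=lambda e: e.ts)
    a = Assessment(src)
    # Criterion A: activity attributed to a known sophisticated actor is significant.
    if src in KNOWN_SOPHISTICATED_SOURCES:
        a.significant = True
        a.reasons.append("source attributed to a known sophisticated threat actor")
    # Reconnaissance detection: many distinct ports probed on a single host.
    ports, first_probe = defaultdict(set), {}
    for e in events:
        if e.kind == "probe":
            ports[e.dst].add(e.detail)
            first_probe.setdefault(e.dst, e.ts)
    scanned = [h for h, p in ports.items() if len(p) >= SCAN_PORT_THRESHOLD]
    scan_start = min(first_probe[h] for h in scanned) if scanned else None
    for e in events:
        if e.kind not in FOLLOW_ON_KINDS:
            continue
        cls = HOST_CLASS.get(e.dst, "other")
        # Criterion B: scanning alone is not significant; follow-on activity against an
        # SCI or indirect SCI system within the window after a scan is.
        if (cls != "other" and scan_start is not None
                and scan_start <= e.ts <= scan_start + FOLLOW_ON_WINDOW):
            a.significant = True
            a.reasons.append(f"{e.kind} against {cls} {e.dst} following reconnaissance")
        # Criterion C: an exploit attempt aimed directly at an SCI system is significant
        # on proximity grounds even without prior reconnaissance.
        elif e.kind == "exploit_attempt" and cls == "SCI system":
            a.significant = True
            a.reasons.append(f"exploit attempt directly against SCI system {e.dst}")
    return a


def triage(log_lines):
    """Group parsed events by source address and return {src: Assessment}."""
    by_src = defaultdict(list)
    for line in log_lines:
        e = parse_line(line)
        by_src[e.src].append(e)
    return {src: assess_source(src, evs) for src, evs in by_src.items()}


# Constructed sample log (not real traffic), four sources:
#   198.51.100.5  scans the corporate website only                -> not significant
#   192.0.2.44    scans the jump host, then tries to log in to it -> significant
#   203.0.113.77  one probe, but on the sophisticated-actor list  -> significant
#   198.51.100.8  one failed login to an out-of-scope host        -> not significant
SAMPLE_LOG = (
    [f"2023-04-03T09:{i:02d}:00 198.51.100.5 -> 10.0.9.90 probe tcp/{p}"
     for i, p in enumerate(range(20, 32))]
    + [f"2023-04-03T10:{i:02d}:00 192.0.2.44 -> 10.0.2.20 probe tcp/{p}"
       for i, p in enumerate(range(20, 32))]
    + ["2023-04-03T13:05:00 192.0.2.44 -> 10.0.2.20 auth_failure ssh user=admin",
       "2023-04-03T13:06:00 192.0.2.44 -> 10.0.1.10 auth_failure ssh user=admin",
       "2023-04-03T14:00:00 203.0.113.77 -> 10.0.1.10 probe tcp/443",
       "2023-04-03T15:00:00 198.51.100.8 -> 10.0.9.90 auth_failure http user=test"]
)
```

Calling `triage(SAMPLE_LOG)` flags 192.0.2.44 and 203.0.113.77 as candidates for the entity’s significance determination and leaves the scan-only and out-of-scope sources unflagged; the returned reasons give the analyst the documented basis the rule text asks for.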
However, importantly, in contrast to the more detailed information dissemination requirements for SCI entities in paragraph (c)(1) of Rule 1002 for systems disruptions and systems compliance issues, in recognition of the more sensitive nature of systems intrusions (disclosure of which may alert threat actors of an existing or potential weakness in an SCI entity’s systems, or alert them of an ongoing investigation of a systems intrusion), the Commission’s information dissemination requirements for systems intrusions contained in paragraph (c)(2) of Rule 1002 only require SCI entities to provide a ‘‘summary description’’ for such events.339 In addition, paragraph (c)(2) also permits an SCI entity to delay disclosure of a systems intrusion in cases where the SCI entity ‘‘determines that dissemination of such information would likely compromise the security of the SCI entity’s SCI systems or indirect SCI systems, or an investigation of the systems intrusion, and documents the reasons for such determination.’’340 With respect to information dissemination to an SCI entity’s members or participants, however, the Commission believes that information regarding significant attempted unauthorized entries should not be required to be disseminated to an SCI entity’s members or participants, as any benefits associated with disseminating information about unsuccessful attempted unauthorized entries to members or participants of an SCI entity would likely not be justified due to the distractions that such information would bring, particularly since the SCI entity’s security controls were able, in fact, to repel the cybersecurity event. In addition, disseminating information regarding unsuccessful intrusions could result in the threat actors being unnecessarily alerted that they have been detected, which could make it more difficult to identify the attackers and halt their efforts on an ongoing, more permanent basis. Thus, the Commission is proposing new 17 CFR 242.1002(c)(4)(iii) (‘‘proposed Rule 1002(c)(4)(iii)’’), which would exclude systems intrusions that are significant attempted unauthorized entries into the SCI systems or indirect SCI systems of an SCI entity from the information dissemination requirements of 17 CFR 242.1002(c)(1) through (3) (‘‘Rule 1002(c)(1) through (3)’’).

338 The Commission notes that systems intrusions, as currently defined in Rule 1000 of Regulation SCI, have been relatively infrequent as compared to other types of SCI events, and thus the burden of this proposed change in reporting for systems intrusions under the current definition (which is the first prong of the proposed revised definition of systems intrusions) should be relatively low for SCI entities. For example, in the three-year period from 2019 to 2021, systems intrusions only accounted for 27 of the 10,501 SCI events in total (including both de minimis and non-de minimis SCI events). The Commission requests comment below regarding the frequency of systems intrusions as defined by the second and third prongs of the proposed revised definition of systems intrusion.
339 The information dissemination requirements described here for systems intrusions differ from the analogous requirements for the other two types of SCI events (systems disruptions and systems compliance issues), which require SCI entities to also, among other things, further provide a more detailed description of such SCI events when known. See 17 CFR 242.1002(c)(1).
340 See 17 CFR 242.1002(c)(2) (‘‘Rule 1002(c)(2)’’).

d. Request for Comment

67. Do commenters agree that cybersecurity is an area that the Commission should enhance as part of Regulation SCI? Is it necessary to help ensure that SCI entities maintain a robust technology infrastructure for the SCI systems and indirect SCI systems? Why or why not?

68.
Do commenters agree with the proposed addition of Rule 1001(a)(2)(x), to enumerate that the policies and procedures of SCI entities shall include a program to prevent the unauthorized access to SCI systems and, for purposes of security standards, indirect SCI systems, and information residing therein? Why or why not?

69. Do commenters agree that SCI entities should be required to have an increased frequency of penetration test reviews? Why or why not? Do commenters feel that the requirement to have such tests at least annually is appropriate? How frequently do SCI entities conduct penetration testing today? Do commenters agree with the proposed requirement that the penetration testing include testing of any identified vulnerabilities? Why or why not?

70. Do commenters believe that it is appropriate to modify the definition of systems intrusion as proposed in Rule 1000? Do commenters believe that it would be useful (for example, for SCI entities and the Commission and its staff) to include other types of scenarios in the definition of systems intrusion? If so, which scenarios should be included and why? If not, why not?

71. Do commenters agree with the proposed revisions to the definition of systems intrusions to include the second prong (i.e., for any cybersecurity event that disrupts, or significantly degrades, the normal operation of an SCI system)? Why or why not? Could such events put the security or operational capability of an SCI system at risk? How frequently do commenters believe systems intrusions, as defined by the proposed second prong, occur at SCI entities? The Commission does not define the term ‘‘cybersecurity event’’ in the proposed rule text but, as noted, believes it would generally be understood to mean ‘‘an unauthorized activity that disrupts or significantly degrades the normal operation of an SCI system.’’ Do commenters agree? Do commenters believe it is necessary to provide a definition of the term ‘‘cybersecurity event’’ in the proposed rule text? If so, do commenters agree with the meaning above? If not, how should it be defined? Please be specific.

72. Do commenters believe that significant attempted unauthorized entries into the SCI systems or indirect SCI systems of an SCI entity should be included in the definition of systems intrusions, as under the proposed third prong? Why or why not? Do commenters believe that the Commission should define the term ‘‘significant attempted unauthorized entry,’’ or do commenters believe it is appropriate to require an SCI entity to establish reasonable written criteria to make such determinations to provide SCI entities some degree of discretion and flexibility in determining what constitutes a significant attempted unauthorized entry for its purposes, given differences as between SCI entities? What types of criteria or scenarios do commenters believe should constitute a significant attempted unauthorized entry? Please describe and be specific. How frequently do commenters believe systems intrusions, as defined by the proposed third prong, occur at SCI entities?

73. Do commenters agree with the proposed removal of systems intrusions from the types of de minimis SCI events permitted to be reported quarterly under Rule 1002(b)(5)? Why or why not? Should there be a requirement that SCI events that are systems intrusions, as proposed to be defined, be reported to senior management of an SCI entity? Why or why not?

74. Do commenters agree with the proposed addition of Rule 1002(c)(4)(iii), which would exclude systems intrusions that are significant attempted unauthorized entries from the information dissemination requirements of Rule 1002(c)(1) through (3)? Why or why not?

4. SCI Review

a. Discussion

Rule 1000 currently defines the SCI review to be a review, following established procedures and standards, that is performed by objective personnel having appropriate experience to conduct reviews of SCI systems and indirect SCI systems, and which review contains: (a) a risk assessment with respect to such systems of an SCI entity; and (b) an assessment of internal control design and effectiveness of its SCI systems and indirect SCI systems to include logical and physical security controls, development processes, and information technology governance, consistent with industry standards. Paragraph (b)(1) of Rule 1003 requires each SCI entity to conduct an SCI review of the SCI entity’s compliance with Regulation SCI not less than once each calendar year; however, penetration test reviews of the network, firewalls, and production systems may be conducted at a frequency of not less than once every three years, and assessments of SCI systems directly supporting market regulation or market surveillance may be conducted at a frequency based upon the risk assessment conducted as part of the SCI review, but in no case less than once every three years. Paragraph (b)(2) of Rule 1003 requires SCI entities to submit a report of the SCI review to senior management of the SCI entity for review no more than 30 calendar days after completion of such SCI review, and paragraph (b)(3) requires SCI entities to submit to the Commission, and to the board of directors of the SCI entity or the equivalent of such board, a report of the SCI review, together with any response by senior management, within 60 calendar days after its submission to senior management of the SCI entity. The SCI review is an important part of Regulation SCI because it is a periodic evaluation by objective personnel of an SCI entity’s compliance with SCI and helps the SCI entity to identify weaknesses and vulnerabilities in its systems and controls.
In addition, because of Rule 1003(b)’s reporting requirements, the SCI review and the report of the SCI review help to ensure that the senior management and board of the SCI entity are involved in and aware of the SCI entity’s compliance with the regulation. Finally, the report provides the Commission and its staff insight into the SCI entity’s compliance with Regulation SCI as well, and assists the staff in determining how to follow up with the SCI entity in reviewing and addressing any identified weaknesses and vulnerabilities. The SCI review is currently required to be conducted by ‘‘objective personnel,’’ and the Commission believes that this requirement continues to be appropriate. Thus, as the Commission discussed in the SCI Adopting Release, SCI reviews may be performed by personnel of the SCI entity (such as an internal audit function) or an external firm, provided that such personnel are, in fact, objective and, as required by the rule, have the appropriate experience to conduct reviews of SCI systems and indirect SCI systems.341 As described below, the Commission is proposing a number of revisions to the requirements relating to SCI reviews and for the reports SCI entities submit (both to their board of directors as well as to the Commission).342 The definition of SCI review in Rule 1000 is proposed to be amended to contain the substantive requirements for an SCI review, which would be required to be ‘‘a review, following established and documented procedures and standards, that is performed by objective personnel having appropriate experience to conduct reviews of SCI systems and indirect SCI systems . . .’’ The revised definition of SCI review in Rule 1000 would go on to detail what an SCI review would be required to include and would require the use of appropriate risk management methodology. Specifically, paragraph (1) of the definition would require, with respect to each SCI system and indirect SCI system of the SCI entity, three assessments to be performed by objective personnel conducting the SCI review. The first required assessment would be of the risks related to the capacity, integrity, resiliency, availability, and security. The second assessment would be of internal control design and operating effectiveness to include logical and physical security controls, development processes, systems capacity and availability, information technology service continuity, and information technology governance, consistent with industry standards. The third assessment would be of third-party provider management risks and controls.

341 See SCI Adopting Release, supra note 1, at 72343. The Commission continues to believe that persons who were not involved in the process for development, testing, and implementation of the systems being reviewed would generally be in a better position to identify weaknesses and deficiencies that were not identified in the development, testing, and implementation stages. Thus, any personnel with conflicts of interest that have not been adequately mitigated to allow for objectivity should be excluded from serving in this role, and a person or persons conducting an SCI review should not have a conflict of interest that interferes with their ability to exercise judgment, express opinions, and present recommendations with impartiality. See id.
342 Rule 1000 (definition of SCI review) and Rule 1003(b) both currently contain requirements relating to SCI reviews. As described in this section, the Commission is proposing to focus the definition of SCI review in Rule 1000 on requirements relating to the SCI review itself, whereas Rule 1003(b)’s proposed language would be focused on the required contents of the report of the SCI review, as well as the timelines for when the SCI review is required to be conducted and when the report of the SCI review is required to be provided to senior management and the Commission.
As discussed above, the Commission is also proposing to update the requirement for penetration testing, from the current requirement of at least once every three years to at least annually.343 Finally, the definition of SCI review in Rule 1000 would provide that assessments of SCI systems directly supporting market regulation or market surveillance would be required to be conducted at a frequency based upon the risk assessment conducted as part of the SCI review, but in no case less than once every three years.

It has been the experience of the Commission and its staff that SCI reviews and the reports of such SCI reviews vary among SCI entities in content and detail. To help ensure that every SCI review and report of such a review contains the assessments and related information the Commission and its staff believe is necessary for an SCI entity to be able to assess its compliance with Regulation SCI, the Commission proposes adding certain additional requirements and details with respect to each SCI review and the report of the SCI review that are submitted to the SCI entity’s board and to the Commission.

In the lead-in provision for the definition, the words ‘‘and documented’’ are proposed to be added to ensure that SCI entities and the objective personnel conducting SCI reviews document the work that is done during the SCI review. Documentation is necessary as evidence that the requirements relating to the SCI review are being complied with, and would help ensure that policies and procedures are followed. Documentation is also critical to any follow-on reviews of the work that may be required, such as follow-up on the work of the SCI review by SCI entity personnel (including by its senior management or board of directors) or by the Commission or its staff. In addition, such documentation would facilitate the follow-up required to address deficiencies and weaknesses that may be identified during the SCI review, such as through mitigation and remediation plans.

The proposed definition of SCI review would also require that the SCI review use ‘‘appropriate risk management methodology.’’ The objective personnel conducting the SCI review would be required to establish, document, and utilize a given risk methodology in conducting the SCI review that is appropriate for the SCI entity being reviewed. The Commission is not specifying a particular methodology that a given SCI entity and its objective personnel must use, but rather is providing the flexibility for such objective personnel to determine the risk management methodology that should be utilized, so long as it is appropriate given the SCI entity’s characteristics and risks.

The requirements of the SCI review would apply to each individual SCI system and indirect SCI system, and would require that the SCI review include three specific assessments to be performed by objective personnel.

343 See supra section III.C.3.b (discussing the frequency of required penetration test reviews).
This language is intended to require that each of these assessments be performed by objective personnel—either by those conducting the SCI review or by others that those conducting the SCI review engage for such purposes—rather than utilizing, for example, enterprise or IT risk assessments as the basis for the SCI review after deeming them ‘‘reasonable.’’ The proposed requirement would not specify a particular control framework to be applied for such assessments, but rather would provide flexibility to those conducting the SCI review to choose the methodology they believe to be most appropriate given the particular characteristics and risks of the SCI entity’s systems being assessed, and to undertake the assessments themselves, or to oversee and direct other objective personnel on how the assessments should be performed. The Commission considers the SCI reviews to be an important window into the strength of the technological infrastructure of SCI entities, and into whether the controls implemented by the SCI entity are appropriate and employed properly. In addition, the Commission requires that objective personnel be used to help ensure the impartiality of the review and that the reviewers examine what they believe to be most appropriate for such a review.344 The Commission believes that, by requiring that these assessments be performed by objective personnel, these assessments and tests will be able to provide the SCI entity, its senior management, its board of directors, and the Commission an appropriately impartial and accurate assessment of the risks associated with the SCI entity’s SCI systems and indirect SCI systems.

344 See supra note 341 and accompanying text (discussing ‘‘objective personnel’’).
In the definition of SCI review in Rule 1000, the phrase ‘‘a risk assessment with respect to such systems of an SCI entity’’ would be replaced with an assessment of ‘‘the risks related to the capacity, integrity, resiliency, availability, and security’’ of each such system. The Commission believes that the additional detail in the proposed language would tie the required risk assessment more closely to the key principles of Regulation SCI (found in Rule 1001(a)(1)) relating to the ‘‘capacity, integrity, resiliency, availability and security’’ of each SCI entity’s systems, while maintaining the focus of the assessment on the overall risks associated with such systems. Further, in the definition of SCI review, the phrase ‘‘internal control design and effectiveness’’ would be revised to read ‘‘internal control design and operating effectiveness’’ to clarify that the associated assessment must examine how well the internal controls performed in actual operations, i.e., in practice. Thus, this assessment would look not only at how the controls worked in theory (i.e., as designed), but also in practice (i.e., in operations).345

In addition, the definition of SCI review in Rule 1000 would expand the list of controls to be assessed, adding ‘‘systems capacity and availability’’ and ‘‘information technology service continuity’’ to the current list of ‘‘logical and physical security controls, development processes, and information technology governance.’’ The Commission believes that systems capacity and availability and information technology service continuity are important areas for SCI entities to consider when conducting their SCI reviews, and is proposing to include them on the list of controls reviewed by objective personnel performing the SCI reviews to ensure that these additional areas of controls are assessed during each SCI review. As stated above, the foundational principles of Regulation SCI are set forth in Rule 1001 and require in part that each SCI entity establish, maintain, and enforce written policies and procedures reasonably designed to ensure that its SCI systems and, for purposes of security standards, indirect SCI systems, have levels of capacity, integrity, resiliency, availability, and security adequate to maintain their operational capability and promote the maintenance of fair and orderly markets.346 The proposed addition of ‘‘systems capacity and availability’’ relates to this requirement with respect to ‘‘capacity’’ and ‘‘availability,’’ and ‘‘information technology service continuity’’ relates to this requirement with respect to ‘‘resiliency’’ and ‘‘availability.’’ Together they would require that objective personnel consider whether an SCI entity’s internal controls have been designed and implemented in a manner that achieves these objectives of Regulation SCI, rather than only those currently enumerated regarding security, development processes, and governance.

345 See, e.g., Sunil Bakshi, Tips for Effective Control Design, ISACA (Feb. 9, 2022), available at https://www.isaca.org/resources/news-and-trends/newsletters/atisaca/2022/volume-6/tips-for-effective-control-design; PCAOB, AS2201: An Audit of Internal Controls Over Financial Reporting That is Integrated with An Audit of Financial Statements, available at https://pcaobus.org/oversight/standards/auditing-standards/details/AS2201; and AICPA, AU–C Section 940, An Audit of Internal Controls Over Financial Reporting That is Integrated With an Audit of Financial Statements, available at https://us.aicpa.org/content/dam/aicpa/research/standards/auditattest/downloadabledocuments/au-c-00940.pdf.
New paragraph (1)(C) of the definition of SCI review in Rule 1000 would require an assessment of third-party provider management risks and controls with respect to each of the SCI entity’s SCI systems and indirect SCI systems. As discussed in detail above,347 third-party provider management is an important part of managing the risks posed when an SCI entity uses a third party for functionality, support, or services.

Importantly, the proposed amended definition of SCI review under Rule 1000 uses the phrase ‘‘with respect to each’’ when referencing SCI systems and indirect SCI systems. This wording clarifies that the associated assessments are required to be made for each applicable system for each SCI review (i.e., every year). Thus, the Commission believes it to be appropriate to conduct these assessments for each and every SCI system or, as applicable, indirect SCI system annually, rather than, for example, rotating control testing across several years such that not all systems and/or relevant controls are tested each year. However, in adopting Regulation SCI, the Commission determined to allow assessments of SCI systems directly supporting market regulation or market surveillance to be conducted, based upon a risk assessment, at least once every three years, rather than annually, and the Commission is not amending this provision.348

Proposed paragraph (2) would contain the requirement that penetration test reviews be performed by objective personnel, conducted at least once each year.

346 See supra note 39 and accompanying text.

347 See supra section III.C.2.
As discussed above, the revised requirements relating to SCI reviews would change the frequency in the required penetration testing provision (currently located in Rule 1003(b)(1) but proposed to be relocated to the definition of ‘‘SCI review’’ in Rule 1000) from ‘‘not less than once every three years’’ to at least annually with each SCI review, and would require that such reviews include testing of any identified vulnerabilities of the SCI entity’s SCI systems and indirect SCI systems.349 In addition, the language relating to the frequency of assessments of SCI systems directly supporting market regulation or market surveillance, proposed to be in paragraph (3), would remain unchanged.350

Proposed Rule 1003(b) would continue to include requirements relating to the timeframes for conducting the SCI review (unchanged at ‘‘not less than once each calendar year’’),351 for submitting reports of the SCI review to senior management (unchanged at ‘‘no more than 30 calendar days after completion of such SCI review’’),352 and for submitting them to the Commission (unchanged at ‘‘within 60 calendar days after its submission to senior management’’).353 However, proposed Rule 1003(b)(1) would add the phrase ‘‘for each calendar year during which it was an SCI entity for any part of such calendar year’’ to clarify that, if an SCI entity is an SCI entity for any part of the calendar year, it must conduct the SCI review and submit the associated report of the SCI review to the SCI entity’s senior management and board, as well as to the Commission. Thus, an SCI review would be required for a new SCI entity, even in its first year as an SCI entity and even if its starting date as an SCI entity were not until late in the year. Similarly, if an SCI entity ceased to be an SCI entity during the middle of a calendar year (e.g., an SCI ATS that falls out of the SCI ATS thresholds in July of a given year), it would still be required to submit an SCI review for that portion of the calendar year during which it was an SCI entity. The Commission believes this is appropriate, as the SCI review and the report of the SCI review contain, among other things, assessments of the SCI entity’s compliance with the requirements of Regulation SCI, which help to confirm, through objective personnel, that the capacity, integrity, resiliency, availability and security requirements of Regulation SCI have been met by the entity for the period during which it was an SCI entity.

Rule 1003(b) would also add additional detail on what the report of the SCI review is required to contain. Currently, the rule does not provide any specific requirements with respect to the contents of the report of the SCI review. In the experience of Commission staff, this has resulted in a wide range in the types and quality of SCI reports the Commission receives from SCI entities.

348 See 17 CFR 242.1003(b)(1)(ii).

349 See supra section III.C.3.b and proposed paragraph (2) of the definition of SCI review in Rule 1000 (relating to cybersecurity revisions, including penetration testing). Of course, while SCI entities would be required to conduct penetration test reviews at least annually as part of the SCI review, nothing in the proposed rule would prevent them from conducting penetration testing more frequently if warranted.

350 As noted above, while the substance of the provision relating to the frequency of assessments of SCI systems directly supporting market regulation or market surveillance would remain unchanged, the provision would be moved from current Rule 1003(b)(1)(ii) to proposed paragraph (3) of the definition of SCI review in Rule 1000.

351 See proposed Rule 1003(b)(1).

352 See proposed Rule 1003(b)(2).

353 See proposed Rule 1003(b)(3).
In reviewing the reports, the Commission staff has found certain information particularly important in assessing the SCI review, and as a result the Commission is now revising the rule to require this information to be included in all reports on SCI reviews. Rule 1003(b)(2) would be revised to require the report of the SCI review to include: (i) the dates the SCI review was conducted and the date of completion; (ii) the entity or business unit of the SCI entity performing the review; (iii) a list of the controls reviewed and a description of each such control; (iv) the findings of the SCI review with respect to each SCI system and indirect SCI system, which must include, at a minimum, assessments of: the risks related to the capacity, integrity, resiliency, availability, and security; internal control design and operating effectiveness; and vendor management risks and controls; (v) a summary, including the scope of testing and resulting action plan, of each penetration test review conducted as part of the SCI review; and (vi) a description of each deficiency and weakness identified by the SCI review.

Items (i) and (ii) contain basic administrative information (relating to dates and the entity/unit conducting the SCI review) about the SCI review to identify the period over which the SCI review was conducted and the entity/unit responsible for such review that Commission staff may contact for any questions regarding the SCI review or the report of the SCI review. Item (iii), relating to controls reviewed as part of the SCI review, would assist Commission staff in understanding the scope of the review and, if applicable, also allow staff to identify and request additional information regarding any of the controls listed or any controls it believed to be missing.
Item (iv) would contain the substantive findings of the SCI review and relates to the three assessments that are required to be part of the SCI review under paragraph (1) of the definition of SCI review in Rule 1000. Similarly, item (v) relates to paragraph (2) of the definition of SCI review relating to penetration test reviews and would require an SCI entity to provide a summary of each penetration test review conducted as part of the SCI review.354 Item (v) also would require that the summary include the scope of testing and the resulting action plan. Item (vi) would require a description of each deficiency and weakness identified during the SCI review, including through the assessments and any testing conducted as part of the SCI review. This information is proposed to be included in the report of the SCI review to provide the senior management and board of the SCI entity, as well as the Commission and its staff, with information on the SCI review, including any deficiencies and weaknesses identified by the objective personnel that conducted the SCI review.

The Commission believes that requiring this minimum set of requirements for the report of the SCI review, as described above, would help ensure that SCI entities and the objective personnel that conduct the SCI review include in the report of the SCI review the key pieces of information relating to the SCI review (i.e., information relating to the controls reviewed; substantive findings from the assessments conducted as part of the SCI review; summaries of penetration test reviews; and descriptions of each deficiency and weakness identified) that go towards ensuring that the SCI systems of SCI entities remain robust with respect to their capacity, integrity, resiliency, availability, and security, and are in compliance with the requirements of Regulation SCI.

Finally, the Commission is proposing several revisions to paragraph (b)(3) of Rule 1003, which relates to submission of the report of the SCI review to the Commission and to the board of directors (or its equivalent) of the SCI entity. First, because Rule 1003(b)(2) now contains details relating to the required contents of the report of the SCI review, the Commission is proposing to update the internal cross-reference in paragraph (b)(3) from ‘‘paragraph (b)(1)’’ to ‘‘paragraph (b)(2).’’ The proposed revisions would also require that, when the report is submitted to the board of directors of the SCI entity and the Commission, it must also include the date the report was submitted to senior management. In addition, the revisions would make it mandatory that a response from senior management to the report be included when it is submitted to the Commission and the board, whereas previously the language appeared permissive.

354 The Commission notes that the proposed requirement under item (v) would specify that a summary of each penetration test review be included but does not call for the penetration test review itself to be included. The Commission believes that a summary that includes the scope of testing and action plan of the penetration test would provide Commission staff with sufficient initial information to obtain a broad understanding of what was tested and any vulnerabilities identified, and that Commission staff could, in any case, if it believed it appropriate, request that the SCI entity provide it with a copy of the penetration test review.
The Commission believes that mandating a response from senior management will help ensure that both the SCI entity’s senior management and board are informed of the findings in the report of the SCI review and that the SCI entity’s policies and procedures are reasonably designed, as required by the rule, and as informed by the issues identified in the report.

b. Request for Comment

75. Do commenters agree with the proposed revisions to the definition of ‘‘SCI review’’ in Rule 1000? Why or why not? Do commenters agree with the proposed addition of ‘‘and documented’’ to require that the work relating to the SCI review be documented? Why or why not? Do commenters agree with the proposed addition that the objective personnel conducting the SCI review use ‘‘appropriate risk management methodology?’’ Why or why not? What risk management methodologies do commenters believe would be appropriate for use by SCI entities? Please describe. Does the requirement that SCI reviews be performed by ‘‘objective personnel’’ remain appropriate? For example, should the term ‘‘objective personnel’’ be defined? Why or why not? Should there be a requirement that the SCI review be performed by an independent third party? Why or why not? Should there be a requirement that senior management certify that the SCI review was performed by objective personnel? Why or why not?

76. What are commenters’ views on not specifying a particular control framework to be applied for the internal control assessments? What are the costs and benefits to SCI entities if the Commission required the application of, for example, a suitable, recognized control framework that is established by a body or group that has followed due-process procedures, including the broad distribution of the framework for public comment?

77. With respect to the three assessments proposed to be required by paragraph (1) of the definition of SCI review, do commenters agree that these assessments should be overseen by the objective personnel responsible for the SCI review, rather than utilizing, for example, enterprise or IT risk assessments as the basis for the SCI review after deeming them ‘‘reasonable’’? Why or why not? What is the current practice among objective personnel conducting assessments for SCI reviews? Please describe. What do commenters believe would be the advantages and disadvantages of this proposed requirement?

78. Do commenters believe that it is appropriate that the SCI review include an assessment of ‘‘the risks related to the capacity, integrity, resiliency, availability, and security,’’ as proposed to be required in paragraph (1)(A) of the definition of SCI review under Rule 1000? Why or why not?

79. Do commenters believe that the revisions to the second assessment proposed to be required in paragraph (1)(B) of the definition of SCI review in Rule 1000 (replacing the phrase ‘‘internal control design and effectiveness’’ with ‘‘internal control design and operating effectiveness,’’ and adding ‘‘systems capacity and availability’’ and ‘‘information technology service continuity’’ to the current list of controls to be assessed) are appropriate as part of the SCI review? Why or why not?

80. Do commenters agree that the third assessment proposed to be required as part of the SCI review, relating to third-party provider management risks and controls, is appropriate? Why or why not?

81. Do commenters agree with the revision that the three assessments in paragraph (1) of the definition of SCI review be made ‘‘with respect to each’’ SCI system and indirect SCI system, thereby requiring that these assessments be made for each applicable system for each SCI review every year? Why or why not?

82. Do commenters agree that the SCI review and report of the SCI review should be conducted by an SCI entity ‘‘for each calendar year during which it was an SCI entity for any part of such calendar year,’’ as proposed to be added to Rule 1003(b)(1)? Why or why not?

83. Do commenters believe that the requirements in proposed Rule 1003(b)(2) are appropriate for the report of the SCI review? Why or why not? Do commenters believe additional requirements should be added or that any proposed requirements should be modified or not included? Why or why not? Please describe.

5. Current SCI Industry Standards

a. Overview of Current Rule 1001(a)(4)

Rule 1001(a)(4) of Regulation SCI states that, for purposes of paragraph (a) of Rule 1001, an SCI entity’s policies and procedures will be deemed to be reasonably designed if they are consistent with ‘‘current SCI industry standards.’’ The provision defines ‘‘current SCI industry standards’’ to be ‘‘comprised of information technology practices that are widely available to information technology professionals in the financial sector and issued by an authoritative body that is a U.S. governmental entity or agency, association of U.S. governmental entities or agencies, or widely recognized organization.’’ In addition, Rule 1001(a)(4) also states that compliance with such current SCI industry standards shall not be the exclusive means to comply with the requirements of paragraph (a). Thus, Rule 1001(a)(4) provides a safe harbor for SCI entities to comply with Rule 1001(a) (i.e., they will be deemed to comply if they have policies and procedures that are consistent with current SCI industry standards), while at the same time stating that following such current SCI industry standards is not the sole means of achieving compliance with the rule.

b. Rule 1001(a)(4) Safe Harbor

The Commission believes that utilizing current SCI industry standards is an appropriate way for SCI entities to develop their Rule 1001(a) policies and procedures.
It has been the experience of the Commission and its staff that some SCI entities look to publications issued by the federal government’s National Institute of Standards and Technology (‘‘NIST’’), such as its Framework for Improving Critical Infrastructure Cybersecurity (‘‘NIST Framework’’),355 or frameworks issued by non-governmental bodies such as the International Organization for Standardization (‘‘ISO’’)356 or the Control Objectives for Information and Related Technologies (‘‘COBIT’’),357 and some SCI entities may not point to any specific industry standards at all. In addition, among those SCI entities that utilize industry standards, some may look to a single industry standard for most or all of their policies and procedures, while others may ‘‘mix and match’’ standards for different policies and procedures. And, in some cases, an SCI entity may utilize multiple industry standards for a single set of its policies and procedures. The Commission believes that use of industry standards continues to be an appropriate framework for SCI entities to model their policies and procedures on.358 To make clear that Rule 1001(a)(4)’s reference to and definition of ‘‘current SCI industry standards’’ provides a safe harbor for SCI entities with respect to their Rule 1001(a) policies and procedures, the Commission proposes to add the words ‘‘safe harbor’’ in Rule 1001(a)(4).359

c. Identification of Current SCI Industry Standards Used

In the experience of Commission staff, many SCI entities align their Rule 1001(a) policies and procedures, in part or in whole, with current SCI industry standards, often referencing such standards in communications with Commission staff during inspections or examinations.

355 The NIST Framework is available at https://www.nist.gov/cyberframework/framework.

356 ISO is an independent, non-governmental international organization whose members are national standards bodies and that develops and publishes international standards. See International Organization for Standardization, available at https://www.iso.org.

357 COBIT is a leading framework for the enterprise governance of information and technology and is issued by ISACA, an international professional association focused on information technology governance. See ISACA, available at https://www.isaca.org.

358 We note that, concurrent with the Commission’s adoption of Regulation SCI in 2014, Commission staff stated its views regarding ‘‘current SCI industry standards,’’ including a listing of examples of publications describing processes, guidelines, frameworks, or standards for each inspection area, or domain, that an SCI entity could look to in developing its reasonably designed policies and procedures. See Commission, Staff Guidance on Current SCI Industry Standards (Nov. 19, 2014), available at https://www.sec.gov/rules/final/2014/staff-guidance-current-sci-industry-standards.pdf. Commission staff is reviewing staff statements with respect to Regulation SCI to determine whether any such statements, or portions thereof, should be revised or withdrawn in connection with any adoption of this proposal. These statements include the Staff Guidance on Current SCI Industry Standards, as well as the Responses to Frequently Asked Questions Concerning Regulation SCI, Sept. 2, 2015 (Updated Aug. 21, 2019), available at https://www.sec.gov/divisions/marketreg/regulation-sci-faq.shtml.

359 Specifically, the second sentence of Rule 1001(a)(4) would be revised to read: ‘‘Compliance with such current SCI industry standards as a safe harbor, however, shall not be the exclusive means to comply with the requirements of paragraph (a) of this section.’’
However, some SCI entities do not reference any industry standard(s) for their Rule 1001(a) policies and procedures. In conjunction with the proposed revision to Rule 1001(a)(4), the Commission is proposing to add a new requirement in Rule 1001(a)(2), which lays out certain minimum requirements for an SCI entity’s Rule 1001(a) policies and procedures. Specifically, proposed new 17 CFR 242.1001(a)(2)(xi) (‘‘proposed Rule 1001(a)(2)(xi)’’) would require that an SCI entity’s policies and procedures include ‘‘[a]n identification of the current SCI industry standard(s) with which each such policy and procedure is consistent, if any.’’ SCI entities are not required to avail themselves of the safe harbor of Rule 1001(a)(4) by aligning their policies and procedures required by Rule 1001(a) with current SCI industry standards,360 but for SCI entities that choose to do so, this proposed provision would require them to provide a list of the specific current SCI industry standard(s) with which each of their policies and procedures is consistent. Thus, for example, such SCI entities would be required to identify the standard(s) used for their business continuity and disaster recovery policies and procedures, and separately identify the standard(s) used for their vendor management policies and procedures. In addition, the Commission recognizes that there may be cases in which an SCI entity draws from multiple current SCI industry standards in developing a given policy and procedure, and proposed Rule 1001(a)(2)(xi) recognizes this may be the case (‘‘. . . the current SCI industry standard(s) . . .’’). In such cases, an SCI entity may simply list the multiple standards with which the given policy and procedure is consistent.

d. Request for Comment

84. Do commenters agree with the proposed revisions to Rule 1001(a)(4) relating to current SCI industry standards? Why or why not?

85. Do SCI entities seek to make use of the safe harbor contained in Rule 1001(a)(4) for compliance with Rule 1001(a) of Regulation SCI? Why or why not? With what current SCI industry standard(s) do SCI entities seek to make their policies and procedures consistent?

86. For an SCI entity that seeks to avail itself of the safe harbor, do commenters agree that the SCI entity should identify the current SCI industry standard(s) with which each of its policies and procedures is consistent? Why or why not?

6. Other Changes

Rule 1002(c) of Regulation SCI requires that SCI entities disseminate information to their members or participants regarding SCI events.361 These information dissemination requirements are scaled based on the nature and severity of an event, with SCI entities required to disseminate certain information about the event to members or participants that the SCI entity reasonably estimated to have been affected by the SCI event, and, in the case of a major SCI event, to all members or participants.362 In connection with the proposal to include SCI broker-dealers as SCI entities, the Commission proposes that an SCI broker-dealer be required to disseminate information about an SCI event it is experiencing, in accordance with the requirements of Rule 1002(c), to its ‘‘customers.’’ As discussed above, the Commission proposes to include SCI broker-dealers as SCI entities because it believes that a systems issue at an SCI broker-dealer could, for example, impede the ability of other market participants to trade securities in a fair and orderly manner.
As explained in the SCI Adopting Release, information about an SCI event is likely to be of greatest value to those market participants affected by it, who can use such information to evaluate the event’s impact on their trading and other activities and develop an appropriate response.363 To the extent that an SCI event at a broker-dealer affects its customers (i.e., those with whom it trades or for whom it facilitates trades as an agent), the Commission believes that the SCI broker-dealer should inform them, and do so in the same manner and as required for other SCI entities, pursuant to Rule 1002(c). Similarly, and consistent with the current requirement of Rule 1002(b)(4)(ii)(B), an SCI broker-dealer would be required to include in its notices to the Commission a copy of any information it disseminated to its customers.364 The Commission requests comment on the proposed amendments to Rule 1002(b)(4)(ii)(B) and Rule 1002(c) in section III.A.2.b above, which discusses the proposed definition of an SCI broker-dealer.365

Rule 1005 of Regulation SCI requires SCI entities to make, keep, and preserve certain records related to their compliance with Regulation SCI.366 Rule 1005(c) specifies that the recordkeeping period survives even if an SCI entity ceases to do business or ceases to be registered under the Exchange Act.

360 For SCI entities that do not seek to avail themselves of the safe harbor of Rule 1001(a)(4), the requirements of proposed Rule 1001(a)(2)(xi) would not apply.

361 See 17 CFR 242.1002(c). See also supra section II.B.3 (discussing current Rule 1002(c)).

362 Id.

363 See SCI Adopting Release, supra note 1 at 72334.
The Commission proposes to add that this survival provision applies to an SCI entity ‘‘otherwise ceasing to be an SCI entity.’’ This addition accounts for circumstances not expressly covered; specifically, those in which an SCI entity continues to do business or remains a registered entity, but may cease to qualify as an SCI entity, such as an SCI ATS that no longer satisfies a volume threshold. Such entities would not be excepted from complying with the recordkeeping provisions of Rule 1005 and would be required to make, keep, and preserve their records related to their compliance with Regulation SCI for the period during which they were an SCI entity.

In addition, Form SCI is proposed to be modified to conform the text of the General Instructions and description of the attached Exhibits to the other changes proposed herein. Specifically, the operational aspects of Form SCI filing are unchanged, except to reflect that quarterly reports of SCI events with no or a de minimis impact would pertain only to systems disruptions, and not to systems intrusions.367 Furthermore, the instructions to Exhibit 5 of Form SCI are proposed to be modified to reflect the requirement that an SCI entity’s senior management respond to the report of the SCI review.368 In addition, the Commission proposes to update section I of the General Instructions for Form SCI: Explanation of Terms to reflect the proposed changes in the definitions in Rule 1000, by revising the definitions of SCI entity, SCI review, SCI systems, and Systems Intrusion.

364 Id. See also supra section II.B.3 (discussing current Rule 1002(b)(4)).

365 See supra section III.A.2.b.

366 See 17 CFR 242.1005. Rule 1005(a) of Regulation SCI relates to recordkeeping provisions for SCI SROs, whereas Rule 1005(b) relates to the recordkeeping provision for SCI entities other than SCI SROs.

367 See supra section III.C.3.c (discussing proposed changes to Rule 1002(b)(5)(ii)).
368 See supra section III.C.4 (discussing proposed changes to Rule 1003(b)(3)).

D. SCI Entities Subject to the Exchange Act Cybersecurity Proposal and/or Regulation S–P

1. Discussion

a. Introduction

The Commission separately is proposing the Exchange Act Cybersecurity Proposal,369 and separately is also proposing to amend Regulation S–P.370 As discussed in more detail below, certain types of SCI entities also are or would be subject to the Exchange Act Cybersecurity Proposal and/or Regulation S–P (currently and as it would be amended).371 The Exchange Act Cybersecurity Proposal and Regulation S–P (currently and as it would be amended) have or would have provisions requiring policies and procedures that address certain types of cybersecurity risks.372 The Exchange Act Cybersecurity Proposal also requires certain reporting to the Commission on Form SCIR of certain types of cybersecurity incidents.373 These notification and subsequent reporting requirements of the Exchange Act Cybersecurity Proposal are triggered by a ‘‘significant cybersecurity incident,’’ 374 which could also be an SCI event such as a ‘‘systems intrusion’’ as that term would be defined in current and proposed Rule 1000 of Regulation SCI.375 Finally, the Exchange Act Cybersecurity Proposal and Regulation S–P (currently and as it would be amended) have or would have provisions requiring disclosures of certain cybersecurity incidents.376

Consequently, if the proposed amendments to Regulation SCI and the other proposals are all adopted as proposed, SCI entities could be subject to requirements of that rule that relate to certain proposed requirements of the Exchange Act Cybersecurity Proposal and certain existing and proposed requirements of Regulation S–P. In the Commission’s view, this would be appropriate because, while the current and proposed cybersecurity requirements of Regulation SCI may impose some broadly similar obligations, Regulation SCI has a different scope and purpose than the Exchange Act Cybersecurity Proposal and Regulation S–P.

369 See Exchange Act Cybersecurity Proposal, supra note 10.

370 See Regulation S–P 2023 Proposing Release, supra note 10.

371 See proposed 17 CFR 242.10 of the Exchange Act Cybersecurity Proposal Rule (‘‘Rule 10’’); 17 CFR 248.1 through 248.30 (Regulation S–P). See also section III.D.1.b of this release (discussing the types of SCI entities that are or would be subject to the Exchange Act Cybersecurity Proposal and/or Regulation S–P).

372 See infra section III.D.1.c (discussing the proposed requirements of the Exchange Act Cybersecurity Proposal and the existing and proposed requirements of Regulation S–P to have policies and procedures that address certain cybersecurity risks).

373 See infra section III.D.1.d (discussing the proposed Commission notification requirements of the Exchange Act Cybersecurity Proposal).

374 The Exchange Act Cybersecurity Proposal defines a ‘‘significant cybersecurity incident’’ to be a cybersecurity incident, or a group of related cybersecurity incidents, that: (i) Significantly disrupts or degrades the ability of the market entity to maintain critical operations; or (ii) Leads to the unauthorized access or use of the information or information systems of the market entity, where the unauthorized access or use of such information or information systems results in or is reasonably likely to result in: (A) Substantial harm to the market entity; or (B) Substantial harm to a customer, counterparty, member, registrant, or user of the market entity, or to any other market participant that interacts with the market entity. See proposed § 242.10(a) of the Exchange Act Cybersecurity Proposal.
Moreover, in many instances, compliance with the current and proposed cybersecurity requirements of Regulation SCI that relate to the proposed requirements of the Exchange Act Cybersecurity Proposal and the existing or proposed requirements of Regulation S–P can be accomplished through similar efforts. The specific instances in which the cybersecurity requirements of current and proposed Regulation SCI would relate to the proposed requirements of the Exchange Act Cybersecurity Proposal and the existing or proposed requirements of Regulation S–P are discussed briefly below.

The Commission encourages interested persons to provide comments on the discussion below, as well as on the potential application of Regulation SCI, the Exchange Act Cybersecurity Proposal, and Regulation S–P. More specifically, the Commission encourages commenters: (1) to identify any areas where they believe the relation between the existing or proposed requirements of Regulation SCI and the proposed requirements of the Exchange Act Cybersecurity Proposal and the existing or proposed requirements of Regulation S–P would be particularly costly or create practical implementation difficulties; (2) to provide details on why these instances would be particularly costly or create practical implementation difficulties; and (3) to make recommendations on how to minimize these potential impacts, while also achieving the goal of this proposal to address, among other things, the cybersecurity risks faced by SCI entities.

375 See current and proposed Rule 1000 of Regulation SCI (defining the term ‘‘systems intrusion’’).

376 See infra section III.D.1.e (discussing the proposed disclosure requirements of the Exchange Act Cybersecurity Proposal and the existing and proposed disclosure requirements of Regulation S–P).
To assist this effort, the Commission is seeking specific comment below on these topics.377

b. SCI Entities That Are or Would Be Subject to the Exchange Act Cybersecurity Proposal and/or Regulation S–P

Various SCI entities under this proposal are or would be subject to the Exchange Act Cybersecurity Proposal and/or Regulation S–P (currently and as it would be amended). In particular, most SCI entities under Regulation SCI (currently and as it would be amended) would be subject to the requirements of the Exchange Act Cybersecurity Proposal. Specifically, all SCI entities other than plan processors and SCI competing consolidators that are or would be subject to Regulation SCI also would be subject to the Exchange Act Cybersecurity Proposal as ‘‘covered entities’’ 378 of that proposal. Therefore, if the proposed amendments to Regulation SCI and the Exchange Act Cybersecurity Proposal are all adopted as proposed, these SCI entities would be subject to the requirements of Regulation SCI in addition to the requirements of the Exchange Act Cybersecurity Proposal.

In addition, broker-dealers that would be subject to Regulation SCI and those that operate certain ATSs currently subject to Regulation ATS (i.e., as SCI ATSs or SCI broker-dealers) also are or would be subject to Regulation S–P (currently and as it would be amended).379 Therefore, if the proposed amendments to Regulation SCI and Regulation S–P are all adopted as proposed, broker-dealers could be subject to Regulation SCI in addition to the requirements of Regulation S–P (currently and as it would be amended).

c. Policies and Procedures To Address Cybersecurity Risks

As discussed below, Regulation S–P currently has certain cybersecurity-related provisions. The Exchange Act Cybersecurity Proposal and the proposed amendments to Regulation S–P would add to these requirements. These existing and proposed requirements would relate to certain of the requirements of Regulation SCI (currently and as it would be amended).

377 See infra section III.D.2.

378 The requirements of the Exchange Act Cybersecurity Proposal would apply to broker-dealers, clearing agencies, major security-based swap participants, the MSRB, national securities associations, national securities exchanges, security-based swap data repositories, security-based swap dealers, and transfer agents. See proposed 17 CFR 240.10(a). The Commission believes that a broker-dealer that exceeds one or more of the transaction activity thresholds under the proposed amendments to Regulation SCI (i.e., an SCI broker-dealer) likely would meet one of the broker-dealer definitions of ‘‘covered entity’’ in proposed Rule 10 of the Exchange Act Cybersecurity Proposal given their size and activities. For example, it would either be a carrying broker-dealer, have regulatory capital equal to or exceeding $50 million, have total assets equal to or exceeding $1 billion, or operate as a market maker. See paragraphs (a)(1)(i)(A), (C), (D), and (E) of proposed Rule 10. The Commission is seeking comment in the Exchange Act Cybersecurity Proposal as to whether a broker-dealer that is an SCI entity should be defined specifically as a ‘‘covered entity’’ under proposed Rule 10. See section II.A.10 of the Exchange Act Cybersecurity Proposal. In addition, the Commission requests comment in the Exchange Act Cybersecurity Proposal as to whether plan processors and SCI competing consolidators should be subject to its requirements. See id. The discussion in this section III.D focuses on the requirements of the Exchange Act Cybersecurity Proposal only as they would apply to current and proposed SCI entities.
The Commission believes this result would be appropriate because the policies and procedures requirements of Regulation SCI (currently and as it would be amended) differ in scope and purpose from those of the Exchange Act Cybersecurity Proposal and Regulation S–P, and because the policies and procedures required under Regulation SCI that relate to cybersecurity (currently and as it would be amended) are generally consistent with the proposed requirements of the Exchange Act Cybersecurity Proposal and the existing and proposed requirements of Regulation S–P that pertain to cybersecurity.

i. Different Scope of the Policies and Procedures Requirements

As discussed above in sections II.B and III.C, Regulation SCI (currently and as it would be amended) limits its requirements to SCI systems, which are certain systems of the SCI entity that support specified securities market related functions,380 and indirect SCI systems.381 Therefore, the policies and procedures requirements of Regulation SCI (currently and as it would be amended) that pertain to cybersecurity apply to SCI systems and indirect SCI systems. They do not and would not apply to other systems maintained by an SCI entity.

379 Regulation S–P applies to additional types of market participants that are not or would not be subject to Regulation SCI. See 17 CFR 248.3. For example, with regard to the proposed inclusion of broker-dealers, Regulation SCI would only be applicable to an estimated 17 broker-dealers under the proposed definition of SCI broker-dealer. The discussion in this section III.D focuses on the current and proposed requirements of Regulation S–P only as they would apply to current and proposed SCI entities.

380 See 17 CFR 242.1000 (defining ‘‘SCI systems’’). See also supra section II.B.1.

381 See 17 CFR 242.1000 (defining ‘‘indirect SCI systems’’). See also supra section II.B.1.
Regulation S–P’s safeguards provisions currently apply to customer records and information.382 Regulation S–P defines ‘‘customer’’ to mean a consumer who has a customer relationship with the broker-dealer.383 Regulation S–P further defines the term ‘‘consumer’’ to mean an individual who obtains or has obtained a financial product or service from the broker-dealer that is to be used primarily for personal, family, or household purposes, or that individual’s legal representative.384 Regulation S–P’s disposal provisions apply to consumer report information maintained for a business purpose.385 Regulation S–P currently defines ‘‘consumer report information’’ to mean any record about an individual, whether in paper, electronic or other form, that is a consumer report or is derived from a consumer report and also a compilation of such records.386 The Commission is separately proposing to amend the scope of information covered under both the Regulation S–P safeguards provisions and the Regulation S–P disposal provisions.387 The amendments, however, would not fundamentally broaden the scope of these provisions. Therefore, the existing and proposed policies and procedures requirements of the Regulation S–P safeguards and disposal provisions that pertain to cybersecurity would apply to customer and consumer-related information. They do not and would not apply to other types of information stored on the information systems of the broker-dealer.388

Regulation SCI (currently and as it would be amended), the Exchange Act Cybersecurity Proposal, and Regulation S–P (currently and as it would be amended) would, therefore, differ in scope. The Exchange Act Cybersecurity Proposal would require covered entities to establish, maintain, and enforce written policies and procedures that are reasonably designed to address their cybersecurity risks.389 Therefore, the Exchange Act Cybersecurity Proposal does not limit its application to certain systems or information residing on those systems based on the functions and operations performed by the covered entity through the system or the use of the information residing on the system, unlike Regulation SCI (currently and as it would be amended). In addition, the Exchange Act Cybersecurity Proposal does not limit its application to a specific type of information residing on an information system, unlike Regulation S–P (currently and as it would be amended).

ii. Consistency of the Policies and Procedures Requirements

The Commission also believes that it would be appropriate to apply Regulation SCI to SCI entities even if they also are subject to the requirements of the Exchange Act Cybersecurity Proposal and/or Regulation S–P (currently and as it would be amended) because an SCI entity could use one comprehensive set of policies and procedures to satisfy the requirements of the current and proposed cybersecurity-related policies and procedures requirements of Regulation SCI, the Exchange Act Cybersecurity Proposal, and Regulation S–P. As explained below, the more focused current and proposed policies and procedures requirements of Regulation SCI and Regulation S–P addressing certain cybersecurity risks would logically fit within and be consistent with the broader policies and procedures required under the Exchange Act Cybersecurity Proposal to address all cybersecurity risks (including those outside of SCI systems and indirect SCI systems). SCI entities that would be covered entities under the proposed requirements of the Exchange Act Cybersecurity Proposal would be subject to the proposed policies and procedures requirements of the Exchange Act Cybersecurity Proposal. In addition, broker-dealers that would be subject to Regulation SCI and those that operate certain ATSs currently subject to Regulation ATS (i.e., as SCI ATSs or SCI broker-dealers) are subject to the requirements of Regulation S–P (currently and as it would be amended).

General Cybersecurity Policies and Procedures Requirements. Regulation SCI, Regulation S–P, and the Exchange Act Cybersecurity Proposal all include requirements that address certain cybersecurity-related risks.

382 See 17 CFR 248.30(a).

383 See 17 CFR 248.3(j).

384 See 17 CFR 248.3(g)(1).

385 See 17 CFR 248.30(b)(2).

386 See 17 CFR 248.30(b)(1)(ii).

387 See Regulation S–P 2023 Proposing Release.

388 Additionally, Regulation S–P (currently and as it would be amended) implicates cybersecurity to the extent that customer records or information or consumer report information is stored on an information system (e.g., on a computer). If this information is stored in paper form (e.g., in a file cabinet), the requirements of Regulation S–P apply but the policies and procedures required under the rule would need to address risks that are different than cybersecurity risks—for example, the physical security risk that individuals could gain unauthorized access to the room or file cabinet where the paper records are stored as compared to the cybersecurity risk that individuals could gain unauthorized access to the information system on which the records are stored electronically.

389 See paragraphs (b) and (e) of proposed Rule 10 (setting forth the requirements of covered entities, among others, to have policies and procedures to address their cybersecurity risks).
Regulation SCI requires an SCI entity to have reasonably designed policies and procedures to ensure that its SCI systems and, for purposes of security standards, indirect SCI systems, have levels of capacity, integrity, resiliency, availability, and security, adequate to maintain the SCI entity’s operational capability and promote the maintenance of fair and orderly markets.390 Regulation S–P’s safeguards provisions require broker-dealers to adopt written policies and procedures that address administrative, technical, and physical safeguards for the protection of customer records and information.391 Additionally, Regulation S–P’s disposal provisions require broker-dealers that maintain or otherwise possess consumer report information for a business purpose to properly dispose of the information by taking reasonable measures to protect against unauthorized access to or use of the information in connection with its disposal.392

Rule 10 of the Exchange Act Cybersecurity Proposal would require a covered entity to establish, maintain, and enforce written policies and procedures that are reasonably designed to address the covered entity’s cybersecurity risks. These requirements are designed to position covered entities to be better prepared to protect themselves against cybersecurity risks, to mitigate cybersecurity threats and vulnerabilities, and to recover from cybersecurity incidents. They are also designed to help ensure that covered entities focus their efforts and resources on the cybersecurity risks associated with their operations and business practices. A covered entity that implements reasonably designed policies and procedures in compliance with the requirements of the Exchange Act Cybersecurity Proposal that cover its SCI systems and indirect SCI systems should generally satisfy the current and proposed general policies and procedures requirements of Regulation SCI that pertain to cybersecurity.393 Similarly, policies and procedures implemented by a broker-dealer that is an SCI entity that are reasonably designed in compliance with the current and proposed cybersecurity requirements of Regulation SCI should generally satisfy the existing general policies and procedures requirements of Regulation S–P safeguards and disposal provisions discussed above that pertain to cybersecurity.

Requirements to Oversee Service Providers. Under the amendments to Regulation SCI, the policies and procedures required of SCI entities would need to include a program to manage and oversee third-party providers that provide functionality, support or service, directly or indirectly, for SCI systems and indirect SCI systems, and are discussed above in more detail in section III.C.2.

390 See 17 CFR 242.1001(a)(1).

391 See 17 CFR 248.30(a).

392 See 17 CFR 248.30(b)(2). Regulation S–P currently defines the term ‘‘disposal’’ to mean: (1) the discarding or abandonment of consumer report information; or (2) the sale, donation, or transfer of any medium, including computer equipment, on which consumer report information is stored. See 17 CFR 248.30(b)(1)(iii).
In addition, proposed amendments to Regulation S–P’s safeguards provisions would require broker-dealers to include written policies and procedures within their response programs that require their service providers, pursuant to a written contract, to take appropriate measures that are designed to protect against unauthorized access to or use of customer information, including notification to the broker-dealer in the event of any breach in security resulting in unauthorized access to customer information maintained by the service provider to enable the broker-dealer to implement its response program.394

Proposed Rule 10 of the Exchange Act Cybersecurity Proposal would have several policies and procedures requirements that are designed to address similar cybersecurity-related risks to these proposed amendments to Regulation SCI and Regulation S–P. First, a covered entity’s policies and procedures under proposed Rule 10 would need to require periodic assessments of cybersecurity risks associated with the covered entity’s information systems and information residing on those systems.395 This element of the policies and procedures would need to include requirements that the covered entity identify its service providers that receive, maintain, or process information, or are otherwise permitted to access its information systems and any of its information residing on those systems, and assess the cybersecurity risks associated with its use of these service providers.396 Second, under proposed Rule 10, a covered entity’s policies and procedures would need to require oversight of service providers that receive, maintain, or process its information, or are otherwise permitted to access its information systems and the information residing on those systems, pursuant to a written contract between the covered entity and the service provider, and through that written contract the service providers would need to be required to implement and maintain appropriate measures that are designed to protect the covered entity’s information systems and information residing on those systems.397 A covered entity that implements these requirements of proposed Rule 10 of the Exchange Act Cybersecurity Proposal with respect to its SCI systems and indirect SCI systems should generally satisfy the proposed requirements of Regulation SCI that the SCI entity’s policies and procedures include a program to manage and oversee third-party providers that provide functionality, support or service, directly or indirectly, for SCI systems and indirect SCI systems. Similarly, a broker-dealer that is an SCI entity that implements these requirements of Regulation SCI should generally comply with the proposed requirements of Regulation S–P’s safeguards provisions relating to the oversight of service providers.

Unauthorized Access Requirements. Under the proposed amendments to Regulation SCI, SCI entities would be required to have a program to prevent the unauthorized access to their SCI systems and indirect SCI systems, and information residing therein, and are discussed above in more detail in section III.C.3.a.

393 The CAT System is a facility of each of the Participants and an SCI system. See also Joint Industry Plan; Order Approving the National Market System Plan Governing the Consolidated Audit Trail, Securities Exchange Act Release No. 79318 (Nov. 15, 2016), 81 FR 84696, 84758 (Nov. 23, 2016) (‘‘CAT NMS Plan Approval Order’’). It would also qualify as an ‘‘information system’’ of each national securities exchange and each national securities association under the Exchange Act Cybersecurity Proposal. The CAT NMS Plan requires the CAT’s Plan Processor to follow certain security protocols and industry standards, including the NIST Cyber Security Framework, subject to Participant oversight. See, e.g., CAT NMS Plan at Appendix D, Section 4.2. For the reasons discussed above and below with respect to SCI systems, the policies and procedures requirements of Regulation SCI are not intended to be inconsistent with the security protocols set forth in the CAT NMS Plan. Moreover, to the extent the CAT NMS Plan requires security protocols beyond those that would be required under Regulation SCI, those additional security protocols should generally fit within and be consistent with the policies and procedures required under the Exchange Act Cybersecurity Proposal to address all cybersecurity risks.

394 See Regulation S–P 2023 Proposing Release.

395 See paragraph (b)(1)(i)(A) of proposed Rule 10; see also section II.B.1.a of the Exchange Act Cybersecurity Proposal (discussing this requirement in more detail).

396 See paragraph (b)(1)(i)(A)(2) of proposed Rule 10.

397 See paragraph (b)(1)(iii)(B) of proposed Rule 10; see also section II.B.1.c of this release (discussing this requirement in more detail).
The proposed amendments to Regulation S–P’s disposal provisions would require broker-dealers that maintain or otherwise possess consumer information or customer information for a business purpose to properly dispose of this information by taking reasonable measures to protect against unauthorized access to or use of the information in connection with its disposal.398 The broker-dealer would be required to adopt and implement written policies and procedures that address the proper disposal of consumer information and customer information in accordance with this standard.399 Proposed Rule 10 of the Exchange Act Cybersecurity Proposal would have several policies and procedures requirements that are designed to address similar cybersecurity-related risks to these proposed requirements of Regulation SCI and the proposed disposal provisions of Regulation S–P. First, a covered entity’s policies and procedures under proposed Rule 10 would need controls: (1) requiring standards of behavior for individuals authorized to access the covered entity’s information systems and the information residing on those systems, such as an acceptable use policy; (2) identifying and authenticating individual users, including but not limited to implementing authentication measures that require users to present a combination of two or more credentials for access verification; (3) establishing procedures for the timely distribution, replacement, and revocation of passwords or methods of authentication; (4) restricting access to specific information systems of the covered entity or components thereof and the information residing on those systems solely to individuals requiring access to the systems and information as is necessary for them to perform their responsibilities and functions on behalf of the covered entity; and (5) securing remote access technologies.400

Second, under proposed Rule 10, a covered entity’s policies and procedures would need to include measures designed to protect the covered entity’s information systems and protect the information residing on those systems from unauthorized access or use, based on a periodic assessment of the covered entity’s information systems and the information that resides on the systems.401 The periodic assessment would need to take into account: (1) the sensitivity level and importance of the information to the covered entity’s business operations; (2) whether any of the information is personal information; (3) where and how the information is accessed, stored and transmitted, including the monitoring of information in transmission; (4) the information systems’ access controls and malware protection; and (5) the potential effect a cybersecurity incident involving the information could have on the covered entity and its customers, counterparties, members, registrants, or users, including the potential to cause a significant cybersecurity incident.402 A covered entity that implements these requirements of proposed Rule 10 of the Exchange Act Cybersecurity Proposal with respect to its SCI systems and indirect SCI systems should generally satisfy the proposed requirements of Regulation SCI that the SCI entity’s policies and procedures include a program to prevent the unauthorized access to their SCI systems and indirect SCI systems, and information residing therein. Similarly, a broker-dealer that is an SCI entity that implements these proposed requirements of Regulation SCI should generally satisfy the proposed requirements of Regulation S–P’s disposal provisions to adopt and implement written policies and procedures that address the proper disposal of consumer information and customer information.

Review Requirements. The current and proposed provisions of Regulation SCI prescribe certain elements that must be included in each SCI entity’s policies and procedures relating to regular reviews and testing, penetration testing, and the SCI review, and are discussed above in more detail in sections II.B.2, II.B.4, III.C.3.b, and III.C.4. Proposed Rule 10 of the Exchange Act Cybersecurity Proposal would have several policies and procedures requirements that are designed to address similar cybersecurity-related risks to these existing and proposed requirements of Regulation SCI.

398 See Regulation S–P 2023 Proposing Release. As discussed above, the general policies and procedures requirements of Regulation S–P’s safeguards provisions require the policies and procedures—among other things—to protect against unauthorized access to or use of customer records or information that could result in substantial harm or inconvenience to any customer. See 17 CFR 248.30(a)(3).
399 See Regulation S–P 2023 Proposing Release.
400 See paragraphs (b)(1)(ii)(A) through (E) of proposed Rule 10; see also section II.B.1.b of the Exchange Act Cybersecurity Proposal (discussing these requirements in more detail).
401 See paragraph (b)(1)(iii)(A) of proposed Rule 10; see also section II.B.1.c of the Exchange Act Cybersecurity Proposal (discussing these requirements in more detail).
402 See paragraphs (b)(1)(iii)(A)(1) through (5) of proposed Rule 10.
First, a covered entity’s policies and procedures under proposed Rule 10 would need to require periodic assessments of cybersecurity risks associated with the covered entity’s information systems and information residing on those systems.403 Moreover, this element of the policies and procedures would need to include requirements that the covered entity categorize and prioritize cybersecurity risks based on an inventory of the components of the covered entity’s information systems and information residing on those systems and the potential effect of a cybersecurity incident on the covered entity.404 Second, under proposed Rule 10, a covered entity’s policies and procedures would need to require measures designed to detect, mitigate, and remediate any cybersecurity threats and vulnerabilities with respect to the covered entity’s information systems and the information residing on those systems.405 A covered entity that implements these requirements of proposed Rule 10 with respect to its SCI systems and indirect SCI systems should generally satisfy the current requirements of Regulation SCI that the SCI entity’s policies and procedures require regular reviews and testing of SCI systems and indirect SCI systems, including backup systems, to identify vulnerabilities from internal and external threats. 
Further, while proposed Rule 10 does not require penetration testing, the proposed rule requires measures designed to protect the covered entity’s information systems and protect the information residing on those systems from unauthorized access or use, based on a periodic assessment of the covered entity’s information systems and the information that resides on the systems,406 and penetration testing could be part of these measures.407 Therefore, the existing and proposed requirements of Regulation SCI requiring penetration testing could be incorporated into and should logically fit within a covered entity’s policies and procedures to address cybersecurity risks under proposed Rule 10 of the Exchange Act Cybersecurity Proposal.

Response Program. Regulation SCI requires SCI entities to have policies and procedures to monitor their SCI systems and indirect SCI systems for SCI events, which include systems intrusions for unauthorized access, and also requires them to have policies and procedures that include escalation procedures to quickly inform responsible SCI personnel of potential SCI events, which are discussed above in more detail in section II.B.2.408 The amendments to Regulation S–P’s safeguards provisions would require the policies and procedures to include a response program for unauthorized access to or use of customer information.

403 See paragraph (b)(1)(i)(A) of proposed Rule 10; see also section II.B.1.a of the Exchange Act Cybersecurity Proposal (discussing this requirement in more detail).
404 See paragraph (b)(1)(i)(A)(1) of proposed Rule 10.
405 See paragraph (b)(1)(iv) of proposed Rule 10; see also section II.B.1.d of the Exchange Act Cybersecurity Proposal (discussing this requirement in more detail).
406 See paragraph (b)(1)(iii)(A) of proposed Rule 10.
407 See also section II.B.1.c of the Exchange Act Cybersecurity Proposal.
Further, the response program would need to be reasonably designed to detect, respond to, and recover from unauthorized access to or use of customer information, including procedures, among others: (1) to assess the nature and scope of any incident involving unauthorized access to or use of customer information and identify the customer information systems and types of customer information that may have been accessed or used without authorization; and (2) to take appropriate steps to contain and control the incident to prevent further unauthorized access to or use of customer information.409 Proposed Rule 10 of the Exchange Act Cybersecurity Proposal would have several policies and procedures requirements that are designed to address similar cybersecurity-related risks to these proposed requirements of Regulation SCI and the proposed requirements of the safeguards provisions of Regulation S–P. First, under proposed Rule 10, a covered entity’s policies and procedures would need to have measures designed to detect, mitigate, and remediate any cybersecurity threats and vulnerabilities with respect to the covered entity’s information systems and the information residing on those systems.410 Second, under proposed Rule 10, a covered entity’s policies and procedures would need to have measures designed to detect, respond to, and recover from a cybersecurity incident, including policies and procedures that are reasonably designed to ensure (among other things): (1) the continued operations of the covered entity; (2) the protection of the covered entity’s information systems and the information residing on those systems; and (3) external and internal cybersecurity incident information sharing and communications.411 A covered entity that implements reasonably designed policies and procedures in compliance with these requirements of proposed Rule 10 of the Exchange Act Cybersecurity Proposal should generally satisfy the current and proposed requirements of Regulation SCI and Regulation S–P’s safeguards provisions relating to response programs for unauthorized access.

d. Commission Notification

As discussed above in sections II.B.3 and III.C.3.c, Regulation SCI (currently and as it would be amended) provides the framework for notifying the Commission of SCI events including, among other things, requirements to: notify the Commission of the event immediately; provide a written notification on Form SCI within 24 hours that includes a description of the SCI event and the system(s) affected, with other information required to the extent available at the time; provide regular updates regarding the SCI event until the event is resolved; and submit a final detailed written report regarding the SCI event.412 If proposed Rule 10 of the Exchange Act Cybersecurity Proposal is adopted as proposed, it would establish a framework for covered entities to provide the Commission (and other regulators, if applicable) with immediate written electronic notice of a significant cybersecurity incident affecting the covered entity and, thereafter, report and update information about the significant cybersecurity incident by filing Part I of proposed Form SCIR with the Commission (and other regulators, if applicable).413 Part I of proposed Form SCIR would elicit information about the significant cybersecurity incident and the covered entity’s efforts to respond to, and recover from, the incident. Consequently, an SCI entity that is also a covered entity under the Exchange Act Cybersecurity Proposal that experiences a systems intrusion under Regulation SCI that also is a significant cybersecurity incident under proposed Rule 10 would be required to make two filings for the single incident: one on Form SCI and the other on Part I of proposed Form SCIR. The SCI entity also would be required to make additional filings on Forms SCI and SCIR pertaining to the systems intrusion (i.e., to provide updates and final reports).

The Commission believes the approach of having two separate notification and reporting programs—one under Regulation SCI and the other under proposed Rule 10 of the Exchange Act Cybersecurity Proposal—would be appropriate for the following reasons. As discussed earlier, most broker-dealers would not be SCI entities under the current and proposed requirements of Regulation SCI.414 Certain of the broker-dealers that are not SCI entities (currently and as it would be amended) would be covered entities under the Exchange Act Cybersecurity Proposal, as would other types of entities.415 In addition, the current and proposed reporting requirements of Regulation SCI are or would be triggered by events impacting SCI systems and indirect SCI systems. In addition to SCI systems and indirect SCI systems, covered entities that are or would be SCI entities use and rely on information systems that are not SCI systems or indirect SCI systems under the current and proposed amendments to Regulation SCI.

408 See paragraphs (a)(2)(vii) and (c)(1) of Rule 1001 of Regulation SCI, respectively. See also Rule 1002(a) of Regulation SCI and supra sections II.B.3 and III.C.3.c (discussing Regulation SCI’s current and proposed requirements with respect to taking corrective action for SCI events, including systems intrusions).
409 See Regulation S–P 2023 Proposing Release. The response program also would need to have procedures to notify each affected individual whose sensitive customer information was, or is reasonably likely to have been, accessed or used without authorization unless the covered institution determines, after a reasonable investigation of the facts and circumstances of the incident of unauthorized access to or use of sensitive customer information, the sensitive customer information has not been, and is not reasonably likely to be, used in a manner that would result in substantial harm or inconvenience. See id.
410 See paragraph (b)(1)(iv) of proposed Rule 10; see also section II.B.1.d of the Exchange Act Cybersecurity Proposal (discussing this requirement in more detail).
411 See paragraph (b)(1)(v) of proposed Rule 10; see also section II.B.1.e of the Exchange Act Cybersecurity Proposal (discussing this requirement in more detail).
412 See 17 CFR 242.1002(b); supra sections II.B.2 and III.C.3.c (discussing Regulation SCI’s current and proposed requirements relating to SCI events, which include systems intrusions, and Commission notification for SCI events).
For these reasons, covered entities under the Exchange Act Cybersecurity Proposal could be impacted by significant cybersecurity incidents that do not trigger the current and proposed notification requirements of Regulation SCI either because they do not meet the current or proposed definitions of ‘‘SCI entity’’ or because the significant cybersecurity incident does not meet the current or proposed definitions of ‘‘SCI event.’’ The objective of notification and reporting requirements of proposed Rule 10 of the Exchange Act Cybersecurity Proposal is to improve the Commission’s ability to monitor and respond to significant cybersecurity incidents and use the information reported about them to better understand how they can be avoided or mitigated.416 For this reason, Part I of proposed Form SCIR is tailored to elicit information relating specifically to cybersecurity, such as information relating to the threat actor, and the impact of the incident on any data or personal information that may have been accessed.417 The Commission and its staff could use the information reported on Part I of Form SCIR to monitor the U.S. securities markets and the covered entities that support those markets broadly from a cybersecurity perspective, including identifying cybersecurity threats and trends from a market-wide view. By requiring all covered entities to report information about a significant cybersecurity incident on a common form, the information obtained from these filings over time would create a comprehensive set of data of all significant cybersecurity incidents impacting covered entities that is based on these entities responding to the same check boxes and questions on the form. This would facilitate analysis of the data, including analysis across different covered entities and significant cybersecurity incidents. Eventually, this set of data and the ability to analyze it by searching and sorting how different covered entities responded to the same questions on the form could be used to spot common trending risks and vulnerabilities as well as best practices employed by covered entities to respond to and recover from significant cybersecurity incidents.418

The current and proposed definitions of ‘‘SCI event’’ include not only cybersecurity events, but also events that are not related to significant cybersecurity incidents under the Exchange Act Cybersecurity Proposal.419 For example, under the current and proposed requirements of Regulation SCI, the definition of ‘‘SCI event’’ includes ‘‘systems disruptions,’’ which are events in an SCI entity’s SCI systems that disrupt, or significantly degrade, the normal operation of an SCI system.420 Therefore, the definitions are not limited to events in an SCI entity’s SCI systems that disrupt, or significantly degrade, the normal operation of an SCI system caused by a significant cybersecurity incident. The information elicited in Form SCI reflects the broader scope of the reporting requirements of Regulation SCI (as compared to the narrower focus of proposed Rule 10 on reporting about significant cybersecurity incidents). For example, Form SCI requires the SCI entity to identify the type of SCI event: systems compliance issue, systems disruption, and/or systems intrusion. In addition, Form SCI is tailored to elicit information specifically about SCI systems. For example, the form requires the SCI entity to indicate whether the type of SCI system impacted by the SCI event directly supports: (1) trading; (2) clearance and settlement; (3) order routing; (4) market data; (5) market regulation; and/or (6) market surveillance. If the impacted system is a critical SCI system, the SCI entity must indicate whether it directly supports functionality relating to: (1) clearance and settlement systems of clearing agencies; (2) openings, reopenings, and closings on the primary listing market; (3) trading halts; (4) initial public offerings; (5) the provision of consolidated market data; and/or (6) exclusively listed securities.

413 See paragraphs (c)(1) and (2) of proposed Rule 10 (requiring covered entities to provide immediate written notice and subsequent reporting on Part I of proposed Form SCIR of significant cybersecurity incidents); and sections II.B.2 and II.B.4 of the Exchange Act Cybersecurity Proposal (discussing the requirements of paragraphs (c)(1) and (2) of proposed Rule 10 and Part I of Form SCIR in more detail).
414 See section II.F.1.b of the Exchange Act Cybersecurity Proposal.
415 See paragraphs (a)(1)(i)(A) and (F) of proposed Rule 10 (defining the categories of broker-dealers that would be covered entities); see also supra note 378.
416 See section II.B.2.a of the Exchange Act Cybersecurity Proposal.
417 See section II.B.2.b of the Exchange Act Cybersecurity Proposal.
418 FSOC has found that ‘‘[s]haring timely and actionable cybersecurity information can reduce the risk that cybersecurity incidents occur and can mitigate the impacts of those that do occur.’’ FSOC, Annual Report (2021), available at https://home.treasury.gov/system/files/261/FSOC2021AnnualReport.pdf (‘‘FSOC 2021 Annual Report’’).
The form also requires the SCI entity to indicate whether the impacted system is one that provides functionality to the securities markets for which the availability of alternatives is significantly limited or nonexistent and without which there would be a material impact on fair and orderly markets.

e. Information Dissemination and Disclosure

As discussed above in sections II.B.3 and III.C.3.c, Regulation SCI (currently and as it would be amended) would require that SCI entities disseminate information to their members, participants, or customers (as applicable) regarding SCI events, including systems intrusions.421 The proposed amendments to Regulation S–P would require broker-dealers to notify affected individuals whose sensitive customer information was, or is reasonably likely to have been, accessed or used without authorization.422 Proposed Rule 10 of the Exchange Act Cybersecurity Proposal would require a covered entity to make two types of public disclosures relating to cybersecurity on Part II of proposed Form SCIR.423 Covered entities would be required to make the disclosures by filing Part II of proposed Form SCIR on the Electronic Data Gathering, Analysis, and Retrieval (EDGAR) system and posting a copy of the filing on their business websites.424 In addition, a covered entity that is either a carrying or introducing broker-dealer would be required to provide a copy of the most recently filed Part II of Form SCIR to a customer as part of the account opening process.

419 See 17 CFR 242.1000 (defining the term ‘‘SCI event’’); see also supra sections II.B.3 and III.C.3.c (discussing the current and proposed requirements relating to SCI events, including systems intrusions).
420 See 17 CFR 242.1000 (defining the term ‘‘system disruption’’ and including that term in the definition of ‘‘SCI event’’).
Thereafter, the carrying or introducing broker-dealer would need to provide the customer with the most recently filed form annually. The copies of the form would need to be provided to the customer using the same means that the customer elects to receive account statements (e.g., by email or through the postal service). Finally, a covered entity would be required to make updated disclosures promptly through each of the methods described above (as applicable) if the information required to be disclosed about cybersecurity risk or significant cybersecurity incidents materially changes, including, in the case of the disclosure about significant cybersecurity incidents, after the occurrence of a new significant cybersecurity incident or when information about a previously disclosed significant cybersecurity incident materially changes.

421 See 17 CFR 242.1002(c).
422 However, disclosure under proposed Regulation S–P would not be required if ‘‘a covered institution has determined, after a reasonable investigation of the facts and circumstances of the incident of unauthorized access to or use of sensitive customer information, that sensitive customer information has not been, and is not reasonably likely to be, used in a manner that would result in substantial harm or inconvenience.’’ See Regulation S–P 2023 Proposing Release. The proposed amendments to Regulation S–P would define ‘‘sensitive customer information’’ to mean any component of customer information alone or in conjunction with any other information, the compromise of which could create a reasonably likely risk of substantial harm or inconvenience to an individual identified with the information. Id. The proposed amendments would provide examples of sensitive customer information. Id.
423 See paragraph (d)(1) of proposed Rule 10.
424 See section II.B.3.b (discussing these proposed requirements in more detail).
Consequently, a covered entity would, if it experiences a ‘‘significant cybersecurity incident,’’ be required to make updated disclosures under proposed Rule 10 by filing Part II of proposed Form SCIR on EDGAR, posting a copy of the form on its business website, and, in the case of a carrying or introducing broker-dealer, by sending the disclosure to its customers using the same means that the customer elects to receive account statements. Thus, if an SCI entity is a covered entity under the Exchange Act Cybersecurity Proposal and if the SCI event would be a significant cybersecurity incident under the Exchange Act Cybersecurity Proposal, the SCI entity also could be required to disseminate certain information about the SCI event to certain of its members, participants, or customers (as applicable). Further, if the SCI entity is a broker-dealer and, therefore, subject to Regulation S–P (as it is proposed to be amended), the broker-dealer also could be required to notify individuals whose sensitive customer information was, or is reasonably likely to have been, accessed or used without authorization. However, the Commission believes that this result would be appropriate. First, as discussed above, Regulation SCI (currently and as it would be amended), proposed Rule 10, and Regulation S–P (as proposed to be amended) require different types of information to be disclosed. 
Second, as discussed above, the disclosures, for the most part, would be made to different persons: (1) affected members,425 participants, or customers (as applicable) of the SCI entity in the case of Regulation SCI; (2) the public at large in the case of proposed Rule 10 of the Exchange Act Cybersecurity Proposal;426 and (3) affected individuals whose sensitive customer information was, or is reasonably likely to have been, accessed or used without authorization or, in some cases, all individuals whose information resides in the customer information system that was accessed or used without authorization in the case of Regulation S–P (as proposed to be amended).427 For these reasons, the Commission believes it would be appropriate to apply these current and proposed requirements of Regulation SCI to SCI entities even if they would be subject to the disclosure requirements of proposed Rule 10 of the Exchange Act Cybersecurity Proposal and/or Regulation S–P (as proposed to be amended).

2. Request for Comment

The Commission requests comment on the relation between the requirements of Regulation SCI (as it currently exists and as it is proposed to be amended), proposed Rule 10, and Regulation S–P (as it currently exists and as it is proposed to be amended). In addition, the Commission is requesting comment on the following matters:

87. Should the policies and procedures requirements of current and proposed Regulation SCI regarding cybersecurity be modified to address SCI entities that also would be subject to proposed Rule 10 of the Exchange Act Cybersecurity Proposal and/or the existing and proposed requirements of Regulation S–P? For example, would it be particularly costly or create practical implementation difficulties to apply the requirements of current and proposed Regulation SCI to have policies and procedures to address cybersecurity risks to SCI entities even if they also would be subject to requirements to have policies and procedures under proposed Rule 10 (if it is adopted) and/or Regulation S–P that address certain cybersecurity risks (currently and as they would be amended)? If so, explain why. If not, explain why not. Are there ways the policies and procedures requirements of current or proposed Regulation SCI regarding cybersecurity could be modified to minimize these potential impacts while achieving the separate goals of this proposal? If so, explain how and suggest specific modifications.

88. Should the Commission notification and reporting requirements of current and proposed Regulation SCI be modified to address SCI entities that also would be subject to the proposed requirements of Rule 10 of the Exchange Act Cybersecurity Proposal? For example, would it be particularly costly or create practical implementation difficulties to apply the Commission notification and reporting requirements of current and proposed Regulation SCI and Form SCI to SCI entities even if they also would be subject to immediate notification and subsequent reporting requirements under proposed Rule 10 of the Exchange Act Cybersecurity Proposal and Part I of proposed Form SCIR (if they are adopted)? If so, explain why. If not, explain why not. Are there ways the Commission notification and reporting requirements of current or proposed Regulation SCI and Form SCI could be modified to minimize these potential impacts while achieving the separate goals of this proposal? If so, explain how and suggest specific modifications. For example, should Form SCI be modified to include a section that incorporates the check boxes and questions of Part I of Form SCIR so that a single form could be filed to meet the reporting requirements of Regulation SCI and proposed Rule 10? If so, explain why. If not, explain why not. Should the Commission modify the proposed Commission notification framework for systems intrusions that are also significant cybersecurity incidents under Rule 10? For example, should such systems intrusions be initially reported (i.e., immediately and for the 24-hour notification) on Form SCI, with subsequent reports exempted from Rule 1002(b)’s requirements if they are reported to the Commission on Form SCIR pursuant to the proposed requirements of Rule 10? Why or why not? Are there other ways Form SCI could be modified to combine the elements of Part I of Form SCIR? If so, explain how.

89. Should the disclosure requirements of proposed and current Regulation SCI be modified to address SCI entities that also would be subject to the proposed requirements of the Exchange Act Cybersecurity Proposal and the existing and proposed requirements of Regulation S–P?

425 Information regarding major SCI events would be required to be disseminated by an SCI entity to all of its members, participants, or customers (as applicable). See current and proposed Rule 1002(c)(3) of Regulation SCI.
426 A carrying broker-dealer would be required to make the disclosures to its customers as well through the means by which they receive account statements.
427 Under the Regulation SCI and Regulation S–P proposals, there could be circumstances in which a compromise involving sensitive customer information at a broker-dealer that is an SCI entity could result in two forms of notification being provided to customers for the same incident. In addition, under the Exchange Act Cybersecurity Proposal, the broker-dealer also may need to publicly disclose a summary description of the incident via EDGAR and the entity’s business internet website, and, in the case of an introducing or carrying broker-dealer, send a copy of the disclosure to its customers.
For example, would it be particularly costly or create practical implementation difficulties to apply the disclosure requirements of current and proposed Regulation SCI to SCI entities even if they also would be subject to proposed Rule 10 and Part II of proposed Form SCIR (if they are adopted) and the current and proposed requirements of Regulation S–P? If so, explain why. If not, explain why not. Are there ways the disclosure requirements of Regulation SCI could be modified to minimize these potential impacts while achieving the separate goals of this proposal? If so, explain how and suggest specific modifications.

90. Would the addition of the requirements in the Exchange Act Cybersecurity Proposal—together with the current broker-dealer regulatory regime, including the Market Access Rule and other Commission and FINRA rules—be sufficient to reasonably ensure the operational capability of the technological systems of the proposed SCI broker-dealers? Why or why not? For example, are there any provisions of Regulation SCI that, if added to the Exchange Act Cybersecurity Proposal as it applies to broker-dealers, would help ensure the operational capability of the technological systems of the proposed SCI broker-dealers? Which provisions?

IV. Paperwork Reduction Act

Certain provisions of the proposal would contain a new ‘‘collection of information’’ within the meaning of the Paperwork Reduction Act of 1995 (‘‘PRA’’).428 The Commission is submitting the proposed rule amendments to the Office of Management and Budget (‘‘OMB’’) for review and approval in accordance with the PRA and its implementing regulations.429 An agency may not conduct or sponsor, and a person is not required to respond to, a collection of information unless it displays a currently valid OMB control number.430 The Commission is proposing to alter the 31 existing collections of information and apply such collections of information to new categories of respondents.
The title for the collections of information is: Regulation Systems Compliance and Integrity (OMB control number 3235–0703). The burden estimates contained in this section do not include any other possible costs or economic effects beyond the burdens required to be calculated for PRA purposes.

A. Summary of Collections of Information

The proposed amendments to Regulation SCI create paperwork burdens under the PRA by (1) adding new categories of respondents to the 31 existing collections of information (across 7 rules) noted above and (2) modifying the requirements of 16 of those collections, as noted below. For entities that are already required to comply with Regulation SCI (‘‘Current SCI Entities’’), the proposed amendments would result in the modification of certain collections of information. Entities that would become subject to Regulation SCI as a result of the proposed amendments (‘‘New SCI Entities’’) would be newly subject to the 31 existing collections of information, including the modifications.431 The collections of information and applicable categories of new respondents are summarized (by rule) in the following table.432

Table columns: Collection of information; Rule; Burden description; Respondent categories.

Collection of information: Rule 1001 of Regulation SCI

Rule 1001(a)
Rule Description: Requirement to establish, maintain, and enforce written policies and procedures related to capacity, integrity, resiliency, availability, and security.
Revised burden: ensure policies and procedures include a program to manage and oversee third-party providers that provide functionality, support or service for the SCI entity’s SCI systems; inventory all SCI systems; include a program to prevent unauthorized access to SCI systems and the information residing therein; identify the SCI industry standard with which such policy and procedure is consistent, if any.
Respondent categories: Current SCI Entities and New SCI Entities.

Rule 1001(b)
Rule Description: Requirement to establish, maintain, and enforce policies and procedures reasonably designed to ensure that its SCI systems operate in a manner that complies with the Exchange Act, rules and regulations thereunder, and the entity’s rules and governing documents.

Rule 1001(c)
Rule Description: Establish, maintain, and enforce reasonably designed written policies and procedures that include the criteria for identifying responsible SCI personnel, the designation and documentation of responsible SCI personnel, and escalation procedures to inform responsible SCI personnel of potential SCI events.

Collection of information: Rule 1002 of Regulation SCI

Rule 1002(a)
Rule Description: Each SCI entity is required to take appropriate corrective action upon any responsible SCI personnel having a reasonable basis to conclude that an SCI event has occurred.

Rule 1002(b)
Rule Description: Rules 1002(b)(1) through (4): Requirement that each SCI entity, upon any responsible SCI personnel having a reasonable basis to conclude that an SCI event has occurred, notify the Commission immediately of such SCI event and submit a written notification within 24 hours of responsible SCI personnel having a reasonable basis to conclude there was an SCI event. Periodic updates are required pertaining to the SCI event on either a regular basis or at such frequency requested by representatives of the Commission. An interim written notification is required if the SCI event is not closed within 30 days of its occurrence. A final notification is required to be submitted within five days of the resolution and closure of the SCI event. Rule 1002(b)(5): For events that the SCI entity reasonably estimates would have no, or a de minimis, impact on the SCI entity’s operations or on market participants, submit a report within 30 days after the end of each calendar quarter containing a summary description of such systems disruptions and systems intrusions.
Revised burden: add (1) cybersecurity events that disrupt, or significantly degrade, the normal operation of an SCI system, and (2) significant attempted unauthorized entries into SCI systems or indirect SCI systems, as determined by the SCI entity pursuant to established reasonable written criteria, to the definition of systems intrusions in Rule 1000, thus requiring that SCI entities provide notifications under Rule 1002(b)(1) through (4); eliminate the de minimis exception’s applicability to systems intrusions, thus requiring all systems intrusions to be reported pursuant to Rule 1002(b)(1) through (4); require interim written notification to the Commission to include a copy of any information disseminated pursuant to Rule 1002(c) regarding the SCI event by SCI broker-dealers to their customers.

Rule 1002(c)
Rule Description: Requirements to disseminate certain information to members and participants concerning SCI events promptly after any responsible SCI personnel has a reasonable basis to conclude that an SCI event has occurred. For major SCI events, information must be disseminated to all members and participants, and for SCI events that are not major, the information must be disseminated to members or participants that any responsible SCI personnel has reasonably estimated may have been affected by the SCI event.

428 See 44 U.S.C. 3501 et seq.
429 See 44 U.S.C. 3507; 5 CFR 1320.11.
430 See 5 CFR 1320.11(l).
431 See infra section IV.C (Respondents) for more information on Current SCI Entities and New SCI Entities.
432 Unless otherwise described, none of the existing information collections are being revised with new requirements.
Rule 1002(b) ...................... ddrumheller on DSK120RN23PROD with PROPOSALS2 Rule 1002(c) ...................... VerDate Sep<11>2014 20:01 Apr 13, 2023 Jkt 259001 PO 00000 Frm 00056 Fmt 4701 Sfmt 4702 E:\FR\FM\14APP2.SGM Respondent categories 14APP2 New SCI Entities. New SCI Entities. New SCI Entities. Current SCI Entities and New SCI Entities. Current SCI Entities and New SCI Entities. Federal Register / Vol. 88, No. 72 / Friday, April 14, 2023 / Proposed Rules Collection of information Rule 1003 of Regulation SCI Rule Burden description Rule 1003(a) ...................... Rule 1003(b) ...................... Rule 1004 of Regulation SCI Rule 1004 .......................... Rule 1005 of Regulation SCI Rule 1005 .......................... Rule 1006 ............................ Rule 1006 .......................... Rule 1007 ............................ Rule 1007 .......................... ddrumheller on DSK120RN23PROD with PROPOSALS2 B. Proposed Use of Information The existing information collections and the proposed amendments are used as described below: 1. Rule 1001 of Regulation SCI Rule 1001(a)(1) of Regulation SCI requires each SCI entity to establish, maintain, and enforce written policies and procedures reasonably designed to VerDate Sep<11>2014 20:01 Apr 13, 2023 Jkt 259001 433 See PO 00000 Respondent categories Revised burden: add cybersecurity events to the definition of systems intrusions in Rule 1000, thus making them SCI events and requiring that SCI entities provide notifications under Rule 1002(c)(2) for those additional SCI events; exclude systems intrusions that are significant attempted unauthorized entries into the SCI systems or indirect SCI systems of an SCI entity from information dissemination requirements; add that SCI broker-dealers would notify their customers (rather than members or participants). 
Rule Description: Submit quarterly report describing completed, ongoing, and planned material changes to SCI systems and the security of indirect SCI systems; establish reasonable written criteria to identify changes to SCI systems and the security of indirect SCI systems as material and report such changes in accordance with such criteria. Promptly submit a supplemental report notifying the Commission of a material error in or material omission from a previously submitted report. Rule Description: Requirement to conduct an SCI review of the SCI entity’s compliance with Regulation SCI not less than once each calendar year; conduct penetration test reviews not less than once every three years. Revised burden: include certain additional requirements and information in SCI reviews, require the SCI review to be performed annually, and require a response by senior management be reported to the Commission. Rule Description: Establish standards to designate members and participants that are the minimum necessary for the maintenance of fair and orderly markets, designate members or participants and require their participation in testing of the BC/DR plans pursuant to such standards, and coordinate testing on an industry or sector-wide basis with other SCI entities. Revised burden: require SCI entities to establish standards for designating certain third-party providers that are the minimum necessary for the maintenance of fair and orderly markets, and designate third-party providers for BC/DR testing pursuant to those standards. Rule Description: Requirement to make, keep, and preserve all documents relating to compliance with Regulation SCI. Revised burden: Entities that ‘‘otherwise [cease] to be an SCI entity’’ are required to comply with the recordkeeping requirements in this section. Rule Description: Require submissions to the Commission pursuant to Regulation SCI to be made electronically on Form SCI. 
Rule Description: Requirement that SCI entities make available records required to be filed or kept under Regulation SCI that are prepared or maintained by a service bureau or other recordkeeping service on behalf of the SCI entity. ensure that their SCI systems and, for purposes of security standards, indirect SCI systems, have levels of capacity, integrity, resiliency, availability, and security adequate to maintain their operational capability and promote the maintenance of fair and orderly markets.433 Rule 1001(a)(2) of Regulation SCI requires that, at a 17 CFR 242.1001(a)(1). Frm 00057 Fmt 4701 Sfmt 4702 23201 New SCI Entities. Current SCI Entities and New SCI Entities. Current SCI Entities and New SCI Entities. Current SCI Entities and New SCI Entities. New SCI Entities. New SCI Entities. minimum, such policies and procedures include: current and future capacity planning; periodic stress testing; systems development and testing methodology; reviews and testing to identify vulnerabilities; business continuity and disaster recovery planning (inclusive of backup systems that are geographically diverse and designed to meet specified recovery E:\FR\FM\14APP2.SGM 14APP2 ddrumheller on DSK120RN23PROD with PROPOSALS2 23202 Federal Register / Vol. 88, No. 
72 / Friday, April 14, 2023 / Proposed Rules time objectives); standards for market data collection, processing, and dissemination; and monitoring to identify potential SCI events.434 Rule 1001(a)(3) of Regulation SCI requires that SCI entities periodically review the effectiveness of these policies and procedures and take prompt action to remedy any deficiencies.435 Rule 1001(a)(4) of Regulation SCI provides that an SCI entity’s policies and procedures will be deemed to be reasonably designed if they are consistent with current SCI industry standards, which is defined to be comprised of information technology practices that are widely available to information technology professionals in the financial sector and issued by an authoritative body that is a U.S. governmental entity or agency, association of U.S. governmental entities or agencies, or widely recognized organization; 436 however, Rule 1001(a)(4) of Regulation SCI also makes clear that compliance with such ‘‘current SCI industry standards’’ is not the exclusive means to comply with these requirements. 
Rule 1001(b) of Regulation SCI requires each SCI entity to establish, maintain, and enforce written policies and procedures reasonably designed to ensure that its SCI systems operate in a manner that complies with the Exchange Act and the rules and regulations thereunder and the entity’s rules and governing documents, as applicable, and specifies certain minimum requirements for such policies and procedures.437 Rule 1001(c) of Regulation SCI requires SCI entities to establish, maintain, and enforce reasonably designed written policies and procedures that include the criteria for identifying responsible SCI personnel, the designation and documentation of responsible SCI personnel, and escalation procedures to quickly inform responsible SCI personnel of potential SCI events.438

The Commission is proposing revisions to Rule 1001(a)(2) and (4) of Regulation SCI to include four additional elements in the policies and procedures: (1) the maintenance of a written inventory of all SCI systems, critical SCI systems, and indirect SCI systems, including a lifecycle management program with respect to such systems; (2) a program to manage and oversee third-party providers that includes an initial and periodic review of contracts with third-party providers and a risk-based assessment of each third-party provider’s criticality to the SCI entity; (3) a program to prevent unauthorized SCI system access; and (4) identification of the SCI industry standard with which such policies and procedures are consistent, if any.

434 See 17 CFR 242.1001(a)(2).
435 See 17 CFR 242.1001(a)(3).
436 See 17 CFR 242.1001(a)(4).
437 See 17 CFR 242.1001(b).
438 See 17 CFR 242.1001(c).
The Commission also proposes to amend the existing requirements in Rule 1001(a)(2)(v) for the BC/DR plan to include the requirement to maintain backup and recovery capabilities that are reasonably designed to address the unavailability of any third-party provider without which there would be a material impact on any of its critical SCI systems. The requirement to have a third-party provider management program would help ensure that any third-party provider an SCI entity selects is able to support the SCI entity’s compliance with Regulation SCI’s requirements. Additionally, the proposed revisions would ensure that SCI entities create an inventory of their SCI systems, critical SCI systems, and indirect SCI systems and have a lifecycle management program for such systems, which would ensure that SCI entities are able to identify when a system becomes an SCI system or indirect SCI system and when it ceases to be one. Next, the revisions would require SCI entities to have in place a program to prevent unauthorized SCI system access. The existing collections of information, which would be extended to New SCI Entities, would advance the goals of promoting the maintenance of fair and orderly markets and improving Commission review and oversight of U.S. securities market infrastructure. The proposed additional collections of information would advance these same goals.

2. Rule 1002 of Regulation SCI

Under Rule 1002 of Regulation SCI, SCI entities have certain obligations regarding SCI events. Rule 1002(a) requires an SCI entity to begin to take appropriate corrective action when any responsible SCI personnel has a reasonable basis to conclude that an SCI event has occurred.
The corrective action must include, at a minimum, mitigating potential harm to investors and market integrity resulting from the SCI event and devoting adequate resources to remedy the SCI event as soon as reasonably practicable.439 Rule 1002(b)(1) requires each SCI entity to immediately notify the Commission of an SCI event.440 Under 17 CFR 242.1002(b)(2) (‘‘Rule 1002(b)(2)’’), each SCI entity is required, within 24 hours of any responsible SCI personnel having a reasonable basis to conclude that the SCI event has occurred, to submit a written notification to the Commission pertaining to the SCI event that includes a description of the SCI event and the system(s) affected, with other information required to the extent available at the time.441 Under 17 CFR 242.1002(b)(3) (‘‘Rule 1002(b)(3)’’), each SCI entity is required to provide regular updates regarding the SCI event until the event is resolved.442 Under 17 CFR 242.1002(b)(4)(i) (‘‘Rule 1002(b)(4)(i)’’), each SCI entity is required to submit written interim reports, as necessary, and a written final report regarding an SCI event to the Commission.443 Under 17 CFR 242.1002(b)(4)(ii) (‘‘Rule 1002(b)(4)(ii)’’), the information that is required to be included in the interim and final written reports is set forth, including the SCI entity’s assessment of the types and number of market participants affected by the SCI event and the impact of the SCI event on the market, and a copy of any information disseminated pursuant to Rule 1002(c) regarding the SCI event to the SCI entity’s members or participants.

439 See 17 CFR 242.1002(a).
440 See 17 CFR 242.1002(b)(1).
For any SCI event that ‘‘has had, or the SCI entity reasonably estimates would have, no or a de minimis impact on the SCI entity’s operations or on market participants,’’ Rule 1002(b)(5) provides an exception to the general Commission notification requirements under Rule 1002(b). Instead, an SCI entity must make, keep, and preserve records relating to all such SCI events, and submit a quarterly report to the Commission regarding any such events that are systems disruptions or systems intrusions. SCI events that are reported immediately and later determined to have a de minimis impact may be reclassified as de minimis.444

Rule 1002(c) of Regulation SCI requires that SCI entities disseminate information to their members or participants regarding SCI events.445 Under 17 CFR 242.1002(c)(1)(i) (‘‘Rule 1002(c)(1)(i)’’), each SCI entity is required, promptly after any responsible SCI personnel has a reasonable basis to conclude that an SCI event (other than a systems intrusion) has occurred, to disseminate certain information to its members or participants. Under 17 CFR 242.1002(c)(1)(ii) (‘‘Rule 1002(c)(1)(ii)’’), each SCI entity is required, when known, to disseminate additional information about an SCI event (other than a systems intrusion) to its members or participants promptly. Under 17 CFR 242.1002(c)(1)(iii) (‘‘Rule 1002(c)(1)(iii)’’), each SCI entity is required to provide to its members or participants regular updates of any information required to be disseminated under Rule 1002(c)(1)(i) and (ii) until the SCI event is resolved. Rule 1002(c)(2) requires each SCI entity to disseminate certain information regarding a systems intrusion to its members or participants.

441 See 17 CFR 242.1002(b)(2).
442 See 17 CFR 242.1002(b)(3).
443 See 17 CFR 242.1002(b)(4).
444 See 17 CFR 242.1002(b)(5).
445 See 17 CFR 242.1002(c).
For ‘‘major SCI events,’’ these disseminations must be made to all of its members or participants. For SCI events that are not ‘‘major SCI events,’’ SCI entities must disseminate such information to those SCI entity members and participants reasonably estimated to have been affected by the event.446 In addition, dissemination of information to members or participants is permitted to be delayed for systems intrusions if such dissemination would likely compromise the security of the SCI entity’s systems or an investigation of the intrusion, and the SCI entity documents the reasons for such determination.447 Rule 1002(c)(4) of Regulation SCI provides exceptions to the dissemination requirements under Rule 1002(c) of Regulation SCI for SCI events to the extent they relate to market regulation or market surveillance systems and for SCI events that have had, or the SCI entity reasonably estimates would have, no or a de minimis impact on the SCI entity’s operations or on market participants.448

446 See 17 CFR 242.1002(c)(3).
447 See 17 CFR 242.1002(c)(2).
448 See 17 CFR 242.1002(c)(4).

Rule 1000 sets out the definition of systems intrusion, which means any unauthorized entry into the SCI systems or indirect SCI systems of an SCI entity. The Commission proposes to amend the definition of systems intrusion in Rule 1000 to include cybersecurity events that disrupt, or significantly degrade, the normal operation of an SCI system and significant attempted unauthorized entries into the SCI systems or indirect SCI systems of an SCI entity, as determined by the SCI entity pursuant to established reasonable written criteria. SCI entities would be required to report information concerning these systems intrusions pursuant to Rule 1002(b). The Commission believes that it is appropriate to expand the definition of systems intrusion to include the two additional types of cybersecurity events described above, which are not part of the current definition. The additional notifications that would result from the proposed revised definition of systems intrusion would provide the Commission and its staff more complete information to assess the security status of the SCI entity, and also to assess the impact or potential impact that unauthorized activity could have on the security of the SCI entity’s affected systems as well as on other SCI entities and market participants. The proposed revisions to Rule 1002(b) would eliminate the de minimis exception’s applicability to systems intrusions, thus requiring all systems intrusions, whether de minimis or non-de minimis, to be reported pursuant to Rule 1002(b)(1) through (4). The Commission would also amend the information required under Rule 1002(b)(4)(ii) to be included in the interim and final written notifications to include a copy of any information disseminated pursuant to Rule 1002(c) by an SCI broker-dealer to its customers. The Commission would use this information to be aware of potential and actual security threats to SCI entities, including threats that may extend to other market participants in the securities markets, including other SCI entities.

As a result of the amendment to the definition of systems intrusions, SCI entities would be required to disseminate information to members and participants pursuant to Rule 1002(c)(2) concerning cybersecurity events not currently covered by the rule. This would have the effect of increasing the number of SCI events that would be required to be disseminated. Further, in connection with the expansion of Regulation SCI to SCI broker-dealers, amended Rule 1002(c)(3) would require that SCI broker-dealers promptly disseminate information about major SCI events to all of their customers and, for SCI events that are not major SCI events, to customers that any responsible SCI personnel subsequently reasonably estimates may have been affected by the SCI event.
Such information would be used by the SCI entity’s members and participants, and in the case of an SCI broker-dealer, its customers, to better understand the threats faced by the SCI entity, evaluate the event’s impact on their trading or other business with the SCI entity, and formulate a response, thereby advancing the Commission’s goal of promoting fair and orderly markets and investor protection. The proposed revisions to Rule 1002(c), however, would exclude systems intrusions that are significant attempted unauthorized entries into the SCI systems or indirect SCI systems of an SCI entity from the information dissemination requirements of Rule 1002(c)(1) through (3).449

3. Rule 1003 of Regulation SCI

Rule 1003(a) establishes reporting burdens for all SCI entities. Rule 1003(a)(1) requires each SCI entity to submit to the Commission quarterly reports describing completed, ongoing, and planned material changes to its SCI systems and the security of indirect SCI systems during the prior, current, and subsequent calendar quarters, including the dates or expected dates of commencement and completion.450 Under 17 CFR 242.1003(a)(2) (‘‘Rule 1003(a)(2)’’), each SCI entity is required to promptly submit a supplemental report notifying the Commission of a material error in or material omission from a report previously submitted under Rule 1003(a)(1).
Rule 1003(b) of Regulation SCI also requires that an SCI entity conduct an ‘‘SCI review’’ not less than once each calendar year.451 ‘‘SCI review’’ is defined in Rule 1000 of Regulation SCI to mean a review, following established procedures and standards, that is performed by objective personnel having appropriate experience to conduct reviews of SCI systems and indirect SCI systems, and which review contains: (1) a risk assessment with respect to such systems of an SCI entity; and (2) an assessment of internal control design and effectiveness of its SCI systems and indirect SCI systems to include logical and physical security controls, development processes, and information technology governance, consistent with industry standards. Rule 1003(b)(2) requires each SCI entity to submit a report of the SCI review to senior management no more than 30 calendar days after completion of the review.452 Rule 1003(b) requires that penetration test reviews of the network, firewalls, and production systems shall be conducted at a frequency of not less than once every three years and that assessments of SCI systems directly supporting market regulation or market surveillance shall be conducted at a frequency based upon the risk assessment conducted as part of the SCI review, but in no case less than once every three years.453 Rule 1003(b)(2) requires the submission of a report of the SCI review to senior management of the SCI entity for review no more than 30 calendar days after completion of such SCI review.454 Rule 1003(b)(3) requires each SCI entity to submit the report of the SCI review to the Commission and to its board of directors or the equivalent of such board, together with any response by senior management, within 60 calendar days after its submission to senior management.455

449 See proposed amended Rule 1002(c)(4).
450 See 17 CFR 242.1003(a).
451 See 17 CFR 242.1003(b).
452 See 17 CFR 242.1003(b)(2).
453 See 17 CFR 242.1003(b)(1)(i) and (ii).
454 See 17 CFR 242.1003(b)(2).
455 See 17 CFR 242.1003(b)(3).

The Commission is proposing revisions to Rule 1003(b) and the definition of SCI review. The Commission is proposing to increase the frequency of penetration testing by SCI entities such that they are conducted at least annually, rather than once every three years, and that the penetration tests include any of the vulnerabilities of its SCI systems and indirect SCI systems identified pursuant to Rule 1001(a)(2)(iv).456 The Commission would use this more frequent reporting to obtain more up-to-date information regarding an SCI entity’s systems vulnerabilities and to help the Commission with its oversight of U.S. securities market technology infrastructure. In addition, the Commission is proposing a number of revisions to the requirements relating to SCI reviews and for the reports SCI entities submit (both to their board of directors as well as to the Commission). The definition of SCI review in Rule 1000 is proposed to contain the substantive requirements for an SCI review, which would be required to be ‘‘a review, following established and documented procedures and standards, that is performed by objective personnel having appropriate experience to conduct reviews of SCI systems and indirect SCI systems . . .’’ 457 The Commission proposes to amend the definition of SCI review in Rule 1000 to require that the SCI review: (1) use appropriate risk management methodology, (2) include third-party provider management risks and controls, (3) include the risks related to the capacity, integrity, resiliency, availability, and security, and (4) include systems capacity and availability and information technology service continuity within the review of internal control design and operating effectiveness.458 The Commission also proposes to amend Rule 1003(b)(2) to require that the SCI review be conducted in each calendar year during which the entity was an SCI entity for any part of that calendar year and that the SCI entity submit the associated report of the SCI review to the SCI entity’s senior management and board, as well as to the Commission.459 The Commission proposes to amend Rule 1003(b)(2) to specify that certain elements be included in the report of the SCI review, namely: (1) the dates the SCI review was conducted and the date of completion; (2) the entity or business unit of the SCI entity performing the review; (3) a list of the controls reviewed and a description of each such control; (4) the findings of the SCI review with respect to each SCI system and indirect SCI system, which shall include, at a minimum, assessments of: the risks related to the capacity, integrity, resiliency, availability, and security; internal control design and operating effectiveness; and an assessment of third-party provider management risks and controls; (5) a summary, including the scope of testing and resulting action plan, of each penetration test review conducted as part of the SCI review; and (6) a description of each deficiency and weakness identified by the SCI review.460 The Commission also proposes to amend Rule 1003(b)(3) to require a response to the report of the SCI review from senior management and to require that the date the report was submitted to senior management be submitted to the Commission and the board of directors, and that the response from senior management include a response for each deficiency and weakness identified by the SCI review, and the associated mitigation and remediation plan and associated dates for each.461 The additional requirements and details are designed to ensure SCI reviews contain certain baseline information and are based on the appropriate risk management methodology. The enhanced SCI review and corresponding report would provide the Commission and its staff greater insight into the SCI entity’s compliance with Regulation SCI and would more thoroughly assist the staff in determining how to follow up with the SCI entity in reviewing and addressing any identified weaknesses and vulnerabilities. The Commission would use this additional reporting and information to further improve the Commission’s oversight of the technology infrastructure of SCI entities.

456 See 17 CFR 242.1000.
457 See id.
458 See id.
459 See 17 CFR 242.1003(b)(2) and (3).
460 See 17 CFR 242.1003(b)(2).
461 See 17 CFR 242.1003(b)(3).

4. Rule 1004 of Regulation SCI

Rule 1004 of Regulation SCI requires SCI entities to, with respect to an SCI entity’s business continuity and disaster recovery plans, including its backup systems: (a) establish standards for the designation of those members or participants that the SCI entity reasonably determines are, taken as a whole, the minimum necessary for the maintenance of fair and orderly markets in the event of the activation of such plans; (b) designate members or participants pursuant to such standards and require participation by such designated members or participants in scheduled functional and performance testing of the operation of such plans, in the manner and frequency specified by the SCI entity, provided that such frequency shall not be less than once every 12 months; and (c) coordinate the testing of such plans on an industry- or sector-wide basis with other SCI entities.462 The Commission is proposing to include certain third-party providers in the BC/DR testing requirements of Rule 1004. Specifically, an SCI entity would be required to establish standards for the designation of third-party providers (in addition to members or participants) that it determines are, taken as a whole, the minimum necessary for the maintenance of fair and orderly markets in the event of the activation of the SCI entity’s BC/DR plans.
In addition, Rule 1004 would require each SCI entity to designate such third-party providers (in addition to members or participants) pursuant to such standards and require their participation in the scheduled functional and performance testing of the operation of such BC/DR plans.463 The Commission believes that the requirement that SCI entities establish standards that require designated third-party providers to participate in the testing of their business continuity and disaster recovery plans will help reduce the risks associated with an SCI entity’s decision to activate its BC/DR plans and help to ensure that such plans operate as intended, if activated. The testing participation requirement should help an SCI entity to ensure that its efforts to develop effective BC/DR plans are not undermined by a lack of participation by third-party providers that the SCI entity believes are necessary to the successful activation of such plans. This requirement should also assist the Commission in maintaining fair and orderly markets in a BC/DR scenario following a wide-scale disruption.

462 See 17 CFR 242.1003(b)(4).
463 See id.

5. Rule 1005 and 1007 of Regulation SCI

Rule 1005 of Regulation SCI requires SCI entities to make, keep, and preserve certain records related to their compliance with Regulation SCI.464 Rule 1007 sets forth requirements for an SCI entity whose Regulation SCI records are prepared or maintained by a service bureau or other recordkeeping service on behalf of the SCI entity.465 Rule 1005(c) specifies that records required to be made, kept, and preserved by Rule 1005 must remain accessible to the Commission and its representatives for the period required by Rule 1005 in cases where an SCI entity ceases to do business or ceases to be registered under the Exchange Act.466 The Commission proposes to add that this survival provision similarly applies to an SCI entity that ‘‘otherwise [ceases] to be an SCI entity.’’ 467 This addition accounts for circumstances not expressly covered; specifically, the circumstance in which an SCI entity continues to do business or remains a registered entity, but may cease to qualify as an SCI entity (e.g., an SCI ATS that no longer satisfies a volume threshold). Such entities would not be excepted from complying with the recordkeeping provisions of Rule 1005. The Commission believes the records of entities that ceased being SCI entities are important for assisting the Commission and its staff in understanding whether such an SCI entity met its obligations under Regulation SCI, assessing whether such an SCI entity had appropriate policies and procedures with respect to its technology systems, helping to identify the causes and consequences of an SCI event, and understanding the types of material systems changes that occurred at such an SCI entity. The Commission expects this revision to facilitate the Commission’s inspections and examinations of SCI entities that have ceased to be SCI entities and assist it in evaluating such SCI entity’s previous compliance with Regulation SCI.
Furthermore, having an SCI entity’s records available even after it has ceased to be an SCI entity should provide an additional tool to help the Commission to reconstruct important market events and better understand the impact of such events. There are no amendments to Rule 1007, which sets forth requirements for a SCI entity whose Regulation SCI records are prepared or maintained by a service bureau or other recordkeeping service on behalf of the SCI entity. 6. Rule 1006 of Regulation SCI Rule 1006 requires each SCI entity, with a few exceptions, to file any notification, review, description, analysis, or report to the Commission required under Regulation SCI electronically on Form SCI.468 There are 23205 no amendments to this section. The Commission staff would use the collection of information in its examination and oversight program in identifying patterns and trends across registrants. C. Respondents The collection of information requirements contained in Regulation SCI apply to SCI entities. As of 2021, there were an estimated 47 Current SCI Entities (i.e., entities that met the definition of SCI entity) 469 that were subject to the requirements of Regulation SCI.470 The Commission preliminarily estimates that as a result of the proposed amendments to Rule 1000, there would be a total of 23 New SCI Entities (i.e., meet the amended definition of SCI entity) that would become subject to the requirements of Regulation SCI. Thus, the Commission preliminarily estimates that a total of 70 entities would be subject to the requirements of Regulation SCI. The Commission preliminarily believes that the remaining amendments would not add any additional respondents but would result in additional reporting burdens, which are discussed in section IV.D (Total Initial and Annual Reporting Burdens). 
The following table summarizes the estimated number of Current SCI Entities and New SCI Entities:

Type of SCI entity                 Number
Current SCI Entities               47
New SCI Entities:
  SBSDR (1)                        3
  SCI broker-dealers (2)           17
  Exempt Clearing Agencies (3)     3
Total New SCI Entities             23
Total SCI Entities                 70

1 See supra notes 118, 124 and accompanying text. As noted earlier, two SBSDRs are currently registered with the Commission. The Commission estimates for purposes of the PRA that one additional entity may seek to register as an SBSDR in the next three years, and so for purposes of this proposal the Commission has assumed three SBSDR respondents.
2 See supra note 219 and accompanying text.
3 See supra note 240 and accompanying text. As noted earlier, the Commission proposes to expand the scope of "SCI entity" to cover two additional exempt clearing agencies that are not subject to ARP, which are Euroclear Bank SA/NV and Clearstream Banking, S.A. The Commission estimates for purposes of the PRA that one additional entity may receive an exemption from registration as a clearing agency in the next three years, and so for purposes of this proposal the Commission has assumed three exempt clearing agency respondents.

464 See 17 CFR 242.1005. Rule 1005(a) of Regulation SCI relates to recordkeeping provisions for SCI SROs, whereas Rule 1005(b) relates to the recordkeeping provision for SCI entities other than SCI SROs.
465 See 17 CFR 242.1007.
466 See 17 CFR 242.1005(c).
467 See id.
468 See 17 CFR 242.1003(b)(6).
469 In 2020, the Commission amended Regulation SCI to add as SCI entities SCI competing consolidators, defined as competing consolidators that exceed a five percent consolidated market data gross revenue threshold over a specified time period. See Market Data Infrastructure Adopting Release, supra note 24. The Commission estimated that seven persons would meet the definition of SCI competing consolidator and be subject to Regulation SCI, two of which would be Current SCI Entities (as plan processors) and five of which would be new SCI competing consolidators, if they registered as competing consolidators and exceeded the threshold. See Extension Without Change of a Currently Approved Collection: Regulation SCI and Form SCI; ICR Reference No. 202111–3235–005; OMB Control No. 3235–0703 (Mar. 3, 2022), available at https://www.reginfo.gov/public/do/PRAViewDocument?ref_nbr=202111-3235-005 ("2022 PRA Supporting Statement"). Currently, no competing consolidators have registered with the Commission. As a result, no competing consolidators (in addition to the two current plan processors that are Current SCI Entities) are included as Current SCI Entities. To the extent that a competing consolidator registers with the Commission and qualifies as an SCI competing consolidator, it would be subject to the same additional burdens as Current SCI Entities as a result of the proposed amendments to Regulation SCI. The additional burdens for Current SCI Entities are set forth in section IV.D.
470 Proposed Collection; Comment Request; Extension: Regulation SCI, Form SCI; SEC File No. 270–653, OMB Control No. 3235–0703, 87 FR 3132.

D. Total Initial and Annual Reporting Burdens

As stated above, each requirement to disclose information, offer to provide information, or adopt policies and procedures constitutes a collection of information requirement under the PRA. We discuss below the collection of information burdens associated with the proposed rules and rule amendments.

1. Rule 1001

The rules under Regulation SCI that would require an SCI entity to establish policies and procedures are discussed more fully in section II.B, and the proposed amendments are discussed more fully in sections III.A and III.C above.

a. Rule 1001(a)

Current SCI Entities are already required to establish, maintain, and enforce policies and procedures pursuant to Rule 1001(a) and therefore already incur baseline initial471 and ongoing burden472 for complying with Rule 1001(a), so the amendments should only impose a burden required to comply with the additional requirements.473 Presently, none of the New SCI Entities are required to comply with the policies and procedures requirement of Rule 1001(a), but the proposed amendments will newly impose the baseline burden to develop and draft written policies and procedures and review and update annually such policies and procedures, as well as the additional burden to include the proposed requirements in the policies and procedures. The Commission estimates an initial compliance burden of 386 additional hours474 for Current SCI Entities and 890 hours475 for New SCI Entities. The Commission estimates an annual compliance burden of 58 hours476 for Current SCI Entities and 145 hours477 for New SCI Entities.478 The table below summarizes the initial and ongoing annual burden estimates for Current SCI Entities and New SCI Entities:

Respondent type        Estimated respondents (entities)   Burden type   Burden hours per entity (hours)   Estimated burden hours for all entities (respondents × hours per entity)
Current SCI Entities   47                                 Initial       386                               18,142
Current SCI Entities   47                                 Annual        58                                2,726
New SCI Entities       23                                 Initial       890                               20,470
New SCI Entities       23                                 Annual        145                               3,335

The table below summarizes the Commission’s estimates for the average internal cost of compliance for Current SCI Entities and New SCI Entities:

Respondent type        Estimated respondents (entities)   Burden type   Average internal cost of compliance per entity   Total internal cost of compliance (respondents × average cost per entity)
Current SCI Entities   47                                 Initial       $144,787 (1)                                     $6,804,989
Current SCI Entities   47                                 Annual        23,403 (2)                                       1,099,941
New SCI Entities       23                                 Initial       333,371 (3)                                      7,667,533
New SCI Entities       23                                 Annual        58,315 (4)                                       1,341,245

1 (139 Compliance Manager hours × $344) + (139 Attorney hours × $462) + (43 Senior Systems Analyst hours × $316) + (43 Operations Specialist hours × $152) + (15 Chief Compliance Officer hours × $589) + (7 Director of Compliance hours × $542) = $144,787. The Commission derived this estimate based on per hour figures from SIFMA’s Management & Professional Earnings in the Securities Industry 2013, modified by Commission staff to account for an 1,800-hour work-year and inflation, and multiplied by 5.35 to account for bonuses, firm size, employee benefits, and overhead.
2 (19 Compliance Manager hours × $344) + (19 Attorney hours × $462) + (5 Senior Systems Analyst hours × $316) + (5 Operations Specialist hours × $152) + (7 Chief Compliance Officer hours × $589) + (3 Director of Compliance hours × $542) = $23,403.
3 (320 Compliance Manager hours × $344) + (320 Attorney hours × $462) + (100 Senior Systems Analyst hours × $316) + (100 Operations Specialist hours × $152) + (33 Chief Compliance Officer hours × $589) + (17 Director of Compliance hours × $542) = $333,371.
4 (47 Compliance Manager hours × $344) + (47 Attorney hours × $462) + (13 Senior Systems Analyst hours × $316) + (13 Operations Specialist hours × $152) + (17 Chief Compliance Officer hours × $589) + (8 Director of Compliance hours × $542) = $58,315.

471 The Commission’s currently approved baseline for average compliance burden per SCI entity to develop and draft the policies and procedures required by Rule 1001(a) (except for 17 CFR 242.1001(a)(2)(vi) ("Rule 1001(a)(2)(vi)")) is 534 hours. See Extension Without Change of a Currently Approved Collection: Regulation SCI and Form SCI; ICR Reference No. 202111–3235–005; OMB Control No. 3235–0703 (Mar. 3, 2022), available at https://www.reginfo.gov/public/do/PRAViewDocument?ref_nbr=202111-3235-005 ("2022 PRA Supporting Statement"). Rule 1001(a)(2) currently requires six elements (excluding Rule 1001(a)(2)(vi)) to be included in the policies and procedures required by Rule 1001(a)(1). The burden hours for each element would be 89 hours per policy element (534 hours/6 policy elements).
472 The Commission’s currently approved baseline for average compliance burden per SCI entity to review and update the policies and procedures required by Rule 1001(a) (except for Rule 1001(a)(2)(vi)) is 87 hours. See 2022 PRA Supporting Statement, supra note 471. The burden hours for each element would be 14.5 hours per policy element (87 hours/6 policy elements).
473 The Commission estimates that the additional burden would be the result of the additions to Rule 1001(a)(2), specifically the proposed requirement in the BC/DR plan and the four proposed additional policy elements. The Commission does not anticipate that Current SCI Entities or New SCI Entities would incur any additional burden from the amendment to Rule 1001(a)(4) above and beyond the burden hours estimated for the policies and procedures in this release.
474 89 hours × 4 additional policy elements = 356 hours. The Commission estimates a one-time burden of 30 hours (one-third of 89 hours per policy element) for SCI entities to address the unavailability of third-party providers in their BC/DR plans. 356 hours + 30 hours = 386 hours. The burden hours include 139 Compliance Manager hours, 139 Attorney hours, 43 Senior System Analyst hours, 43 Operations Specialist hours, 15 Chief Compliance Officer hours, and 7 Director of Compliance hours.
475 534 baseline burden hours + 356 additional burden hours = 890 hours. The burden hours include 320 Compliance Manager hours, 320 Attorney hours, 100 Senior System Analyst hours, 100 Operations Specialist hours, 33 Chief Compliance Officer hours, and 17 Director of Compliance hours.
476 14.5 hours × 4 additional policy elements = 58 hours. The burden hours include 19 Compliance Manager hours, 19 Attorney hours, 5 Senior System Analyst hours, 5 Operations Specialist hours, 7 Chief Compliance Officer hours, and 3 Director of Compliance hours.
477 87 baseline burden hours + 58 additional burden hours = 145 hours. The burden hours include 47 Compliance Manager hours, 47 Attorney hours, 13 Senior System Analyst hours, 13 Operations Specialist hours, 17 Chief Compliance Officer hours, and 8 Director of Compliance hours.
478 The Commission recognizes that some of the Regulation SCI requirements and certain proposed requirements in the Exchange Act Cybersecurity Proposal rule may appear duplicative. The Commission believes that although the requirements are related, they are ultimately separate obligations. Thus, the Commission has not considered the requirements of the Exchange Act Cybersecurity Proposal rule in formulating its estimates.

The proposed amendments would newly impose a burden on New SCI Entities to comply with Rule 1001(a)(2)(vi), which requires the policies and procedures required by Rule 1001(a) to include standards that result in systems being designed, developed, tested, maintained, operated, and surveilled in a manner that facilitates the successful collection, processing, and dissemination of market data.479 The Commission estimates that New SCI Entities would incur an initial burden of 160 hours and an ongoing burden of 145 hours to annually review and update the policies and procedures.480 The table below summarizes the initial and ongoing annual burden estimates for New SCI Entities to comply with Rule 1001(a)(2)(vi):

Respondent type    Estimated respondents (entities)   Burden type   Burden hours per entity   Estimated burden hours for all entities (respondents × hours per entity)
New SCI Entities   23                                 Initial       160                       3,680
New SCI Entities   23                                 Annual        145                       3,335

The table below summarizes the Commission’s estimates for the average internal cost of compliance for New SCI Entities:

Respondent type    Estimated respondents (entities)   Burden type   Average internal cost of compliance per entity   Total internal cost of compliance (respondents × average cost per entity)
New SCI Entities   23                                 Initial       $60,980 (1)                                      $1,402,540
New SCI Entities   23                                 Annual        52,380 (2)                                       1,204,740

1 (100 Senior Systems Analyst hours × $316) + (20 Chief Compliance Officer hours × $589) + (10 Director of Compliance hours × $542) + (30 Compliance Attorney hours × $406) = $60,980.
2 (100 Senior Systems Analyst hours × $316) + (10 Chief Compliance Officer hours × $589) + (5 Director of Compliance hours × $542) + (30 Compliance Attorney hours × $406) = $52,380.

479 Current SCI Entities would incur no additional burden as they are already required to include the required standards in their policies and procedures.
480 These estimates are consistent with the Commission-approved baseline initial and ongoing average compliance burdens per SCI entity. See 2022 PRA Supporting Statement, supra note 471. The 160 hour initial burden includes 100 Compliance Manager hours, 20 Chief Compliance Officer hours, 10 Director of Compliance hours, and 30 Compliance Attorney hours. The 145 annual burden hours include 100 Compliance Manager hours, 10 Chief Compliance Officer hours, 5 Director of Compliance hours, and 30 Compliance Attorney hours.

The Commission estimates that on average, Current SCI Entities would seek outside legal and/or consulting services to initially update their policies and procedures for the proposed additional requirements at a cost of $29,050 per SCI entity,481 while New SCI Entities would seek such services in the initial preparation of the policies and procedures (including the proposed requirements) at a cost of $73,800 per SCI entity.482

Respondent type        Estimated respondents (entities)   Average external cost per entity   Total external cost of compliance (respondents × average external cost per entity)
Current SCI Entities   47                                 $29,050                            $1,365,350
New SCI Entities       23                                 73,800                             1,697,400

481 The Commission’s currently approved baseline for annualized recordkeeping cost per SCI entity to consult outside legal and/or consulting services in the initial preparation of policies and procedures required by Rule 1001(a) is $47,000. See 2022 PRA Supporting Statement, supra note 471. Rule 1001(a)(2) currently requires seven elements (including Rule 1001(a)(2)(vi)) to be included in the policies and procedures required by Rule 1001(a)(1). The cost per element would be approximately $6,700 per policy element ($47,000/7 policy elements = $6,714). As noted earlier, the Commission proposes to add four additional elements to the policies and procedures. $6,700 per policy element × 4 additional policy elements = $26,800. The Commission also estimates a one-time burden of approximately $2,250 per SCI entity (one-third of $6,700 per policy element) to address the unavailability of third-party providers in their BC/DR plans. $26,800 + $2,250 = $29,050.
482 $47,000 + $26,800 = $73,800.

b. Rule 1001(b)

New SCI Entities would be required to meet the requirements of Rule 1001(b), which requires each SCI entity to establish, maintain, and enforce systems compliance policies. The Commission estimates a compliance burden of 270 hours initially to design the systems compliance policies and procedures and 95 hours annually to review and update such policies and procedures.483 The table below summarizes the initial and ongoing annual burden estimates for New SCI Entities to comply with Rule 1001(b):

Respondent type    Estimated respondents   Burden type   Burden hours per entity   Estimated burden hours for all entities (respondents × hours per entity)
New SCI Entities   23                      Initial       270                       6,210
New SCI Entities   23                      Annual        95                        2,185

The table below summarizes the Commission’s estimates for the average internal cost of compliance for New SCI Entities:

Respondent type    Estimated respondents (entities)   Burden type   Average internal cost of compliance per entity   Total internal cost of compliance (respondents × average cost per entity)
New SCI Entities   23                                 Initial       $96,640 (1)                                      $2,222,720
New SCI Entities   23                                 Annual        35,140 (2)                                       808,220

1 (200 Senior Systems Analyst hours × $316) + (20 Chief Compliance Officer hours × $589) + (10 Director of Compliance hours × $542) + (40 Compliance Attorney hours × $406) = $96,640.
2 (66 Senior Systems Analyst hours × $316) + (10 Chief Compliance Officer hours × $589) + (5 Director of Compliance hours × $542) + (14 Compliance Attorney hours × $406) = $35,140.

In establishing, maintaining, and enforcing the policies and procedures required by Rule 1001(b), the Commission believes that each new SCI entity will seek outside legal and/or consulting services in the initial preparation of such policies and procedures. The total annualized cost of seeking outside legal and/or consulting services will be $621,000.484

483 The Commission estimates that the burden for New SCI Entities is consistent with the Commission’s current approved baselines for the initial and ongoing burdens. For the initial recordkeeping burden, this baseline is 270 hours (40 Compliance Attorney hours + 200 Senior System Analyst hours + 20 Chief Compliance Officer hours + 10 Director of Compliance hours). The Commission estimated separate baselines for the ongoing recordkeeping burden for SCI SROs and entities that were not SROs. Since none of the entities that would potentially be subject to Regulation SCI as a result of the proposed amendments are SROs, the Commission is basing its estimates on the baseline for non-SROs. The Commission’s current approved baseline for the ongoing recordkeeping burden for entities that are not SROs is 95 hours (14 Compliance Attorney hours + 66 Senior System Analyst hours + 10 Chief Compliance Officer hours + 5 Director of Compliance hours). See 2022 PRA Supporting Statement, supra note 471.
484 The Commission estimates that the cost for outside legal and/or consulting services for New SCI Entities is consistent with the Commission’s current approved baselines, which is $27,000 per new SCI entity. See 2022 PRA Supporting Statement, supra note 471. $27,000 for the first year × 23 New SCI Entities = $621,000.

c. Rule 1001(c)

The proposed amendments would newly impose a burden on New SCI Entities to develop and maintain policies to comply with Rule 1001(c), relating to the policies for designation of responsible SCI personnel. The Commission estimates a compliance burden of 114 hours initially to design such policies and procedures and 39 hours annually to review and update such policies and procedures.485 The table below summarizes the initial and ongoing annual burden estimates for New SCI Entities to comply with Rule 1001(c):

Respondent type    Estimated respondents   Burden type   Burden hours per entity   Estimated burden hours for all entities (respondents × hours per entity)
New SCI Entities   23                      Initial       114                       2,622
New SCI Entities   23                      Annual        39                        897

The table below summarizes the Commission’s estimates for the average internal cost of compliance for New SCI Entities:
Respondent type    Estimated respondents (entities)   Burden type   Average internal cost of compliance per entity   Total internal cost of compliance (respondents × average cost per entity)
New SCI Entities   23                                 Initial       $47,672 (1)                                      $1,096,456
New SCI Entities   23                                 Annual        17,427 (2)                                       400,821

1 (32 Compliance Manager hours × $344) + (32 Attorney hours × $462) + (10 Senior Systems Analyst hours × $316) + (10 Operations Specialist hours × $152) + (20 Chief Compliance Officer hours × $589) + (10 Director of Compliance hours × $542) = $47,672.
2 (9.5 Compliance Manager hours × $344) + (9.5 Attorney hours × $462) + (2.5 Senior Systems Analyst hours × $316) + (2.5 Operations Specialist hours × $152) + (10 Chief Compliance Officer hours × $589) + (5 Director of Compliance hours × $542) = $17,427.

The Commission does not expect SCI entities to incur any external PRA costs in connection with the policies and procedures required under Rule 1001(c).

485 The Commission’s current approved baseline is 114 hours for the initial burden to establish the criteria for identifying responsible SCI personnel and the escalation procedures (32 Compliance Manager hours + 32 Attorney hours × $412 + 10 Senior Systems Analyst hours × $282 + 10 Operations Specialist hours × $135 + 20 Chief Compliance Officer hours × $526 + 10 Director of Compliance). The Commission’s approved baseline is 39 hours for the ongoing burden to annually review and update the criteria and the escalation procedures (9.5 Compliance Manager hours + 9.5 Attorney hours + 2.5 Senior Systems Analyst hours + 2.5 Operations Specialist hours + 10 Chief Compliance Officer hours + 5 Director of Compliance hours). See 2022 PRA Supporting Statement, supra note 471.

2. Rule 1002

The rules under Regulation SCI that would require an SCI entity to take corrective action, provide certain notifications and reports, and disseminate certain information regarding SCI events are discussed more fully in section II.B, and the proposed amendments are discussed more fully in sections III.A and III.C above.

a. Rule 1002(a)

As noted above, Rule 1002(a) requires each SCI entity, upon any responsible SCI personnel having a reasonable basis to conclude that an SCI event has occurred, to begin to take appropriate corrective action. The Commission has previously expressed the view that Rule 1002(a) would likely result in SCI entities developing and revising their processes for corrective action.486 The Commission believes that the requirement to take corrective action for these additional systems intrusions would likely result in SCI entities updating their processes for corrective action.487 The Commission continues to believe that Rule 1002(a) will likely result in SCI entities developing and revising their processes for corrective action as well as reviewing them annually.488 Current SCI Entities are already required to take corrective action pursuant to Rule 1002(a) and therefore already incur the initial489 and ongoing490 baseline burdens for developing and revising their corrective action process, so the amendments should only impose a one-time burden required to update the procedures to account for the additional types of systems intrusions.491 The Commission estimates that the one-time burden for each SCI entity to include in its corrective action process the proposed systems intrusions would be 20% of the 114 hours baseline burden.492 Presently, the New SCI Entities are not required to comply with the requirement in Rule 1002(a) to take corrective action, but the proposed amendments will newly impose these burdens, including the burden for incorporating the additional systems intrusions into the corrective action process. For Current SCI Entities, the Commission estimates a one-time compliance burden of 23 hours. For New SCI Entities, the Commission estimates an initial burden of 137 hours493 and an annual compliance burden of 39 hours.494 The table below summarizes the initial and ongoing annual burden estimates for Current SCI Entities and New SCI Entities:

Respondent type        Estimated respondents   Burden type       Burden hours per SCI entity   Burden hours for all respondents (respondents × hours per SCI entity)
Current SCI Entities   47                      One-time burden   23                            1,081
New SCI Entities       23                      Initial           137                           3,151
New SCI Entities       23                      Ongoing           39                            897

The table below summarizes the Commission’s estimates for the cost of compliance for Current SCI Entities and New SCI Entities:

Respondent type        Estimated respondents   Burden type       Average internal cost of compliance per entity   Total internal cost of compliance (respondents × average cost per entity)
Current SCI Entities   47                      One-time burden   $9,556 (1)                                       $449,132
New SCI Entities       23                      Initial           57,228 (2)                                       1,316,244
New SCI Entities       23                      Ongoing           17,258 (3)                                       396,934

1 (7 Compliance Manager hours × $344) + (6 Attorney hours × $462) + (2 Senior Systems Analyst hours × $316) + (2 Operations Specialist hours × $152) + (4 Chief Compliance Officer hours × $589) + (2 Director of Compliance hours × $542) = $9,556.
2 (39 Compliance Manager hours × $344) + (38 Attorney hours × $462) + (12 Senior Systems Analyst hours × $316) + (12 Operations Specialist hours × $152) + (24 Chief Compliance Officer hours × $589) + (12 Director of Compliance hours × $542) = $57,228.
3 (9 Compliance Manager hours × $344) + (9 Attorney hours × $462) + (3 Senior Systems Analyst hours × $316) + (3 Operations Specialist hours × $152) + (10 Chief Compliance Officer hours × $589) + (5 Director of Compliance hours × $542) = $17,258.

The Commission does not expect SCI entities to incur any external PRA costs in connection with the requirement to take corrective actions under Rule 1002(a).

486 See 2022 PRA Supporting Statement, supra note 471.
487 The Commission’s estimate includes the amendments to the definition of systems intrusions adding (1) cybersecurity events that disrupt, or significantly degrade, the normal operation of an SCI system and (2) significant attempted unauthorized entries into the SCI systems or indirect SCI systems of an SCI entity. It does not include the systems intrusions that would previously have been classified as de minimis events because Current SCI Entities are already required to take corrective action to resolve such SCI events.
488 See 2022 PRA Supporting Statement, supra note 471.
489 The Commission’s currently approved baseline for average compliance burden per respondent to develop a process for corrective action is 114 hours (32 Compliance Manager hours + 32 Attorney hours + 10 Senior Systems Analyst hours + 10 Operations Specialist hours + 20 Chief Compliance Officer hours + 10 Director of Compliance hours). See 2022 PRA Supporting Statement, supra note 471.
490 The average compliance burden for each SCI entity to review their process is 39 hours (9 Compliance Manager hours + 9 Attorney hours + 3 Senior Systems Analyst hours + 3 Operations Specialist hours + 10 Chief Compliance Officer hours + 5 Director of Compliance hours). See 2022 PRA Supporting Statement, supra note 471.
491 The Commission also proposes to remove the option for SCI entities to classify systems intrusions as de minimis and potentially report them pursuant to Rule 1002(b)(5) on the quarterly SCI reports as de minimis events. SCI entities would instead report these systems intrusions pursuant to Rule 1002(b)(1) through (4). The Commission believes that the burden for developing a corrective action plan for these systems intrusions is already incorporated in the baseline burden estimates. See supra notes 489–490.
492 114 hours × 0.20 = 23 hours. The burden hours include 7 Compliance Manager hours, 6 Attorney hours, 2 Senior Systems Analyst hours, 2 Operations Specialist hours, 4 Chief Compliance Officer hours, and 2 Director of Compliance hours.
493 114 baseline burden hours + 23 burden hours for additional systems intrusions = 137 hours. The burden hours include 39 Compliance Manager hours, 38 Attorney hours, 12 Senior Systems Analyst hours, 12 Operations Specialist hours, 24 Chief Compliance Officer hours, and 12 Director of Compliance hours.
494 The Commission estimates that the ongoing recordkeeping burden for each New SCI Entity to review its corrective action process would be the same as the baseline ongoing recordkeeping burden of 39 hours. See supra note 490.

b. Rule 1002(b)(1) Through (4)

As noted earlier, SCI entities have certain reporting obligations regarding SCI events. Current SCI Entities are already required to submit the notifications, updates, and reports required by Rule 1002(b)(1) through (4) and therefore already incur a baseline burden. As a result of the additional systems intrusions, including the amendments to the definition of systems intrusions and the exclusion of systems intrusions from de minimis SCI events required to be reported to the Commission, Current SCI Entities could potentially incur new burdens pursuant to Rule 1002(b)(1) through (4) for reporting additional SCI events that they currently either do not report or report quarterly as de minimis. As proposed, New SCI Entities would for the first time be required to provide the submissions required by Rule 1002(b)(1) through (4) and would bear the existing burden for compliance with Rule 1002(b)(1) through (4) and the additional burden to report the proposed systems intrusions.

The Commission estimates that on average each Current SCI Entity will experience an additional three SCI events each year that are not de minimis SCI events495 and New SCI Entities will experience an average of eight SCI events each year that are not de minimis SCI events.496 As a result, pursuant to Rule 1002(b)(1), which requires immediate notification of SCI events, the Commission estimates that each Current SCI Entity will submit, on average, an additional three notifications per year beyond the current baseline,497 and each New SCI Entity will submit eight notifications per year.498 These notifications can be made orally or in writing, and the Commission estimates that approximately one-fourth of these notifications will be submitted in writing (i.e., approximately one event per year for each Current SCI Entity and two events per year for each New SCI Entity499), and approximately three-fourths will be provided orally (i.e., approximately two events per year for each Current SCI Entity500 and six events per year for each New SCI Entity501). The Commission estimates that each written notification will require two hours and each oral notification will require 1.5 hours.502 The Commission estimates a burden of 5 hours503 for each Current SCI Entity and 13 hours504 for each New SCI Entity.

495 The Commission’s currently approved baseline for the number of SCI events is five events per year that are not de minimis. See 2022 PRA Supporting Statement, supra note 471. The Commission estimates that as a result of the additional systems intrusions that SCI entities would be required to report, the number of SCI events would increase by three events per year that are not de minimis.
496 The Commission estimates that each New SCI Entity would experience the baseline burden of five SCI events and three additional SCI events, for a total of eight SCI events that are not de minimis.
497 The Commission’s currently approved baseline for the number of notifications submitted by an SCI entity pursuant to Rule 1002(b)(1) is five notifications per year, with one-fourth of the five notifications submitted in writing (i.e., approximately one event per year for each SCI entity), and approximately three-fourths provided orally (i.e., approximately four events per year for each SCI entity). See 2022 PRA Supporting Statement, supra note 471. The Commission estimates that the proposed systems intrusions will result in each SCI entity submitting three additional notifications, one for each of the three estimated additional SCI events.
The table below summarizes the initial and ongoing annual burden estimates for Current SCI Entities and New SCI Entities:

Respondent type | Estimated respondents (entities) | Burden hours per SCI entity | Burden hours for all respondents (estimated respondents × burden hours per SCI entity)
Current SCI Entities | 47 | 5 | 235
New SCI Entities | 23 | 13 | 299

The table below summarizes the Commission’s estimates for the average internal cost of compliance associated with the ongoing reporting burden for Current SCI Entities and New SCI Entities:

Respondent type | Estimated respondents (entities) | Average internal cost of compliance per SCI entity | Total internal cost of compliance (estimated respondents × average internal cost of compliance per entity)
Current SCI Entities | 47 | $1,737.50 (1) | $81,663
New SCI Entities | 23 | $4,499 (2) | $103,477

1 The average internal cost of compliance for each Current SCI Entity to submit an additional written notification per year is $713.50: (0.5 Compliance Manager hours × $344) + (0.5 Attorney hours × $462) + (0.5 Senior Systems Analyst hours × $316) + (0.5 Senior Business Analyst hours × $305) = $713.50 per written notification. $713.50 × 1 written notification each year = $713.50. (0.25 Compliance Manager hours × $344) + (0.25 Attorney hours × $462) + (0.5 Senior Systems Analyst hours × $316) + (0.5 Senior Business Analyst hours × $305) = $512 per oral notification. $512 × 2 oral notifications each year = $1,024. $713.50 + $1,024 = $1,737.50.
2 $713.50 per written notification × 2 written notifications + $512 per oral notification × 6 oral notifications = $4,499.

The Commission estimates that each notification submitted pursuant to Rule 1002(b)(2) will require 24 hours per SCI entity.505 The Commission estimates an average of 72 hours 506 for each Current SCI Entity and 192 hours 507 for each New SCI Entity to submit the 24-hour written notifications required by Rule 1002(b)(2). The table below summarizes the initial and ongoing annual burden estimates for Current SCI Entities and New SCI Entities:

Respondent type | Estimated respondents (entities) | Burden hours per SCI entity | Burden hours for all respondents (estimated respondents × burden hours per SCI entity)
Current SCI Entities | 47 | 72 | 3,384
New SCI Entities | 23 | 192 | 4,416

The table below summarizes the Commission’s estimates for the cost of compliance associated with the ongoing reporting burden for Current SCI Entities and New SCI Entities:

Respondent type | Estimated respondents (entities) | Average internal cost of compliance per SCI entity | Total internal cost of compliance (estimated respondents × average internal cost of compliance per entity)
Current SCI Entities | 47 | $26,589 (1) | $1,249,683
New SCI Entities | 23 | $70,904 (2) | $1,630,792

1 The average internal cost of compliance for each Current SCI Entity to submit an additional written notification per year is $8,863 per notification ((5 Compliance Manager hours × $344) + (5 Attorney hours × $462) + (6 Senior Systems Analyst hours × $316) + (1 Assistant General Counsel hour × $518) + (6 Senior Business Analyst hours × $305) + (1 Chief Compliance Officer hour × $589)). $8,863 per notification × 3 notifications each year = $26,589.
2 $8,863 per notification × 8 notifications each year = $70,904.

As for Rule 1002(b)(3), the Commission estimates that, based on past experience, each Current SCI Entity will submit 1 additional written update and 1 additional oral update each year and each New SCI Entity will submit 2 written updates (on Form SCI) and 2 oral updates.508 The Commission estimates that each written update will require 6 hours and each oral update will require 4.5 hours.509 The Commission estimates a total burden of 10.5 hours 510 for Current SCI Entities and 21 hours 511 for New SCI Entities. The table below summarizes the initial and ongoing annual burden estimates for Current SCI Entities and New SCI Entities:

Respondent type | Estimated respondents (entities) | Burden hours per SCI entity | Burden hours for all respondents (estimated respondents × burden hours per SCI entity)
Current SCI Entities | 47 | 10.5 | 493.5
New SCI Entities | 23 | 21 | 483

The table below summarizes the Commission’s estimates for the cost of compliance associated with the ongoing reporting burden for Current SCI Entities and New SCI Entities:

Respondent type | Estimated respondents (entities) | Average internal cost of compliance per SCI entity | Total internal cost of compliance (estimated respondents × average internal cost of compliance per entity)
Current SCI Entities | 47 | $3,677 (1) | $172,819
New SCI Entities | 23 | $7,354 (2) | $169,142

1 The average internal cost of compliance for each SCI entity to submit an additional written update is $2,141 per update ((1.5 Compliance Manager hours × $344) + (1.5 Attorney hours × $462) + (1.5 Senior Systems Analyst hours × $316) + (1.5 Senior Business Analyst hours × $305)). The average internal cost of compliance for each SCI entity to submit an additional oral update is $1,536 ((0.75 Compliance Manager hours × $344) + (0.75 Attorney hours × $462) + (1.5 Senior Systems Analyst hours × $316) + (1.5 Senior Business Analyst hours × $305)). $2,141 + $1,536 = $3,677 for each Current SCI Entity to submit two additional updates (one written update and one oral update).
2 $2,141 per written update × 2 written updates per year + $1,536 per oral update × 2 oral updates per year = $7,354 for each New SCI Entity to submit updates in compliance with Rule 1002(b)(3).

498 The Commission estimates that each New SCI Entity will submit both the current baseline of five notifications and the additional three notifications, for a total of eight notifications. See supra note 497 (discussing the 3 additional notifications).
499 8 SCI events ÷ 4 = 2 SCI events reported in writing. The Commission estimates that each Current SCI Entity already reports one SCI event per year in writing. See 2022 PRA Supporting Statement, supra note 471. The Commission therefore estimates that they would report one additional SCI event in writing. New SCI Entities would report two SCI events in writing.
500 3 SCI events − 1 SCI event reported in writing = 2 SCI events reported orally.
501 8 SCI events − 2 SCI events reported in writing = 6 SCI events reported orally.
502 The Commission-approved baseline for the burden hours for each notification is 2 hours for written communications (0.5 Compliance Manager hours + 0.5 Attorney hours + 0.5 Senior Systems Analyst hours + 0.5 Senior Business Analyst hours) and 1.5 hours for oral communications (0.25 Compliance Manager hours + 0.25 Attorney hours + 0.5 Senior Systems Analyst hours + 0.5 Senior Business Analyst hours). See 2022 PRA Supporting Statement, supra note 471. The Commission does not believe that reporting the proposed systems intrusions would change the estimated burden hours.
503 1 written notification each year × 2 hours per notification + 2 oral notifications each year × 1.5 hours per notification = 5 hours.
504 2 written notifications each year × 2 hours per notification + 6 oral notifications each year × 1.5 hours per notification = 13 hours.
505 The Commission-approved baseline for the burden hours for each written notification is 24 hours (5 Compliance Manager hours + 5 Attorney hours + 6 Senior Systems Analyst hours + 1 Assistant General Counsel hour + 1 Chief Compliance Officer hour + 6 Senior Business Analyst hours) for each SCI entity. See 2022 PRA Supporting Statement, supra note 471.
506 3 additional notifications × 24 hours per notification = 72 hours. See supra note 497 (discussing the three additional notifications for each Current SCI Entity).
507 8 notifications × 24 hours per notification = 192 hours. See supra note 498 (discussing the eight notifications for each New SCI Entity).
508 The Commission’s currently approved baseline for the number of updates submitted by an SCI entity pursuant to Rule 1002(b)(3) is one written update and one oral update each year, for a total of two updates per year. See 2022 PRA Supporting Statement, supra note 471. The Commission estimates that as a result of the three additional SCI events resulting from the additional systems intrusions each SCI entity is potentially required to report, the total number of updates would increase to two written updates and two oral updates each year, for a total of four updates per year.
509 The Commission-approved baseline for the burden hours for each update is 6 hours for the written update (1.5 Compliance Manager hours + 1.5 Attorney hours + 1.5 Senior Systems Analyst hours + 1.5 Senior Business Analyst hours) and 4.5 hours for the oral update (0.75 Compliance Manager hours + 0.75 Attorney hours + 1.5 Senior Systems Analyst hours + 1.5 Senior Business Analyst hours). See 2022 PRA Supporting Statement, supra note 471. The Commission does not propose to change the estimated burden hours at this time and notes that the estimated hours for the Senior Systems Analyst and Senior Business Analyst regarding the oral update reflect a correction to a typographical error in the 2022 PRA Supporting Statement.
510 1 written notification × 6 hours per written notification + 1 oral notification × 4.5 hours per oral notification = 10.5 hours.
511 2 written notifications × 6 hours per written notification + 2 oral notifications × 4.5 hours per oral notification = 21 hours.
As for Rule 1002(b)(4), the Commission estimates that Current SCI Entities will submit an additional 3 reports per year above and beyond the current baseline 512 and New SCI Entities will submit 8 reports per year.513 The Commission estimates that compliance with Rule 1002(b)(4) for a particular SCI event will require 35 hours.514 The Commission estimates that each Current SCI Entity will incur 105 hours 515 and each New SCI Entity will incur 280 hours 516 to meet the requirements of Rule 1002(b)(4). The table below summarizes the initial and ongoing annual burden estimates for Current SCI Entities and New SCI Entities:

Respondent type | Estimated respondents (entities) | Burden hours per SCI entity | Burden hours for all respondents (estimated respondents × burden hours per SCI entity)
Current SCI Entities | 47 | 105 | 4,935
New SCI Entities | 23 | 280 | 6,440

The Commission estimates that the average internal cost of compliance per notification is $13,672.517 The table below summarizes the Commission’s estimates for the cost of compliance associated with the ongoing reporting burden for Current SCI Entities and New SCI Entities:

Respondent type | Estimated respondents (entities) | Average internal cost of compliance per notification | Average internal cost of compliance per SCI entity | Total internal cost of compliance (estimated respondents × average internal cost of compliance per entity)
Current SCI Entities | 47 | $13,672 | $41,016 (1) | $1,927,752
New SCI Entities | 23 | $13,672 | $109,376 (2) | $2,515,648

1 $13,672 per notification × 3 notifications each year = $41,016.
2 $13,672 per notification × 8 notifications per year = $109,376 average internal cost of compliance for each New SCI Entity.

c. Rule 1002(b)(5)

The Commission estimates that eliminating systems intrusions from the SCI events reported as de minimis events 518 on the quarterly reports reduces the burden for each SCI entity to submit the quarterly report by 10% compared to the current baseline, to 36 hours.519 Each Current SCI Entity would experience a decrease in its reporting burden of 4 hours per quarterly report,520 for a total decrease of 16 hours per SCI entity.521 As New SCI Entities are not currently required to meet this burden, they would newly incur a burden of 36 hours per report, for a total burden per SCI entity of 144 hours.522 The table below summarizes the initial and ongoing annual burden estimates for Current SCI Entities and New SCI Entities (parentheses indicate a decrease):

Respondent type | Estimated respondents (entities) | Number of reports | Hours per report | Burden hours per SCI entity (number of reports × hours per report) | Burden hours for all respondents (estimated respondents × burden hours per SCI entity)
Current SCI Entities | 47 | 4 | (4) | (16) | (752)
New SCI Entities | 23 | 4 | 36 | 144 | 3,312

The table below summarizes the Commission’s estimates for the average internal cost of compliance associated with the ongoing reporting burden for Current SCI Entities and New SCI Entities:

Respondent type | Estimated respondents (entities) | Number of reports | Internal cost of compliance per report | Average internal cost of compliance per SCI entity (number of reports × internal cost of compliance per report) | Total internal cost of compliance (estimated respondents × average internal cost of compliance per entity)
Current SCI Entities | 47 | 4 | $(1,513) (1) | $(6,052) (2) | $(284,444)
New SCI Entities | 23 | 4 | $13,619 (3) | $54,476 (4) | $1,252,948

1 (0.75 Compliance Manager hours × $344) + (0.75 Attorney hours × $462) + (1 Senior Systems Analyst hour × $316) + (0.2 Assistant General Counsel hours × $518) + (0.1 General Counsel hour × $663) + (0.2 Chief Compliance Officer hours × $589) + (1 Senior Business Analyst hour × $305) = $1,513.
2 $1,513 per notification × 4 notifications each year = $6,052 per Current SCI Entity.
3 (6.75 Compliance Manager hours × $344) + (6.75 Attorney hours × $462) + (9 Senior Systems Analyst hours × $316) + (1.8 Assistant General Counsel hours × $518) + (0.9 General Counsel hour × $663) + (1.8 Chief Compliance Officer hours × $589) + (9 Senior Business Analyst hours × $305) = $13,619.
4 $13,619 per notification × 4 notifications each year = $54,476 per New SCI Entity.

The Commission estimates that while SCI entities will handle internally most of the work associated with Rule 1002(b), SCI entities will seek outside legal advice in the preparation of certain Commission notifications. The Commission estimates that the total annual reporting cost of seeking outside legal advice is $5,800 per SCI entity.523 Because Rule 1002(b) will impose approximately 32 reporting requirements 524 per SCI entity per year, each required notification will require an average of $181.25.525 The total annual reporting costs for Current SCI Entities and New SCI Entities are summarized below:

Rule | Type of respondent | Number of respondents | Number of reporting requirements | Cost per reporting requirement | Cost per SCI entity (number of reporting requirements × cost per reporting requirement) | Total cost burdens (cost per SCI entity × number of respondents)
Rule 1002(b)(1) | Current SCI Entities | 47 | 3 | $181.25 | $544 | $25,556
Rule 1002(b)(1) | New SCI Entities | 23 | 8 | 181.25 | 1,450 | 33,350
Rule 1002(b)(2) | Current SCI Entities | 47 | 3 | 181.25 | 544 | 25,556
Rule 1002(b)(2) | New SCI Entities | 23 | 8 | 181.25 | 1,450 | 33,350
Rule 1002(b)(3) | Current SCI Entities | 47 | 2 | 181.25 | 363 | 17,038
Rule 1002(b)(3) | New SCI Entities | 23 | 4 | 181.25 | 725 | 16,675
Rule 1002(b)(4) | Current SCI Entities | 47 | 3 | 181.25 | 544 | 25,556
Rule 1002(b)(4) | New SCI Entities | 23 | 8 | 181.25 | 1,450 | 33,350
Rule 1002(b)(5) | Current SCI Entities | 47 | 0 | 181.25 | 0 | 0
Rule 1002(b)(5) | New SCI Entities | 23 | 4 | 181.25 | 725 | 16,675

d. Rule 1002(c)

The Commission anticipates that the proposed amendment will newly impose the information dissemination requirements of Rule 1002(c)(1) on New SCI Entities, and New SCI Entities will incur the same burdens that Current SCI Entities already incur to comply with these requirements.526 The table below summarizes the burden that would be newly imposed on New SCI Entities:

Rule | Respondent type | Estimated respondents | Number of disseminations | Hours per dissemination | Burden hours per SCI entity (number of disseminations × hours per dissemination) | Burden hours for all respondents (estimated respondents × burden hours per SCI entity)
Rule 1002(c)(1)(i) | New SCI Entities | 23 | 3 information disseminations (1) | 7 (2) | 21 | 483
Rule 1002(c)(1)(ii) and (iii) | New SCI Entities | 23 | 9 updates (3) | 13 (4) | 117 | 2,691

1 The Commission’s currently approved baseline for the number of each SCI entity’s information disseminations per year under Rule 1002(c)(1)(i) is three information disseminations. See 2022 PRA Supporting Statement, supra note 471.
2 The Commission’s currently approved baseline is that each information dissemination under Rule 1002(c)(1)(i) would require 7 hours. This includes 1 Compliance Manager hour, 2.67 Attorney hours, 1 Senior System Analyst hour, 0.5 General Counsel hours, 0.5 Director of Compliance hours, 0.5 Chief Compliance Officer hours, 0.5 Corporate Communications Manager hours, and 0.33 Webmaster hours. See 2022 PRA Supporting Statement, supra note 471.
3 The Commission’s currently approved baseline for Rule 1002(c)(1)(ii) and (iii) is that each SCI entity will disseminate three updates for each SCI event. 3 updates per SCI event × 3 SCI events = 9 updates each year.
4 The Commission’s currently approved baseline is that each information dissemination under Rule 1002(c)(1)(ii) and (iii) would require 13 hours. This includes 2 Compliance Manager hours, 4.67 Attorney hours, 2 Senior System Analyst hours, 1 General Counsel hour, 1 Director of Compliance hour, 1 Chief Compliance Officer hour, 1 Corporate Communications Manager hour, and 0.33 Webmaster hours. See 2022 PRA Supporting Statement, supra note 471, at 25–26.

512 The Commission’s currently approved baseline for the number of reports submitted by an SCI entity pursuant to Rule 1002(b)(4) is five reports per year. See 2022 PRA Supporting Statement, supra note 471. The Commission estimates that as a result of the increase in the estimated number of SCI events from five events to eight events, SCI entities would potentially be required to submit an additional three reports per year.
513 As noted earlier, the Commission estimates that New SCI Entities would submit both the baseline estimate of five reports and the additional three reports, for a total of eight reports.
514 The Commission’s currently approved baseline for the burden hours each SCI entity would incur to comply with Rule 1002(b)(4) for each SCI event is 35 hours (8 Compliance Manager hours + 8 Attorney hours + 7 Senior Systems Analyst hours + 2 Assistant General Counsel hours + 1 General Counsel hour + 2 Chief Compliance Officer hours + 7 Senior Business Analyst hours). See 2022 PRA Supporting Statement, supra note 471. The Commission does not propose to change the estimated burden hours at this time.
515 3 notifications each year × 35 hours per notification = 105 hours.
516 8 notifications each year × 35 hours per notification = 280 hours.
517 (8 Compliance Manager hours × $344) + (8 Attorney hours × $462) + (7 Senior Systems Analyst hours × $316) + (2 Assistant General Counsel hours × $518) + (1 General Counsel hour × $663) + (2 Chief Compliance Officer hours × $589) + (7 Senior Business Analyst hours × $305) = $13,672.
518 Systems intrusions, whether de minimis or non-de minimis, would be reported pursuant to Rules 1002(b)(1) through (4), as discussed earlier. See section III.C.3. The burdens for reporting all systems intrusions as non-de minimis events are discussed above. See supra notes 495–517 and accompanying text.
519 The Commission’s currently approved baseline for the initial and ongoing reporting burden to comply with the quarterly report requirement is 40 hours. See 2022 PRA Supporting Statement, supra note 471. 40 hours reduced by 10% = 36 hours. This estimate includes 7 hours for a Compliance Manager, 7 hours for an Attorney, 9 hours for a Senior Systems Analyst, 1 hour for an Assistant General Counsel, 9 hours for a Senior Business Analyst, 1 hour for a General Counsel, and 2 hours for a Chief Compliance Officer.
520 40 hours (baseline estimate) − 36 hours (revised estimate) = 4 hours per quarterly report. This estimate includes 0.75 hours for a Compliance Manager, 0.75 hours for an Attorney, 1 hour for a Senior Systems Analyst, 0.2 hours for an Assistant General Counsel, 1 hour for a Senior Business Analyst, 0.1 hours for a General Counsel, and 0.2 hours for a Chief Compliance Officer.
521 4 quarterly submissions per year × 4 hours per submission = 16 hours decrease per SCI entity.
522 4 quarterly submissions per year × 36 hours per submission = 144 hours per SCI entity.
523 The Commission-approved baseline for the annual reporting cost of seeking outside legal advice is $5,800 per SCI entity. See 2022 PRA Supporting Statement, supra note 471.
524 The Commission-approved baseline for the number of reporting requirements required by Rule 1002(b) is 21 requirements for each SCI entity. See 2022 PRA Supporting Statement, supra note 471. The proposed amendments add an additional 11 reporting requirements (3 immediate notifications + 3 24-hour notifications + 2 updates pertaining to an SCI event + 3 interim/final notifications). 21 + 11 = 32 reporting requirements.
525 $5,800 per SCI entity / 32 reporting requirements = $181.25 per reporting requirement.
526 Current SCI Entities are already required to comply with Rule 1002(c)(1). The burdens for compliance are summarized in the most recent PRA Supporting Statement. See 2022 PRA Supporting Statement, supra note 471. The proposed amendments impose no additional burden related to this section. The Commission does not anticipate that New SCI Entities would incur burdens beyond what is estimated in the 2022 PRA Supporting Statement.
The table below summarizes the Commission’s estimates for the average internal cost of compliance associated with the ongoing reporting burden for Current SCI Entities and New SCI Entities:

Rule | Respondent type | Estimated respondents (entities) | Average internal cost of compliance per SCI entity | Total internal cost of compliance (estimated respondents × average internal cost of compliance per entity)
Rule 1002(c)(1)(i) | New SCI Entities | 23 | $9,212 (1) | $211,876
Rule 1002(c)(1)(ii) and (iii) | New SCI Entities | 23 | $51,666 (2) | $1,188,318

1 (1 Compliance Manager hour × $344) + (2.67 Attorney hours × $462) + (1 Senior Systems Analyst hour × $316) + (0.5 General Counsel hour × $663) + (0.5 Chief Compliance Officer hours × $589) + (0.5 Director of Compliance hours × $542) + (0.5 Corporate Communications Manager hours × $378) + (0.33 Webmaster hours × $276) = $3,071. $3,071 per notification × 3 notifications each year = $9,212.
2 (2 Compliance Manager hours × $344) + (4.67 Attorney hours × $462) + (2 Senior Systems Analyst hours × $316) + (1 General Counsel hour × $663) + (1 Chief Compliance Officer hour × $589) + (1 Director of Compliance hour × $542) + (1 Corporate Communications Manager hour × $378) + (0.33 Webmaster hours × $276) = $5,741. $5,741 per notification × 9 notifications each year = $51,666.

With respect to the Rule 1002(c)(2) requirement to disseminate information regarding systems intrusions, the Commission estimates that each Current SCI Entity will disseminate information regarding 3 systems intrusions each year and each New SCI Entity will disseminate information regarding 4 systems intrusions each year.527 The Commission estimates that each dissemination under Rule 1002(c)(2) will require 10 hours.528 The table below summarizes the initial and ongoing annual burden estimates for Current SCI Entities and New SCI Entities:

Respondent type | Estimated respondents (entities) | Burden hours per SCI entity | Burden hours for all respondents (estimated respondents × burden hours per SCI entity)
Current SCI Entities | 47 | 30 (1) | 1,410
New SCI Entities | 23 | 40 (2) | 920

1 3 information disseminations × 10 hours per dissemination = 30 hours.
2 4 information disseminations × 10 hours per dissemination = 40 hours.

The Commission estimates that the average internal cost of compliance per notification is $4,406.529 The table below summarizes the Commission’s estimates for the cost of compliance associated with the ongoing reporting burden for Current SCI Entities and New SCI Entities:

Respondent type | Estimated respondents (entities) | Average internal cost of compliance per notification | Average internal cost of compliance per SCI entity | Total internal cost of compliance (estimated respondents × average internal cost of compliance per entity)
Current SCI Entities | 47 | $4,406 | $13,218 (1) | $621,246
New SCI Entities | 23 | $4,406 | $17,624 (2) | $405,352

1 $4,406 per notification × 3 information disseminations each year = $13,218.
2 $4,406 per notification × 4 information disseminations per year = $17,624.

The Commission believes SCI entities will seek outside legal advice in the preparation of the information dissemination under Rule 1002(c). The Commission estimates that the total annual reporting cost of seeking outside legal advice is $3,320 per SCI entity.530 Because Rule 1002(c) will impose approximately 16 third-party disclosure requirements 531 per SCI entity per year, each required disclosure will require an average of $207.50.532 The total annual reporting costs for Current SCI Entities and New SCI Entities are summarized below:

Rule | Respondent type | Number of respondents | Number of disclosures | Cost per disclosure | Cost per SCI entity (number of disclosures × cost per disclosure) | Total cost burdens (cost per SCI entity × number of respondents)
Rule 1002(c)(1)(i) | New SCI Entities | 23 | 3 | $207.50 | $622.50 | $14,317.50
Rule 1002(c)(1)(ii) and (iii) | New SCI Entities | 23 | 9 | 207.50 | 1,867.50 | 42,952.50
Rule 1002(c)(2) | Current SCI Entities | 47 | 3 | 207.50 | 622.50 | 29,257.50
Rule 1002(c)(2) | New SCI Entities | 23 | 4 | 207.50 | 830 | 19,090

As noted above, Regulation SCI requires SCI entities to identify certain types of events and systems. The Commission believes that the identification of critical SCI systems, major SCI events, and de minimis SCI events will impose an initial one-time implementation burden on new SCI entities in developing processes to quickly and correctly identify the nature of a system or event. The identification of these systems and events may also impose periodic burdens on SCI entities in reviewing and updating the processes. The Commission anticipates that, because the proposed amendment will newly impose the requirements of Rule 1002(b) on New SCI Entities, New SCI Entities will incur the burden to develop processes to comply with these requirements.533 The Commission estimates that each New SCI Entity will initially require 198 hours to establish criteria for identifying material systems changes and 39 hours annually to review and update the criteria.534 The table below summarizes the burden that would be newly imposed on New SCI Entities:

Respondent type | Estimated respondents (entities) | Burden type | Burden hours per entity | Estimated burden hours for all entities (estimated respondents × burden hours per entity)
New SCI Entities | 23 | Initial | 198 | 4,554
New SCI Entities | 23 | Annual | 39 | 897

The table below summarizes the Commission’s estimates for the average internal cost of compliance for New SCI Entities:

Respondent type | Estimated respondents (entities) | Burden type
New SCI Entities | | Initial
New SCI Entities | | Annual

527 The Commission’s currently approved baseline for the number of each SCI entity’s information disseminations per year under Rule 1002(c)(2) is that each SCI entity will disseminate information about one systems intrusion each year. See 2022 PRA Supporting Statement, supra note 471. As discussed above, the Commission estimates an additional three SCI events (i.e., three additional systems intrusions) as a result of the additional types of systems intrusions added to the definition of systems intrusions in Rule 1000 and the elimination of systems intrusions from the de minimis SCI events reported quarterly in Rule 1002(b)(5). The Commission estimates that each SCI entity would disseminate information related to four systems intrusions each year. Each Current SCI Entity would disseminate information for three systems intrusions beyond the baseline estimate of one systems intrusion. As New SCI Entities will newly incur this burden, they will report four systems intrusions.
528 The Commission’s currently approved baseline is that each dissemination under Rule 1002(c)(2) will require 10 hours. See 2022 PRA Supporting Statement, supra note 471.
529 (1.5 Compliance Manager hours × $344) + (3.67 Attorney hours × $462) + (1.5 Senior Systems Analyst hours × $316) + (0.75 General Counsel hour × $633) + (0.75 Director of Compliance hours × $542) + (0.75 Chief Compliance Officer hours × $589) + (0.75 Corporate Communications Manager hours × $378) + (0.33 Webmaster hours × $276) = $4,406 per notification.
530 The Commission-approved baseline for the annual reporting cost of seeking outside legal advice is $3,320 per SCI entity. See 2022 PRA Supporting Statement, supra note 471.
531 The Commission-approved baseline for the number of disclosure requirements required by Rule 1002(c) is 13 requirements for each SCI entity. See 2022 PRA Supporting Statement, supra note 471. The proposed amendments add an additional 3 reporting requirements (3 additional information disseminations related to 3 additional systems intrusions). 13 + 3 = 16 disclosure requirements.
532 $3,320 per SCI entity / 16 reporting requirements = $207.50 per reporting requirement.
533 Current SCI Entities are already required to comply with Rule 1003(a). The burdens for compliance are summarized in the most recent PRA Supporting Statement. See 2022 PRA Supporting Statement, supra note 471. The proposed amendments impose no additional burden related to this section.
534 These estimates reflect the Commission-approved baseline. See 2022 PRA Supporting Statement, supra note 471. The Commission does not anticipate that New SCI Entities would incur burdens beyond what is estimated in the 2022 PRA Supporting Statement.
Average internal cost of compliance per entity 1 $78,144 23 23 2 17,258 23217 Total internal cost of compliance (estimated respondents × average internal cost of compliance per entity) $1,797,312 396,934 1 (64 Compliance Manager hours × $344) + (64 Attorney hours × $462) + (20 Senior Systems Analyst hours × $316) + (20 Operations Specialist hours × $152) + (20 Chief Compliance Officer hours × $589) + (10 Director of Compliance hours × $542) = $78,144. 2 (9 Compliance Manager hours × $344) + (9 Attorney hours × $462) + (3 Senior Systems Analyst hours × $316) + (3 Operations Specialist hours × $152) + (10 Chief Compliance Officer hours × $589) + (5 Director of Compliance hours × $542) = $17,258. As discussed above in section III.C.3.c, the proposed amendments to the definition of systems intrusion would require SCI entities to establish reasonable written criteria to identify significant attempted unauthorized entries into the SCI systems or indirect SCI systems of an SCI entity. As this is a new burden for both Current SCI Entities and New SCI Entities, the Commission estimates an average burden across all SCI entities of 89 hours 535 initially to establish the criteria for identifying material systems Estimated respondents (entities) Respondent type Burden type Current SCI Entities ........................................................ Initial ................................... Annual ................................ Initial ................................... Annual ................................ New SCI Entities ............................................................. ..................................................................................... The table below summarizes the Commission’s estimates for the average changes and 14.5 hours 536 annually to review and update the criteria. 
The table below summarizes the initial and ongoing annual burden estimates for Current SCI Entities and New SCI Entities: Burden hours per entity 47 47 23 23 89 14.5 89 14.5 Estimated burden hours for all entities (estimated respondents × burden hours per entity) 4,183 681.5 2,047 333.5 internal cost of compliance for New SCI Entities: Estimated respondents (entities) Respondent type Burden type Current SCI Entities ................................................ Initial ............................... Annual ............................ Initial ............................... Annual ............................ New SCI Entities ..................................................... Average internal cost of compliance per entity 1 $37,065 47 47 23 23 2 6,946 3 37,065 4 6,946 Total internal cost of compliance (estimated respondents × average internal cost of compliance per entity) $1,742,055 326,462 852,495 159,758 ddrumheller on DSK120RN23PROD with PROPOSALS2 1 (25 Compliance Manager hours × $344) + (25 Attorney hours × $462) + (8 Senior Systems Analyst hours × $316) + (8 Operations Specialist hours × $152) + (15 Chief Compliance Officer hours × $589) + (8 Director of Compliance hours × $542) = $37,065. 2 (2 Compliance Manager hours × $344) + (2 Attorney hours × $462) + (1 Senior Systems Analyst hours × $316) + (1 Operations Specialist hours × $152) + (5.5 Chief Compliance Officer hours × $589) + (3 Director of Compliance hours × $542) = $6,946. 3 See supra note 1 of this table. 4 See supra note 2 of this table. 535 This estimate is based on the Commission’s burden estimate for Rule 1001(a), because Rule 1001(a) requires policies and procedures. See supra notes 474–475 and accompanying text. Rule 1001(a) (excluding Rule 1001(a)(2)(vi)) requires a total of ten policy elements at a minimum, consisting of six currently required policy elements and four proposed policy elements. See supra notes 471 and 474. 
Because the proposed amendment to the definition of systems intrusion in Rule 1000 requires only one set of written criteria, the Commission estimates that the initial staff burden to draft the criteria required to identify significant attempted unauthorized systems intrusions is onetenth of the initial staff burden to draft the policies and procedures required by Rule 1001(a) (excluding Rule 1001(a)(2)(vi)). 890 hours/10 policy elements = 89 burden hours per policy element. The 89 VerDate Sep<11>2014 20:01 Apr 13, 2023 Jkt 259001 burden hours includes 25 hours for a Compliance Manager, 25 hours for an Attorney, 8 hours for a Senior Systems Analyst, and 8 hours for an Operations Specialist. The Commission also estimates that a Chief Compliance Officer will spend 15 hours and a Director of Compliance and a Director of Compliance will spend 8 hours reviewing the policies and procedures. 536 This estimate is based on the Commission’s burden estimate for Rule 1001(a), because Rule 1001(a) requires policies and procedures. See supra notes 475–476 and accompanying text. Rule 1001(a) (excluding Rule 1001(a)(2)(vi)) requires a total of ten policy elements at a minimum, consisting of six currently required policy elements and four proposed policy elements. See supra notes 472 and 475. Because the proposed amendment to the definition of systems intrusion in Rule 1000 PO 00000 Frm 00073 Fmt 4701 Sfmt 4702 requires only one set of written criteria, the Commission estimates that the ongoing staff burden to review and update the criteria required to identify significant attempted unauthorized systems intrusions is one-tenth of the ongoing staff burden to review and update the policies and procedures required by Rule 1001(a) (excluding Rule 1001(a)(2)(vi)). 145 hours/10 policy elements = 14.5 burden hours per policy element. 
The 14.5 burden hours includes 2 hours for a Compliance Manager, 2 hours for an Attorney, 1 hours for a Senior Systems Analyst, and 1 hours for an Operations Specialist. The Commission also estimates that a Chief Compliance Officer will spend 5.5 hours and a Director of Compliance and a Director of Compliance will spend 3 hours reviewing the policies and procedures. E:\FR\FM\14APP2.SGM 14APP2 23218 Federal Register / Vol. 88, No. 72 / Friday, April 14, 2023 / Proposed Rules 3. Rule 1003 The Commission anticipates that the proposed amendment will newly impose the Rule 1003(a) requirements to report material system changes on New SCI Entities, and New SCI Entities will incur the same burdens that Current SCI Estimated respondents (entities) Rule Respondent type Rule 1003(a)(1) ................................. New SCI Entities ........... Rule 1003(a)(2) ................................. Burden hours per SCI entity (number of reports × hours per report) Hours per report Number of reports 23 Entities already incur to comply with these requirements.537 The table below summarizes the burden that would be newly imposed on New SCI Entities: 4 reports (1 per quarter). 2 1 supplemental report. Burden hours for all respondents (estimated respondents × burden hours per SCI entity) 1 125 500 11,500 3 15 15 345 1 The Commission’s currently approved baseline is that each quarterly report under Rule 1003(a)(1) would require 125 hours. This includes 7.5 Compliance Manager hours, 7.5 Attorney hours, 5 Chief Compliance Officer hours, 75 Senior System Analyst hours, and 30 Senior Business Analyst hours. See 2022 PRA Supporting Statement, supra note 471. 2 The Commission’s currently approved baseline for Rules 1002(c)(1)(ii) and (iii) is that each SCI entity will submit one supplemental report each year. See 2022 PRA Supporting Statement, supra note 471. 3 The Commission’s currently approved baseline is that the supplemental report under Rule 1003(a)(1) would require 15 hours. 
This includes 2 Compliance Manager hours, 2 Attorney hours, 1 Chief Compliance Officer hours, 7 Senior System Analyst hours, and 3 Senior Business Analyst hours. See 2022 PRA Supporting Statement, supra note 471. The table below summarizes the average internal cost of compliance that would be newly imposed on New SCI Entities: Rule Respondent type Rule 1003(a)(1) ............................. New SCI Entities ........ Estimated respondents (entities) 23 Rule 1003(a)(2) ............................. Number of reports 4 reports (1 per quarter). 1 supplemental report. Cost of compliance per report Average internal cost of compliance per entity Total internal cost of compliance (estimated respondents × average internal cost of compliance per entity) 1 $41,480 2 $167,360 $3,849,280 3 5,328 5,328 122,544 1 (7.5 Compliance Manager hours × $344) + (7.5 Attorney hours × $462) + (5 Chief Compliance Officer hours × $589) + (75 Senior Systems Analyst hours × $316) + (30 Senior Business Analyst hours × $305) = $41,840. 2 $41,480 per report × 4 reports each year = $167,360. 3 (2 Compliance Manager hours × $344) + (2 Attorney hours × $462) + (1 Chief Compliance Officer hours × $589) + (7 Senior Systems Analyst hours × $316) + (3 Senior Business Analyst hours × $305) = $5,328. ddrumheller on DSK120RN23PROD with PROPOSALS2 Rule 1003(a)(1) requires each SCI entity to establish reasonable written criteria for identifying a change to its SCI systems and the security of indirect SCI systems as material. 
The Commission anticipates that the proposed amendment will newly impose these requirements on New SCI Entities, and New SCI Entities will incur the same burdens that Current SCI Entities already incur to comply with these requirements.538 The Commission estimates that each New SCI entity will initially require 114 hours to establish criteria for identifying material systems changes and 27 hours to annually to review and update the criteria.539 The table below summarizes the burden that would be newly imposed on New SCI Entities: Estimated respondents (entities) Respondent type Burden type New SCI Entities ............................................................. Initial ................................... Annual ................................ Burden hours per entity 23 23 114 27 Estimated burden hours for all entities (estimated respondents × burden hours per entity) 2,622 621 The table below summarizes the Commission’s estimates for the cost of compliance for New SCI Entities: 537 Current SCI Entities are already required to comply with Rule 1003(a). The burdens for compliance are summarized in the most recent PRA Supporting Statement. See 2022 PRA Supporting Statement, supra note 471. The proposed amendments impose no additional burden related to this section. The Commission does not anticipate that New SCI Entities would incur burdens beyond VerDate Sep<11>2014 20:01 Apr 13, 2023 Jkt 259001 what is estimated in the 2022 PRA Supporting Statement. 538 Current SCI Entities are already required to comply with Rule 1003(a). The burdens for compliance are summarized in the most recent PRA Supporting Statement. See 2022 PRA Supporting Statement, supra note 471. The proposed PO 00000 Frm 00074 Fmt 4701 Sfmt 4702 amendments impose no additional burden related to this section. 539 These estimates reflect the Commissionapproved baseline. See 2022 PRA Supporting Statement, supra note 471. 
The Commission does not anticipate that New SCI Entities would incur burdens beyond what is estimated in the 2022 PRA Supporting Statement. E:\FR\FM\14APP2.SGM 14APP2 Federal Register / Vol. 88, No. 72 / Friday, April 14, 2023 / Proposed Rules Estimated respondents (entities) Respondent type New SCI Entities .................................................................................................. Average internal cost of compliance per entity 1 $47,672 23 2 12,929 23219 Total internal cost of compliance (estimated respondents × average internal cost of compliance per entity) $1,096,456 297,367 1 (32 Compliance Manager hours × $344) + (32 Attorney hours × $462) + (10 Senior Systems Analyst hours × $316) + (10 Operations Specialist hours × $152) + (20 Chief Compliance Officer hours × $589) + (10 Director of Compliance hours × $542) = $47,672. 2 (4.5 Compliance Manager hours × $344) + (4.5 Attorney hours × $462) + (1.5 Senior Systems Analyst hours × $316) + (1.5 Operations Specialist hours × $152) + (10 Chief Compliance Officer hours × $589) + (5 Director of Compliance hours × $542) = $12,929. The Commission does not expect SCI entities to incur any external PRA costs in connection with the reports required under Rule 1003(a). As for Rule 1003(b), each Current SCI Entity is already required to perform an SCI review and therefore already incurs a baseline burden 540 for compliance, so the amendments should only impose a burden required to comply with the additional requirements. Presently, none of the New SCI Entities are required to comply with the requirements of Rule 1003(b), but the proposed amendments will newly impose both the baseline burden to conduct the SCI review and the additional burden to meet the proposed requirements for the SCI review. 
The Commission estimates that the proposed additional requirements for conducting the SCI review will increase Estimated respondents Respondent type Current SCI Entities ......................................................................................................... New SCI Entities .............................................................................................................. The table below summarizes the Commission’s estimates for the average the burden of conducting the SCI review and submitting the report by 50%. With respect to Rule 1003(b)(1) and (2), the Commission estimates an additional burden for Current SCI Entities of 345 hours 541 and 1,035 hours 542 for New SCI Entities. The table below summarizes the initial and ongoing annual burden estimates for Current SCI Entities and New SCI Entities: Burden hours per entity 47 23 345 1,035 Estimated burden hours for all entities (estimated respondents × burden hours per entity) 16,215 23,805 internal cost of compliance for Current SCI Entities and New SCI Entities: Estimated respondents Respondent type Current SCI Entities ............................................................................................. New SCI Entities .................................................................................................. Average internal cost of compliance per entity 1 $123,848 47 23 2 371,543 Total internal cost of compliance (estimated respondents × average internal cost of compliance per entity $5,820,856 $8,545,489 ddrumheller on DSK120RN23PROD with PROPOSALS2 1 (17.5 Compliance Manager hours × $344) + (40 Attorney hours × $462) + (187.5 Senior Systems Analyst hours × $316) + (2.5 General Counsel hours × $663) + (2.5 Director of Compliance hours × $542) + (10 Chief Compliance Officer hours × $589) + (85 Internal Audit Manager hours × $367) = $123,848. 
2 (52.5 Compliance Manager hours × $344) + (120 Attorney hours × $462) + (562.5 Senior Systems Analyst hours × $316) + (7.5 General Counsel hours × $663) + (7.5 Director of Compliance hours × $542) + (30 Chief Compliance Officer hours × $589) + (255 Internal Audit Manager hours × $367) = $371,543. With respect to Rule 1003(b)(3), the Commission estimates that the burden for SCI entities would increase to 25 hours from the current baseline estimate.543 Thus, the Commission estimates an additional burden for 540 The Commission’s currently approved baseline for the annual recordkeeping burden of conducting an SCI review and submitting the SCI review to senior management of the SCI entity for review is 690 hours (35 Compliance Manager hours + 80 Attorney hours + 375 Senior Systems Analyst hours + 5 General Counsel hours + 5 Director of Compliance hours + 20 Chief Compliance Officer hours +170 Internal Audit Manager hours). See 2022 PRA Supporting Statement, supra note 471. 541 690 hours (baseline burden) × 0.5 = 345 hours. This estimate includes 17.5 hours for a Compliance Manager, 40 hours for an Attorney, 187.5 hours for a Senior Systems Analyst, 2.5 hours for General Counsel, 10 hours for a Chief Compliance Officer, 2.5 hours for a Director of Compliance, and 85 hours for an Internal Audit Manager. 542 690 baseline burden hours + 345 additional burden hours = 1,035 hours. This estimate includes 52.5 hours for a Compliance Manager, 120 hours for an Attorney, 562.5 hours for a Senior Systems Analyst, 7.5 hours for General Counsel, 30 hours for a Chief Compliance Officer, 7.5 hours for a Director VerDate Sep<11>2014 20:01 Apr 13, 2023 Jkt 259001 PO 00000 Frm 00075 Fmt 4701 Sfmt 4702 of Compliance, and 255 hours for an Internal Audit Manager. 543 The Commission’s currently approved baseline to submit the report for the SCI review to the board of directors is 1 hour (1 Attorney hour). See 2022 PRA Supporting Statement, supra note 471. 
The Commission estimates an increase to 25 hours as a result of the proposed requirement that senior management provide a response to the SCI review. E:\FR\FM\14APP2.SGM 14APP2 23220 Federal Register / Vol. 88, No. 72 / Friday, April 14, 2023 / Proposed Rules Current SCI Entities of 24 hours 544 and a new burden of 25 hours 545 for New SCI Entities. The table below summarizes the initial and ongoing annual burden estimates for Current SCI Entities and New SCI Entities: Estimated respondents (entities) Respondent type Current SCI Entities ......................................................................................................... New SCI Entities .............................................................................................................. The table below summarizes the Commission’s estimates for the average Estimated respondents (entities) Current SCI Entities ............................................................................................. New SCI Entities .................................................................................................. 1 (1 Compliance Manager hours × $344) + (3 Attorney hours cer hours × $589) + (6 Internal Audit Manager hours × $367) = 2 (1 Compliance Manager hours × $344) + (3 Attorney hours cer hours × $589) + (6 Internal Audit Manager hours × $367) = ddrumheller on DSK120RN23PROD with PROPOSALS2 Average internal cost of compliance per entity 1 $8,629 47 23 Rule 1003(b), SCI entities will outsource some of the work associated with an SCI review. The Commission estimates that the proposed amendments to the SCI review would increase the annual Estimated respondents (entities) Current SCI Entities ............................................................................................. New SCI Entities .................................................................................................. 
2 50,000 24 25 1,128 575 2 8,945 Total internal cost of compliance (estimated respondents × average internal cost of compliance per entity) $405,563 205,735 × $462) + (13 Senior Systems Analyst hours × $316) + (1 Chief Compliance Offi$8,629. × $462) + (14 Senior Systems Analyst hours × $316) + (1 Chief Compliance Offi$8,945. Respondent type 1 50,000 47 23 internal cost of compliance for Current SCI Entities and New SCI Entities: Respondent type Rule 1003(b) imposes recordkeeping costs for SCI entities. The Commission estimates that while SCI entities will handle internally some or most of the work associated with compliance with Burden hours per entity Estimated burden hours for all entities (estimated respondents × burden hours per entity) recordkeeping cost by 50% beyond the current baseline.546 The table below summarizes the Commission’s estimates for the cost of outsourcing for Current SCI Entities and New SCI Entities: Average internal cost of compliance per entity 1 $25,000 47 23 2 75,000 Total internal cost of compliance (estimated respondents × average internal cost of compliance per entity) $1,175,000 1,725,000 (baseline estimate) × 0.5 = $25,000. (baseline estimate) × 1.5 = $75,000. 4. Rule 1004 The rules under Regulation SCI that would require an SCI entity to mandate member or participant participation in business continuity and disaster recovery plan testing are discussed more fully in sections II.B, and the proposed amendments including third-party providers in the requirement are discussed more fully in III.C.2 above. Current SCI Entities are already required to establish standards and designate members or participants for testing pursuant to Rule 1004 and therefore already incur baseline initial 547 and ongoing burdens 548 for complying with Rule 1004, so the amendments should only impose a burden required to comply with the additional requirements. 
Presently, none of the New SCI Entities are required to comply with the requirements of Rule 1004, but the proposed amendments will newly 544 25 hours (revised estimate) ¥ 1 hour (baseline estimate) = 24 hours. This estimate includes 1 hours for a Compliance Manager, 3 hours for an Attorney, 13 hours for a Senior Systems Analyst, 1 hours for a Chief Compliance Officer, and 6 hours for an Internal Audit Manager. 545 This estimate includes 1 hours for a Compliance Manager, 3 hours for an Attorney, 14 hours for a Senior Systems Analyst, 1 hours for a Chief Compliance Officer, and 6 hours for an Internal Audit Manager. 546 The Commission-approved baseline for the annual recordkeeping cost per SCI entity of outsourcing is $50,000. See 2022 PRA Supporting Statement, supra note 471. 547 The Commission’s currently approved baseline for average initial compliance burden per respondent with 17 CFR 242.1004(a) (‘‘Rule 1004(a)’’) (i.e., establishment of standards for the designation of members and participants) and (c) (i.e., the coordination of testing on an industry- or sector-wide basis) is 360 hours (40 Compliance Manager hours + 60 Attorney hours + 20 Assistant General Counsel hours + 60 Senior Operations Manager hours + 140 Operations Specialist hours + 26 Chief Compliance Officer hours + 14 Director of Compliance hours). See 2022 PRA Supporting Statement, supra note 471. The estimate of 360 hours includes the burden for designating members or participants for testing, as required by 17 CFR 242.1004(b) (‘‘Rule 1004(b)’’). Id. at 18 n.50. 548 The average annual compliance burden for each SCI entity to review and update the policies and procedures is 135 hours for each entity that is not a plan processor. See 2022 PRA Supporting Statement, supra note 471. None of the New SCI Entities are plan processors, so the Commission is applying the 135 hour estimate to the New SCI Entities. 
VerDate Sep<11>2014 20:01 Apr 13, 2023 Jkt 259001 PO 00000 Frm 00076 Fmt 4701 Sfmt 4702 E:\FR\FM\14APP2.SGM 14APP2 Federal Register / Vol. 88, No. 72 / Friday, April 14, 2023 / Proposed Rules impose both the baseline burden to establish standards for the designation of members and participants for BC/DR testing and coordinate industry or sector-wide basis testing and additional burden to establish standards for the designation of third-party providers for BC/DR testing and coordinate industry or sector-wide basis testing for thirdparty providers. The Commission estimates an initial compliance burden of 90 hours 549 for Current SCI Entities and 450 hours 550 for New SCI Entities. The Commission estimates an annual Burden type Current SCI Entities ........................................................ Initial ................................... Annual ................................ Initial ................................... Annual ................................ New SCI Entities ............................................................. The table below summarizes the Commission’s estimates for the cost of compliance burden of 34 hours 551 for Current SCI Entities and 169 hours 552 for New SCI Entities. The table below summarizes the initial and ongoing annual burden estimates for Current SCI Entities and New SCI Entities: Estimated respondents (entities) Respondent type 23221 Burden hours per entity 47 47 23 23 90 34 450 169 Estimated burden hours for all entities (estimated respondents × burden hours per entity) 4,230 1,598 10,350 3,887 compliance for Current SCI Entities and New SCI Entities: Estimated respondents (entities) Respondent type Burden type Current SCI Entities ................................................ Initial ............................... Annual ............................ Initial ............................... Annual ............................ New SCI Entities ..................................................... 
Average internal cost of compliance per entity 1 $30,072 47 47 23 23 2 10,011 3 150,478 4 50,331 Total internal cost of compliance (estimated respondents × average internal cost of compliance per entity) $1,413,384 470,517 3,460,994 1,157,613 ddrumheller on DSK120RN23PROD with PROPOSALS2 1 (10 Compliance Manager hours × $344) + (15 Attorney hours × $462) + (5 Assistant General Counsel hours × $518) + (35 Operations Specialist hours × $152) + (6 Chief Compliance Officer hours × $589) + (4 Director of Compliance hours × $542) + (15 Senior Operations Manager hours × $406) = $30,072. 2 (3 Compliance Manager hours × $344) + (3 Attorney hours × $462) + (1 Assistant General Counsel hours × $518) + (18 Operations Specialist hours × $152) + (3 Chief Compliance Officer hours × $589) + (1 Director of Compliance hours × $542) + (5 Senior Operations Manager hours × $406) = $10,011. 3 (50 Compliance Manager hours × $344) + (75 Attorney hours × $462) + (25 Assistant General Counsel hours × $518) + (175 Operations Specialist hours × $152) + (32.5 Chief Compliance Officer hours × $589) + (17.5 Director of Compliance hours × $542) + (75 Senior Operations Manager hours × $406) = $150,478. 4 (13 Compliance Manager hours × $344) + (18 Attorney hours × $462) + (6 Assistant General Counsel hours × $518) + (88 Operations Specialist hours × $152) + (13 Chief Compliance Officer hours × $589) + (6 Director of Compliance hours × $542) + (25 Senior Operations Manager hours × $406) = $50,331. The Commission continues to believe that SCI entities (other than plan processors) would handle internally the work associated with the requirements of Rule 1004. 5. Rule 1005 Rules 1005 and 1007 impose on SCI entities recordkeeping requirements related to their compliance with Regulation SCI. These requirements would be newly imposed on New SCI Entities as a result of the proposed amendment. 
The table below summarizes the Commission’s estimates as to the burden that each New SCI Entity would incur to meet the requirements of Rules 1005 and 1007: 553 549 The Commission estimates that the additional burden to establish standards for the designation of third-party providers for BC/DR testing and coordinate testing would be 25% of the 360 hour baseline burden hours. 360 hours × 0.25 = 90 hours. The burden hours include 10 Compliance Manager hours, 15 Attorney hours, 5 Assistant General Counsel hours, 35 Operations Specialist hours, 6 Chief Compliance Officer hours, 4 Director of Compliance hours, and 15 Senior Operations Manager hours. 550 360 baseline burden hours + 90 additional burden hours = 450 hours. 551 The Commission estimates that the additional annual burden would be 25% of the 135 hour baseline burden hours, or 34 hours (135 hours × 0.25). The burden hours include 3 Compliance Manager hours, 3 Attorney hours, 1 Assistant General Counsel hours, 18 Operations Specialist hours, 3 Chief Compliance Officer hours, 1 Director of Compliance hours, and 5 Senior Operations Manager hours. 552 135 baseline burden hours + 34 additional burden hours = 169 hours. 553 Current SCI Entities are already required to comply with Rules 1005 and 1007. The burdens for compliance are summarized in the most recent PRA Supporting Statement. See 2022 PRA Supporting Statement, supra note 471. The proposed amendments impose no additional burden related to this section. The Commission does not anticipate that New SCI Entities would incur burdens beyond what is estimated in the 2022 PRA Supporting Statement. VerDate Sep<11>2014 20:01 Apr 13, 2023 Jkt 259001 PO 00000 Frm 00077 Fmt 4701 Sfmt 4702 E:\FR\FM\14APP2.SGM 14APP2 23222 Federal Register / Vol. 88, No. 72 / Friday, April 14, 2023 / Proposed Rules Estimated respondents (entities) Respondent type Burden type New SCI Entities ............................................................. 
Initial ................................... Annual ................................ Burden hours per SCI entity 1 170 23 2 25 Burden hours for all respondents (estimated respondents × burden hours per SCI entity) 3,910 575 1 The Commission approved baseline estimate for each new non-SRO SCI entity to set up or modify a recordkeeping system is 170 hours. See 2022 PRA Supporting Statement, supra note 471. 2 The Commission approved baseline estimate for each new non-SRO SCI entity to make, keep, and preserve records relating to compliance with Regulation SCI, as required by Rule 1005(b), is 25 hours. See 2022 PRA Supporting Statement, supra note 471. The table below summarizes the average internal cost of compliance that would be newly imposed on New SCI Entities: Estimated respondents (entities) Respondent type Burden type New SCI Entities ..................................................... Initial ............................... Annual ............................ Average internal cost of compliance per entity 1 $13,260 23 2 1,950 Total internal cost of compliance (estimated respondents × average internal cost of compliance per entity) $304,980 44,850 Compliance Clerk hours × $78 per hour = $13,260. Compliance Clerk hours × $78 per hour = $1,950. 1 170 2 25 The recordkeeping requirements impose recordkeeping costs for SCI entities other than SCI SROs. The Commission estimates that a New SCI Entity other than an SCI SRO will incur a one-time cost of $900 for information technology costs for purchasing recordkeeping software, for a total of $20,700.554 6. Rule 1006 SCI entities submit Form SCI through the Electronic Form Filing System (‘‘EFFS’’), which is also used by SCI SROs to file Form 19b–4 filings. Access to EFFS establishes reporting burdens for all SCI entities. 
An SCI entity will submit to the Commission an External Application User Authentication Form (‘‘EAUF’’) to register each individual at the SCI entity who will access the EFFS system on behalf of the SCI entity. The Commission is including in its burden estimates the reporting burden for completing the EAUF for each individual at a New SCI Entity that will request access to EFFS.555 The table below summarizes the initial and ongoing burdens that New SCI Entities would incur to establish access to EFFS:

Respondent type     Type of burden   Estimated respondents (entities)   Number of individuals requesting access   Time to complete EAUF (hours)   Burden hours per SCI entity (number of individuals requesting access × time to complete EAUF)   Burden hours for all respondents (estimated respondents × burden hours per SCI entity)
New SCI Entities    Initial          23                                 2 (1)                                     0.15 (2)                        0.3                                                                                            6.9
                    Annual           23                                 1 (3)                                     0.15                            0.15                                                                                           3.5

1 The Commission approved baseline estimate for the number of individuals per SCI entity who will request access to EFFS initially through the EAUF is two individuals. See 2022 PRA Supporting Statement, supra note 471.
2 The Commission approved baseline estimate to complete the EAUF is 0.15 hours. See 2022 PRA Supporting Statement, supra note 471.
3 The Commission approved baseline estimate for the number of individuals per SCI entity who will request access to EFFS annually through the EAUF is one individual. See 2022 PRA Supporting Statement, supra note 471.

The table below summarizes the average internal cost of compliance that would be newly imposed on New SCI Entities:

Respondent type     Burden type   Estimated respondents (entities)   Average internal cost of compliance per entity   Total internal cost of compliance (estimated respondents × average internal cost of compliance per entity)
New SCI Entities    Initial       23                                 $139 (1)                                         $3,197
                    Annual        23                                  $69 (2)                                          1,587

1 0.3 Attorney hours × $462 = $139.
2 0.15 Attorney hours × $462 = $69.

Obtaining the ability for an individual to electronically sign a Form SCI imposes reporting costs for SCI entities. The table below summarizes the cost for individuals at each New SCI Entity to obtain digital IDs to sign Form SCI:

Respondent type     Estimated respondents (entities)   Number of individuals to sign Form SCI   Cost to obtain digital ID   Cost per SCI entity (number of individuals × cost to obtain digital ID)   Cost for all respondents (estimated respondents × cost per SCI entity)
New SCI Entities    23                                 2 (1)                                    $25 (2)                     $50                                                                        $1,150

1 The Commission approved baseline estimate for the number of individuals per SCI entity who will sign Form SCI each year is two individuals. See 2022 PRA Supporting Statement, supra note 471.
2 The Commission approved baseline estimate to obtain a digital ID is $50. See 2022 PRA Supporting Statement, supra note 471.

554 $900 per SCI entity × 21 SCI entities = $18,900.
555 Current SCI Entities would already have incurred these burdens, which are summarized in the most recent PRA Supporting Statement. See 2022 PRA Supporting Statement, supra note 471. The proposed amendments impose no additional burden related to this section. The Commission does not anticipate that New SCI Entities would incur burdens beyond what is estimated in the 2022 PRA Supporting Statement.

7. Summary of the Information Collection Burden

The table below summarizes the Commission’s estimate of the total hourly burden, total internal costs of compliance, and external cost estimates for SCI entities under Regulation SCI.
                                       Burden hours              Costs of compliance
Rule / Respondent type              Initial     Annual        Initial          Annual

Policies and procedures required by Rule 1001(a) (except Rule 1001(a)(2)(vi)) (Recordkeeping)
  Current SCI Entities               18,142      2,726     $6,804,989      $1,099,941
  New SCI Entities                   20,470      3,335      7,667,533       1,341,245
Policies and procedures required by Rule 1001(a)(2)(vi) (Recordkeeping)
  New SCI Entities                    3,680      3,335      1,402,540       1,204,740
Costs for outside legal/consulting services in initial preparation of policies and procedures required by Rule 1001(a) (Recordkeeping)
  Current SCI Entities                  N/A        N/A      1,365,350             N/A
  New SCI Entities                      N/A        N/A      1,697,400             N/A
Policies and procedures required by Rule 1001(a) Total
  Current SCI Entities               18,142      2,726      8,170,339       1,099,941
  New SCI Entities                   24,150      6,670     10,767,473       2,545,985
Policies and procedures required by Rule 1001(b) (Recordkeeping)
  New SCI Entities                    6,210      2,185      2,222,720         808,220
Costs for outside legal/consulting services in initial preparation of policies and procedures required by Rule 1001(b) (Recordkeeping)
  New SCI Entities                      N/A        N/A        621,000               0
Policies and procedures required by Rule 1001(b) Total
  New SCI Entities                    6,210      2,185      2,843,720         808,220
Policies and procedures required by Rule 1001(c) (Recordkeeping)
  New SCI Entities                    2,622        897      1,096,456         400,821
Mandate participation in certain testing required by Rule 1004 (Recordkeeping)
  Current SCI Entities                4,230      1,598      1,413,384         470,517
  New SCI Entities                   10,350      3,887      3,460,994       1,157,613
SCI Event Notice Required By Rule 1002(b)(1) (Reporting)
  Current SCI Entities                  235        235         81,663          81,663
  New SCI Entities                      299        299        103,477         103,477
External Legal Costs for Rule 1001(b)(1) (Reporting)
  Current SCI Entities                  N/A        N/A         25,556          25,556
  New SCI Entities                      N/A        N/A         33,350          33,350
SCI Event Notice Required By Rule 1002(b)(1) Total
  Current SCI Entities                  235        235        107,219         107,219
  New SCI Entities                      299        299        136,827         136,827
SCI Event Notice Required By Rule 1002(b)(2) (Reporting)
  Current SCI Entities                3,384      3,384      1,249,683       1,249,683
  New SCI Entities                    4,416      4,416      1,630,792       1,630,792
External Legal Costs for Rule 1001(b)(2) (Reporting)
  Current SCI Entities                  N/A        N/A         25,556          25,556
  New SCI Entities                      N/A        N/A         33,350          33,350
SCI Event Notice Required By Rule 1002(b)(2) Total
  Current SCI Entities                3,384      3,384      1,275,239       1,275,239
  New SCI Entities                    4,416      4,416      1,664,142       1,664,142
SCI Event Notice Required By Rule 1002(b)(3) (Reporting)
  Current SCI Entities                493.5      493.5        172,819         172,819
  New SCI Entities                      483        483        169,142         169,142
External Legal Costs for Rule 1002(b)(3) (Reporting)
  Current SCI Entities                  N/A        N/A         17,038          17,038
  New SCI Entities                      N/A        N/A         16,675          16,675
SCI Event Notice Required By Rule 1002(b)(3) Total
  Current SCI Entities                493.5      493.5        189,857         189,857
  New SCI Entities                      483        483        185,817         185,817
SCI Event Notice Required By Rule 1002(b)(4) (Reporting)
  Current SCI Entities                4,935      4,935      1,927,752       1,927,752
  New SCI Entities                    6,440      6,440      2,515,648       2,515,648
External Legal Costs for 1001(b)(4) (Reporting)
  Current SCI Entities                  N/A        N/A         25,556          25,556
  New SCI Entities                      N/A        N/A         33,350          33,350
SCI Event Notice Required By Rule 1002(b)(4) Total
  Current SCI Entities                4,935      4,935      1,953,308       1,953,308
  New SCI Entities                    6,440      6,440      2,548,998       2,548,998
SCI Event Notice Required By Rule 1002(b)(5) (Reporting)
  Current SCI Entities                (752)      (752)      (284,444)       (284,444)
  New SCI Entities                    3,312      3,312      1,252,948       1,252,948
External Legal Costs for Rule 1002(b)(5) (Reporting)
  Current SCI Entities                  N/A        N/A              0               0
  New SCI Entities                      N/A        N/A         16,675          16,675
SCI Event Notice Required By Rule 1002(b)(5) Total
  Current SCI Entities                (752)      (752)      (284,444)       (284,444)
  New SCI Entities                    3,312      3,312      1,269,623       1,269,623
Dissemination of information required by Rule 1002(c)(1) (Third-Party Disclosure)
  New SCI Entities                    3,174      3,174      1,400,194       1,400,194
External Legal Costs for Rule 1002(c)(1) (Third-Party Disclosure)
  New SCI Entities                      N/A        N/A         57,270          57,270
Dissemination of information required by Rule 1002(c)(1) Total
  New SCI Entities                    3,174      3,174      1,457,464       1,457,464
Dissemination of information required by Rule 1002(c)(2) (Third-Party Disclosure)
  Current SCI Entities                1,410      1,410        621,246         621,246
  New SCI Entities                      920        920        405,352         405,352
External Legal Costs for Rule 1002(c)(2) (Third-Party Disclosure)
  Current SCI Entities                  N/A        N/A      29,257.50       29,257.50
  New SCI Entities                      N/A        N/A         19,090          19,090
Dissemination of information required by Rule 1002(c)(2) Total
  Current SCI Entities                1,410      1,410      650,503.5       650,503.5
  New SCI Entities                      920        920        424,442         424,442
Burden to develop processes to identify the nature of a system or event
  New SCI Entities                    4,554        897      1,797,312         396,934
Establish reasonable written criteria for identifying a significant attempted unauthorized systems intrusion
  Current SCI Entities                4,183      681.5      1,742,055         326,462
  New SCI Entities                    2,047      333.5        852,495         159,758
Material systems change notice required by Rule 1003(a)(1) and (2) (Reporting)
  New SCI Entities                   11,845     11,845      3,971,824       3,971,824
Establish reasonable written criteria for identifying a material change to its SCI systems and the security of indirect SCI systems
  New SCI Entities                    2,622        621      1,096,456         297,367
SCI review required by Rule 1003(b)(1) and (2) (Recordkeeping)
  Current SCI Entities               16,215     16,215      5,820,856       5,820,856
  New SCI Entities                   23,805     23,805      8,545,489       8,545,489
SCI review required by Rule 1003(b)(3) (Reporting)
  Current SCI Entities                1,128      1,128        405,563         405,563
  New SCI Entities                      575        575        205,735         205,735
External Legal Costs for Rule 1003(b) (Recordkeeping)
  Current SCI Entities                  N/A        N/A      1,175,000       1,175,000
  New SCI Entities                      N/A        N/A      1,725,000       1,725,000
SCI Review Costs (Rule 1003(b)) Total
  Current SCI Entities               17,343     17,343      7,401,419       7,401,419
  New SCI Entities                   24,380     24,380     10,476,224      10,476,224
Corrective action required by Rule 1002(a) (Recordkeeping)
  Current SCI Entities                1,081        N/A        449,132             N/A
  New SCI Entities                    3,151        897      1,316,244         396,934
Recordkeeping required by Rules 1005/1007 (Recordkeeping)
  New SCI Entities                    3,910        575        304,980          44,850
One-time cost to purchase recordkeeping software Rules 1005/1007 (Recordkeeping)
  New SCI Entities                      N/A        N/A         20,700             N/A
Total recordkeeping costs required by Rules 1005/1007
  New SCI Entities                    3,910        575        325,680          44,850
Request access to EFFS (Rule 1006) (Reporting)
  New SCI Entities                      6.9        3.5          3,197           1,587
Rule 1006—obtain digital IDs (Reporting)
  New SCI Entities                      N/A        N/A          1,150           1,150
Total Costs to comply with Rule 1006
  New SCI Entities                      6.9        3.5          4,347           2,737
Total
  Overall Total                     169,576    104,289     68,764,549      41,536,601
  Current SCI Entities               54,685     32,054     23,068,011      13,190,021
  New SCI Entities                  112,845     72,235     45,696,538      28,346,580
Per Entity Hourly Burden/Cost
  Current SCI Entities (1)            1,163        682     490,808.75      280,639.75
  New SCI Entities                    4,995      3,141      1,986,806       1,232,460

1 As noted earlier, currently no SCI competing consolidators have registered with the Commission. See supra note 469. To the extent that a competing consolidator registers with the Commission, its initial and ongoing burdens as a result of the proposed amendments would be the same as the initial and ongoing burden per entity calculated for Current SCI Entities.

In summary, the estimated paperwork-related compliance burdens for SCI entities as a result of the amendments are approximately 170,000 hours and $69 million initially and approximately 104,000 hours and $41 million annually.

E. Collection of Information Is Mandatory

The collections of information pursuant to Regulation SCI are mandatory as to all entities subject to the rule.

F. Confidentiality of Responses to Collection of Information

The Commission expects that the written policies and procedures, processes, criteria, standards, or other written documents developed or revised by SCI entities pursuant to Regulation SCI will be retained by SCI entities in accordance with, and for the periods specified in, 17 CFR 240.17a–1 (‘‘Rule 17a–1’’ of the Exchange Act) and Rule 1005, as applicable.
Should such documents be made available for examination or inspection by the Commission and its representatives, they would be kept confidential subject to the provisions of applicable law.556 In addition, the information submitted to the Commission pursuant to Regulation SCI that is filed on Form SCI, as required by Rule 1006, will be treated as confidential, subject to applicable law, including amended 17 CFR 240.24b–2 (‘‘Rule 24b–2’’).557 The information disseminated by SCI entities pursuant to Rule 1002(c) under Regulation SCI to their members or participants will not be confidential.

556 See, e.g., 15 U.S.C. 78x (governing the public availability of information obtained by the Commission); 5 U.S.C. 552 et seq.
557 See, e.g., 15 U.S.C. 78x (governing the public availability of information obtained by the Commission); 5 U.S.C. 552 et seq. See also Form SCI section IV (including a provision stating ‘‘Confidential treatment is requested pursuant to 17 CFR 240.24b–2(g) (‘‘Rule 24b–(g)’’)).

G. Request for Comment

Pursuant to 44 U.S.C. 3506(c)(2)(B), the Commission solicits comment on the proposed collections of information in order to:

91. Evaluate whether the proposed collections of information are necessary for the proper performance of the functions of the Commission, including whether the information would have practical utility;
92. Evaluate the accuracy of the Commission’s estimates of the burden of the proposed collections of information;
93. Determine whether there are ways to enhance the quality, utility, and clarity of the information to be collected; and
94. Evaluate whether there are ways to minimize the burden of the collection of information on those who respond, including through the use of automated collection techniques or other forms of information technology.
Persons submitting comments on the collection of information requirements should direct them to the Office of Management and Budget, Attention: Desk Officer for the Securities and Exchange Commission, Office of Information and Regulatory Affairs, Washington, DC 20503, and should also send a copy of their comments to Vanessa A. Countryman, Secretary, Securities and Exchange Commission, 100 F Street NE, Washington, DC 20549–1090, with reference to File Number S7–07–23. Requests for materials submitted to OMB by the Commission with regard to this collection of information should be in writing, with reference to File Number S7–07–23, and be submitted to the Securities and Exchange Commission, Office of FOIA/PA Services, 100 F Street NE, Washington, DC 20549–2736. As OMB is required to make a decision concerning the collections of information between 30 and 60 days after publication, a comment to OMB is best assured of having its full effect if OMB receives it within 30 days of publication.

V. Economic Analysis

A. Introduction

The Commission is sensitive to the economic effects, including the costs and benefits, of its rules. When engaging in rulemaking pursuant to the Exchange Act that requires the Commission to consider or determine whether an action is necessary or appropriate in the public interest, section 3(f) of the Exchange Act requires the Commission to consider, in addition to the protection of investors, whether the action would promote efficiency, competition, and capital formation. In addition, section 23(a)(2) of the Exchange Act requires the Commission in making rules pursuant to the Exchange Act to consider the impact any such rule would have on competition. The Exchange Act prohibits the Commission from adopting any rule that would impose a burden on competition not necessary or appropriate in furtherance of the purposes of the Exchange Act.

As explained above, the Commission believes that developments in the U.S. securities markets since the adoption of Regulation SCI in 2014 warrant expanding the scope of Regulation SCI as well as strengthening the obligations of SCI entities. These developments include the growth of electronic trading, which allows greater volumes of securities transactions to take place across a multitude of trading systems in our markets. In addition, large institutional and other professional market participants today employ sophisticated methods to trade electronically on multiple venues simultaneously in ever-increasing volumes with increasing speed. In recent years, financial institutions have increasingly used and relied on third parties that provide information and communications technology systems.558 Together, these developments have resulted in greater dispersal, sophistication, and interconnection of the systems underpinning our U.S. securities markets, thereby bringing potential new risks. The proposed amendments to Regulation SCI would expand the definition of ‘‘SCI entity’’ to include a broader range of entities that perform key functions in U.S. securities market infrastructure, and update certain other definitions and provisions to take account of technological market developments, including cybersecurity and vendor management, since the adoption of Regulation SCI in 2014. The proposed expansion would add to the definition of ‘‘SCI entity’’ registered security-based swap data repositories and registered broker-dealers exceeding certain asset and transaction activity thresholds, and the proposal would expand the category of exempt clearing agencies subject to Regulation SCI to include all clearing agencies exempted from registration.
Additional proposed amendments to Regulation SCI are designed to update the requirements of Regulation SCI relating to: (i) systems classification and lifecycle management; (ii) vendor management; (iii) cybersecurity; (iv) SCI review; (v) current SCI industry standards; and (vi) other matters. The Commission is sensitive to the economic effects of the proposed expansion and strengthening of Regulation SCI, including its costs and benefits. As discussed further below, the Commission requests comment on all aspects of the costs and benefits of the proposal, including any effects the proposed rules may have on efficiency, competition, and capital formation.

558 See, e.g., FINRA, Cloud Computing in the Securities Industry (Aug. 16, 2021), available at https://www.finra.org/rules-guidance/key-topics/fintech/report/cloud-computing; see also Franklin Allen et al., A Survey of Fintech Research and Policy Discussion, 1 Rev. Corp. Fin. 259, 259 (2021) (‘‘Cloud storage and cloud computing have also played increasing roles in payment systems, financial services, and the financial system overall’’). See also Financial Stability Board, Regulatory and Supervisory Issues Relating to Outsourcing and Third-Party Relationships (discussion paper Nov. 9, 2020), available at https://www.fsb.org/wp-content/uploads/P091120.pdf.

B. Baseline

The Commission proposes to expand the scope of Regulation SCI to include new entities as well as strengthen the obligations of SCI entities. In order to assess the benefits and costs that can properly be attributed to the proposed rules, the Commission begins by considering the relevant baselines—the current market practices as well as applicable regulations in the absence of these proposed rules.

1. New SCI Entities

The proposed rules will affect new SCI entities, specifically SBSDRs, certain broker-dealers, and certain exempt clearing agencies, in addition to existing SCI entities. The baseline for each category of entities is discussed in turn, including applicable regulatory baselines and relevant market descriptions.

a. Registered Security-Based Swap Data Repositories

i. Affected Parties

The Commission proposes to include SBSDRs as SCI entities. SBSDRs are required for the dissemination of SBS market data to provide price transparency, limit risk posed to the maintenance of fair and orderly markets, promote market stability, prevent market abuses, and reduce operational risk. They play an important role in transparency in the market for SBSs and make available to the Commission SBS data that provides a broad view of this market and helps monitor for pockets of risk and potential market abuses that might not otherwise be observed by the Commission and other relevant authorities. Security-based swaps entail the transfer of financial obligations between two parties, sometimes with a long time horizon. Counterparties to a security-based swap rely on each other’s creditworthiness and bear this credit risk and market risk until the security-based swap terminates or expires.559 The information provided by SBSDRs, such as individual counterparty trade and position data, helps the Commission gain a better understanding of the actual and potential market risks.560 This information also helps the Commission and other relevant authorities investigate market manipulation, fraud, and other market abuses.

559 For cleared trades, the clearing agencies generally step in the place of the original counterparties and effectively assume the risk should there be a default.
As of February 2023, two data repositories for security-based swap markets are registered with the Commission. The registered SBSDRs are Depository Trust & Clearing Corporation Data Repository (‘‘DDR’’) and the ICE Trade Vault (‘‘ITV’’). DDR operates as a registered SBSDR for security-based swap transactions in the credit, equity, and interest rate derivatives asset classes. ITV operates as a registered SBSDR for security-based swap transactions in the credit derivatives asset class.561 As of March 2022, 47 entities had registered with the Commission as security-based swap dealers, and pursuant to Regulation SBSR they are required to report their trade activities to the SBSDRs.562 In total, these two SBSDRs received approximately 542.6 million reports 563 between November 2021 and September 2022, from contracts of 15,593 distinct counterparties.564

560 See SBSR Adopting Release, supra note 96 (for information required to be reported by SBSDRs to the Commission).
561 See DTCC Data Repository (U.S.) LLC; Order Approving Application, supra note 111; ICE Trade Vault, LLC; Order Approving Application, supra note 111. Note that additional entities may register as SBSDRs in the future.
562 See List of Registered Security-Based Swap Dealers and Major Security-Based Swap Participants, supra note 110 (providing the list of registered security-based swap dealers and major SBS participants that was updated as of Mar. 28, 2022).
563 The transaction reports include not only the initial trade, but also life-cycle events.
564 Number of reports and number of counterparties are calculated from trade activities data of the DDR and ITV reports. Number of counterparties is calculated as the number of unique counterparty IDs. Due to data limitations, we only included reports that occurred on or after Nov. 8, 2021.

ii. Regulatory Baseline

As discussed above in section III.A.2, SBSDRs are subject to Rule 13n–6, which requires that ‘‘every security-based swap data repository, with respect to those systems that support or are integrally related to the performance of its activities, shall establish, maintain, and enforce written policies and procedures reasonably designed to ensure that its systems provide adequate levels of capacity, integrity, resiliency, availability, and security.’’ 565 The SBSDRs registered with the Commission are also registered with the CFTC as swap data repositories and accordingly are also subject to CFTC rules and regulations related to swap data repositories, including the ‘‘SDR System Safeguards’’ rule.566 That rule requires swap data repositories to establish and maintain emergency procedures, geographically diverse backup facilities and staff, and a business continuity and disaster recovery plan that should enable next-day resumption of the swap data repository’s operations following a disruption.567 In addition, the rule requires programs of risk analysis and oversight with respect to its operations and automated systems to address each of the following categories of risk analysis and oversight: (1) information security; (2) business continuity and disaster recovery planning and resources; (3) capacity and performance planning; (4) systems operations; (5) systems development and quality assurance; (6) physical security and environmental controls; and (7) enterprise risk management.568 This rule also requires systems monitoring to identify potential systems disruptions and cybersecurity attacks via provisions relating to capacity and performance planning, information security, and physical security and environmental controls.

565 See 17 CFR 240.13n–6.
It also requires swap data repositories to maintain a security incident response plan that must include, among other items, policies and procedures for reporting security incidents and for internal and external communication and information sharing regarding security incidents, the hand-off and escalation points in its security incident response process, and the roles and responsibilities of its management, staff, and independent contractors in responding to security incidents.569 Furthermore, the rule requires regular, periodic testing and review of business continuity and disaster recovery capabilities.570 Under the rule, both the senior management and the board of directors of a swap data repository receive and review reports setting forth the results of the specified testing and assessment. A swap data repository is required to establish and follow appropriate procedures for the remediation of issues identified through the review, and for evaluation of the effectiveness of testing and assessment protocols.571 The System Safeguards rule requires SDRs to conduct testing and review sufficient to ensure that their automated systems are reliable, secure, and have adequate scalable capacity.572 The System Safeguards rule requires SDRs to conduct external and internal penetration testing at a frequency determined by an appropriate risk analysis, but no less frequently than annually.573 The System Safeguards rule also specifies and defines five types of system safeguards testing that an SDR must perform to fulfill the testing requirement: vulnerability testing; penetration testing; controls testing; security incident response plan testing; and enterprise technology risk assessment.574 SDRs are required to notify CFTC staff of any system malfunctions, cybersecurity incidents, or activation of the business continuity and disaster recovery plan.575 A swap data repository must also give CFTC staff advance notice of planned changes to automated systems that may affect the reliability, security, or adequate scalable capacity of such systems.576 Finally, the CFTC’s System Safeguards rule requires an SDR to follow generally accepted standards and best practices with respect to the development, operation, reliability, security, and capacity of automated systems related to SDR data.577

566 See 17 CFR 49.24.
567 See 17 CFR 49.24(a).
568 See 17 CFR 49.24(b).
569 See 17 CFR 49.24.
570 Id.
571 17 CFR 49.24(m) (Internal reporting and review).
572 See 17 CFR 49.24(j).
573 See 17 CFR 49.24(j)(3).
574 Id.
575 See 17 CFR 49.24(g).
576 See 17 CFR 49.24(h).
577 See 17 CFR 49.24(c).

b. Broker-Dealers

i. Affected Parties

The Commission is proposing to expand the application of Regulation SCI to include certain broker-dealers in the definition of SCI entity. There are approximately 3,500 broker-dealers registered with the Commission pursuant to section 15(b) of the Exchange Act as of Q3 2022.578 Figure 1 represents the distribution of all registered broker-dealer firms between Q4 2021 and Q3 2022 by level of total assets 579 (Panel A) and by percentage of aggregate total assets 580 (Panel B), with firm size (Panel A) and percentage of aggregate total assets (Panel B) increasing along the x-axis from left to right. These entities encompass a broad range of sizes, business activities, and business models.581 The distribution of firms 582 by level of total assets (Panel A) shows that the vast majority of firms 583 fall somewhere within the $30,000 to $450,000,000 range, with a small minority of firms showing up as a descending long right tail. The distribution of broker-dealers 584 by percentage of aggregate total assets (Panel B) shows that a small number of firms individually had percentages of aggregate total assets in the high single digits to low double digits.

578 See supra note 131.
579 The level of total assets is measured by the average quarterly total assets for each broker-dealer between Q4 2021 and Q3 2022.
580 The percentage of aggregate total assets is estimated by the average quarterly percentage of aggregate total assets for each broker-dealer between Q4 2021 and Q3 2022.
581 See 2022 FINRA Industry Snapshot, supra note 131.
582 Panel A of Figures 1 through 5 is represented on a logarithmic scale for ease of viewing, because the distribution would appear far less evenly distributed if displayed using a standard x-axis.
583 This represents the range of the average quarterly total assets for firms that fall between the 5th and 95th percentile.
584 The number of individual firms in Panel B of Figures 1 through 5 is more visible here due to the use of a standard x-axis, even though the y-axis is represented logarithmically. The use of a logarithmic y-axis does, however, flatten the overall distribution, with a disproportionate effect on the firms with percentage of aggregate average daily dollar volume between 0% and 2.5%, making it slightly less obvious at first glance that the vast majority of firms actually fall between 0% and 2.5%.

[Figure 1: Distribution of registered broker-dealer firms, Q4 2021 to Q3 2022, by level of total assets (Panel A) and by percentage of aggregate total assets (Panel B)]

Figures 2 through 5 represent the distribution of firms by level of transaction activity 585 as measured by average daily dollar volume 586 (Panel A) and the distribution of firms by percentage of transaction activity 587 (Panel B) for each of four asset classes: NMS stocks, exchange-listed options, U.S. Treasury Securities, and Agency Securities, respectively. The distributions of firms 588 by level of transaction activity (Panel A) show that the vast majority of firms 589 fall somewhere within the $30,000 to $14.4 billion range, the $500,000 to $3.1 billion range, the $2,000 to $4.0 billion range, and the $500 to $1.2 billion range for the NMS stock, exchange-listed options, U.S. Treasury Securities, and Agency Securities markets, respectively. Figures 2 through 5 (Panel B), showing the distribution of broker-dealers by percentage of aggregate average daily dollar volume,590 indicate that a very small number of firms 591 individually had percentages of aggregate average daily dollar volume in the high single digits to low double digits.

585 The level of transaction activity in Panel A of Figures 2 through 5 is measured by the average of monthly average daily dollar volume for each broker-dealer from Jan. 2022 to June 2022.
586 These measures are described in more detail in section III.A.2.b.iii.
587 Id.
588 See supra note 582.
589 This represents the range of the average of monthly average daily dollar volume for firms that fall between the 5th and 95th percentile.
590 The percentage of aggregate average daily dollar volume in Panel B of Figures 2 through 5 is estimated by the average of monthly percentage for each broker-dealer of aggregate average daily dollar volume reported to the plan processors (SIPs) of the CTA/CQ Plans and Nasdaq UTP Plan, OPRA Plan, or FINRA TRACE in each respective asset class from Jan. 2022 to June 2022.
591 See supra note 584.

[Figures 2 through 5: Distribution of broker-dealer firms by level of transaction activity measured by average daily dollar volume (Panel A) and by percentage of aggregate average daily dollar volume (Panel B), for NMS stocks, exchange-listed options, U.S. Treasury Securities, and Agency Securities]

A substantial number of firms had transaction activity 592 across these four markets: 336 had transaction activity in NMS equities,593 105 had options transaction activity,594 703 had transaction activity in U.S. Treasury Securities,595 and 461 had transaction activity in Agency Securities.596

592 The number of firms that had transaction activity here may be different than the number of firms that reported business lines on Form BD, at least in part due to differences in how business activities are categorized on Form BD, and also because firms are able to indicate lines of business based on expected business rather than current business. With respect to categorical differences, Form BD does not allow firms to distinguish between NMS and OTC equity business, as both types of stocks can be traded over the counter. Additionally, Form BD does not distinguish between lines of business for exchange-traded or OTC options. Finally, Form BD allows firms to indicate government securities broker or dealer lines of business but does not allow firms to specify more granularly treasury or agency securities businesses.
593 Estimate is based on Consolidated Audit Trail (CAT) data from Jan. 2022 to June 2022.
594 Id.
595 Estimate is based on TRACE for Treasury Securities data from Jan. 2022 to June 2022 and firm names as of Feb. 1, 2023.
596 Estimate is based on regulatory TRACE data from Jan. 2022 to June 2022.

ii. Regulatory Baseline

As discussed above in section III.A.2.b.ii, there are already a number of Exchange Act and FINRA rules that affect how broker-dealers design and maintain their technology and promote business continuity and regulatory compliance. These include: Commission broker-dealer rules; 597 FINRA supervision rules 598 (discussed at length in section III.A.2.b); and FINRA’s business continuity and reporting rules (Rules 4370 and 4530, respectively), discussed previously in section III.A.2.b and further in this section. Furthermore, the Commission’s cybersecurity-related regulations (Regulation S–P and 17 CFR part 248, subpart C (Regulation S–ID)) are discussed further below.599

597 See supra section III.A.2.b (discussing Rules 17a–3, 17a–4, 17a–11, 15c3–1, 15c3–3, and 15c3–5 (the Market Access Rule)).
598 FINRA Rules 3110 and 3130.
599 See supra note 156.
600 See FINRA, 2019 Report on Examination Findings and Observations: Business Continuity Plans (BCPs) (Oct. 16, 2019), available at https://www.finra.org/rules-guidance/guidance/reports/2019-report-exam-findings-and-observations.

FINRA Rule 4370 primarily requires that each broker-dealer create and maintain a written business continuity plan 600 identifying procedures relating to an emergency or significant business disruption that are reasonably designed to enable them to meet their existing obligations to customers, with explicit requirements for data back-up and recovery with respect to mission critical systems as well as an alternate physical location of employees.601 Each broker-dealer must update its plan in the event of any material change to the member’s operations, structure, business or location.
Each member must also conduct an annual review of its business continuity plan to determine whether any modifications are necessary in light of changes to the member’s operations, structure, business, or location. FINRA identified that firms 602 frequently tested their BC/ DRs plans as part of their annual review and also included key vendors in those tests.603 Furthermore, a broker-dealer must disclose to its customers through public disclosure statements how its business continuity plan addresses the possibility of a future significant business disruption and how the member plans to respond to events of varying scope. Such required business continuity public disclosure statements 604 offer some summary information on broker-dealer actual practices that relate to FINRA Rule 4370. Recent FINRA exam findings reports 605 in relation to FINRA Rule Broker-dealers are required to conduct an annual review of their business continuity plans along with recommended testing and evaluation of its effectiveness with vendor participation. 601 FINRA Rules 4370, 3110 (Supervision), and 4511 (General Requirements), as well as Securities Exchange Act of 1934 (Exchange Act) Rules 17a–3 and 17a–4. 602 FINRA did not disclose the number or identity of these firms. 603 See FINRA, 2019 Report on Examination Findings and Observations: Business Continuity Plans (BCPs), supra note 600. 604 While broker-dealers are required to provide a brief summary disclosure statement regarding their BCPs to customers, they do not disclose the actual BCP. Based on a review of 2021 and 2022 BCP disclosure statements, firms often did not provide any detail on operational capacity to meet demand surges or any specific timeframes for resumption of service. 
They sometimes mention the use of redundant service centers, data centers, systems, and staff across geographically diverse locations in case primary centers and systems go offline; immediate failover to backup systems and plans to restore services quickly in the event of a technology disruption; and review of third parties’ business contingency plans. 605 See FINRA, 2022 Report on FINRA’s Examination and Risk Monitoring Program (Feb. 9, 2022), available at https://www.finra.org/sites/ default/files/2022-02/2022-report-finrasexamination-risk-monitoring-program.pdf. See also FINRA, 2020 Risk Monitoring and Examination Priorities Letter (Jan. 9, 2020), available at https:// www.finra.org/rules-guidance/communicationsfirms/2020-risk-monitoring-and-examinationpriorities-letter; FINRA, Equity Trading Initiatives: Supervision and Control Practices for Algorithmic Trading Strategies (Mar. 2015), available at https:// VerDate Sep<11>2014 20:01 Apr 13, 2023 Jkt 259001 4370 suggest increasing attention by broker-dealers to operational resiliency issues and the value of capacity planning, stress testing, and the review of testing and development methodology. 
FINRA rules relating to supervision 606 require each member to establish, maintain, and enforce written procedures to supervise the types of business in which it engages and the activities of its associated persons that are reasonably designed to achieve compliance with applicable securities laws and regulations including Federal cybersecurity laws and regulations applicable to broker-dealers such as Regulation S–P 607 and Regulation S– ID.608 As discussed in section III.D.1.c.i, Regulation S–P’s safeguards provisions require broker-dealers to adopt written policies and procedures that address administrative, technical, and physical safeguards for the protection of customer records and information.609 The Regulation S–P Safeguards Rule further provides that these policies and procedures must: (1) insure the security and confidentiality of customer records and information; (2) protect against any anticipated threats or hazards to the security or integrity of customer records and information; and (3) protect against unauthorized access to or use of customer records or information that could result in substantial harm or inconvenience to any customer.610 Additionally, the Regulation S–P Disposal Rule requires broker-dealers that maintain or otherwise possess consumer report information for a business purpose to properly dispose of the information by taking reasonable measures to protect against unauthorized access to or use of the information in connection with its disposal.611 In contrast, Regulation S–ID is more narrowly concerned with identity theft. Broker-dealers subject to Regulation S–ID must develop and implement a written identity theft program that includes policies and procedures to identify and detect relevant red flags.612 www.finra.org/sites/default/files/notice_doc_file_ ref/Notice_Regulatory_15-09.pdf. 606 FINRA Rules 3110 (Supervision) and 3120 (Supervisory Control Systems). 607 See 17 CFR 248.1 through 248.30. 608 See 17 CFR 248.201 and 248.202. 
609 See 17 CFR 248.30(a). 610 See 17 CFR 248.30(a)(1) through (3). 611 See 17 CFR 248.30(b)(2). Regulation S–P currently defines the term ‘‘disposal’’ to mean: (1) the discarding or abandonment of consumer report information; or (2) the sale, donation, or transfer of any medium, including computer equipment, on which consumer report information is stored. See 17 CFR 248.30(b)(1)(iii). 612 See 17 CFR 248.201. PO 00000 Frm 00086 Fmt 4701 Sfmt 4702 Past Commission staff statements 613 and FINRA guidance 614 with respect to these rules identify common elements of reasonably designed cybersecurity policies and procedures including risk assessment, user security and access, 613 See OCIE, SEC, Cybersecurity: Safeguarding Client Accounts against Credential Compromise (Sep. 15, 2020), available at https://www.sec.gov/ files/Risk%20Alert%20-%20Credential %20Compromise.pdf; OCIE, SEC, Select COVID–19 Compliance Risks and Considerations for BrokerDealers and Investment Advisers (Aug. 12, 2020), available at https://www.sec.gov/files/Risk %20Alert%20-%20COVID-19%20Compliance.pdf; OCIE, SEC, Cybersecurity: Ransomware Alert (July 10, 2020), available at https://www.sec.gov/files/ Risk%20Alert%20-%20Ransomware.pdf; OCIE, SEC, Report on OCIE Cybersecurity and Resiliency Observations (Jan. 27, 2020), available at https:// www.sec.gov/files/OCIE%20Cybersecurity%20and %20Resiliency%20Observations.pdf; OCIE, SEC, OCIE Safeguarding Customer Records and Information in Network Storage—Use of Third Party Security Features (May 23, 2019), available at https://www.sec.gov/files/OCIE%20Risk%20Alert %20-%20Network%20Storage.pdf; OCIE, SEC, Investment Adviser and Broker-Dealer Compliance Issues Related to Regulation S–P—Privacy Notices and Safeguard Policies (Apr. 16, 2019), available at https://www.sec.gov/files/OCIE%20Risk %20Alert%20-%20Regulation%20S-P.pdf; OCIE, SEC, Observations from Cybersecurity Examinations (Aug. 
7, 2017), available at https:// www.sec.gov/files/observations-from-cybersecurityexaminations.pdf; OCIE, SEC, Cybersecurity: Ransomware Alert (May 17, 2017), available at https://www.sec.gov/files/risk-alert-cybersecurityransomware-alert.pdf; OCIE, SEC, OCIE’s 2015 Cybersecurity Examination Initiative (Sep. 15, 2015), available at https://www.sec.gov/files/ocie2015-cybersecurity-examination-initiative.pdf; OCIE, SEC, Cybersecurity Examination Sweep Summary (Feb. 3, 2015), available at https:// www.sec.gov/about/offices/ocie/cybersecurityexamination-sweep-summary.pdf; OCIE, SEC, OCIE’s 2014 Cybersecurity Initiative (Apr. 15, 2014), available at https://www.sec.gov/ocie/ announcement/Cybersecurity-Risk-Alert-Appendix---4.15.14.pdf. 614 See FINRA, Core Cybersecurity Threats and Effective Controls for Small Firms (May 2022), available at https://www.finra.org/sites/default/ files/2022-05/Core_Cybersecurity_Threats_and_ Effective_Controls-Small_Firms.pdf; FINRA, Cloud Computing in the Securities Industry (Aug. 16, 2021), available at https://www.finra.org/rulesguidance/key-topics/fintech/report/cloudcomputing; FINRA, Common Cybersecurity Threats (July 9, 2019), available at https://www.finra.org/ rules-guidance/guidance/common-cybersecuritythreats; FINRA, Report on Selected Cybersecurity Practices (Dec. 1, 2018), available at https:// www.finra.org/rules-guidance/guidance/commoncybersecurity-threats; FINRA, Report on FINRA Examination Findings (Dec. 6, 2017), available at https://www.finra.org/sites/default/files/2017Report-FINRA-Examination-Findings.pdf; FINRA, Small Firm Cybersecurity Checklist (May 23, 2016), available at https://www.finra.org/compliancetools/small-firm-cybersecurity-checklist. Cybersecurity has also been a regular theme of FINRA’s Regulatory and Examination Priorities Letter since 2008 often with reference to Regulation S–P. 
Similarly the SEC sponsored a Cybersecurity Roundtable and the Division of Examination conducted cybersecurity initiative I and II to assess industry practices and legal and compliance issues associated with broker-dealer and investment adviser cybersecurity preparedness. E:\FR\FM\14APP2.SGM 14APP2 Federal Register / Vol. 88, No. 72 / Friday, April 14, 2023 / Proposed Rules ddrumheller on DSK120RN23PROD with PROPOSALS2 information protection, incident response,615 and training.616 Consistent with these rules, nearly all broker-dealers that participated in two Commission exam sweeps in 2015 and 2017 reported 617 maintaining some cybersecurity policies and procedures; conducting some periodic risk assessments to identify threats and vulnerabilities,618 conducting firm-wide systems inventorying or cataloguing, ensuring regular system maintenance including the installation of software patches to address security vulnerabilities, performing some penetration testing,619 although both sweeps also discussed various flaws in compliance. A separate staff statement, based on observed industry practices, noted that at least some firms implemented capabilities that are able to control, monitor, and inspect all incoming and outgoing network traffic to prevent unauthorized or harmful traffic and implemented capabilities 615 See FINRA, 2021 Report on FINRA’s Examination and Risk Monitoring Program (Feb. 01, 2021), available at https://www.finra.org/rulesguidance/guidance/reports/2021-finrasexamination-and-risk-monitoring-program/ cybersecurity (FINRA recommended among effective practices with respect to incident response: Establishing and regularly testing (often using tabletop exercises) a written formal incident response plan that outlines procedures for responding to cybersecurity and information security incidents; and developing frameworks to identify, classify, prioritize, track and close cybersecurity-related incidents.). 
616 These categories vary somewhat in terms of nomenclature and the specific categories themselves across different Commission and FINRA publications. 617 See Cybersecurity Examination Sweep Summary, supra note 613 (Of 57 examined brokerdealers, the vast majority adopted written information security policies, conducted periodic audits to determine compliance with these information security policies and procedures, conducted risk assessments and reported considering such risk assessments in establishing their cybersecurity policies and procedures. With respect to vendors, the majority of the brokerdealers required cybersecurity risk assessments of vendors with access to their firms’ networks and had at least some specific policies and procedures relating to vendors.). See also Observations from Cybersecurity Examinations, supra note 613 (This largely aligned with the prior 2015 Exam Sweep but is based on additional data from a mixed group of 75 broker-dealers and investment advisers. For example, nearly all firms had incident response plans. Still, it appeared that a number of firms did not appear to fully remediate some of the high risk observations that they discovered from these tests and vulnerability scans in a timely manner or failed to conduct penetration testing regularly). 618 See Report on Selected Cybersecurity Practices, supra note 614. According to FINRA’s 2018 RCA, 94% of higher revenue firms and 70% of mid-level revenue firms use a risk assessment as part of their cybersecurity program. The Risk Control Assessment (RCA) Survey is a voluntary survey conducted by FINRA on an annual basis with all active member firms. 619 Id. According to FINRA’s 2018 RCA, 100% of higher revenue firms include penetration testing as a component in their overall cybersecurity program. 
VerDate Sep<11>2014 20:01 Apr 13, 2023 Jkt 259001 that are able to detect threats on endpoints.620 In the two Commission exam sweeps, many firms indicated that policies and procedures were vetted and approved by senior management and that firms provided annual cybersecurity reports to the board while some also provided ad hoc reports in the event of major cybersecurity events.621 Broadly, many broker-dealers reported relying on industry standards with respect to cybersecurity 622 typically by adhering to a specific industry standard or combination of industry standards or by using industry standards as guidance in designing policies and procedures. In the Commission’s 2017 sweep, however, weaknesses in policies and procedures and failure to implement policies and procedures were observed at a majority of the participating firms.623 FINRA Rule 3110’s supervisory obligation also extends to member firms’ outsourcing of certain ‘‘covered activities’’—activities or functions that, if performed directly by a member firm, would be required to be the subject of a supervisory system and written supervisory procedures pursuant to FINRA Rule 3110. These vendor management obligations are discussed in further guidance.624 As discussed in section III.A.2.b of this release, FINRA Rule 4530 requires broker-dealer reporting of certain events to FINRA, including, among other things, compliance issues and other events 625 620 See Cybersecurity and Resiliency Observations, supra note 614. 621 See Cybersecurity Examination Sweep Summary, supra note 613, and Observations from Cybersecurity Examinations, supra note 613. 622 Id. Among the firms that were part of the sweep, nearly 90% used one or more of the NIST, ISO or ISACA frameworks or standards. More specifically, 65% of the respondents reported that they use the ISO 27001/27002 standard while 25% use COBIT. Some firms use combinations of these standards for various parts of their cybersecurity programs. 
While the report focused on firm utilization of cybersecurity frameworks specifically, in many cases, the referenced frameworks were broader IT frameworks. 623 See OCIE, SEC, Observations from Cybersecurity Examinations (Aug. 7, 2017), available at https://www.sec.gov/files/observationsfrom-cybersecurity-examinations.pdf. 624 See Regulatory Notice 21–29: Vendor Management and Outsourcing, supra note 165; Notice to Members 05–48: Outsourcing, supra note 165. FINRA found that most firms had adequate privacy and security language in contracts where customer or firm confidential data or high-risk systems were at risk. Standard contract language topics that firms included were: non-disclosure agreements/confidentiality agreements, data storage, retention, and delivery; breach notification responsibilities; right-to-audit clauses; vendor employee access limitations; use of subcontractors; and vendor obligations upon contract termination. Id. 625 While FINRA has urged firms to report material cyber incidents that do not trigger a PO 00000 Frm 00087 Fmt 4701 Sfmt 4702 23231 where a broker-dealer has concluded or should have reasonably concluded that a violation of securities or other enumerated law, rule, or regulation of any domestic or foreign regulatory body or SRO has occurred. Broker-dealers affiliated with a banking organization 626 may also be affected by a cybersecurity notification requirement. For example, if a broker-dealer is a subsidiary of a bank holding company, an incident at the broker-dealer would likely be reported by the bank holding company to its respective banking regulator. 
Aside from specific dissemination obligations under Regulation SCI for a limited number of broker-dealers with respect to their related SCI ATSs, there are no Commission or FINRA requirements for broker-dealers to disseminate notifications of breaches to members or clients although many firms do so 627 pursuant to various state data breach laws.628 Broker-dealers are subject to state laws known as ‘‘Blue Sky Laws,’’ which generally are regulations established as safeguards for investors against securities fraud.629 All 50 states have enacted laws in recent years requiring firms to notify individuals of data breaches, standards differ by state, with some states imposing heightened notification requirements relative to other states.630 reporting obligation to their regulatory coordinator, current practices are unclear. 626 In the simplification of the Volcker Rule, effective Jan. 21, 2020, Commission staff estimated that there were 202 broker-dealers that were affiliated with banking organizations. 627 See Cybersecurity Examination Sweep Summary, supra note 613 (Based on a small sample of firms, the vast majority of broker-dealers maintained plans for data breach incidents and most had plans for notifying customers of material events.) 628 See Digital Guardian, The Definitive Guide to U.S. State Data Breach Laws, digitalguardian.com, available at https://info.digitalguardian.com/rs/ 768-OQW-145/images/the-definitive-guide-to-usstate-data-breach-laws.pdf (last visited Nov. 15, 2022). 629 See, e.g., Office of Investor Education and Advocacy, Commission, Blue Sky Laws, available at https://www.investor.gov/introduction-investing/ investing-basics/glossary/blue-sky-laws. 630 For example, some states may require a firm to notify individuals when a data breach includes biometric information, while others do not. Compare Cal. Civil Code sec. 
1798.29 (notice to California residents of a data breach generally required when a resident’s personal information was or is reasonably believed to have been acquired by an unauthorized person; ‘‘personal information’’ is defined to mean an individual’s first or last name in combination with one of a list of specified elements, which includes certain unique biometric data), with Ala. Stat. secs. 8–38–2, 8–38–4, 8–38– 5 (notice of a data breach to Alabama residents is generally required when sensitive personally identifying information has been acquired by an unauthorized person and is reasonably likely to cause substantial harm to the resident to whom the information relates; ‘‘sensitive personally E:\FR\FM\14APP2.SGM Continued 14APP2 23232 Federal Register / Vol. 88, No. 72 / Friday, April 14, 2023 / Proposed Rules Additionally, market data, including bids, offers, quotation sizes, among other types of data, are currently collected from broker-dealers and consolidated and distributed pursuant to a variety of Exchange Act rules and joint industry plans.631 c. Exempt Clearing Agencies ddrumheller on DSK120RN23PROD with PROPOSALS2 i. Affected Parties Certain SCI entities are in the market for clearance and settlement services. Registered clearing agencies and certain exempt clearing agencies are already SCI entities. The Commission proposes to extend Regulation SCI to include all other exempt clearing agencies. The proposed amendment would have the immediate effect of introducing two exempt clearing agencies into the scope of Regulation SCI. There are broadly two types of clearing agencies: registered clearing agencies and exempt clearing agencies. There are seven registered and active clearing agencies: DTC, FICC, NSCC, ICC, ICEEU, the Options Clearing Corp., and LCH SA. 
There are two other clearing agencies that are no longer active but both maintain registration with the Commission.632 In addition to these registered clearing agencies, there are clearing agencies that have received from the Commission an exemption from registration as a clearing agency under section 17A of the Exchange Act. There are five exempt clearing agencies: Bloomberg STP (inactive), ITPMATCH (DTCC), SSCNET (SS&C Technologies), Euroclear Bank SA/NV, and Clearstream Banking, S.A. Of these exempt clearing agencies, Bloomberg STP, ITPMATCH (DTCC), and SSCNET (SS&C Technologies) are subject to Regulation SCI as ‘‘exempt clearing agencies subject to ARP,’’ together with registered clearing agencies. The other two, Euroclear Bank SA/ NV, and Clearstream Banking, S.A, both exempt clearing agencies,633 have not identifying information’’ is defined as the resident’s first or last name in combination with one of a list of specified elements, which does not include biometric information). 631 See, e.g., Rules 601 through 17 CFR 242.604 (‘‘Rule 604’’) of Regulation NMS and 17 CFR 242.301(b)(3) (‘‘Rule 301(b)(3)’’) of Regulation ATS. 632 See BSECC Notice and SCCP Notice, supra note 230. 633 See Euroclear Exemption, supra note 231 (providing an exemption to Euroclear Bank SA/NV (successor in name to Morgan Guaranty Trust Company of NY)); Clearstream Exemption, supra note 231 (providing an exemption to Clearstream Banking, S.A. (successor in name to Cedel Bank, socie´te´ anonyme, Luxembourg)). Furthermore, pursuant to the Commission’s statement on CCPs in the European Union (‘‘EU’’) authorized under the European Markets Infrastructure Regulation (‘‘EMIR’’), an EU CCP may request an exemption from the Commission where it has determined that VerDate Sep<11>2014 20:01 Apr 13, 2023 Jkt 259001 been required to comply with Regulation SCI. Each performs CSD functions and provides clearance and settlement for U.S. 
Treasury transactions, subject to volume limits set forth in their exemptions. Euroclear Bank also provides collateral management services for U.S. equity transactions involving a U.S. person and a non-U.S. person. ii. Regulatory Baseline The two exempt clearing agencies not subject to ARP are required per Commission exemptive orders to submit to the Commission a number of items including transaction volume data,634 notification regarding material adverse changes in any account maintained for customers,635 one or more disclosure documents, amendments to its application for exemption on Form CA– 1,636 responses to a Commission request for information,637 etc. In the case of one exempt clearing agency, its exemptive order also requires submission of additional items related to its systems including quarterly reports describing completed, ongoing, and planned material system changes,638 notification 639 regarding the application of SEC requirements would impose unnecessary, duplicative, or inconsistent requirements in light of EMIR requirements to which it is subject. See Statement on Central Counterparties Authorized under the European Markets Infrastructure Regulation Seeking to Register as a Clearing Agency or to Request Exemptions from Certain Requirements Under the Securities Exchange Act of 1934 supra note 240 (stating that in seeking an exemption, an EU CCP could provide ‘‘a self-assessment . . . [to] explain how the EU CCP’s compliance with EMIR corresponds to the requirements in the Exchange Act and applicable SEC rules thereunder, such as Rule 17Ad–22 and Regulation SCI.’’). 634 Id. This is provided in the form of quarterly reports, calculated on a twelve-month rolling basis, of volume statistics related to government securities. One exempt clearing agency also reports volume statistics related to equities. 635 Id. This is for customers that are members or affiliates of members of a U.S. 
registered clearing agency in the case of one exempt clearing or US participants in the case of the other. 636 Id. This must be filed prior to the implementation of any change in stated policies, practices, or procedures that makes the information contained in the original Form CA–1 incomplete or inaccurate in any material respect. 637 Id. This would typically concern a U.S. customer or its affiliate about whom the Commission has financial solvency concerns. 638 This must be filed within 30 calendar days after the end of each quarter. These reported information represents changes related to the Clearing Agency Activities during the prior, current, and subsequent calendar quarters, including the dates or expected dates of commencement and completion. 639 This requires notification of such systems event within 24 hours after occurrence; regular updates until such time as a systems event is resolved and investigation of the systems event is closed; interim written notification within 48 hours after the occurrence of a systems event or promptly PO 00000 Frm 00088 Fmt 4701 Sfmt 4702 systems events; 640 as well as a requirement to take appropriate corrective action regarding such systems events. 
This exempt clearing agency is also required to maintain policies and procedures that are reasonably designed to identify, manage, and monitor systems operational risk; clearly define the roles and responsibilities of personnel for addressing operational risk; review such policies and procedures; conduct systems audits and system tests periodically and at implementation of significant changes; clearly define operational reliability objectives for the systems; ensure that the systems have scalable capacity adequate to handle increasing stress volumes and achieve the systems service-level objectives; establish comprehensive physical and information security policies that address all potential vulnerabilities and threats to the systems; and establish a business continuity plan 641 for the systems that addresses events posing a significant risk of disrupting the systems’ operations, including events that could cause a wide-scale or major disruption in the provision of the clearing agency activities. Such policies and procedures should be consistent with current information technology industry standards 642 and be reasonably designed to ensure that the systems operate on an ongoing basis in a manner that complies with the conditions applicable to the systems and with the exempt clearing agency’s rules and governing documents applicable to the clearing agency activities. This exempt clearing agency must also provide the thereafter if such a deadline cannot be met; a written final report within ten business days after the occurrence of a systems event or promptly thereafter if such a deadline cannot be met. For systems events characterized as ‘‘bronze level’’ events (i.e., a Systems Event in which the incident is clearly understood, almost immediately under control, involves only one business unit and/or entity, and is resolved within a few hours), the clearing agency is instead required to provide on a quarterly basis an aggregated list of bronze level events. 
640 This includes disruptions, compliance issues, or intrusions of the systems that impact, or is reasonably likely to impact clearing agency activities. 641 The business continuity plan would require the use of a secondary site designed to ensure twohour resumption of operation following disruptive events; regular testing of business continuity plans; identification, monitoring, and management of the risks that key participants, other financial market infrastructures, and service and utility providers might pose to the systems’ operations in relation to the clearing agency activities. 642 The exempt clearing agency is required to provide annual notice to the Commission regarding the industry standards utilized. These standards consist of information technology practices that are widely available to information technology professionals in the financial sector and issued by a widely recognized organization. E:\FR\FM\14APP2.SGM 14APP2 Federal Register / Vol. 88, No. 72 / Friday, April 14, 2023 / Proposed Rules Commission with an annual update regarding policies and procedures. Additionally, the two exempt clearing agencies not subject to ARP are subject to Europe’s Central Securities Depositories Regulation (CSDR) which provides a set of common requirements for CSDs operating securities settlement systems across the EU.643 CSDR provides, among other things, Operational Risk rules (Article 45).644 There are more specific requirements in the CSDR’s Regulatory Technical Standards 645 including identifying operational risks; 646 methods to test, address and minimize operational risks; 647 IT systems; 648 and business continuity.649 Furthermore, each of these two exempt clearing agencies publish disclosure framework reports 650 that purport to describe the policies and procedures 651 with respect to the operational risk framework of the Principles for Financial Market Infrastructures (PFMI) published by CPSS and IOSCO.652 2. 
Existing SCI Entities ddrumheller on DSK120RN23PROD with PROPOSALS2 a. Affected Parties In addition to these proposed new SCI entities, Regulation SCI has applied to 643 The two exempt clearing agencies may also be subject to the EU Regulation, the Digital Operational Resilience Act (DORA), which went into effect in 2015: See Proposal for a Regulation of the European Parliament and of the Council on Digital Operational Resilience for the Financial Sector and Amending Regulations (EC) No 1060/ 2009, (EU) No 648/2012, (EU) No 600/2014 and (EU) No 909/2014 available at https://eurlex.europa.eu/legal-content/EN/TXT/ ?uri=CELEX%3A52020PC0595. 644 See Commission Regulation No. 909/2014 of July 23, 2014, on improving securities settlement in the European Union and on central securities depositories and amending Directives 98/26/EC and 2014/65/EU and Regulation (EU) No 236/2012, art. 45, 2014 O.J. (L 257) 47, available at https://eurlex.europa.eu/legal-content/EN/TXT/ ?uri=CELEX:32014R0909. 645 See Commission Delegated Regulation 2017/ 392, Supplementing Regulation (EU) No 909/2014 of the European Parliament and of the Council with Regard to Regulatory Technical Standards on Authorization, Supervisory and Operational Requirements for Central Securities Depositories. 65 Off. J. Eur. Union 48 (2017) available at https://eurlex.europa.eu/legal-content/EN/TXT/PDF/ ?uri=CELEX:32017R0392&from=EN. 646 Id. art. 45:1. 647 Id. art. 45:2. 648 Id. art. 45:3. 649 Id. art. 45:4. 650 See infra notes 683–684. 651 The respective disclosure documents have not been reviewed by the Commission and its staff for accuracy and may or may not demonstrate implementation/compliance with international standards. 652 Bank for International Settlements (BIS), Principles for Financial Market Infrastructures: Disclosure Framework and Assessment Methodology (Dec. 2012), available at https:// www.bis.org/cpmi/publ/d106.pdf. 
VerDate Sep<11>2014 20:01 Apr 13, 2023 Jkt 259001 entities that facilitate several different markets, including the market for trading services, the market for listing services, the market for regulation and surveillance services, the market for clearance and settlement services, and the market for market data.653 As of this writing, there are 47 SCI entities. These include 35 SCI SROs (including 24 exchanges, 9 registered clearing agencies, FINRA, and the MSRB), 7 SCI ATSs (including 5 NMS stock ATSs and 2 non-NMS stock ATSs), 2 plan processors, and 3 exempt clearing agencies subject to ARP.654 All of them are already required to comply with Regulation SCI, and, as discussed in section V.B.2.b, subsets of these entities also have other specific rules that apply to them. The general characteristics of the markets in which the existing SCI entities operate are described in the SCI Proposing Release 655 and SCI Adopting Release.656 There are, however, broad changes to these markets—as they pertain to Regulation SCI—that should be noted. The markets have changed in at least four important ways. First, the total trading volumes have increased across all types of securities.657 Second, there is an increased reliance on technology and automation among financial institutions, a trend which accelerated due to the COVID–19 pandemic.658 Third, and relatedly, 653 17 CFR 242.1000 (definitions of ‘‘SCI systems’’ and ‘‘critical SCI systems’’). 654 In 2021, the Commission amended Regulation SCI to add competing consolidators that exceed a 5% consolidated market data gross revenue threshold over a specified time period as SCI entities. Currently, no competing consolidators have registered with the Commission. See Market Data Infrastructure Adopting Release, supra note 24. 655 See SCI Proposing Release, supra note 14, at section V. See also Market Data Infrastructure Adopting Release, supra note 24, for a description of competing consolidator market characteristics. 
656 See SCI Adopting Release, supra note 1, at section VI. 657 See, e.g., SIFMA Insights: Electronic Trading Market Structure Primer, supra note 3 (summarizing electronic trading history and trends in different markets); SEC, Staff Report on Equity and Options Market Structure Conditions in Early 2021 (Oct. 14, 2021), available at https:// www.sec.gov/files/staff-report-equity-optionsmarket-struction-conditions-early-2021.pdf; see also U.S. House Committee on Financial Services, Game Stopped: How the Meme Stock Market Event Exposed Troubling Business Practices, Inadequate Risk Practices, and the Need for Legislative and Regulatory Reform (June 2022), available at: https:// democrats-financialservices.house.gov/ uploadedfiles/6.22_hfsc_gs.report_ hmsmeetbp.irm.nlrf.pdf. 658 See, e.g., Henning Soller, et al., Innovative Technologies in Financial Institutions: Risk as a Strategic Issue, McKinsey Digital (Sep. 25, 2020), available at: https://www.mckinsey.com/businessfunctions/mckinsey-digital/our-insights/techforward/innovative-technologies-in-financialinstitutions-risk-as-a-strategic-issue (‘‘The current PO 00000 Frm 00089 Fmt 4701 Sfmt 4702 23233 financial institutions have become increasingly dependent on third parties—including cloud service providers—to operate their businesses and provide their services.659 This is, in fact, a general trend among all global companies, and this trend, too, has been driven in part by the COVID–19 pandemic.660 Fourth, cybersecurity events have grown in both number and sophistication.661 These developments in the market have significantly increased the negative externalities that may flow from systems failures. Current SCI entities are required to report systems intrusions, either immediately or on a quarterly basis, rather than immediately if de miminis in impact. However, current SCI entities have not been reporting attempted intrusions, as they were not required to do so. b. 
Regulatory Baseline The common regulatory baseline for current SCI entities is Regulation SCI which was adopted in 2014. Regulation SCI requires, among other things, that these entities establish, maintain, and enforce written policies and procedures reasonably designed to ensure that their SCI systems have levels of capacity, integrity, resiliency, availability, and security adequate to maintain their operational capability and promote the maintenance of fair and orderly markets and operate in a manner that complies with the Exchange Act and the rules and regulations thereunder and the entity’s rules and governing documents, as applicable, and specifies certain minimum requirements for such policies and procedures. As a policies and procedures based rule, and one that employs a risk-based approach, Regulation SCI provides flexibility to allow each SCI entity to determine how COVID–19 crisis has significantly accelerated the need for financial institutions to adopt innovative technologies.’’). 659 See, e.g., Noah Kessler, Cloud Is on the Rise in Financial Services and Regulators Are Taking Note, ABA Risk and Compliance (Sept. 29, 2021), available at https://bankingjournal.aba.com/2021/ 09/cloud-is-on-the-rise-in-financial-services-andregulators-are-taking-note/. 660 See, e.g., Deloitte, 2021 Global Shared Services and Outsourcing Survey Report 3, available at https://www2.deloitte.com/content/ dam/Deloitte/global/Documents/Process-andOperations/gx-2021-global-shared-servicesreport.pdf (‘‘[T]here’s an increasing shift to leverage global, multifunctional, and virtual or remote models, especially driven by learnings from COVID–19’’). 661 See, e.g., Chuck Brooks, Alarming Cyber Statistics For Mid-Year 2022 That You Need To Know, Forbes.com (June 3, 2022), available at https://www.forbes.com/sites/chuckbrooks/2022/ 06/03/alarming-cyber-statistics-for-mid-year-2022that-you-need-to-know/?sh=2429c57e7864. E:\FR\FM\14APP2.SGM 14APP2 23234 Federal Register / Vol. 88, No. 
72 / Friday, April 14, 2023 / Proposed Rules to best meet the requirements in Rule 1001(a). In addition, 17 CFR 242.613 (‘‘Rule 613’’) of Regulation NMS requires national securities exchanges and national securities associations (FINRA) to jointly develop and submit to the Commission a Consolidated Audit Trail National Market System (CAT NMS) Plan.662 Under the Commission-approved CAT NMS Plan, the national securities exchanges and FINRA (the Participants) conduct the activities related to the CAT through a jointly owned limited liability company, Consolidated Audit Trail, LLC (‘‘Company’’).663 FINRA CAT, LLC—a wholly-owned subsidiary of FINRA—has entered into an agreement with the Company to act as the plan processor for the CAT. However, the Participants remain ultimately responsible for the performance of the CAT and its compliance with any statutes, rules, and regulations.664 The Plan Processor must develop three sets of policies and procedures: (1) the CAT information security program and related data security policies and procedures; (2) user security and access policies and procedures; and (3) breach management policies and procedures.665 First, the Plan Processor must develop and maintain a comprehensive information security program, to be approved and reviewed at least annually by an operating committee, which contains certain specific requirements for the Company related to data security.666 As part of this requirement, the Plan Processor is required to create and enforce policies, procedures, and 662 17 CFR 242.613. Audit Trail, LLC, CAT NMS Plan, secs. 1.1, 3.1, 4.1 (July 2020), available at https://catnmsplan.com/sites/default/files/2020-07/ LLC-Agreement-of-Consolidated-Audit-Trail-LLCas-of-7.24.20.pdf; see also CAT NMS Plan Approval Order, supra note 393; Joint Industry Plan; Order Approving Amendment to the National Market System Plan Governing the Consolidated Audit Trail, Securities Exchange Act Release No. 
89397 (July 24, 2020), 85 FR 45941 (July 30, 2020). 664 CAT NMS Plan, secs. 4.3, 5.1, 6.1. The Participants jointly own on an equal basis the Company. As such, the CAT’s Central Repository is a facility of each of the Participants, and also an SCI system of each of the Participants. See SCI Adopting Release, supra note 1, at 72275 at n. 246; CAT NMS Plan Approval Order, supra note 393, at 84758. 665 CAT NMS Plan, secs. 6.12 and app. D. secs. 4.1 to 4.1.5. The Plan Processor is subject to certain industry standards with respect to its information security program, including, among others, NIST– 800–23 (Guidelines to Federal Organizations on Security Assurance and Acquisition/Use of Test/ Evaluated Products), NIST 800–53 (Security and Privacy Controls for Federal Information Systems and Organizations), and NIST 800–115 (Technical Guide to Information Security Testing and Assessment). CAT NMS Plan, app D sec 4.2. 666 CAT NMS Plan, app. D sec. 4.1. ddrumheller on DSK120RN23PROD with PROPOSALS2 663 Consolidated VerDate Sep<11>2014 20:01 Apr 13, 2023 Jkt 259001 control structures to monitor and address CAT data security, including reviews of industry standards and periodic penetration testing.667 Second, both the Participants and the Plan Processor must implement user security and access policies and procedures that include safeguards to secure access and use of the CAT.668 The Plan Processor must also review Participant information security policies and procedures related to the Company to ensure that such policies and procedures are comparable to those of the CAT system.669 Finally, the Plan Processor must develop a cyber-incident response plan and document all information relevant to breaches.670 In addition to these policies and procedures requirements, the CAT NMS Plan requires several forms of periodic review of CAT, including an annual written assessment,671 regular reports,672 and an annual audit.673 The Commission has proposed amendments to the CAT NMS Plan that 
are designed to enhance the security of the CAT through increased security requirements as well as limiting the scope of sensitive information required to be collected by the CAT.674 3. Current Market Practice This section describes current and new SCI entities’ market practices, as relevant to certain of the proposed and 667 Id. sec. 6.2(b)(v) and app. D secs. 4.1 to 4.2. these safeguards must include: (1) restrictions on the acceptable uses of CAT Data; (2) role-based access controls; (3) authentication of individual users; (4) multifactor authentication and password controls; (5) implementation of information barriers to prevent unauthorized staff from accessing CAT Data; (6) separate storage of sensitive personal information and controls on transmission of data; (7) security-driven monitoring and logging; (8) escalation of non-compliance or security events; and (9) remote access controls. Id. at secs. 6.2(b)(v), 6.5(c)(i), 6.5(c)(iii) and (iv) and app. D secs. 4.1 to 4.1.4, 4.1.6, 8.1, 8.1.1, 8.1.3, 8.2, 8.2.2. 669 Id. sec. 6.2(b)(vii). 670 Id. app. D sec. 4.1.5. 671 The Participants are required to provide the Commission with an annual written assessment of the Plan Processor’s performance, which must include, among other things, an evaluation of potential technology upgrades and an evaluation of the CAT information security program. Id. secs. 6.2(a)(v)(G), 6.6(b). 672 The Plan Processor is required to provide the operating committee with regular reports on various topics, including data security issues and the Plan Processor. Id. secs. 6.1(o), 6.2(b)(vi), 6.2(a)(v)(E), 6.2(b)(vi). 673 The Plan Processor is required to create and implement an annual audit plan that includes a review of all Plan Processor policies, procedures, control structures, and tools that monitor and address data security. Id. secs. 6.2(a)(v)(B) and (C), app. D secs. 4.1.3, 5.3. 
674 Proposed Amendments to the National Market System Plan Governing the Consolidated Audit Trail to Enhance Data Security, Release No. 89632 (Aug. 21, 2020), 85 FR 65990 (Oct. 16, 2020). 668 Specifically, PO 00000 Frm 00090 Fmt 4701 Sfmt 4702 existing provisions. These market practices include entities’ compliance efforts that exceed current regulatory baseline requirements, entities’ adherence to voluntary standards and best practices, and business practices not directly related to compliance with a regulatory obligation that nevertheless overlap with the substantive or procedural requirements of the proposed rule. To the extent the entities’ existing practices already comply with the requirements or proposed requirements of Regulation SCI, or to the extent those practices might facilitate such compliance, the benefits and costs of the proposal could be mitigated. The Commission requests comment on how the new and existing SCI entities’ current market practices affect the baseline against which the economic effects are measured. a. Systems Classification and Lifecycle Management Based on the experience of Commission most current SCI entities undertake some form of lifecycle management program that includes acquisition, integration, support, refresh and disposal of covered systems, as applicable, and the sanitization of endof-life systems. b. Third-Party Vendor Management and Oversight Globally the end-user spending on public cloud services is estimated to grow 20.4% in 2022 to a total of $494.7 billion, up from $410.9 billion in 2021.675 In terms of market concentration, as of Q1 2022, the three largest CSPs collectively have the market share of 65 percent global spending on cloud computing 676 and the eight largest CSPs have roughly 80 percent of the market.677 SCI entities employ cloud service providers. 
Some of the largest cloud service providers appear to be familiar with the Regulation SCI requirements with which SCI entities are obliged to comply.678 675 See Press Release, Gartner.com (Apr. 19, 2020), available at https://www.gartner.com/en/ newsroom/press-releases/2022-04-19-gartnerforecasts-worldwide-public-cloud-end-userspending-to-reach-nearly-500-billion-in-2022. 676 See Synergy Research Group, Huge Cloud Market Still Growing at 34% Per Year; Amazon, Microsoft & Google Now Account for 65% of the Total, PR Newswire (Apr. 28, 2022), available at https://www.prnewswire.com/news-releases/hugecloud-market-still-growing-at-34-per-year-amazonmicrosoft--google-now-account-for-65-of-the-total301535935.html (estimating as of Q1 2022 that the breakdown is: Amazon Web Services (AWS): 33%; Microsoft Azure: 22%; Google Cloud: 10%). 677 Id. 678 For example, see Microsoft Azure, Regulation Systems Compliance and Integrity (SCI) Cloud E:\FR\FM\14APP2.SGM 14APP2 Federal Register / Vol. 88, No. 72 / Friday, April 14, 2023 / Proposed Rules ddrumheller on DSK120RN23PROD with PROPOSALS2 Both new and existing SCI entities may have existing agreements with third-party providers that govern the obligations and expectations as between an SCI entity and a third-party provider it utilizes. These documents may not currently be consistent with the SCI entity’s requirements under the proposed amendments Regulation SCI. Some SCI entities may currently rely on a third-party provider’s standard contract or SLA, which may not been drafted with Regulation SCI’s requirements in mind. Similarly, some existing agreements between the SCI entity and a third-party provider may provide the third-party provider with the contractual right to be able to make decisions that would negatively impact an SCI entity’s obligations in the thirdparty provider’s ‘‘commercially reasonable discretion.’’ Likewise, existing agreements may include defined terms that differ from those under the proposed amendments. 
Regardless of their size, SCI entities typically enter into contracts with thirdparty providers to perform a specific function for a given time frame at a set price. At the conclusion of a contract, it may be renewed if both parties are satisfied. Because prices typically increase over time, there may be some need to negotiate a new fee for continued service. Negotiations also occur if additional services are requested from a given third-party provider. In the instance where additional services are required midcontract, for example, due to increased regulatory requirements, the third-party provider may be able to separately bill for the extra work that it must incur to provide the additional service, particularly if that party is in a highly concentrated market for that service and can wield market power. Alternatively, the service provider may be forced to absorb the additional cost until the contract can be renegotiated. This may be the case because that condition is specified in the contract with the SCI entity. Request for Comment 95. The Commission requests that commenters provide relevant data on the number of third-party providers available to SCI entities by their types of services they offer or by the types of Implementation Guide (2019), available at https:// azure.microsoft.com/mediahandler/files/ resourcefiles/microsoft-azure-regulation-systemscompliance-and-integrity-sci-cloudimplementation-guide/AzureRegSCIGuidance.pdf; or Google Cloud, U.S. Securities & Exchange Commission Regulation Systems Compliance & Integrity (Regulation SCI) (Dec. 2021), available at https://services.google.com/fh/files/misc/sec_ regulation_sci_gcp_whitepaper.pdf. VerDate Sep<11>2014 20:01 Apr 13, 2023 Jkt 259001 systems, such as critical SCI systems, SCI systems, and indirect SCI systems. 96. To what extent do third-party providers compete with each other for SCI entities? c. 
SCI Review With respect to business continuity and disaster recovery plan reviews, FINRA Rule 4370 requires a brokerdealer to conduct an annual review of its business continuity plan. FINRA has observed that some broker-dealers 679 engaged in annual testing to evaluate the effectiveness of their business continuity plans.680 With respect to broker-dealer reporting to their boards regarding cybersecurity policies and procedures and cybersecurity incidents, the board reporting frequency ranged from quarterly to ad-hoc among the firms FINRA reviewed.681 Approximately two-thirds of the brokerdealers (68%) examined in a 2015 survey had an individual explicitly assigned as the firm’s CISO which might suggest extensive executive leadership engagement. d. Current SCI Industry Standards As of 2015, the majority of brokerdealers reported utilizing one or more frameworks with respect to cybersecurity 682 either mapping directly to the standard or using it as reference point. Some of the standards such as COBIT may have broad application to various areas of IT but it is unclear to what extent broker-dealers utilize such standards beyond cybersecurity. Also, each of the two exempt clearing agencies (Euroclear Bank SA/NV, and Clearstream Banking, S.A.) publish disclosure framework reports,683 that 679 FINRA did not disclose the number or identity of the firms but it is likely that larger firms have more robust systems and practices given their greater resources. 680 See FINRA, 2019 Report on Examination Findings and Observations: Business Continuity Plans (BCPs), supra note 600. 681 See Report on Cybersecurity Practices, supra note 621. At a number of firms, the board received annual cybersecurity-related reporting while other firms report on a quarterly basis. A number of firms also provide ad hoc reporting to the board in the event of major cybersecurity events. 682 See supra note 622. 
Among the firms that were part of the FINRA sweep, nearly 90% used one or more of the NIST, ISO or ISACA frameworks or standards. More specifically, 65% of the respondents reported that they use the ISO 27001/ 27002 standard while 25% use COBIT. Some firms use combinations of these standards for various parts of their cybersecurity programs. The COBIT standard, for example, is focused more on information technology governance than cybersecurity per se. In addition, several firms underscored the utility of the PCI Standard as well as the SANS Top 20. 683 Clearstream, Principles for financial market infrastructures: Disclosure Framework (Dec. 23, PO 00000 Frm 00091 Fmt 4701 Sfmt 4702 23235 purport to describe the policies and procedures relating to the 24 principles and five responsibilities set forth in the Principles for Financial Market Infrastructures (PFMI) published by CPSS and IOSCO.684 The PFMI establishes new international standards for financial market infrastructures (FMIs) including payment systems that are systemically important, central securities depositories, securities settlement systems, central counterparties and trade repositories and prescribes the form and content of the disclosures expected of financial market infrastructures. Most relevant, principle 17 on operational risk offers guidelines on policies and procedures to identify, monitor, and manage operational risks, vulnerabilities, and threats; capacity planning; stress testing; systems development and testing methodology; business continuity and disaster recovery planning and testing; vendor risk management; and board supervision of risk management, etc. e. 
Penetration Testing Current SCI entities are required to conduct penetration testing as part of its SCI review 685 once every three years.686 Among the new SCI entities, two SBSDRs that are currently registered as SDRs are subject to CFTC’s rules, which require conducting penetration testing of the systems with the scope of those rules at least once every year. 4. Other Affected Parties In addition to new and existing SCI entities, the proposed amendments may indirectly affect other parties, namely third-party service providers to which SCI systems functionality is outsourced. As discussed in depth above, an SCI entity may decide to outsource certain functionality to, or utilize the support or services of, a third-party provider (which would include both affiliated providers as well as vendors unaffiliated with the SCI entity) for a variety of reasons, including cost efficiencies, 2020), available at https://www.clearstream.com/ resource/blob/1386778/3458c1c468e5f40ddf5d c970e8da4af2/cpmi-iosco-data.pdf; Euroclear Bank, Disclosure Framework CPMI IOSCO 2020 (June 2020), available at https://www.euroclear.com/ content/dam/euroclear/About/business/PA005Euroclear-Bank-Disclosure-Framework-Report.pdf. 684 Bank for International Settlements (BIS), Principles for Financial Market Infrastructures: Disclosure Framework and Assessment Methodology (Dec. 2012), available at https:// www.bis.org/cpmi/publ/d106.pdf. 685 Specifically, paragraph (b)(1) of Rule 1003 currently requires that ‘‘[p]enetration test reviews of the network, firewalls, and production systems shall be conducted at a frequency of not less than once every three years. . .’’. Rule 1003(b)(1). 686 See SCI Adopting Release, supra note 1, at 72344. E:\FR\FM\14APP2.SGM 14APP2 23236 Federal Register / Vol. 88, No. 72 / Friday, April 14, 2023 / Proposed Rules C. 
Analysis of Benefits and Costs of Proposed Amendments The proposed amendments both expand the scope of Regulation SCI to reach new entities and also strengthen existing requirements in Regulation SCI that would apply to both old and new entities. This section explores the benefits and costs of these changes. First, we discuss the general benefits and costs of the proposed amendments to Regulation SCI. Next, we discuss the expansion of Regulation SCI to certain new SCI entities and the rationale for it. Finally, we analyze the specific benefits and costs of applying each provision of amended Regulation SCI to each of the proposed new SCI entities and current SCI entities.689 The Commission encourages commenters to identify, discuss, analyze, and supply relevant data, information, or statistics regarding the benefits and costs. The Commission is providing both a qualitative assessment and quantified estimates, including ranges, of the potential economic effects of the proposal where feasible. The overall magnitude of the economic effects will depend, in part, on the extent to which the new and current SCI entities already have in place practices that are aligned with the requirements of Regulation SCI, including the proposed amendments. New SCI entities’ costs of implementing Regulation SCI could also differ with the number and size of their systems affected. In many cases it is difficult to quantify the economic effects, particularly those beyond the costs estimated in the Paperwork Reduction Act analysis. As explained in more detail below, the Commission in certain cases does not have, and does not believe it can reasonably obtain, data or information necessary to quantify certain effects. For instance, the Commission finds it impracticable to quantify many of the benefits associated with amended Regulation SCI. 
Indeed, we lack information that would allow us to predict the reduction in frequency and severity of SCI events or the specific cost savings that might arise from avoiding the harm Regulation SCI is designed to prevent. Further, even in cases where the Commission has some data, quantification is not practicable due to the number and type of assumptions necessary to quantify certain economic effects, which render any such quantification unreliable. The Commission requests that commenters provide relevant data and information to assist the Commission in quantifying 687 It has long been recognized that the financial services industry is increasingly relying on service providers through various forms of outsourcing. See, e.g., Bank for International Settlements, Outsourcing in Financial Services (Feb. 15, 2005), available at https://www.bis.org/publ/joint12.htm. Recent estimates suggest that the aggregate contract value of outsourcing in the financial services industry is on the order of $10 to $20 billion. See, e.g., Business Wire, Insights on the Finance and Accounting Outsourcing Global Market to 2026 (Jan. 14, 2022), available at https:// www.businesswire.com/news/home/ 20220114005440/en/Insights-on-the-Finance-andAccounting-Outsourcing-Global-Market-to-2026--Featuring-Accenture-Capgemini-and-GenpactAmong-Others---ResearchAndMarkets.com. 688 Although certain regulatory filings may shed a limited light on the use of third-party service providers, we are unaware of any data sources that provide detail on the overall picture for each of the new and existing SCI entities. 689 For purposes of measuring the benefits and costs of the proposed rule on both existing and new SCI entities, this analysis assumes that market participants are compliant with existing applicable Commission, FINRA, CFTC, and other applicable rules, including those requiring registration and the rules and regulations applicable to such registered entities. 
To the extent that some entities engaged in activities including crypto asset securities are not, but should be, FINRA or Commission registered entities, they may incur additional costs to comply with existing registration obligations that are distinct from the costs associated with the proposed rule amendments and are not discussed in this analysis. Similarly, any benefits from coming into compliance with existing registration obligations are also not discussed in this analysis. For such entities, we expect the benefits and costs specifically associated with the proposed rule amendments to be same as those described below for existing and new SCI entities that are currently registered. ddrumheller on DSK120RN23PROD with PROPOSALS2 increased automation, particular expertise, or functionality that the SCI entity does not have in-house. Based on Commission staff experience, the Commission believes that these thirdparty providers, play a growing role with respect to SCI systems and indirect SCI systems, and the Commission anticipates that third-party providers will likely arise to provide other types of functionality, service, or support to SCI entities that are not contemplated yet today.687 Due to data limitations, we are unable to quantify or characterize in much detail the structure of these various service provider markets.688 The Commission lacks specific information on the exact extent to which third-party service providers are retained, the specific services they provide, and the costs for those services beyond the estimates discussed above for cloud service providers. We also do not have information about the market for these services, including the competitiveness of such markets. We request information from commenters on the services related to SCI systems and indirect systems provided by third parties to new and existing SCI entities, the costs for those services, and the nature of the market for these services. 
the economic consequences of proposed amendments to Regulation SCI.

1. General Benefits and Costs of Proposed Amendments

Regulation SCI promotes the capacity, integrity, resiliency, availability, and security of SCI systems, as well as transparency about systems problems when they do occur, and thereby promotes investors’ confidence in market transactions. SCI events can today have broad impacts because of the growth of electronic trading, which allows increased volumes of securities transactions in a broader range of asset classes, at increasing speed, by a variety of trading platforms;[690] changes in the way SCI entities employ technology, including the increasing importance of third-party service providers to ensure reliable, resilient, and secure systems;[691] a significant increase in cybersecurity events across all types of companies, including SCI entities;[692] and an evolution of the threat environment.[693] A joint report from the World Economic Forum and Deloitte states that ‘‘new interconnections and collective dependencies on certain critical providers significantly contribute to the number of vulnerable nodes that could threaten and exploit the financial system’s essential functions.’’[694] Expanding Regulation SCI to new SCI entities will help to ensure that the core technology systems of these newly designated SCI entities are robust, resilient, and secure—especially for those entities that have not already adopted comparable measures on their own—and would also help to improve Commission oversight of the core technology of key entities in the U.S. securities markets.[695]

The Commission is also proposing amendments to update Regulation SCI in order to strengthen its requirements. These amendments would benefit markets and market participants by reducing the likelihood, severity, and duration of market disruptions arising from systems issues, among both current and new SCI entities, whether such events may originate from natural disasters, third-party provider service outages, cybersecurity events, hardware or software malfunctions, or any other sources.[696] Decreasing the number of trading interruptions can improve price discovery and liquidity because such interruptions interfere with the process through which relevant information gets incorporated into security prices and may thereby temporarily disrupt liquidity flows.[697] Trading interruptions in one security can also affect securities trading in other markets. For example, an interruption in the market for index options and other securities that underlie derivatives securities could harm the price discovery process for derivatives securities, and liquidity flows between the stock market and derivatives markets could be restricted. For this reason, market-based incentives alone are unlikely to result in optimal provision of SCI-related services. In this context, having plans and procedures in place to prepare for and respond to system issues is beneficial,[698] and the proposed amendments to Regulation SCI would help ensure that the infrastructure of the U.S. securities markets remains robust, resilient, and secure. A well-functioning financial system is a public good.

The Commission recognizes that the proposed amendments to Regulation SCI would impose costs on SCI entities, as well as costs on certain members, participants, customers (in the case of SCI broker-dealers), or third-party providers of SCI entities. The majority of these costs would be direct compliance costs, which are discussed in detail below for each requirement of proposed Regulation SCI. For current SCI entities, these costs would relate to the areas of Regulation SCI that are being amended.

[690] See section I and supra note 3.

[691] See sections III.B, III.B.2.a.

[692] See section III.B.3.

[693] See id.

[694] See World Economic Forum, Beneath the Surface: Technology-Driven Systemic Risks and the Continued Need for Innovation (Oct. 28, 2021) at 14, available at https://www.weforum.org/reports/beneath-the-surface-technology-driven-systemic-risks-and-the-continued-need-for-innovation/; see also Henning Soller, et al., Innovative Technologies in Financial Institutions: Risk as a Strategic Issue, McKinsey Digital (Sep. 25, 2020), available at https://www.mckinsey.com/business-functions/mckinsey-digital/our-insights/tech-forward/innovative-technologies-in-financial-institutions-risk-as-a-strategic-issue.

[695] For example, some expert views suggest that current SCI entities’ compliance with Regulation SCI likely prepared those entities to be more resilient and more prepared to face times of increased volatility—beyond what their prudent business practices may have allowed. For example, one industry publication notes that even as financial firms ‘‘updated their [business continuity planning] after the Sept. 11, 2001, terrorist attacks and superstorm Hurricane Sandy in 2012, when these events exposed cracks in Wall Street’s contingency plans,’’ they were still ‘‘more prepared during COVID–19 thanks to Regulation SCI for Systems, Compliance and Integrity.’’ See, e.g., Is Remote Trading Leading to a Paradigm Shift on the Trading Desk?, supra note 2. Similarly, a senior executive at FINRA stated in an interview that he found most surprising the resiliency of the market during COVID–19 and said ‘‘a lot of credit goes to the SEC for [the market’s resiliency] with respect to adopting [Regulation SCI].’’ FINRA, Podcast: Market Structure & COVID–19: Handling Increased Volatility and Volumes, at 24:38–25:08 (Apr. 28, 2020), available at https://www.finra.org/media-center/finra-unscripted/market-structure-covid19-coronavirus (featuring an interview with FINRA’s then-Executive VP of Market Regulation and Transparency Services, Tom Gira).

[696] For example, the Ponemon Institute’s 2016 Cost of Data Center Outages report estimates the average cost per minute of an unplanned outage was $8,851 for the average data center the Institute surveyed in 2016. See Ponemon Institute, 2016 Cost of Data Center Outages 14 (Jan. 19, 2016), available at https://www.vertiv.com/globalassets/documents/reports/2016-cost-of-data-center-outages-11-11_51190_1.pdf. Also, although it is difficult to estimate the total cost of a cyberattack at an SCI entity, a potential effect of a cyberattack involving an SCI entity is a data breach. According to IBM’s 2022 Cost of a Data Breach report, the average cost of a data breach in the United States is $9.44 million, and the report added that ‘‘[f]or 83% of companies, it’s not if a data breach will happen, but when. Usually more than once.’’ See IBM, 2022 Cost of a Data Breach, available at https://www.ibm.com/reports/data-breach#:~:text=Average%20cost%20of%20a%20data,million%20in%20the%202020%20report. Relatedly, another study reports that in 2020 the average loss in the financial services industry was $18.3 million per company per incident. The average cost of a financial services data breach was $5.85 million. See Jennifer Rose Hale, The Soaring Risks of Financial Services Cybercrime: By the Numbers, Diligent (Apr. 9, 2021), available at https://www.diligent.com/insights/financial-services/cybersecurity/#.

[697] See Osipovich, Alexander, NYSE Glitch Causes Erroneous Prices in Hundreds of Stocks, Wall St. J. (online edition) (Jan. 24, 2023), available at https://www.wsj.com/articles/dozens-of-nyse-stocks-halted-in-opening-minutes-after-wild-price-swings-11674585962 (retrieved from Factiva database).
For new SCI entities, the costs would relate to complying with the entirety of Regulation SCI, including the proposed amendments. For current SCI entities, these costs may be mitigated to the extent the SCI entity’s current business practices are already consistent with the proposed requirements, and if, as a result of compliance, the SCI entity avoids the costs associated with a systems failure or breach. Likewise, for new SCI entities, these costs may be mitigated to the extent the SCI entity’s current business practices are already consistent with the requirements of Regulation SCI, including the proposed amendments, and if, as a result of compliance, the SCI entity avoids the costs associated with a systems failure or breach. Some portion of compliance costs could be economic transfers. This may be the case if compliance with a particular provision entails making use of certain third-party providers, and the market for third-party provider services is not itself competitive.[699] In such a case, third-party providers would make economic profits from the services they offer and the fees they charge, and some of the service fees charged would be economic transfers from SCI entities to third-party providers.

The proposed amendments could have other potential costs. For example, entities covered by the proposed rule frequently would need to make systems changes to comply with new and amended rules and regulations under Federal securities laws and SRO rules. For entities that meet the definition of SCI entity, because they would need to comply with the proposed amendments when they make systems changes, the proposed amendments could increase the costs and time needed to make systems changes to comply with new and amended rules and regulations. The Commission requests comment on the nature of such additional costs and time.

Request for Comment

The Commission requests comment on all aspects of the Overall Benefits and Costs of Proposed Amendments discussion. In addition, the Commission is requesting comment on the following specific aspects of the discussion:

97. For new SCI entities, what activities do you currently perform (either because you are required to or you have chosen to voluntarily) that are already consistent with the requirements of Regulation SCI?

98. For new SCI entities and current SCI entities, can compliance with Regulation SCI result in the benefits the Commission describes in the analysis?

99. Are commenters aware of any data that can be used to quantify any aspects of benefits?

100. The Commission seeks commenters’ views regarding the prospective costs, as well as the potential benefits, of applying Regulation SCI to SBSDRs.

[698] For example, according to the IBM Report, in the context of system issues arising from cybersecurity events, having an incident response plan and ‘‘testing that plan regularly can help [each firm] proactively identify weaknesses in [its] cybersecurity and shore up [its] defenses’’ and ‘‘save millions in data breach costs.’’ See 2022 Cost of a Data Breach, supra note 696. See also Alex Asen et al., Are You Spending Enough on Cybersecurity (Feb. 19, 2020), available at https://www.bcg.com/publications/2019/are-you-spending-enough-cybersecurity (noting ‘‘[a]s the world becomes ever more reliant on technology, and as cybercriminals refine and intensify their attacks, organizations will need to spend more on cybersecurity’’).
Are there characteristics specific to SBSDRs or the SBS market that would make applying Regulation SCI broadly, or any specific provision or proposed new provision of Regulation SCI, challenging for SBSDRs? How much time would an SBSDR reasonably need to come into compliance with Regulation SCI as proposed? Commenters should quantify the costs of applying Regulation SCI to SBSDRs, to the extent possible. Commenters are urged to address specifically each requirement of Regulation SCI and note whether it would be reasonable to apply each such requirement to SBSDRs and what the benefits and costs of such application would be.

101. For current SCI entities, what activities do you currently perform that are already consistent with the proposed amendments that seek to strengthen the obligations of SCI entities?

102. Are the Commission’s estimates of incremental compliance costs owing to these proposed amendments reasonable? Please note that the Commission does not purport to estimate the total costs of all activities SCI entities will perform in promoting the capacity, integrity, resiliency, availability, and security of their automated systems. The Commission’s estimates pertain only to the increase in costs that will arise directly as a result of having to comply with the specific provisions of the proposed rules to the extent the covered entity has not already been performing such activities on its own or pursuant to other relevant rules or regulations.

103. What activities do you currently perform that go beyond the proposed amendments to Regulation SCI?

104. For current SCI entities, will compliance with the proposed amendments to Regulation SCI result in performing activities that go significantly above and beyond their current approach to promoting the capacity, integrity, resiliency, availability, and security of their automated systems? In other words, will these new rules require a significant rearranging of their resources beyond what they are already complying with voluntarily?

105. What are the costs of Regulation SCI? Are commenters aware of any data that can be used to quantify any aspects of costs?

2. Expansion to New SCI Entities

The Commission proposes to expand the definition of SCI entity to encompass SBSDRs, certain broker-dealers, and additional clearing agencies exempted from registration. These entities are key market participants that play a significant role in the U.S. securities markets and, in the event of a systems issue, they have the potential to impact investors, the overall market, or the trading of individual securities. Under the proposed amendments, the new SCI entities would become subject to all provisions of Regulation SCI, including the provisions that the Commission proposes to amend for SCI entities, as discussed in section III.C of this release. We discuss in this section the entities to which Regulation SCI would be extended, including the rationale for doing so. The benefits and costs associated with applying each of the Regulation SCI requirements to these entities are subsequently discussed in section V.D.3.

[699] See, e.g., Yoon-Ho Alex Lee, SEC Rules, Stakeholder Interests, and Cost-Benefit Analysis, 10 Mkts L.J. 311 (2015), available at https://papers.ssrn.com/sol3/papers.cfm?abstract_id=2541805 (retrieved from SSRN Elsevier database); Yoon-Ho Alex Lee, The Efficiency Criterion of Securities Regulation: Investor Welfare or Total Surplus?, 57 Ariz. L. Rev. 85 (2015), available at https://papers.ssrn.com/sol3/papers.cfm?abstract_id=2406032 (retrieved from SSRN Elsevier database).
The Commission preliminarily estimates that as a result of the proposed amendments to the definition of ‘‘SCI entity’’ in Rule 1000, there would be a total of 21 new SCI entities that would become subject to the requirements of Regulation SCI. These include 2 SBSDRs, 17 SCI broker-dealers, and 2 exempt clearing agencies.[700] Generally, inclusion of these new SCI entities in the amended definition is expected to help ensure systems resiliency at such entities and reduce the potential for incidents at these entities to have broad, disruptive effects across the securities markets and for investors. Furthermore, applying Regulation SCI to these entities increases market protections by establishing these obligations under the Exchange Act so that the Commission may enforce them directly and examine for compliance, and provides a uniform requirement for all SCI entities.

a. SBSDRs

Currently, two SBSDRs are registered with the Commission and are subject to Rule 13n–6. The SBSDRs registered with the Commission are also registered with the CFTC as swap data repositories (SDRs) and accordingly, with respect to systems of concern to the CFTC, are subject to CFTC rules and regulations related to swap data repositories, including the CFTC’s System Safeguards rule. Systems failures at SBSDRs can limit access to data, call into question the integrity of data, and prevent market participants from being able to report and receive transaction data, and thereby have a large impact on market confidence, risk exposure, and market efficiency. For example, were an SBSDR to experience a systems issue, market participants could be prevented from receiving timely information regarding accurate prices for individual SBSs—such as aggregate market exposures to referenced entities (instruments), positions taken by individual entities or groups, and data elements necessary for a person to determine the market value of the transaction.[701] This could contribute to market instability. Having SBSDRs comply with Regulation SCI would reduce the risk of system issues at SBSDRs and allow continued transparency and access to data. As noted above in the baseline, SBSDRs are currently subject to Rule 13n–6, which requires an SBSDR to ‘‘establish, maintain, and enforce written policies and procedures reasonably designed to ensure that its systems provide adequate levels of capacity, integrity, resiliency, availability, and security.’’ However, as described in detail below, the requirements of Regulation SCI that go beyond those required in Rule 13n–6—such as policies and procedures that include specific elements for infrastructure planning, up-to-date system development and testing methodology, regular systems reviews and testing, BC/DR planning, monitoring for SCI events, and standards to facilitate successful collection, processing, and dissemination of market data—should deliver benefits beyond those currently achieved through Rule 13n–6.

[700] The Commission is estimating 23 new SCI entities in the PRA section based on the PRA’s forward-looking requirement to account for persons to whom a collection of information is addressed by the agency within any 12-month period. But for purposes of the Economic Analysis, this section analyzes the baseline of existing entities that will be new SCI entities and then predicts the cost to those entities if the rule were to be adopted. Accordingly, the Economic Analysis assumes 21, rather than 23, new SCI entities.
The coverage of SBSDRs under the proposed amendments to Regulation SCI would augment the current principles-based requirements for policies and procedures on operational risk with detailed, more specific requirements to help ensure that SBSDR market systems are robust, resilient, and secure and that policies and procedures in place at SBSDRs meet requirements necessary to maintain the robustness of critical systems.

b. SCI Broker-Dealers

The Commission proposes to include certain broker-dealers—to be referred to as ‘‘SCI broker-dealers’’—in the definition of SCI entity. This expansion would be limited to broker-dealers that exceed one or more size thresholds. The first proposed threshold is a total assets test. This test scopes within Regulation SCI any broker-dealers with five percent (5%) or more of the total assets[702] of all security brokers and dealers during at least two of the four preceding calendar quarters ending March 31, June 30, September 30, and December 31. The second proposed threshold is a transaction activity test. This test scopes within Regulation SCI any broker-dealer that transacted ten percent (10%) or more of the total average daily dollar volume by applicable reporting entities during at least four of the preceding six calendar months in any of the following asset classes: NMS stocks, exchange-listed options contracts, Agency Securities, or U.S. Treasury Securities.

[701] See Access to Data Obtained by Security-Based Swap Data Repositories, Securities Exchange Act Release No. 78716 (Aug. 29, 2016), 81 FR 60585, 60594, 60605–6 (Sep. 2, 2016). In that release, the Commission estimates that approximately 300 relevant authorities may make requests for data from security-based swap data repositories.
The Commission proposes to limit the definition of ‘‘SCI systems’’ for an SCI broker-dealer that qualifies as an SCI entity because it satisfies only one or more transaction activity thresholds.[703] Specifically, only those systems that relate to the asset class for which the trading activity threshold is met (i.e., NMS stocks, exchange-listed options contracts, Treasury Securities, or Agency Securities) would be ‘‘SCI systems’’ or ‘‘indirect SCI systems.’’[704] Broker-dealers may have multiple business lines and transact in different types of securities, and the proposal reflects the Commission’s preliminary conclusion that systems related to asset classes that do not meet the rule’s transaction activity threshold are unlikely to pose risk to the maintenance of fair and orderly markets if the systems with respect to that type of security were unavailable (assuming the systems for the distinct asset class are separate) relative to the burden of complying with the regulation’s more stringent requirements. In contrast, no such limitation applies to an SCI broker-dealer that qualifies as an SCI entity because it satisfies the total assets threshold. In this case, broker-dealers that qualify as SCI entities due to the total assets threshold are subject to Regulation SCI requirements for all of their applicable systems, regardless of the asset classes such systems relate to.[705] As discussed in section III.A.2.b.iii, this approach with respect to the total assets threshold takes into consideration the multiple roles that the largest broker-dealers play in the U.S. securities markets. Not only do some of the largest broker-dealers generate liquidity in multiple types of securities, but many also operate multiple types of trading platforms. Entities with assets at this level also take risks that they may seek to hedge across asset classes, in some cases using ‘‘central risk books’’ for that and other purposes, and engage in routing substantial order flow to other trading venues. For these reasons, the Commission believes that systems issues at firms having assets at this level could have the potential to impact investors, the overall market, and the trading of individual securities, following a systems failure in any market in which they operate.

The Commission estimates that there would be 17 SCI broker-dealers, five of which would satisfy both the total assets threshold and at least one of the transaction activity thresholds, and twelve others of which would satisfy at least one of the transaction activity thresholds.[706] As discussed in section V.B.1.b.i, figure 6 (Panel A) shows the distribution of all registered broker-dealer firms between Q4 2021 and Q3 2022 by level of total assets. Figure 6 (Panel B) represents the distribution of all registered broker-dealer firms by percentage of aggregate total assets.[707] It shows that five firms accounted for roughly half of broker-dealer aggregate total assets and thus each could pose a substantial risk to the maintenance of fair and orderly markets in the event of a systems issue. During all four quarters from Q4 2021 to Q3 2022, all five firms reported to the Commission, on Form X–17A–5 (§ 249.617), total assets in an amount that equals five percent (5%) or more of the total assets of all security brokers and dealers.[708] Figures 7 through 10 represent the distribution by level of transaction activity as measured by average daily dollar volume[709] (Panel A) and the distribution of firms by percentage of transaction activity[710] (Panel B) for each of four asset classes, including NMS stocks, exchange-listed options, U.S. Treasury Securities, and Agency Securities respectively.[711] These figures clearly show that a few firms consistently accounted for a significant percentage of transaction activity over the six-month period and thus each could pose a substantial risk to the maintenance of fair and orderly markets in the event of a systems issue. During at least four months of the six-month period, six NMS stocks trading firms, six exchange-listed options contracts trading firms, four U.S. Treasury Securities trading firms, and six Agency Securities trading firms transacted average daily dollar volume in an amount that equals ten percent (10%) or more of the total average daily dollar volume of the corresponding markets.

[702] See supra note 169.

[703] See section III.A.2.b(iv).

[704] See section III.A.2.b(iv). As explained above in section III.A.2.b.v, although crypto asset securities are not a separately enumerated asset class for the volume threshold, the SCI systems and indirect SCI systems pertaining to crypto asset securities that are NMS stocks, exchange-listed options, U.S. Treasury Securities, or Agency securities would be subject to Regulation SCI, including as it is proposed to be amended, as discussed in section III.C, with respect to the asset class for which the SCI broker-dealer satisfies the threshold.

[705] As explained above, any system of an SCI broker-dealer meeting the total asset threshold that pertains to any type of security, including crypto asset securities, that meets the definition of SCI systems or indirect SCI systems would be covered by Regulation SCI.

[706] See section III.A.2.b(iv).

[707] Panel A and Panel B in figure 6 show the same information as in figure 1 in section V.B.1.b.i, but with 5% threshold lines added. The threshold line in Panel A shows the average of 5% of aggregate total assets in each quarter from Q4 2021 to Q3 2022.

[708] Each of these firms would satisfy the proposed total assets thresholds for an ‘‘SCI broker-dealer’’. See section III.A.2.b.iii (discussing proposed thresholds for an ‘‘SCI broker-dealer’’).

[709] These measures are described in more detail in section III.A.2.b.iii.
Most of these firms transacted more than ten percent (10%) during all six months.[712] These large broker-dealers, by virtue of the total assets or transaction activity each represents over a period of time, play a significant role in the orderly functioning of U.S. securities markets. If such a broker-dealer was adversely affected by a system issue, then the impact could not only affect the broker-dealer’s own customers, but also disrupt the overall market, by compromising or removing significant liquidity from the market, interrupting the price discovery process, or indirectly contributing to capacity issues at other broker-dealers.[713] Application of Regulation SCI is expected to reduce the likelihood of system issues at these largest broker-dealers as well as mitigate the effects of any such event. While it is possible that these broker-dealers may have systems in place due to market-based incentives, there are reasons to believe that these incentives may be insufficient. First, as mentioned in section V.C.1, a well-functioning financial system is a public good.[714] Second, investment in SCI systems takes the form of a hidden-action problem. As such, due to principal-agent conflict, it may not be possible for customers or counterparties to observe the degree of investment in SCI systems and thus to provide market-based discipline from underinvestment. In this case, a broker-dealer’s investment in SCI systems would offer benefits to customers and counterparties who might incur switching costs to find a different broker if a substantial systems issue occurred. These benefits are likely to be especially high for market participants who rely on a single counterparty (such as is sometimes the case in Treasury securities and prime brokerage relationships), and for retail investors who have invested in the relationship with a single retail broker.

[Figures 6 through 10 appear here in the original: figure 6 shows the distribution of registered broker-dealer firms by total assets (Panel A) and by percentage of aggregate total assets (Panel B); figures 7 through 10 show the distribution by average daily dollar volume (Panel A) and by percentage of transaction activity (Panel B) for NMS stocks, exchange-listed options, U.S. Treasury Securities, and Agency Securities. Graphics omitted.]

[710] Id.

[711] Panel A and Panel B in figures 7 through 10 show the same information as in figures 2 through 5 in section V.B.1.b.i, but with 10% threshold lines added. The threshold line in each Panel A shows the average of 10% of aggregate average daily dollar volume reported to the plan processors (SIPs) of the CTA/CQ Plans and Nasdaq UTP Plan, OPRA Plan, or FINRA TRACE in each respective asset class from Jan. 2022 to June 2022. The threshold line in each Panel B equals 10%.

[712] Each of these firms would satisfy the proposed transaction activity thresholds for an ‘‘SCI broker-dealer’’. See section III.A.2.b.iii (discussing proposed thresholds for an ‘‘SCI broker-dealer’’).

[713] See section III.A.2.b(iv).

[714] Since broker-dealers are not compensated for the positive impact that their systems investments have on other entities, they lack sufficient incentives to invest on others’ behalf. See, for instance, Mazaher Kianpour et al., Advancing the concept of cybersecurity as a public good, 116 Simulation Modeling Practice and Theory 102493 (2022).
c. Additional Exempt Clearing Agencies

The proposed amendments would expand the scope of exempt clearing agencies covered by Regulation SCI to include two new exempt clearing agencies: Euroclear Bank SA/NV and Clearstream Banking, S.A. These exempt clearing agencies are not currently subject to Regulation SCI because Regulation SCI was initially limited to those exempt clearing agencies that were ‘‘subject to ARP’’ and these exempt clearing agencies are not subject to ARP. At the time it adopted Regulation SCI, the Commission stated it was taking a measured approach in applying requirements primarily to entities already covered under the ARP Inspection Program.[715] The exempt clearing agencies not subject to ARP that the Commission proposes to scope into Regulation SCI provide CSD functions for transactions in U.S. securities between U.S. and non-U.S. persons using similar technologies as registered clearing agencies that are subject to Regulation SCI.[716] The technology systems that underpin operations of these exempt clearing agencies are critical systems that centralize and automate clearance and settlement functions for the global financial markets.[717] Such systems concentrate risk in the clearing agency.[718] A disruption to a clearing agency’s operations, or failure on the part of a clearing agency to meet its obligations, could therefore serve as a source of contagion, resulting in significant costs not only to the clearing agency itself and its participants but also to other market participants across the U.S. financial system.[719] For example, an SCI event could cause a delay or disruption in the settlement process with respect to certain securities, leading to a decrease in liquidity. Trading firms could be unwilling or unable to enter into new positions should prior trades suffer settlement timing delays requiring posting of additional margin at clearing agencies and the assumption of additional risk by trading firms. Notably, Euroclear Bank SA/NV and Clearstream Banking, S.A. are already subject to Europe’s CSDR, which has Operational Risk rules (Article 45) that include many requirements that may align with those in Regulation SCI.[720] Additionally, the Commission exemptive order for one of the exempt clearing agencies requires certain provisions that are consistent with those in Regulation SCI.

3. Specific Benefits and Costs of Regulation SCI Requirements for All SCI Entities

a. Rule 1001—Policies and Procedures

Rule 1001(a) through (c) sets forth requirements relating to the written policies and procedures that SCI entities are required to establish, maintain, and enforce. New SCI entities will need to comply with these requirements for the first time. In addition, the Commission is proposing to amend portions of Rule 1001(a), which will affect existing SCI entities as well. We discuss the benefits and costs of applying existing provisions to new SCI entities, as well as the benefits and costs of the amendments for both new and existing entities, below. We also discuss below the economic effects of these changes specific to the new SCI entities.

i. Benefits

[715] SCI Adopting Release, supra note 1, at 72259.

[716] See section III.A.2.c.

[717] See section III.A.2.c.

[718] See generally Albert J. Menkveld & Guillaume Vuillemey, The Economics of Central Clearing, 13 Ann. Rev. Fin. Econ. 153 (2021), available at https://papers.ssrn.com/sol3/papers.cfm?abstract_id=3957021 (retrieved from SSRN Elsevier database). See also Paolo Saguato, Financial Regulation, Corporate Governance, and the Hidden Costs of Clearinghouses, 82 Ohio St. L.J. 1071, 1074–75 (2022), available at https://papers.ssrn.com/sol3/papers.cfm?abstract_id=3269060 (retrieved from SSRN Elsevier database) (‘‘[T]he decision to centralize risk in clearinghouses made them critical for the stability of the financial system, to the point that they are considered not only too-big-to-fail, but also too-important-to-fail institutions.’’).

[719] See generally Dietrich Domanski, et al., Central Clearing: Trends and Current Issues, BIS Q. Rev. (Dec. 2015), available at https://www.bis.org/publ/qtrpdf/r_qt1512g.pdf (describing links between CCP financial risk management and systemic risk); Darrell Duffie, et al., Policy Perspectives on OTC Derivatives Market Infrastructure, Fed. Res. Bank N.Y. Staff Rep. No. 424, at 9 (Mar. 2010), available at https://ssrn.com/abstract=1534729 (retrieved from SSRN Elsevier database) (‘‘If a CCP is successful in clearing a large quantity of derivatives trades, the CCP is itself a systemically important financial institution. The failure of a CCP could suddenly expose many major market participants to losses. Any such failure, moreover, is likely to have been triggered by the failure of one or more large clearing agency participants, and therefore to occur during a period of extreme market fragility.’’); Craig Pirrong, The Inefficiency of Clearing Mandates, Policy Analysis No. 655, at 11–14, 16–17, 24–26 (July 2010), available at https://www.cato.org/pubs/pas/PA665.pdf (stating, among other things, that ‘‘CCPs are concentrated points of potential failure that can create their own systemic risks,’’ that ‘‘[a]t most, creation of CCPs changes the topology of the network of connections among firms, but it does not eliminate these connections,’’ that clearing may lead speculators and hedgers to take larger positions, that a CCP’s failure to effectively price counterparty risks may lead to moral hazard and adverse selection problems, that the main effect of clearing would be to ‘‘redistribute losses consequent to a bankruptcy or run,’’ and that clearing entities have failed or come under stress in the past, including in connection with the 1987 market break); Glenn Hubbard et al., Report of the Task Force on Financial Stability 96, Brookings Inst. (June 2021), available at https://www.brookings.edu/wp-content/uploads/2021/06/financial-stability_report.pdf (‘‘In short, the systemic consequences from a failure of a major CCP, or worse, multiple CCPs, would be severe. Pervasive reforms of derivatives markets following 2008 are, in effect, unfinished business; the systemic risk of CCPs has been exacerbated and left unaddressed.’’); Froukelien Wendt, Central Counterparties: Addressing their Too Important to Fail Nature (IMF Working Paper No. 15/21, Jan. 2015), available at https://www.imf.org/external/pubs/ft/wp/2015/wp1521.pdf (assessing the potential channels for contagion arising from CCP interconnectedness); Manmohan Singh, Making OTC Derivatives Safe—A Fresh Look (IMF Working Paper No. 11/66, Mar. 2011), at 5–11, available at https://www.imf.org/external/pubs/ft/wp/2011/wp1166.pdf (retrieved from SSRN Elsevier database) (addressing factors that could lead central counterparties to be ‘‘risk nodes’’ that may threaten systemic disruption).
Footnote 720: The two exempt clearing agencies may also be subject to the EU Regulation, the Digital Operational Resilience Act (DORA), which went into effect in 2015: https://eur-lex.europa.eu/legal-content/EN/TXT/?uri=CELEX%3A52020PC0595.
(1) Provisions Applicable Only to New SCI Entities
Rule 1001 requires certain policies and procedures for SCI entities. We consider here the provisions under Rule 1001 that we are not amending and therefore will only have an impact on new SCI entities, relative to the baseline. We separately consider the provisions that we propose to amend in the following section, for both new and existing SCI entities.
(i) Capacity, Integrity, Resiliency, Availability, and Security (Rule 1001(a)(1), (a)(2)(i) Through (iv), (vi), and (vii))
Rule 1001(a)(1) requires that each SCI entity establish, maintain, and enforce written policies and procedures reasonably designed to ensure that its SCI systems and, for purposes of security standards, indirect SCI systems, have levels of capacity, integrity, resiliency, availability, and security, adequate to maintain the SCI entity’s operational capability and promote the maintenance of fair and orderly markets. Rule 1001(a)(2)(i) through (iv), (vi), and (vii) prescribe certain minimum requirements for an SCI entity’s policies and procedures. The Commission is not amending paragraphs (a)(1) and (a)(2)(i) through (iv), (vi), or (vii), and therefore current SCI entities will not be affected whereas new SCI entities will become subject to these provisions for the first time. Generally, the requirements to establish policies and procedures in Rule 1001(a)(1) should help ensure more robust systems that help reduce the risk and incidence of systems issues affecting the markets by imposing requirements on new entities that are
not currently subject to Regulation SCI and by covering systems and events that are not currently within the scope of existing regulations and current practices.721 In addition, the required policies and procedures may help new SCI entities recover more quickly from SCI events that do occur. Application of Rule 1001(a)(2)(i) through (iv), (vi), and (vii) to the new SCI entities is expected to benefit securities markets and market participants by leading to the establishment, maintenance, and enforcement of policies and procedures for these entities related to current and future capacity planning; periodic stress testing; systems development and testing methodology; and reviews and testing to identify vulnerabilities; standards for market data collection, processing, and dissemination; and monitoring to identify potential systems problems. These requirements should reduce the risk and incidence of systems issues, such as systems disruptions and systems intrusions. This, in turn, could reduce interruptions in the price discovery process and liquidity flows. Systems issues that directly inhibit execution facilities, order matching, and dissemination of market data could cause slow executions or delayed orders, or cause inoperability of an SCI entity for a period of time. If executions were delayed by a systems disruption in an SCI system related to a trading, order routing, clearance and settlement, or market data system, given the magnitude of the transaction activity in which SCI entities consistently engage, the delay could have cascading effects disruptive to the broader market.722 In addition, Rule 1001(a)(2)(vi) provides that an SCI entity’s policies and procedures must include standards that result in systems being designed, developed, tested, maintained, operated, and surveilled in a manner that facilitates the successful collection, processing, and dissemination of market data.
Rule 1001(a)(2)(vi) is expected to help ensure that timely and accurate market data are made available by new SCI entities. Market participants rely on market data in a variety of ways, including for making markets, formulating trading algorithms, and placing orders, among others. Although new SCI entities currently facilitate the successful collection, processing, and dissemination of market data, improvements in timeliness and accuracy of the generation of market data inputs would help further ensure pricing efficiencies and uninterrupted liquidity flows in markets. Similarly, by requiring policies and procedures for monitoring systems to identify potential SCI events, Rule 1001(a)(2)(vii) may help ensure that new SCI entities identify potential SCI events, which could allow them to prevent some SCI events from occurring or to take timely appropriate corrective action after the occurrence of SCI events. As discussed above, reducing the frequency and duration of SCI events or reducing the duration of SCI events that disrupt markets would reduce pricing inefficiencies and promote price discovery and liquidity.
Footnote 721: The potential adverse effects of systems failures are described in section V.C.2. for each type of new SCI entity. Benefits to new SCI entities from a reduction in the risk and incidents of systems issues would arise from a reduction in these adverse effects.
Footnote 722: See supra note 197.
In general, setting forth policies and procedures with regard to capacity planning, stress testing, systems development and testing methodology, and reviews and testing to identify vulnerabilities could yield benefits to market participants and new SCI entities, including a potential reduction in the likelihood, duration, or severity of SCI events, thus helping to contain losses from these events, as described above.723 Capacity planning and stress testing are necessary to help an SCI entity determine its systems’ ability to process transactions in an accurate, timely, and efficient manner, and thereby help ensure market integrity. Systems development and testing are important in ensuring the reliability and resiliency of SCI systems. The potential adverse effects of systems failures are described in section V.C.2. for each type of new SCI entity. More reliable and resilient systems should help reduce the occurrence of SCI events and improve systems uptime for the new SCI entities, and thus possibly result in a reduction in losses due to SCI events and a reduction in these adverse effects. Furthermore, the use of inadequately tested software in production could result in substantial losses to market participants if it does not function as intended. For instance, if software malfunctions, it might not execute or route orders as intended and also could have unintended effects on quoted prices and the actual prices at which orders execute. Additionally, if a system’s capacity thresholds are improperly estimated, it may become congested, resulting in higher indirect transaction costs due to lower execution quality (e.g., decrease in order fill rates). The Commission recognizes that the new SCI entities are subject to existing policies and procedures obligations as discussed in the baseline.
Footnote 723: See section V.D.1.
Pursuant to those obligations, the new SCI entities may already engage in practices that are similar to certain requirements under Regulation SCI. To the extent that the existing policies and procedures are similar to those reflected in Regulation SCI, the magnitude of the costs and benefits discussed above that stem from the application of those policies and procedures will be correspondingly reduced. However, costs and benefits that arise from obligations under Regulation SCI that differ from those existing obligations, such as reporting to the Commission, will be maintained. While some of the existing regulations that apply to the proposed new SCI entities may be consistent with or similar to the policy and procedure requirements of Regulation SCI discussed in this section, the Commission believes it is nevertheless appropriate to apply these policy and procedure requirements to the new SCI entities and doing so would benefit participants in the securities markets in which these entities operate. Applying Regulation SCI to these entities increases market protections by establishing these obligations under the Exchange Act so that the Commission may enforce them directly and examine for compliance, and provides a uniform mandatory requirement that will ensure their continued application. In addition, some new SCI entities may already be voluntarily implementing policies and procedures consistent with the requirements of Regulation SCI. The magnitude of the benefits (and associated costs, as discussed below) from the policy and procedure requirements in Rule 1001(a)(1) and (a)(2)(i) through (iv), (vi), and (vii) for the new SCI entities will therefore depend on the extent to which their current operations already align with the rule’s requirements, given both existing regulation and current practice. However, the Commission believes the application of Regulation SCI is still necessary.
For example, while SBSDRs that also function as SDRs in the swap markets may currently apply the CFTC rules to their securities-based swap markets as well as their swaps markets, the CFTC rules only apply to their swap market SDR systems. Therefore, applying Regulation SCI to SBSDRs would help to ensure that the systems relevant to the securities markets are subject to a requirement to have levels of capacity, integrity, resiliency, availability, and security adequate to maintain their operational capability and promote the maintenance of fair and orderly markets and are subject to enhanced Commission oversight. Additionally, with respect to SBSDRs, the requirements of Regulation SCI are more specific and comprehensive than the principles-based requirements of Rule 13n–6. The requirements of Regulation SCI would thus exist and operate in conjunction with Rule 13n–6, helping ensure that SBSDR market systems are robust, resilient, and secure and enhancing Commission oversight of these systems. Similarly, application of Regulation SCI to broker-dealers would complement existing requirements and enhance the policies and procedures already in place for these entities. For example, the Market Access Rule prescribes specific controls and procedures around a broker-dealer entering orders on an exchange or ATS, but the policy and procedure requirements of Regulation SCI are broader in scope and are designed to ensure that the key technology pervasive and important to the functioning of the U.S. securities markets is robust, resilient, and secure. Further, the SCI review requirement obligates an SCI entity to assess the risks of its systems and effectiveness of its technology controls at least annually, identify weaknesses, and ensure compliance with the safeguards of Regulation SCI.
In addition, with respect to the requirements concerning the collection, processing, and dissemination of market data, Regulation SCI extends beyond existing requirements to include SCI systems directly supporting proprietary market data, which will provide additional benefits to market participants. Further, while Rule 17a–3 has a notification requirement when a broker-dealer fails to make and keep current the records required by that Rule, Regulation SCI more directly addresses mitigating the impact of technology failures with respect to SCI systems and indirect SCI systems (which include systems that are not used to make and keep current the records required by Rule 17a–3) and requires notifications to the Commission for a different set of events—systems intrusions, systems compliance issues, and systems disruptions—than the notification requirements of 17 CFR 240.17a–11 (‘‘Rule 17a–11’’). Likewise, while FINRA Rule 4370 requires broker-dealers to maintain business contingency and disaster recovery plans, it does not include the requirement that the business continuity and disaster recovery plans be reasonably designed to achieve next business day resumption of trading and two-hour resumption of critical SCI systems following a wide-scale disruption, nor does it require the functional and performance testing and coordination of industry or sector testing of such plans, which are instrumental in achieving the goals of Regulation SCI with respect to SCI entities. Finally, with respect to the exempt clearing agencies not subject to ARP, subjecting these entities to the policy and procedure requirements of Regulation SCI will ensure that uniform, minimum requirements regarding capacity, integrity, resiliency, availability, and security apply to all exempt clearing agencies.
Although some of the conditions underlying the exemptive orders for the two exempt clearing agencies that would be subject to Regulation SCI under the proposed amendments may be consistent with Regulation SCI’s policy and procedure requirements, the conditions vary across the agencies and in their similarity to the Regulation SCI requirements. As these exempt clearing agencies and other entities that they interact with become more technologically innovative and interconnected, applying a uniform, minimum set of requirements will improve the Commission’s oversight and better ensure the resiliency of the markets in which they operate. Overall, applying the specific and comprehensive requirements set forth in Rule 1001(a)(2)(i) through (iv), (vi), and (vii) of Regulation SCI to the new SCI entities would create a uniform, mandatory framework under the Commission’s oversight, thereby furthering the goals of Regulation SCI to strengthen the technology infrastructure of the U.S. securities markets and improve its resilience.
(ii) Systems Compliance (Rule 1001(b))
Rule 1001(b)(1) requires each SCI entity to establish, maintain, and enforce written policies and procedures reasonably designed to ensure that its SCI systems operate in a manner that complies with the Exchange Act and the rules and regulations thereunder, and the entity’s rules and governing documents, as applicable.
Rule 1001(b)(2)(i) through (iv) provides that an SCI entity’s policies and procedures under Rule 1001(b)(1) must include, at a minimum: (i) testing of all SCI systems and any changes to SCI systems prior to implementation; (ii) a system of internal controls over changes to SCI systems; (iii) a plan for assessments of the functionality of SCI systems designed to detect systems compliance issues, including by responsible SCI personnel and by personnel familiar with applicable provisions of the Exchange Act and the rules and regulations thereunder and the SCI entity’s rules and governing documents; and (iv) a plan of coordination and communication between regulatory and other personnel of the SCI entity, including by responsible SCI personnel, regarding SCI systems design, changes, testing, and controls designed to detect and prevent systems compliance issues. These provisions remain unchanged and do not create any new requirement for current SCI entities. New SCI entities, however, would become subject to these provisions for the first time. The Commission recognizes that new SCI entities currently take various measures to ensure that their systems operate in a manner that complies with relevant laws and rules. The specific requirements of Rule 1001(b) will further ensure that new SCI entities operate their SCI systems in compliance with the Exchange Act and relevant rules.
For example, the tests under Rule 1001(b)(2)(i) should help new SCI entities to identify potential compliance issues before new systems or systems changes are implemented; the internal controls under 17 CFR 242.1001(b)(2)(ii) (‘‘Rule 1001(b)(2)(ii)’’) should help to ensure that new SCI entities remain vigilant against compliance challenges when changing their systems and resolve potential noncompliance before the changes are implemented; and the systems assessment plans under 17 CFR 242.1001(b)(2)(iii) (‘‘Rule 1001(b)(2)(iii)’’) and the coordination and communication plans under Rule 1001(b)(2)(iv) should help technology, regulatory, and other relevant personnel of new SCI entities to work together to prevent compliance issues, and to promptly identify and address compliance issues if they occur.724 To the extent that new SCI entities operate market regulation and market surveillance systems, and to the extent that compliance with Rule 1001(b) reduces the occurrence of systems compliance issues, Rule 1001(b) should advance investor protection.725
(iii) Responsible SCI Personnel (17 CFR 242.1001(c)(1) (‘‘Rule 1001(c)(1)’’))
Rule 1001(c)(1) requires an SCI entity to establish, maintain, and enforce reasonably designed written policies and procedures that include the criteria
Footnote 724: See SCI Adopting Release, at 72422.
Footnote 725: See id. at 72410 and 72422; see also section III.A.2.b.ii (policies and procedures, including those for system compliance, are expected to strengthen broker-dealers’ operational capabilities independent of any specific SCI event affecting their technology supporting trading, clearance and settlement, order routing, market data, market regulation, and market surveillance).
for identifying responsible SCI personnel, the designation and documentation of responsible SCI personnel, and escalation procedures to quickly inform responsible SCI personnel of potential SCI events. This provision remains unchanged and does not create any new requirement for current SCI entities. New SCI entities, however, will become subject to this provision for the first time. Requiring policies and procedures to identify and designate responsible SCI personnel and to establish escalation procedures to quickly inform such personnel of potential SCI events should help to effectively determine whether an SCI event occurred and what appropriate actions should be taken without unnecessary delay. As such, Rule 1001(c)(1) is expected to reduce the duration of SCI events as new SCI entities become aware of them and take appropriate corrective actions more quickly. The reduction in the duration of SCI events would benefit markets and their participants as it would promote pricing efficiency and price discovery. The Commission recognizes that the new SCI entities currently have certain regulatory obligations that may align with certain requirements of Rule 1001(c)(1), as described in the baseline, and in addition the new SCI entities may already be voluntarily implementing policies and procedures that may align with certain requirements of Rule 1001(c)(1). For example, SBSDRs and exempt clearing agencies may have policies and procedures that identify roles and responsibilities for key personnel as well as appropriate escalation procedures including designation and documentation of responsible personnel as noted above.726 Likewise, as discussed above,727 broker-dealers may have policies and procedures for designating employees with specific roles and responsibilities and escalation procedures documented in their incident response plans.
As discussed above, the extent of these benefits (and related costs, as discussed below) would depend in part on how closely the existing policies and procedures of the new SCI entities align with the specific requirements of Rule 1001(c)(1).
(iv) Periodic Reviews of Policies and Procedures and Prompt Remedial Actions (Rule 1001(a)(3), (b)(3), (c)(2))
Rule 1001(a)(3), (b)(3), and (c)(2) require each SCI entity to periodically review the effectiveness of the policies and procedures required under Rule 1001(a) through (c) related to capacity, integrity, resiliency, availability, and security; systems compliance; and responsible SCI personnel, respectively, and to take prompt action to remedy deficiencies in such policies and procedures. These provisions remain unchanged since the adoption of Regulation SCI in 2014, but new SCI entities will become subject to them for the first time. Requiring periodic review of the policies and procedures and remedial actions to address any deficiencies in the policies and procedures would help to ensure that new SCI entities maintain robust policies and procedures and update them when necessary so that the benefits of Rule 1001(a) through (c) as discussed in section V.C.1 should continue to be realized. For example, Rule 1001(a)(3), (b)(3), and (c)(2) should help to decrease the number of trading interruptions due to system issues in new SCI entities. It should lead to fewer interruptions in the price discovery process728 and liquidity flows, and thus may result in fewer periods with pricing inefficiencies. Further, because interruptions in liquidity flows and the price discovery process in one security can affect securities trading in other markets, reducing trading interruptions could have broad effects.
Footnote 726: See sec. V.B.1.a.ii and V.B.1.c.ii.
Footnote 727: See section V.B.1.b.ii.
As with the other requirements of Regulation SCI previously discussed, the Commission acknowledges that the new SCI entities are subject to existing regulations, and the extent of the benefits (and costs, as discussed below) will depend on how closely their current policies and procedures align with the requirements for review and remedial action under Rule 1001(a)(3), (b)(3), and (c)(2). The SBSDRs registered with the Commission are registered with the CFTC as swap data repositories (SDRs) and, with respect to systems of concern to the CFTC, are subject to CFTC’s rules that require these entities to conduct periodic reviews of automated systems and business continuity-disaster recovery capabilities.729 While such entities may apply the CFTC rules to the entirety of their repositories, the CFTC rules do not apply to the SBSDR and its security-based swap related systems. Therefore, applying Rule 1001(a)(3), (b)(3), and (c)(2) to SBSDRs would ensure periodic reviews of the effectiveness of policies and procedures specifically related to SCI systems and create a uniform, mandatory framework under the Commission’s oversight.
Footnote 728: The price discovery process involves trading—buyers and sellers arriving at a transaction price for a specific asset at a given time. Thus, generally, any trading interruptions would interfere with the price discovery process.
Footnote 729: See 17 CFR 49.24(j); 17 CFR 49.24(m); 17 CFR 49.24(b)(3).
Similarly, SCI broker-dealers also are required under FINRA Rule 4370 to conduct an annual review of the business continuity and disaster recovery plans.730 Further, as noted above, the two exempt clearing agencies are required to report at least on an annual basis to the competent authority regarding their compliance with CSDR, including on their operational risk management framework and systems and their information security framework.731 The exempt clearing agencies must also periodically test and review the operational arrangements and policies and procedures with users. Additionally, the exemptive order for one of the exempted clearing agencies requires a review of policies and procedures and reporting on the status of policies and procedures to the Commission. To the extent that the broker-dealers and the exempt clearing agencies increase the scope of the review of their policies and procedures related to capacity, integrity, resiliency, availability, and security; systems compliance; and responsible SCI personnel, and take prompt action to remedy deficiencies, the exempt clearing agencies, broker-dealers and their customers will benefit from application of Rule 1001(a)(3), (b)(3), and (c)(2), which would also create a uniform, mandatory framework under the Commission’s oversight.
(2) Amended Provisions Applicable to Current and New SCI Entities
The Commission is proposing to amend Rule 1001(a)(2)(v)—to add to that provision a requirement that business continuity and disaster recovery plans be reasonably designed to address the unavailability of any third-party provider that provides functionality, support, or service to the SCI entity without which there would be a material impact on any of its critical SCI systems—and add several new provisions in Rule 1001(a)(2), including proposed Rule 1001(a)(2)(viii) (systems classifications and lifecycle management programs); proposed Rule 1001(a)(2)(ix) (third-party provider management program); proposed Rule 1001(a)(2)(x) (a program to prevent the unauthorized access to such systems and information residing therein); and proposed Rule 1001(a)(2)(xi) (identification of the relevant current industry standard claimed as a safe harbor, if any). In addition, we are proposing to amend Rule 1001(a)(4) to clarify that policies and procedures that are consistent with current SCI industry standards provide a safe harbor with respect to the requirement that such policies and procedures be reasonably designed. These amendments would impact both new and existing SCI entities.
Footnote 730: See sec. V.B.1.b.ii.
Footnote 731: See sec. V.B.1.c.ii.
(i) Business Continuity and Disaster Recovery Plans (Rule 1001(a)(2)(v))
Rule 1001(a)(2)(v) currently requires SCI entities’ policies and procedures to set forth business continuity and disaster recovery plans that include maintaining backup and recovery capabilities sufficiently resilient and geographically diverse and that are reasonably designed to achieve next business day resumption of trading and two-hour resumption of critical SCI systems following a wide-scale disruption.
The Commission is proposing to also require that such plans are reasonably designed to address the unavailability of any third-party provider that provides functionality, support, or service to the SCI entity, without which there would be a material impact on any of its critical SCI systems. With respect to the existing requirements that will remain unchanged, these would only affect new SCI entities and not create any new requirement for current SCI entities. Requiring business continuity and disaster recovery plans increases the likelihood that the markets in which they participate will continue to function, and SCI systems can resume operation in a timely manner, even when there are significant outages to SCI systems. Rule 1001(a)(2)(v), among other things, is expected to help ensure prompt resumption of all critical SCI systems, which in turn is expected to help minimize interruptions in trading and clearance and settlement after a wide-scale disruption. Notably, in the case of a wide-scale disruption, multiple SCI entities may be affected by the same incident at the same time. Given that U.S. securities market infrastructure is concentrated in relatively few areas, such as New York City, New Jersey, and Chicago, maintaining backup and recovery capabilities that are geographically diverse could facilitate resumption in trading and critical SCI systems following wide-scale market disruptions.732 Reducing the frequency and duration of trading interruptions would promote pricing efficiency, price discovery, and liquidity flows in markets. With respect to the new requirement on the unavailability of third-party providers, both new and current SCI entities will be affected.
Footnote 732: As discussed in section III.C.2, the geographic diversity of data center sites is an important consideration even where an SCI entity uses CSPs as its business continuity and disaster recovery service providers.
Financial institutions, including SCI entities, have become increasingly dependent on third parties—such as cloud service providers—to operate their businesses and provide their services.733 The proposed requirement for business continuity and disaster recovery plans to address the unavailability of any third-party provider would help ensure that SCI entities are appropriately prepared for contingencies relating to a third-party provider with respect to critical SCI systems, including the potential for an extended outage, if, for example, the third-party provider goes into bankruptcy or dissolves, or if it breaches its contract and decides to suddenly, unilaterally, and/or permanently cease to provide the SCI entity’s critical SCI systems with functionality, support, or service. The Commission understands that some new SCI entities are already subject to similar requirements and may already have policies and procedures that may align with Rule 1001(a)(2)(v),734 while others may need to make more significant changes to their current policies, procedures and practices. As discussed above, the extent of the benefits (and costs, as discussed below) will depend on how closely the new SCI entities’ current policies and procedures align with the requirements of Rule 1001(a)(2)(v), including the proposed amendment. With respect to SBSDRs, which are also registered as SDRs with the CFTC, the CFTC’s System Safeguard rule sets forth requirements for swap data repositories to establish and maintain emergency procedures, geographically diverse735 backup facilities, and a business continuity-disaster recovery plan that allows for the timely recovery and resumption of next day operations following the disruption. While such entities may apply the CFTC rules to the entirety of their repositories, the CFTC rules do not apply to the SBSDR and its security-based swap related systems.
Therefore, Rule 1001(a)(2)(v) would help ensure SBSDRs have in place for their SCI systems business continuity and disaster recovery plans that meet the minimum requirements set forth in the rule and create a uniform, mandatory framework under the Commission’s oversight. The proposed amendment would ensure that these plans specifically address the unavailability of any third-party provider that provides functionality, support, or service to the SBSDR’s SCI systems, without which there would be a material impact on any of its critical SCI systems. SCI broker-dealers are likewise required to create and maintain a written business continuity plan under FINRA Rule 4370.736 Currently required business continuity public disclosure statements737 generally indicate that some backup systems are geographically diverse, but limited information is disclosed with respect to a specific timeline for resumption of service in the event of a disruption. Similarly, these required business continuity public disclosure statements generally do not provide information on specific BC/DR plans to address the unavailability of any third-party provider, as would be required under the proposed amendment. Applying the requirements of Rule 1001(a)(2)(v) to broker-dealers may reduce the frequency and duration of trading interruptions, which would promote pricing efficiency, price discovery, and liquidity flows in markets. Further, the proposed amendment to Rule 1001(a)(2)(v) would help ensure broker-dealers have business continuity and disaster recovery plans in place to address the unavailability of any third-party provider that provides functionality, support, or service to the SCI systems.
Footnote 733: See supra sec. V.B.4. and note 687.
Footnote 734: See sections III.A.2.a.ii, III.A.2.b.ii, III.A.2.c.i., V.B.1.a.ii, V.B.1.b.ii, and V.B.1.c.ii.
Footnote 735: SDRs deemed critical by the CFTC require geographically diverse backup facilities and staff.
Finally, as discussed above, the exempt clearing agencies are currently required to maintain a business continuity policy and disaster recovery plan that ensures two-hour resumption of critical operations and geographically diverse backup systems, and to monitor and test it at least annually.738 The exempt clearing agencies are also required to address the unavailability of any critical third-party provider.739 Application of Rule 1001(a)(2)(v), including the proposed amendment, would help ensure exempt clearing agencies have business continuity and disaster recovery plans in place to address the unavailability of any third-party provider that provides functionality, support, or service to the SCI systems and thus would likely incrementally reduce the frequency and duration of trading interruptions and promote pricing efficiency, price discovery, and liquidity flows in markets.

736 See section V.B.1.b.ii.
737 While broker-dealers are required to provide a brief summary disclosure statement regarding their BCPs to customers, they do not disclose the actual BCP. Based on a review of 2021 and 2022 BCP disclosure statements, firms often do not provide any detail on operational capacity to meet demand surges or any specific timeframes for resumption of service.
738 See sec. V.b.1.e.ii.
739 Id.

(ii) Systems Classification and Lifecycle Management (Proposed Rule 1001(a)(2)(viii))

Proposed Rule 1001(a)(2)(viii) provides that an SCI entity’s policies and procedures must provide for the maintenance of a written inventory and classification of all SCI systems, critical SCI systems, and indirect SCI systems as such, and a program with respect to the lifecycle management of such systems, including the acquisition, integration, support, refresh, and disposal of such systems, as applicable.
This is a new provision and applies to both current SCI entities and new SCI entities. A foundational and essential step for an SCI entity to be able to meet its obligations under Regulation SCI is to be able to clearly identify the different types of its systems that are subject to differing obligations under Regulation SCI. Reasonably designed systems classification and lifecycle management policies and procedures, which include vulnerability and patch management, reduce the risk of SCI system defects and operational issues. The systems classification requirement would promote more efficient and timely compliance with the remaining provisions of Regulation SCI. The lifecycle management requirement would also ensure that sensitive information (including software configuration info, middleware, etc.) is not inadvertently revealed, potentially compromising the security of an SCI entity’s data and network—and would further enhance the systems’ integrity, resiliency, and security. The Commission understands that one of the first steps many current SCI entities would take to comply with Regulation SCI is to develop a classification of their systems in accordance with the definitions of each type of system in SCI, but not all SCI entities maintain such a list. Accordingly, the extent of the benefits described above will depend on whether existing entities have taken such steps and how closely they align with the proposed requirements. 
With respect to new SCI entities, broker-dealers are required to maintain policies and procedures per Regulation S–P and S–ID, as discussed above.740 In two Commission exam sweeps, the Commission staff observed that most broker-dealers already inventory, catalog, and classify the risks of their systems and had a process in place for ensuring regular system maintenance, including the installation of software patches to address security vulnerabilities.741 Furthermore, identification of mission critical systems is required by FINRA Rule 4370. Accordingly, there would be an incremental benefit (and cost) from applying this particular provision of Regulation SCI to the broker-dealers. Additionally, the practice of inventorying and classifying systems might also encourage the firm to invest in supplemental security measures to reduce the number of indirect SCI systems, which would result in an incremental and upfront or short-term cost. As discussed in section V.B.1.c.ii, exempt clearing agencies are required by CSDR to prepare a list with all the processes and activities that contribute to the delivery of the services they provide, and to identify and create an inventory of all the components of their IT systems that support the processes and activities. This likely would represent an incremental benefit (and cost). Additionally, the practice of inventorying and classifying systems might also encourage the firm to invest in supplemental security measures to reduce the number of indirect SCI systems to reduce the long-term compliance burden, which would result in an incremental and upfront or short-term cost.

(iii) Third-Party Provider Management (Proposed Rule 1001(a)(2)(ix))

Proposed Rule 1001(a)(2)(ix) concerns policies and procedures for effective third-party provider management and would newly apply to both existing and new SCI entities.
As discussed above, financial institutions have been increasingly outsourcing parts of their services.742 When a market participant chooses to outsource a particular component of its operation to a third-party vendor, the vendor may offer components of services (of certain quality) at a cheaper rate than the market participant can supply on its own, or where the market participant may lack the expertise or ability to provide them. If this is done properly and with full information, it can result in an efficient outcome without compromising the service quality below what is required under Regulation SCI. But in some cases, if there is information asymmetry—especially with respect to service quality—market dynamics among SCI entities result in the provision of sub-optimal services. This may be the case for a number of reasons, including imperfect communication between the SCI entity and its third-party provider. First, a third-party provider providing its service to an SCI entity may lack the knowledge of the level of resiliency and capacity the SCI entity must maintain. Second, an SCI entity may lack the knowledge of the robustness of the third-party provider’s operation. Third, the market for these services may not be competitive, and an SCI entity looking to outsource these services may not have other comparable choices. Failure to ensure that policies and procedures are adequate to reduce these risks may result in unidentified security weaknesses, the inability to analyze potential security events, and delayed business continuity and disaster recovery.

740 See sec. V.B.1.b.ii.
741 Id.
742 See supra sec. V.B.4. and note 687.
Proposed Rule 1001(a)(2)(ix) would require each SCI entity to have a program to manage and oversee third-party providers that provide functionality, support or service, directly or indirectly, for its SCI systems and, for purposes of security standards, its indirect SCI systems. Each SCI entity would be required to undertake a risk-based assessment of each third-party provider’s criticality to the SCI entity, including analyses of third-party provider concentration, of key dependencies if the third-party provider’s functionality, support, or service were to become unavailable or materially impaired, and of any potential security, including cybersecurity, risks posed. The Commission believes that specifically requiring each SCI entity to undertake a risk-based assessment of each of its third-party providers’ criticality to the SCI entity will help it more fully understand the risks and vulnerabilities of utilizing each third-party provider, and provide the opportunity for the SCI entity to better prepare in advance for contingencies should the provider’s functionality, support, or service become unavailable or materially impaired. Again, the extent of these benefits may depend on whether an SCI entity’s existing practices, and applicable regulations, are consistent with the requirements of proposed Rule 1001(a)(2)(ix). As noted above, SBSDRs that are dually registered as SDRs with the CFTC are also subject to the CFTC System Safeguards rule, which requires an SDR to undertake a program of risk analysis and oversight of outsourcing and vendor management affecting its operations and automated systems.743 A dual-registered entity’s outsourced systems for processing SDR data might also be SCI systems if such systems also process SBSDR data.
Accordingly, an SDR’s adherence to the System Safeguard Rule’s provision for vendor management and outsourcing is reasonably likely to reduce the benefit (and the cost, as discussed below) of complying with proposed Rule 1001(a)(2)(ix). Similarly, as discussed above, broker-dealers are already subject to general vendor management obligations in accordance with FINRA Rule 3110 and obligations under Regulation S–P,744 and thus some of their current practices may be consistent with some of the requirements of Rule 1001(a)(2)(ix). However, those rules are different in scope and purpose from the proposed amendment to Regulation SCI.745 For example, while FINRA rules already require initial and ongoing due diligence, third-party provider contract review and ongoing third-party risk assessment, proposed Rule 1001(a)(2)(ix) also requires an additional risk-based assessment of each third-party provider’s criticality to the SCI entity. Accordingly, proposed Rule 1001(a)(2)(ix) may restrict usage of particular third-party providers, if and when they are unwilling or unable to comply with Regulation SCI’s third-party provider requirements. Finally, as discussed in section V.B.1.c.ii, the two exempt clearing agencies are required by CSDR to have arrangements for the selection and substitution of IT third-party service providers and proper controls and monitoring tools, which seems within the scope of proposed Rule 1001(a)(2)(ix)’s initial and ongoing due diligence provisions. The exempt clearing agencies are also required to identify critical utilities providers and critical service providers that may pose risks to their operations due to dependency on them, which seems within the scope of ongoing third-party risk assessment. In light of the existing requirements for exempt clearing agencies discussed in the baseline, any benefits (and associated costs, as discussed below) from the proposed amendment are likely to be relatively small with respect to critical service providers.
However, the benefit would likely be larger with respect to non-critical service providers, where the requirements are less specific.

743 17 CFR 49.24(b)(6).
744 See supra sec. V.B.1.b.ii.
745 See sec. III.A.2.b.ii. and III.D.

(iv) Security (Proposed Rule 1001(a)(2)(x))

Since the adoption of Regulation SCI in 2014, the financial system has become more digitized and consequently cybersecurity has become a significant concern for financial firms, investors, and regulatory authorities.746 In addition, the COVID–19 pandemic and the accelerated move to working from home increased the demand for digital services and the reliance of SCI entities on third-party providers, including CSPs. Moving the majority of activities to the online or digitized environment has increased the risk of cybersecurity events.747 According to the Bank for International Settlements, the financial sector had the second-largest share of COVID–19-related cybersecurity events between March and June 2020.748 The Commission is proposing a new paragraph (a)(2)(x) of Rule 1001 that would require that the policies and procedures of SCI entities include a program to prevent unauthorized access to SCI systems and, for purposes of security standards, indirect SCI systems and information residing therein. This would be a new provision and would apply to both current SCI entities and new SCI entities. The Commission anticipates that the primary benefit of the proposed rule would be to ensure that all SCI entities, including the new SCI entities, have policies and procedures to enhance their preparedness against cybersecurity threats. The proposed requirements to develop policies and procedures that are specifically designed to prevent unauthorized access to SCI systems and information residing therein would better protect SCI entities against cybersecurity threats.
Such policies and procedures can strengthen the security surrounding their information systems and the data contained within, aiding in the prevention of unauthorized access, minimizing the damage from cybersecurity events, and improving incident recovery time. Another significant benefit is that any such unauthorized access should be reported to the Commission. Thus, this rule, together with the Commission notification requirement in Rule 1002(b), as amended, will help the Commission better understand which entities are most affected by cybersecurity events and what the current trends may be, and provide the Commission with information that may aid in subsequent guidance or rulemaking to further strengthen the affected entities against future cybersecurity events and disruptions to their business operations. Indeed, as we stated in section B.2.a, it is the Commission’s understanding that current SCI entities have been reporting de minimis system intrusions on a quarterly basis, rather than immediately, as permitted under the current requirements of Regulation SCI. Current SCI entities are not required to report attempted intrusions. The extent of these benefits will depend on how consistent the existing policies and procedures of both current and new SCI entities are with the requirements of proposed Rule 1001(a)(2)(x). The Commission believes that many existing SCI entities already have most or all of such policies and procedures in place as part of their security protocols; thus the benefits (and the associated costs) of applying the proposed Rule 1001(a)(2)(x) may be reduced.

746 See supra sec. III.C.3.
747 Iñaki Aldasoro et al., COVID–19 and Cyber Risk in the Financial Sector, BIS Bull. No. 37 (Jan. 14, 2021), available at https://www.bis.org/publ/bisbull37.pdf.
748 Id. The health sector is ranked first in terms of cyberattacks.
Among new SCI entities, both registered SBSDRs have stated they have policies and procedures addressing access management.749 To the extent that SBSDRs already have access management policies and procedures that are aligned with the requirements of proposed Rule 1001(a)(2)(x), the proposed rule would offer limited benefits. Further, as discussed in section V.B.1.b.ii, broker-dealers are required to maintain policies and procedures addressing security issues per Regulation S–P and S–ID, although those regulations and the required policies and procedures are different in scope and purpose. The extent of the benefits of proposed Rule 1001(a)(2)(x) would thus depend on how consistent the broker-dealer’s current policies and procedures are with the requirements of the proposed Rule. As discussed in section V.B.1.c.ii, the two exempt clearing agencies are required to maintain information security frameworks describing mechanisms to detect and prevent cyber-attacks and a plan in response to cyber-attacks. The information security framework includes, among other requirements, access controls to the system and adequate safeguards against intrusions and data misuse.

749 17 CFR 49.24(b)(2). See Security-Based Swap Data Repositories; ICE Trade Vault, LLC; Notice of Filing of Application for Registration as a Security-Based Swap Data Repository, available at https://www.sec.gov/rules/other/2021/34-91331.pdf; Security-Based Swap Data Repositories; DTCC Data Repository (U.S.), LLC; Notice of Filing of Application for Registration as a Security-Based Swap Data Repository, available at https://www.sec.gov/rules/other/2021/34-91071.pdf.
Therefore, proposed Rule 1001(a)(2)(x) may offer only limited incremental benefits.750

(v) Current SCI Industry Standards (Proposed Rule 1001(a)(2)(xi)) and Safe Harbor for Policies and Procedures Consistent With SCI Industry Standards (Rule 1001(a)(4))

Proposed Rule 1001(a)(2)(xi) would provide that an SCI entity’s policies and procedures must include an identification of the current SCI industry standard(s) with which each such policy and procedure is consistent, if any. This requirement would be applicable if the SCI entity is taking advantage of the safe harbor provision, Rule 1001(a)(4). We are also proposing to amend the text of Rule 1001(a)(4), which deems an SCI entity’s policies and procedures under Rule 1001(a) to be reasonably designed if they are consistent with current SCI industry standards, to make clear that its reference to and definition of ‘‘current SCI industry standards’’ provides a safe harbor for SCI entities with respect to their Rule 1001(a) policies and procedures. Proposed Rule 1001(a)(2)(xi) and the amendment to Rule 1001(a)(4) would apply to both current SCI entities and new SCI entities. Rule 1001(a)(4) specifically states that compliance with current SCI industry standards is not the exclusive means to comply with the requirements of Rule 1001(a). Therefore, Rule 1001(a)(4) provides flexibility to allow each SCI entity to determine how to best meet the requirements in Rule 1001(a), taking into account, for example, its nature, size, technology, business model, and other aspects of its business. SCI entities can choose the technology standards that best fit with their business, promoting efficiency.
The ability of SCI entities to rely on widely recognized technology standards, if they choose to do so, will provide guidance to SCI entities on policies and procedures that would meet the articulated standard of being ‘‘reasonably designed to ensure that their systems have levels of capacity, integrity, resiliency, availability, and security, adequate to maintain their operational capability and promote the maintenance of fair and orderly markets.’’ In addition, the flexibility of this requirement leaves room for industry-wide innovation, while encouraging each SCI entity to conform to an industry standard that is most appropriate for itself given the entity’s scope of operation and particular characteristics. These standards currently in place may require protocols that go beyond the level that would have been chosen by an entity that is driven by profit-maximizing or cost-saving motives. Furthermore, as industry standards continue to evolve, Regulation SCI helps to ensure that SCI entities are motivated to adhere to the changing standards that reflect the changes in market conditions and technology. The Commission understands that many existing SCI entities rely on industry standards, typically by adhering to a specific industry standard or combination of industry standards for a particular technology area or by using industry standards as guidance in designing policies and procedures. Thus, overall benefits and costs to existing SCI entities will be incremental, and the benefits and costs are likely to be greater for entities that do not already rely on industry standards and lesser for entities that already adhere closely to industry standards. Among new entities, both SBSDR entities are also registered with the CFTC as SDRs, and as such are subject to the CFTC’s System Safeguard rule in their capacity as SDRs.
The System Safeguard rule requires SDRs to follow generally accepted standards and best practices with respect to the development, operation, reliability, security, and capacity of automated systems.751 While not required, it is likely that dual-registered SDRs/SBSDRs are following these requirements for SBSDRs given the CFTC requirements for SDRs. Therefore, it is likely that SBSDRs already have policies and procedures consistent with existing industry standards. As discussed above, broker-dealers are required to have certain policies and procedures pursuant to Regulation S–P and S–ID.752 The 2015 FINRA report on cybersecurity practices observed that broker-dealers reported relying on industry standards with respect to cybersecurity requirements, typically by adhering to a specific industry standard or combination of industry standards or by using industry standards as a reference point for designing policies and procedures.753 To the extent that any broker-dealers do not rely on industry standards, or do so only selectively, applying Rule 1001(a)(4) and proposed Rule 1001(a)(2)(xi) will likely increase broker-dealer adherence to industry standards and improve overall compliance with Rule 1001. As discussed in section V.B.1.c.ii, the two exempt clearing agencies are required by CSDR to rely on internationally recognized technical standards and industry best practices with respect to their IT systems. As such, it is likely that they already have policies and procedures that are consistent with one or more industry standards. The proposed amendment may have some incremental benefit and improve overall compliance with Rule 1001.

750 See section V.B.1.c.ii.
751 See 17 CFR 49.24.
752 See sec. V.B.1.b.ii.
753 See section V.B.1.b.ii.

ii. Costs

The policies and procedures requirements of Regulation SCI would impose certain compliance costs on new SCI entities, which are expected to change at least some of their current practices to comply. In addition, the proposed amendments to certain provisions in Rule 1001 would impose additional costs on new and existing SCI entities. We discuss these costs below.

(1) Compliance Costs for New SCI Entities

Some of the new SCI entities are already subject to existing regulatory requirements that are similar to the requirements in Rule 1001, including the proposed amendments. To the extent these entities already have policies and procedures that are consistent with the Rule 1001 requirements, they could incur lower costs to comply with the requirements of Rule 1001 than entities without such existing policies and procedures. Similarly, the compliance costs associated with Rule 1001 may vary across SCI entities depending on the degree to which their current voluntary practices are already consistent with the requirements of Rule 1001. The compliance costs of Rule 1001 may further depend on the complexity of SCI entities’ systems (e.g., the compliance costs will be higher for SCI entities with more complex systems). They may also depend, to a large extent, on the scale as well as the relative criticality of a given SCI entity’s systems. We discuss below the costs for new SCI entities to comply with Rule 1001, including the proposed amendments; this includes PRA costs as well as additional compliance costs. First, with respect to PRA costs, the Commission estimates total initial costs of approximately $13.4 million and annual costs of approximately $3.5 million for all new SCI entities.754 In addition to the compliance costs estimated as part of the PRA analysis, the Commission acknowledges there may, in some cases, be other compliance costs. In the SCI Adopting Release, the Commission formed estimates of non-PRA compliance costs for complying with Rule 1001(a) and (b),755 which are instructive for determining such costs now for the new SCI entities. The Commission believed then, and continues to do so now, that the costs of complying with Rule 1001(c) are fully captured in the PRA cost estimates. The Commission’s estimates then were based on extensive discussions with industry participants as well as information contained in the comment letters submitted during the rulemaking process. After carefully considering all comments, the Commission concluded that to comply with all requirements underlying the policies and procedures required by Rule 1001(a) and (b), other than paperwork burdens, on average, each SCI entity will incur an initial cost of between approximately $320,000 and $2.4 million and an ongoing annual cost of between approximately $213,600 and $1.6 million.756 Adjusted for inflation since 2014, the initial cost would be between approximately $407,000 and $3.1 million, and the ongoing annual cost would be between approximately $272,000 and $2.0 million.757 In the 2014 adopting release, the Commission acknowledged that its cost estimates reflect a high degree of uncertainty because the compliance costs may depend on the complexity of SCI entities’ systems (e.g., the compliance costs will be higher for SCI entities with more complex systems). The initial compliance costs associated with Rule 1001 could also vary across SCI entities depending on the degree to which their current practices are already consistent with the requirements of Rule 1001.758 The Commission explained the difficulty of gauging the degree to which an SCI entity was already taking measures consistent with Regulation SCI, which would affect the compliance costs with respect to Rule 1001. These considerations continue to apply to the Commission’s estimate of any non-PRA costs for new SCI entities, which span multiple markets and vary a great deal in terms of the services they provide and the operations they perform.

754 See section IV.D.7. These are the estimated costs to comply with Rule 1001(a) through (c). For purposes of this Economic Analysis, there are two fewer entities than under the PRA analysis, lowering these estimated costs. See supra note 700.
755 According to the 2014 adopting release, these non-PRA compliance costs include, for example, establishing current and future capacity planning estimates, capacity stress testing, reviewing and keeping current systems development and testing methodology, regular reviews and testing to detect vulnerabilities, testing of all SCI systems and changes to SCI systems prior to implementation, implementing a system of internal controls, implementing a plan for assessments of the functionality of SCI systems, implementing a plan of coordination and communication between regulatory and other personnel of the SCI entity, including by responsible SCI personnel, designed to detect and prevent systems compliance issues, and hiring additional staff. See SCI Adopting Release, supra note 1, at 72416 n. 1939.
756 Id.
757 SEC inflation calculations are based on annual GDP price index data from Table 1.1.4. in the National Income and Product Accounts from the Bureau of Economic Analysis, and on inflation projections from The Budget and Economic Outlook: 2023 to 2033, published by the Congressional Budget Office in February 2023.
These new SCI entities face different baselines depending on the applicable regulatory requirements that they are subject to and the market practices each SCI entity has been following. Given these considerations, the Commission believes that the estimates from 2014 are still appropriate estimates for the non-PRA costs associated with Rule 1001(a) and (b) of Regulation SCI without the proposed amendments for the new SCI entities. There are reasons to believe that these ranges should be increased for inflation759 and technological changes since 2014, such as greater interconnectivity, that have expanded the scope for testing, leading to greater costs. However, there are also reasons to believe that as of 2023 these ranges may have come down. First, some components of costs may be lower in 2023 because of technological improvements since 2014.760 Second, the experience of the current 47 SCI entities complying with Regulation SCI since 2014 has likely generated a useful industry knowledge base for new SCI entities, including common practices, industry standards, and cost-saving measures. From this perspective, the cost of learning would be lower, including the start-up cost. Third, the Commission understands that many financial institutions that are not subject to Regulation SCI have voluntarily begun to conform to one or more industry standards and adopted written policies and procedures related to ensuring capacity, integrity, resiliency, availability, and security of their systems. Indeed, the Commission understands—based on the Commission’s discussions with industry participants—that the changes in the market—including greater automation and interconnectivity and an overall need to expand the scope of testing—have already incentivized many SCI entities to improve their internal protocols and to increase their technology expenditures. For example, the growing risk of cybersecurity events has already led many corporate executives to significantly increase their cybersecurity budgets.761 From this perspective, although the overall security and IT spending may have increased manifold for SCI entities over the years, the Commission estimates that the magnitude of compliance costs owing to the adoption of Regulation SCI for new SCI entities, over and above their current expenses, may not necessarily have increased significantly as a result since 2014. Taking these varied considerations into account, the Commission estimates that, adjusted for inflation since 2014, the 2014 figures remain reasonable ranges for non-PRA costs associated with Rule 1001(a) and (b) in 2023, without accounting for the proposed amendments in Rule 1001(a). In other words, the Commission estimates that a new SCI entity in 2023 will incur an initial non-PRA cost of between approximately $407,000 and $3.1 million and an ongoing annual non-PRA cost of between approximately $272,000 and $2.0 million to comply with the original provisions of Regulation SCI from 2014. To account for the proposed amendments, the Commission preliminarily estimates that, based on staff experience with current SCI entities’ compliance practices, the non-PRA cost of complying with the amended provisions could be up to approximately 20% of the estimated non-PRA cost for complying with the original (i.e., unamended) Rule 1001(a).

758 These estimates in the SCI Adopting Release were in turn based on the preliminary estimates included in the SCI Proposing Release, supra note 14, at 18171. However, one important assumption the SCI Proposing Release made was to assume that certain SCI entities ‘‘already [had or had] begun implementation of business continuity and disaster recovery plans that include maintaining backup and recovery capabilities sufficiently resilient and geographically diverse to ensure next business day resumption of trading and two-hour resumption of clearance and settlement services following a wide-scale disruption.’’ Id. at note 633. In the SCI Adopting Release, however, in order to accommodate the cost considerations of those SCI entities that did not already have geographically diverse backup facilities, the Commission estimated the average cost to be approximately $1.5 million annually for such SCI entities. See SCI Adopting Release, supra note 1, at 72420. In the section discussing Rule 1001(a)(2)(v) below, the Commission estimates the comparable estimate to be between $1.5 million and $1.8 million. This additional estimate range only applies to SCI entities that do not already have geographically diverse backup facilities and would be in addition to the non-paperwork burden estimates discussed in the current section.
759 For example, GDP Price Index data from the Bureau of Economic Analysis (BEA) and projections from the Congressional Budget Office show that, economy-wide, prices increased by about 27% from 2014 to 2023.
760 See Matt Rosoff, Why is Tech Getting Cheaper?, weforum.org (Oct. 16, 2015), available at https://www.weforum.org/agenda/2015/10/why-is-tech-getting-cheaper/. For example, prices have been dropping for cloud computing services over the last years. See Jean Atelsek, et al., Major Cloud Providers and Customers Face Cost and Pricing Headwinds, spglobal.com (May 10, 2022), available at https://www.spglobal.com/marketintelligence/en/news-insights/research/major-cloud-providers-and-customers-face-cost-and-pricing-headwinds; see also David Friend, The Coming Era of Simple, Fast, Incredibly Cheap Cloud Storage, Cloudtweaks.com (Nov. 15, 2022, 9:12 a.m.), available at https://cloudtweaks.com/2018/02/fast-incredibly-cheap-cloud-storage/ (describing the significant price drop for cloud storage as of 2018, and explaining that ‘‘the prices for cloud storage are heading in the same direction.’’). These trends may be reversing. See Jean Atelsek, et al., (‘‘Rising energy costs and supply chain woes threaten to push up costs for the cloud hyperscalers in building and operating their data centers; therefore, cloud infrastructure prices are poised to increase.’’); Frederic Lardinois, Google Cloud Gets More Expensive, TechCrunch+ (Mar. 14, 2022, 11:54 p.m.), available at https://techcrunch.com/2022/03/14/inflation-is-real-google-cloud-raises-its-storage-prices/.
761 For example, according to one source, as of 2020, ‘‘55% of enterprise executives [were planning] to increase their cybersecurity budgets in 2021 and 51% are adding full-time cyber staff in 2021.’’ Louis Columbus, The Best Cybersecurity Predictions for 2021 Roundup, Forbes.com (Dec. 15, 2020), available at https://www.forbes.com/sites/louiscolumbus/2020/12/15/the-best-cybersecurity-predictions-for-2021-roundup/?sh=6d6db8b65e8c.
Accordingly, the Commission estimates that a new SCI entity would incur an additional initial cost of between approximately $81,000 and $611,000 and an additional ongoing annual cost of between approximately $54,000 and $407,000 to comply with the amended provisions of Rule 1001(a).[762] Combined with the non-PRA cost estimates above for complying with the rest of Rule 1001(a) and (b), a new SCI entity will incur an additional initial non-PRA cost of between approximately $489,000 and $3.7 million[763] and an additional ongoing annual non-PRA cost of between approximately $326,000 and $2.4 million, plus the PRA costs estimated above.[764] The Commission estimates that, in the aggregate, all new SCI entities will incur a total initial non-PRA cost of between approximately $10.3 million and $77.0 million to comply with the policies and procedures required by Rule 1001(a) and (b).[765] In addition, the Commission estimates that, in the aggregate, new SCI entities will incur total annual ongoing non-PRA costs of between approximately $6.9 million and $51.3 million.[766] Depending on the price-sensitivity of their customers and the availability of alternative providers, new SCI entities may pass on some of these costs to their customers.[767] In addition, with respect to the periodic reviews required by Rule 1001(a)(3), (b)(3), and (c)(2), there may be additional indirect costs if an SCI entity takes prompt or unplanned remedial action following the discovery of deficiencies in its policies and procedures. Specifically, new SCI entities may need to delay or shift resources away from profitable projects and reallocate them toward the prompt or unplanned remedial actions required by the rules. It is nevertheless difficult to assess such indirect costs imposed on SCI entities because the Commission lacks the information necessary to provide a reasonable estimate and such indirect costs will be circumstance-specific.

(2) Compliance Costs for Existing SCI Entities

Existing SCI entities should incur new costs only to comply with the proposed amendments to Rule 1001(a). With respect to PRA costs, the Commission estimates total initial costs of approximately $8.2 million and annual costs of approximately $1.1 million for all current SCI entities.[768] For non-PRA costs associated with these amendments, the Commission estimates that the non-PRA cost of complying with the amended provisions could be up to approximately 20% of the estimated non-PRA cost for complying with the original (i.e., unamended) Rule 1001(a), as explained above. Accordingly, the Commission estimates that an existing SCI entity would incur an additional initial non-PRA cost of between approximately $81,000 and $611,000 and an additional ongoing annual non-PRA cost of between approximately $54,000 and $407,000 to comply with the amended provisions of Rule 1001(a).[769] The Commission in turn estimates that, in the aggregate, current SCI entities will incur a total initial non-PRA cost of between approximately $3.8 million and $28.7 million to comply with the policies and procedures required by Rule 1001(a) and (b).[770] In addition, the Commission estimates that, in the aggregate, current SCI entities will incur total annual ongoing non-PRA costs of between approximately $2.6 million and $19.1 million.[771]

(3) Other Costs for All SCI Entities and Other Affected Parties

Proposed Rule 1001(a)(2)(ix) could raise the costs of third-party service providers insofar as they may have to renegotiate contracts and change the terms of their services to accommodate the requirements of SCI entities. SCI entities could also incur costs in enforcing their third-party provider management programs.

[762] These figures are 20% of the range from the Regulation SCI Adopting Release, adjusted for inflation from 2014 to 2023.

[763] These figures are 120% of the range from the Adopting Release of Regulation SCI, adjusted for inflation since 2014.

[764] These figures are approximately 120% of the range from the Adopting Release of Regulation SCI, adjusted for inflation since 2014.

[765] The Commission currently estimates there are 23 new SCI entities, two of which are excluded from the economic analysis as explained above. The range of $10.3 million and $77.0 million represents 21 times the per-entity initial cost range from the Regulation SCI Adopting Release, adjusted for inflation since 2014.

[766] The range of $6.9 million and $51.3 million represents 21 times the per-entity ongoing annual cost range from the Regulation SCI Adopting Release, adjusted for inflation since 2014.

[767] See, e.g., Jonathan Baker, Orley Ashenfelter, David Ashmore & Signe-Mary McKernan, Identifying the Firm-Specific Cost Pass-Through Rate, Federal Trade Commission, Bureau of Economics 1 (1998), available at https://www.ftc.gov/sites/default/files/documents/reports/identifying-firm-specific-cost-pass-through-rate/wp217.pdf.

[768] See section IV.D.7. These include costs for existing entities to comply only with Rule 1001(a), and for new entities to comply with Rule 1001(a) through (c).
In particular, to the extent that accommodating the terms and conditions that would be demanded by SCI entities under proposed Rule 1001(a)(2)(ix) would be costly to third-party service providers, SCI entities could face higher prices from third-party providers, though any change in prices would also depend upon market conditions (such as the level of competition amongst third-party service providers for the type of services sought by the SCI entity, the relative bargaining power of the SCI entity in negotiations with third-party service providers, new entry into the market for third-party services, and the willingness of service providers to absorb costs or pass costs on to other customers).

[769] These figures are 20% of the range from the Regulation SCI Adopting Release, adjusted for inflation since 2014.

[770] The Commission currently estimates there are 47 current SCI entities. The range of $3.8 million and $28.7 million represents 47 times the per-entity cost range from the SCI Adopting Release, adjusted for inflation since 2014.

[771] The range of $2.6 million and $19.1 million represents 47 times the per-entity cost range from the SCI Adopting Release, adjusted for inflation since 2014.

Request for Comment

106. For current SCI entities, do you agree that the Commission’s specified ranges reasonably capture the non-paperwork burden costs owing to Rule 1001(a) and (b) that you have incurred above and beyond amounts you were already spending to ensure your SCI systems’ capacity, integrity, resiliency, availability, and security under the existing requirements of Regulation SCI?

107. For new SCI entities, do you agree that the Commission’s specified ranges reasonably capture the non-paperwork burden costs owing to Rule 1001(a) and (b) that you expect to incur above and beyond the amounts you were already spending to ensure your SCI systems’ capacity, integrity, resiliency, availability, and security under the existing requirements of Regulation SCI?

108. For current and new SCI entities, do you agree that the Commission’s specified ranges for the non-paperwork cost of complying with the proposed amendments to Rule 1001(a) and (b), at 20 percent of the specified ranges for Rule 1001(a) and (b), reasonably capture such costs that you expect to incur, above and beyond amounts you are already spending to ensure your SCI systems’ capacity, integrity, resiliency, availability, and security, owing to the proposed amendments?

109. If you are a current SCI entity and currently maintain an inventory and classification of all SCI systems, critical SCI systems, and indirect SCI systems, how does your activity differ from the requirements of the rule proposal? What have been the benefits and costs of this activity?

110. If you are a current SCI entity and have a program with respect to the lifecycle management of SCI systems, does it address the acquisition, integration, support, refresh, and disposal of such systems, as applicable? How does your activity differ from the requirements of the rule proposal? What have been the benefits and costs of this activity?

111. If you are a current SCI entity and you currently have a third-party provider management program to ensure that your SCI systems contractors perform their work in accordance with the requirements of Regulation SCI, how does your activity differ from the requirements of the rule proposal? What have been the benefits and costs of this activity?

112. If you are a current SCI entity and you currently require an initial and periodic review of contracts with service providers for consistency with your obligations under Regulation SCI, how does your activity differ from the requirements of the rule proposal? What have been the benefits and costs of this activity?

113. If you are a current or proposed SCI entity and you currently conduct a risk-based assessment of each third-party provider’s criticality to your operations, how does your activity differ from the requirements of the rule proposal? What have been the benefits and costs of this activity?

114. If you are a current SCI entity and your policies and procedures include a program to prevent unauthorized access to SCI systems and the information residing therein, how does your activity differ from the requirements of the rule proposal? What have been the benefits and costs of this activity?

115. The Commission requests that commenters provide relevant data and analysis to assist us in determining the economic consequences of the proposed amendments related to third-party provider management. In particular, the Commission requests data and analysis regarding the costs SCI entities and third-party providers may incur, and the benefits they may receive, from the proposed amendments.

116. Do you agree with the Commission’s analysis of the benefits of the proposed amendments related to third-party provider management? Why or why not? Please explain in detail.

117. Do you agree with the Commission’s analysis of the costs of the proposed amendments related to third-party provider management? Why or why not? Please explain in detail.

b. Rule 1002—Corrective Action, Commission Notification, and Information Dissemination

Regulation SCI requires SCI entities to take appropriate corrective actions in response to SCI events (Rule 1002(a)), notify the Commission of SCI events (Rule 1002(b)), and disseminate information regarding certain major SCI events to all members or participants of an SCI entity and certain other SCI events to affected members or participants (Rule 1002(c)). Rule 1000, in turn, defines SCI events to include systems disruptions, systems compliance issues, and systems intrusions. The Commission is proposing two amendments that affect these provisions. First, it is proposing to expand the definition of systems intrusion in Rule 1000. Second, it is proposing to amend Rule 1002(b)(5) to eliminate the exception to the reporting requirement for de minimis systems intrusions and instead require the reporting of all systems intrusions, whether de minimis or not, within the time frames specified in paragraphs (b)(1) through (4). New SCI entities will need to comply with these requirements of Rules 1000 and 1002, and their proposed amendments, for the first time. Existing SCI entities will need to apply the new definition of systems intrusion in Rule 1000 to the requirements of Rule 1002, including the amendments to Rule 1002(c). We discuss below the benefits and costs of these provisions and amendments for new and existing SCI entities.

i. Benefits

(1) Rule 1000—Definition of SCI Events

In general, the definition of SCI event (and its component parts) in Rule 1000 circumscribes the scope of the substantive requirements in Rule 1002. Therefore, many of the costs and benefits associated with the definitions are incorporated in the discussion of the substantive requirements.
The benefits associated with scoping the substantive requirements for Rule 1002 through the specific definitions of systems disruption, systems compliance issue, and systems intrusion are discussed at length in the 2014 SCI Adopting Release[772] and would apply to the new SCI entities. We summarize those benefits here and discuss the benefits for both new and current SCI entities resulting from expanding the definition of systems intrusion.

Systems Disruption.

Rule 1000 of Regulation SCI currently defines a “systems disruption” as an event in an SCI entity’s SCI systems that disrupts, or significantly degrades, the normal operation of an SCI system. This definition would remain unchanged. As the Commission noted in 2014, the definition sets forth a standard that SCI entities can apply in a wide variety of circumstances to determine, in their discretion, whether a systems issue should appropriately be categorized as a systems disruption. The inclusion of systems disruptions in the definition of SCI event, along with the requirements of Rule 1002, should help effectively reduce the severity and duration of events at new SCI entities that harm pricing efficiency, price discovery, and liquidity, and should help Commission oversight of the securities markets.

Systems Compliance Issues.

Under Rule 1000, a systems compliance issue is an event at an SCI entity that has caused any SCI system of such entity to operate in a manner that does not comply with the Act and the rules and regulations thereunder or the entity’s rules or governing documents, as applicable. The Commission stated in 2014 that the inclusion of systems compliance issues in the definition of SCI event, and the resulting applicability of the Commission reporting, information dissemination, and recordkeeping requirements, are important to help ensure that SCI systems are operated by SCI entities in compliance with the Exchange Act, the rules thereunder, and their own rules and governing documents.

Systems Intrusion.

Rule 1000 of Regulation SCI currently defines a “systems intrusion” as any unauthorized entry into the SCI systems or indirect SCI systems of an SCI entity. The Commission is proposing to expand the definition of systems intrusion to include any cybersecurity attack that disrupts, or significantly degrades, the normal operation of an SCI system. This revision includes cybersecurity events that cause disruption on an SCI entity’s SCI systems or indirect SCI systems, whether or not the event resulted in an entry into or access to such systems. In addition, the proposed revised definition would include any significant attempted unauthorized entry into the SCI systems or indirect SCI systems of an SCI entity, as determined by the SCI entity pursuant to established reasonable written criteria. This revision is intended to capture unsuccessful, but significant, attempts to enter an SCI entity’s SCI systems or indirect SCI systems. The definition, including the proposed amendments, will apply to new SCI entities for the first time, while the proposed amendments will apply to existing SCI entities. In the SCI Adopting Release, the Commission discussed the benefits of including a systems intrusion in the definition of an SCI event to which the requirements of Rule 1002 apply. These same benefits extend to the new SCI entities. Specifically, the Commission stated that unauthorized access to, and destruction and manipulation of, SCI systems and indirect SCI systems could adversely affect the markets and market participants because intruders could force systems to operate in unintended ways that could create significant disruptions in the securities markets.

[772] See SCI Adopting Release, supra note 1, at 72423–27.
Therefore, the inclusion of systems intrusions in the definition of SCI events can help reduce the risk of such adverse effects for new SCI entities. The proposed changes, which would apply to new and current SCI entities, would update the definition to include additional types of incidents that are currently considered to be cybersecurity events but are not included in the current definition. If an incident meets the definition, the SCI entity must then comply with the requirements for corrective action, Commission notice, and information dissemination in Rule 1002. The proposed changes to the definition would thus ensure that the Commission and its staff are made aware when an SCI entity is the subject of a significant cybersecurity threat, including those that may ultimately be unsuccessful, which would provide important information regarding threats that may be posed to other entities in the securities markets, including other SCI entities. Because such cybersecurity events can cause serious harm and disruption to an SCI entity’s operations, the Commission believes that the definition of systems intrusion should be broadened to include cybersecurity events that may not entail actually entering or accessing the SCI entity’s SCI systems or indirect SCI systems, but still cause disruption or significant degradation, as well as significant attempted unauthorized entries. By requiring SCI entities to submit SCI filings for these new types of systems intrusions, the Commission believes that the revised definition of systems intrusion would also provide the Commission and its staff more complete information to assess the security status of the SCI entity, and also to assess the impact or potential impact that unauthorized activity could have on the security of the SCI entity’s affected systems as well as on other SCI entities and market participants.
(2) Rule 1002—Corrective Action, Commission Notice, Information Dissemination

As noted, Rule 1002 prescribes certain required actions for SCI entities upon any responsible SCI personnel having a reasonable basis to conclude that an SCI event has occurred. The requirements of Rule 1002(a) and (c) remain substantively unchanged from current Regulation SCI, except that additional events are scoped into these Rules for existing SCI entities through the proposed expanded definition of systems intrusion. These provisions will therefore primarily affect new SCI entities. We discuss generally the benefits of the expanded definition above and do not repeat those here.[773]

Corrective Action (Rule 1002(a)).

Rule 1002(a) requires an SCI entity to begin to take appropriate corrective action upon any responsible SCI personnel having a reasonable basis to conclude that an SCI event has occurred. Rule 1002(a) also requires corrective action to include, at a minimum, mitigating potential harm to investors and market integrity resulting from the SCI event, and devoting adequate resources to remedy the SCI event as soon as reasonably practicable.

[773] The SCI Adopting Release considered the benefits and costs of the specific definitions for each type of SCI event. See SCI Adopting Release, supra note 1, at 72404–08. Those costs and benefits remain the same for new SCI entities to which these definitions would apply and are not repeated here, except with respect to the definition of systems intrusions, which the Commission proposes to amend. To the extent that the primary effect of these definitions is realized through the requirements in Rule 1002 to take corrective action, notify the Commission, and disseminate information, we discuss the effects of applying those requirements to new SCI entities below.
Thus, it would not be appropriate for an SCI entity to delay the start of corrective action once its responsible SCI personnel have a reasonable basis to conclude that an SCI event has occurred, and the SCI entity would be required to focus on mitigating potential harm to investors and market integrity resulting from the SCI event and devoting adequate resources to remedy the SCI event as soon as reasonably practicable. This provision remains unchanged for existing SCI entities, except to the extent they must comply with the requirements for additional events scoped in under the expanded definition of systems intrusion, as noted above. For both current and new SCI entities, the benefits of expanding the definition to include certain types of systems intrusions that are not covered by Regulation SCI would include a potential reduction in the length or severity of systems disruptions caused by these types of intrusions and would thus reduce the negative effects of those interruptions on the SCI entity and on market participants. The corrective action requirement of Regulation SCI will likely reduce the length of systems disruptions, systems compliance issues, and systems intrusions, and thus reduce the negative effects of those interruptions on the SCI entity and market participants. Additionally, to the extent that corrective action could involve widescale systems upgrades, some SCI entities may potentially seek to accelerate capital expenditures, for example, by updating their systems with newer technology earlier than they might have otherwise to comply with Regulation SCI. As such, Rule 1002(a) could further help ensure that SCI entities invest sufficient resources as soon as reasonably practicable to address systems issues. New SCI entities will become subject to Rule 1002(a) for the first time. The Commission believes that new SCI entities already have a variety of procedures in place to take corrective actions when system issues occur. 
However, Rule 1002(a) may require modifications to those existing practices, in part because the rule specifies the timing and enumerates certain goals for corrective action.[774]

Commission Notification (Rule 1002(b)).

Rule 1002(b) requires an SCI entity to notify the Commission of the SCI event immediately upon any responsible SCI personnel having a reasonable basis to conclude that an SCI event has occurred. Within 24 hours of any responsible SCI personnel having a reasonable basis to conclude that an SCI event has occurred, an SCI entity is required to submit to the Commission a more detailed written notification, on a good faith, best efforts basis, pertaining to the SCI event. Until such time as the SCI event is resolved and the SCI entity’s investigation of the SCI event is closed, the SCI entity is required to provide updates regularly, or at such frequency as requested by a representative of the Commission. The SCI entity is also required to submit a detailed final written notification after the SCI event is resolved and the SCI entity’s investigation of the event is closed (and an additional interim written notification, if the SCI event is not resolved or the investigation is not closed within a specified period of time). Finally, paragraph (b)(5) currently provides an exception to the reporting requirements of paragraphs (b)(1) through (4) for de minimis SCI events, and SCI entities are currently required to submit a summary to the Commission with respect to systems disruptions and systems intrusions only on a quarterly basis. The Commission is proposing to amend this provision to exclude systems intrusions from this exception so that SCI entities will need to report systems intrusions, whether de minimis or not, within the time frames specified in paragraphs (b)(1) through (4).
This would eliminate quarterly reporting for de minimis systems intrusions. Thus, for current SCI entities, the difference concerns the time frame for, and manner of, reporting de minimis systems intrusions, while new SCI entities will be subject to the entire Commission notification regime for the first time. For the new SCI entities, Rule 1002(b) as a whole would enhance the effectiveness of Commission oversight of the operation of these entities. For example, SCI event notification results in greater transparency for the Commission, including ensuring that the Commission has a view into problems at particular SCI entities for regulatory purposes as well as perspective on the effect of a single problem on the market at large.[775] Further, the requirement of submitting notifications pertaining to SCI events to the Commission, set forth by Rule 1002(b), could help prevent systems failures from being dismissed as momentary issues, because notification would help focus the SCI entity’s attention on the issue and encourage allocation of SCI entity resources to resolve the issue as soon as reasonably practicable. Both new and current SCI entities would be subject to the new reporting requirements under the proposed revisions to Rule 1001(b)(5). These revisions eliminate the need for entities to determine whether an intrusion (which should be rare and also may be difficult to assess) meets the de minimis threshold before they notify the Commission, and instead would require reporting to the Commission of all systems intrusions at the time of the event, which will provide more timely information to the Commission. This may result in more frequent reporting of systems intrusions while also eliminating quarterly reporting of systems intrusions, as compared to the baseline.

Information Dissemination (Rule 1002(c)).
Rule 1002(c) currently requires an SCI entity to disseminate information regarding certain major SCI events to all of its members or participants and certain other SCI events to affected members or participants. Specifically, promptly after any responsible SCI personnel having a reasonable basis to conclude that an SCI event has occurred, an SCI entity is required to disseminate certain information regarding the SCI event. When certain additional information becomes known, the SCI entity is required to promptly disseminate such information to those members or participants (or, as proposed, in the case of an SCI broker-dealer, customers) of the SCI entity that any responsible SCI personnel has reasonably estimated may have been affected by the SCI event. Until the SCI event is resolved, the SCI entity is required to provide regular updates on the required information. In the case of a major SCI event, where the impact is most likely to be felt by many market participants, dissemination of information to all members, participants, or customers, as applicable, of the SCI entity is required. A major SCI event is defined to mean an SCI event that has any impact on a critical SCI system or a significant impact on the SCI entity’s operations or on market participants. The information dissemination requirement currently does not apply to SCI events to the extent that they relate to market regulation or market surveillance systems, or to de minimis SCI events. The Commission is proposing to add to these exceptions to the information dissemination requirement a systems intrusion that is a significant attempted unauthorized entry into the SCI systems or indirect SCI systems.
Accordingly, Rule 1002(c) remains mostly unchanged for existing SCI entities, except to the extent they must comply with the requirements for additional events scoped in under the expanded definition of systems intrusion (the benefits of which are discussed above) and except for systems intrusions that are significant attempted unauthorized entries, which are exempted from the information dissemination requirements. New SCI entities, however, will become subject to the information dissemination requirements for the first time. Rule 1002(c) is expected to help market participants—specifically the members, participants, or customers, as applicable, of new SCI entities estimated to be affected by an SCI event and, in the case of major SCI events, all members, participants, or customers of a new SCI entity—to better evaluate the operations of SCI entities by requiring certain information about the SCI event to be disclosed. Furthermore, increased awareness of SCI events through information disseminated to members, participants, or customers, as applicable, should provide new SCI entities additional incentives to maintain robust systems and minimize the occurrence of SCI events. More robust SCI systems and the reduction in the occurrence of SCI events at new SCI entities could reduce interruptions in price discovery processes and liquidity flows. For example, in 2014, a commenter stated that sharing information about hardware failures, systems intrusions, and software glitches will alert others in the industry about such problems and help reduce system-wide costs of diagnosing problems, as well as result in improved responses to technology problems.[776] With respect to the new exception for significant attempted unauthorized entries, which impacts new and existing SCI entities, the Commission is concerned that disseminating information about unsuccessful attempted entries to members or participants of an SCI entity would create unnecessary distractions, particularly since the SCI entity’s security controls were able, in fact, to repel the cybersecurity event. In addition, disseminating information regarding unsuccessful intrusions could result in the threat actors being unnecessarily alerted that they have been detected, which could make it more difficult to identify the attackers and halt their efforts on an ongoing, more permanent basis.

The Commission recognizes that many of the new SCI entities are currently subject to other regulatory requirements to maintain policies and procedures that address the provisions required by these rules, as discussed in detail above.[777] Similarly, some existing SCI entities engage in current market practices consistent with the expanded definition of systems intrusion. The benefits from the policy and procedure requirements in Rule 1002(a) through (c) for the new SCI entities (and the costs, as discussed below) will therefore depend on the extent to which their current operations already align with the rule’s requirements, given both existing regulation and current practice. While some of the existing regulations that apply to the proposed new SCI entities may be consistent with or similar to the policy and procedure requirements of Regulation SCI discussed in this section, the Commission believes it is nevertheless appropriate to apply these policy and procedure requirements to the new SCI entities and that doing so would benefit participants in the securities markets in which these entities operate.

[774] See SCI Adopting Release, supra note 1, at 72423.

[775] See SCI Adopting Release, supra note 1, at 72424 (citing letter by David Lauer).

[776] See SCI Adopting Release, supra note 1, at 72426 n. 931 (citing letter from James Angel).
Overall, applying the specific and comprehensive requirements set forth in Rule 1002(a) through (c) of Regulation SCI to the new SCI entities would enhance and build on any existing policies and procedures, thereby furthering the goals of Regulation SCI to strengthen the technology infrastructure of the U.S. securities markets and improve its resilience. ii. Costs We discuss below the costs of complying with the requirements of Rule 1002, applying the definitions in Rule 1000, including the amended definition of systems intrusion. Because the definitions themselves have no associated costs, all of the costs associated with the amended definition flow through the substantive requirements. New SCI entities will need to comply with these requirements 777 See sections III.A.2.a.ii, III.A.2.b.ii, III.A.2.c.i., V.B.1.a.ii, V.B.1.b.ii, and V.B.1.c.ii. VerDate Sep<11>2014 20:01 Apr 13, 2023 Jkt 259001 for the first time whereas costs for the existing SCI entities are attributed to the expanded definition of systems intrusion and the amendment to Rule 1002(b)(5). Relative to the current practice and baseline, the proposed rule expansion of the definition of the intrusion would likely result in more frequent reporting by the SCI entities to the Commission, which is reflected in the costs estimates below. Corrective Action (Rule 1002(a)). Rule 1002(a) could impose modestly higher costs for new SCI entities in responding to SCI events relative to their current practice. In the PRA analysis, the Commission estimates those costs as approximately $1.2 million in initial and $0.4 million in annual costs.778 Furthermore, if Regulation SCI reduces the frequency and severity of SCI events in the future, the cost of corrective action could similarly decline over time. Nevertheless, the Commission lacks data regarding the degree to which Regulation SCI will reduce the frequency and severity of SCI events at new SCI entities. 
In addition, if a new SCI entity is required to take corrective action sooner than it might have without the requirements of Regulation SCI, this may impose indirect costs (i.e., opportunity costs) to such SCI entities because they may have to delay or reallocate their resources away from profitable projects and direct their resources toward taking corrective action required by the rule. It is difficult to assess indirect costs imposed on new SCI entities without having comprehensive and detailed information on the value of the potential foregone projects of those SCI entities. The facts and circumstances of each specific SCI event will be different. Existing SCI entities may incur new costs associated with corrective action for additional systems intrusions scoped in under the expanded definition. The Commission estimates a one-time total cost of approximately $0.5 million for all existing SCI entities to update their procedures to account for additional types of systems intrusions.779 To the extent new SCI entities currently undertake correction action consistent with the Rule 1002(a) requirements, they could incur lower PRA costs to comply with the requirements of Rule 1002(a) than entities without such existing requirements. Similarly, to the extent 778 See section IV.D.7. For purposes of this Economic Analysis, there are two fewer entities than under the PRA analysis, lowering these estimated costs. See supra note 700. 779 See section IV.D.2.b, IV.D.7. PO 00000 Frm 00111 Fmt 4701 Sfmt 4702 23255 many existing SCI entities currently undertake corrective action consistent with the expanded definition of systems intrusion, they could incur lower PRA costs to comply with the amended requirements of Rule 1002(a) than entities without such existing requirements. Notification of SCI Events (Rule 1002(b)). 
The compliance costs associated with Rule 1002(b) are attributed to the paperwork burden of Commission notifications of SCI events, including recordkeeping and submission of quarterly reports with respect to de minimis SCI events, as applicable. For new SCI entities, these costs include costs to comply with the notification requirements, as amended, for the first time. Existing SCI entities would incur costs complying with the amendment to Rule 1002(b)(5) as well as the costs associated with notification for new events scoped in under the expanded definition of systems intrusion. These are discussed in detail in section IV. For Rule 1002(b)(1), the Commission estimates approximately $0.1 million in initial and annual costs for existing and new SCI entities alike.780 For Rule 1002(b)(2), the Commission estimates approximately $1.3 million in initial and annual costs for existing SCI entities and $1.5 million in initial and annual costs for new SCI entities.781 For Rule 1002(b)(3), the Commission estimates approximately $0.2 million in initial and annual costs for existing SCI entities and $0.2 million in initial and annual costs for new SCI entities.782 For Rule 1002(b)(4), the Commission estimates approximately $2.0 million in initial and annual costs for existing SCI entities and $2.3 million in initial and annual costs for new SCI entities.783 Finally, for Rule 1002(b)(5), the Commission estimates a savings for existing SCI entities, as noted above, and approximately $1.2 million in initial and annual costs for new SCI entities.784 To the extent new SCI entities currently provide notification consistent with the Rule 1002(b) requirements, they could incur lower PRA costs to comply with the requirements of Rule 1002(b) than entities without such existing practices.

780 See id.
781 See section IV.D.7; see also supra note 700.
782 Id.
783 Id.
784 Id.

Information Dissemination (Rule 1002(c)). While some new SCI entities currently provide their members or participants and, in some cases, market participants or the public more generally, with notices of certain systems issues (e.g., system outages), Rule 1002(c) may impose new requirements that they have not currently implemented. As such, the requirements of Rule 1002(c) will impose costs—which are attributed to paperwork burdens—on new SCI entities with respect to preparing, drafting, reviewing, and making the information available to members or participants or, in the case of an SCI broker-dealer, customers. For new SCI entities, the Commission estimates approximately $1.3 million in costs, initially and annually, for disseminating information about SCI events and systems affected, as required by Rule 1002(c)(1).785 For new entities, the Commission also estimates approximately $1.6 million in initial costs and $0.4 million in annual costs to develop processes to identify the nature of a critical system, major SCI event, or de minimis SCI event for purposes of disseminating this information.786 Existing SCI entities may incur new costs associated with information dissemination for additional systems intrusions scoped in under the expanded definition. The Commission estimates approximately $0.7 million in initial and annual PRA costs for existing SCI entities, and $0.4 million in initial and annual costs for new SCI entities, for disseminating information about systems intrusions as required by the proposed revisions to Rule 1002(c)(2).787 These costs are discussed in more detail in section IV. To the extent new SCI entities currently disseminate information consistent with the Rule 1002(c) requirements, they could incur lower PRA costs to comply with the requirements of Rule 1002(c) than entities without such existing requirements. Similarly, to the extent many existing SCI entities currently disseminate information consistent with the expanded definition of systems intrusion, they could incur lower PRA costs to comply with the amended requirements of Rule 1002(c) than entities without such existing practices.

785 See section IV.D.7. For purposes of this Economic Analysis, there are two fewer entities than under the PRA analysis, lowering these estimated costs. See supra note 700.
786 See sections IV.D.2.d, IV.D.7; see also supra note 700.
787 See section IV.D.7; supra note 700.

Identification of Nature of System or Event. To comply with the requirements of Rule 1002, SCI entities need to identify certain types of events and systems issues, including whether the event is de minimis. Current SCI entities would already have such processes in place to comply with the existing requirements of Regulation SCI. The Commission understands that many new SCI entities likely already have some internal procedures for determining the severity of a systems issue. As a new SCI entity must determine whether an SCI event has occurred and whether it is a de minimis SCI event, Rule 1002 may impose one-time implementation costs on new SCI entities associated with developing a process, or modifying an existing process, to ensure that they are able to quickly and correctly make such determinations, as well as ongoing costs in reviewing the adopted process. As explained in detail in section IV, we estimate new SCI entities would incur an initial PRA cost of $1,641,024 and an ongoing annual PRA cost of $362,418 to develop these processes. To the extent new SCI entities currently have a process in place for identifying certain types of events and systems issues consistent with the relevant Rule 1002 requirements, they could incur lower PRA costs to comply with the relevant requirements of Rule 1002 than entities without such existing requirements.

c. Rule 1003—Material Systems Changes and SCI Review

i. Reports to the Commission (Rule 1003(a))

Rule 1003(a)(1) requires an SCI entity to provide quarterly reports to the Commission describing completed, ongoing, and planned material systems changes to its SCI systems and the security of indirect SCI systems, during the prior, current, and subsequent calendar quarters. Rule 1003(a)(1) also requires an SCI entity to establish reasonable written criteria for identifying a change to its SCI systems and the security of its indirect SCI systems as material. Rule 1003(a)(2) requires an SCI entity to promptly submit a supplemental report to notify the Commission of a material error in or material omission from a previously submitted report. These requirements remain unchanged. New SCI entities, however, will become subject to them for the first time. We discuss the benefits and costs of applying these provisions to new SCI entities below.

(1) Benefits

The notification requirement would be beneficial because it permits the Commission and its staff to have up-to-date information regarding an SCI entity’s systems development progress and plans, to aid in understanding the operations and functionality of the systems, and any material changes thereto, without requiring SCI entities to submit a notification to the Commission for each material systems change.788 The Commission recognizes that some of the new SCI entities are currently subject to other material systems change notification requirements and that most, if not all, new SCI entities have some internal processes for documenting systems changes, as discussed in detail above.789 Accordingly, the Commission notification requirements in Rule 1003(a) would be new for most but not all of the new SCI entities. The benefits from the policy and procedure requirements in Rule 1003(a) for the new SCI entities (and the costs, as discussed below) will therefore depend on the extent to which their current operations already align with the rule’s requirements, given both existing regulation and current practice. While some of the existing regulations that apply to the proposed new SCI entities may be consistent with or similar to the policy and procedure requirements of Regulation SCI discussed in this section, the Commission believes it is nevertheless appropriate to apply these policy and procedure requirements to the new SCI entities and that doing so would benefit participants in the securities markets in which these entities operate. Overall, applying the specific and comprehensive requirements set forth in Rule 1003(a) of Regulation SCI to the new SCI entities would complement any existing requirements and enhance any reporting of material systems changes already in place for these entities.

788 See SCI Adopting Release, supra note 1, at 72337–38.
789 See sections III.A.2.a.ii, III.A.2.b.ii, III.A.2.c.i, V.B.1.a.ii, V.B.1.b.ii, and V.B.1.c.ii.

(2) Costs

The compliance costs of Rule 1003(a) primarily entail costs associated with preparing and submitting Form SCI in accordance with the instructions thereto. The initial and ongoing PRA cost estimates associated with preparing and submitting Form SCI with regard to material systems changes under Rule 1003(a)(1) and (2) are discussed in detail in section V. The Commission does not expect Rule 1003(a) would impose significant costs on SCI entities other than those discussed in section IV. For new SCI entities, the Commission estimates approximately $1.0 million in initial PRA costs and $0.3 million in annual PRA costs to establish reasonable written criteria for identifying material changes to SCI systems and to the security of indirect SCI systems.790 For new SCI entities, the Commission also estimates approximately $3.6 million initially and annually in PRA costs associated with material systems change notices.791 The Commission acknowledges that the actual cost for each new entity may differ depending on its existing processes for documenting systems changes and whether the necessary information is readily available. The Commission does not expect Rule 1003(a) to impose significant costs on new SCI entities besides the costs discussed here. To the extent new SCI entities are currently subject to other material systems change notification regulatory requirements and have existing processes for documenting systems changes that align with the Rule 1003(a) requirements, they could incur lower costs to comply with the requirements of Rule 1003(a) than entities without such existing requirements.

790 See section IV.D.7. For purposes of this Economic Analysis, there are two fewer entities than under the PRA analysis, lowering these estimated costs. See supra note 700.
791 Id.

ii. Annual SCI Review (Rules 1000 and 1003(b))

Rule 1003(b) requires SCI entities to conduct an annual SCI review and works in conjunction with the definition of “SCI review” in Rule 1000. Under the current definition, SCI review includes “(1) A risk assessment with respect to such systems of an SCI entity; and (2) An assessment of internal control design and effectiveness of its SCI systems and indirect SCI systems to include logical and physical security controls, development processes, and information technology governance, consistent with industry standards.”792 Rule 1003(b)(1) then requires an annual SCI review, “provided, however, that (i) Penetration test reviews . . . shall be conducted at a frequency of not less than once every three years; and (ii) Assessment of SCI systems directly supporting market regulation or market surveillance shall be conducted at a frequency based upon the risk assessment conducted as part of the SCI review, but in no case less than once every three years.”793 Rule 1003(b)(2) and (3) require each SCI entity to submit its annual SCI review report to, respectively, “senior management of the SCI entity for review” and “to the Commission and to the board of directors of the SCI entity, or the equivalent of such board” within specified time frames.794 The Commission proposes to make changes to the definition of “SCI review.” Specifically, under the proposed amendment, “SCI review” would include, for both SCI systems and indirect SCI systems, an annual assessment, using appropriate risk management methodology, of risks related to capacity, integrity, resiliency, availability, and security, and of internal control design and operating effectiveness; annual penetration test reviews (increased from at least one review every three years); and a review of third-party provider management risks and controls. Rule 1003(b) would also be amended to require more specific information to be included in the SCI review report, including a list of the controls reviewed and a description of each such control; the findings of the SCI review, including, at a minimum, assessments of the risks described above; a summary, including the scope of testing and resulting action plan, of each penetration test review; and a description of each deficiency and weakness identified by the SCI review.

792 17 CFR 242.1000.
793 17 CFR 242.1003(b)(1).
794 17 CFR 242.1003(b)(2) and (3).

In addition, the revisions would make mandatory that a response from senior management to the report is included when it is submitted to the Commission and board, whereas previously the language appeared permissive.

(1) Benefits

The SCI review requirement would have SCI entities assess the relative strengths and weaknesses of their systems, which may help, in turn, improve systems and reduce the number of SCI events. The reduction in occurrence of SCI events could reduce interruptions in the price discovery process and liquidity flows, as discussed above. In addition, the efficiency of the Commission’s oversight (e.g., inspection) of SCI entities’ systems would be enhanced. The proposed increase in the frequency of penetration test reviews, which applies to both new and existing SCI entities, should better prepare SCI entities against cyber threats, which are increasing in number and becoming more sophisticated. For this reason, the proposed amendment is expected to further strengthen the security, integrity, and resilience of all SCI entities. Having an annual penetration testing requirement can help SCI entities reduce the likelihood of costly data breaches.795 For instance, according to one industry source, RSI Security, a penetration test “can measure [the entity’s] system’s strengths and weaknesses in a controlled environment before [the entity has] to pay the cost of an extremely damaging data breach.”796 The requirement to review third-party provider management risks and controls will work in conjunction with the proposed amendment to Rule 1001(a)(2) requiring inclusion of a third-party provider management. The additional benefit of requiring an annual review of third-party provider management risks and controls is to ensure the benefits provided by the amendment to Rule 1001(a)(2) are properly realized and to further increase the likelihood that third-party providers provide functionality, support, or services that are consistent with the requirements of Regulation SCI.

The Commission understands that many existing SCI entities have already adopted practices that may align with some of the provisions of the proposed amendment to Rule 1003(b). The Commission also understands that many new SCI entities currently undertake annual systems reviews and that senior management and/or the board of directors or a committee thereof reviews reports of such reviews, as discussed in detail above.797 However, the scope of the systems reviews, and the level of senior management and/or board involvement in such reviews, can vary. The benefits from the policy and procedure requirements in Rule 1003(b) for the new SCI entities (and the costs, as discussed below) and the benefits from the amended policy and procedure requirements in Rule 1003(b) for the existing SCI entities will therefore depend on the extent to which their current operations already align with the rule’s requirements, given both existing regulation and current practice. For example, with respect to broker-dealers, prior Commission and FINRA exam results indicate that many if not most large broker-dealers conduct risk assessments of internal control design and effectiveness. Additionally, some broker-dealers provide annual cybersecurity reports to the board. The Commission understands that nearly all large broker-dealers conduct penetration testing798 of systems considered critical, although not all firms conduct such testing annually. Many of these current market practices align with the policy and procedure requirements of Regulation SCI discussed in this section. While some of the existing regulations that apply to the proposed new SCI entities or current market practices may be consistent with or similar to some of the policy and procedure requirements of Regulation SCI discussed in this section, the Commission believes it is nevertheless appropriate to apply these policy and procedure requirements to the new SCI entities and that doing so would benefit participants in the securities markets in which these entities operate. Overall, applying the specific and comprehensive requirements set forth in Rule 1003(b) of Regulation SCI to the new SCI entities would enhance and build on any existing policies and procedures, thereby furthering the goals of Regulation SCI to strengthen the technology infrastructure of the U.S. securities markets and improve its resilience.

795 See, e.g., Mirza Asrar Baig, How Often Should You Pentest?, Forbes.com (Jan. 22, 2021), available at https://www.forbes.com/sites/forbestechcouncil/2021/01/22/how-often-should-you-pentest/?sh=b667999573c6.
796 RSI Security, What is the Average Cost of Penetration Testing?, RSI Security Blog (Mar. 5, 2020), available at https://blog.rsisecurity.com/what-is-the-average-cost-of-penetration-testing/#:~:text=Penetration%20testing%20can%20cost%20anywhere,that%20of%20a%20large%20company.
797 See sections III.A.2.a.ii, III.A.2.b.ii, III.A.2.c.i, V.B.1.a.ii, V.B.1.b.ii, and V.B.1.c.ii.
798 Supra note 619. According to FINRA’s 2018 RCA, 100% of higher revenue firms include penetration testing as a component in their overall cybersecurity program. Other factors these firms consider in evaluating the relevance of penetration testing include the degree to which they manage or store confidential or critical data such as trading strategies, customer PII, information about mergers and acquisitions, or confidential information from other entities (for example, in the case of clearing firms).

(2) Costs

New SCI entities will incur costs to comply with the review requirements for the first time, and existing SCI entities will incur costs to comply with the amended provisions. The initial and ongoing paperwork burden associated with conducting an SCI review, submitting a report of the SCI review to senior management of the SCI entity for review, and submitting a report of the SCI review and the response by senior management to the Commission and to the board of directors of the SCI entity or the equivalent of such board is discussed in detail in section IV. For existing SCI entities, the Commission estimates approximately $7.4 million in initial and annual costs, while for new SCI entities the Commission estimates approximately $9.6 million in initial and annual costs.799 The paperwork burden estimates provided here for new SCI entities include the costs of complying with the proposed amended versions of the Rule, namely the proposed additional requirements for conducting the SCI review, the requirement that SCI entities include more specific information in their SCI review reports, and related recordkeeping.800 To the extent new SCI entities currently undertake annual systems reviews and senior management and/or the board of directors or a committee thereof reviews reports of such reviews consistent with the Rule 1003(a) requirements, they could incur lower PRA costs to comply with the requirements of Rule 1003(a) than entities without such existing practices. Similarly, to the extent many existing SCI entities have already adopted practices that are consistent with some of the provisions of the proposed amendment to Rule 1003(b), they could incur lower PRA costs to comply with the requirements of Rule 1003(a) than entities without such existing practices.

799 See section IV.D.7. For purposes of this Economic Analysis, there are two fewer entities than under the PRA analysis, lowering these estimated costs. See supra note 700.
800 See section IV.D.3.

With respect to the increased frequency for the penetration test review, this requirement will impose non-paperwork compliance costs in addition to those captured by the PRA estimates for both new and existing SCI entities. For example, RSI Security explains that penetration testing “can cost anywhere from $4,000–$100,000,” and “[o]n average, a high quality, professional [penetration testing] can cost from $10,000–$30,000.”801 RSI Security, however, was clear that the magnitudes of these costs can vary with size, complexity, scope, methodology, types, experience, and remediation measures.802 Another source estimates a “high-quality, professional [penetration testing to cost] between $15,000–$30,000,” while emphasizing that “cost varies quite a bit based on a set of variables.”803 This is in line with a third source, which states that “[a] true penetration test will likely cost a minimum of $25,000.”804 The Commission preliminarily believes that the cost of penetration testing will range between $25,000 and $100,000 for new and existing SCI entities, in light of the complexity and scope required, although the costs may be somewhat lower depending on the frequency with which such testing and review are currently conducted by new and existing SCI entities. The Commission acknowledges the non-paperwork costs of the proposed increase in the frequency of a penetration test review, and seeks feedback on these costs.

801 See RSI Security, supra note 796.
802 See id.
803 Gary Glover, How Much Does a Pentest Cost?, Securitymetrics Blog (Nov. 15, 2022, 8:36 a.m.), available at https://www.securitymetrics.com/blog/how-much-does-pentest-cost.
804 Mitnick Security, What Should You Budget for a Penetration Test? The True Cost, Mitnick Security Blog (Jan. 29, 2021, 5:13 a.m.), available at https://www.mitnicksecurity.com/blog/what-should-you-budget-for-a-penetration-test-the-true-cost.

Request for Comment

118. For current and proposed SCI entities, how often do you (already) perform penetration testing and how much does it cost?

d. Rule 1004—Business Continuity and Disaster Recovery Plan Testing

Rule 1004(b) requires the testing of an SCI entity’s business continuity and disaster recovery plans at least once every 12 months. Rule 1004(a) and (b) require participation in such testing by those members or participants that an SCI entity reasonably determines are, taken as a whole, the minimum number necessary for the maintenance of fair and orderly markets in the event of the activation of its BC/DR plans. Rule 1004(c) requires an SCI entity to coordinate such testing on an industry- or sector-wide basis with other SCI entities.805 The Commission is proposing to amend Rule 1004 to require that third-party providers also participate in such testing. Therefore, for current SCI entities, the difference is the inclusion of third-party providers in their testing. For new SCI entities, the entire provision is a new obligation. We discuss below the benefits and costs of applying this provision, including the proposed amendments, to new and existing SCI entities.

805 One avenue for coordinating such testing is through SIFMA’s voluntary Industry-Wide Business Continuity Test. See SIFMA, Industry-Wide Business Continuity Test (Oct. 15, 2022), available at https://www.sifma.org/resources/general/industry-wide-business-continuity-test/.

i. Benefits

As discussed above, requiring the new SCI entities to test their BC/DR plans would likely improve backup infrastructure and lead to fewer market-wide shutdowns, which should help facilitate continuous liquidity flows in markets, reduce pricing errors, and thus improve the quality of the price discovery process.806 Moreover, Rule 1004 would help ensure fair and orderly markets in the event of the activation of BC/DR plans. In addition, for both new and existing SCI entities, the proposed requirement to establish standards for the designation of third-party providers and their participation in the currently scheduled functional and performance testing of the operation of BC/DR plans will help those SCI entities ensure that their efforts to develop effective BC/DR plans are not undermined by a lack of participation by third-party providers that the SCI entity believes are necessary to the successful activation of such plans. Although the Commission finds it impracticable to quantify these benefits in dollar terms,807 the Commission believes it would be helpful to consider the cost of an unplanned outage. For example, the Commission considers a reduced occurrence of a potential outage as a benefit of complying with Regulation SCI. As discussed above, one source of cost estimates for an unplanned outage is the Ponemon Institute’s 2016 Cost of Data Center Outages report.808 According to the report, the total cost per minute of an unplanned outage was $8,851 for the average data center the Institute surveyed in 2016.809 This implies a cost of $531,060 per hour of an unplanned outage at the time.810 Moreover, outages themselves can also last far longer than one hour. For example, natural disasters, such as hurricanes, can often lead to lengthy outages lasting 200 to 400 hours.811 Taken together, these data suggest potentially significant benefits to having adequate policies and procedures in place to ensure business continuity and disaster recovery plans for SCI entities. The benefits from the BC/DR requirements in Rule 1004 for the current and new SCI entities (and the costs, as discussed below) will depend on the extent to which their current operations already align with the rule’s requirements, given both existing regulation and current practice.

Based on discussion with industry participants, the Commission understands that some existing SCI entities already require third-party service provider participation in testing despite not being required to do so currently under Regulation SCI. For these SCI entities, there may be incremental benefits from making third-party service provider participation a requirement under the Regulation and ensuring that they continue to include these parties in such testing going forward. Some new SCI entities, either due to existing regulatory requirements or on their own volition, also already require some of their members or participants, as well as third-party providers, to participate in performance testing of BC/DR plans, or offer the opportunity to do so on a voluntary basis, although such participation may be limited in nature (e.g., testing for connectivity to backup systems). However, existing requirements for the new SCI entities may differ from the requirements of Rule 1004. For example, FINRA Rule 4370 does not require the functional and performance testing and coordination of industry or sector testing of such plans. With respect to SBSDRs, the requirements of Regulation SCI are more specific and comprehensive in terms of testing business continuity and disaster recovery plans than the principles-based requirements of Rule 13n-6.

806 See sec. V.C.1; see also SCI Adopting Release, supra note 1, at 72429.
807 As discussed in section V.D.1, multiple factors would affect the harm to the overall economy from an unplanned outage at an SCI entity.
808 See supra note 696.
809 Id. at 14.
810 The report also showed that this figure was increasing over time. The same figure was $5,617/min in 2010 and $7,908/min in 2013. See id.
811 See Data Foundry, How Much Should You Spend On Business Continuity and Disaster Recovery (Dec. 12, 2019), available at https://www.datafoundry.com/blog/much-spend-business-continuity-disaster-recovery.
The requirements of Regulation SCI would thus exist and operate in conjunction with Rule 13n-6 and help ensure that SBSDR market systems are robust, resilient, and secure, and enhance Commission oversight of these systems. Moreover, to the extent the systems of SBSDRs that relate to the security-based swap markets function separately (or could function separately in the future) from the systems of SDRs that relate to the swaps markets, applying Rule 1004 to these entities would help to ensure effective testing of BC/DR plans for the specific systems relevant to the securities markets and would subject these systems to enhanced Commission oversight. Similarly, the Commission recognizes that exempt clearing agencies that this rule proposal would newly scope into Regulation SCI are currently required to have BC/DR plans and test them at least annually with the participation of customers, critical utilities, critical service providers, other clearing agencies, other market infrastructures, and any other institution with which interdependencies have been identified in the business continuity policy. Overall, applying the specific and comprehensive requirements set forth in Rule 1004 would complement existing requirements and enhance the BC/DR plan tests already in place for these entities.

ii. Costs

The mandatory testing of SCI entity BC/DR plans, including backup systems, as required under amended Rule 1004, will result in costs to SCI entities. For current SCI entities, the increase in cost would come from the requirement to include designated third-party providers when testing their BC/DR plans—to the extent they have not been doing so. In addition, because the proposed requirements of Rule 1004 would require participation by various other parties, including designated members, participants, and other third parties, these parties may also bear costs of Rule 1004. We discuss these various costs below.
Costs to New and Existing SCI Entities. It is the Commission’s understanding that some new SCI entities already engage with their members, participants or customers, as applicable, or third-party providers when testing BC/DR plans. Furthermore, as mentioned above, market participants, including new SCI entities, already coordinate certain BC/DR plan testing to an extent. However, Rule 1004 mandates participation in testing for new SCI entities that do not currently participate, requires coordination when testing BC/DR plans, and requires that their members, market participants, or third-party providers participate. In particular, Rule 1004 requires SCI entities to designate their members, participants, or third-party providers to participate in BC/DR plan testing and to coordinate such testing with other SCI entities on an industry- or sector-wide basis. The requirement of member, participant, or third-party provider designation in BC/DR plan testing under Rule 1004 may impose new costs even for those that currently have BC/DR plan testing, as an SCI entity would have to allocate resources towards initially establishing and later updating standards for the designation of its members, participants, and third-party providers for testing. For example, systems reconfiguration for functional and performance testing and establishing an effective coordinated test script could be a complex process and result in additional costs, but it is an important first step in establishing robust and effective BC/DR plan testing. Furthermore, the requirement to coordinate industry- or sector-wide testing would impose additional administrative costs because an SCI entity would be required to notify its members, participants, or third-party providers and also organize, schedule, and manage the coordinated testing. Many of the costs associated with Rule 1004 are costs estimated in the PRA in section IV.
For existing SCI entities the Commission estimates approximately $1.4 million in initial costs and $0.5 million in annual costs, while for new SCI entities the Commission estimates approximately $3.2 million in initial costs and $1.1 million in annual costs.812 In addition to the PRA costs, the Commission believes that new SCI entities may incur non-paperwork costs associated with the mandatory testing of BC/DR plans, including backup systems; however, the Commission finds it impracticable to provide a quantified estimate of these specific non-paperwork costs for new SCI entities because the Commission does not have detailed information regarding the current level of engagement by members or participants in BC/DR testing and the associated costs, or the details of the BC/DR testing that new SCI entities would implement pursuant to Rule 1004. In addition, both new and existing SCI entities may incur costs beyond the PRA costs to comply with the requirement that third-party providers be included in the testing. The Commission acknowledges that there will be significant variations in incremental cost for new and existing SCI entities beyond the costs of complying with the rest of the testing requirements, depending on the relationship of each SCI entity with the third-party provider and the need to revise any contractual agreement between them. But in any situation where a third-party provider is already required to provide a continuous service plan (such as 24/7 connectivity), the incremental cost of having the third-party provider participate in the BC/DR testing should be modest.
To the extent existing and new SCI entities already have BC/DR plan testing that aligns with the Rule 1004 requirements, they could incur lower costs to comply with the requirements of Rule 1004 than entities without such existing BC/DR plan testing.

Costs to SCI Entity Members, Participants, and Third-Party Providers. Rule 1004 will also impose costs on SCI entity designated members, participants, and third-party providers. Although members, participants, and third-party providers will incur costs as a result of Rule 1004, those that are likely to be designated to participate in business continuity and disaster recovery plan testing are those that conduct a high level of activity with the SCI entity or those that play an important role for the SCI entity, and who are more likely to have already established connections to the SCI entity’s backup site. It is the Commission’s understanding that most of the larger members, participants, and third-party providers already have established connectivity with the SCI entity’s backup site and already monitor and maintain such connectivity, and thus the additional connectivity costs imposed by Rule 1004 would be modest for these members or participants.813 The Commission, however, finds it impracticable to provide a quantified estimate of the specific costs for SCI entity members, participants, or third-party providers associated with the mandatory testing required by Rule 1004, as such data or information is not required to be provided by SCI entities to the Commission under Regulation SCI.

812 See section IV.D.4. For purposes of this Economic Analysis, there are two fewer entities than under the PRA analysis, lowering these estimated costs. See supra note 700.
Nevertheless, the Commission preliminarily believes, for similar reasons as provided in the section discussing non-paperwork burden estimates for Rule 1001(a) and (b), that the figures from 2014 remain reasonable approximations for new SCI entities in 2023, after adjusting for inflation since 2014.814 Because SCI entities have an incentive to limit the cost and burden associated with testing to the minimum necessary to comply with the rule, given the option, most SCI entities would likely, in the exercise of reasonable discretion, prefer to designate the fewest number of members, participants, or third-party providers needed to participate in testing and meet the requirements of the rule, rather than designate more. The Commission believes that the cost associated with Rule 1004 is unlikely to induce the designated members or participants to reduce the number of SCI entities through which they trade and adversely affect price competitiveness in markets. As noted above, the Commission also recognizes that costs to some SCI entity members, participants, or third-party providers associated with Rule 1004 could vary depending on the BC/DR plans being tested, and on the extent to which they participate. Based on industry sources, the Commission understands that most of the larger members or participants of SCI entities already maintain connectivity with the backup systems of SCI entities.815 However, the Commission understands that there is a lower incidence of smaller members or participants maintaining connectivity with the backup sites of SCI entities. As such, the Commission believes that the compliance costs associated with Rule 1004 would be higher for those members, participants, or third-party providers that are designated for testing by SCI entities and that would need to invest in additional infrastructure to participate in such testing.816 As discussed above, Rule 1001(a) does not require that backup facilities of SCI entities fully duplicate the features of primary facilities.817 Further, as discussed in section IV.B.6, SCI entity members, participants, or third-party providers are not required by Regulation SCI to maintain the same level of connectivity with the backup sites of an SCI entity as they do with the primary sites. In the event of a wide-scale disruption in the securities markets, the Commission acknowledges that SCI entities and their members, participants, or third-party providers may not be able to provide the same level of service as on a normal trading day. However, when BC/DR plans are in effect due to a wide-scale disruption in the securities markets, the requirements of Rule 1004 should help ensure adequate levels of service and pricing efficiency, to facilitate trading and maintain fair and orderly markets, without imposing excessive costs on SCI entities and market participants by requiring them to maintain the same connectivity with the backup systems as with the primary sites.818

813 See SCI Adopting Release, supra note 1, at 72430.
814 After adjusting for inflation since 2014, the cost of BC/DR plan testing ranges from approximately $31,000 to $76,000 per year, per member or participant. The aggregate annual cost for designated members and participants to participate in BC/DR testing is approximately $84.0 million after adjusting for inflation since 2014.
815 SCI Adopting Release, supra note 1, at 72430.

Request for Comment

119. If you are a current or proposed SCI entity and you currently require any of your service providers to participate in your scheduled business continuity or disaster recovery testing, how does your activity differ from the requirements of the rule proposal? What have been the benefits and costs of this activity?

120.
If you are a current or proposed SCI entity and your business continuity or disaster recovery plans address the unavailability of your third-party providers, how does your activity differ from the requirements of the rule proposal? What have been the benefits and costs of this activity?

816 Id.
817 SCI Adopting Release, supra note 1, at 72353.
818 See id.

e. Rules 1005 Through 1007—Recordkeeping and Electronic Filing

Rules 1005 through 1007 relate to recordkeeping requirements, filing and submission requirements, and requirements for service bureaus. SCI entities are required by Rule 1005 of Regulation SCI to make, keep, and preserve certain records related to their compliance with Regulation SCI.819 Rule 1006 of Regulation SCI provides for certain requirements relating to the electronic filing, on Form SCI, of any notification, review, description, analysis, or report to the Commission required to be submitted under Regulation SCI.820 Rule 1007 of Regulation SCI requires a written undertaking when records are required to be filed or kept by an SCI entity under Regulation SCI, or are prepared or maintained by a service bureau or other recordkeeping service on behalf of the SCI entity.821 Rule 1005(c) currently requires that the recordkeeping period survive even if an SCI entity ceases to do business or ceases to be registered under the Exchange Act. The Commission proposes to amend Rule 1005(c) so that this record retention provision also applies to an SCI entity that remains in business as a registered entity but ‘‘otherwise [ceases] to be an SCI entity.’’ Therefore, for existing SCI entities, this is the only difference from the current recordkeeping requirement in Rule 1005(c). For new SCI entities, all of the requirements in Rules 1005 through 1007 are new obligations.
We discuss below the benefits and costs of applying these provisions to new and existing SCI entities.

i. Benefits

The Commission believes that Rules 1005 and 1007 would allow Commission staff to inspect and examine the new SCI entities for their compliance with Regulation SCI, and would increase the likelihood that Commission staff can identify conduct inconsistent with Regulation SCI. Preserved information should provide the Commission with an additional source to help determine the causes and consequences of one or more SCI events and better understand how such events may have impacted trade execution, price discovery, liquidity, and investor participation. Consequently, the Commission believes that the requirements of Rules 1005 and 1007 would help ensure compliance of the new SCI entities with Regulation SCI and help realize the potential benefits (e.g., better pricing efficiency, price discovery, and liquidity flows) of the regulation. Rule 1006 requires SCI entities to electronically file all written information with the Commission on Form SCI.822 Rule 1006 would provide a uniform manner in which the Commission receives—and SCI entities provide—written notifications, reviews, descriptions, analyses, or reports required by Regulation SCI. Rule 1006 should add efficiency for the new SCI entities in drafting and submitting the required reports, and for the Commission in reviewing, analyzing, and responding to the information provided.

819 See 17 CFR 242.1005. Rule 1005(a) of Regulation SCI relates to recordkeeping provisions for SCI SROs, whereas Rule 1005(b) relates to the recordkeeping provision for SCI entities other than SCI SROs.
820 See 17 CFR 242.1006.
821 See 17 CFR 242.1007.
The Commission recognizes that all of the new SCI entities are currently subject to Commission and other regulatory recordkeeping requirements.823 However, records relating to Regulation SCI may not be specifically addressed in the recordkeeping requirements of certain rules. The benefits from the recordkeeping requirements in Rules 1005 and 1007 for the new SCI entities (and the costs, as discussed below) will therefore depend on the extent to which their current operations already align with the rule’s requirements, given both existing regulation and current practice. The proposed amendment to Rule 1005(c) will apply to new and existing SCI entities. Although many SCI events may be resolved in a short time frame, other SCI events may not be discovered for an extended period of time after their occurrence, or may take significant periods of time to fully resolve. In such cases, having an SCI entity’s records available after it has ceased to be an SCI entity or to be registered under the Exchange Act would add to the scope of historical records available for review in the event of an SCI event. This is a particular issue for entities whose coverage under the rule might vary over time, depending on when the entities—or their systems—meet the rule’s coverage thresholds. For these entities, uniform record retention periods will also facilitate comparative review of risk and compliance trends. These benefits will be limited if entities and systems of entities tend to continue meeting coverage requirements over time, without a break in coverage.

822 Except for notifications submitted pursuant to Rule 1002(b)(1) and (3).
823 See, e.g., 17 CFR 240.17a–3 and 240.17a–4, applicable to broker-dealers.

ii. Costs

The recordkeeping requirements of Rules 1005 and 1007 will impose additional costs, including a one-time cost to set up or modify an existing recordkeeping system to comply with Rules 1005 and 1007.
The initial and ongoing compliance costs associated with the recordkeeping requirements are attributed to paperwork burdens, which are discussed in section IV above.824 With respect to Rule 1006, all costs associated with Form SCI are attributed to the paperwork burdens discussed in section IV. For existing SCI entities the Commission estimates approximately $21.0 million in initial costs and $12.0 million in annual costs, while for new SCI entities the Commission estimates approximately $41.7 million in initial costs and $25.8 million in annual costs.825 Every new SCI entity will be required to have the ability to electronically submit Form SCI through the EFFS system, and every person designated to sign Form SCI will be required to have an electronic signature and a digital ID. The Commission believes that this requirement will not impose an additional burden on new SCI entities, as these entities likely already prepare documents in an electronic format that is text searchable or can readily be converted into a format that is text searchable. The Commission also believes that many new SCI entities currently have the ability to access the EFFS system and electronically submit Form SCI, such that the requirement to submit Form SCI electronically will not impose significant new implementation or ongoing costs.826 The Commission also believes that some of the persons who will be designated to sign Form SCI already have digital IDs and the ability to provide an electronic signature. To the extent that some persons do not have digital IDs, the additional cost to obtain and maintain digital IDs is accounted for in the paperwork burden, discussed in section IV above.827

824 When monetized, the paperwork burden associated with all recordkeeping requirements would result in approximately $278,460 initially and $40,950 annually for all new SCI entities in the aggregate. The Commission estimates that a new SCI entity other than an SCI SRO will incur a one-time cost of $900 for information technology costs for purchasing recordkeeping software, for a total of $18,900. See section IV.D.7. For purposes of this Economic Analysis, there are two fewer entities than under the PRA analysis, lowering these estimated costs. See supra note 700.
825 See section IV.D.7; supra note 700.
826 The initial and ongoing costs associated with various electronic submissions of Form SCI for the new SCI entities are discussed in the Paperwork Reduction Act section above. See supra section IV.D.6.
827 See id.

D. Efficiency, Competition, and Capital Formation Analysis

As previously discussed in section C, the proposed amendments to Regulation SCI would reduce the impact of market disruptions arising as a result of natural disasters, third-party provider service outages, cybersecurity events, or hardware or software malfunctions. We expect that the proposed amendments will reduce the frequency, severity, and duration of systems issues that occur in the context of these events, and will thus decrease the number of trading interruptions. The proposed amendments will thus improve market efficiency, price discovery, and liquidity, because trading interruptions interfere with the process through which information gets incorporated into security prices. In addition, by reducing trading interruptions, the proposed amendments will have beneficial effects across markets, because of the interconnectedness of securities markets. For example, an interruption in the market for equity securities could harm the price discovery process in the options markets, reducing the flow of liquidity across markets.
As a result, we expect the proposed amendments, if adopted, would improve price efficiency in securities markets.828 Prices that accurately convey information about fundamental value improve the efficiency with which capital is allocated across projects and firms, thus promoting capital formation. In addition, we expect the proposed amendments to encourage capital formation by reinforcing investors’ confidence in market transactions. The proposed amendments to Regulation SCI could affect competition among SCI entities because the compliance costs could differ among SCI entities. For example, current SCI entities are expected to face smaller incremental compliance costs than new SCI entities. New SCI entities that have been subject to similar regulations could also face smaller incremental compliance costs than those that have not. Even among new SCI entities, certain provisions can be more costly for some than for others. For example, the initial compliance costs of the systems resumption requirements could differ among new SCI entities. Specifically, as mentioned above, Rule 1004’s BC/DR testing requirements may require greater incremental costs for smaller SCI entities that have not already been engaged in BC/DR testing. Lastly, some of the new SCI entities may already have practices that are aligned with at least some of the requirements under amended Regulation SCI compared to the baseline, reducing their incremental compliance costs. In addition to competition among SCI entities, the compliance costs imposed by the proposed amendments to Regulation SCI could have an effect on competition where SCI entities and non-SCI entities compete, such as in the markets for trading services (e.g., broker-dealers).

828 See sections V.D.1 and V.D.3.
Specifically, since non-SCI entities do not have to incur the compliance costs associated with Regulation SCI, SCI entities could find it difficult to pass on their own compliance costs to investors or customers without losing investors or customers to non-SCI entities. This would adversely affect the profits of SCI entities. That said, by expanding the set of SCI entities, the proposed amendments would ensure that, where there is currently competition between existing SCI entities and the entities that would be newly covered under this proposed rule, these competing entities are subject to similar SCI compliance requirements. The proposed threshold-based tests for scoping a broker-dealer into Regulation SCI could bring about a potential unintended effect of deterring growth among broker-dealers and discouraging the potential benefits of scale economies. For example, to the extent a certain broker-dealer may take otherwise-unwanted steps to keep its trading volumes or asset level low, or spin off entities and not realize scale economies, all for the purpose of avoiding being subject to regulation, this can be inefficient for the economy. Likewise, the proposal to apply Regulation SCI to all exempt clearing agencies would mean that any entity that seeks to become a clearing agency will automatically be subject to Regulation SCI and will thus bear the associated compliance cost. The compliance costs associated with Rule 1004 could raise barriers to entry and affect competition among members or participants of SCI entities. Specifically, to the extent that members or participants could be subject to designation in BC/DR plan testing and could incur additional compliance costs, the member or participant designation requirement of Rule 1004 could raise barriers to entry. In addition, as discussed above, the compliance costs of the rule will likely be higher for smaller members or participants of SCI entities compared to larger members or participants of SCI entities.
The adverse effect on competition may be mitigated to some extent, as the most likely members or participants to be designated for testing are larger members or participants who already maintain connectivity with an SCI entity’s backup systems. Further, the adverse effect on competition for smaller members or participants could be partially mitigated to the extent that larger firms, which are members of multiple SCI entities, could incur additional compliance costs because these larger member firms could be subject to multiple designations for business continuity and disaster recovery plan testing.829

E. Reasonable Alternatives

In formulating our proposal, we have considered various alternatives. Those alternatives are discussed below, and we have also requested comments on certain of these alternatives.

1. Limiting the Scope of the Regulation SCI Provisions for New SCI Entities

The Commission has considered whether all of the obligations set forth in Regulation SCI should apply to the new SCI entities or whether only certain requirements should be imposed, such as those requiring written policies and procedures, notification of systems problems, business continuity and disaster recovery testing, and penetration testing.830 For example, the Commission has considered whether SBSDRs should be subject to full Regulation SCI requirements, similar to SCI plan processors, or should be subject to only some of the Regulation SCI requirements, given differing levels of automation and stages of regulatory development of the SBS market. The Commission believes that these alternatives would reduce some of the benefits as well as some of the costs compared to the proposed rules.
The lower costs from limiting the Regulation SCI requirements, such as periodic reviews of policies and procedures or Commission notification, for some new entities could result in lower barriers to entry and could increase competition in the relevant markets compared to the proposed rules. However, taking into consideration the large size of the new SCI entities and, therefore, their externalities on some other SCI entities in case of system failure, the Commission believes these effects on competition may not be significant enough to warrant forgoing benefits (such as timely notifications to the Commission) in addition to the reduced effectiveness of the regulation. Moreover, not requiring specific SCI requirements for certain new SCI entities would likely result in less uniform treatment across current and new SCI entities performing similar functions.831

829 Id. at 72433.
830 Such an approach is similar to that taken regarding the competing consolidators in the Market Data Consolidator rule. The Market Data Consolidator rule subjects competing consolidators that do not meet the earning thresholds to some, but not all, obligations that apply to competing consolidators. 17 CFR 242.614.
831 See supra section III.A.2.

2. Mandating Compliance With Current SCI Industry Standards

The Commission has considered the alternative of mandating compliance with current SCI industry standards. This alternative would require that the policies and procedures of SCI entities required under Rule 1001(a) comply with ‘‘current SCI industry standards’’ rather than simply making such compliance a safe harbor under Rule 1001(a)(4).832 This alternative would ensure that an SCI entity has policies and procedures consistent with current SCI industry standards. These standards likely have the advantage of economies of scale, as several entities in the industry have adopted them, and thus the standards benefit from more innovative efficiencies than in-house standards. Moreover, mapping policies and procedures to an industry standard would help facilitate the Commission’s inspection and enforcement capabilities. Based on Commission staff experience, however, this alternative would not be an appropriate solution for all SCI entities. One reason is that, given the differences exhibited by various SCI entities and the complexity of each SCI entity’s operations, it may not be possible for each one to find a current SCI industry standard that suits its needs without substantial modification and customization. To this extent, the Commission sees great value in allowing each SCI entity to customize its policies and procedures to address the specific operational risks it faces. It is the Commission’s understanding that a number of current SCI entities have developed and implemented policies and procedures largely based on industry standards, but have also customized them based on their size, risks, and unique characteristics. For this reason, mandating compliance with a current SCI industry standard may be an inefficient approach. For the larger and more complex-structured SCI entities, losing the flexibility to design systems or develop policies and procedures by mandating the industry standards could also result in less effective policies and procedures or adversely affect the integrity, resiliency, availability, or security of SCI systems.

832 Proposed Rule 1000(a)(4) defines ‘‘current SCI industry standards’’ as ‘‘information technology practices that are widely available to information technology professionals in the financial sector and issued by an authoritative body that is a U.S. governmental entity or agency, association of U.S. governmental entities or agencies, or widely recognized organization.’’

3. Requiring Diversity of Back-Up Plan Resources

With respect to critical SCI systems, the Commission has considered mandating multi-vendor backups. This alternative would require that SCI entities that utilize third-party providers to operate critical SCI systems have geographically diverse backup systems that are operated by a different third-party provider (e.g., multi-cloud). As previously discussed, there can be significant advantages for an entity moving its systems from an on-premises, internally run data center to cloud service providers (CSPs), which may include cost efficiencies, automation, increased security and resiliency, and the ability to leverage the opportunity to reengineer or otherwise update its systems and applications to run more efficiently.833 However, each SCI entity is obligated to satisfy the requirements of Regulation SCI for systems operated on behalf of the SCI entity by a third party. This necessarily requires an individualized assessment of the costs and risks associated with managing the CSP relationship, and determining that the CSP’s backup and recovery capabilities are sufficiently resilient, geographically diverse, and reasonably designed to achieve timely recovery following a wide-scale disruption.834 Further, while reducing the risk of over-reliance on a single vendor and the chance of system failures—for example, due to the same vulnerabilities within a vendor—a multi-cloud strategy would add additional costs, including negotiation, contract, deployment, and management costs; and it is the Commission’s understanding that a multi-cloud architecture could introduce more complexity and, accordingly, operational and cybersecurity risks into the SCI back-up systems.835 In place of a prescriptive alternative of mandating multi-vendor backups, the Commission is proposing, in Rule 1001(a)(2)(v) and (ix), a more flexible approach under which each SCI entity must consider CSPs and other third-party providers as part of a risk-based assessment of the providers’ criticality and their role in the entity’s business continuity and disaster recovery planning.

833 See section III.C.2.
834 See id.
835 For example, security breach possibilities could increase because of the interconnection of SCI systems between multiple cloud providers.

4. Penetration Testing Frequency

With respect to the penetration testing frequency, the Commission has considered requiring longer (e.g., every 2 years) or shorter (quarterly, every 6 months) frequencies for penetration testing, rather than the currently proposed annual frequency (a reduction from the current rule’s requirement of every three years). When the Commission adopted Regulation SCI in 2014, the Commission decided to require penetration test reviews ‘‘not less than once every three years in recognition of the potentially significant costs that may be associated with the performance of such tests.’’836 Nevertheless, as mentioned above, markets have changed since the adoption of Regulation SCI. In particular, cybersecurity has become a more pervasive concern for all types of businesses, including SCI entities. In addition, the Commission understands that industry practices with respect to penetration testing have evolved such that tests occur on a much more frequent basis, as businesses confront the threat of cybersecurity events on a wider scale. To this extent, the Commission has considered whether penetration testing should be conducted at least once quarterly, every 6 months, or every 2 years.
The Commission understands industry practices generally tend to recommend at least one penetration test review a year. Requiring penetration test reviews more frequently could further strengthen security and reduce cybersecurity events at SCI entities. Nevertheless, the Commission believes that requiring all SCI entities to conduct such reviews more than once every year may be too much of a drain on the institution’s resources, due to the estimated cost of $10,000 to $30,000 per test,837 and given the wide scope of annual testing to be conducted as part of an annual review under proposed Rule 1003(b).838 Moreover, while some entities may need to perform multiple tests each year on different components of their environment, for other entities a requirement for multiple tests may be counterproductive, if the testing cycle 836 SCI Adopting Release, supra note 1, at 72344. section V.D.3.c. 838 See proposed Rules 1000, 1001(a)(2)(iv) (penetration testing as part of an annual review under Rule 1003(b) must include testing of ‘‘network, firewalls, and production systems, including of any vulnerabilities of . . . SCI systems and indirect SCI systems,’’ including vulnerabilities ‘‘pertaining to internal and external threats, physical hazards, and natural or manmade disasters’’). 837 See E:\FR\FM\14APP2.SGM 14APP2 23264 Federal Register / Vol. 88, No. 72 / Friday, April 14, 2023 / Proposed Rules ddrumheller on DSK120RN23PROD with PROPOSALS2 does not provide time to implement security investments. 5. Attestation for Critical SCI System Vendors Given the importance of critical SCI systems and SCI entities’ increasing reliance on third-party providers, the Commission has considered requiring attestation (such as by an SCI entity’s chief executive officer or general counsel) that contracts with third-party providers for critical SCI systems comply with the SCI entity’s obligations under Regulation SCI. 
Such an attestation requirement would further ensure that SCI entities are negotiating contract terms with third-party providers for critical SCI systems in a manner that is consistent with Regulation SCI’s requirements. However, an attestation requirement for each such contract may have limited value, and may be overly time-consuming and resource-intensive relative to that value. The value of an attestation requirement will be limited, given that proposed Rule 1001(a)(2)(ix) would require each SCI entity to have a program to manage and oversee third-party providers, or to the extent that they already provide attestations to their customers (which, in turn, may vary to the degree that they are in competition with like entities). At the same time, an attestation requirement may have significant costs. For SCI entities these costs may include the direct costs of updating their oversight processes in order to ensure that their attestations are accurate and in compliance; training their in-house personnel on the third-party service provider’s methods for operating critical IT systems; and conducting oversight of the service provider’s subcontractors as well as oversight of the service provider itself. SCI entities may also incur costs if they move critical system functions in-house or consolidate vendors to reduce the risk or burden of the attestation requirement, which could result in lower-quality or less efficient services. Furthermore, requiring the attestation by an SCI entity’s senior officers could increase the due diligence cost of the attestation requirement. Senior officers making attestations may require additional liability insurance, higher compensation, or lower incentive pay as a share of overall compensation.

Finally, the service providers themselves may face increased costs as part of their efforts to help the SCI entity make the relevant attestation, including contract renegotiation costs, upgrading operations, and responding to information requests from the SCI entity. These costs, in turn, might be passed to the SCI entity and ultimately to its participants, members, or customers. The Commission believes the additional costs could be disproportionate to the benefits of an attestation requirement. For these reasons, the Commission has decided against including an attestation requirement.

6. Transaction Activity Threshold for SCI Broker-Dealers

With respect to the transaction activity threshold used to scope broker-dealers within Regulation SCI as discussed in section III.A.2.b, the Commission has considered as an alternative whether to set a higher (more limited) or lower (more expansive) threshold than the proposed 10% threshold. For example, the Commission has considered whether only broker-dealers with transaction activity thresholds above 15% should be included as SCI broker-dealers,839 but determined that this would fail to scope within Regulation SCI some of the largest and most significant broker-dealers that pose technological vulnerabilities and risks to the maintenance of fair and orderly markets. This would have the effect of decreasing costs moderately for broker-dealers no longer within the scope of Regulation SCI at the expense of a significant decrease in benefits otherwise associated with the improvements to fair and orderly markets, as described above. Similarly, the Commission has also considered whether all broker-dealers with transaction activity thresholds above 5% should be included as SCI broker-dealers,840 but determined that this would scope within Regulation SCI several broker-dealers that are not among the most significant broker-dealers that pose technological vulnerabilities and risks to the maintenance of fair and orderly markets. This would have the effect of increasing costs for marginal firms without a comparable increase in benefits associated with an improvement of fair and orderly markets.

In addition, with respect to the transaction activity threshold used to scope broker-dealers within Regulation SCI as discussed in section III.A.2.b, the Commission has also considered as an alternative whether to apply the proposed 10% threshold to principal trades only, rather than all transactions. Accordingly, the Commission considered whether to include as an SCI entity any registered broker-dealer that, irrespective of the size of its balance sheet, consistently trades for its own account at a substantially high level in certain enumerated asset classes, scaled as a percentage of total average daily dollar volume, as reported by applicable reporting organizations. Under the alternative, ten broker-dealer firms 841 would have been scoped in as ‘‘SCI broker-dealers,’’ which are among the 17 ‘‘SCI broker-dealers’’ subject to the proposed Regulation SCI. This alternative approach to the transaction activity threshold would identify those broker-dealers that generate significant liquidity in specified types of securities markets and could also be considered a proxy for those that also engage in substantial agency trading and other business. Because the alternative would also scope in fewer broker-dealers as SCI entities, this alternative would also impose fewer total costs compared to the proposed approach. However, the Commission preliminarily believes that limiting the extension of Regulation SCI to broker-dealers that engage in significant trading activity for their own account in one or more of the enumerated asset classes and generate significant liquidity on which fair and orderly markets rely would fail to acknowledge the substantial role that executing brokers acting as agents also play in the markets. Accordingly, the alternative approach would fail to scope within Regulation SCI some of the largest and most significant broker-dealers that pose technological vulnerabilities and risks to the maintenance of fair and orderly markets. In the Commission’s view, using all transaction activity rather than limiting the analysis to principal trades is a more appropriate measure for estimating the significance of a broker-dealer’s footprint in the markets and the effect that its sudden unavailability could have on fair and orderly market functioning.

839 The Commission believes that the proposed threshold of 5% of total assets is a reasonable approach to identifying the largest broker-dealers. See section III.A.2.b.iii (discussing proposed thresholds for an ‘‘SCI broker-dealer’’). The Commission has considered as an alternative to further scope in the broker-dealers with transaction activity thresholds above 15%. Regulation SCI would only be applicable to an estimated ten broker-dealers based on the analysis of data which include broker-dealer FOCUS Report Form X–17A–5 Schedule II filings from Q4 2021 to Q3 2022. Also for additional detail on the calculation of total assets of all security broker-dealers, see supra note 127. Data also include Consolidated Audit Trail (CAT) data from Jan. 2022 to June 2022, the plan processors (SIPs) of the CTA/CQ Plans and Nasdaq UTP Plan. CTA Plan, available at https://www.ctaplan.com; Nasdaq UTP Plan, available at https://www.utpplan.com, Options Price Reporting Authority (OPRA) data, TRACE for Treasury Securities data from Jan. 2022 to June 2022, regulatory TRACE data from Jan. 2022 to June 2022, and FINRA TRACE.
840 The Commission believes that the proposed threshold of 5% of total assets is a reasonable approach to identifying the largest broker-dealers. See section III.A.2.b.iii (discussing proposed thresholds for an ‘‘SCI broker-dealer’’). The Commission has considered as an alternative to further scope in the broker-dealers with transaction activity thresholds above 5%. Regulation SCI would only be applicable to an estimated 29 broker-dealers based on the analysis of data which include broker-dealer FOCUS Report Form X–17A–5 Schedule II filings from Q4 2021 to Q3 2022. Also for additional detail on the calculation of total assets of all security broker-dealers, see supra note 127. Data also include Consolidated Audit Trail (CAT) data from Jan. 2022 to June 2022, the plan processors (SIPs) of the CTA/CQ Plans and Nasdaq UTP Plan. CTA Plan, available at https://www.ctaplan.com; Nasdaq UTP Plan, available at https://www.utpplan.com, Options Price Reporting Authority (OPRA) data, TRACE for Treasury Securities data from Jan. 2022 to June 2022, regulatory TRACE data from Jan. 2022 to June 2022, and FINRA TRACE.
841 The estimated ten broker-dealer firms are based on the analysis of data which include broker-dealer FOCUS Report Form X–17A–5 Schedule II filings from Q4 2021 to Q3 2022. Also for additional detail on the calculation of total assets of all security broker-dealers, see supra note 127. Data also include Consolidated Audit Trail (CAT) data from Apr. 2022 to Sept. 2022, the plan processors (SIPs) of the CTA/CQ Plans and Nasdaq UTP Plan. CTA Plan, available at https://www.ctaplan.com; Nasdaq UTP Plan, available at https://www.utpplan.com, Options Price Reporting Authority (OPRA) data, TRACE for Treasury Securities data from Apr. 2022 to Sept. 2022, regulatory TRACE data from Apr. 2022 to Sept. 2022, and FINRA TRACE.
Thus, while the alternative would likely scope in fewer broker-dealers as SCI entities, and thus reduce the aggregate costs of extending Regulation SCI compared to the proposal, it would also limit the extensive benefits, discussed above, associated with applying Regulation SCI to additional broker-dealers that play a critical role in the market.

7. Limitation on Definition of ‘‘SCI Systems’’ for SCI Broker-Dealers

Additionally, the Commission considered leaving the original definition of ‘‘SCI systems’’ unrevised, such that any broker-dealer meeting or exceeding the 10% trading activity threshold for any single asset class would have been subject to Regulation SCI requirements for all of its systems, not only those systems relating to the type of securities for which the SCI broker-dealer satisfies the trading activity threshold. Leaving the definition unrevised would scope in SCI broker-dealer systems with respect to classes of securities with a lower volume of trading, for which system unavailability is less likely to pose a risk to the maintenance of fair and orderly markets. This would have the effect of increasing costs for SCI broker-dealers with limited trading activity in one or more other classes of securities, while yielding a potential benefit in terms of risk reduction with respect to the maintenance of fair and orderly markets.

VI. Regulatory Flexibility Act Certification

The Regulatory Flexibility Act (‘‘RFA’’) 842 requires Federal agencies, in promulgating rules, to consider the impact of those rules on small entities. Section 603(a) 843 of the Administrative Procedures Act,844 as amended by the RFA, generally requires the Commission to undertake a regulatory flexibility analysis of all proposed rules, or proposed rule amendments, to determine the impact of such rulemaking on ‘‘small entities.’’ 845 Section 605(b) of the RFA states that this requirement shall not apply to any proposed rule or proposed rule amendment which, if adopted, would not have a significant economic impact on a substantial number of small entities.846

A. ‘‘Small Entity’’ Definitions

For purposes of Commission rulemaking in connection with the RFA, a small entity includes an exchange that has been exempt from the reporting requirements of Rule 601 under Regulation NMS, and is not affiliated with any person (other than a natural person) that is not a small business or small organization. A small entity also includes a broker-dealer with total capital (net worth plus subordinated liabilities) of less than $500,000 on the date in the prior fiscal year as of which its audited financial statements were prepared pursuant to 17 CFR 240.17a–5(d) (‘‘Rule 17a–5(d)’’ under the Exchange Act),847 or, if not required to file such statements, a broker-dealer with total capital (net worth plus subordinated liabilities) of less than $500,000 on the last business day of the preceding fiscal year (or in the time that it has been in business, if shorter); and is not affiliated with any person (other than a natural person) that is not a small business or small organization. Furthermore, a small entity includes a securities information processor that: (1) had gross revenues of less than $10 million during the preceding fiscal year (or in the time it has been in business, if shorter); (2) provided service to fewer than 100 interrogation devices or moving tickers at all times during the preceding fiscal year (or in the time that it has been in business, if shorter); and (3) is not affiliated with any person (other than a natural person) that is not a small business or small organization under 17 CFR 240.0–10.848 A small entity additionally includes a clearing agency that (1) compared, cleared, and settled less than $500 million in securities transactions during the preceding fiscal year (or in the time that it has been in business, if shorter); (2) had less than $200 million of funds and securities in its custody or control at all times during the preceding fiscal year (or in the time that it has been in business, if shorter); and (3) is not affiliated with any person (other than a natural person) that is not a small business or small organization as defined in 17 CFR 240.0–10.849

B. Current SCI Entities

Currently, SCI entities comprise SCI SROs, SCI ATSs, plan processors, SCI competing consolidators, and certain exempt clearing agencies. The Commission believes that none of these entities would be considered small entities for purposes of the RFA.

1. SCI SROs

As discussed in section II.B.1 above, Regulation SCI currently applies to SCI SROs, which are defined as any national securities exchange, registered securities association, or registered clearing agency, or the Municipal Securities Rulemaking Board; provided, however, that for purposes of 17 CFR 242.1000, the term SCI self-regulatory organization shall not include an exchange that is notice registered with the Commission pursuant to 15 U.S.C. 78f(g) or a limited purpose national securities association registered with the Commission pursuant to 15 U.S.C. 78o–3(k).850 Currently, there are 35 SCI SROs. Based on the Commission’s existing information about the entities that are subject to proposed Regulation SCI, the Commission believes that SCI SROs would not fall within the definition of ‘‘small entity’’ as described above.

As stated, the Commission has defined a ‘‘small entity’’ as an exchange that has been exempt from the reporting requirements of Rule 601 of Regulation NMS and is not affiliated with any person (other than a natural person) that is not a small business or small organization.851 None of the national securities exchanges registered under section 6 of the Exchange Act that would be subject to the proposed rule and form is a ‘‘small entity’’ for purposes of the RFA. There is only one national securities association (FINRA), and the Commission has previously stated that it is not a small entity as defined by 13 CFR 121.201.852 As stated, a small entity includes, when used with reference to a clearing agency, a clearing agency that: (1) compared, cleared, and settled less than $500 million in securities transactions during the preceding fiscal year; (2) had less than $200 million of funds and securities in its custody or control at all times during the preceding fiscal year (or at any time that it has been in business, if shorter); and (3) is not affiliated with any person (other than a natural person) that is not a small business or small organization.853 Based on the Commission’s existing information about the clearing agencies currently registered with the Commission, the Commission preliminarily believes that such entities exceed the thresholds defining ‘‘small entities’’ set out above. While other clearing agencies may emerge and seek to register as clearing agencies, the Commission preliminarily does not believe that any such entities would be ‘‘small entities’’ as defined in Exchange Act Rule 0–10.

2. The MSRB

The Commission’s rules do not define ‘‘small business’’ or ‘‘small organization’’ for purposes of entities like the MSRB. The MSRB does not fit into one of the categories listed under the Commission rule that provides guidelines for a defined group of entities to qualify as a small entity for purposes of Commission rulemaking under the RFA.854 The RFA, in turn, refers to the Small Business Administration (‘‘SBA’’) in providing that the term ‘‘small business’’ is defined as having the same meaning as the term ‘‘small business concern’’ under section 3 of the Small Business Act.855 The SBA provides a comprehensive list of categories with accompanying size standards that outline how large a business concern can be and still qualify as a small business.856 The industry categorization that appears to best fit the MSRB under the SBA table is Professional Organization. The SBA defines a Professional Organization as an entity having average annual receipts of less than $15 million. Within the MSRB’s 2021 Annual Report the organization reported total revenue exceeding $35 million for fiscal year 2021.857 The Report also stated that the organization’s total revenue for fiscal year 2020 exceeded $47 million.858 The Commission is using the SBA’s definition of small business to define the MSRB for purposes of the RFA and has concluded that the MSRB is not a ‘‘small entity.’’

3. SCI ATSs

As discussed in section II.B.1 above, Regulation SCI currently applies to SCI ATSs (which are required to be registered as broker-dealers) that during at least four of the preceding six calendar months: (1) had, with respect to NMS stocks: (i) five percent (5%) or more in any single NMS stock, and one-quarter percent (0.25%) or more in all NMS stocks, of the average daily dollar volume reported by applicable transaction reporting plans, which represents the sum of all reported bought and all reported sold dollar volumes; or (ii) one percent (1%) or more in all NMS stocks of the average daily dollar volume reported by applicable transaction reporting plans, which represents the sum of all reported bought and all reported sold dollar volumes; or (2) had, with respect to equity securities that are not NMS stocks and for which transactions are reported to a self-regulatory organization, five percent (5%) or more of the average daily dollar volume as calculated by the self-regulatory organization to which such transactions are reported.

842 5 U.S.C. 601 et seq.
843 5 U.S.C. 603(a).
844 5 U.S.C. 551 et seq.
845 Although section 601(b) of the RFA defines the term ‘‘small entity,’’ the statute permits agencies to formulate their own definitions. The Commission has adopted definitions for the term ‘‘small entity’’ for purposes of Commission rulemaking in accordance with the RFA. Those definitions, as relevant to this proposed rulemaking, are set forth in 17 CFR 240.0–10 (‘‘Rule 0–10’’).
846 See 5 U.S.C. 605(b).
847 17 CFR 240.17a–5(d).
848 17 CFR 240.0–10(g).
849 17 CFR 240.0–10(d).
850 See 17 CFR 242.1000.
851 See paragraph (e) of Rule 0–10.
852 See, e.g., Securities Exchange Act Release No. 62174 (May 26, 2010), 75 FR 32556, 32605 n.416 (June 8, 2010) (‘‘FINRA is not a small entity as defined by 13 CFR 121.201.’’).
853 See paragraph (d) of Rule 0–10.
854 See Rule 0–10.
855 See 5 U.S.C. 601(3).
All NMS stock and non-NMS stock ATSs are required to register as broker-dealers. There are currently seven SCI ATSs. As stated, a small entity also includes a broker-dealer with total capital (net worth plus subordinated liabilities) of less than $500,000 on the date in the prior fiscal year as of which its audited financial statements were prepared pursuant to Rule 17a–5(d) under the Exchange Act,859 or, if not required to file such statements, a broker-dealer with total capital (net worth plus subordinated liabilities) of less than $500,000 on the last business day of the preceding fiscal year (or in the time that it has been in business, if shorter); and is not affiliated with any person (other than a natural person) that is not a small business or small organization. Applying this test for broker-dealers, the Commission believes that none of the SCI ATSs currently trading were operated by a broker-dealer that is a ‘‘small entity.’’

4. Plan Processors

As discussed in section II.B.1 above, Regulation SCI currently applies to plan processors, which are ‘‘any self-regulatory organization or securities information processor acting as an exclusive processor in connection with the development, implementation and/or operation of any facility contemplated by an effective national market system plan.’’ 860 Currently, there are two plan processors subject to Regulation SCI. The current plan processors are SIAC, a subsidiary of NYSE Group, Inc., and Nasdaq Stock Market LLC, a subsidiary of Nasdaq, Inc. In addition, even if other entities do become plan processors, the Commission preliminarily believes that most, if not all, plan processors would be large business entities or subsidiaries of large business entities, and that every plan processor (or its parent entity) would have gross revenues in excess of $10 million and provide service to 100 or more interrogation devices or moving tickers. Therefore, the Commission preliminarily believes that none of the current plan processors or potential plan processors would be considered small entities.

5. SCI Competing Consolidators

As discussed in section II.B.1 above, Regulation SCI currently applies to SCI competing consolidators. While no SCI competing consolidators have yet registered, as discussed in the adopting release for the Market Data Infrastructure rule, the Commission estimates, and continues to estimate, that up to 10 entities will register as competing consolidators.861 As discussed in the Market Data Infrastructure final rule, ‘‘based on the Commission’s information about the 10 potential entities the Commission estimates may become competing consolidators, the Commission believes that all such entities will exceed the thresholds defining ‘small entities’ set out above.’’ 862 The Commission continues to believe this analysis is accurate, and that ‘‘[c]ompeting consolidators will be participating in a sophisticated business that requires significant resources to compete effectively.’’ 863 Accordingly, the Commission believes that any such registered competing consolidators will exceed the thresholds for ‘‘small entities’’ set forth in 17 CFR 240.0–10.

856 See 13 CFR 121.201. See also SBA, Table of Small Business Size Standards Matched to North American Industry Classification System Codes, available at https://www.sba.gov/sites/default/files/files/Size_Standards_Table.pdf (outlining the list of small business size standards within 13 CFR 121.201).
857 See MSRB, 2021 Annual Report, 16, available at https://msrb.org/-/media/Files/Resources/MSRB2021-Annual-Report.ashx.
858 Id.
859 17 CFR 240.17a–5(d).
860 See 17 CFR 242.1000; 17 CFR 242.600(b)(67).
861 See Market Data Infrastructure Adopting Release, supra note 24, at 18808.
6. Exempt Clearing Agencies

As discussed in section II.B.1 above, Regulation SCI currently applies to certain clearing agencies, specifically, exempt clearing agencies subject to ARP. There are currently 3 exempt clearing agencies subject to Regulation SCI, and the Commission estimates that Regulation SCI will apply to two more if the proposed rules are finalized. The Commission believes that all the clearing agencies, both those to which Regulation SCI currently applies and those to which it will, exceed the thresholds defining ‘‘small entities’’ set out above.

C. Proposed SCI Entities

The proposed expansion of the definition of the term ‘‘SCI entity’’ would include SBSDRs and SCI broker-dealers, as well as additional clearing agencies exempted from registration. The Commission preliminarily believes that none of these would be considered small entities for purposes of the RFA.

1. SBSDRs

As discussed in section III.A.2.a above, in 2015, the Commission established a regulatory framework for SBSDRs, under which SBSDRs are registered securities information processors and disseminators of market data in the SBS market. There are currently two registered SBSDRs that would be subject to Regulation SCI. The two currently registered SBSDRs are subsidiaries of large business entities.864 In addition, even if other entities do register as SBSDRs, for purposes of Commission rulemaking, the Commission believes that none of the SBSDRs will be considered small entities.865

2. SCI Broker-Dealers

As discussed in section III.A.2.b above, the proposed definition of an SCI broker-dealer would be a broker or dealer registered with the Commission pursuant to section 15(b) of the Exchange Act which: (1) in at least two of the four preceding calendar quarters, ending March 31, June 30, September 30, and December 31, reported to the Commission, on Form X–17A–5 (§ 249.617), total assets in an amount that equals five percent (5%) or more of the total assets of all security brokers and dealers; or (2) during at least four of the preceding six calendar months: (i) with respect to transactions in NMS stocks, transacted average daily dollar volume in an amount that equals ten percent (10%) or more of the average daily dollar volume reported by or pursuant to applicable effective transaction reporting plans, provided, however, that for purposes of calculating its activity in transactions effected otherwise than on a national securities exchange or on an alternative trading system, the broker-dealer shall exclude transactions for which it was not the executing party; or (ii) with respect to transactions in exchange-listed options contracts, transacted average daily dollar volume in an amount that equals ten percent (10%) or more of the average daily dollar volume reported by an applicable effective national market system plan; or (iii) with respect to transactions in U.S. Treasury Securities, transacted average daily dollar volume in an amount that equals ten percent (10%) or more of the total average daily dollar volume made available by the self-regulatory organizations to which such transactions are reported; or (iv) with respect to transactions in Agency securities, transacted average daily dollar volume in an amount that equals ten percent (10%) or more of the total average daily dollar volume made available by the self-regulatory organizations to which such transactions are reported.866 The Commission preliminarily estimates that 17 entities would satisfy one or more of these thresholds. Applying the test for broker-dealers stated above, the Commission believes that none of the potential SCI broker-dealers would be considered small entities.

3. Exempt Clearing Agencies

For the purposes of Commission rulemaking, a small entity includes, when used with reference to a clearing agency, a clearing agency that: (1) compared, cleared, and settled less than $500 million in securities transactions during the preceding fiscal year; (2) had less than $200 million of funds and securities in its custody or control at all times during the preceding fiscal year (or at any time that it has been in business, if shorter); and (3) is not affiliated with any person (other than a natural person) that is not a small business or small organization.867 Based on the Commission’s existing information about the clearing agencies currently exempted from registration with the Commission, the Commission preliminarily believes that such entities exceed the thresholds defining ‘‘small entities’’ set out above. While other clearing agencies may emerge and seek to register as clearing agencies, the Commission preliminarily does not believe that any such entities would be ‘‘small entities’’ as defined in Exchange Act Rule 0–10.

D. Certification

For the foregoing reasons, the Commission certifies that the proposed amendments to Rules 1000, 1001, 1002, 1003, 1004, and 1005, and Form SCI, if adopted, would not have a significant economic impact on a substantial number of small entities for purposes of the RFA. The Commission invites commenters to address whether the proposed rules would have a significant economic impact on a substantial number of small entities, and, if so, what would be the nature of any impact on small entities. The Commission requests that commenters provide empirical data to support the extent of such impact.

Statutory Authority

Pursuant to the Exchange Act, 15 U.S.C. 78a et seq., and particularly, sections 2, 3, 5, 6, 11A, 13, 15, 15A, 17, 17A, and 23(a) thereof (15 U.S.C. 78b, 78c, 78e, 78f, 78k–1, 78m, 78o, 78o–3, 78q, 78q–1, and 78w(a)), the Commission proposes amendments to Regulation SCI under the Exchange Act and Form SCI under the Exchange Act, and to amend Regulation ATS under the Exchange Act, and 17 CFR parts 242 and 249.

List of Subjects in 17 CFR Parts 242 and 249

Brokers, Reporting and recordkeeping requirements, Securities.

For the reasons stated in the preamble, title 17, chapter II of the Code of Federal Regulations is proposed to be amended as follows:

PART 242—REGULATIONS M, SHO, ATS, AC, NMS, AND SBSR AND CUSTOMER MARGIN REQUIREMENTS FOR SECURITY FUTURES

■ 1. The authority citation for part 242 continues to read as follows:

Authority: 15 U.S.C. 77g, 77q(a), 77s(a), 78b, 78c, 78g(c)(2), 78i(a), 78j, 78k–1(c), 78l, 78m, 78n, 78o(b), 78o(c), 78o(g), 78q(a), 78q(b), 78q(h), 78w(a), 78dd–1, 78mm, 80a–23, 80a–29, and 80a–37.

■ 2. Amend § 242.1000 by:
■ a. Adding in alphabetical order the definitions of ‘‘Agency Security’’ and ‘‘Exempt clearing agency’’;
■ b. Removing the definition of ‘‘Exempt clearing agency subject to ARP’’;
■ c. Adding in alphabetical order the definitions of ‘‘Registered security-based swap data repository’’ and ‘‘SCI broker-dealer’’;
■ d. Revising the definitions of ‘‘SCI entity’’, ‘‘SCI review’’, ‘‘SCI systems’’, and ‘‘Systems intrusion’’; and
■ e. Adding in alphabetical order the definition of ‘‘U.S. Treasury Security’’.

The additions and revisions read as follows:

§ 242.1000 Definitions.

* * * * *

Agency Security means a debt security issued or guaranteed by a U.S. executive agency, as defined in 5 U.S.C. 105, or government-sponsored enterprise, as defined in 2 U.S.C. 622(8).

* * * * *

Exempt clearing agency means an entity that has received from the Commission an exemption from registration as a clearing agency under section 17A of the Exchange Act.

* * * * *

Registered security-based swap data repository means any security-based swap data repository, as defined in 15 U.S.C. 78c(a)(75), that is registered with the Commission pursuant to 15 U.S.C. 78m(n) and § 240.13n–1 of this chapter.

* * * * *

SCI broker-dealer means a broker or dealer registered with the Commission pursuant to section 15(b) of the Exchange Act, which: (1) In at least two of the four preceding calendar quarters, ending March 31, June 30, September 30, and December 31, reported to the Commission, on Form X–17A–5 (§ 249.617 of this chapter), total assets in an amount that equals five percent (5%) or more of the total assets of all security brokers and dealers.

862 Id.
863 Id. at 18808–09.
864 See supra note 111.
865 See SBSDR Adopting Release, supra note 96, 80 FR 14548–49 (providing that in the Proposing Release, the Commission stated that it did not believe that any persons that would register as SBSDRs would be considered small entities. The Commission stated that it believed that most, if not all, SBSDRs would be part of large business entities with assets in excess of $5 million and total capital in excess of $500,000. As a result, the Commission certified that the proposed rules would not have a significant impact on a substantial number of small entities and requested comments on this certification. The Commission did not receive any comments that specifically addressed whether 17 CFR 240.13n–1 through 240.13n–12 (‘‘Rules 13n–1 through 13n–12’’) and Form SBSDR would have a significant economic impact on small entities. Therefore, the Commission continues to believe that Rules 13n–1 through 13n–12 and Form SBSDR will not have a significant economic impact on a substantial number of small entities. Accordingly, the Commission hereby certifies that, pursuant to 5 U.S.C. 605(b), Rules 13n–1 through 13n–12, Form SBSDR will not have a significant economic impact on a substantial number of small entities.).
866 Such broker-dealer would not be required to comply with the requirements of Regulation SCI until six months after the SCI broker-dealer satisfied either threshold for the first time.
867 See paragraph (d) of Rule 0–10.
For purposes of this paragraph (1), total assets of all security brokers and dealers shall mean the total assets, as calculated and made publicly available by the Board of Governors of the Federal Reserve, or any subsequent provider of such information, for the associated preceding calendar quarter; or (2) During at least four of the preceding six calendar months: (i) With respect to transactions in NMS stocks, transacted average daily dollar volume in an amount that equals ten percent (10%) or more of the average daily dollar volume reported by or pursuant to applicable effective transaction reporting plans, provided, however, that for purposes of calculating its activity in transactions effected otherwise than on a national securities exchange or on an alternative trading system, the broker-dealer shall exclude transactions for which it was not the executing party; (ii) With respect to transactions in exchange-listed options contracts, transacted average daily dollar volume in an amount that equals ten percent (10%) or more of the average daily dollar volume reported by an applicable effective national market system plan; (iii) With respect to transactions in U.S. Treasury Securities, transacted average daily dollar volume in an amount that equals ten percent (10%) or more of the total average daily dollar volume made available by the selfregulatory organizations to which such transactions are reported; or (iv) With respect to transactions in Agency Securities, transacted average daily dollar volume in an amount that equals ten percent (10%) or more of the total average daily dollar volume made available by the self-regulatory organizations to which such transactions are reported. 
(3) Provided, however, that such SCI broker-dealer shall not be required to comply with the requirements of Regulation SCI until six months after the end of the quarter in which the SCI PO 00000 Frm 00124 Fmt 4701 Sfmt 4702 broker-dealer satisfied paragraph (1) of this definition for the first time or six months after the end of the month in which the SCI broker-dealer satisfied paragraph (2) of this definition for the first time. * * * * * SCI entity means an SCI selfregulatory organization, SCI alternative trading system, plan processor, exempt clearing agency, SCI competing consolidator, SCI broker-dealer, or registered security-based swap data repository. * * * * * SCI review means a review, following established and documented procedures and standards, that is performed by objective personnel having appropriate experience to conduct reviews of SCI systems and indirect SCI systems, and which review, using appropriate risk management methodology, contains: (1) With respect to each SCI system and indirect SCI system of the SCI entity, assessments performed by objective personnel of: (i) The risks related to the capacity, integrity, resiliency, availability, and security; (ii) Internal control design and operating effectiveness, to include logical and physical security controls, development processes, systems capacity and availability, information technology service continuity, and information technology governance, consistent with industry standards; and (iii) Third-party provider management risks and controls; and (2) Penetration test reviews performed by objective personnel of the network, firewalls, and production systems, including of any vulnerabilities of its SCI systems and indirect SCI systems identified pursuant to § 242.1001(a)(2)(iv); (3) Provided, however, that assessments of SCI systems directly supporting market regulation or market surveillance shall be conducted at a frequency based upon the risk assessment conducted as part of the SCI review, but 
in no case less than once every three years. * * * * * SCI systems means all computer, network, electronic, technical, automated, or similar systems of, or operated by or on behalf of, an SCI entity that, with respect to securities, directly support trading, clearance and settlement, order routing, market data, market regulation, or market surveillance; provided, however, that with respect to an SCI broker-dealer that satisfies only the requirements of paragraph (2) of the definition of ‘‘SCI E:\FR\FM\14APP2.SGM 14APP2 Federal Register / Vol. 88, No. 72 / Friday, April 14, 2023 / Proposed Rules broker-dealer,’’ such systems shall include only those systems with respect to the type of securities for which an SCI broker-dealer satisfies the requirements of paragraph (2) of the definition. * * * * * Systems intrusion means any: (1) Unauthorized entry into the SCI systems or indirect SCI systems of an SCI entity; (2) Cybersecurity event that disrupts, or significantly degrades, the normal operation of an SCI system; or (3) Significant attempted unauthorized entry into the SCI systems or indirect SCI systems of an SCI entity, as determined by the SCI entity pursuant to established reasonable written criteria. U.S. Treasury Security means a security issued by the U.S. Department of the Treasury. ■ 3. Amend § 242.1001 by revising paragraph (a) to read as follows: ddrumheller on DSK120RN23PROD with PROPOSALS2 § 242.1001 Obligations related to policies and procedures of SCI entities. (a) Capacity, integrity, resiliency, availability, and security. (1) Each SCI entity shall establish, maintain, and enforce written policies and procedures reasonably designed to ensure that its SCI systems and, for purposes of security standards, indirect SCI systems, have levels of capacity, integrity, resiliency, availability, and security, adequate to maintain the SCI entity’s operational capability and promote the maintenance of fair and orderly markets. 
(2) Policies and procedures required by paragraph (a)(1) of this section shall include, at a minimum: (i) The establishment of reasonable current and future technological infrastructure capacity planning estimates; (ii) Periodic capacity stress tests of such systems to determine their ability to process transactions in an accurate, timely, and efficient manner; (iii) A program to review and keep current systems development and testing methodology for such systems; (iv) Regular reviews and testing, as applicable, of such systems, including backup systems, to identify vulnerabilities pertaining to internal and external threats, physical hazards, and natural or manmade disasters; (v) Business continuity and disaster recovery plans that include maintaining backup and recovery capabilities sufficiently resilient and geographically diverse and that are reasonably designed to achieve next business day resumption of trading and two-hour resumption of critical SCI systems following a widescale disruption; and that are reasonably VerDate Sep<11>2014 20:01 Apr 13, 2023 Jkt 259001 designed to address the unavailability of any third-party provider that provides functionality, support, or service to the SCI entity without which there would be a material impact on any of its critical SCI systems; (vi) Standards that result in such systems being designed, developed, tested, maintained, operated, and surveilled in a manner that facilitates the successful collection, processing, and dissemination of market data; (vii) Monitoring of such systems to identify potential SCI events; (viii) The maintenance of a written inventory and classification of all SCI systems, critical SCI systems, and indirect SCI systems as such, and a program with respect to the lifecycle management of such systems, including the acquisition, integration, support, refresh, and disposal of such systems, as applicable; (ix) A program to manage and oversee third-party providers that provide functionality, support 
or service, directly or indirectly, for any such systems, including: initial and periodic review of contracts with such thirdparty providers for consistency with the SCI entity’s obligations under Regulation SCI; and a risk-based assessment of each third-party provider’s criticality to the SCI entity, including analyses of third-party provider concentration, of key dependencies if the third-party provider’s functionality, support, or service were to become unavailable or materially impaired, and of any potential security, including cybersecurity, risks posed; (x) A program to prevent the unauthorized access to such systems and information residing therein; and (xi) An identification of the current SCI industry standard(s) with which each such policy and procedure is consistent, if any. (3) Each SCI entity shall periodically review the effectiveness of the policies and procedures required by this paragraph (a), and take prompt action to remedy deficiencies in such policies and procedures. (4) For purposes of this paragraph (a), such policies and procedures shall be deemed to be reasonably designed if they are consistent with current SCI industry standards, which shall be composed of information technology practices that are widely available to information technology professionals in the financial sector and issued by an authoritative body that is a U.S. governmental entity or agency, association of U.S. governmental entities or agencies, or widely recognized organization. Compliance PO 00000 Frm 00125 Fmt 4701 Sfmt 4702 23269 with such current SCI industry standards as a safe harbor, however, shall not be the exclusive means to comply with the requirements of paragraph (a) of this section. * * * * * ■ 4. Amend § 242.1002 by: ■ a. In paragraph (b)(4)(ii)(B), removing the words ‘‘or participants’’ and adding in their place ‘‘participants, or, in the case of an SCI broker-dealer, customers’’; ■ b. Revising paragraph (b)(5) and (c)(3); ■ c. 
In paragraph (c)(4)(i), removing the ‘‘or’’ after the semicolon; ■ d. In paragraph (c)(4)(ii), removing the period and adding in its place ‘‘; or’’; and ■ e. Adding paragraph (c)(4)(iii). The revision and additions read as follows: § 242.1002 events. Obligations related to SCI * * * * * (b) * * * (5) The requirements of paragraphs (b)(1) through (4) of this section shall not apply to any systems disruption or systems compliance issue that has had, or the SCI entity reasonably estimates would have, no or a de minimis impact on the SCI entity’s operations or on market participants. For such events, each SCI entity shall: (i) Make, keep, and preserve records relating to all such systems disruptions or systems compliance issues; and (ii) Submit to the Commission a report, within 30 calendar days after the end of each calendar quarter, containing a summary description of such systems disruptions, including the SCI systems affected by such systems disruptions during the applicable calendar quarter. (c) * * * (3) The information required to be disseminated under paragraphs (c)(1) and (2) of this section promptly after any responsible SCI personnel has a reasonable basis to conclude that an SCI event has occurred, shall be promptly disseminated by the SCI entity to those members, participants, or, in the case of an SCI broker-dealer, customers of the SCI entity that any responsible SCI personnel has reasonably estimated may have been affected by the SCI event, and promptly disseminated to any additional members, participants, or, in the case of an SCI broker-dealer, customers that any responsible SCI personnel subsequently reasonably estimates may have been affected by the SCI event; provided, however, that for major SCI events, the information required to be disseminated under paragraphs (c)(1) and (2) of this section shall be promptly disseminated by the E:\FR\FM\14APP2.SGM 14APP2 23270 Federal Register / Vol. 88, No. 
72 / Friday, April 14, 2023 / Proposed Rules SCI entity to all of its members, participants, or, in the case of an SCI broker-dealer, customers. (4) * * * (iii) A systems intrusion that is a significant attempted unauthorized entry into the SCI systems or indirect SCI systems of an SCI entity. ■ 5. Amend § 242.1003 by revising paragraph (b) to read as follows: b. In paragraph (a), after the word ‘‘participants’’, adding ‘‘, and thirdparty providers’’; and ■ c. In paragraph (b), after both instances of the word ‘‘participants’’ adding ‘‘, and third-party providers’’. ■ § 242.1005 § 242.1003 Obligations related to systems changes; SCI review. ddrumheller on DSK120RN23PROD with PROPOSALS2 * * * * * (b) SCI review. Each SCI entity shall: (1) Conduct an SCI review of the SCI entity’s compliance with Regulation SCI not less than once each calendar year for each calendar year during which it was an SCI entity for any part of such calendar year; (2) Submit a report of the SCI review required by paragraph (b)(1) of this section to senior management of the SCI entity for review no more than 30 calendar days after completion of such SCI review. 
Such report of the SCI review shall include: (i) The dates the SCI review was conducted and the date of completion; (ii) The entity or business unit of the SCI entity performing the review; (iii) A list of the controls reviewed and a description of each such control; (iv) The findings of the SCI review with respect to each SCI system and indirect SCI system, which shall include assessments of: the risks related to the capacity, integrity, resiliency, availability, and security; internal control design and operating effectiveness; and an assessment of third-party provider management risks and controls; (v) A summary, including the scope of testing and resulting action plan, of each penetration test review conducted as part of the SCI review; and (vi) A description of each deficiency and weakness identified by the SCI review; and (3) Submit to the Commission, and to the board of directors of the SCI entity or the equivalent of such board, the report of the SCI review required by paragraph (b)(2) of this section, together with the date the report was submitted to senior management and the response of senior management to such report, within 60 calendar days after its submission to senior management of the SCI entity. § 242.1004 [Amended] 6. Amend § 242.1004 by: a. In the section heading, adding ‘‘, and third-party providers’’ to the end of the heading; ■ ■ VerDate Sep<11>2014 20:01 Apr 13, 2023 Jkt 259001 [Amended] 7. Amend § 242.1005 in paragraph (c) by: ■ a. Between ‘‘business’’ and ‘‘ceasing,’’ removing the ‘‘or’’ and adding a comma in its place; and ■ b. Immediately before ‘‘an SCI entity’’ adding ‘‘or otherwise ceasing to be an SCI entity,’’. ■ PART 249—FORMS, SECURITIES EXCHANGE ACT OF 1934 8. The general authority citation for part 249 continues to read as follows: ■ Authority: 15 U.S.C. 78a et seq. and 7201 et seq.; 12 U.S.C. 5461 et seq.; 18 U.S.C. 1350; Sec. 953(b) Pub. L. 111–203, 124 Stat. 1904; Sec. 102(a)(3) Pub. L. 112–106, 126 Stat. 309 (2012), Sec. 
107 Pub. L. 112–106, 126 Stat. 313 (2012), Sec. 72001 Pub. L. 114–94, 129 Stat. 1312 (2015), and secs. 2 and 3 Pub. L. 116–222, 134 Stat. 1063 (2020), unless otherwise noted. * * * * * 9. Revise Form SCI (referenced in § 249.1900). ■ Note: Form SCI is attached as Appendix A to this document. Form SCI will not appear in the Code of Federal Regulations. By the Commission. Dated: March 15, 2023. J. Matthew DeLesDernier, Deputy Secretary. Appendix A—Form SCI Securities and Exchange Commission Washington, DC 20549 Form SCI Page 1 of lll File No. SCI-{name}YYYY-### SCI Notification and Reporting by: {SCI entity name} Pursuant to Rules 1002 and 1003 of Regulation SCI under the Securities Exchange Act of 1934 b Initial b Withdrawal Section I: Rule 1002—Commission Notification of SCI Event A. Submission Type (select one only) b Rule 1002(b)(1) Initial Notification of SCI event b Rule 1002(b)(2) Notification of SCI event b Rule 1002(b)(3) Update of SCI event: #### b Rule 1002(b)(4) Final Report of SCI event b Rule 1002(b)(4) Interim Status Report of SCI event If filing a Rule 1002(b)(1) or Rule 1002(b)(3) submission, please provide a brief description: PO 00000 Frm 00126 Fmt 4701 Sfmt 4702 lllllllllllllllllllll lllllllllllllllllllll lllllllllllllllllllll B. SCI Event Type(s) (select all that apply) b Systems compliance issue; b Systems disruption b Systems intrusion C. General Information Required for (b)(2) filings. (1) Has the Commission previously been notified of the SCI event pursuant to 1002(b)(1)? yes/no (2) Date/time SCI event occurred: mm/dd/ yyyy hh:mm am/pm (3) Duration of SCI event: hh:mm, or days (4) Please provide the date and time when a responsible SCI personnel had reasonable basis to conclude the SCI event occurred: mm/dd/yyyy hh:mm am/pm (5) Has the SCI event been resolved? yes/no (a) If yes, provide date and time of resolution: mm/dd/yyyy hh:mm am/pm (6) Is the investigation of the SCI event closed? 
yes/no (a) If yes, provide date of closure: mm/dd/ yyyy (7) Estimated number of market participants potentially affected by the SCI event: #### (8) Is the SCI event a major SCI event (as defined in Rule 1000)? yes/no D. Information about impacted systems: Name(s) of system(s): lllllllllllllllllllll lllllllllllllllllllll lllllllllllllllllllll Type(s) of system(s) impacted by the SCI event (check all that apply): b Trading b Clearance and settlement b Order routing b Market data b Market regulation b Market surveillance b Indirect SCI systems (please describe): lllllllllllllllllllll lllllllllllllllllllll lllllllllllllllllllll Are any critical SCI systems impacted by the SCI event (check all that apply)? Yes/No (1) Systems that directly support functionality relating to: b Clearance and settlement systems of clearing agencies b Openings, reopenings, and closings on the primary listing market b Trading halts b Initial public offerings b The provision of consolidated market data b Exclusively-listed securities (2) b Systems that provide functionality to the securities markets for which the availability of alternatives is significantly limited or nonexistent and without which there would be a material impact on fair and orderly markets (please describe): lllllllllllllllllllll lllllllllllllllllllll lllllllllllllllllllll Section II: Periodic Reporting (select one only) A. Quarterly Reports: For the quarter ended: mm/dd/yyyy b Rule 1002(b)(5)(ii): Quarterly report of systems disruptions with no or a de minimis impact. E:\FR\FM\14APP2.SGM 14APP2 Federal Register / Vol. 88, No. 72 / Friday, April 14, 2023 / Proposed Rules b Rule 1003(a)(1): Quarterly report of material systems changes b Rule 1003(a)(2): Supplemental report of material systems changes B. 
SCI Review Reports b Rule 1003(b)(3): Report of SCI review, together with the response of senior management Date of completion of SCI review: mm/dd/ yyyy Date of submission of SCI review to senior management: mm/dd/yyyy Section III: Contact Information Provide the following information of the person at the {SCI entity name} prepared to respond to questions for this submission: Exhibit 1: Rule 1002(b)(2) Notification of SCI Event. Add/Remove/View. Exhibit 2: Rule 1002(b)(4) Final or Interim Report of SCI Event. Add/Remove/View. Exhibit 3: Rule 1002(b)(5)(ii) Quarterly Report of DeMinimis SCI Events. Add/Remove/View. Exhibit 4: Rule 1003 (a) Quarterly Report of Systems Changes. Add/Remove/View. Exhibit 5: Rule 1003(b)(3) Report of SCI review. Add/ Remove/View. Exhibit 6: Optional Attachments. Add/Remove/View .... General Instructions for Form SCI ddrumheller on DSK120RN23PROD with PROPOSALS2 A. Use of the Form Except with respect to notifications to the Commission made pursuant to Rule 1002(b)(1) or updates to the Commission made pursuant to Rule 1002(b)(3), any notification, review, description, analysis, or report required to be submitted pursuant to Regulation SCI under the Securities Exchange Act of 1934 (‘‘Act’’) shall be filed in an electronic format through an electronic form filing system (‘‘EFFS’’), a secure website operated by the Securities and Exchange Commission (‘‘Commission’’). Documents attached as exhibits filed through the EFFS system must be in a text-searchable format without the use of optical character VerDate Sep<11>2014 20:01 Apr 13, 2023 Jkt 259001 First Name: Last Name: Title: E-Mail: Telephone: Fax: Additional Contacts (Optional) First Name: Last Name: Title: E-Mail: Telephone: Fax: First Name: Last Name: Title: 23271 E-Mail: Telephone: Fax: Section IV: Signature Confidential treatment is requested pursuant to Rule 24b–2(g). 
Additionally, pursuant to the requirements of the Securities Exchange Act of 1934, {SCI Entity name} has duly caused this {notification} {report} to be signed on its behalf by the undersigned duly authorized officer: Date: By (Name) Title (llllll) ‘‘Digitally Sign and Lock Form’’ Within 24 hours of any responsible SCI personnel having a reasonable basis to conclude that the SCI event has occurred, the SCI entity shall submit a written notification pertaining to such SCI event to the Commission, which shall be made on a good faith, best efforts basis and include: (a) a description of the SCI event, including the system(s) affected; and (b) to the extent available as of the time of the notification: the SCI entity’s current assessment of the types and number of market participants potentially affected by the SCI event; the potential impact of the SCI event on the market; a description of the steps the SCI entity has taken, is taking, or plans to take, with respect to the SCI event; the time the SCI event was resolved or timeframe within which the SCI event is expected to be resolved; and any other pertinent information known by the SCI entity about the SCI event. 
When submitting a final report pursuant to either Rule 1002(b)(4)(i)(A) or Rule 1002(b)(4)(i)(B)(2), the SCI entity shall include: (a) a detailed description of: the SCI entity’s assessment of the types and number of market participants affected by the SCI event; the SCI entity’s assessment of the impact of the SCI event on the market; the steps the SCI entity has taken, is taking, or plans to take, with respect to the SCI event; the time the SCI event was resolved; the SCI entity’s rule(s) and/or governing document(s), as applicable, that relate to the SCI event; and any other pertinent information known by the SCI entity about the SCI event; (b) a copy of any information disseminated pursuant to Rule 1002(c) by the SCI entity to date regarding the SCI event to any of its members, participants, or, in the case of an SCI broker-dealer, customers; and (c) an analysis of parties that may have experienced a loss, whether monetary or otherwise, due to the SCI event, the number of such parties, and an estimate of the aggregate amount of such loss. When submitting an interim report pursuant to Rule 1002(b)(4)(i)(B)(1), the SCI entity shall include such information to the extent known at the time. The SCI entity shall submit a report, within 30 calendar days after the end of each calendar quarter, containing a summary description of systems disruptions that have had, or the SCI entity reasonably estimates would have, no or a de minimis impact on the SCI entity’s operations or on market participants, including the SCI systems affected by such systems disruptions during the applicable calendar quarter. 
When submitting a report pursuant to Rule 1003(a)(1), the SCI entity shall provide a report, within 30 calendar days after the end of each calendar quarter, describing completed, ongoing, and planned material changes to its SCI systems and the security of indirect SCI systems, during the prior, current, and subsequent calendar quarters, including the dates or expected dates of commencement and completion. An SCI entity shall establish reasonable written criteria for identifying a change to its SCI systems and the security of indirect SCI systems as material and report such changes in accordance with such criteria. When submitting a report pursuant to Rule 1003(a)(2), the SCI entity shall provide a supplemental report of a material error in or material omission from a report previously submitted under Rule 1003(a)(1). The SCI entity shall provide the report of the SCI review, together with the date the report was submitted to senior management and the response of senior management to such report, within 60 calendar days after its submission to senior management of the SCI entity. This exhibit may be used in order to attach other documents that the SCI entity may wish to submit as part of a Rule 1002(b)(1) initial notification submission or Rule 1002(b)(3) update submission. recognition. If, however, a portion of a Form SCI submission (e.g., an image or diagram) cannot be made available in a text-searchable format, such portion may be submitted in a non-text searchable format. B. Need for Careful Preparation of the Completed Form, Including Exhibits This form, including the exhibits, is intended to elicit information necessary for Commission staff to work with SCI entities to ensure the capacity, integrity, resiliency, availability, security, and compliance of their automated systems. An SCI entity must provide all the information required by the form, including the exhibits, and must present the information in a clear and comprehensible manner. 
A filing that is PO 00000 Frm 00127 Fmt 4701 Sfmt 4702 incomplete or similarly deficient may be returned to the SCI entity. Any filing so returned shall for all purposes be deemed not to have been filed with the Commission. See also Rule 0–3 under the Act (17 CFR 240.0– 3). C. When To Use the Form Form SCI is comprised of six types of required submissions to the Commission pursuant to Rules 1002 and 1003. In addition, Form SCI permits SCI entities to submit to the Commission two additional types of submissions pursuant to Rules 1002(b)(1) and 1002(b)(3); however, SCI entities are not required to use Form SCI for these two types of submissions to the Commission. In filling out Form SCI, an SCI E:\FR\FM\14APP2.SGM 14APP2 23272 Federal Register / Vol. 88, No. 72 / Friday, April 14, 2023 / Proposed Rules entity shall select the type of filing and provide all information required by Regulation SCI specific to that type of filing. The first two types of required submissions relate to Commission notification of certain SCI events: (1) ‘‘Rule 1002(b)(2) Notification of SCI Event’’ submissions for notifications regarding systems disruptions, systems compliance issues, or systems intrusions (collectively, ‘‘SCI events’’), other than any systems disruption or systems compliance issue that has had, or the SCI entity reasonably estimates would have, no or a de minimis impact on the SCI entity’s operations or on market participants; and (2) ‘‘Rule 1002(b)(4) Final or Interim Report of SCI Event’’ submissions, of which there are two kinds (a final report under Rule 1002(b)(4)(i)(A) or Rule 1002(b)(4)(i)(B)(2); or an interim status report under Rule 1002(b)(4)(i)(B)(1)). 
The other four types of required submissions are periodic reports, and include: (1) “Rule 1002(b)(5)(ii)” submissions for quarterly reports of systems disruptions which have had, or the SCI entity reasonably estimates would have, no or a de minimis impact on the SCI entity’s operations or on market participants; (2) “Rule 1003(a)(1)” submissions for quarterly reports of material systems changes; (3) “Rule 1003(a)(2)” submissions for supplemental reports of material systems changes; and (4) “Rule 1003(b)(3)” submissions for reports of SCI reviews.

Required Submissions for SCI Events

For 1002(b)(2) submissions, an SCI entity must notify the Commission using Form SCI by selecting the appropriate box in Section I and filling out all information required by the form, including Exhibit 1. 1002(b)(2) submissions must be submitted within 24 hours of any responsible SCI personnel having a reasonable basis to conclude that an SCI event has occurred.

For 1002(b)(4) submissions, if an SCI event is resolved and the SCI entity’s investigation of the SCI event is closed within 30 calendar days of the occurrence of the SCI event, an SCI entity must file a final report under Rule 1002(b)(4)(i)(A) within five business days after the resolution of the SCI event and closure of the investigation regarding the SCI event. However, if an SCI event is not resolved or the SCI entity’s investigation of the SCI event is not closed within 30 calendar days of the occurrence of the SCI event, an SCI entity must file an interim status report under Rule 1002(b)(4)(i)(B)(1) within 30 calendar days after the occurrence of the SCI event. For SCI events in which an interim status report is required to be filed, an SCI entity must file a final report under Rule 1002(b)(4)(i)(B)(2) within five business days after the resolution of the SCI event and closure of the investigation regarding the SCI event.

For 1002(b)(4) submissions, an SCI entity must notify the Commission using Form SCI by selecting the appropriate box in Section I and filling out all information required by the form, including Exhibit 2.

Required Submissions for Periodic Reporting

For 1002(b)(5)(ii) submissions, an SCI entity must submit quarterly reports of systems disruptions which have had, or the SCI entity reasonably estimates would have, no or a de minimis impact on the SCI entity’s operations or on market participants. The SCI entity must select the appropriate box in Section II and fill out all information required by the form, including Exhibit 3.

For 1003(a)(1) submissions, an SCI entity must submit its quarterly report of material systems changes to the Commission using Form SCI. The SCI entity must select the appropriate box in Section II and fill out all information required by the form, including Exhibit 4. Filings made pursuant to Rule 1002(b)(5)(ii) and Rule 1003(a)(1) must be submitted to the Commission within 30 calendar days after the end of each calendar quarter (i.e., March 31st, June 30th, September 30th and December 31st) of each year.

For 1003(a)(2) submissions, an SCI entity must submit a supplemental report notifying the Commission of a material error in or material omission from a report previously submitted under Rule 1003(a). The SCI entity must select the appropriate box in Section II and fill out all information required by the form, including Exhibit 4.

For 1003(b)(3) submissions, an SCI entity must submit its report of its SCI review, together with the date the report was submitted to senior management and the response of senior management to such report, to the Commission using Form SCI. A 1003(b)(3) submission is required within 60 calendar days after the report of the SCI review has been submitted to senior management of the SCI entity. The SCI entity must select the appropriate box in Section II and fill out all information required by the form, including Exhibit 5.

Optional Submissions

An SCI entity may, but is not required to, use Form SCI to submit a notification pursuant to Rule 1002(b)(1). If the SCI entity uses Form SCI to submit a notification pursuant to Rule 1002(b)(1), it must select the appropriate box in Section I and provide a short description of the SCI event. Documents may also be attached as Exhibit 6 if the SCI entity chooses to do so.

An SCI entity may, but is not required to, use Form SCI to submit an update pursuant to Rule 1002(b)(3). Rule 1002(b)(3) requires an SCI entity to, until such time as the SCI event is resolved and the SCI entity’s investigation of the SCI event is closed, provide updates pertaining to such SCI event to the Commission on a regular basis, or at such frequency as reasonably requested by a representative of the Commission, to correct any materially incorrect information previously provided, or when new material information is discovered, including but not limited to, any of the information listed in Rule 1002(b)(2)(ii). If the SCI entity uses Form SCI to submit an update pursuant to Rule 1002(b)(3), it must select the appropriate box in Section I and provide a short description of the SCI event. Documents may also be attached as Exhibit 6 if the SCI entity chooses to do so.

D. Documents Comprising the Completed Form

The completed form filed with the Commission shall consist of Form SCI, responses to all applicable items, and any exhibits required in connection with the filing. Each filing shall be marked on Form SCI with the initials of the SCI entity, the four-digit year, and the number of the filing for the year (e.g., SCI Name-YYYY-XXX).

E. Contact Information; Signature; and Filing of the Completed Form

Each time an SCI entity submits a filing to the Commission on Form SCI, the SCI entity must provide the contact information required by Section III of Form SCI. Space for additional contact information, if appropriate, is also provided. All notifications and reports required to be submitted through Form SCI shall be filed through the EFFS. In order to file Form SCI through the EFFS, SCI entities must request access to the Commission’s External Application Server by completing a request for an external account user ID and password. Initial requests will be received by contacting (202) 551–5777. An email will be sent to the requestor that will provide a link to a secure website where basic profile information will be requested. A duly authorized individual of the SCI entity shall electronically sign the completed Form SCI as indicated in Section IV of the form. In addition, a duly authorized individual of the SCI entity shall manually sign one copy of the completed Form SCI, and the manually signed signature page shall be preserved pursuant to the requirements of Rule 1005.

F. Withdrawals of Commission Notifications and Periodic Reports

If an SCI entity determines to withdraw a Form SCI, it must complete Page 1 of the Form SCI and indicate by selecting the appropriate check box to withdraw the submission.

G. Paperwork Reduction Act Disclosure

This collection of information will be reviewed by the Office of Management and Budget in accordance with the clearance requirements of 44 U.S.C. 3507. An agency may not conduct or sponsor, and a person is not required to respond to, a collection of information unless it displays a currently valid control number. The Commission estimates that the average burden to respond to Form SCI will be between one and 125 hours, depending upon the purpose for which the form is being filed. Any member of the public may direct to the Commission any comments concerning the accuracy of this burden estimate and any suggestions for reducing this burden. Except with respect to notifications to the Commission made pursuant to Rule 1002(b)(1) or updates to the Commission made pursuant to Rule 1002(b)(3), it is mandatory that an SCI entity file all notifications, reviews, descriptions, analyses, and reports required by Regulation SCI using Form SCI. The Commission will keep the information collected pursuant to Form SCI confidential to the extent permitted by law. Subject to the provisions of the Freedom of Information Act, 5 U.S.C. 522 (“FOIA”), and the Commission’s rules thereunder (17 CFR 200.80(b)(4)(iii)), the Commission does not generally publish or make available information contained in any reports, summaries, analyses, letters, or memoranda arising out of, in anticipation of, or in connection with an examination or inspection of the books and records of any person or any other investigation.

H. Exhibits

List of exhibits to be filed, as applicable:

Exhibit 1: Rule 1002(b)(2)—Notification of SCI Event. Within 24 hours of any responsible SCI personnel having a reasonable basis to conclude that the SCI event has occurred, the SCI entity shall submit a written notification pertaining to such SCI event to the Commission, which shall be made on a good faith, best efforts basis and include: (a) a description of the SCI event, including the system(s) affected; and (b) to the extent available as of the time of the notification: the SCI entity’s current assessment of the types and number of market participants potentially affected by the SCI event; the potential impact of the SCI event on the market; a description of the steps the SCI entity has taken, is taking, or plans to take, with respect to the SCI event; the time the SCI event was resolved or timeframe within which the SCI event is expected to be resolved; and any other pertinent information known by the SCI entity about the SCI event.

Exhibit 2: Rule 1002(b)(4)—Final or Interim Report of SCI Event. When submitting a final report pursuant to either Rule 1002(b)(4)(i)(A) or Rule 1002(b)(4)(i)(B)(2), the SCI entity shall include: (a) a detailed description of: the SCI entity’s assessment of the types and number of market participants affected by the SCI event; the SCI entity’s assessment of the impact of the SCI event on the market; the steps the SCI entity has taken, is taking, or plans to take, with respect to the SCI event; the time the SCI event was resolved; the SCI entity’s rule(s) and/or governing document(s), as applicable, that relate to the SCI event; and any other pertinent information known by the SCI entity about the SCI event; (b) a copy of any information disseminated pursuant to Rule 1002(c) by the SCI entity to date regarding the SCI event to any of its members, participants, or, in the case of an SCI broker-dealer, customers; and (c) an analysis of parties that may have experienced a loss, whether monetary or otherwise, due to the SCI event, the number of such parties, and an estimate of the aggregate amount of such loss. When submitting an interim report pursuant to Rule 1002(b)(4)(i)(B)(1), the SCI entity shall include such information to the extent known at the time.

Exhibit 3: Rule 1002(b)(5)(ii)—Quarterly Report of De Minimis SCI Events. The SCI entity shall submit a report, within 30 calendar days after the end of each calendar quarter, containing a summary description of systems disruptions that have had, or the SCI entity reasonably estimates would have, no or a de minimis impact on the SCI entity’s operations or on market participants, including the SCI systems affected by such SCI events during the applicable calendar quarter.

Exhibit 4: Rule 1003(a)—Quarterly Report of Systems Changes. When submitting a report pursuant to Rule 1003(a)(1), the SCI entity shall provide a report, within 30 calendar days after the end of each calendar quarter, describing completed, ongoing, and planned material changes to its SCI systems and the security of indirect SCI systems, during the prior, current, and subsequent calendar quarters, including the dates or expected dates of commencement and completion. An SCI entity shall establish reasonable written criteria for identifying a change to its SCI systems and the security of indirect SCI systems as material and report such changes in accordance with such criteria. When submitting a report pursuant to Rule 1003(a)(2), the SCI entity shall provide a supplemental report of a material error in or material omission from a report previously submitted under Rule 1003(a); provided, however, that a supplemental report is not required if information regarding a material systems change is or will be provided as part of a notification made pursuant to Rule 1002(b).

Exhibit 5: Rule 1003(b)(3)—Report of SCI Review. The SCI entity shall provide the report of the SCI review, together with the date the report was submitted to senior management and the response of senior management to such report, within 60 calendar days after its submission to senior management of the SCI entity.

Exhibit 6: Optional Attachments. This exhibit may be used in order to attach other documents that the SCI entity may wish to submit as part of a Rule 1002(b)(1) initial notification submission or Rule 1002(b)(3) update submission.

I. Explanation of Terms

Critical SCI systems means any SCI systems of, or operated by or on behalf of, an SCI entity that: (1) directly support functionality relating to: (i) clearance and settlement systems of clearing agencies; (ii) openings, reopenings, and closings on the primary listing market; (iii) trading halts; (iv) initial public offerings; (v) the provision of market data by a plan processor; or (vi) exclusively-listed securities; or (2) provide functionality to the securities markets for which the availability of alternatives is significantly limited or nonexistent and without which there would be a material impact on fair and orderly markets.

Indirect SCI systems means any systems of, or operated by or on behalf of, an SCI entity that, if breached, would be reasonably likely to pose a security threat to SCI systems.

Major SCI event means an SCI event that has had, or the SCI entity reasonably estimates would have: (1) any impact on a critical SCI system; or (2) a significant impact on the SCI entity’s operations or on market participants.

Responsible SCI personnel means, for a particular SCI system or indirect SCI system impacted by an SCI event, such senior manager(s) of the SCI entity having responsibility for such system, and their designee(s).

SCI entity means an SCI self-regulatory organization, SCI alternative trading system, plan processor, exempt clearing agency, SCI competing consolidator, SCI broker-dealer, or registered security-based swap data repository.

SCI event means an event at an SCI entity that constitutes: (1) a systems disruption; (2) a systems compliance issue; or (3) a systems intrusion.

SCI review means a review, following established and documented procedures and standards, that is performed by objective personnel having appropriate experience to conduct reviews of SCI systems and indirect SCI systems, and which review, using appropriate risk management methodology, contains: (1) with respect to each SCI system and indirect SCI system of the SCI entity, assessments performed by objective personnel of: (A) the risks related to capacity, integrity, resiliency, availability, and security; (B) internal control design and operating effectiveness, to include logical and physical security controls, development processes, systems capacity and availability, information technology service continuity, and information technology governance, consistent with industry standards; and (C) third party provider management risks and controls; and (2) penetration test reviews performed by objective personnel of the network, firewalls, and production systems, including of any vulnerabilities of its SCI systems and indirect SCI systems identified pursuant to paragraph § 242.1001(a)(2)(iv); (3) provided, however, that assessments of SCI systems directly supporting market regulation or market surveillance shall be conducted at a frequency based upon the risk assessment conducted as part of the SCI review, but in no case less than once every three years.

SCI systems means all computer, network, electronic, technical, automated, or similar systems of, or operated by or on behalf of, an SCI entity that, with respect to securities, directly support trading, clearance and settlement, order routing, market data, market regulation, or market surveillance; provided, however, that with respect to an SCI broker-dealer that satisfies only the requirements of paragraph (2) of the definition of “SCI broker-dealer,” such systems shall include only those systems with respect to the type of securities for which an SCI broker-dealer satisfies the requirements of paragraph (2) of the definition.

Systems Compliance Issue means an event at an SCI entity that has caused any SCI system of such entity to operate in a manner that does not comply with the Act and the rules and regulations thereunder or the entity’s rules or governing documents, as applicable.

Systems Disruption means an event in an SCI entity’s SCI systems that disrupts, or significantly degrades, the normal operation of an SCI system.

Systems Intrusion means any: (1) unauthorized entry into the SCI systems or indirect SCI systems of an SCI entity; (2) cybersecurity event that disrupts, or significantly degrades, the normal operation of an SCI system; or (3) significant attempted unauthorized entry into the SCI systems or indirect SCI systems of an SCI entity, as determined by the SCI entity pursuant to established reasonable written criteria.

[FR Doc. 2023–05775 Filed 4–13–23; 8:45 am]

BILLING CODE 8011–01–P
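The filing clocks set out in the Form SCI instructions above (the 24-hour Rule 1002(b)(2) notification, the 30-calendar-day interim/final branch of Rule 1002(b)(4), the quarterly Rule 1002(b)(5)(ii) report and the 60-day Rule 1003(b)(3) review report) worked through as a deadline helper an incident-response team might run when an SCI event is declared. This is an added example, not code from the release or any SEC tool; the SciEvent and Filing types, the Monday-to-Friday business-day rule without a holiday calendar, and the sample event dates are assumptions of the example.

```python
"""Form SCI filing-deadline helper (added example, not from the SEC release).

Encodes the clocks stated in the Form SCI instructions: the 24-hour Rule
1002(b)(2) notification (Exhibit 1); the Rule 1002(b)(4) final report 5 business
days after resolution and closure of the investigation, preceded by an interim
status report at 30 calendar days when the event is not resolved and closed by
then (Exhibit 2); the quarterly Rule 1002(b)(5)(ii) report of de minimis
disruptions due 30 calendar days after quarter end (Exhibit 3); and the Rule
1003(b)(3) SCI review report 60 calendar days after it went to senior management
(Exhibit 5). Assumptions of this example: a business day is Monday-Friday with no
holiday calendar, and "within 30 calendar days" is tested against the occurrence
timestamp plus 30 days. Optional Rule 1002(b)(1)/(b)(3) submissions are not modelled.
"""
from __future__ import annotations

from dataclasses import dataclass
from datetime import date, datetime, timedelta
from typing import Optional, Union


def add_business_days(start: date, n: int) -> date:
    """Date n Monday-Friday business days after start (weekends skipped)."""
    d = start
    while n > 0:
        d += timedelta(days=1)
        if d.weekday() < 5:  # Monday=0 ... Friday=4
            n -= 1
    return d


def quarter_end(d: date) -> date:
    """Last day of the calendar quarter containing d (Mar 31, Jun 30, Sep 30, Dec 31)."""
    q_month = ((d.month - 1) // 3 + 1) * 3
    return date(d.year, q_month, {3: 31, 6: 30, 9: 30, 12: 31}[q_month])


def quarterly_report_due(d: date) -> date:
    """Due date of the 1002(b)(5)(ii) or 1003(a)(1) report covering the quarter of d."""
    return quarter_end(d) + timedelta(days=30)


def sci_review_due(submitted_to_senior_management: date) -> date:
    """Rule 1003(b)(3): the report of the SCI review is due 60 calendar days later."""
    return submitted_to_senior_management + timedelta(days=60)


def filing_id(entity_initials: str, year: int, sequence: int) -> str:
    """Filing marker in the form the instructions give: SCI Name-YYYY-XXX."""
    return f"{entity_initials}-{year:04d}-{sequence:03d}"


@dataclass(frozen=True)
class Filing:
    rule: str                   # Regulation SCI provision requiring the filing
    exhibit: str                # Form SCI exhibit carrying the content
    due: Union[datetime, date]  # 1002(b)(2) runs a 24-hour clock; reports are day-granular


@dataclass(frozen=True)
class SciEvent:
    occurred: datetime                   # when the SCI event occurred
    reasonable_basis: datetime           # when responsible SCI personnel had a reasonable basis
    de_minimis: bool = False             # no or de minimis impact: quarterly-report path
    resolved: Optional[datetime] = None  # None while the event is still open
    investigation_closed: Optional[datetime] = None  # None while the investigation is open


def required_filings(ev: SciEvent) -> list[Filing]:
    """Form SCI filings the event triggers, with due dates, given what is known so far."""
    if ev.de_minimis:
        # Summary description goes in the quarterly report for the quarter of occurrence.
        return [Filing("1002(b)(5)(ii)", "Exhibit 3", quarterly_report_due(ev.occurred.date()))]

    filings = [Filing("1002(b)(2)", "Exhibit 1", ev.reasonable_basis + timedelta(hours=24))]
    day_30 = ev.occurred + timedelta(days=30)
    closed_at = None
    if ev.resolved is not None and ev.investigation_closed is not None:
        closed_at = max(ev.resolved, ev.investigation_closed)  # both must have happened

    if closed_at is not None and closed_at <= day_30:
        # Resolved and closed within 30 calendar days: straight to the final report.
        filings.append(Filing("1002(b)(4)(i)(A)", "Exhibit 2", add_business_days(closed_at.date(), 5)))
    else:
        # Open at day 30 (or closed later): the interim status report is due at day 30 ...
        filings.append(Filing("1002(b)(4)(i)(B)(1)", "Exhibit 2", day_30.date()))
        if closed_at is not None:
            # ... and the final report follows 5 business days after resolution and closure.
            filings.append(Filing("1002(b)(4)(i)(B)(2)", "Exhibit 2", add_business_days(closed_at.date(), 5)))
    return filings


if __name__ == "__main__":
    # Constructed sample: event on the release date, investigation closed the next Tuesday.
    sample = SciEvent(occurred=datetime(2023, 4, 14, 9, 30), reasonable_basis=datetime(2023, 4, 14, 10, 0),
                      resolved=datetime(2023, 4, 14, 11, 0), investigation_closed=datetime(2023, 4, 18, 17, 0))
    print(filing_id("XYZ", 2023, 1))
    for f in required_filings(sample):
        print(f"{f.rule:<20} {f.exhibit:<9} due {f.due}")
```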

SECURITIES AND EXCHANGE COMMISSION

17 CFR Parts 242 and 249

[Release No. 34-97143; File No. S7-07-23]
RIN 3235-AN25


Regulation Systems Compliance and Integrity

AGENCY: Securities and Exchange Commission.

ACTION: Proposed rule.

-----------------------------------------------------------------------


FOR FURTHER INFORMATION CONTACT: Heidi Pilpel, Senior Special Counsel; 
David Liu, Special Counsel; Sara Hawkins, Special Counsel; Gita 
Subramaniam, Special Counsel; Josh Nimmo, Special Counsel; An Phan, 
Special Counsel, at (202) 551-5500, Office of Market Supervision, 
Division of Trading and Markets, U.S. Securities and Exchange 
Commission, 100 F Street NE, Washington, DC 20549.

SUPPLEMENTARY INFORMATION: The Commission is proposing amendments to 
the following rules under the Exchange Act and conforming amendments to 
Form SCI.

------------------------------------------------------------------------
           Commission reference                CFR citation (17 CFR)
------------------------------------------------------------------------
Rule 1000................................  Sec.   242.1000
Rule 1001................................  Sec.   242.1001
Rule 1001(a).............................  Sec.   242.1001(a)
Rule 1001(a)(2)..........................  Sec.   242.1001(a)(2)
Rule 1001(a)(2)(v).......................  Sec.   242.1001(a)(2)(v)
Rule 1001(a)(2)(vi)......................  Sec.   242.1001(a)(2)(vi)
Rule 1001(a)(2)(vii).....................  Sec.   242.1001(a)(2)(vii)
Rule 1001(a)(4)..........................  Sec.   242.1001(a)(4)
Rule 1002................................  Sec.   242.1002
Rule 1002(b).............................  Sec.   242.1002(b)
Rule 1002(b)(4)(ii)(B)...................  Sec.   242.1002(b)(4)(ii)(B)
Rule 1002(b)(5)..........................  Sec.   242.1002(b)(5)
Rule 1002(b)(5)(i).......................  Sec.   242.1002(b)(5)(i)
Rule 1002(b)(5)(ii)......................  Sec.   242.1002(b)(5)(ii)
Rule 1002(c).............................  Sec.   242.1002(c)
Rule 1002(c)(3)..........................  Sec.   242.1002(c)(3)
Rule 1002(c)(4)..........................  Sec.   242.1002(c)(4)
Rule 1002(c)(4)(i).......................  Sec.   242.1002(c)(4)(i)
Rule 1002(c)(4)(ii)......................  Sec.   242.1002(c)(4)(ii)
Rule 1003................................  Sec.   242.1003
Rule 1003(b).............................  Sec.   242.1003(b)
Rule 1003(b)(1)..........................  Sec.   242.1003(b)(1)
Rule 1003(b)(2)..........................  Sec.   242.1003(b)(2)
Rule 1003(b)(3)..........................  Sec.   242.1003(b)(3)
Rule 1004................................  Sec.   242.1004
Rule 1004(a).............................  Sec.   242.1004(a)
Rule 1004(b).............................  Sec.   242.1004(b)
Rule 1005................................  Sec.   242.1005
Rule 1005(c).............................  Sec.   242.1005(c)
------------------------------------------------------------------------

I. Introduction
II. Background and Overview
    A. History of Regulation SCI
    B. Current Regulation SCI
    1. SCI Entities and SCI Systems
    2. Reasonably Designed Policies and Procedures
    3. SCI Events
    4. Systems Changes and SCI Review
    5. Business Continuity and Disaster Recovery Testing with 
Members/Participants
    6. Recordkeeping and Other Provisions (Rules 1005-1007)
    C. Overview of Proposed Amendments to Regulation SCI
III. Proposed Amendments to Regulation SCI
    A. Definition of SCI Entity
    1. Evolution: Current and Proposed SCI Entities
    2. New Proposed SCI Entities
    3. General Request for Comment on Proposed Expansion of SCI 
Entities
    B. Request for Comment Regarding Significant-Volume Fixed Income 
ATSs and Broker-Dealers Using Electronic or Automated Systems for 
Trading of Corporate Debt Securities or Municipal Securities
    1. Discussion
    2. Request for Comment
    C. Strengthening Obligations of SCI Entities
    1. Systems Classification and Lifecycle Management
    2. Third-Party Provider Management
    3. Security
    4. SCI Review
    5. Current SCI Industry Standards
    6. Other Changes
    D. SCI Entities Subject to the Exchange Act Cybersecurity 
Proposal and/or Regulation S-P
    1. Discussion
    2. Request for Comment
IV. Paperwork Reduction Act
    A. Summary of Collections of Information
    B. Proposed Use of Information
    1. Rule 1001 of Regulation SCI
    2. Rule 1002 of Regulation SCI
    3. Rule 1003 of Regulation SCI
    4. Rule 1004 of Regulation SCI
    5. Rule 1005 and 1007 of Regulation SCI
    6. Rule 1006 of Regulation SCI

[[Page 23147]]

    C. Respondents
    D. Total Initial and Annual Reporting Burdens
    1. Rule 1001
    2. Rule 1002
    3. Rule 1003
    4. Rule 1004
    5. Rule 1005
    6. Rule 1006
    7. Summary of the Information Collection Burden
    E. Collection of Information Is Mandatory
    F. Confidentiality of Responses to Collection of Information
    G. Request for Comment
V. Economic Analysis
    A. Introduction
    B. Baseline
    1. New SCI Entities
    2. Existing SCI Entities:
    3. Current Market Practice
    4. Other Affected Parties
    C. Analysis of Benefits and Costs of Proposed Amendments
    1. General Benefits and Costs of Proposed Amendments
    2. Expansion to New SCI Entities
    3. Specific Benefits and Costs of Regulation SCI Requirements 
for All SCI Entities
    D. Efficiency, Competition, and Capital Formation Analysis
    E. Reasonable Alternatives
    1. Limiting the Scope of the Regulation SCI Provisions for New 
SCI Entities
    2. Mandating Compliance with Current SCI Industry Standards
    3. Requiring Diversity of Back-Up Plan Resources
    4. Penetration Testing Frequency
    5. Attestation for Critical SCI System Vendors
    6. Transaction Activity Threshold for SCI Broker-Dealers
    7. Limitation on Definition of ``SCI Systems'' for SCI Broker-
Dealers
VI. Regulatory Flexibility Act Certification
    A. ``Small Entity'' Definitions
    B. Current SCI Entities
    1. SCI SROs
    2. The MSRB
    3. SCI ATSs
    C. Proposed SCI Entities
    1. SBSDRs
    2. SCI Broker-dealers
    3. Exempt Clearing Agencies
    D. Certification
Statutory Authority

I. Introduction

    The U.S. securities markets are among the largest and most liquid 
in the world, attracting a wide variety of issuers and broad investor 
participation, and are essential for capital formation, job creation, 
and economic growth, both domestically and across the globe. The fair 
and orderly functioning of the U.S. securities markets is critically 
important to the U.S. economy. In 2014, recognizing the decades-long 
transformation of many U.S. securities markets from primarily manual 
markets to those that had become almost entirely electronic and highly 
dependent on sophisticated technology, including complex and 
interconnected trading, clearing, routing, market data, regulatory, 
surveillance and other technological systems, the Commission adopted 17 
CFR 242.1000 through 242.1007 (``Regulation SCI'') to supersede and 
replace the Commission's voluntary Automation Review Policy Program 
(``ARP'') and certain provisions of 17 CFR 242.300 through 242.304 
(``Regulation ATS'').\1\ Regulation SCI, which applies to ``SCI 
entities'' with respect to their ``SCI systems'' and ``indirect SCI 
systems,'' was the Commission's first formal extensive regulatory 
framework for oversight of the core technology of the U.S. securities 
markets.
---------------------------------------------------------------------------

    \1\ See Securities Exchange Act Release No. 73639 (Nov. 19, 
2014), 79 FR 72252 (Dec. 5, 2014) (``SCI Adopting Release'').
---------------------------------------------------------------------------

    The U.S. securities markets have demonstrated resilience since the 
adoption of Regulation SCI, with some market observers crediting 
Regulation SCI in helping to ensure that markets and market 
participants were prepared for the unprecedented trading volumes and 
volatility experienced in March 2020 at the onset of the COVID-19 
pandemic.\2\ The U.S. securities markets continue to experience changes 
and new challenges, however. The growth of electronic trading allows 
ever-increasing volumes of securities transactions in a broader range 
of asset classes to take place at increasing speed by competing trading 
platforms, including those offered by broker-dealers that play multiple 
roles in the markets.\3\ In addition, new types of registered entities 
that are highly dependent on interconnected technology have entered the 
markets.\4\ The prevalence of remote workforces, furthered by the 
COVID-19 pandemic,\5\ and increased outsourcing to third-party 
providers, including cloud service providers, continue to drive the 
markets' and market participants' reliance on new and evolving 
technology.\6\ While these advances demonstrate the dynamic and 
adaptable nature of the U.S. securities markets and market 
participants, the greater dispersal, sophistication, and 
interconnection of the technology underpinning our markets bring 
potential new risks. These risks include not only the heightened risk 
of exposure to cybersecurity events from threat actors intent on doing 
harm, but also operational systems problems that can and do arise 
inadvertently.
---------------------------------------------------------------------------

    \2\ See, e.g., Shane Remolina, Is Remote Trading Leading to a 
Paradigm Shift on the Trading Desk?, Traders Magazine (May 20, 
2020), available at www.tradersmagazine.com/departments/buyside/is-remote-trading-leading-to-a-paradigm-shift-on-the-trading-desk 
(observing ``no outages'' at the stock exchanges in Mar. 2020 in 
contrast to ``glitches'' experienced in 2000s); Financial Industry 
Regulatory Authority, Inc. (``FINRA''), Market Structure & COVID-19: 
Handling Increased Volatility and Volumes (Apr. 28, 2020), available 
at https://www.finra.org/media-center/finra-unscripted/market-structure-covid19-coronavirus (observing that market infrastructure 
and integrity held during the challenges in Mar. 2020, and crediting 
Regulation SCI, among other regulatory protections).
    \3\ See, e.g., Securities Industry and Financial Markets 
Association (``SIFMA''), SIFMA Insights: Electronic Trading Market 
Structure Primer (Oct. 2019), available at https://www.sifma.org/wp-content/uploads/2019/10/SIFMA-Insights-Electronic-Trading-Market-Structure-Primer.pdf (summarizing electronic trading history and 
trends in different markets). See also SEC Staff Report on 
Algorithmic Trading in U.S. Capital Markets at 16-19, 37 (Aug. 5, 
2020), available at https://www.sec.gov/files/marketstructure/research/algo_trading_report_2020.pdf (discussing broker-dealer ATSs 
and internalizers, and other in-house sources of liquidity, such as 
single-dealer platforms (``SDPs''), and central risk books operated 
by broker-dealers) (``Algorithmic Trading Report''). Staff reports, 
Investor Bulletins, and other staff documents (including those cited 
herein) represent the views of Commission staff and are not a rule, 
regulation, or statement of the Commission. The Commission has 
neither approved nor disapproved the content of these staff 
documents and, like all staff statements, they have no legal force 
or effect, do not alter or amend applicable law, and create no new 
or additional obligations for any person.
    \4\ See infra section III.A.2.a (discussing registered SBSDRs).
    \5\ See FS-ISAC, Navigating Cyber 2021 (Apr. 2021), available at 
https://www.fsisac.com/navigatingcyber2021-report. See also Vikki 
Davis, Combating the cybersecurity risks of working home, Cyber 
Magazine (Dec. 2, 2021), available at https://cybermagazine.com/cyber-security/combating-cybersecurity-risks-working-home.
    \6\ See, e.g., Angus Loten, Cloud Demand Drives Data Center 
Market to New Records, Wall St. J. (Feb. 27, 2020); Angus Loten, 
CIOs Accelerate Pre-Pandemic Cloud Push, Wall St. J. (Apr. 26, 
2021).
---------------------------------------------------------------------------

    As the Commission has acknowledged, Regulation SCI is not, nor can 
it be, designed to guarantee that SCI entities have flawless 
systems.\7\ Rather, its goals are to strengthen the technology 
infrastructure of the U.S. securities markets and improve its 
resilience when technology falls short.\8\ To help achieve these goals, 
the regulation requires that SCI entities have policies and procedures 
reasonably designed to ensure that their systems have levels of 
capacity, integrity, resiliency, availability, and security, adequate 
to maintain their operational capability and promote the maintenance of 
fair and orderly markets, and requires measures that facilitate the 
Commission's oversight of securities market technology 
infrastructure.\9\ Consistent with the goals of addressing 
technological vulnerabilities and improving oversight of the core 
technology of key U.S. securities market entities, the Commission is 
proposing amendments to Regulation SCI that would expand its 
application to additional key market participants and update certain of 
its provisions to take account of the evolution of technology and 
trading since the rule's adoption in 2014. The application of 
Regulation SCI to a broader range of entities together with updates to 
certain provisions--including to account for heightened cybersecurity 
risks, wider use of cloud service providers, and the increasingly 
complex and interconnected nature of SCI entities' systems--should help 
ensure that the technology infrastructure of the U.S. securities 
markets remains robust, resilient, and secure.
---------------------------------------------------------------------------

    \7\ See SCI Adopting Release, supra note 1, at 72291, 72351.
    \8\ See id. at 72257.
    \9\ See generally SCI Adopting Release, supra note 1, at 72299, 
72372, 72402, 72404-05.
---------------------------------------------------------------------------

    The Commission has issued other proposals related to cybersecurity 
that would apply to SCI entities as well as other entities under the 
Commission's jurisdiction.\10\ Regulation SCI, currently, and as 
proposed to be amended, however, differs from these proposals in terms 
of its purpose and scope. Regulation SCI applies to entities designated 
as key market participants because they play a significant role in the 
U.S. securities markets and/or have the potential to impact investors, 
the overall market, or the trading of individual securities in the 
event of a systems issue. Regulation SCI requires key market 
participants to (i) have policies and procedures in place to help 
ensure the robustness and resiliency of their market technology 
systems, and (ii) provide certain notices and reports to the 
Commission, and in some cases, market participants, to facilitate 
Commission oversight of securities market infrastructure. While 
Regulation SCI has cybersecurity aspects and certain of the proposed 
amendments to Regulation SCI would update policies and procedures 
requirements designed to keep SCI systems and indirect SCI systems 
secure, the proposed amendments are designed, more broadly, to ensure 
that SCI entities (current and proposed) have systems technology 
adequate to maintain operational capability of the systems on which the 
maintenance of fair and orderly markets depend.
---------------------------------------------------------------------------

    \10\ These include a proposal to adopt new rules requiring 
broker-dealers, major security-based swap participants, national 
securities exchanges, national securities associations, security-
based swap data repositories, security-based swap dealers, transfer 
agents, and the Municipal Securities Rulemaking Board (``MSRB'') to 
adopt and implement written cybersecurity policies and procedures 
reasonably designed to address cybersecurity risks to their 
``information systems'' and notify the Commission and the public of 
significant cybersecurity incidents affecting their information 
systems. See Securities Exchange Release No. 97142 (Mar. 15, 2023), 
88 FR 20212 (April 5, 2023) (proposing 17 CFR 242.10) (for ease of 
reference, this proposal is referred to as the ``Exchange Act 
Cybersecurity Proposal''). See also Securities Exchange Release No. 
97141 (Mar. 15, 2023), 88 FR 20616 (April 6, 2023) (proposing to 
amend 17 CFR part 248, subpart A (``Regulation S-P''), to, among 
other things, require broker-dealers, investment companies, SEC-
registered investment advisers, and transfer agents to adopt 
incident response programs to address unauthorized access to or use 
of customer records and information, including procedures for 
providing timely notification to individuals affected by an 
information security incident designed to help affected individuals 
respond appropriately) (``Regulation S-P 2023 Proposing Release''). 
See infra section III.D (discussing how SCI entities would be 
affected if the Exchange Act Cybersecurity Proposal, Regulation S-P 
2023 Proposing Release, and this proposal are all adopted as 
proposed). In addition, the Commission has pending proposals to 
address cybersecurity risk with respect to investment advisers, 
investment companies, and public companies. See Cybersecurity Risk 
Management for Investment Advisers, Registered Investment Companies, 
and Business Development Companies, Release Nos. 33-11028, 34-94917, 
IA-5956, IC-34497 (Feb. 9, 2022), 87 FR 13524 (Mar. 9, 2022) (``IA/
IC Cybersecurity Proposing Release''); Cybersecurity Risk 
Management, Strategy, Governance, and Incident Disclosure, Release 
Nos. 33-11038, 34-94382, IC-34529 (Mar. 9, 2022), 87 FR 16590 (Mar. 
23, 2022). The Commission has reopened the comment period for the 
IA/IC Cybersecurity Proposing Release to allow interested persons 
additional time to analyze the issues and prepare their comments in 
light of other regulatory developments, including the proposed rules 
and amendments regarding this proposal, the Exchange Act 
Cybersecurity Proposal and the Regulation S-P 2023 Proposing 
Release. The Commission encourages commenters to review those 
proposals to determine whether they might affect their comments on 
this proposing release.
---------------------------------------------------------------------------

II. Background and Overview

A. History of Regulation SCI

    The Commission adopted Regulation SCI in 2014 to supersede and 
replace the Commission's legacy voluntary ARP Program as well as 
certain provisions of Regulation ATS.\11\ In doing so, the Commission 
sought to strengthen the technology infrastructure of the U.S. 
securities markets, reduce the occurrence of systems issues in those 
markets, improve their resiliency when technological issues arise, and 
establish an updated and formalized regulatory framework, thereby 
helping to ensure more effective Commission oversight of such 
systems.\12\ Several factors contributed to the Commission's decision 
to adopt this regulation. Recognizing the growing importance of 
technology in the securities markets, the Commission issued the ARP I 
and ARP II Policy Statements in 1989 and 1991, respectively.\13\ In the 
decades that followed, key market participants in the securities 
industry increasingly relied on ever more complex technologies for 
trading and clearance and settlement of securities. The increased 
reliance on technology introduced challenges for the securities 
markets, as evidenced by a variety of market disruptions occurring in a 
relatively short time period.\14\ The Commission convened a roundtable 
entitled ``Technology and Trading: Promoting Stability in Today's 
Markets'' (``Technology Roundtable'') in 2012.\15\ Shortly thereafter, 
following Superstorm Sandy on the U.S. East Coast, the U.S. national 
securities exchanges closed for two business days in light of concerns 
over the physical safety of personnel and the possibility of technical 
issues.\16\ These and other developments in U.S. securities markets led 
the Commission to consider the effectiveness of the 1980s and 90s-era 
ARP Program. The focus of the ARP Program was to ensure that the self-
regulatory organizations (``SROs'') had adequate capacity, security, 
and business continuity plans by, among other things, reporting to the 
Commission staff their planned systems changes 30 days in advance and 
reporting outages in trading and related systems.\17\ While the ARP 
Policy Statements were rooted in Exchange Act

[[Page 23149]]

requirements, as policy statements rather than Commission rules, 
compliance was voluntary and in many instances the SROs did not fully 
disclose problems that occurred. In the SCI Proposing Release, the 
Commission stated that ``the continuing evolution of the securities 
markets to the current state, where they have become almost entirely 
electronic and highly dependent on sophisticated trading and other 
technology (including complex regulatory and surveillance systems, as 
well as systems relating to the provision of market data, intermarket 
routing and connectivity, and a variety of other member and issuer 
services), has posed challenges for the ARP Inspection Program.'' \18\ 
Informed by its review of recent technology problems in the markets, 
the discussions at the Technology Roundtable, and its evaluation of the 
ARP Program,\19\ the Commission proposed Regulation SCI in 2013 to help 
address the technological vulnerabilities, and improve Commission 
oversight, of the core technology of key U.S. securities markets 
entities, including national securities exchanges and associations, 
significant-volume ATSs, clearing agencies, and plan processors.\20\ 
After considering the views of a wide variety of commenters, the 
Commission adopted Regulation SCI in 2014.\21\ In the SCI Adopting 
Release, the Commission stated that it was taking a ``measured 
approach'' and pursuing an ``incremental expansion from the entities 
covered under the ARP Inspection Program'' given the potential costs of 
compliance with Regulation SCI.\22\ It added, however, that this 
approach would allow it ``to monitor and evaluate the implementation of 
Regulation SCI, the risks posed by the systems of other market 
participants, and the continued evolution of the securities markets, 
such that it may consider, in the future, extending the types of 
requirements in Regulation SCI to additional categories of market 
participants, such as non-ATS broker-dealers, security-based swap 
dealers, investment advisers, investment companies, transfer agents, 
and other key market participants.'' \23\ In 2021, the Commission 
amended Regulation SCI to add certain ``competing consolidators'' to 
the definition of SCI entity.\24\ Specifically, a competing 
consolidator that exceeds a five percent consolidated market data gross 
revenue threshold over a specified time period is an SCI competing 
consolidator because it is a significant source of consolidated market 
data for NMS stocks on which market participants rely.\25\
---------------------------------------------------------------------------

    \11\ See generally SCI Adopting Release, supra note 1.
    \12\ See SCI Adopting Release, supra note 1, at 72252-56 
(discussing the background of Regulation SCI).
    \13\ See Securities Exchange Act Release Nos. 27445 (Nov. 16, 
1989), 54 FR 48703 (Nov. 24, 1989), and 29185 (May 9, 1991), 56 FR 
22490 (May 15, 1991).
    \14\ See Securities Exchange Act Release No. 69077 (Mar. 8, 
2013), 78 FR 18083, 18089 (Mar. 25, 2013) (``SCI Proposing 
Release'') (citing, among other things, Findings Regarding the 
Market Events of May 6, 2010, Report of the Staffs of the Commodity 
Futures Trading Commission (``CFTC'') and SEC to the Joint Advisory 
Committee on Emerging Regulatory Issues (Sept. 30, 2010) (``Staff 
Report'') and discussing hackers penetrating certain Nasdaq OMX 
Group, Inc. computer networks in 2011, a ``software bug'' that 
hampered the initial public offerings of BATS Global Markets, Inc. 
in 2012, and issues with Nasdaq's trading systems delaying the start 
of trading in the high-profile initial public offering of Facebook, 
Inc.).
    \15\ See Securities Exchange Act Release No. 67802 (Sept. 7, 
2012), 77 FR 56697 (Sept. 13, 2012) (File No. 4-652); Technology 
Roundtable Transcript, available at https://www.sec.gov/news/otherwebcasts/2012/ttr100212-transcript.pdf. A webcast of the 
Roundtable is available at www.sec.gov/news/otherwebcasts/2012/ttr100212.shtml. The Technology Roundtable examined the relationship 
between the operational stability and integrity of the securities 
market and the ways in which market participants design, implement, 
and manage complex and interconnected trading technologies. The 
Technology Roundtable also highlighted that quality standards, 
testing, and improved response mechanisms were issues ripe for 
consideration. See SCI Proposing Release, supra note 14, at 18090-91 
(providing for further discussion of the Technology Roundtable).
    \16\ See SCI Proposing Release, supra note 14, at 18091. See 
also SCI Adopting Release, supra note 1, at 72254-72255 (summarizing 
additional disruptions during the period between publication of the 
SCI Proposing and Adopting Releases).
    \17\ See supra note 13.
    \18\ SCI Proposing Release, supra note 14, at 18089.
    \19\ See SCI Proposing Release, supra note 14, at 18085-91 for a 
further discussion of these considerations.
    \20\ As further explained in the SCI Adopting Release, the term 
``plan processor'' means ``any self-regulatory organization or 
securities information processor acting as an exclusive processor in 
connection with the development, implementation and/or operation of 
any facility contemplated by an effective national market system 
plan.'' See SCI Adopting Release, supra note 1, at 72270 n. 196. 
This term refers to the securities information processors that are 
exclusive processors (and frequently referred to as the ``SIPs'') 
that collect and process (for distribution) quotation data and/or 
transaction reports on behalf of the Consolidated Tape Association 
System (``CTA Plan''), Consolidated Quotation System (``CQS Plan''), 
Joint Self-Regulatory Organization Plan Governing the Collection, 
Consolidation, and Dissemination of Quotation and Transaction 
Information for Nasdaq-Listed Securities Traded on Exchanges on an 
Unlisted Trading Privileges Basis (``Nasdaq UTP Plan''), and Options 
Price Reporting Authority (``OPRA Plan''). The CTA Plan and Nasdaq 
UTP Plan (applicable to national market system (``NMS'') stocks) are 
each a ``transaction reporting plan'' as well as a ``national market 
system plan'' as defined in 17 CFR 242.600 (``Rule 600'' of 
Regulation NMS). The OPRA Plan (applicable to exchange-listed 
options) is a national market system plan. See infra note 212. See 
also text accompanying note 212 (discussing these Plans and how 
transaction reports containing the price and volume associated with 
a transaction involving the purchase or sale of a security are 
currently, and anticipated in the future to be, readily available to 
enable SCI ATSs and SCI broker-dealers to ascertain the total 
average daily dollar volume traded in NMS stock and exchange-listed 
options in a calendar month and self-assess if they exceed the 
proposed transaction activity thresholds discussed below).
    \21\ See generally SCI Adopting Release, supra note 1.
    \22\ Id. at 72259.
    \23\ Id. See also supra note 10 and accompanying text 
(referencing other cybersecurity rules proposed to apply to 
Commission registrants).
    \24\ See Securities Exchange Act Release No. 90610 (Dec. 9, 
2020), 86 FR 18596, 18659-18676 (Apr. 9, 2021) (``Market Data 
Infrastructure Adopting Release'') (adopting rules with respect to 
competing consolidators and defining ``competing consolidator'' to 
mean a securities information processor required to be registered 
pursuant to 17 CFR 242.614 (``Rule 614'') or a national 
securities exchange or national securities association that receives 
information with respect to quotations for and transactions in NMS 
stocks and generates a consolidated market data product for 
dissemination to any person).
    \25\ An ``SCI competing consolidator'' is any competing 
consolidator, which during at least four of the preceding six 
calendar months, accounted for five percent or more of consolidated 
market data gross revenue paid to the effective national market 
system plan or plans required under 17 CFR 242.603(b) (``Rule 
603(b)'') for NMS stocks (1) listed on the New York Stock Exchange, 
(2) listed on The Nasdaq Stock Market, or (3) listed on national 
securities exchanges other than the New York Stock Exchange or The 
Nasdaq Stock Market, as reported by such plan or plans pursuant to 
the terms thereof. See Rule 1000. An SCI competing consolidator is 
subject to Regulation SCI, and a competing consolidator for which 
Regulation SCI does not apply is subject to the systems capability 
requirement in 17 CFR 242.614(d)(9) (``Rule 614(d)(9)'' of 
Regulation NMS). See infra note 28 and accompanying text.
---------------------------------------------------------------------------

B. Current Regulation SCI

1. SCI Entities and SCI Systems
    Regulation SCI applies to ``SCI entities.'' \26\ SCI entities are 
those that the Commission has determined are market participants that 
play a significant role in the U.S. securities markets and/or have the 
potential to impact investors, the overall market, or the trading of 
individual securities in the event of certain types of systems 
problems.\27\ Today SCI entities comprise the self-regulatory 
organizations (excluding securities futures exchanges) (``SCI SROs''), 
ATSs meeting certain volume thresholds with respect to NMS stocks and 
non-NMS stocks (``SCI ATSs''), exclusive disseminators of consolidated 
market data (``plan processors''), certain competing disseminators of 
consolidated market data (``SCI competing consolidators'' \28\), and certain 
exempt clearing agencies.\29\
---------------------------------------------------------------------------

    \26\ See 17 CFR 242.1000 (defining the term ``SCI entity'' and 
terms included therein).
    \27\ See SCI Adopting Release, supra note 1, at 72259. Although 
some commenters had urged that Regulation SCI apply to fewer 
entities and only the most systemically important entities, the 
Commission disagreed, stating, ``[L]imiting the applicability of 
Regulation SCI to only the most systemically important entities 
posing the highest risk to the markets is too limited of a category 
of market participants, as it would exclude certain entities that, 
in the Commission's view, have the potential to pose significant 
risks to the securities markets should an SCI event occur.'' Id.
    \28\ See supra notes 24-25 (stating the definitions of competing 
consolidator and SCI competing consolidator). SCI competing 
consolidators are subject to Regulation SCI after a one-year 
transition period. See Market Data Infrastructure Adopting Release, 
supra note 24, at 18604. Competing consolidators in the transition 
period and competing consolidators below the gross revenue threshold 
are subject to a tailored set of operational capability and 
resiliency obligations designed to help ensure that the provision of 
consolidated market data products is prompt, accurate, and reliable. 
See Market Data Infrastructure Adopting Release, supra note 24, at 
18690-97 (providing a full discussion of the systems capability 
requirements for competing consolidators that are not subject to 
Regulation SCI but instead to Rule 614(d)(9)).
    \29\ See 17 CFR 242.1000 (defining the term SCI entity to mean 
``an SCI self-regulatory organization, SCI alternative trading 
system, plan processor, exempt clearing agency subject to ARP, or 
SCI competing consolidator'' and also separately defining each of 
these terms). See also SCI Adopting Release, supra note 1, at 72258-
72 (discussing the rationale for inclusion of SCI SROs, SCI ATSs, 
plan processors, and certain exempt clearing agencies in the 
original adopted definition of SCI entity); infra notes 83-84 and 
accompanying text (citing the releases explaining the expansion of the 
definition of SCI entity to include SCI competing consolidators, and 
the recent proposal to further expand the definition of SCI entity 
to include certain ATSs that trade U.S. Treasury Securities or 
Agency Securities exceeding specified volume thresholds 
(``Government Securities ATSs'')).
---------------------------------------------------------------------------

    An SCI entity has obligations with respect to its ``SCI systems,'' 
``critical SCI systems,'' and ``indirect SCI

[[Page 23150]]

systems.'' \30\ ``SCI systems'' are, broadly, the technology systems 
of, or operated by or on behalf of, an SCI entity that, with respect to 
securities, directly support at least one of six market functions: (i) 
trading; (ii) clearance and settlement; (iii) order routing; (iv) 
market data; (v) market regulation; or (vi) market surveillance.\31\ In 
addition, Regulation SCI defines ``critical SCI systems,'' which are a 
subset of SCI systems,\32\ and are designated as such because they 
represent potential single points of failure in the U.S. securities 
markets.\33\
---------------------------------------------------------------------------

    \30\ See 17 CFR 242.1000 (defining the terms ``SCI systems,'' 
``critical SCI systems,'' and ``indirect SCI systems'').
    \31\ Id. (defining SCI systems to mean ``all computer, network, 
electronic, technical, automated, or similar systems of, or operated 
by or on behalf of, an SCI entity that, with respect to securities, 
directly support trading, clearance and settlement, routing, market 
data, market regulation, or market surveillance'').
    \32\ Id. (defining critical SCI systems to mean any SCI systems 
of, or operated by or on behalf of, an SCI entity that: (1) Directly 
support functionality relating to: (i) Clearance and settlement 
systems of clearing agencies; (ii) Openings, reopenings, and 
closings on the primary listing market; (iii) Trading halts; (iv) 
Initial public offerings; (v) The provision of consolidated market 
data; or (vi) Exclusively listed securities; or (2) Provide 
functionality to the securities markets for which the availability 
of alternatives is significantly limited or nonexistent and without 
which there would be a material impact on fair and orderly markets).
    \33\ As discussed in the SCI Adopting Release, ``critical SCI 
systems'' are subject to certain heightened resilience and 
information dissemination provisions of Regulation SCI on the 
rationale that, lacking or having limited substitutes, these systems 
pose the greatest risks to the continuous and orderly function of 
the markets if they malfunction. See SCI Adopting Release, supra 
note 1, at 72277-79 (providing additional discussion of critical SCI 
systems).
---------------------------------------------------------------------------

    The term ``indirect SCI systems'' describes systems of, or operated 
by or on behalf of, an SCI entity that, ``if breached, would be 
reasonably likely to pose a security threat to SCI systems.'' \34\ The 
distinction between SCI systems and indirect SCI systems seeks to 
encourage SCI entities physically and/or logically to separate systems 
that perform or directly support securities market functions from those 
that perform other functions (e.g., corporate email; general office 
systems for member regulation and recordkeeping).\35\
---------------------------------------------------------------------------

    \34\ Id. at 72279.
    \35\ See SCI Adopting Release, supra note 1, at 72281 (``[I]f an 
SCI entity designs and implements security controls so that none of 
its non-SCI systems would be reasonably likely to pose a security 
threat to SCI systems, then it will have no indirect SCI systems. 
If, however, an SCI entity does have indirect SCI systems, then 
certain provisions of Regulation SCI will apply to those indirect 
SCI systems.'').
---------------------------------------------------------------------------

    Currently, the application of Regulation SCI is triggered when an 
entity meets the definition of SCI entity. If an entity meets the 
definition of SCI entity, Regulation SCI applies to its SCI systems and 
indirect SCI systems. The scope of an SCI entity's technology systems 
is determined by whether they are operated ``by or on behalf of'' the 
SCI entity and whether they directly support any of the six market 
functions enumerated in the definition. As a result, the SCI systems 
and indirect SCI systems of an SCI entity are neither limited by the 
type of security nor by the type of business in which an SCI entity 
primarily conducts its securities market activities. Thus, if an SCI 
entity elects to, or obtains the necessary approvals to, engage in 
market functions in multiple types of securities, Regulation SCI's 
obligations apply to the relevant functional systems relating to all 
such securities.\36\ Accordingly, the SCI systems of an SCI entity may 
include systems pertaining to any type of security, whether those 
securities are NMS stocks, over-the-counter (OTC) equity securities, 
listed options, debt securities, security-based swaps (``SBS''), crypto 
asset securities,\37\ or another type of security.\38\
---------------------------------------------------------------------------

    \36\ The current definition of ``SCI systems,'' includes the 
clause, ``with respect to securities,'' without limitation. SCI 
systems ``means all computer, network, electronic, technical, 
automated, or similar systems of, or operated by or on behalf of, an 
SCI entity that, with respect to securities, directly support 
trading, clearance and settlement, order routing, market data, 
market regulation, or market surveillance.'' See 17 CFR 242.1000 
(emphasis added). But see infra section III.A.2.b.iv (discussing the 
proposed limitation to the definition of SCI systems for certain SCI 
broker-dealers).
    \37\ The term ``digital asset'' refers to an asset that is 
issued and/or transferred using distributed ledger or blockchain 
technology (``distributed ledger technology''), including, but not 
limited to, so-called ``virtual currencies,'' ``coins,'' and 
``tokens.'' See Custody of Digital Asset Securities by Special 
Purpose Broker-Dealers, Securities Exchange Act Release No. 90788 
(Dec. 23, 2020), 86 FR 11627, 11627 n.1 (Feb. 26, 2021) (``Crypto 
Asset Securities Custody Release''). A digital asset may or may not 
meet the definition of a ``security'' under the Federal securities 
laws. See, e.g., Report of Investigation Pursuant to Section 21(a) 
of the Securities Exchange Act of 1934: The DAO, Securities Exchange 
Act Release No. 81207 (July 25, 2017) (``DAO 21(a) Report''), 
available at https://www.sec.gov/litigation/investreport/34-81207.pdf. See also SEC v. W.J. Howey Co., 328 U.S. 293 (1946). To 
the extent digital assets rely on cryptographic protocols, these 
types of assets also are commonly referred to as ``crypto assets,'' 
and ``digital asset securities'' can be referred to as ``crypto 
asset securities.'' For purposes of this release, the Commission 
does not distinguish between the terms ``digital asset securities'' 
and ``crypto asset securities.''
    \38\ Today, under the current definition of SCI systems, an SCI 
entity (current or future) that engages in market functions for any 
type of securities, including crypto asset securities, is required 
to assess whether the technological systems of, or operated by or on 
its behalf, with respect to securities, directly support at least 
one of six market functions: (i) trading; (ii) clearance and 
settlement; (iii) order routing; (iv) market data; (v) market 
regulation; or (vi) market surveillance. As discussed below, 
however, the Commission is proposing an amendment to the definition 
of SCI systems that would limit its scope solely for certain 
proposed SCI broker-dealers. See infra section III.A.2.b.iv.
---------------------------------------------------------------------------

2. Reasonably Designed Policies and Procedures
    The foundational principles of Regulation SCI are set forth in Rule 
1001, which requires each SCI entity to establish, maintain, and 
enforce written policies and procedures reasonably designed to ensure 
that its SCI systems and, for purposes of security standards, indirect 
SCI systems, have levels of capacity, integrity, resiliency, 
availability, and security adequate to maintain their operational 
capability and promote the maintenance of fair and orderly markets.\39\ 
Rule 1001(a)(2) of Regulation SCI requires that, at a minimum, such 
policies and procedures include: current and future capacity planning; 
periodic stress testing; systems development and testing methodology; 
reviews and testing to identify vulnerabilities; business continuity 
and disaster recovery planning (inclusive of backup systems that are 
geographically diverse and designed to meet specified recovery time 
objectives); standards for market data collection, processing, and 
dissemination; and monitoring to identify potential systems 
problems.\40\ Under 17 CFR 242.1001(a)(3) (``Rule 1001(a)(3)'' of 
Regulation SCI), SCI entities must periodically review the 
effectiveness of these policies and procedures and take prompt action 
to remedy any deficiencies.\41\ Rule 1001(a)(4) of Regulation SCI 
provides that an SCI entity's policies and procedures will be deemed to 
be reasonably designed if they are consistent with ``current SCI 
industry standards,'' which is defined to be comprised of information 
technology practices that are widely available to information 
technology professionals in the financial sector and issued by an 
authoritative body that is a U.S. governmental entity or agency, 
association of U.S. governmental entities or agencies, or widely 
recognized organization; however, Rule 1001(a)(4) of Regulation SCI 
also makes clear that compliance with such ``current SCI industry 
standards'' is not the exclusive means to comply with these 
requirements.\42\
---------------------------------------------------------------------------

    \39\ See 17 CFR 242.1001(a)(1).
    \40\ See 17 CFR 242.1001(a)(2).
    \41\ See 17 CFR 242.1001(a)(3).
    \42\ See 17 CFR 242.1001(a)(4).
---------------------------------------------------------------------------

    Under 17 CFR 242.1001(b)(1) (``Rule 1001(b)(1)'' of Regulation 
SCI), each SCI entity is required to establish, maintain,

[[Page 23151]]

and enforce written policies and procedures reasonably designed to 
ensure that its SCI systems operate in a manner that complies with the 
Exchange Act and the rules and regulations thereunder and the entity's 
rules and governing documents, as applicable, and the rule specifies 
certain minimum requirements for such policies and procedures.\43\ In 
addition, 17 CFR 242.1001(b)(2) (``Rule 1001(b)(2)'') requires that, at 
a minimum, these policies and procedures include: testing of all SCI systems 
and any changes to SCI systems prior to implementation; a system of 
internal controls over changes to SCI systems; a plan for assessments 
of the functionality of SCI systems designed to detect systems 
compliance issues, including by ``responsible SCI personnel'' (defined 
below) and by personnel familiar with applicable provisions of the 
Exchange Act and the rules and regulations thereunder and the SCI 
entity's rules and governing documents; and a plan of coordination and 
communication between regulatory and other personnel of the SCI entity, 
including by responsible SCI personnel, regarding SCI systems design, 
changes, testing, and controls designed to detect and prevent systems 
compliance issues.\44\
---------------------------------------------------------------------------

    \43\ See 17 CFR 242.1001(b)(1).
    \44\ See 17 CFR 242.1001(b)(2).
---------------------------------------------------------------------------

    Under 17 CFR 242.1001(b)(3) (``Rule 1001(b)(3)'' of Regulation 
SCI), SCI entities must periodically review the effectiveness of these 
policies and procedures and take prompt action to remedy any 
deficiencies.\45\ Under 17 CFR 242.1001(b)(4) (``Rule 1001(b)(4)'' of 
Regulation SCI), individuals are provided with a safe harbor from 
liability under Rule 1001(b) if certain conditions are met.\46\
---------------------------------------------------------------------------

    \45\ See 17 CFR 242.1001(b)(3).
    \46\ See 17 CFR 242.1001(b)(4).
---------------------------------------------------------------------------

    Further, 17 CFR 242.1001(c) (``Rule 1001(c)'' of Regulation SCI), 
requires SCI entities to establish, maintain, and enforce reasonably 
designed written policies and procedures that include the criteria for 
identifying responsible SCI personnel, the designation and 
documentation of responsible SCI personnel, and escalation procedures 
to quickly inform responsible SCI personnel of potential SCI 
events.\47\ Rule 1000 of Regulation SCI defines ``responsible SCI 
personnel'' to mean, for a particular SCI system or indirect SCI system 
impacted by an SCI event, such senior manager(s) of the SCI entity 
having responsibility for such system, and their designee(s).\48\ Rule 
1000 also defines ``SCI event'' to mean an event at an SCI entity that 
constitutes a systems disruption, a systems compliance issue, or a 
systems intrusion.\49\ Under 17 CFR 242.1001(c)(2) (``Rule 1001(c)(2)'' 
of Regulation SCI), SCI entities are required periodically to review 
the effectiveness of these policies and procedures and take prompt 
action to remedy any deficiencies.\50\
---------------------------------------------------------------------------

    \47\ See 17 CFR 242.1001(c).
    \48\ 17 CFR 242.1000.
    \49\ Id.
    \50\ See 17 CFR 242.1001(c)(2).
---------------------------------------------------------------------------

3. SCI Events
    Under Rule 1002 of Regulation SCI, SCI entities have certain 
obligations regarding SCI events. An ``SCI event'' is defined as: (i) a 
``systems disruption,'' which is an event in an SCI entity's SCI 
systems that disrupts, or significantly degrades, the normal operation 
of an SCI system; and/or (ii) a ``systems intrusion,'' which is any 
unauthorized entry into the SCI systems or indirect SCI systems of an 
SCI entity; and/or (iii) a ``systems compliance issue,'' which is an 
event at an SCI entity that has caused any SCI system of such entity to 
operate in a manner that does not comply with the Exchange Act and the 
rules and regulations thereunder or the entity's rules or governing 
documents, as applicable.\51\
---------------------------------------------------------------------------

    \51\ See 17 CFR 242.1000.
---------------------------------------------------------------------------

    When any responsible SCI personnel has a reasonable basis to 
conclude that an SCI event has occurred, the SCI entity must begin to 
take appropriate corrective action which must include, at a minimum, 
mitigating potential harm to investors and market integrity resulting 
from the SCI event and devoting adequate resources to remedy the SCI 
event as soon as reasonably practicable.\52\ With limited 
exceptions,\53\ Rule 1002(b) provides the framework for notifying the 
Commission of SCI events including, among other things, requirements 
to: notify the Commission of the event immediately; provide a written 
notification on Form SCI within 24 hours that includes a description of 
the SCI event and the system(s) affected, with other information 
required to the extent available at the time; provide regular updates 
regarding the SCI event until the event is resolved; and submit a final 
detailed written report regarding the SCI event.\54\
---------------------------------------------------------------------------

    \52\ See 17 CFR 242.1002(a).
    \53\ See 17 CFR 242.1002(b)(5) (relating to the exception for de 
minimis SCI events).
    \54\ See 17 CFR 242.1002(b).
---------------------------------------------------------------------------

    Rule 1002(c) of Regulation SCI also requires that SCI entities 
disseminate information to their members or participants regarding SCI 
events.\55\ These information dissemination requirements are scaled 
based on the nature and severity of an event. SCI entities are required 
to disseminate certain information about the event to certain of their 
members or participants (i.e., those that are reasonably estimated to 
have been affected) promptly after any responsible SCI personnel has a 
reasonable basis to conclude that an SCI event has occurred. For 
``major SCI events,'' such dissemination must be made to all of their 
members or participants. In addition, dissemination of information to 
members or participants is permitted to be delayed for systems 
intrusions if such dissemination would likely compromise the security 
of the SCI entity's systems or an investigation of the intrusion.\56\ 
In addition, 17 CFR 242.1002(c)(4) (``Rule 1002(c)(4)'' of Regulation 
SCI) provides exceptions to the dissemination requirements under Rule 
1002(c) of Regulation SCI for SCI events to the extent they relate to 
market regulation or market surveillance systems or SCI events that 
have had, or the SCI entity reasonably estimates would have, either a 
de minimis or no impact on the SCI entity's operations or on market 
participants.\57\
---------------------------------------------------------------------------

    \55\ See 17 CFR 242.1002(c).
    \56\ See id. The rule also requires that the SCI entity document 
its reasons for delayed notification. Id.
    \57\ See 17 CFR 242.1002(c)(4).
---------------------------------------------------------------------------

4. Systems Changes and SCI Review
    Under 17 CFR 242.1003(a) (``Rule 1003(a)'' of Regulation SCI), SCI 
entities are required to provide reports to the Commission relating to 
system changes, including a report each quarter describing completed, 
ongoing, and planned material changes to their SCI systems and the 
security of indirect SCI systems, during the prior, current, and 
subsequent calendar quarters, including the dates or expected dates of 
commencement and completion.\58\ Rule 1003(b) of Regulation SCI also 
requires that an SCI entity conduct an ``SCI review'' not less than 
once each calendar year.\59\ ``SCI review'' is defined in Rule 1000 of 
Regulation SCI to mean a review, following established procedures and 
standards, that is performed by objective personnel having appropriate 
experience to conduct reviews of SCI systems and indirect SCI systems, 
and which review contains: a risk assessment with respect to such 
systems of an SCI entity; and an assessment of internal control design 
and effectiveness of its SCI systems and indirect SCI systems to 
include logical and physical security controls,

[[Page 23152]]

development processes, and information technology governance, 
consistent with industry standards.\60\ Under Rule 1003(b)(2) and (3), 
SCI entities are also required to submit a report of the SCI review to 
their senior management, and must also submit the report and any 
response by senior management to the report, to their board of 
directors, as well as to the Commission.\61\
---------------------------------------------------------------------------

    \58\ See 17 CFR 242.1003(a).
    \59\ See 17 CFR 242.1003(b).
    \60\ See 17 CFR 242.1000. Rule 1003(b)(1) of Regulation SCI also 
states that penetration test reviews of an SCI entity's network, 
firewalls, and production systems must be conducted at a frequency 
of not less than once every three years, and assessments of SCI 
systems directly supporting market regulation or market surveillance 
must be conducted at a frequency based upon the risk assessment 
conducted as part of the SCI review, but in no case less than once 
every three years. See 17 CFR 242.1003(b)(1)(i) and (ii) (``Rule 
1003(b)(1)(i) and (ii)'').
    \61\ See 17 CFR 242.1003(b)(2) and (3).
---------------------------------------------------------------------------

5. Business Continuity and Disaster Recovery Testing With Members/Participants
    Rule 1004 of Regulation SCI sets forth certain requirements for 
testing an SCI entity's business continuity and disaster recovery plans 
with its members or participants. This rule requires that, with respect 
to an SCI entity's business continuity and disaster recovery plan, 
including its backup systems, each SCI entity shall: (a) establish 
standards for the designation of those members or participants that the 
SCI entity reasonably determines are, taken as a whole, the minimum 
necessary for the maintenance of fair and orderly markets in the event 
of the activation of such plans; (b) designate members or participants 
pursuant to the standards established and require participation by such 
designated members or participants in scheduled functional and 
performance testing of the operation of such plans, in the manner and 
frequency specified by the SCI entity, provided that such frequency 
shall not be less than once every 12 months; and (c) coordinate the 
testing of such plans on an industry- or sector-wide basis with other 
SCI entities.\62\
---------------------------------------------------------------------------

    \62\ See 17 CFR 242.1004.
---------------------------------------------------------------------------

6. Recordkeeping and Other Provisions (Rules 1005-1007)
    SCI entities are required by Rule 1005 of Regulation SCI to make, 
keep, and preserve certain records related to their compliance with 
Regulation SCI.\63\ In addition, 17 CFR 242.1006 (``Rule 1006'' of 
Regulation SCI) provides for certain requirements relating to the 
electronic filing, on Form SCI, of any notification, review, 
description, analysis, or report to the Commission required to be 
submitted under Regulation SCI.\64\ Finally, 17 CFR 242.1007 (``Rule 
1007'' of Regulation SCI) requires a written undertaking when records 
required to be filed or kept by an SCI entity under Regulation SCI are 
prepared or maintained by a service bureau or other recordkeeping 
service on behalf of the SCI entity.\65\
---------------------------------------------------------------------------

    \63\ See 17 CFR 242.1005. Unlike 17 CFR 242.1005(a) (``Rule 
1005(a)'') of Regulation SCI, which relates to recordkeeping 
provisions for SCI SROs, 17 CFR 242.1005(b) (``Rule 1005(b)'') 
relates to the recordkeeping provision for SCI entities other than 
SCI SROs.
    \64\ See 17 CFR 242.1006.
    \65\ See 17 CFR 242.1007.
---------------------------------------------------------------------------

C. Overview of Proposed Amendments to Regulation SCI

    The Commission is proposing amendments to Regulation SCI that would 
expand the definition of ``SCI entity'' to include a broader range of 
key market participants in the U.S. securities market infrastructure 
and update certain provisions of Regulation SCI to take account of 
developments in the technology landscape of the markets and the 
Commission and its staff's oversight experience since the adoption of 
Regulation SCI in 2014. As discussed in section III.A, the Commission 
is proposing to expand the definition of SCI entity to include 
registered SBSDRs, registered broker-dealers exceeding a size threshold 
(``SCI broker-dealers''), and additional clearing agencies exempt from 
registration.\66\ As discussed in section III.C, the Commission is also 
proposing to update several requirements of Regulation SCI to 
acknowledge certain technology changes in the market, including 
cybersecurity and third-party provider management challenges since the 
adoption of Regulation SCI in 2014, and to account for the experience 
and insights the Commission and its staff have gained with respect to 
technology issues surrounding SCI entities and their systems. These 
include:
---------------------------------------------------------------------------

    \66\ See infra section III.A.2.a. through c. (providing a 
detailed discussion of each of these categories of entities and 
associated proposed definitions).
---------------------------------------------------------------------------

    • Amendments to Rule 1001(a) to require that an SCI entity's 
policies and procedures for SCI systems, critical SCI systems, and 
indirect SCI systems, address with specificity:
    [cir] Systems classification and life cycle management; \67\
---------------------------------------------------------------------------

    \67\ See infra section III.C.1.
---------------------------------------------------------------------------

    [cir] Management of third-party providers, including cloud service 
providers and providers of critical SCI systems; \68\
---------------------------------------------------------------------------

    \68\ See infra section III.C.2.
---------------------------------------------------------------------------

    [cir] Access controls; \69\ and
---------------------------------------------------------------------------

    \69\ See infra section III.C.3.a.
---------------------------------------------------------------------------

    [cir] Identification of current SCI industry standards, if any; 
\70\
---------------------------------------------------------------------------

    \70\ See infra section III.C.5.c.
---------------------------------------------------------------------------

    • Expansion of the definition of ``systems intrusion'' in 
Rule 1000 to include a wider range of cybersecurity events; \71\
---------------------------------------------------------------------------

    \71\ See infra section III.C.3.c.
---------------------------------------------------------------------------

    • Amendments to Rule 1002 regarding notice of systems 
intrusions to the Commission and affected persons; \72\
---------------------------------------------------------------------------

    \72\ See infra section III.C.3.c.
---------------------------------------------------------------------------

    • Amendments to the definition of ``SCI review'' and Rule 
1003(b) to specify in greater detail the contents of the SCI review and 
associated report, and to require annual penetration testing; \73\
---------------------------------------------------------------------------

    \73\ See infra sections III.C.3.b and III.C.4.
---------------------------------------------------------------------------

    • Amendments to Rule 1004 to require that SCI entities 
designate key third-party providers for participation in annual 
business continuity/disaster recovery testing; \74\
---------------------------------------------------------------------------

    \74\ See infra section III.C.2.d.
---------------------------------------------------------------------------

    • Amendments to Rule 1001(a)(4) to address how an SCI entity 
may avail itself of the safe harbor provision; \75\
---------------------------------------------------------------------------

    \75\ See infra section III.C.5.
---------------------------------------------------------------------------

    • Amendments to Rule 1005 to address the maintenance of 
records by a former SCI entity; and
    • Changes to Form SCI consistent with the proposed 
changes.\76\
---------------------------------------------------------------------------

    \76\ See infra section III.C.6.
---------------------------------------------------------------------------

    The amendments to Regulation SCI are proposed independently of the 
proposals discussed in the Exchange Act Cybersecurity Proposal and 
Regulation S-P 2023 Proposing Release. However, the relationship of all 
three proposals, as each may apply to an SCI entity, is discussed in 
section III.D.

III. Proposed Amendments to Regulation SCI

A. Definition of SCI Entity

1. Evolution: Current and Proposed SCI Entities
    Currently, SCI entities are the SCI SROs, SCI ATSs, plan 
processors, certain exempt clearing agencies, and, as of 2020, SCI 
competing consolidators.\77\ In 2013, the Commission proposed to 
include other entities: specifically, ATSs trading corporate debt or 
municipal securities (hereafter, ``Fixed Income ATSs'') exceeding 
specified volume thresholds.\78\ The Commission did not include any 
Fixed Income ATSs as SCI entities at adoption in 2014, however, based 
on consideration of comments regarding the risk profile of Fixed

[[Page 23153]]

Income ATSs at that time.\79\ In 2013, the Commission also solicited 
comment on the inclusion of several other types of entities, including 
SBSDRs and broker-dealers (beyond SCI ATSs).\80\ At adoption in 2014, 
comments regarding these and other entities were summarized, with 
specific proposals deferred for possible future consideration.\81\ In 
sum, the Commission stated in 2014 that it was neither limiting the 
applicability of Regulation SCI to only the most systemically important 
entities as urged by some commenters, nor taking a broad approach at 
the outset, but rather that it was taking a ``measured'' approach in 
establishing the initial scope of SCI entities.\82\ Since the initial 
adoption of Regulation SCI, the Commission has considered expansion of 
the definition of SCI entity several times: first to propose and adopt 
certain competing consolidators as SCI entities,\83\ and more recently 
to propose and repropose adding ATSs that trade U.S. Treasury 
Securities or Agency Securities exceeding specified volume thresholds 
(``Government Securities ATSs'') as SCI entities.\84\
---------------------------------------------------------------------------

    \77\ See supra notes 27-29 and accompanying text; infra note 83 
and accompanying text.
    \78\ See SCI Proposing Release, supra note 14, at 18097.
    \79\ See SCI Adopting Release, supra note 1, at 72270, 72409 
(discussing determination not to apply Regulation SCI to ATSs 
trading only corporate debt and municipal securities at that time).
    \80\ See SCI Proposing Release, supra note 14, at 18133-41. The 
Commission also solicited comment on the inclusion of security-based 
swap execution facilities (``SB SEFs''), which entities are now the 
subject of another proposal. See Rules Relating to Security-Based 
Swap Execution and Registration and Regulation of Security-Based 
Swap Execution Facilities, Release No. 94615 (Apr. 6, 2022), 87 FR 
28872 (May 11, 2022) (proposing that SB SEFs be subject to 17 CFR 
242.800 through 242.835 (``Regulation SE'') which includes 
operational capability requirements closely modeled on a detailed 
CFTC rule for SEFs (17 CFR 37.1401)). SB SEFs are not further 
discussed herein.
    \81\ See SCI Adopting Release, supra note 1, at 72364-66 
(contemplating possible future proposals).
    \82\ See SCI Adopting Release, supra note 1, at 72259 (stating 
that this measured approach would enable the Commission to ``monitor 
and evaluate the implementation of Regulation SCI, the risks posed 
by the systems of other market participants, and the continued 
evolution of the securities markets, such that it may consider, in 
the future, extending the types of requirements in Regulation SCI to 
additional categories of [key] market participants . . . .'').
    \83\ See Market Data Infrastructure Adopting Release, supra note 
24, at 18659-18676.
    \84\ See Securities Exchange Act Release Nos. 90019 (Sept. 28, 
2020), 85 FR 87106 (Dec. 31, 2020) (``Government Securities ATS 
Proposing Release''); 94062 (Jan. 26, 2022), 87 FR 15496 (Mar. 18, 
2022) (``Government Securities ATS Reproposal'') (among other 
things, citing operational similarities between Government 
Securities ATSs and NMS stock ATSs). In the Government Securities 
ATS Reproposal, the Commission proposed amendments to 17 CFR 240.3b-
16(a) (``Rule 3b-16(a)'' of the Exchange Act), which defines certain 
terms used in the statutory definition of ``exchange'' under section 
3(a)(1) of the Exchange Act, to include systems that offer the use 
of non-firm trading interest and provide communication protocols to 
bring together buyers and sellers of securities. Trading systems 
that may fall within the criteria of proposed 17 CFR 240.3b-16 
(``Rule 3b-16''), as proposed to be amended, would likely operate as 
ATSs, and possibly SCI ATSs. Because the proposed amendments to Rule 
3b-16(a) could result in a greater number of ATSs, and the 
amendments proposed to expand and update SCI could impact newly 
designated ATSs, commenters are encouraged to review both the 
Government Securities ATS Reproposal and this proposal to determine 
whether it might affect their comments on this proposal, as well as 
their responses to the Commission's request for comment on 
application of Regulation SCI to Fixed Income ATS contained herein.
---------------------------------------------------------------------------

    The Commission now proposes a further expansion of the definition 
of SCI entity to include SBSDRs, certain registered broker-dealers 
(i.e., SCI broker-dealers), and additional clearing agencies exempted 
from registration. The Commission also solicits comment on whether, in 
light of technological changes in the fixed income markets in recent 
years, Fixed Income ATSs should again be proposed to be subject to 
Regulation SCI, rather than 17 CFR 240.301(b)(6) (``Rule 301(b)(6)'' of 
Regulation ATS), and also whether and how broker-dealers trading 
corporate debt and municipal securities should be considered.\85\
---------------------------------------------------------------------------

    \85\ Currently, Rule 301(b)(6) of Regulation ATS applies to 
Fixed Income ATSs exceeding a volume threshold. Under Rule 
301(b)(6), an ATS that trades only municipal securities or corporate 
debt at a threshold of 20% or more of the average daily volume 
traded in the United States, during at least four of the preceding 
six calendar months, is required to comply with capacity, integrity, 
and security requirements with respect to those systems that support 
order entry, order routing, order execution, transaction reporting, 
and trade comparison. See 17 CFR 242.301(b)(6). As discussed further 
below, the amendments proposed in this release do not include 
amendments to modify the numerical volume thresholds or to otherwise 
modify Rule 301(b)(6) of Regulation ATS, or move systems 
requirements for Fixed Income ATSs from Regulation ATS to Regulation 
SCI. The Commission does, however, request comment on the state of 
electronic trading and automation in the corporate debt and 
municipal securities markets, as well as the risks associated with 
entities with significant activity in these markets. See infra 
section III.B.
---------------------------------------------------------------------------

2. New Proposed SCI Entities
    When it adopted Regulation SCI, the Commission acknowledged that 
there may be other categories of entities not included in the 
definition of SCI entity that, given their increasing size and 
importance, could pose risks to the market should an SCI event occur, 
but decided to include only certain key market participants at that 
time.\86\ The Commission proposes to expand the definition of SCI 
entity to include SBSDRs, certain types of broker-dealers, and 
additional clearing agencies exempted from registration as additional 
key market participants that would also have to comply with Regulation 
SCI because they play a significant role in the U.S. securities markets 
and/or have the potential to impact investors, the overall market, or 
the trading of individual securities in the event of a systems issue. 
If this amendment is adopted, these new SCI entities would become 
subject to all provisions of Regulation SCI, including the provisions 
proposed to be amended as discussed in section III.C of this release.
---------------------------------------------------------------------------

    \86\ See SCI Adopting Release, supra note 1, at 72259. See also 
supra note 82 and accompanying text.
---------------------------------------------------------------------------

a. Registered Security-Based Swap Data Repositories (SBSDRs)
    The Commission proposes to expand the application of Regulation SCI 
to SBSDRs. As registered securities information processors that 
disseminate market data and provide price transparency in the SBS 
market, and centralized trade repositories for SBS data for use by 
regulators, SBSDRs play a key role in the SBS market.\87\
---------------------------------------------------------------------------

    \87\ Rule 1000 would define the term registered security-based 
swap data repository to mean ``a security-based swap data 
repository, as defined in 15 U.S.C. 78c(a)(75), and that is 
registered with the Commission pursuant to 15 U.S.C. 78m(n) and 
§ 240.13n-1,'' with a proviso that compliance with Regulation 
SCI would not be required until six months after the entity's 
registration is effective. See proposed Rule 1000.
---------------------------------------------------------------------------

    As noted, the Commission solicited comment on the inclusion of 
SBSDRs as SCI entities when it first proposed Regulation SCI in 
2013.\88\ At that time, the Commission anticipated that SBSDRs would 
``play an important role in limiting systemic risk and promoting the 
stability of the SBS market [and] also would serve as information 
disseminators in a manner similar to plan processors in the equities 
and options markets.'' \89\ But it also acknowledged that there may be 
differences between the equities and options markets and the SBS 
market, ``including differing levels of automation and stages of 
regulatory development.'' \90\
---------------------------------------------------------------------------

    \88\ See supra text accompanying note 80.
    \89\ SCI Proposing Release, supra note 14, at 18135 (citation 
omitted).
    \90\ Id.
---------------------------------------------------------------------------

    Comments received on the inclusion of SBSDRs as SCI entities in the 
SCI Proposing Release were limited. One commenter stated that ``the 
similarities between certain SCI entities and SB SDRs . . . do not 
provide a clear justification for a different set of rules.'' \91\ 
Another commenter stated that SBSDRs should have standards that are 
consistent with, but not identical to, those of SCI entities because 
the

[[Page 23154]]

functions that SBSDRs perform are significantly different from those 
performed by SCI entities.\92\ Other commenters, however, felt the 
practical differences between options and equities and derivatives 
called for some form of harmonization of rules, but not direct 
application of Regulation SCI to these entities.\93\ The Commission 
deferred and stated in the SCI Adopting Release that, ``should [it] 
decide to propose to apply the requirements of Regulation SCI to SB 
SDRs [it] would issue a separate release discussing such a proposal.'' 
\94\ Taking into account the role of SBSDRs in the SBS market, their 
reliance on technology to perform their functions, and the current 
state of regulatory development in the SBS market, the Commission is 
doing so now.
---------------------------------------------------------------------------

    \91\ SCI Adopting Release, supra note 1, at 72364.
    \92\ See id.
    \93\ See id.
    \94\ SCI Adopting Release, supra note 1, at 72364; SCI Proposing 
Release, supra note 14, at 18134.
---------------------------------------------------------------------------

i. Role of SBSDRs and Associated Risks
    Title VII of the Dodd-Frank Act, enacted in 2010, provided for a 
comprehensive, new regulatory framework for swaps and security-based 
swaps, including regulatory reporting and public dissemination of 
transactions in security-based swaps.\95\ In 2015, the Commission 
established a regulatory framework for SBSDRs to provide improved 
transparency to regulators and help facilitate price discovery and 
efficiency in the SBS market.\96\ Under this framework, SBSDRs are 
registered securities information processors and disseminators of 
market data in the SBS market,\97\ thereby serving Title VII's goal of 
having public dissemination of price information for all security-based 
swaps, to enhance price discovery for market participants.\98\ Like 
FINRA's Trade Reporting and Compliance Engine (``TRACE'') and the 
MSRB's Electronic Municipal Market Access (``EMMA''),\99\ SBSDRs serve 
an important function for market participants because they disseminate 
market data, thereby providing price transparency in the SBS 
market.\100\ Just as TRACE and EMMA provide price transparency to 
market participants and regulatory information to regulators, SBSDRs 
are designed to meet two purposes as mandated by Title VII of the Dodd-
Frank Act: (1) to provide SBS data and information to regulators to 
surveil the markets and assess for market risks; and (2) to enhance 
price discovery to market participants.\101\ As discussed in detail 
below, given that SBSDRs rely on automated systems and are designed to 
limit systemic risk and promote the stability of the markets they 
serve, the Commission believes that including SBSDRs in the definition 
of SCI entities would better ensure that SBSDR systems are robust, 
resilient, and secure. Additionally, this approach is reasonable and 
consistent as other entities that play a key price transparency role in 
their respective markets, such as plan processors, SCI competing 
consolidators, FINRA and the MSRB, are SCI entities, and their systems 
that directly support market data, among other functions, are currently 
SCI systems.\102\
---------------------------------------------------------------------------

    \95\ Public Law 111-203, section 761(a) (adding Exchange Act 
section 3(a)(75) (defining SBSDR)) and section 763(i) (adding 
Exchange Act section 13(n) (establishing a regulatory regime for 
SBSDRs)).
    \96\ See Security-Based Swap Data Repository Registration, 
Duties, and Core Principles, Securities Exchange Act Release No. 
74246 (Feb. 11, 2015), 80 FR 14438, 14441 (Mar. 19, 2015) (``SBSDR 
Adopting Release''); Regulation SBSR--Reporting and Dissemination of 
Security-Based Swap Information, Securities Exchange Act Release No. 
74244 (Feb. 11, 2015), 80 FR 14563 (Mar. 19, 2015) (``SBSR Adopting 
Release'').
    \97\ See 17 CFR 242.909 (``A registered security-based swap data 
repository shall also register with the Commission as a securities 
information processor on Form SDR.''); see also Form SDR (``With 
respect to an applicant for registration as a security-based swap 
data repository, Form SDR also constitutes an application for 
registration as a securities information processor.'').
    \98\ See, e.g., SBSR Adopting Release, supra note 96, at 14604-
05.
    \99\ FINRA members are subject to transaction reporting 
obligations under FINRA Rule 6730, while municipal securities 
dealers are subject to transaction reporting obligations under MSRB 
Rule G-14. See FINRA Rule 6730(a)(1) (requiring FINRA members to 
report transactions in TRACE-Eligible Securities, which FINRA Rule 
6710 defines to include a range of fixed-income securities). See 
also MSRB Rule G-14 (requiring transaction reporting by municipal 
bond dealers). EMMA, established by the MSRB in 2009, serves as the 
official repository of municipal securities disclosure providing the 
public with free access to relevant municipal securities data, and 
is the central database for information about municipal securities 
offerings, issuers, and obligors. Additionally, the MSRB's Real-Time 
Transaction Reporting System (``RTRS''), with limited exceptions, 
requires municipal bond dealers to submit transaction data to the 
MSRB within 15 minutes of trade execution, and such near real-time 
post-trade transaction data can be accessed through the MSRB's EMMA 
website.
    \100\ See Committee on Payment and Settlement Systems and 
Technical Committee of the International Organization of Securities 
Commissions, Principles for financial market infrastructures, at 
1.14, Box 1 (Apr. 16, 2012) (``PFMI''), available at 
https://www.bis.org/publ/cpss101a.pdf (stating that ``[a] TR [trade 
repository] may serve a number of stakeholders that depend on having 
effective access to TR services, both to submit and retrieve data. 
In addition to relevant authorities and the public, other 
stakeholders can include exchanges, electronic trading venues, 
confirmation or matching platforms, and third-party service 
providers that use TR data to offer complementary services.'').
    \101\ See, e.g., SBSR Adopting Release, supra note 96, at 14604-
05.
    \102\ See SBSDR Adopting Release, supra note 96.
---------------------------------------------------------------------------

    As centralized repositories for SBS data for use by regulators, 
SBSDRs provide important infrastructure that assists relevant 
authorities in performing their market oversight.\103\ Data maintained 
by SBSDRs may assist regulators in preventing market abuses, performing 
supervision, and resolving issues and positions if an institution 
fails.\104\ SBSDRs are required to collect and maintain accurate SBS 
transaction data so that relevant authorities can access and analyze 
the data from secure, central locations, thereby putting the regulators 
in a better position to monitor for potential market abuse and risks to 
financial stability.\105\ SBSDRs also have the potential to reduce 
operational risk and enhance operational efficiency, such as by 
maintaining transaction records that would help counterparties to 
ensure that their records reconcile on all of the key economic 
details.\106\
---------------------------------------------------------------------------

    \103\ See generally PFMI, supra note 100, at 1.14 (stating that 
``[b]y centralising the collection, storage, and dissemination of 
data, a well-designed TR that operates with effective risk controls 
can serve an important role in enhancing the transparency of 
transaction information to relevant authorities and the public, 
promoting financial stability, and supporting the detection and 
prevention of market abuse.'').
    \104\ See Security-Based Swap Data Repository Registration, 
Duties, and Core Principles, Exchange Act Release No. 63347 (Nov. 
19, 2010), 75 FR 77306, 77307 (Dec. 10, 2010), corrected at 75 FR 
79320 (Dec. 20, 2010) and 76 FR 2287 (Jan. 13, 2011) (``SBSDR 
Proposing Release'').
    \105\ See SBSDR Adopting Release, supra note 96, at 14440 
(stating that ``SDRs are required to collect and maintain accurate 
SBS transaction data so that relevant authorities can access and 
analyze the data from secure, central locations, thereby putting 
them in a better position to monitor for potential market abuse and 
risks to financial stability.'').
    \106\ See SBSDR Proposing Release, supra note 104, at 77307 
(stating that ``[t]he enhanced transparency provided by an SDR is 
important to help regulators and others monitor the build-up and 
concentration of risk exposures in the SBS market . . . . In 
addition, SDRs have the potential to reduce operational risk and 
enhance operational efficiency in the SBS market.'').
---------------------------------------------------------------------------

    Furthermore, SBSDRs themselves are subject to certain operational 
risks that may impede the ability of SBSDRs to meet the goals set out 
in Title VII of the Dodd-Frank Act and the Commission's rules.\107\ For 
instance, the links established between an SBSDR and other entities, 
including unaffiliated clearing agencies and other SBSDRs, may expose 
the SBSDR to vulnerabilities outside of its direct control.\108\ 
Without appropriate

[[Page 23155]]

safeguards in place for the systems of SBSDRs, their vulnerabilities 
could lead to significant failures, disruptions, delays, and 
intrusions, which could disrupt price transparency and oversight of the 
SBS market. For instance, an SBSDR processes and disseminates trade 
data using electronic systems, and if these systems fail, public access 
to timely and reliable trade data for the derivatives markets could 
potentially be compromised.\109\ Also, if the data stored at an SBSDR 
is corrupted, the SBSDR would not be able to provide accurate data to 
relevant regulatory authorities, which could hinder the oversight of 
the derivatives markets. Moreover, because SBSDRs receive and maintain 
proprietary and sensitive information (e.g., trading data, non-public 
personal information), it is essential that their systems be capable of 
ensuring the security and integrity of this data.
---------------------------------------------------------------------------

    \107\ See SBSDR Adopting Release, supra note 96 at 14450 (``SDRs 
themselves are subject to certain operational risks that may impede 
the ability of SDRs to meet these goals, and the Title VII 
regulatory framework is intended to address these risks.'').
    \108\ See PFMI, supra note 100, at 3.20.20 (stating that ``A TR 
should carefully assess the additional operational risks related to 
its links to ensure the scalability and reliability of IT 
[information technology] and related resources. A TR can establish 
links with another TR or with another type of FMI. Such links may 
expose the linked FMIs to additional risks if not properly designed. 
Besides legal risks, a link to either another TR or to another type 
of FMI may involve the potential spillover of operational risk. The 
mitigation of operational risk is particularly important because the 
information maintained by a TR can support bilateral netting and be 
used to provide services directly to market participants, service 
providers (for example, portfolio compression service providers), 
and other linked FMIs.'').
    \109\ See PFMI, supra note 100, at 1.14, Box 1 (stating that 
``[t]he primary public policy benefits of a TR, which stem from the 
centralisation and quality of the data that a TR maintains, are 
improved market transparency and the provision of this data to 
relevant authorities and the public in line with their respective 
information needs. Timely and reliable access to data stored in a TR 
has the potential to improve significantly the ability of relevant 
authorities and the public to identify and evaluate the potential 
risks posed to the broader financial system.'').
---------------------------------------------------------------------------

    Along with the reliance of SBSDRs on automated systems to perform 
their functions, regulatory development of the SBS market has proceeded 
significantly since 2015. In particular, security-based swap dealers 
have registered with the Commission,\110\ SBSDRs have registered with 
the Commission,\111\ security-based swap execution facilities 
(``SBSEF'') registration has been proposed,\112\ and straight-through 
processing has increased in the market.\113\ On November 8, 2021, SBS 
data began being reported to SBSDRs, which in turn began disseminating 
such data to the Commission and the public.\114\ In light of the 
important role of SBSDRs in the markets for security-based swaps, their 
level of automation, and the regulatory development of the SBS market 
in recent years, the Commission believes it is timely to propose 
enhanced requirements for registered SBSDRs with respect to their 
technology systems that are central to the performance of their 
regulated activities.
---------------------------------------------------------------------------

    \110\ See List of Security-Based Swap Dealers and Major 
Security-Based Swap Participants, Commission (last updated Jan. 4, 
2023), available at: https://www.sec.gov/files/list_of_sbsds_msbsps_1_4_2023locked_final.xlsx.
    \111\ The Commission approved the registration of two SBSDRs in 
2021. See Security-Based Swap Data Repositories, DTCC Data 
Repository (U.S.), LLC, Order Approving Application for Registration 
as a Security-Based Swap Data Repository, Securities Exchange Act 
Release No. 91798 (May 7, 2021), 86 FR 26115 (May 12, 2021); 
Security-Based Swap Data Repositories, ICE Trade Vault, LLC, Order 
Approving Application for Registration as a Security-Based Swap Data 
Repository, Securities Exchange Act Release No. 92189 (Jun. 16, 
2021), 86 FR 32703 (Jun. 22, 2021).
    \112\ See Rules Relating to Security-Based Swap Execution and 
Registration and Regulation of Security-Based Swap Execution 
Facilities, Securities Exchange Act Release No. 94615 (Apr. 6, 
2022), 87 FR 28872 (May 11, 2022).
    \113\ See, e.g., Security-Based Swap Data Repositories, DTCC 
Data Repository (U.S.), LLC, Notice of Filing of Application for 
Registration as a Security-Based Swap Data Repository, Securities 
Exchange Act Release No. 91071 (Feb. 5, 2021), 86 FR 8977 (Feb. 10, 
2021) (``[T]he SDR process is an end-to-end straight through 
process; from the receipt of data, processing and maintenance of 
data, and dissemination of data, processes are automated and do not 
require manual intervention.'').
    \114\ See SEC Approves Registration of First Security-Based Swap 
Data Repository; Sets the First Compliance Date for Regulation SBSR, 
Press Release, Commission (May 7, 2021), available at: https://www.sec.gov/news/press-release/2021-80.
---------------------------------------------------------------------------

ii. Current Regulation
    The Commission believes the current technology regulation framework 
for SBSDRs should be strengthened. SBSDR technology regulation is 
currently governed by 17 CFR 240.13n-6 (``Rule 13n-6''), a broad, 
principles-based operational risk rule,\115\ which the Commission 
adopted in 2015 when regulatory development of the SBS market was still 
nascent and SBSDRs were not yet registered with the Commission under 17 
CFR 240.13n-1 (``Rule 13n-1'').\116\ Additionally, Rule 13n-6 was 
adopted shortly after the adoption of Regulation SCI, with 
modifications that did not include some of the more detailed proposed 
requirements.\117\ As a result, the two currently registered SBSDRs 
(which are affiliated with registered clearing agencies that are 
subject to Regulation SCI) \118\ remain subject to the broad 
principles-based rule, Rule 13n-6, which is the only applicable 
operational risk requirement for SBSDRs in the Commission's current 
regulatory framework.
---------------------------------------------------------------------------

    \115\ See 17 CFR 240.13n-6.
    \116\ See SBSDR Adopting Release, supra note 96, at 14499, 14550 
(``[T]he Commission may consider the application of any features of 
Regulation SCI to SDRs in the future.''); SCI Adopting Release, 
supra note 1, at 72364.
    \117\ See SBSDR Adopting Release, supra note 96, at 14499 
(stating that ``[t]he Commission is not adopting Rule 13n-6 as 
proposed because, after proposing Rule 13n-6, the Commission 
considered the need for an updated regulatory framework for certain 
systems of the U.S. securities trading markets and adopted 
Regulation Systems Compliance and Integrity (`Regulation SCI').''). 
Specifically, the Commission stated that the rule as adopted better 
sets an appropriate core framework for the policies and procedures 
of SBSDRs with respect to automated systems and that the framework 
adopted is ``broadly consistent'' with Regulation SCI. See id. 
Therefore, the Commission declined to adopt more prescriptive 
elements of the rule as proposed, including proposed Rule 13n-6(b), 
which would have required that every security-based swap data 
repository, with respect to those systems that support or are 
integrally related to the performance of its activities: (1) 
establish, maintain, and enforce written policies and procedures 
reasonably designed to ensure that its systems provide adequate 
levels of capacity, resiliency, and security. These policies and 
procedures shall, at a minimum: (i) establish reasonable current and 
future capacity estimates; (ii) conduct periodic capacity stress 
tests of critical systems to determine such systems' ability to 
process transactions in an accurate, timely, and efficient manner; 
(iii) develop and implement reasonable procedures to review and keep 
current its system development and testing methodology; (iv) review 
the vulnerability of its systems and data center computer operations 
to internal and external threats, physical hazards, and natural 
disasters; and (v) establish adequate contingency and disaster 
recovery plans; (2) on an annual basis, submit an objective review 
to the Commission within thirty calendar days of its completion. 
Where the objective review is performed by an internal department, 
an objective, external firm shall assess the internal department's 
objectivity, competency, and work performance with respect to the 
review performed by the internal department. The external firm must 
issue a report of the objective review, which the security-based 
swap data repository must submit to the Commission on an annual 
basis, within 30 calendar days of completion of the review; (3) 
promptly notify the Commission of material systems outages and any 
remedial measures that have been implemented or are contemplated 
(prompt notification includes the following: (i) immediately notify 
the Commission when a material systems outage is detected; (ii) 
immediately notify the Commission when remedial measures are 
selected to address the material systems outage; (iii) immediately 
notify the Commission when the material systems outage is addressed; 
and (iv) submit to the Commission within five business days of the 
occurrence of the material systems outage a detailed written 
description and analysis of the outage and any remedial measures 
that have been implemented or are contemplated); and (4) notify the 
Commission in writing at least thirty calendar days before 
implementation of any planned material systems changes. See SBSDR 
Proposing Release, supra note 104, at 77370.
    \118\ The two registered SBSDRs, DTCC Data Repository (U.S.), 
LLC and ICE Trade Vault, LLC, are affiliated with the registered 
clearing agencies, Depository Trust Company and ICE Clear Credit 
LLC, respectively.
---------------------------------------------------------------------------

    Rule 13n-6 requires that SBSDRs, with respect to those systems that 
support or are integrally related to the performance of their 
activities, establish, maintain, and enforce written policies and 
procedures reasonably designed to ensure that their systems provide 
adequate levels of capacity, integrity, resiliency, availability, and

[[Page 23156]]

security.\119\ The operational risk principles underlying Rule 13n-6 
are an essential part of the rules that comprise the core framework for 
SBSDRs that the Commission established in 2015 at the opening of its 
regulatory regime governing SBSDRs. The core framework influences all 
applicable requirements relevant to SBSDRs that follow. The core 
framework not only addresses SBSDR operational risk, but also other 
SBSDR enumerated duties, including registration, market access to 
services and data, governance arrangements, conflicts of interest, data 
collection and maintenance, privacy and disclosure requirements, and 
chief compliance officers,\120\ thereby implementing the provisions of 
Exchange Act section 13(n).\121\ Therefore, the SBSDR core framework, 
of which Rule 13n-6 is a part, is different in focus and broader in scope 
than proposed Regulation SCI--as it relates to SBSDRs--which is focused 
on, among other things, protecting the security of SBSDR systems. While Rule 
13n-6 may not provide the absolute requirements relating to SBSDR 
operational risk, as the Commission's regulatory regime continues to 
evolve, Rule 13n-6 sets forth an enumerated duty for operational risk 
concerns that registered SBSDRs must address--at the time of 
registration and throughout their registration with the Commission. 
Compliance with the core principles and requirements in the SBSDR 
rules, including Rule 13n-6, is, thus, an important building block for 
better ensuring the integrity of an SBSDR's data quality upon which the 
Commission and the securities markets rely. In this regard, the 
Commission believes that Rule 13n-6 should be preserved, with the 
requirements of this proposal, if adopted, working to complement Rule 
13n-6.\122\ Specifically, the proposed requirements of Regulation SCI 
on SBSDRs would exist and operate in conjunction with Rule 13n-6 and 
would prescribe certain key features and more detailed functional 
requirements to help ensure that SBSDR market systems are robust, 
resilient, and secure.\123\
---------------------------------------------------------------------------

    \119\ See 17 CFR 240.13n-6.
    \120\ See 17 CFR 240.13n-1 through 240.13n-12; See SBSDR 
Adopting Release, supra note 96, at 14440-42.
    \121\ 15 U.S.C. 78m(n).
    \122\ When adopting Rule 13n-6, the Commission acknowledged the 
potential application of Regulation SCI provisions to SBSDRs in the 
future. See SBSDR Adopting Release, supra note 96, at 14438, 14499 
(stating that ``[c]onsistent with this approach and in recognition 
of the importance of SDRs as the primary repositories of SBS trade 
information, the Commission may consider the application of any 
features of Regulation SCI to SDRs in the future.''). Additionally, 
as guidance, the Commission stated that, in preparing their policies 
and procedures to comply with Rule 13n-6, SBSDRs may consider 
whether to incorporate aspects of Regulation SCI that may be 
appropriate for their particular implementation of Rule 13n-6. See 
id., at 14499, n.826 (stating that ``[i]n preparing their policies 
and procedures, SDRs may consider whether to incorporate aspects of 
Regulation SCI that may be appropriate for their particular 
implementation of Rule 13n-6, including where an SDR is related by 
virtue of its corporate structure to an entity subject to Regulation 
SCI.'').
    \123\ In 2014, the SEC's SBSDR regulatory framework was subject 
to a Level 2 assessment by the Bank for International Settlements' 
Committee on Payments and Market Infrastructures (``CPMI'') and the 
International Organization of Securities Commissions (``IOSCO''), 
which concluded that ``the U.S. jurisdiction has developed rules or 
proposed rules that completely and consistently implement the 
majority of Principles that are applicable to CCPs [central 
counterparties] [but that] [t]he progress of the U.S. jurisdiction 
towards completely and consistently implementing the Principles for 
[trade repositories] has been more limited.'' See CPMI-IOSCO, 
Implementation Monitoring of PFMIs: Level 2 assessment report for 
central counterparties and trade repositories--United States (Feb. 
26, 2015), available at https://www.iosco.org/library/pubdocs/pdf/IOSCOPD477.pdf. Additionally, CPMI-IOSCO issued guidance for cyber 
resilience for financial market infrastructures (``FMIs''), 
including trade repositories. See CPMI-IOSCO, Guidance on cyber 
resilience for financial market infrastructures (June 2016), 
available at https://www.iosco.org/library/pubdocs/pdf/IOSCOPD535.pdf; see also CPMI-IOSCO, Implementation monitoring of 
the PFMI: Level 3 assessment on Financial Market Infrastructures' 
Cyber Resilience (Nov. 2022), available at https://www.iosco.org/library/pubdocs/pdf/IOSCOPD723.pdf (presenting the results of an 
assessment of the state of cyber resilience (as of Feb. 2021) at 37 
FMIs from 29 jurisdictions that participated in this exercise in 
2020 to 2022).
---------------------------------------------------------------------------

    Regulation SCI, among other things, defines the scope of systems 
covered, and requires: the establishment, maintenance, and enforcement 
of written policies and procedures to ensure that SCI systems have 
levels of capacity, integrity, resiliency, availability, and security 
adequate to maintain operational capacity and promote the maintenance 
of fair and orderly markets, with minimum elements that include, among 
others, standards designed to facilitate the successful collection, 
processing, and dissemination of market data and robust business 
continuity and disaster recovery plans; policies and procedures 
designed to ensure compliance with the federal securities laws; 
corrective action and reporting and dissemination of SCI events, 
quarterly reporting of material systems changes, and an annual SCI 
review; and participation of key members in an SCI entity's business 
continuity and disaster recovery plans.
    The Commission believes that SBSDRs operate with similar complexity 
and in a similar fashion as other registered securities information 
processors that are currently subject to Regulation SCI and that they 
play an important role in the SBS market and face similar technological 
vulnerabilities as existing SCI entities, such as FINRA's TRACE and 
MSRB's EMMA. For example, were an SBSDR to experience a systems issue, 
market participants could be prevented from receiving timely 
information regarding accurate prices for individual SBSs. Given 
SBSDRs' reliance on automated systems and their dual Dodd-Frank 
mandated role of providing price transparency to market participants 
and SBS data to regulators to surveil markets to better ensure that 
systemic risk is limited and market stability is enhanced, the 
Commission believes it appropriate to include SBSDRs in the scope of 
the Regulation SCI proposal.
    Currently, there are two registered SBSDRs that would become 
subject to Regulation SCI should the Regulation SCI amendments be 
adopted.\124\
---------------------------------------------------------------------------

    \124\ See supra note 118.
---------------------------------------------------------------------------

iii. Request for Comment
    1. The Commission requests comment generally on the inclusion of 
SBSDRs as SCI entities. Is their inclusion appropriate? Why or why not? 
Please be specific and provide examples, if possible, to illustrate 
your points.
    2. Should all or some aspects of Regulation SCI apply to SBSDRs? 
Why or why not? If only a portion, please specify which portion(s) and 
explain why. If all, explain why.
    3. Are the definitions of SCI systems and indirect SCI systems 
appropriate for SBSDRs? Why or why not? Are there any systems of SBSDRs 
that should be included but would not be covered by these definitions? 
Please explain. Are there any systems of SBSDRs that should be excluded 
by these definitions? Please explain. Do SBSDRs have any systems that 
would or should be covered by the definition of critical SCI systems? 
Please explain.
    4. Is current Rule 13n-6 sufficient to govern the technology of 
SBSDRs? If not, why not? Would the Regulation SCI proposed 
requirements, together with Rule 13n-6, be sufficient to address 
operational risk concerns posed by SBSDRs? Why or why not? Should Rule 
13n-6 serve as an operational risk requirement for new SBSDR 
registrants during the first year registered with the Commission, with 
Regulation SCI proposed requirements imposed after the first year of 
registration? Why or why not? Please be specific and respond with 
examples, if possible.
    5. Given the current practices of SBSDRs, would the proposed 
Regulation SCI requirements pose unreasonable or unworkable 
difficulties

[[Page 23157]]

for them, technologically, legally, operationally, or procedurally? Why 
or why not? Please be specific and respond with examples, if possible.
    6. Should Regulation SCI distinguish among different types of 
SBSDRs such that some requirements of Regulation SCI might be 
appropriate for some SBSDRs but not others? Why or why not? If so, what 
are those distinctions and what are those requirements? For example, 
should any requirements be based on criteria such as number of 
transactions or notional volume reported to an SBSDR? If so, what would 
be an appropriate threshold for any such criteria, and why? Please be 
specific and provide examples, if possible.
    7. Because proposed Regulation SCI would include SBSDRs as ``SCI 
entities,'' SBSDRs that share systems with affiliated clearing agencies 
could be required to classify those shared systems as SCI systems of 
the SBSDR and indirect SCI systems of the clearing agency, and vice 
versa. Is this outcome appropriate? Why or why not? Please be specific 
and provide examples, if possible.
    8. Is Regulation SCI, including as proposed to be amended, 
comprehensive and robust enough to address SBSDRs that rely on third-
party providers to support core SBSDR operations? Why or why not? 
Please be specific and provide examples, if possible.
b. SCI Broker-Dealers
    The Commission further proposes to expand the application of 
Regulation SCI by including certain broker-dealers--to be referred to 
as ``SCI broker-dealers''--in the definition of SCI entity. An SCI 
broker-dealer would be a broker or dealer registered with the 
Commission pursuant to section 15(b) of the Exchange Act that exceeds 
one or more size thresholds. An SCI broker-dealer would be a broker-
dealer that meets or exceeds: (i) a total assets threshold, or (ii) one 
or more transaction activity thresholds.
    The proposed thresholds are designed to identify the largest U.S. 
broker-dealers by size, as measured in two different ways. The first is 
analysis of broker-dealer size based on total assets reported on Form 
X-17A-5 (Financial and Operational Combined Uniform Single (``FOCUS'') 
Report Part II, Item 940),\125\ which reveals the largest firms based 
on their balance sheets at a point in time, and which is a measure used 
by the Board of Governors of the Federal Reserve System (``Federal 
Reserve Board'') to calculate and provide to the public on a quarterly 
basis a measure of total assets of all security broker-dealers.\126\ 
The second is a measure of broker-dealer size using transaction 
activity to identify significant firms active in certain enumerated 
types of securities. As discussed further below, the total assets 
threshold is expressed in terms of the broker-dealer's total assets at 
specified points in time as a percentage of the ``total assets of all 
security broker-dealers'' with ``total assets of all security broker-
dealers'' being calculated and made publicly available by the Federal 
Reserve Board for the associated preceding calendar quarter, or any 
subsequent provider of such information.\127\ The trading activity 
threshold is expressed in terms of the sum of buy and sell transactions 
that the broker-dealer transacted during a specified time period as a 
percentage of reported total average daily dollar volume in one or more 
enumerated types of securities. The proposed total assets threshold is 
broadly similar to the approach banking regulators use to assess the 
appropriate capital and liquidity requirements for banks.\128\ The 
proposed transaction activity thresholds are similar to, but 
distinguishable from, the market share thresholds for SCI ATSs.\129\ 
The proposed threshold approaches in the proposed definition of SCI 
broker-dealer are designed to identify entities that play key roles in 
the U.S. securities markets due to the magnitude of their activity in 
these markets.\130\
---------------------------------------------------------------------------

    \125\ See Form X-17A-5, FOCUS Report, Part II, at 3, available 
at https://www.sec.gov/files/formx-17a-5_2_2.pdf (requiring broker-
dealers to report their total assets in Item 940).
    \126\ See infra note 127.
    \127\ For additional detail on the calculation of total assets 
of all security broker-dealers, see Z.1: Financial Accounts of the 
United States, available at https://www.federalreserve.gov/apps/fof/Guide/z1_tables_description.pdf; ((i) stating that the term 
``security broker-dealers'' refers to firms that buy and sell 
securities for a fee, hold an inventory of securities for resale, or 
do both; and firms that make up this sector are those that submit 
information to the Commission on one of two reporting forms, either 
the Financial and Operational Combined Uniform Single Report of 
Brokers and Dealers (FOCUS) or the Report on Finances and Operations 
of Government Securities Brokers and Dealers (FOGS); and (ii) 
describing the major assets of the security brokers and dealers 
sector). Currently, this information is readily accessible on the 
Federal Reserve Economic Data (``FRED'') website. See Board of 
Governors of the Federal Reserve System (US), Security Brokers and 
Dealers; Total Assets (Balance Sheet), Level [BOGZ1FL664090663Q], 
retrieved from FRED, Federal Reserve Bank of St. Louis, available 
at: https://fred.stlouisfed.org/series/BOGZ1FL664090663Q (making 
publicly available the total assets of all security brokers and 
dealers, as calculated and updated quarterly by the Federal Reserve 
Board).
    \128\ See infra notes 178-180 and accompanying text.
    \129\ See infra section III.A.b.iii.
    \130\ See infra text accompanying notes 138-142 (summarizing 
comments on the SCI Proposing Release from commenters urging that 
application of Regulation SCI to broker-dealers should be limited to 
those with substantial transaction volume or having a large 
``footprint'').
---------------------------------------------------------------------------

i. Background
    There are approximately 3,500 broker-dealers registered with the 
Commission pursuant to section 15(b) of the Exchange Act, and these 
entities encompass a broad range of sizes, business activities, and 
business models.\131\ In 2013, the Commission proposed to include 
significant volume ATSs in the definition of SCI entity but at that 
time did not propose to include any other aspects of broker-dealer 
operations.\132\ Rather, the Commission solicited comment on whether 
certain classes of broker-dealers should be covered. In particular, the 
Commission sought comment on whether Regulation SCI should apply, for 
example, to OTC market makers \133\ (either all or those

[[Page 23158]]

that execute a significant volume of orders), exchange market makers 
\134\ (either all or those that trade a significant volume on 
exchanges), order-entry firms that handle and route order flow for 
execution (either all or those that handle a significant volume of 
investor orders), clearing broker-dealers (either all or those that 
engage in a significant amount of clearing activities), and/or large 
multi-service broker-dealers that engage in a variety of order 
handling, trading, and clearing activities.\135\ Although OTC market 
makers and clearing broker-dealers were noted specifically as examples 
of categories of broker-dealers that could pose significant risk to the 
market if a large portion of the order flow they handle or process were 
disrupted due to a systems issue, the Commission broadly solicited 
commenters' views on the importance of different categories of broker-
dealers to the stability of overall securities market infrastructure 
and the risks posed by their systems.\136\
---------------------------------------------------------------------------

    \131\ This estimate is derived from information on broker-dealer 
FOCUS Report Form X-17A-5 Schedule II filings as of Dec. 31, 2021, 
as well as the third quarter of 2022. See also FINRA, 2022 FINRA 
Industry Snapshot (Mar. 2022), available at https://www.finra.org/sites/default/files/2022-03/2022-industry-snapshot.pdf. Section 
15(b)(8) of the Exchange Act prohibits any broker-dealer from 
effecting transactions in securities unless it is a member of a 
registered national securities association (i.e., FINRA) or effects 
securities transactions solely on a national securities exchange of 
which it is a member. See 15 U.S.C. 78o(b)(8); see also 17 CFR 
240.15b9-1 (``Rule 15b9-1'') (exempting proprietary trading 
dealers from section 15(b)(8)'s national securities association 
membership requirement if they are a member of a national securities 
exchange and meet certain other requirements). But see Securities 
Exchange Act Release No. 95388 (July 29, 2022), 87 FR 49930 (Aug. 
12, 2022) (proposing amendments to Exchange Act Rule 15b9-1 that 
would generally require proprietary trading firms that are 
registered broker-dealers to become a registered member of a 
national securities association (i.e., FINRA) if they effect 
securities transactions otherwise than on an exchange of which they 
are a member). See also Securities Exchange Act Release No. 94524 
(Mar. 28, 2022), 87 FR 23054 (Apr. 18, 2022) (``Dealer-Trader 
Release'') (proposing to further define ``dealer'' and ``government 
securities dealer'' to identify certain activities that would 
constitute a ``regular business'' requiring a person engaged in 
those activities to register as a ``dealer'' or a ``government 
securities dealer,'' absent an exception or exemption). Because the 
proposed amendments to further define the definition of dealer could 
result in a greater number of dealers and the amendments proposed to 
expand and update Regulation SCI could impact these newly designated 
dealers, commenters also are encouraged to review the Dealer-Trader 
Release to determine whether it might affect their comments on this 
proposal.
    \132\ See SCI Proposing Release, supra note 14, at 18138-42.
    \133\ An OTC market maker is a dealer that holds itself out as 
willing to buy and sell NMS stocks on a continuous basis in amounts 
of less than block size otherwise than on an exchange. See 17 CFR 
242.600(b)(64).
    \134\ An exchange market maker is any member of a national 
securities exchange that is registered as a specialist or market 
maker pursuant to the rules of such exchange. See 17 CFR 
242.600(b)(32).
    \135\ See SCI Proposing Release, supra note 14, at 18139-40.
    \136\ See SCI Proposing Release, supra note 14, at 18138-40 
(including questions 194-196 soliciting comment on whether and how 
to distinguish between and among categories of broker-dealers, such 
as OTC market makers, order entry firms that handle and route order 
flow for execution, clearing broker-dealers, and large multi-service 
broker-dealers that engage in a variety of order handling, trading, 
and clearing activities).
---------------------------------------------------------------------------

    As summarized in the SCI Adopting Release, commenters' views 
varied.\137\ One commenter opined that market makers and brokers or 
dealers that execute orders internally by trading as a principal or 
crossing orders as an agent and handle market share that exceeds that 
of certain SCI ATSs should be subject to Regulation SCI.\138\ Others 
stated that market makers, high frequency trading firms, or any firm 
with market access should be included, arguing that these market 
participants could present systemic risks to the market and had ``a 
significant footprint in the markets.'' \139\ Others stated that 
broker-dealers should be SCI entities because 17 CFR 240.15c3-5 (``Rule 
15c3-5'' or ``Market Access Rule''),\140\ requiring the implementation 
of risk management and supervisory controls to limit risk associated 
with routing orders to exchanges or ATSs, was not sufficient by itself, 
as it does not address the reliability or integrity of the systems that 
implement such controls.\141\ One commenter stated that Regulation SCI 
should be extended to any trading platforms that transact significant 
volume, including systems that are not required to register as an ATS 
because all executions are against the bids and offers of a single 
dealer.\142\ In contrast, other commenters argued that broker-dealers 
should not be subject to Regulation SCI because they must comply with 
other Exchange Act and FINRA rules and the proposed Regulation SCI 
requirements would be ``duplicative and unduly burdensome.'' \143\ At 
adoption, the Commission stated that ``should [it] decide to propose to 
apply the requirements of Regulation SCI to [broker-dealer operations 
other than ATSs, it] would issue a separate release discussing such a 
proposal and would take these comments into account.'' \144\
---------------------------------------------------------------------------

    \137\ See SCI Adopting Release, supra note 1, at 72365.
    \138\ See id. (citing letter from the New York Stock Exchange, 
Inc. (``NYSE'')).
    \139\ See id. (citing letters from Liquidnet, Inc., David Lauer, 
and R.T. Leuchtkafer).
    \140\ See 17 CFR 240.15c3-5.
    \141\ See SCI Adopting Release, supra note 1, at 72365 (citing 
letters from David Lauer and the NYSE).
    \142\ See id. (citing letter from BlackRock at 4, in which 
BlackRock stated that trading systems that ``transact significant 
volume'' are ``venues that have a meaningful role and impact on the 
equity market'').
    \143\ See id.
    \144\ SCI Adopting Release, supra note 1, at 72366.
---------------------------------------------------------------------------

    In considering expansion of Regulation SCI to broker-dealers or 
broker-dealer operations beyond SCI ATSs, the Commission has considered 
the extent to which current Commission and FINRA rules affect how 
broker-dealers design and review their systems for capacity, integrity, 
resiliency, availability, and/or security adequate to maintain 
operational capability and promote the maintenance of fair and orderly 
markets and compliance with federal securities laws and regulations, 
and whether additional technology oversight is appropriate for certain 
broker-dealers based on the magnitude of their activity in the markets 
today.\145\ The Commission proposes to apply Regulation SCI to a 
limited number of the approximately 3,500 broker-dealers registered 
with the Commission. The proposed thresholds are designed to identify 
firms that, by virtue of their total assets or level of transaction 
activity over a period of time and on a consistent basis, play a 
significant role in the orderly functioning of U.S. securities markets. 
The thresholds are designed to identify firms that, if adversely 
affected by a technology event, could disrupt or impede orderly and 
efficient market operations more broadly.
---------------------------------------------------------------------------

    \145\ As noted above, the concurrently issued Exchange Act 
Cybersecurity Proposal would establish minimum ``cybersecurity 
rules'' for all broker-dealers. That proposal does not, however, 
independently address weaknesses in broker-dealer operational 
capacity or resiliency not attributable to cybersecurity breaches.
---------------------------------------------------------------------------

ii. Current Regulatory Oversight of Broker-Dealer Systems Technology
    There are a number of Commission and FINRA rules that affect how 
broker-dealers design and maintain their technology and promote 
business continuity and regulatory compliance.\146\ Although these 
rules may support the goal of more resilient broker-dealer systems, 
they are not designed to address the same concerns that Regulation SCI 
addresses and are not a substitute for Regulation SCI.\147\
---------------------------------------------------------------------------

    \146\ 17 CFR 240.3a1-1(a)(2) (``Rule 3a1-1(a)(2)''), exempts 
from the Exchange Act section 3(a)(1) definition of ``exchange'' an 
organization, association, or group of persons that complies with 
Regulation ATS. All such exempted ATSs must be a registered broker-
dealer and become a member of an SRO, which typically is FINRA. 
Accordingly, FINRA rules applicable to broker-dealers apply to ATSs. 
A similar discussion of FINRA rules applicable to ATSs appears in 
the SCI Adopting Release, supra note 1, at 72263.
    \147\ See infra notes 148-166 and accompanying text. See also 
SCI Adopting Release, supra note 1, at 72263 (n. 115 and 
accompanying text), 72365 (discussing comments received).
---------------------------------------------------------------------------

    As some commenters on the SCI Proposing Release stated, the Market 
Access Rule is relevant to certain broker-dealer systems. The Market 
Access Rule requires broker-dealers with market access to implement, on 
a market-wide basis, effective financial and regulatory risk management 
controls and supervisory procedures reasonably designed to limit 
financial exposure and ensure compliance with applicable regulatory 
requirements, and thus seeks to address, among other things, certain 
risks posed to the markets by broker-dealer systems.\148\ Pursuant to 
the Market Access Rule, a broker or dealer with market access, or that 
provides a customer or any other person with access to a national securities exchange or ATS through use 
of its market participant identifier or otherwise, must establish, 
document, and maintain a system of risk management controls and 
supervisory procedures reasonably designed to manage the financial, 
regulatory, and other risks of this business activity.\149\ The Market 
Access Rule specifies standards for financial and regulatory risk 
management controls and supervisory procedures.\150\ It requires that 
the financial risk management controls and supervisory procedures must 
be reasonably designed to limit systematically the financial exposure 
of the broker or dealer that could arise from market access.\151\ In 
addition, the Market Access Rule requires that regulatory risk 
management controls and supervisory procedures be reasonably designed 
to ensure compliance with all regulatory requirements.\152\ As such, 
the Market Access Rule focuses on controls to prevent technology and 
other errors that can create some of the more significant risks to 
broker-dealers and the markets, namely those that arise when a broker-
dealer enters orders into a national securities exchange or ATS, 
including when it provides sponsored or direct market access to 
customers or other persons, where the consequences of such an error can 
rapidly magnify and spread throughout the markets. Further, 
the Market Access Rule requires specific controls and procedures around 
a broker-dealer entering orders on a national securities exchange or 
ATS that Regulation SCI does not and would not prescribe.
---------------------------------------------------------------------------

    \148\ See Securities Exchange Act Release No. 63241 (Nov. 3, 
2010), 75 FR 69792 (Nov. 15, 2010) (``Market Access Release''). 
Under 17 CFR 240.15c3-5(a)(1) (``Rule 15c3-5(a)(1)''), ``market 
access'' is defined to mean: (i) access to trading in securities on 
an exchange or ATS as a result of being a member or subscriber of 
the exchange or ATS, respectively; or (ii) access to trading in 
securities on an ATS provided by a broker-dealer operator of an ATS 
to a non-broker-dealer. See 17 CFR 240.15c3-5(a)(1). In adopting 
Rule 15c3-5(a)(1), the Commission stated that ``the risks associated 
with market access . . . are present whenever a broker-dealer trades 
as a member of an exchange or subscriber to an ATS, whether for its 
own proprietary account or as agent for its customers, including 
traditional agency brokerage and through direct market access or 
sponsored access arrangements.'' See Market Access Release at 69798. 
As such, the Commission stated that ``to effectively address these 
risks, Rule 15c3-5 must apply broadly to all access to trading on an 
Exchange or ATS.'' Id.
    \149\ See 17 CFR 240.15c3-5(b).
    \150\ See 17 CFR 240.15c3-5(c).
    \151\ See 17 CFR 240.15c3-5(c)(1).
    \152\ See 17 CFR 240.15c3-5(c)(2). See also 17 CFR 240.15c3-
5(a)(2) (defining ``regulatory requirements'' to mean all Federal 
securities laws, rules and regulations, and rules of self-regulatory 
organizations, that are applicable in connection with market 
access).
---------------------------------------------------------------------------

    In contrast, the policies and procedures required by Regulation SCI 
apply broadly to technology that supports trading, clearance and 
settlement, order routing, market data, market regulation, and market 
surveillance and, among other things, address their overall capacity, 
integrity, resilience, availability, and security independent of market 
access. Whereas the Market Access Rule prescribes specific controls and 
procedures around a broker-dealer entering orders on an exchange or 
ATS, it is not designed to ensure that the key technology pervasive and 
important to the functioning of the U.S. securities markets is robust, 
resilient, and secure.\153\ Among other requirements, the policies and 
procedures requirements of Regulation SCI are designed to help ensure 
that the systems of SCI entities are adequate to maintain operational 
capability independent of any specific SCI event (i.e., a systems issue 
such as a systems disruption, systems intrusion, or systems compliance 
issue). Further, the SCI review requirement obligates an SCI entity to 
assess the risks of its systems and effectiveness of its technology 
controls at least annually, identify weaknesses, and ensure compliance 
with the safeguards of Regulation SCI. The Market Access Rule and 
Regulation SCI, therefore, have different requirements and would 
operate in conjunction with each other to help ensure that the SCI 
systems of SCI broker-dealers, whether used for access to the national 
securities exchanges or ATSs or not, are robust, resilient, and secure.
---------------------------------------------------------------------------

    \153\ See also supra note 141 and accompanying text.
---------------------------------------------------------------------------

    Broker-dealers are also subject to the Commission's financial 
responsibility rules (17 CFR 240.15c3-1 (``Rule 15c3-1'') and 17 CFR 
240.15c3-3 (``Rule 15c3-3'')) under the Exchange Act. Rule 15c3-1 
requires broker-dealers to maintain minimum amounts of net capital, 
ensuring that the broker-dealer at all times has enough liquid assets 
to promptly satisfy all creditor claims if the broker-dealer were to go 
out of business.\154\ Rule 15c3-3 imposes requirements relating to 
safeguarding customer funds and securities.\155\ These rules provide 
protections for broker-dealer counterparties and customers and can help 
to mitigate the risks to, and impact on, customers and other market 
participants by protecting them from the consequences of financial 
failure that may occur because of a systems issue at a broker-dealer, 
and thus have a different scope and purpose from Regulation SCI.\156\
---------------------------------------------------------------------------

    \154\ See 17 CFR 240.15c3-1.
    \155\ See 17 CFR 240.15c3-3.
    \156\ Similarly, 17 CFR 248.30 (``Rule 30'' of Regulation S-P), 
which requires registered brokers and dealers to have written 
policies and procedures that are reasonably designed to safeguard 
customer records and information--to insure their security and 
confidentiality, protect against threats or hazards to their 
security and integrity and protect against unauthorized access or 
use that could result in substantial harm or inconvenience to any 
customer--is not designed to help ensure operational capability of 
market related systems. In addition, 17 CFR 248.201 (``Regulation S-
ID'') requires financial institutions or creditors (defined to 
include registered broker-dealers) that have one or more covered 
accounts, as defined in 17 CFR 248.201(b)(3) (e.g., brokerage 
account), to develop and implement a written identity theft 
prevention program to detect, prevent, and mitigate identity theft 
in connection with covered accounts that includes policies and 
procedures to identify and incorporate red flags into the program, 
detect and respond to red flags, and incorporate periodic updates to 
the program. This rule, however, is also not designed to ensure 
operational capability of market related systems.
---------------------------------------------------------------------------

    Pursuant to 17 CFR 240.17a-3 (``Rule 17a-3'' under the Exchange 
Act) and 17 CFR 240.17a-4 (``Rule 17a-4'' under the Exchange Act), 
broker-dealers are required to make and keep current records detailing, 
among other things, securities transactions, money balances, and 
securities positions.\157\ A systems issue at a broker-dealer would not 
excuse the broker-dealer for noncompliance with these 
requirements.\158\ Further, a broker-dealer that fails to make and keep 
current the records required by Rule 17a-3 must give notice to the 
Commission of this fact on the same day and, thereafter, within 48 
hours transmit a report to the Commission stating what the broker-
dealer has done or is doing to correct the situation.\159\ Regulation 
SCI, however, more directly addresses mitigating the impact of 
technology failures with respect to SCI systems and indirect SCI 
systems (which include systems that are not used to make and keep 
current the records required by Rule 17a-3). Specifically, it requires 
notifications to the Commission for a different set of events--systems 
intrusions, systems compliance issues, and systems disruptions--than 
the notification requirements of 17 CFR 240.17a-11 (``Rule 17a-11''), 
and is therefore not duplicative of Rule 17a-11. In addition, it 
requires that, when an SCI event has occurred, an SCI entity must begin 
to take appropriate corrective action which must include, at a minimum, 
mitigating potential harm to investors and market integrity resulting 
from the SCI event and devoting adequate resources to remedy the SCI 
event as soon as reasonably practicable.
---------------------------------------------------------------------------

    \157\ See 17 CFR 240.17a-3; 17 CFR 240.17a-4.
    \158\ See, e.g., Securities Exchange Act Release No. 40162 (July 
2, 1998), 63 FR 37668 (July 13, 1998) (stating that computer systems 
with ``Year 2000 Problems'' may be deemed not to have accurate and 
current records and be in violation of Rule 17a-3).
    \159\ See 17 CFR 240.17a-11.
---------------------------------------------------------------------------

    FINRA also has several rules that are similar to, but take a 
different approach from, Regulation SCI. For example, FINRA Rule 4370 
requires that each broker-dealer create and maintain a written business 
continuity plan identifying procedures relating to an emergency or 
significant business disruption that are reasonably designed to enable 
them to meet their existing obligations to customers. The procedures 
must also address the broker-dealer's existing relationships with 
other broker-dealers and counterparties. A broker-dealer is 
required to update its plan in the event of any material change to the 
member's operations, structure, business, or location and must conduct 
an annual review of its business continuity plan to determine whether 
any modifications are necessary in light of changes to the member's 
operations, structure, business, or location. The rule sets forth 
general minimum elements that a broker-dealer's business continuity 
plan must address.\160\
---------------------------------------------------------------------------

    \160\ Specifically, FINRA Rule 4370 requires that each plan 
must, at a minimum, address: data back-up and recovery; all mission 
critical systems; financial and operational assessments; alternate 
communications between customers and the member; alternate 
communications between the member and its employees; alternate 
physical location of employees; critical business constituent, bank, 
and counter-party impact; regulatory reporting; communications with 
regulators; and how the member will assure customers' prompt access 
to their funds and securities in the event that the member 
determines that it is unable to continue its business.
---------------------------------------------------------------------------

    This rule is akin to Regulation SCI's Rule 1001(a)(2)(v) requiring 
policies and procedures for business continuity and disaster recovery 
plans.\161\ However, unlike Regulation SCI, the FINRA rule does not 
include the requirement that the business continuity and disaster 
recovery plans be reasonably designed to achieve next business day 
resumption of trading and two-hour resumption of critical SCI systems 
following a wide-scale disruption, nor does it require the functional 
and performance testing and coordination of industry or sector-testing 
of such plans, which are instrumental in achieving the goals of 
Regulation SCI with respect to SCI entities.\162\ In addition, FINRA 
Rule 4370 contains certain provisions that Regulation SCI does 
not.\163\ For example, a broker-dealer must disclose to its customers 
through public disclosure statements how its business continuity plan 
addresses the possibility of a future significant business disruption 
and how the member plans to respond to events of varying scope.\164\ 
Accordingly, FINRA Rule 4370 and Regulation SCI would operate in 
conjunction with one another to help ensure that an SCI broker-dealer 
has business continuity and disaster recovery plans to achieve the 
goals of each rule.
---------------------------------------------------------------------------

    \161\ See SCI Adopting Release, supra note 1, at 72263-64.
    \162\ Id.
    \163\ See supra note 160.
    \164\ See FINRA Rule 4370(e).
---------------------------------------------------------------------------

    FINRA Rule 3110(b)(1) requires each broker-dealer to establish, 
maintain, and enforce written procedures to supervise the types of 
business in which it engages and to supervise the activities of 
registered representatives, registered principals, and other associated 
persons that are reasonably designed to achieve compliance with 
applicable securities laws and regulations.
    This supervisory obligation extends to member firms' outsourcing of 
certain ``covered activities''--activities or functions that, if 
performed directly by a member firm, would be required to be the 
subject of a supervisory system and written supervisory procedures 
pursuant to FINRA Rule 3110.\165\ This rule is broadly similar to Rule 
1001(b) of Regulation SCI regarding policies and procedures to ensure 
systems compliance. However, unlike Rule 1001(b), which focuses on 
ensuring that an entity's systems operate in compliance with the 
Exchange Act, the rules and regulations thereunder, and the entity's 
rules and governing documents, this FINRA rule does not specifically 
address compliance of broker-dealers' systems. Further, this provision 
does not cover more broadly policies and procedures akin to those in 
Rule 1001(a) of Regulation SCI regarding ensuring the SCI entity's 
operational capability. FINRA Rule 3110(b)(1) and Regulation SCI would 
operate in conjunction to help ensure that the SCI systems of SCI 
broker-dealers, including those operated by third parties, are robust, 
resilient, and operate as intended.
---------------------------------------------------------------------------

    \165\ See FINRA, Regulatory Notice 21-29: Vendor Management and 
Outsourcing (Aug. 13, 2021), available at https://www.finra.org/sites/default/files/2021-08/Regulatory-Notice-21-29.pdf; FINRA, 
Notice to Members 05-48: Outsourcing (July 2005), available at 
https://www.finra.org/sites/default/files/NoticeDocument/p014735.pdf.
---------------------------------------------------------------------------

    FINRA Rule 3130 requires a broker-dealer's chief compliance officer 
to certify annually that the member has in place processes to 
establish, maintain, review, test, and modify written policies and 
procedures reasonably designed to achieve compliance with applicable 
FINRA rules, MSRB rules, and federal securities laws and regulations. 
This rule is similar to Rule 1001(b) of Regulation SCI regarding 
policies and procedures to ensure systems compliance; however, like 
FINRA Rule 3130(b)(1), it does not specifically address compliance of 
broker-dealers' systems, and does not require similar policies and 
procedures to those in Rule 1001(a) of Regulation SCI regarding 
operational capability of SCI entities. Therefore, FINRA Rule 3130 and 
Regulation SCI would operate in conjunction with each other to help 
ensure compliance with applicable law.
    FINRA Rule 4530 imposes a regime for reporting certain events to 
FINRA, including, among other things, compliance issues and other 
events where a broker-dealer has concluded, or should have reasonably 
concluded, that a violation of securities or other enumerated law, 
rule, or regulation of any domestic or foreign regulatory body or SRO 
has occurred. This requirement is similar to Regulation SCI's reporting 
requirements under Rule 1002 with respect to systems compliance issues; 
however, it does not cover reporting of systems disruptions and systems 
intrusions that did not also involve a violation of a securities law, 
rule, or regulation. Further, the FINRA reporting rule differs from the 
Commission notification requirements with respect to the scope, timing, 
content and required recipient of the reports. FINRA Rule 4530 
addressing reporting of certain issues to FINRA is thus not duplicative 
of Regulation SCI, which, among other things, was designed to enhance 
direct Commission oversight of entities designated as key entities 
because they play a significant role in the U.S. securities markets.
    Additionally, while regulations and associated guidance applicable 
to bank holding companies promulgated by the Federal Reserve Board and 
other bank regulators address operational resilience, their direct 
application is to bank holding companies rather than broker-dealers 
registered with the Commission. For example, a 2020 interagency paper 
issued by the Federal Reserve Board, the Office of the Comptroller of 
the Currency, and the Federal Deposit Insurance Corporation sets forth 
``sound practices'' for the largest, most complex firms, including U.S. 
bank holding companies, to follow to strengthen their operational 
resilience. While this publication offers key strategies for covered 
entities to follow to remain resilient, many of which are similar to 
what Regulation SCI requires, these practices are not mandatory for 
registered broker-dealers.\166\ Thus, although some Exchange Act and 
FINRA rules other than Regulation SCI support the goal of robust and 
resilient broker-dealer systems, the Commission believes that 
additional protections, reporting of systems problems, and direct 
Commission oversight of broker-dealer technology are appropriate for 
the largest broker-dealers.
---------------------------------------------------------------------------

    \166\ See Federal Reserve Board, SR 20-24: Interagency Paper on 
Sound Practices to Strengthen Operational Resilience (Nov. 2, 2020), 
(``Banking Interagency Paper''), available at https://www.federalreserve.gov/supervisionreg/srletters/SR2024.htm (``To 
help large and complex domestic firms address unforeseen challenges 
to their operational resilience, the sound practices are drawn from 
existing regulations, guidance, and statements as well as common 
industry standards that address operational risk management, 
business continuity management, third-party risk management, 
cybersecurity risk management, and recovery and resolution 
planning.''). The paper applies to national banks, state member 
banks, state nonmember banks, savings associations, U.S. bank 
holding companies, and savings and loan holding companies that have 
average total consolidated assets greater than or equal to (a) $250 
billion or (b) $100 billion and have $75 billion or more in average 
cross-jurisdictional activity, average weighted short-term wholesale 
funding, average nonbank assets, or average off-balance sheet 
exposure. As discussed below, the Commission's proposed approach to 
identifying SCI broker-dealers similarly takes into account the size 
of the firm, as measured by a total assets threshold and/or market 
activity thresholds.
---------------------------------------------------------------------------

iii. Proposed Thresholds for an ``SCI Broker-Dealer''
Overview
    As proposed, Regulation SCI would apply to a limited number of 
broker-dealers that satisfy: (i) a total assets threshold, or (ii) one 
or more transaction activity thresholds.
    The Commission preliminarily believes that a broker-dealer that 
meets the proposed thresholds for assets or transaction activity, 
whether operating in multiple markets or predominantly in a single 
market, that becomes unreliable or unavailable due to a systems issue, 
risks disrupting fair and orderly market functioning.
    Current Regulation SCI applies to all national securities exchanges 
and certain significant-volume ATSs, all of which are highly dependent 
on sophisticated automated and interconnected systems. As electronic 
trading has grown, and continues to grow in some asset classes, many 
broker-dealers are similarly dependent on sophisticated and 
interconnected automated systems.\167\ These broker-dealer systems 
contribute to the orderly functioning of U.S. securities markets, 
encompassing, for example, systems for trading and quoting, order 
handling, dissemination and processing of market data, and the process 
of clearance and settlement.
---------------------------------------------------------------------------

    \167\ For example, see Algorithmic Trading Report, supra note 3 
(discussing many uses of computer systems in contemporary markets, 
particularly with respect to the trading of equity and debt 
securities).
---------------------------------------------------------------------------

    An ``SCI broker-dealer'' would be a broker or dealer registered 
with the Commission pursuant to section 15(b) of the Exchange Act 
which:
    [bull] In at least two of the four preceding calendar quarters, 
ending March 31, June 30, September 30, and December 31, reported to 
the Commission, on Form X-17A-5 (Sec.  249.617),\168\ total assets in 
an amount that equals five percent (5%) or more of the total assets of 
all security brokers and dealers; or \169\
---------------------------------------------------------------------------

    \168\ Broker-dealers that file Form X-17A-5 on a monthly basis 
would use their total assets, as reported on Item 940 of Form X-17A-
5, for the months ending Mar. 31, June 30, Sept. 30, and Dec. 31. 
Broker-dealers that file Form X-17A-5 on a quarterly basis would use 
their total assets, as reported on Item 940 of Form X-17A-5, for the 
quarters ending Mar. 31, June 30, Sept. 30, and Dec. 31.
    \169\ See definition of SCI broker-dealer in proposed amended 
Rule 1000. The term ``total assets of all security brokers and 
dealers'' would, for purposes of this threshold, mean the total 
assets calculated and made publicly available by the Board of 
Governors of the Federal Reserve, or any subsequent provider of such 
information, for the associated preceding calendar quarter. Id. See 
supra note 127; infra text accompanying notes 181-185.
---------------------------------------------------------------------------

    [bull] During at least four of the preceding six calendar months:
    [cir] With respect to transactions in NMS stocks, transacted 
average daily dollar volume in an amount that equals ten percent (10%) 
or more of the average daily dollar volume \170\ reported by or 
pursuant to applicable effective transaction reporting plans, provided, 
however, that for purposes of calculating its activity in transactions 
effected otherwise than on a national securities exchange or on an 
alternative trading system, the broker-dealer shall exclude 
transactions for which it was not the executing party; or
---------------------------------------------------------------------------

    \170\ For June 2022, the average daily dollar volume in NMS 
stocks, as reported by applicable effective transaction reporting 
plans, was approximately $560 billion, with 10% of that reflecting 
approximately $56 billion.
---------------------------------------------------------------------------

    [cir] With respect to transactions in exchange-listed options 
contracts, transacted average daily dollar volume in an amount that 
equals ten percent (10%) or more of the average daily dollar volume 
\171\ reported by an applicable effective national market system plan; 
or
---------------------------------------------------------------------------

    \171\ For June 2022, the average daily dollar volume in 
exchange-listed options contracts, as reported by an applicable 
effective national market system plan, was approximately $23.8 
billion, with 10% of that reflecting approximately $2.4 billion.
---------------------------------------------------------------------------

    [cir] With respect to transactions in U.S. Treasury Securities, 
transacted average daily dollar volume in an amount that equals ten 
percent (10%) or more of the total average daily dollar volume \172\ 
made available by the self-regulatory organizations \173\ to which such 
transactions are reported; or
---------------------------------------------------------------------------

    \172\ For June 2022, the average daily dollar volume in U.S. 
Treasury Securities, according to FINRA TRACE data, was 
approximately $634.1 billion, with 10% of that reflecting 
approximately $63.4 billion.
    \173\ Currently, there is one self-regulatory organization to 
which transactions in U.S. Treasury Securities are reported (i.e., 
FINRA).
---------------------------------------------------------------------------

    [cir] With respect to transactions in Agency Securities, transacted 
average daily dollar volume in an amount that equals ten percent (10%) 
or more of the total average daily dollar volume \174\ made available 
by the self-regulatory organizations \175\ to which such transactions 
are reported.
---------------------------------------------------------------------------

    \174\ For June 2022, the average daily dollar volume in Agency 
Securities, according to FINRA TRACE data, was approximately $223 
billion, with 10% of that reflecting approximately $22.3 billion.
    \175\ Currently, there is one self-regulatory organization to 
which transactions in U.S. Treasury Securities are reported (i.e., 
FINRA) and one organization to which transactions in Agency 
Securities are reported (i.e., FINRA).
---------------------------------------------------------------------------

    An SCI broker-dealer would be required to comply with the 
requirements of Regulation SCI six months after the SCI broker-dealer 
satisfied either threshold for the first time.
    The proposed thresholds are designed to identify the largest U.S. 
broker-dealers. To assess which broker-dealers should be subject to 
Regulation SCI,\176\ the Commission has taken into account the size of 
registered broker-dealers based on analyses of: (i) total assets 
reported on Form X-17A-5 (Financial and Operational Combined Uniform 
Single (``FOCUS'') Report Part II, Item 940),\177\ and (ii) transaction 
activity in certain asset classes.
---------------------------------------------------------------------------

    \176\ See supra note 82 and accompanying text.
    \177\ See Form X-17A-5, FOCUS Report, Part II, at 3, available 
at https://www.sec.gov/files/formx-17a-5_2_2.pdf (requiring broker-
dealers to report their total assets in Item 940).
---------------------------------------------------------------------------

Proposed Total Assets Threshold
    A broker-dealer would be an SCI broker-dealer and included in the 
definition of SCI entity if, in at least two of the four preceding 
calendar quarters ending March 31, June 30, September 30, and December 
31, it reported to the Commission on Form X-17A-5, FOCUS Report Part 
II, Item 940 total assets in an amount that equals five percent or more 
of the total assets of all security brokers and dealers. Congress and 
multiple regulators have used total assets as a factor in assessing 
whether an entity warrants heightened oversight. For example, under the 
Dodd-Frank Act, the Financial Stability Oversight Council (``FSOC'') 
considers financial assets as one factor to determine whether a U.S. 
non-bank financial services company is supervised by the Federal 
Reserve Board and subject to enhanced prudential standards.\178\ 
Furthermore, the Dodd-Frank Act requires the Federal Reserve Board to 
establish enhanced prudential standards for bank holding companies over 
a certain threshold of total assets.\179\ Additionally, the Federal

[[Page 23162]]

Deposit Insurance Corporation (``FDIC'') increases its Deposit 
Insurance Fund assessment for large and highly complex institutions as 
compared to small banks.\180\
---------------------------------------------------------------------------

    \178\ See Dodd-Frank Act section 113(a)(2), 12 U.S.C. 
5323(a)(2).
    \179\ See Dodd-Frank Act section 165, 12 U.S.C. 5365(a)(1). See 
also Federal Reserve Board, Prudential Standards for Large Bank 
Holding Companies, Savings and Loan Holding Companies, and Foreign 
Banking Organizations, 84 FR 59032 (Nov. 1, 2019), and Federal 
Reserve Board, Changes to Applicability Thresholds for Regulatory 
Capital and Liquidity Requirements, 84 FR 59230 (Nov. 1, 2019). See 
SCI Adopting Release, supra note 1, at 72259, and also definition of 
``critical SCI systems'' in 17 CFR 142.1000.
    \180\ See FDIC, Deposit Insurance Fund, Assessment Rates & 
Methodology (last updated July 20, 2021), available at https://www.fdic.gov/resources/deposit-insurance/deposit-insurance-fund/dif-assessments.html.
---------------------------------------------------------------------------

    Although a broker-dealer's total assets alone could be used as the 
proposed rule's measure of an entity's size and significance, to ensure 
that a total assets measure reflects significant activity in relative 
terms, the Commission proposes to scale each broker-dealer's total 
assets (the numerator) to a quarterly measure of ``total assets of all 
security brokers and dealers,'' as calculated by the Federal Reserve 
Board (the denominator).\181\ The firm's total assets filed on FOCUS 
reports (of which each firm has current and direct knowledge) would be 
divided by the broader measure of total assets for all securities 
brokers and dealers calculated and made publicly available by the 
Federal Reserve Board, or any subsequent provider of such information, 
for the purpose of comparing the size of a broker-dealer to the group 
of entities tracked by the Federal Reserve Board.\182\ The Commission 
understands that the Federal Reserve Board publishes total assets for 
all security brokers and dealers approximately ten weeks after the end 
of the quarter (e.g., 2022 third quarter results (for the quarter ending 
September 30, 2022) were published on December 13, 2022). Therefore, 
the information for the preceding quarter should be available prior to 
the date on which the firm's FOCUS report is required to be filed with 
the Commission for the relevant quarter. To enable each firm to 
calculate whether it exceeds the threshold at the time it files its 
FOCUS report (which is due 17 days after the end of the quarter/
month),\183\ broker-dealers would compare their total assets to the 
previous quarter on or before the FOCUS report filing deadline. 
Accordingly, to assess whether it exceeds the threshold for a relevant 
calendar quarter, a broker-dealer would divide its total assets 
reported on Form X-17A-5, FOCUS Report Part II, Item 940 for that 
quarter by the total assets of all security brokers and dealers for the 
preceding quarter, as made available by the Federal Reserve.\184\ 
Although it is possible that the total assets of all security brokers 
and dealers could increase or decrease sharply from one quarter to the 
next, the FRED data shows that this has occurred rarely and that the 
asset totals in the Federal Reserve Board's data generally do not 
change significantly from quarter to quarter.\185\ The Commission 
therefore believes that overall, the data made available by the Federal 
Reserve Board is an appropriate and consistent figure for use as a 
denominator in the proposed threshold.\186\
---------------------------------------------------------------------------

    \181\ See supra note 127. This figure has been calculated by the 
Federal Reserve Board and made available on the Federal Reserve 
Economic Data (FRED) website for many years. As stated above, the 
total assets figure calculated by the Federal Reserve Board is based 
on the information reported to the Commission by ``security broker-
dealers'' on either the FOCUS report or the FOGS report. See id.
    \182\ Id.
    \183\ Form X-17A-5 must be filed within 17 business days after 
the end of each calendar quarter, within 17 business days after the 
end of the fiscal year where that date is not the end of a calendar 
quarter, and/or monthly, in accordance with 17 CFR 240.17a-5, 
240.17a-12, or 240.18a-7, as applicable. See Instructions to Form X-
17A-5, FOCUS Report, Part II, at 2, available at https://www.sec.gov/files/formx-17a-5_22.pdf.
    \184\ See supra note 127. For example, to assess whether it 
exceeds the threshold for the calendar quarter ending Dec. 31, a 
broker-dealer would take its total assets reported on Form X-17A-5, 
FOCUS Report Part II, Item 940 for the quarter ending Dec. 31, and 
divide that by the total assets of security brokers and dealers for 
the third quarter (ending Sept. 30) of the same year, as obtained 
from the Federal Reserve Board. If a broker-dealer reported $350 
billion, $385 billion, $359 billion, and $386 billion in total 
assets on its FOCUS reports for Q4 2022, Q3 2022, Q2 2022, and Q1 
2022, respectively, the broker-dealer would divide its total assets 
for each quarter by $5.07 trillion (for Q3 2022), $5.07 trillion (for 
Q2 2022), $5.23 trillion (for Q1 2022), and $4.96 trillion (for Q1 
2021), respectively. See infra note 185. The broker-dealer's total 
assets as a percentage of the total assets of all security broker-
dealers would be 6.9% for Q4 2022, 7.6% for Q3 2022, 6.9% for Q2 
2022, and 7.8% for Q1 2022. In all four quarters, the broker-dealer 
would exceed the 5% threshold and therefore meet the definition of 
SCI broker-dealer.
    \185\ See Board of Governors of the Federal Reserve System (US), 
Security Brokers and Dealers; Total Assets (Balance Sheet), Level 
[BOGZ1FL664090663Q], retrieved from FRED, Federal Reserve Bank of 
St. Louis; https://fred.stlouisfed.org/series/BOGZ1FL664090663Q. The 
total assets data from the Federal Reserve shows a sharp drop at the 
time of the financial crisis, from Q3 2008 to Q4 2008. See id. More 
recent data show total assets for all security broker-dealers for 
purposes of the proposed denominator in recent quarters in trillion 
dollars as follows: Q3 2022: $5.07 trillion; Q2 2022: $5.07 trillion; 
Q1 2022: $5.23 trillion; Q4 2021: $4.96 trillion; Q3 2021: $5.05 
trillion; Q2 2021: $4.94 trillion. See id.
    \186\ The Federal Reserve Board data includes total assets 
reported on both FOCUS and FOGS forms. Its use would result in a 
conservative number of broker-dealers meeting the total assets 
threshold (i.e., because elimination of FOGS data would reduce the 
size of the denominator). The Commission solicits comment below on 
whether another figure would be a more appropriate and useful 
measure for determining if a broker-dealer is in the top 5% of all 
broker-dealers in terms of its total assets, and if a percentage 
threshold is a better measure than a dollar measure.
---------------------------------------------------------------------------

    If a firm meets or exceeds the threshold in two of the four 
preceding calendar quarters, it would be required to comply with 
Regulation SCI beginning six months after the end of the quarter in 
which the SCI broker-dealer satisfied the proposed asset threshold for 
the first time. Based on data from recent quarters, at the proposed 
threshold, a broker-dealer registered with the Commission pursuant to 
section 15(b) of the Exchange Act and having total assets on its 
balance sheet in excess of approximately $250 billion in two of the 
preceding four calendar quarters would be an SCI broker-dealer for as 
long as it continued to satisfy the threshold.\187\
---------------------------------------------------------------------------

    \187\ As a specific example, based on totals retrieved from FRED 
(see supra note 127), a broker-dealer assessing its total assets in 
Dec. 2022 would determine if that level exceeded 5% of total assets 
in two of the preceding four quarters (approximately $253 billion, 
$253 billion, $261 billion, and $248 billion, for Q3 of 2022, Q2 of 
2022, Q1 of 2022, and Q4 of 2021, respectively). See also Banking 
Interagency Paper, supra note 166 (applicable to banking 
institutions having in excess of an average of $250 billion in total 
assets).
---------------------------------------------------------------------------

    The Commission believes that the proposed threshold of five percent 
of total assets is a reasonable approach to identifying the largest 
broker-dealers. In addition to its broad consistency with the approach 
taken by banking regulators,\188\ this approach takes into 
consideration the multiple roles that the largest broker-dealers play 
in the U.S. securities markets. Not only do the largest broker-dealers 
generate liquidity in multiple types of securities, but many also 
operate multiple types of trading platforms.\189\ Further, entities 
with assets at this level also take risk that they seek to hedge, in 
some cases using ``central risk books'' for that and other purposes, 
and engage in routing substantial order flow to other trading 
venues.\190\ For these reasons, the

[[Page 23163]]

Commission believes that systems issues at firms having assets at this 
level would have the potential to impact investors, the overall market, 
and the trading of individual securities, and that therefore their 
market technology should be subject to the requirements and safeguards 
of Regulation SCI. The threshold is designed to be appropriately high 
enough to ensure that only the largest broker-dealers are subject to 
the obligations, and associated burdens and costs, of Regulation SCI. 
It is also designed to be a relative measure that does not become 
outdated over time, as the size of the overall market expands or 
contracts.
---------------------------------------------------------------------------

    \188\ See, e.g., supra notes 166 and 187 (discussing Banking 
Interagency Paper).
    \189\ For a broad discussion of these roles, see, e.g., 
Rosenblatt Securities, 2022 US Equity Trading Venue Guide (May 24, 
2022) (discussing among other things the features of single-dealer 
platforms for equity securities that are operated by broker-
dealers); Regulation of NMS Stock Alternative Trading Systems, 
Securities Exchange Act Release No. 83663 (July 18, 2018), 83 FR 
38768 at 38770-72 (Aug. 7, 2018) (discussing among other things the 
operational complexity of multi-service broker-dealers with 
significant brokerage and dealing activity apart from operation of 
one or more ATSs).
    \190\ See, e.g., Rosenblatt Securities, Central Risk Books: What 
the Buy Side Needs to Know (Oct. 18, 2018) (stating that all of the 
biggest bank-affiliated broker-dealers have some form of central 
risk book and that the ``critical mass of order flow or principal 
activity, spread across asset classes and regions'' may not justify 
the operation of these books for smaller, more focused firms). See 
also Algorithmic Trading Report, supra note 3, at 41-42 (describing 
central risk books as an important source of block liquidity). All 
of the firms that satisfy the proposed total assets threshold also 
satisfy at least one of the proposed trading activity thresholds. 
See infra text accompanying note 219.
---------------------------------------------------------------------------

    As noted, the proposed total assets threshold for SCI broker-
dealers would include a proposed time period measurement of ``at least 
two of the four preceding calendar quarters.'' Requiring that the 
threshold is met in two out of the four preceding quarters would help 
mitigate the effect of a steep increase/decrease in total assets in any 
individual quarter.
    Further, this measurement is designed to capture only the broker-
dealers that are consistently at or above the proposed five percent 
threshold, and would not include a broker-dealer that may have had an 
anomalous quarterly increase, so that a short-term spike in total 
assets uncharacteristic of the broker-dealer's overall total asset 
history would not cause it to become subject to Regulation SCI. 
Although the Commission is also proposing a time period measurement of 
``at least four of the preceding six calendar months'' for the trading 
activity thresholds discussed below (consistent with the time period 
measurement for SCI ATSs),\191\ using a quarterly measure for the total 
asset threshold is appropriate because FOCUS reports are required at 
least quarterly for all broker-dealers and the proposed scaling measure 
is one that is updated quarterly. Based on its analysis of FOCUS 
reports during the period from Q4 2021 through Q3 2022, the Commission 
estimates that five entities would exceed the proposed threshold (with 
the fifth-ranked firm in each quarter reporting total assets in excess 
of $300 billion, and all firms ranging from approximately seven to 14 
percent of the total assets reported by the Federal Reserve Board for 
the previous quarter), and further anticipates that this threshold 
would result in little, if any, variation in which firms exceed the 
threshold over the course of four calendar quarters.\192\
---------------------------------------------------------------------------

    \191\ See Rule 1000 (definition of ``SCI ATS'') (providing a 
time period measurement of ``at least four of the preceding six 
calendar months'').
    \192\ As with other entities that are SCI entities because they 
satisfy a threshold (e.g., SCI ATSs), an SCI broker-dealer would no 
longer be an SCI broker-dealer, and thus no longer be subject to 
Regulation SCI, in the quarter when it no longer satisfies the total 
assets test (i.e., it does not meet the threshold in two of the 
previous four quarters). This assumes the broker-dealer also does 
not meet or no longer satisfies the proposed transaction activity 
threshold.
---------------------------------------------------------------------------
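The total assets test described above, carried through in code as an added example (it is not code from the Commission or from this release). It applies the preceding-quarter denominator, the five percent ratio and the two-of-four-quarters rule to the firm figures in footnote 184 and the FRED denominators in footnote 185, derives the implied dollar threshold discussed in footnote 187, and shows why a single anomalous quarter does not by itself make a firm an SCI broker-dealer. The quarter labels, the dictionary layout and the second (spiking) firm are constructed for this example; the $4.96 trillion figure is keyed to Q4 2021, the quarter footnote 185 assigns it to and the quarter preceding Q1 2022.

```python
"""Total assets test for the proposed ``SCI broker-dealer'' definition.

Added example, not the Commission's code.  Figures are constructed from the
worked example in footnotes 184 and 185: firm values are FOCUS Report Part II
Item 940 totals, denominators are the FRED series BOGZ1FL664090663Q values
quoted there.  Quarter labels such as "2022Q4" are an assumption of this
example.
"""

ASSET_THRESHOLD = 0.05    # five percent of total assets of all security brokers and dealers
LOOKBACK_QUARTERS = 4     # "four preceding calendar quarters"
QUARTERS_REQUIRED = 2     # "at least two of" them

# Denominator series (dollars), constructed from footnote 185.
FRED_TOTAL_ASSETS = {
    "2022Q3": 5.07e12, "2022Q2": 5.07e12, "2022Q1": 5.23e12,
    "2021Q4": 4.96e12, "2021Q3": 5.05e12, "2021Q2": 4.94e12,
}

# Hypothetical firm from footnote 184 (Item 940 total assets, dollars).
FIRM_ITEM_940 = {"2022Q4": 350e9, "2022Q3": 385e9, "2022Q2": 359e9, "2022Q1": 386e9}

# Constructed second firm with one anomalous quarter; only Q3 2022 clears 5%.
SPIKE_FIRM_ITEM_940 = {"2022Q4": 100e9, "2022Q3": 400e9, "2022Q2": 120e9, "2022Q1": 110e9}


def previous_quarter(quarter: str) -> str:
    """'2022Q1' -> '2021Q4'; '2022Q4' -> '2022Q3'."""
    year, n = int(quarter[:4]), int(quarter[5:])
    if n not in (1, 2, 3, 4):
        raise ValueError(f"bad quarter label {quarter!r}")
    return f"{year - 1}Q4" if n == 1 else f"{year}Q{n - 1}"


def asset_ratio(firm_assets, fred_totals, quarter):
    """Firm Item 940 for `quarter` over the FRED total for the *preceding* quarter.

    The lag exists because FRED publishes roughly ten weeks after quarter end,
    i.e. after the FOCUS filing deadline for the current quarter.
    """
    return firm_assets[quarter] / fred_totals[previous_quarter(quarter)]


def implied_dollar_threshold(fred_totals, quarter):
    """Item 940 total a firm would need in `quarter` to reach five percent."""
    return ASSET_THRESHOLD * fred_totals[previous_quarter(quarter)]


def quarters_meeting_threshold(firm_assets, fred_totals):
    """Quarters (in the order supplied) in which the firm's ratio is at least 5%."""
    return [q for q in firm_assets
            if asset_ratio(firm_assets, fred_totals, q) >= ASSET_THRESHOLD]


def is_sci_broker_dealer_by_assets(firm_assets, fred_totals) -> bool:
    """True when the 5% ratio is met in at least two of the four quarters given."""
    if len(firm_assets) != LOOKBACK_QUARTERS:
        raise ValueError("supply exactly the four preceding calendar quarters")
    return len(quarters_meeting_threshold(firm_assets, fred_totals)) >= QUARTERS_REQUIRED


if __name__ == "__main__":
    for q in FIRM_ITEM_940:
        print(q, f"{asset_ratio(FIRM_ITEM_940, FRED_TOTAL_ASSETS, q):.1%}",
              f"needs >= ${implied_dollar_threshold(FRED_TOTAL_ASSETS, q) / 1e9:.1f}B")
    print("footnote 184 firm:", is_sci_broker_dealer_by_assets(FIRM_ITEM_940, FRED_TOTAL_ASSETS))
    print("spiking firm:", is_sci_broker_dealer_by_assets(SPIKE_FIRM_ITEM_940, FRED_TOTAL_ASSETS))
```

Run stand-alone, the four ratios for the footnote 184 firm come out at 6.9%, 7.6%, 6.9% and 7.8%, matching the release, and the implied dollar thresholds (about $253.5 billion, $253.5 billion, $261.5 billion and $248 billion) match the figures in footnote 187 once rounded. The spiking firm clears five percent in only one quarter, so the two-of-four rule keeps it outside the definition.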

Proposed Transaction Activity Threshold
    In the Commission's view, a broker-dealer's transaction activity is 
another reasonable measure for estimating the significance of a broker-
dealer's role in contributing to fair and orderly markets. In several 
asset classes, the transaction activity of each of a relatively small 
number of broker-dealers constitutes a share of trading that could, if 
affected by a systems issue, negatively impact fair and orderly 
markets. For example, in NMS stocks, some broker-dealers constitute 
significant concentrations of on-exchange trading, and some broker-
dealers execute off-exchange transactions at levels that rival or 
exceed the volume of trading on current SCI entities.\193\ For listed 
options, which are required to execute on a national securities 
exchange, a small number of firms participate in a high proportion of 
trades.\194\ Similarly, transaction reporting data for U.S. Treasury 
Securities and Agency Securities reveal that a handful of broker-
dealers each represent a significant percentage of the average weekly 
(for U.S. Treasury Securities) or daily (for Agency Securities) dollar 
volume reported by FINRA (currently the only SRO to which such 
transactions are reported).\195\
---------------------------------------------------------------------------

    \193\ For example, in Sept. 2022, one broker-dealer executed a 
greater proportion of shares in NMS stocks than all but two national 
securities exchanges. See, e.g., FINRA, OTC Transparency Data, 
available at https://otctransparency.finra.org/otctransparency; 
CBOE, Historical Market Volume Data, available at https://www.cboe.com/us/equities/market_statistics/historical_market_volume/.
    \194\ As discussed further below in this section, the Commission 
estimates that six firms would satisfy the 10% options transaction 
activity threshold.
    \195\ As discussed further below in this section, the Commission 
estimates that four firms would satisfy the 10% U.S. Treasury 
Security transaction activity threshold, and six firms would satisfy 
the 10% Agency Security transaction activity threshold.
---------------------------------------------------------------------------

    Accordingly, the Commission is proposing to include as an SCI 
entity any registered broker-dealer that, irrespective of the size of 
its balance sheet, consistently engages in transaction activity at a 
substantially high level in certain enumerated asset classes, scaled as 
a percentage of total average daily dollar volume over a specified time 
period.\196\ If a significant systems issue at a broker-dealer that 
meets the proposed thresholds were to occur, the concern is that its 
effect would have widespread impact, for example, by impeding the 
ability of other market participants to trade securities in one or more 
of the identified asset classes, interrupting the price discovery 
process, or contributing to capacity issues at other broker-dealers. 
Further, if executions were delayed by a systems disruption in an SCI 
broker-dealer's trading, order routing, clearance and settlement, or 
market data system, due to the magnitude of the proposed covered 
transaction activity in which these firms consistently engage, the 
delay could have cascading effects disruptive to the broader 
market.\197\
---------------------------------------------------------------------------

    \196\ As discussed further below, the Commission proposes that 
average daily dollar volume be the denominator used as the scaling 
measure for each relevant asset class. See infra notes 211-217 and 
accompanying text (discussing entities that currently and may in the 
future receive and make available transaction reports, or aggregated 
volume statistics in NMS stocks, exchange-listed options, U.S. 
Treasury Securities, and Agency Securities).
    \197\ For example, capacity constraints, whether due to risk 
management, or operational capability limitations of systems, could 
limit how much one broker-dealer could handle a sudden increase in 
order flow from a large broker-dealer. For context, based on 
analysis of data from the Consolidated Audit Trail, in 2022, two 
large market makers in NMS stocks engaged in over-the-counter 
transactions (all purchases and all sales effected otherwise than on 
a national securities exchange or ATS) having a total dollar volume 
of at least $37 billion on most trading days; with at least a 
quarter of trading days in 2022 having total dollar volume of $42.3 
billion or more, and all trading days having an average total dollar 
volume of $37.3 billion. Counting volume across all venues (all 
purchases and all sales effected over-the-counter, on a national 
securities exchange, or on an ATS), these figures for the same two 
firms, respectively, are: at least $82.2 billion ($67.6 billion marked as 
principal/riskless principal) on most trading days; at least $97.1 
billion ($83.7 billion marked as principal/riskless principal) on at 
least a quarter of the trading days; and $83.5 billion ($69.4 
billion marked as principal/riskless principal) as the average for 
all trading days.
---------------------------------------------------------------------------

    The proposed transaction thresholds are broadly similar across 
different types of securities. However, because of differences in 
market structure, there are notable differences in the application of 
the thresholds across types of securities.
    Regulation SCI currently applies to, among other entities, national 
securities exchanges for both listed equities and listed options, and 
to ATSs trading significant volume in NMS stocks. A national securities 
exchange and an ATS are a type of ``trading center,'' as that term is 
defined in 17 CFR 242.600 through 242.614 (``Regulation NMS'').\198\ 
For purposes of counting

[[Page 23164]]

transaction activity in NMS stocks, the proposed thresholds are 
anchored to broker-dealer activity conducted on or as a trading center. 
Therefore, the Commission is proposing, with respect to the transaction 
thresholds for NMS stocks, to include broker-dealer activity on 
national securities exchanges and NMS Stock ATSs, as well as broker-
dealer activity as a trading center. Broker-dealer activity ``as a 
trading center'' refers in this context to trading activity in NMS 
stocks not effected on a national securities exchange or on an ATS, but 
by the broker-dealer, where the broker-dealer is the executing party, 
either as principal or as agent.\199\ A similar distinction is not made 
for exchange-listed options contracts because those transactions are 
executed on a national securities exchange.\200\
---------------------------------------------------------------------------

    \198\ Rule 600 of Regulation NMS defines the term trading center 
to mean: a national securities exchange or national securities 
association that operates an SRO trading facility, an alternative 
trading system, an exchange market maker, an OTC market maker, or 
any other broker or dealer that executes orders internally by 
trading as principal or crossing orders as agent. 17 CFR 
242.600(b)(95).
    \199\ See 17 CFR 242.600(a)(95), defining ``trading center'' to 
include, among other entities, ``an OTC market maker, or any other 
broker or dealer that executes orders internally by trading as 
principal or crossing orders as agent.''
    \200\ In some cases, matching of orders for exchange-listed 
options occurs on an ATS, with matches then routed to one or more 
national securities exchanges for execution.
---------------------------------------------------------------------------

    The ``trading center'' term in Regulation NMS applies only to NMS 
securities; however, there exist today electronic venues for fixed 
income securities that perform similar functions as trading centers and 
that are equally important to investors for executing trades in fixed 
income securities. Such electronic trading venues, particularly for 
U.S. Treasury Securities and Agency Securities (where electronic 
trading is prevalent \201\), have developed from a market structure in 
which electronic bilateral trading was and continues to be important. 
For this reason, the Commission is proposing to include under the SCI 
broker-dealer threshold all trades for U.S. Treasury Securities and 
Agency Securities in which a broker-dealer may participate.
---------------------------------------------------------------------------

    \201\ See Government Securities ATS Reproposal, supra note 84.
---------------------------------------------------------------------------

    As proposed, an ``SCI broker-dealer'' would include a broker-dealer 
that, during at least four of the preceding six calendar months: (i) 
with respect to transactions in NMS stocks, transacted average daily 
dollar volume in an amount that equals ten percent (10%) or more of the 
average daily dollar volume reported by or pursuant to applicable 
effective transaction reporting plans, provided, however, that for 
purposes of calculating its activity in transactions effected otherwise 
than on a national securities exchange or on an alternative trading 
system, the broker-dealer shall exclude transactions for which it was 
not the executing party; (ii) with respect to transactions in exchange-
listed options contracts, transacted average daily dollar volume in an 
amount that equals ten percent (10%) or more of the average daily 
dollar volume reported by an applicable effective national market 
system plan; (iii) with respect to transactions in U.S. Treasury 
Securities, transacted average daily dollar volume in an amount that 
equals ten percent (10%) or more of the total average daily dollar 
volume made available by the self-regulatory organizations to which 
such transactions are reported; or (iv) with respect to transactions in 
Agency securities, transacted average daily dollar volume in an amount 
that equals ten percent (10%) or more of the total average daily dollar 
volume made available by the self-regulatory organizations to which 
such transactions are reported.\202\
---------------------------------------------------------------------------

    \202\ The proposed definition of SCI broker-dealer does not 
include, as a category in the proposed transaction activity 
threshold, equity securities that are not NMS stocks and for which 
transactions are reported to an SRO. The 
size of this market, as currently measured, is substantially smaller 
than the other asset classes enumerated. Based on its analysis of 
data from the Consolidated Audit Trail, between Oct. 2021 and Sept. 
2022, for example, the average daily dollar volume for this market 
segment was approximately $2.6 billion. Nor do the proposed 
amendments to Regulation SCI include Fixed Income ATSs or broker-
dealers that exceed a transaction activity threshold in corporate 
debt or municipal securities. But see infra section III.A.3 
(requesting comment on the matter).
---------------------------------------------------------------------------

    The Commission proposes to add a definition of ``U.S. Treasury 
Security'' and ``Agency Security'' to clarify how the transaction 
activity threshold for these asset classes would operate.\203\ A ``U.S. 
Treasury Security'' would mean a security issued by the U.S. Department 
of the Treasury. ``Agency Security'' would mean a debt security issued 
or guaranteed by a U.S. executive agency, as defined in 5 U.S.C. 105, 
or government-sponsored enterprise, as defined in 2 U.S.C. 622(8). 
These definitions are designed to provide the scope of securities an 
SCI broker-dealer must include when assessing whether it has satisfied 
the proposed transaction activity threshold. The proposed definitions 
are similar to and consistent with those in FINRA's rules,\204\ to 
avoid confusion and facilitate the comparison between data used to 
create the numerator and denominator when assessing whether a broker-
dealer surpassed the U.S. Treasury Security or Agency Security 
transaction thresholds.
---------------------------------------------------------------------------

    \203\ The Commission believes that the terms NMS stock and 
exchange-listed options are currently well understood. See Rule 600 
of Regulation NMS (defining the terms NMS stock and NMS security and 
distinguishing NMS stocks from listed options on the basis of how 
transaction reports are made available).
    \204\ See FINRA Rules 6710(l) and 6710(p). FINRA Rule 6710 also 
establishes which securities are eligible for transaction reporting 
to the ``Trade Reporting and Compliance Engine'' (TRACE), which is 
the automated system developed by FINRA that, among other things, 
accommodates reporting and dissemination of transaction reports 
where applicable.
---------------------------------------------------------------------------

    As is the case currently for the thresholds applicable to SCI 
ATSs,\205\ the proposed thresholds for SCI broker-dealers would include 
a proposed time period measurement of ``at least four of the preceding 
six calendar months.'' Specifically, the proposed time measurement 
period is designed to capture broker-dealers that consistently meet the 
proposed thresholds and not capture broker-dealers with relatively low 
transaction activity that may have had an anomalous increase in trading 
on a given day or few days. In other words, a short-term spike in 
transaction activity uncharacteristic of a broker-dealer's overall 
activity should not cause it to become subject to Regulation SCI; using 
the proposed time period of at least four of the preceding six calendar 
months would help ensure this.
---------------------------------------------------------------------------

    \205\ See Rule 1000 (definition of ``SCI ATS'').
---------------------------------------------------------------------------

    The proposed thresholds would generally take into account all of a 
broker-dealer's transactions.\206\ The thresholds proposed are designed 
to identify firms whose transaction activity is of such a magnitude 
that a systems issue negatively impacting that activity could 
contribute to a disruption in fair and orderly markets, and for which 
the application of Regulation SCI is therefore appropriate.
---------------------------------------------------------------------------

    \206\ As described further above and below, the proposed 
threshold for NMS stocks would operate slightly differently.
---------------------------------------------------------------------------

    With respect to NMS stocks, only transactions which the broker-
dealer (i) trades on a national securities exchange or an ATS, or (ii) 
executes off of a national securities exchange or an ATS would be 
counted. When a broker-dealer is the non-executing counterparty to an 
off-exchange, non-ATS transaction, that transaction would not be 
counted for that broker-dealer.\207\ The purpose of this approach is to 
count towards the threshold for NMS stocks only the broker-dealer's 
activity on or as a trading center.
---------------------------------------------------------------------------

    \207\ The volume for that trade, as reported through an 
effective transaction reporting plan, would still be included in the 
overall calculation of market volume used as the denominator in 
threshold calculations.
---------------------------------------------------------------------------

    To assess whether it satisfies the proposed thresholds, a broker-
dealer would need to determine its average daily dollar volume in an 
enumerated asset class each calendar month, and

[[Page 23165]]

divide that figure by the total reported average daily dollar volume 
for that month. More specifically, its numerator would be the average 
daily dollar volume during the calendar month, taking into account all 
relevant purchase and sale transactions \208\ in which the broker-
dealer engaged during that calendar month, as determined by the broker-
dealer from information in its books and records, as required to be 
kept pursuant to Exchange Act Rule 17a-3.\209\ The denominator would be 
the total average daily dollar volume for each calendar month, as that 
total is determined from one or more sources that receive and make 
available transaction reports, or, as the case may be, aggregated price 
and volume statistics.
---------------------------------------------------------------------------

    \208\ For NMS stocks, this would exclude those purchases or 
sales off-exchange and not effected through an ATS, in which the 
broker-dealer was not the executing party. As specific examples, 
when broker-dealer A routes a customer order to broker-dealer B for 
routing and execution, and broker-dealer B executes the customer 
order as principal or crosses it against another order it is 
holding, the volume for that order would contribute towards the 
threshold for broker-dealer B but not for broker-dealer A. 
Similarly, if broker-dealer A sends an order to the single-dealer 
platform operated by broker-dealer B, and broker-dealer B executes a 
trade against that order, the volume would contribute towards the 
threshold for broker-dealer B but not for broker-dealer A. For any 
asset class, the proposed definition of SCI broker-dealer would not 
exclude from a broker-dealer operator's transaction tally 
transactions executed on its own ATS. For example, if the broker-
dealer operator trades as a participant on its ATS, or where a 
broker-dealer operator acts as a counterparty to every trade on its 
own ATS, its volume would be counted as trading activity of the 
broker-dealer.
    \209\ See 17 CFR 240.17a-3(a)(6) (requiring a broker-dealer to 
keep a memorandum of each brokerage order given or received for the 
purchase or sale of a security, to include the price at which the 
order executed); 17 CFR 240.17a-3(a)(7) (requiring a memorandum of 
purchases and sales of a security for its own account, to include 
the price).
---------------------------------------------------------------------------

    With respect to NMS stocks, information necessary to calculate the 
denominator currently is available from the plan processors (i.e., the 
SIPs) of the CTA/CQ Plans and Nasdaq UTP Plan. These Plans are 
effective transaction reporting plans, and effective national market 
systems plans.\210\ Following implementation of the Market Data 
Infrastructure rules, the information necessary to calculate the 
denominator would be available from a competing consolidator or may be 
self-determined by a self-aggregator that obtains the information 
pursuant to effective transaction reporting plans, as required by 17 
CFR 242.601 (``Rule 601'' of Regulation NMS) and 17 CFR 242.603(b) 
(``Rule 603(b)'' of Regulation NMS).\211\ For listed options, total 
average daily dollar volume may be determined from consolidated 
information made available by the plan processor of the OPRA Plan.\212\
---------------------------------------------------------------------------

    \210\ See supra note 20 and infra note 211. See also infra note 
262 (stating that an ATS that trades NMS stocks is subject to 
Regulation SCI if its trading volume reaches: (i) 5% or more in any 
single NMS stock and 0.25% or more in all NMS stocks of the average 
daily dollar volume reported by applicable transaction reporting 
plans; or (ii) 1% or more in all NMS stocks of the average daily 
dollar volume reported by applicable transaction reporting plans).
    \211\ With respect to NMS stocks, Rule 601 of Regulation NMS (17 
CFR 242.601) requires national securities exchanges and national 
securities associations to report transactions and last sale data 
pursuant to an effective transaction reporting plan filed with the 
Commission in accordance with 17 CFR 242.608 (``Rule 608'' of 
Regulation NMS). See 17 CFR 242.601. The national securities 
exchanges and FINRA comply with Rule 601 by satisfying the 
requirements of Rule 603(b) of Regulation NMS (which requires the 
national securities exchanges and FINRA to act jointly pursuant to 
one or more effective national market system plans, to disseminate 
consolidated information, including transactions, in NMS stocks). 
Currently, transaction information is consolidated by the 
(exclusive) plan processor of each effective national market system 
plan (i.e., the CTA/CQ Plan and Nasdaq UTP Plan for NMS stocks). See 
CTA Plan, available at https://www.ctaplan.com; Nasdaq UTP Plan, 
available at https://www.utpplan.com. After the implementation of 
the Market Data Infrastructure rules (see Market Data Infrastructure 
Adopting Release, supra note 24) national securities exchanges and 
FINRA will be required to provide transaction reports to competing 
consolidators and/or self-aggregators pursuant to new effective 
national market system plans that satisfy the requirements of Rule 
603(b). Pursuant to 17 CFR 242.600(a)(14) (Rule 600(a)(14) of 
Regulation NMS) the term ``competing consolidator'' means a 
securities information processor required to be registered pursuant 
to Rule 614 of Regulation NMS or a national securities exchange or 
national securities association that receives information with 
respect to quotations for and transactions in NMS stocks and 
generates a consolidated market data product for dissemination to 
any person. Pursuant to 17 CFR 242.600(a)(83) (Rule 600(a)(83) of 
Regulation NMS) the term ``self-aggregator'' means a broker, dealer, 
national securities exchange, national securities association, or 
investment adviser registered with the Commission that receives 
information with respect to quotations for and transactions in NMS 
stocks, including all data necessary to generate consolidated market 
data, and generates consolidated market data solely for internal use 
(with a proviso that a self-aggregator may make consolidated market 
data available to its affiliates that are registered with the 
Commission for their internal use). See Market Data Infrastructure 
Adopting Release, supra note 24 (providing a full discussion of 
these terms). Following implementation of the Market Data 
Infrastructure rules, a broker-dealer may obtain consolidated 
average daily dollar volume from its chosen competing consolidator, 
or independently calculate that figure itself, as a ``self-
aggregator.''
    \212\ See OPRA Plan, available at https://www.opraplan.com.
---------------------------------------------------------------------------

    With respect to U.S. Treasury Securities and Agency Securities, 
total average daily dollar volume may be determined from information 
made available by SROs to which transactions in U.S. Treasury 
Securities and Agency Securities are reported. Currently there is only 
one SRO to which this information is reported: FINRA.\213\ In 
connection with its TRACE system, FINRA is currently the most complete 
source of aggregate volume in U.S. Treasury Securities and Agency 
Securities.\214\ Specifically, FINRA Rule 6750(a) requires FINRA to 
disseminate information on Agency Securities, immediately upon receipt 
of the transaction report.\215\ With respect to U.S. Treasury 
Securities, information in TRACE regarding individual transactions is 
for regulatory purposes only and is not disseminated publicly. However, 
pursuant to FINRA Rule 6750, on March 10, 2020, FINRA began posting on 
its website weekly aggregate data on the trading volume of U.S. 
Treasury Securities reported to TRACE, and the Commission recently 
approved website posting of aggregate data more frequently (i.e., 
daily).\216\ Notwithstanding the transparency provided by FINRA/TRACE, 
aggregate trading volume in U.S. Treasury and Agency securities does 
not purport to reflect the whole of these markets, as aggregate volume 
statistics are limited to volume reported by TRACE reporters, including 
ATSs, registered broker-dealers that are members of FINRA, and

[[Page 23166]]

depository institutions meeting transaction volume thresholds in U.S. 
Treasury Securities, agency-issued debt and mortgage-backed 
securities.\217\
---------------------------------------------------------------------------

    \213\ However, should a national securities exchange (an SRO) 
trade U.S. Treasury or Agency Securities in the future, if 
transaction reports are made available by that SRO, they would be 
relevant to determining consolidated average daily dollar volume.
    \214\ See FINRA, Trade Reporting and Compliance Engine (TRACE), 
available at https://www.finra.org/filing-reporting/trace. FINRA 
Rule 6730(a)(1) requires FINRA members to report transactions in 
TRACE-Eligible Securities, which FINRA Rule 6710 defines to include 
U.S. Treasury Securities and Agency Securities. For each transaction 
in U.S. Treasury Securities and Agency Securities, a FINRA member 
would be required to report the CUSIP number or similar numeric 
identifier or FINRA symbol; size (volume) of the transaction; price 
of the transaction (or elements necessary to calculate price); 
symbol indicating whether transaction is a buy or sell; date of 
trade execution (``as/of'' trades only); contra-party's identifier; 
capacity (principal or agent); time of execution; reporting side 
executing broker as ``give-up'' (if any); contra side introducing 
broker (in case of ``give-up'' trade); the commission (total dollar 
amount), if applicable; date of settlement; if the member is 
reporting a transaction that occurred on an ATS pursuant to FINRA 
Rule 6732, the ATS's separate Market Participant Identifier 
(``MPID''); and trade modifiers as required. For when-issued 
transactions in U.S. Treasury Securities, a FINRA member would be 
required to report the yield in lieu of price. See FINRA Rule 
6730(c).
    \215\ See FINRA Rule 6750(a).
    \216\ See Securities Exchange Act Release No. 95438 (Aug. 5, 
2022), 87 FR 49626 (Aug. 11, 2022) (Order Approving a Proposed Rule 
Change to Amend FINRA Rule 6750 Regarding the Publication of 
Aggregated Transaction Information on U.S. Treasury Securities). The 
implementation date for these TRACE enhancements for U.S. Treasury 
Securities was Feb. 13, 2023, at which point the weekly data reports 
were replaced with daily and monthly reports. Using daily reports of 
U.S. Treasury Security data, broker-dealers should have the 
information necessary to complete the calculations needed to assess 
if they satisfy the proposed threshold.
    \217\ See Federal Reserve Board, Agency Information Collection 
Activities: Announcement of Board Approval Under Delegated Authority 
and Submission to OMB (Oct. 21, 2021) 86 FR 59716 (Oct. 28, 2021).
---------------------------------------------------------------------------

    Counting all relevant purchases and sales from all broker-dealers 
may result in counting a transaction more than once across the market, 
and would sum to total volume across broker-dealers that exceeds what 
is reported pursuant to the relevant plans or SRO. Similarly, summing 
the percentages that result from dividing the total activity of each 
broker-dealer by the total volume reported by the relevant plans or SRO 
would result in a value greater than 100 percent.\218\ Accordingly, the 
proposed ten percent (10%) transaction activity thresholds for 
measuring a broker-dealer's significance in the markets are not market 
share thresholds analogous to the current SCI ATS volume thresholds. 
However, because the types of transactions proposed to be counted are a 
measure of a broker-dealer's size and significance, it is particularly 
useful if that measure continues to reflect significant activity as the 
size of the overall market expands or contracts and remains stable 
relative to a recognizable measure so that it does not become outdated 
over time. Therefore, the Commission proposes as a denominator a 
measure that would scale each broker-dealer's average daily dollar 
transaction volume to consolidated average daily dollar transaction 
volume, the latter being determinable from information reported by, or 
made available by or pursuant to, applicable effective transaction 
reporting or national market system plans or self-regulatory 
organizations, as described above.
---------------------------------------------------------------------------

    \218\ Transaction reporting systems generally report volume for 
trades, rather than volume for purchase and sales separately. 
Consequently, adding up the total purchase and sale activity for all 
broker-dealers will not equal the total volume reported through 
these systems. For example, a trade for 100 shares of an NMS stock 
between two broker-dealers on a national securities exchange would 
be reported by the effective transaction reporting plan as 100 
shares, even though one broker-dealer bought 100 shares and another 
sold 100 shares. Similarly, because broker-dealers often trade with 
customers, doubling the transaction volume reported through these 
systems does not provide an accurate measure of total broker-dealer 
purchase and sale activity. After the implementation of the Market 
Data Infrastructure rules (see Market Data Infrastructure Adopting 
Release, supra note 24) national securities exchanges on which NMS 
stocks are traded and FINRA, each of which is required by Rule 601 
of Regulation NMS to file a transaction reporting plan in accordance 
with Rule 608 of Regulation NMS, will be further required, pursuant 
to Rule 603(b) of Regulation NMS, to make available to all competing 
consolidators and self-aggregators its information with respect to 
quotations for and transactions in NMS stocks, including all data 
necessary to generate consolidated market data. Following 
implementation of the Market Data Infrastructure rules, a broker-
dealer may determine average daily dollar volume from information 
provided by its chosen competing consolidator, or independently 
calculate that figure itself, as a ``self-aggregator.''
---------------------------------------------------------------------------

    Any broker-dealer that transacts, as proposed, ten percent (10%) or 
more of the average daily dollar volume in an enumerated asset class, 
during at least four of the preceding six calendar months would be an 
SCI broker-dealer. The proposed trading activity thresholds are 
designed to measure the size of a broker-dealer's footprint in the 
market in terms that provide a method for assessing the size of its 
footprint as the market grows (or shrinks). In this way, the proposed 
thresholds identify broker-dealers by their transaction activity as 
compared to a consistent measure of market volume, and give a sense of 
the size and significance of a broker-dealer's activity in the markets in 
a manner that should not become outdated over time.
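The threshold test described in the preceding paragraphs, modelled in code as an added example that is not part of the Commission's release. Firm names, dollar volumes, trading-day counts and consolidated volumes are constructed sample data, and the convention that average daily dollar volume equals monthly dollar volume divided by the month's trading days is an assumption.

```python
"""Added example (not from the SEC release): a model of the proposed SCI
broker-dealer transaction activity threshold described in the text.

Rules modelled:
  * per month, ratio = broker-dealer average daily dollar volume (ADDV) in one
    asset class / consolidated ADDV for that month (numerator from the firm's
    own books and records, denominator from plan/SRO data);
  * NMS-stock carve-out: an off-exchange, non-ATS trade in which the firm was
    the non-executing counterparty is not counted (footnote 208);
  * the firm is an SCI broker-dealer if the ratio is 10% or more in at least
    four of the preceding six calendar months.
Firm names, volumes, trading-day counts and consolidated volumes below are
constructed sample data; "ADDV = monthly volume / trading days" is assumed.
"""
from collections import defaultdict
from dataclasses import dataclass

THRESHOLD = 0.10          # ten percent
MONTHS_REQUIRED = 4       # "at least four ..."
LOOKBACK_MONTHS = 6       # "... of the preceding six calendar months"


@dataclass(frozen=True)
class Trade:
    month: str              # calendar month, "YYYY-MM"
    asset_class: str        # "NMS_STOCK", "LISTED_OPTION", "UST", "AGENCY"
    dollar_volume: float    # notional of this purchase or sale
    venue: str              # "EXCHANGE", "ATS" or "OTC" (off-exchange, non-ATS)
    executing_party: bool   # True if this broker-dealer executed the trade


def counts_toward_threshold(trade: Trade) -> bool:
    """NMS-stock carve-out: OTC trades count only when the firm executed them.
    Exchange/ATS trades, and trades in the other asset classes, always count."""
    if trade.asset_class == "NMS_STOCK" and trade.venue == "OTC":
        return trade.executing_party
    return True


def broker_dealer_addv(trades, asset_class, trading_days):
    """Firm ADDV per month for one asset class (numerator of the test)."""
    monthly_total = defaultdict(float)
    for t in trades:
        if t.asset_class == asset_class and counts_toward_threshold(t):
            monthly_total[t.month] += t.dollar_volume
    return {m: v / trading_days[m] for m, v in monthly_total.items()}


def monthly_ratios(firm_addv, consolidated_addv):
    """Firm ADDV / consolidated ADDV per month; months with no activity are 0."""
    return {m: firm_addv.get(m, 0.0) / consolidated_addv[m]
            for m in consolidated_addv}


def is_sci_broker_dealer(ratios, preceding_six):
    """True when the ratio reaches THRESHOLD in at least four of the six months."""
    if len(preceding_six) != LOOKBACK_MONTHS:
        raise ValueError("the test is defined over exactly six preceding months")
    hits = sum(1 for m in preceding_six if ratios.get(m, 0.0) >= THRESHOLD)
    return hits >= MONTHS_REQUIRED


def evaluate(trades, asset_class, trading_days, consolidated_addv, preceding_six):
    """Full test for one firm and one asset class: (per-month ratios, result)."""
    ratios = monthly_ratios(broker_dealer_addv(trades, asset_class, trading_days),
                            consolidated_addv)
    return ratios, is_sci_broker_dealer(ratios, preceding_six)


# ---- constructed sample data ------------------------------------------------
MONTHS = ["2023-01", "2023-02", "2023-03", "2023-04", "2023-05", "2023-06"]
TRADING_DAYS = {m: 20 for m in MONTHS}                       # assumed 20 days/month
CONSOLIDATED_ADDV = {m: 1_000_000_000.0 for m in MONTHS}     # $1bn/day market-wide


def sample_trades():
    """Two firms, mirroring footnote 208: BD-A routes orders to BD-B, which
    executes them off-exchange as principal, so that volume counts for BD-B
    but not for BD-A."""
    bd_a, bd_b = [], []
    for m in MONTHS:
        # BD-A: modest exchange activity plus large routed (non-executed) OTC flow
        bd_a.append(Trade(m, "NMS_STOCK", 500_000_000.0, "EXCHANGE", True))
        bd_a.append(Trade(m, "NMS_STOCK", 1_500_000_000.0, "OTC", False))
        # BD-B: the same routed flow, executed by BD-B, plus its own exchange
        # activity, which is heavy in four months and light in two
        bd_b.append(Trade(m, "NMS_STOCK", 1_500_000_000.0, "OTC", True))
        heavy = m in ("2023-01", "2023-02", "2023-03", "2023-05")
        bd_b.append(Trade(m, "NMS_STOCK",
                          1_000_000_000.0 if heavy else 200_000_000.0,
                          "EXCHANGE", True))
    return {"BD-A": bd_a, "BD-B": bd_b}


if __name__ == "__main__":
    for firm, trades in sample_trades().items():
        ratios, flagged = evaluate(trades, "NMS_STOCK", TRADING_DAYS,
                                   CONSOLIDATED_ADDV, MONTHS)
        over = [m for m in MONTHS if ratios[m] >= THRESHOLD]
        print(f"{firm}: months at/above 10% = {over} -> SCI broker-dealer: {flagged}")
```

Without the NMS-stock carve-out, BD-A's routed flow would lift it to exactly 10% in every sample month, which is why the executing-party test is decisive here.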
    The Commission also believes that a threshold of ten percent (10%) 
or more in the identified asset classes is appropriately high enough to 
apply Regulation SCI only to the large broker-dealers on which the 
maintenance of fair and orderly markets depends. The Commission 
estimates that 17 entities would satisfy one or more of the proposed 
transaction activity thresholds (the same five entities identified by 
the total assets threshold plus 12 additional entities).\219\ In sum, 
the Commission believes that the proposed total assets threshold and 
transaction activity thresholds are appropriate measures for 
identifying broker-dealers that would pose a substantial risk to the 
maintenance of fair and orderly markets in the event of a systems 
issue.
---------------------------------------------------------------------------

    \219\ See supra text accompanying notes 189-190.
---------------------------------------------------------------------------

    SCI broker-dealers would not have to comply with the requirements 
of Regulation SCI until six months after the end of the quarter in 
which the SCI broker-dealer satisfied the proposed asset threshold for 
the first time, or six months after the end of the month in which the 
SCI broker-dealer satisfied one of the proposed activity thresholds for 
the first time. The Commission believes this is an appropriate amount 
of time for firms to come into compliance with Regulation SCI.
iv. Proposed Revision to Definition of ``SCI Systems'' for Certain SCI 
Broker-Dealers; SCI Entities Trading Multiple Asset Classes, Which May 
Include Crypto Asset Securities
    In conjunction with the proposed inclusion of SCI broker-dealers as 
SCI entities, the Commission proposes to limit the definition of ``SCI 
systems'' for an SCI broker-dealer that qualifies as an SCI entity only 
because it satisfies a transaction activity threshold. Specifically, 
the Commission is proposing to revise the definition of ``SCI systems'' 
to add a limitation that states, ``provided, however, that with respect 
to an SCI broker-dealer that satisfies only the requirements of 
paragraph (2) of the definition of `SCI broker-dealer,' such systems 
shall include only those systems with respect to the type of securities 
for which an SCI broker-dealer satisfies the requirements of paragraph 
(2) of the definition.''
    The current definition of ``SCI systems'' does not contain the 
limitation that is proposed for SCI broker-dealers. For example, an SCI 
ATS that exceeds the average daily dollar volume threshold for NMS 
stocks is subject to Regulation SCI requirements for all of its SCI 
systems (i.e., that meet the definition of SCI systems discussed in 
section II.B.1 above) and indirect SCI systems. Thus, to the extent 
that the SCI systems and indirect SCI systems of an SCI ATS (or any 
other SCI entity) relate to equity securities that are non-NMS stocks, 
exchange-listed options, debt securities, security-based swaps, or any 
other securities, including crypto asset securities, such systems are 
subject to the Regulation SCI requirements.\220\
---------------------------------------------------------------------------

    \220\ See supra notes 37-38 and 36 and accompanying text 
(discussing the scope of the current definition of ``SCI systems'').
---------------------------------------------------------------------------

    As it considers the expansion of Regulation SCI to broker-dealers, 
many of which operate multiple business lines and transact in different 
types of securities, the Commission preliminarily believes that an SCI 
broker-dealer that qualifies as an SCI entity based only on a 
transaction activity threshold for a particular type of security should 
have its obligations limited to systems with respect to that type of 
security. If a broker-dealer meets only the transaction activity 
threshold for NMS stocks, for example, its systems that directly 
support trading, clearance and settlement, order routing, market data, 
market regulation, or market surveillance for NMS stocks are those that 
raise the concerns Regulation SCI is meant to address. If the broker-
dealer's activity with respect to other classes of securities is 
nominal, it is unlikely to pose risk to the maintenance of fair and 
orderly markets if the systems with respect to those types of 
securities were unavailable (assuming the systems for the distinct 
asset class are separate). If a system of the broker-dealer is used for

[[Page 23167]]

more than one type of security (i.e., an asset class that triggered 
the threshold and an asset class that did not trigger it or is not 
subject to SCI thresholds), such system would still meet the definition 
of ``SCI system.'' \221\ Current SCI entities are and will continue to be, and 
proposed SCI entities other than SCI broker-dealers that satisfy a 
transaction activity threshold would be, required to assess whether the 
technology systems of, or operated by or on their behalf, with respect 
to any type of security (including crypto asset securities, discussed 
further below) are SCI systems covered by Regulation SCI because they 
directly support: (i) trading; (ii) clearance and settlement; (iii) 
order routing; (iv) market data; (v) market regulation; or (vi) market 
surveillance.
---------------------------------------------------------------------------

    \221\ For example, if a broker-dealer operator of an SCI ATS 
uses an SCI system to trade both a type of security that triggered 
the SCI threshold and a type of security that did not trigger the 
threshold, that system will be an SCI system for both types of 
securities. A broker-dealer operator of such SCI ATS could wish to 
use the SCI system only for trading the type of security that 
triggered the SCI threshold and create a separate system only to 
trade the type of security that did not trigger the SCI threshold.
---------------------------------------------------------------------------

v. Crypto Asset Securities
    Public information about the size and characteristics of the crypto 
asset securities market is limited.\222\ However, the Commission 
currently understands that only a small portion of crypto asset 
security trading activity is occurring within Commission registered 
entities, and particularly, registered broker-dealers. This may be due 
in part to the fact that there are currently no special purpose broker-
dealers authorized to maintain custody of crypto asset securities.\223\ 
Without the ability to custody a customer's crypto-asset securities, a 
broker-dealer is limited in the amount of agency business in crypto-
asset securities that it could do. Similarly, today, only a limited 
amount of crypto asset security volume occurs on ATSs operating 
pursuant to the Regulation ATS exemption.\224\ This may be due in part 
to the significant trading activity in crypto asset securities that may 
be in non-compliance with the federal securities laws.\225\ 
Nonetheless, if an SCI entity (current or proposed) trades crypto asset 
securities, the systems used for trading crypto asset securities may 
currently and in the future be subject to the requirements of 
Regulation SCI.\226\
---------------------------------------------------------------------------

    \222\ See, e.g., Fin. Stability Oversight Council, Report on 
Digital Asset Financial Stability Risks and Regulation 119 (2022) 
(``FSOC Report''), available at https://home.treasury.gov/system/files/261/FSOC-Digital-Assets-Report-2022.pdf (``The crypto-asset 
ecosystem is characterized by opacity that creates challenges for 
the assessment of financial stability risks.''); U.S. Dep't of the 
Treasury, Crypto-Assets: Implications for Consumers, Investors, and 
Businesses 12 (Sept. 2022) (``Crypto-Assets Treasury Report''), 
available at https://home.treasury.gov/system/files/136/CryptoAsset_EO5.pdf (finding that data pertaining to ``off-chain 
activity'' is limited and subject to voluntary disclosure by trading 
platforms and protocols, with protocols either not complying with or 
not subject to obligations ``to report accurate trade information 
periodically to regulators or to ensure the quality, consistency, 
and reliability of their public trade data''); Fin. Stability Bd., 
Assessment of Risks to Financial Stability from Crypto-assets 18-19 
(Feb. 16, 2022) (``FSB Report''), available at https://www.fsb.org/wp-content/uploads/P160222.pdf (finding that the difficulty in 
aggregating and analyzing available data in the crypto asset space 
``limits the amount of insight that can be gained with regard to the 
[crypto asset] market structure and functioning,'' including who the 
market participants are and where the market's holdings are 
concentrated, which, among other things, limits regulators' ability 
to inform policy and supervision); Raphael Auer et al., Banking in 
the Shadow of Bitcoin? The Institutional Adoption of 
Cryptocurrencies 4, 9 (Bank for Int'l Settlements, Working Paper No. 
1013, May 2022), available at https://www.bis.org/publ/work1013.pdf 
(stating that data gaps, which can be caused by limited disclosure 
requirements, risk undermining the ability for holistic oversight 
and regulation of cryptocurrencies); Int'l Monetary Fund, The Crypto 
Ecosystem and Financial Stability Challenges, in Global Financial 
Stability Report 41, 47 (Oct. 2021), available at https://www.imf.org/-/media/Files/Publications/GFSR/2021/October/English/ch2.ashx (finding that crypto asset service providers provide 
limited, fragmented, and, in some cases, unreliable data, as the 
information is provided voluntarily without standardization and, in 
some cases, with an incentive to manipulate the data provided).
    \223\ For background on Rule 15c3-3 as it relates to digital 
asset securities, see Commission, Joint Staff Statement on Broker-
Dealer Custody of Digital Asset Securities (July 8, 2019), available 
at https://www.sec.gov/news/public-statement/joint-staff-statement-broker-dealer-custody-digital-asset-securities; FINRA, SEC Staff No-
Action Letter, ATS Role in the Settlement of Digital Asset Security 
Trades (Sept. 25, 2020), available at https://www.sec.gov/divisions/marketreg/mr-noaction/2020/finra-ats-role-in-settlement-of-digital-asset-security-trades-09252020.pdf. To date, five offerings of 
crypto asset securities have been registered or qualified under the 
Securities Act of 1933, and five classes of crypto asset securities 
have been registered under the Exchange Act. The Commission issued a 
statement describing its position that, for a period of five years, 
special purpose broker-dealers operating under the circumstances set 
forth in the statement will not be subject to a Commission 
enforcement action on the basis that the broker-dealer deems itself 
to have obtained and maintained physical possession or control of 
customer fully paid and excess margin digital asset securities for 
purposes of 17 CFR 240.15c3-3(b)(1) (``Rule 15c3-3(b)(1)'' under the 
Exchange Act). See Crypto Asset Securities Custody Release, supra 
note 37. To date, no such special purpose broker-dealer registration 
applications have been granted by FINRA.
    \224\ ATSs that do not trade NMS stocks file with the Commission 
a Form ATS notice, which the Commission does not approve. Form ATS 
requires, among other things, that ATSs provide information about: 
classes of subscribers and differences in access to the services 
offered by the ATS to different groups or classes of subscribers; 
securities the ATS expects to trade; any entity other than the ATS 
involved in its operations; the manner in which the system operates; 
how subscribers access the trading system; procedures governing 
entry of trading interest and execution; and trade reporting, 
clearance, and settlement of trades on the ATS. In addition, all 
ATSs must file quarterly reports on Form ATS-R with the Commission. 
Form ATS-R requires, among other things, volume information for 
specified categories of securities, a list of all securities traded 
in the ATS during the quarter, and a list of all subscribers that 
were participants. To the extent that an ATS trades crypto asset 
securities, the ATS must disclose information regarding its crypto 
asset securities activities as required by Form ATS and Form ATS-R. 
Form ATS and Form ATS-R are deemed confidential when filed with the 
Commission. Based on information provided on these forms, a limited 
number of ATSs have noticed on Form ATS their intention to trade 
certain crypto asset securities and a subset of those ATSs have 
reported transactions in crypto asset securities on their Form ATS-
R. See also supra note 223, referencing Commission, Joint Staff 
Statement on Broker-Dealer Custody of Digital Asset Securities (July 
8, 2019), available at https://www.sec.gov/news/public-statement/joint-staff-statement-broker-dealer-custody-digital-asset-securities; FINRA, SEC Staff No-Action Letter, ATS Role in the 
Settlement of Digital Asset Security Trades (Sept. 25, 2020), 
available at https://www.sec.gov/divisions/marketreg/mr-noaction/2020/finra-ats-role-in-settlement-of-digital-asset-security-trades-09252020.pdf.
    \225\ See also FSOC Report, supra note 222, at 5, 87, 94, 97 
(emphasizing the importance of the existing financial regulatory 
structure while stating that certain digital asset platforms may be 
listing securities while not in compliance with exchange, broker-
dealer, or other registration requirements, which may impose 
additional risk on banks and investors and result in ``serious 
consumer and investor protection issues''); Crypto-Assets Treasury 
Report, supra note 222, at 26, 29, 39, 40 (stating that issuers and 
platforms in the digital asset ecosystem may be acting in non-
compliance with statutes and regulations governing traditional 
capital markets, with market participants that actively dispute the 
application of existing laws and regulations, creating risks to 
investors from non-compliance with, in particular, extensive 
disclosure requirements and market conduct standards); FSB Report, 
supra note 222, at 4, 8, 18 (stating that some trading activity in 
crypto assets may be failing to comply with applicable laws and 
regulations, while failing to provide basic investor protections due 
to their operation outside of or in non-compliance with regulatory 
frameworks, thereby failing to provide the ``market integrity, 
investor protection or transparency seen in appropriately regulated 
and supervised financial markets'').
    \226\ But see supra section II.B.1 (discussing how current SCI 
entities that trade crypto asset securities must assess whether 
their systems for trading crypto asset securities are SCI systems). 
As a specific example, if an SCI SRO were to obtain Commission 
approval to add a crypto asset security trading facility, that 
facility would be part of an SCI SRO that is subject to Regulation 
SCI.
---------------------------------------------------------------------------

SCI Broker-Dealer Activity in Crypto Asset Securities
    As discussed above, the Commission is proposing to include as SCI 
entities large broker-dealers: those that satisfy a total assets 
threshold or a transaction activity threshold. The total assets 
threshold applies to broker-dealers irrespective of asset classes in 
which they conduct significant transaction activity. In contrast, the 
proposed transaction activity threshold specifies four enumerated asset 
classes: NMS stocks, exchange-listed options, U.S.

[[Page 23168]]

Treasury Securities, and Agency Securities.
    The proposal would affect an SCI broker-dealer that engages in 
crypto asset security activity as follows: for purposes of assessing 
whether it meets a transaction activity threshold, a broker-dealer 
would need to consider if it trades crypto asset securities that are 
NMS stocks, exchange-listed options, U.S. Treasury Securities, or 
Agency securities, and if so, include those transactions in its 
transaction tally of NMS stocks, exchange-listed options, U.S. Treasury 
Securities, or Agency securities, to assess if it satisfies one or more 
of the proposed thresholds. In addition, as proposed, the SCI systems 
and indirect SCI systems pertaining to crypto asset securities that are 
NMS stocks, exchange-listed options, U.S. Treasury Securities, or 
Agency securities would be subject to Regulation SCI, including as it 
is proposed to be amended, as discussed in section III.C, with respect 
to the asset class for which the SCI broker-dealer satisfies the 
transaction activity threshold.
    Furthermore, as proposed, an SCI broker-dealer that meets the 
proposed total assets threshold would need to consider its crypto asset 
security activities and assess whether any systems pertaining to crypto 
asset securities meet the current definition of SCI systems or indirect 
SCI systems. Any such systems would be subject to Regulation SCI, 
including as it is proposed to be amended, as discussed in section 
III.C.\227\
---------------------------------------------------------------------------

    \227\ Likewise, an ATS currently is an SCI ATS if it satisfies a 
trading volume threshold for NMS stocks or equity securities that 
are not NMS stocks. For purposes of assessing whether it meets an 
SCI ATS trading volume threshold, an ATS needs to consider if it 
trades crypto asset securities that are equity securities; and if it 
does trade such securities, those transactions need to be included 
in its transaction tally as (i) NMS stocks or (ii) equity securities 
that are not NMS stocks, as the case may be, in order to calculate 
the volume threshold. Additionally, the definitions of SCI systems 
and indirect SCI systems do not contain an asset class limitation 
with respect to SCI SROs (or any other current SCI entity). See 
supra note 36 and accompanying text.
---------------------------------------------------------------------------

vi. Request for Comment
    9. Should Regulation SCI apply to broker-dealers? If not, why not? 
If so, should Regulation SCI apply to all broker-dealers, or just a 
subset? Please explain. At what size or level of a broker-dealer's 
activity would market integrity or the protection of investors be 
affected if the broker-dealer were no longer able to operate due to a 
systems disruption, systems compliance issue, or a systems intrusion? 
Are broker-dealers subject to more market discipline than current SCI 
entities? Please explain. Conversely, does a lack of transparency 
regarding events like SCI events limit this market discipline? Why or 
why not?
    10. Would it be more appropriate to define an SCI broker-dealer 
using an approach that identifies a broker-dealer by category, rather 
than by size? For example, what are commenters' views on the impact to 
overall market integrity or the protection of investors if an OTC 
market maker was no longer able to operate due to a systems disruption, 
systems compliance issue, or a systems intrusion? Or an exchange market 
maker? Or a clearing broker-dealer? What are commenters' views on the 
importance of different categories of broker-dealers to the stability 
of the overall U.S. securities market infrastructure, in the context of 
requiring them to comply with Regulation SCI? What risks do the systems 
of broker-dealers pose to the U.S. securities markets?
    11. If the Commission were to identify an SCI broker-dealer by 
category, rather than by size, which categories should be covered and 
how should they be defined? For example, if commenters believe that 
Regulation SCI should apply to significant ``OTC market makers,'' how 
should they be defined? Is it sufficiently clear which entities are 
``OTC market makers,'' as that term is defined under the Exchange Act? 
If not, why not? If so, should a threshold be used to identify those 
that are the most significant? What should that threshold be and how 
should it be calculated?
    12. Is the current broker-dealer regulatory regime, including the 
Market Access Rule and other Commission and FINRA rules, sufficient to 
reasonably ensure the operational capability of the technological 
systems of the proposed SCI broker-dealers?
    13. As discussed above, an SCI broker-dealer would be a broker-
dealer registered with the Commission pursuant to section 15(b) of the 
Exchange Act, which: (1) in at least two of the four preceding calendar 
quarters, ending March 31, June 30, September 30, and December 31, 
reported to the Commission on Form X-17A-5 total assets in an amount 
that equals five percent (5%) or more of the quarterly total assets 
level of all security brokers and dealers; or (2) during at least four 
of the preceding six calendar months: (i) with respect to transactions 
in NMS stocks, transacted average daily dollar volume in an amount that 
equals ten percent (10%) or more of the average daily dollar volume 
reported by or pursuant to applicable effective transaction reporting 
plans, provided, however, that for purposes of calculating its activity 
in transactions effected otherwise than on a national securities 
exchange or on an ATS, the broker-dealer shall exclude transactions for 
which it was not the executing party; (ii) with respect to transactions 
in exchange-listed options contracts, transacted average daily dollar 
volume in an amount that equals ten percent (10%) or more of the 
average daily dollar volume reported by an applicable effective 
national market system plan; 
(iii) with respect to transactions in U.S. Treasury Securities, 
transacted average daily dollar volume in an amount that equals ten 
percent (10%) or more of the total average daily dollar volume made 
available by the self-regulatory organization to which such 
transactions are reported; or (iv) with respect to transactions in 
Agency Securities, transacted average daily dollar volume in an amount 
that equals ten percent (10%) or more of the total average daily dollar 
volume made available by the self-regulatory organization to which such 
transactions are reported. The Commission solicits comment with respect 
to all aspects of the proposed definition, including those aspects 
identified in the succeeding questions.
    14. Is the proposed total assets threshold an appropriate way to 
identify broker-dealers that would pose a substantial risk to the 
maintenance of fair and orderly markets in the event of a systems 
issue?
    15. Should the proposed total assets threshold be scaled using the 
proposed sources as the denominator? Why or why not? Is use of data 
made available by the Federal Reserve Board appropriate as the 
denominator for the measure of all security broker-dealer total assets? 
If not, what metric, if any, would be appropriate for the Commission to 
use as the denominator? Should the denominator be different in the 
event that such data is no longer made available by the Federal Reserve 
Board? Recognizing that the proposed numeric thresholds ultimately 
represent a matter of judgment by the Commission as it proposes to 
apply Regulation SCI to the largest broker-dealers, the Commission 
solicits comment on the proposed thresholds levels. Is the proposed 
five percent numeric threshold appropriate? Why or why not? Is the 
proposed two-of-the-preceding-four-quarters methodology, with the 
lookback to the previous quarter for the denominator, appropriate? Why or why 
not?
    16. Are the proposed transaction activity thresholds an appropriate 
way to identify broker-dealers that would pose a substantial risk to 
the maintenance of fair and orderly markets in the event of a systems 
issue?

[[Page 23169]]

    17. With respect to the proposed transaction activity thresholds, 
are the asset classes identified appropriate? Are there asset classes 
that are included that should be excluded, or asset classes that are 
excluded that should be included? Which ones and why? For example, 
should U.S. Treasury Securities and Agency Securities be included? Why 
or why not? Should OTC equity securities be included? Or security-based 
swaps? Is the size of the market in each asset class relevant? Why or 
why not?
    18. With respect to the proposed transaction activity thresholds, 
recognizing that the proposed numeric thresholds ultimately represent a 
matter of judgment by the Commission as it proposes to apply Regulation 
SCI to the largest broker-dealers, the Commission solicits comment on 
the proposed threshold levels. Are the 10 percent transaction activity 
threshold levels proposed appropriate? Would higher or lower thresholds 
be appropriate? Should thresholds vary based on asset class? Is there a 
different approach that would be more appropriate?
    19. For purposes of the numerator in each transaction activity 
threshold, is use of average daily dollar volume of all purchase and 
sale transactions, as proposed, appropriate? If not, why not? Is there 
an alternative measure of market activity that could be consistently 
determined by broker-dealers, as well as the Commission, and that would 
identify large broker-dealer activity that, if disrupted, could disrupt 
market functioning more broadly? Would share volume be more appropriate 
for any of the proposed asset classes?
    20. Is it clear what average daily dollar volume, as made available 
by or pursuant to applicable effective transaction reporting plans, 
would be following implementation of the Market Data Infrastructure 
rules? Why or why not?
    21. Should the transaction activity thresholds denominator have a 
minimum, so that if the market for a particular product shrinks 
significantly, entities that have a significant portion of that small 
market would not be scoped into the test? For example, should an 
options trading activity threshold specify that the threshold is 
exceeded if average daily dollar volume equals the greater of ten 
percent (10%) or more of the average daily dollar volume reported by or 
pursuant to an applicable effective transaction reporting plan, 
applicable national market system plan, applicable SRO, or $x billion? 
Why or why not? What would be an appropriate minimum dollar threshold 
and why? Please be specific.
    22. Is the four out of the preceding six-month measurement period 
an appropriate timeframe for the transaction activity thresholds? Why 
or why not? Is there a different timeframe or approach that would be 
more appropriate? Please explain.
    23. Do commenters believe that six months after the end of the 
quarter in which the broker-dealer satisfies the total assets threshold 
and six months after the end of the month in which the broker-dealer 
satisfies the transaction activity threshold constitute an appropriate 
amount of time to allow them to come into compliance with the 
requirements of Regulation SCI? Why or why not? Is there a different 
time period that would be more appropriate? Please explain.
    24. What are the differences between the current practices of 
broker-dealers and the practices that would be necessary if the 
proposed changes to Regulation SCI are adopted? Please describe and be 
specific.
    25. Should all of the current or newly proposed requirements set 
forth in Regulation SCI apply to SCI broker-dealers? If only a portion, 
please specify which portion(s) and explain why. If all, explain why.
    26. Is it appropriate, as the Commission is proposing, to limit the 
application of the definition of ``SCI systems'' for broker-dealers 
that meet the definition of an SCI broker-dealer solely because of a 
transaction activity threshold to those systems related to the types 
of securities for which the entity has triggered the threshold? Why 
or why not?
    27. Should the definition of SCI systems as it applies to SCI 
broker-dealers be modified further than as proposed? Is the proposed 
limitation of the definition of SCI systems for SCI broker-dealers that 
satisfy a transaction activity threshold (a limitation that would not 
apply to broker-dealers that satisfy the total assets threshold) 
appropriate? Should the Commission instead provide a 
unique definition of SCI systems and indirect SCI systems for broker-
dealers? If so, what should it be and why? For example, in the context 
of broker-dealers, would systems that ``directly support trading'' be a 
category of systems that is overbroad, or too narrow? Why or why not? 
Please explain. Are there any types of systems of broker-dealers to 
which Regulation SCI would apply that should not be covered? Which ones 
and why? Are there any types of systems of broker-dealers that would 
not be covered by the definitions of SCI systems and indirect SCI 
systems as proposed that should be covered? Which types and why? Please 
be specific.
    28. Is it clear how Regulation SCI would apply to proposed new SCI 
entities that trade crypto asset securities? Why or why not? Please be 
specific.
    29. Are any of the proposed amendments to Regulation SCI (as 
discussed in section III.C below) inappropriate for broker-dealers? If 
so, which ones? As discussed in section III.C.6 below, the Commission 
proposes to add language to Rule 1002(c) of Regulation SCI regarding 
dissemination of information about SCI events by an SCI broker-dealer 
to its ``customers,'' as a broker-dealer does not have ``members and 
participants.'' Should the Commission require an SCI broker-dealer to 
notify its customers of an SCI event in the same manner as other SCI 
entities? Why or why not? Should the term ``customers'' be defined? If 
so, how? Should Rule 1002(c) be specifically tailored to SCI broker-
dealers in a way that differs from the current rule? If so, how? Please 
be specific. Is the proposed requirement that, pursuant to Rule 
1002(b)(4)(ii)(B), notices to the Commission include a copy of the 
information disseminated to customers appropriate? Why or why not?
    30. Do commenters believe that different or unique requirements 
should apply to an SCI broker-dealer or systems of broker-dealers? What 
should they be, and why?
    31. What effect, if any, would there be of having the largest 
broker-dealers subject to Regulation SCI, while others are not? Should 
the Commission include additional broker-dealers as SCI entities, based 
on size or function? Why or why not? For example, should the largest 
carrying broker-dealers, based on a size threshold, be subject to 
Regulation SCI? If so, should the size threshold be based on total 
assets or number of customer accounts, or some other metric? If 
application of all of Regulation SCI is not appropriate for these 
entities, should they be required to adopt and implement reasonably 
designed policies and procedures to address their ability to continue 
to process customer and account transactions in a timely manner during 
reasonably anticipated surges in demand?
    32. Should the proposed thresholds take into account whether a 
broker-dealer is affiliated with another broker-dealer? For 
example, should the Commission aggregate the transaction activity of 
affiliated broker-dealers for purposes of determining whether the 
transaction activity threshold test has been satisfied and, if it has, 
apply Regulation SCI to each broker-dealer?

[[Page 23170]]

Why or why not? Should it aggregate total assets of affiliated broker-
dealers? Why or why not?
    33. Is the proposed six-month period during which a broker-dealer 
that meets the threshold to become an SCI broker-dealer does not have 
to comply with Regulation SCI appropriate? Should the Commission adopt 
a different time period? If so, how long should the period be and why?
    34. Are there characteristics specific to SCI broker-dealers that 
would make applying Regulation SCI, either broadly or by specific 
existing/proposed provision(s), unduly burdensome or inappropriate for 
SCI broker-dealers? How much time would an SCI broker-dealer reasonably 
need to come into compliance with Regulation SCI as proposed?
c. Exempt Clearing Agencies (Deletion of ``Subject to ARP'')
    The Commission proposes to include all ``exempt clearing agencies'' 
as SCI entities. This proposed approach would expand the scope of 
exempt clearing agencies covered by Regulation SCI, which currently 
covers certain exempt clearing agencies--those that are ``subject to 
ARP.'' \228\ The technology systems that underpin operations of both 
registered clearing agencies and exempt clearing agencies are critical 
systems that drive the global financial markets. Further, the 
activities of exempt clearing agencies subject to ARP and those not 
subject to ARP are similar. For example, for covered clearing agencies 
in particular,\229\ such systems include those that set and calculate 
margin obligations and other charges, perform netting and calculate 
payment obligations, facilitate the movement of funds and securities, 
or effectuate end-of-day settlement. Increasingly, the technology 
behind these systems is subject to both rapid innovation and 
interconnectedness.\230\ The exempt clearing agencies not subject to 
ARP also provide CSD functions for transactions in U.S. securities 
between U.S. and non-U.S. persons, using similar 
technologies.\231\ More generally, all exempt clearing agencies offer 
services that centralize a variety of technology functions, increasing 
access to services that help improve the efficiency of the clearance 
and settlement process by, for example, standardizing and automating 
functions necessary to complete clearance and settlement.\232\ Over 
time, the increasing availability of, and access to, such technologies 
has also increased the dependence that market participants have on such 
services, raising the potential that such services could become single 
points of failure for U.S. market participants.\233\ Further, as the 
services that exempt clearing agencies provide have evolved over time, 
they have become increasingly reliant on the provision of new 
technologies to market participants, and so the Commission has 
increasingly focused its oversight of exempt clearing agencies on the 
ways that such services might introduce operational risk to U.S. market 
participants.\234\ Therefore, the Commission proposes to expand the 
scope of SCI entities to cover all exempt clearing agencies. As a 
result, there would no longer be a difference in how exempt clearing 
agencies are addressed by Regulation SCI.
---------------------------------------------------------------------------

    \228\ See Rule 1000; SCI Adopting Release, supra note 1, at 
72271 (an ``exempt clearing agency subject to ARP'' is an entity 
that has received from the Commission an exemption from registration 
as a clearing agency under section 17A of the Exchange Act, and 
whose exemption contains conditions that relate to the Commission's 
Automation Review Policies, or any Commission regulation that 
supersedes or replaces such policies (such as Regulation SCI)).
    \229\ 17 CFR 240.17Ad-22 (``Rule 17Ad-22'' under the Exchange 
Act) provides for two categories of registered clearing agencies and 
contains a set of rules that apply to each category. The first 
category is covered clearing agencies, which are subject to 17 CFR 
240.17Ad-22(e) (Rule 17Ad-22(e)), which includes requirements 
intended to address the activity and risks that their size, 
operation, and importance pose to the U.S. securities markets, the 
risks inherent in the products they clear, and the goals of both the 
Exchange Act and the Dodd-Frank Act. See Securities Exchange Act 
Release No. 78961 (Sept. 28, 2016), 81 FR 70786, 70793 (Oct. 13, 
2016) (``CCA Standards Adopting Release''). Covered clearing 
agencies are registered clearing agencies that provide central 
counterparty (``CCP'') or central securities depository (``CSD'') 
services. See 17 CFR 240.17Ad-22(a)(5). A CCP is a type of 
registered clearing agency that acts as the buyer to every seller 
and the seller to every buyer, providing a trade guaranty with 
respect to transactions submitted for clearing by the CCP's 
participants. See 17 CFR 240.17Ad-22(a)(2); Securities Exchange Act 
Release No. 88616 (Apr. 9, 2020), 85 FR 28853, 28855 (May 14, 2020) 
(``CCA Definition Adopting Release''). A CCP may perform a variety 
of risk management functions to manage the market, credit, and 
liquidity risks associated with transactions submitted for clearing. 
If a CCP is unable to perform its risk management functions 
effectively, however, it can transmit risk throughout the financial 
system. A CSD is a type of registered clearing agency that acts as a 
depository for handling securities, whereby all securities of a 
particular class or series of any issuer deposited within the system 
are treated as fungible. Through use of a CSD, securities may be 
transferred, loaned, or pledged by bookkeeping entry without the 
physical delivery of certificates. A CSD also may permit or 
facilitate the settlement of securities transactions more generally. 
See 15 U.S.C. 78c(a)(23)(A); 17 CFR 240.17Ad-22(a)(3); CCA 
Definition Adopting Release, at 28856. If a CSD is unable to perform 
these functions, market participants may be unable to settle their 
transactions, transmitting risk through the financial system. 
Currently, all clearing agencies registered with the Commission that 
are actively providing clearance and settlement services are covered 
clearing agencies. They are The Depository Trust Company (``DTC''), 
FICC, NSCC, ICE Clear Credit (``ICC''), ICE Clear Europe 
(``ICEEU''), The Options Clearing Corporation (``OCC''), and LCH SA.
    \230\ The second category includes registered clearing agencies 
other than covered clearing agencies; such clearing agencies must 
comply with 17 CFR 240.17Ad-22(d) (``Rule 17Ad-22(d)''). See 17 CFR 
240.17Ad-22(d). Rule 17Ad-22(d) establishes a regulatory regime to 
govern registered clearing agencies that do not provide CCP or CSD 
services. See CCA Standards Adopting Release, at 70793. Although 
subject to Rule 17Ad-22(d), the Boston Stock Exchange Clearing 
Corporation (``BSECC'') and Stock Clearing Corporation of 
Philadelphia (``SCCP'') are currently registered with the Commission 
as clearing agencies but conduct no clearance or settlement 
operations. See Securities Exchange Act Release No. 63629 (Jan. 3, 
2011), 76 FR 1473, 1474 (Jan. 10, 2011) (``BSECC Notice''); 
Securities Exchange Act Release No. 63268 (Nov. 8, 2010), 75 FR 
69730, 69731 (Nov. 15, 2010) (``SCCP Notice'').
    \231\ See, e.g., Release No. 79577 (Dec. 16, 2016), 81 FR 93994 
(Dec. 22, 2016) (``Euroclear Exemption''); Release No. 38328 (Feb. 
24, 1997), 62 FR 9225 (Feb. 28, 1997) (``Clearstream Exemption''). 
To manage the potential risks associated with these functions, the 
Commission's exemptions impose volume limits on the amount of 
transactions in U.S. Government securities for which each entity may 
perform clearance and settlement.
    \232\ See, e.g., Euroclear Exemption, supra note 231 (adding 
services for collateral management); Release No. 44188 (Apr. 17, 
2001), 66 FR 20494 (Apr. 23, 2001) (granting an exemption to provide 
a central matching service to Global Joint Venture Matching Services 
US LLC, now known as DTCC ITP Matching US LLC, to facilitate the 
settlement of transactions between broker-dealers and their 
institutional customers) (``ITPM Exemption'').
    \233\ See Securities Exchange Act Release No. 76514 (Nov. 25, 
2015), 80 FR 75387, 75401 (Dec. 1, 2015) (granting an exemption to 
provide matching services to each of Bloomberg STP LLC and SS&C 
Technologies, Inc. and stating that ``[o]n balance, the Commission 
believes that the redundancy created by more interfaces and linkages 
within the settlement infrastructure increases resiliency''); SEC 
Division of Trading and Markets and Office of Compliance Inspections 
and Examinations, Staff Report on the Regulation of Clearing 
Agencies (Oct. 1, 2020) (``Staff Report on Clearing Agencies''), 
available at https://www.sec.gov/files/regulation-clearing-agencies-100120.pdf (staff stating that ``consolidation among providers of 
clearance and settlement services concentrates clearing activity in 
fewer providers and has increased the potential for providers to 
become single points of failure.'').
    \234\ For example, in 2016 the Commission approved modifications 
to the Euroclear Exemption that included, among other things, a new 
set of conditions for the reporting of service outages. See 
Euroclear Exemption, supra note 231, at 94003 (setting forth eight 
``Operational Risk Conditions Applicable to the Clearing Agency 
Activities'').
---------------------------------------------------------------------------

i. Current Regulatory Framework for Exempt Clearing Agencies
    The registration and supervisory framework for clearing agencies 
under the Exchange Act provides the Commission with broad authority to 
provide exemptive relief from certain of the Commission's regulatory 
requirements under the Exchange Act. Specifically, section 17A(b)(1) of 
the Exchange Act provides the Commission with authority to exempt a 
clearing agency or any class of clearing agencies from any provision of 
section 17A or the

[[Page 23171]]

rules or regulations thereunder.\235\ Such an exemption may be effected 
by rule or order, upon the Commission's own motion or upon application, 
either conditionally or unconditionally. The Commission's exercise of 
authority to grant exemptive relief must be consistent with the public 
interest, the protection of investors, and the purposes of section 17A, 
including the prompt and accurate clearance and settlement of 
securities transactions and the safeguarding of securities and 
funds.\236\ The Commission has granted exemptions from clearing agency 
registration to three entities that provide matching services. These 
exempt clearing agencies are DTCC ITP Matching US LLC (successor in 
name to Omgeo and Global Joint Venture Matching Services US, LLC), 
Bloomberg STP LLC (``BSTP''), and SS&C Technologies, Inc. 
(``SS&C'').\237\ In certain instances, non-U.S. clearing agencies also 
have received exemptions from registration as a clearing agency. These 
exempt clearing agencies include Euroclear Bank SA/NV (successor in 
name to Morgan Guaranty Trust Company of NY) \238\ and Clearstream 
Banking, S.A. (successor in name to Cedel Bank, société 
anonyme, Luxembourg).\239\ Each has an exemption to provide clearance 
and settlement for U.S. Government and agency securities for U.S. 
participants, subject to limitations on the volume of transactions set 
forth in their exemptions. The Euroclear Exemption also provides an 
exemption from registration to provide collateral management services 
for transactions in U.S. equity securities between U.S. persons and 
non-U.S. persons.
---------------------------------------------------------------------------

    \235\ The Commission has also provided temporary relief from 
registration to certain clearing agencies under section 36 of the 
Exchange Act. On July 1, 2011, the Commission published a 
conditional, temporary exemption from clearing agency registration 
for entities that perform certain post-trade processing services for 
security-based swap transactions. See, e.g., Release No. 64796 (July 
1, 2011), 76 FR 39963 (July 7, 2011) (providing an exemption from 
registration under section 17A(b) of the Exchange Act, and stating 
that ``[t]he Commission is using its authority under section 36 of 
the Exchange Act to provide a conditional temporary exemption [from 
clearing agency registration], until the compliance date for the 
final rules relating to registration of clearing agencies that clear 
security-based swaps pursuant to sections 17A(i) and (j) of the 
Exchange Act, from the registration requirement in section 17A(b)(1) 
of the Exchange Act to any clearing agency that may be required to 
register with the Commission solely as a result of providing 
Collateral Management Services, Trade Matching Services, Tear Up and 
Compression Services, and/or substantially similar services for 
security-based swaps''). The order facilitated the Commission's 
identification of entities that operate in that area and that 
accordingly may fall within the clearing agency definition. 
Recently, the Commission indicated that the 2011 Temporary Exemption 
may no longer be necessary. See Securities Exchange Act Release No. 
94615 (Apr. 6, 2022), 87 FR 28872, 28934 (May 11, 2022) (stating 
that the ``Commission preliminarily believes that, if it adopts a 
framework for the registration of [security-based swap execution 
facilities (``SBSEFs'')], the 2011 Temporary Exemption would no 
longer be necessary because entities carrying out the functions of 
SBSEFs would be able to register with the Commission as such, 
thereby falling within the exemption from the definition of 
`clearing agency' in existing [17 CFR 240.17Ad-24 (Rule 17Ad-
24)]'').
    \236\ See 15 U.S.C. 78q-1(b)(1).
    \237\ See exemption, supra note 233 (granting an exemption to 
provide matching services to each of BSTP and SS&C).
    \238\ See Euroclear Exemption, supra note 231.
    \239\ See Clearstream Exemption, supra note 231.
---------------------------------------------------------------------------

    As previously discussed, each of these exempt clearing agencies 
makes available to market participants an increasingly wide array of 
technology services that help centralize and automate the clearance and 
settlement of securities transactions for market participants. This 
increasing reliance on new technologies has focused the Commission's 
attention on the potential for such services to introduce operational 
risk or introduce single points of failure into the national system for 
clearance and settlement. Given this important role of exempt clearing 
agencies in helping to ensure the functioning, resilience, and 
stability of U.S. securities markets, and their growing technological 
innovations and interconnectedness, the Commission proposes to expand 
the scope of ``SCI entity'' to cover all exempt clearing agencies, 
rather than only those ``subject to ARP,'' to help ensure that the risks 
associated with the greater dispersal, sophistication, and 
interconnection of such technologies are appropriately mitigated.\240\ 
In this regard, pursuant to the terms and conditions of the clearing 
agency exemptive orders, the Commission may modify by order the terms, 
scope, or conditions if the Commission determines that such 
modification is necessary or appropriate in the public interest, for 
the protection of investors, or otherwise in furtherance of the 
purposes of the Exchange Act.\241\
---------------------------------------------------------------------------

    \240\ See supra note 228. Pursuant to the Commission's statement 
on CCPs in the European Union (``EU'') authorized under the European 
Markets Infrastructure Regulation (``EMIR''), an EU CCP may request 
an exemption from the Commission where it has determined that the 
application of SEC requirements would impose unnecessary, 
duplicative, or inconsistent requirements in light of EMIR 
requirements to which it is subject. See Statement on Central 
Counterparties Authorized under the European Markets Infrastructure 
Regulation Seeking to Register as a Clearing Agency or to Request 
Exemptions from Certain Requirements Under the Securities Exchange 
Act of 1934, Securities Exchange Act Release No. 90492 (Nov. 23, 
2020), 85 FR 76635, 76639 (Nov. 30, 2020), available at https://www.govinfo.gov/content/pkg/FR-2020-11-30/pdf/FR-2020-11-30.pdf 
(stating that in seeking an exemption, an EU CCP could provide ``a 
self-assessment . . . [to] explain how the EU CCP's compliance with 
EMIR corresponds to the requirements in the Exchange Act and 
applicable SEC rules thereunder, such as Rule 17Ad-22 and Regulation 
SCI'').
    \241\ See ITPM Exemption, supra note 231; Euroclear Exemption, 
supra note 231; Clearstream Exemption, supra note 231.
---------------------------------------------------------------------------

ii. Request for Comment
    35. Is expanding the scope of ``SCI entity'' to cover all exempt 
clearing agencies, not just those exempt clearing agencies subject to 
ARP, appropriate? Why or why not? Please be specific and provide 
examples, if possible, to illustrate your points.
    36. Should all or some aspects of Regulation SCI apply to all 
exempt clearing agencies? Why or why not? If only a portion, please 
specify which portion(s) and explain why. If all, explain why.
    37. Would the Regulation SCI proposed requirements, together with 
the conditions to which the exempt clearing agency is subject in the 
Commission exemptive order, be sufficient to address operational risk 
concerns posed by exempt clearing agencies? Why or why not? Please be 
specific and respond with examples, if possible.
    38. Given the proposed new requirements of Regulation SCI, should 
exempt clearing agencies be subject to a revised Commission exemptive 
order? Why or why not?
    39. In support of the public interest and the protection of 
investors, the Commission is proposing to amend the clearing agency 
exemptive orders to replace all operational risk conditions with a 
condition that each exempt clearing agency must comply with Regulation 
SCI requirements. Should the ordering language provide that the exempt 
clearing agency must comply with all requirements in Regulation SCI? If 
so, explain why. If not, explain why not.
    40. Should proposed Regulation SCI distinguish among different 
types of exempt clearing agencies such that some requirements of 
Regulation SCI might be appropriate for some exempt clearing agencies, 
but not others? Why or why not? If so, what are those distinctions and 
what are those requirements? Please be specific and provide examples, 
if possible.
    41. To what extent do exempt clearing agencies rely on third-party 
providers to provide systems that support their clearance and 
settlement functions? Do such third-party providers introduce 
operational or other risks that would be subject to the requirements of 
Regulation SCI? Are there any

[[Page 23172]]

circumstances in which the use of a third-party provider would prevent 
compliance with Regulation SCI? Why or why not? Please be specific and 
provide examples, if possible.
    42. For EU CCPs authorized under EMIR, the Commission stated that 
exemptive relief may be considered under section 17A(b)(1) of the 
Exchange Act in scenarios where SEC requirements are unnecessary, 
duplicative, or inconsistent relative to EMIR requirements. The 
Commission recognizes that the EU and other jurisdictions may have 
requirements similar to those being proposed in Regulation SCI. Should the 
Commission provide foreign CCPs with exemptive relief from newly 
proposed Regulation SCI? Why or why not? In the context of exemptive 
requests for newly proposed Regulation SCI, what factors should the 
Commission take into account in assessing whether SEC requirements may 
be ``unnecessary, duplicative, or inconsistent'' relative to home 
jurisdiction requirements for foreign CCPs, including EU CCPs 
authorized under EMIR? Please be specific and provide examples, if 
possible.
3. General Request for Comment on Proposed Expansion of SCI Entities
    43. The Commission requests comment generally on the proposed 
expansion of the definition of SCI entity. Are there other entities 
that should be included as SCI entities? If so, which entities and why? 
Further, are there any entities which, if included as SCI entities, 
would have critical SCI systems? Please explain.

B. Request for Comment Regarding Significant-Volume Fixed Income ATSs 
and Broker-Dealers Using Electronic or Automated Systems for Trading of 
Corporate Debt Securities or Municipal Securities

1. Discussion
    As stated above, the Commission did not include Fixed Income ATSs 
as SCI entities when it adopted Regulation SCI based on consideration 
of comments regarding the risk profile of these ATSs at that time.\242\ 
In light of the evolution of technology since then, and specifically, 
the technology for trading corporate debt and municipal securities, the 
Commission requests comment on whether significant-volume ATSs and/or 
broker-dealers with significant transaction activity in corporate debt 
or municipal securities should be subject to Regulation SCI.\243\
---------------------------------------------------------------------------

    \242\ See supra text accompanying note 79.
    \243\ For purposes of this release, the term Fixed Income ATSs 
refers only to ATSs trading corporate debt and municipal securities 
and excludes Government Securities ATSs, which are the subject of a 
separate proposal. See supra notes 84-85 and accompanying text.
---------------------------------------------------------------------------

    Currently, an ATS is subject to Rule 301(b)(6) of Regulation ATS if 
its trading volume reaches ``20 percent or more of the average daily 
volume traded in the United States'' in either corporate debt or 
municipal securities.\244\ Among other things, Rule 301(b)(6) requires 
such a significant-volume Fixed Income ATS to notify the Commission 
staff of material systems outages and significant systems changes and 
to establish adequate contingency and disaster recovery plans.\245\ The 
requirements of Rule 301(b)(6) applicable to significant-volume Fixed 
Income ATSs, which date to 1998 and have not been updated since that 
time, are less rigorous than the requirements of Regulation SCI.\246\ 
The Commission explained in the SCI Adopting Release that it adopted 
Regulation SCI to expand upon, update, and modernize the requirements 
of Rule 301(b)(6) for those ATSs trading NMS stocks and equity 
securities that are not NMS stocks that it had identified as playing a 
significant role in the U.S. securities markets.\247\ Regulation SCI 
did this by, for example, moving from the Commission's 1980s and 90s-
era technology precepts to a framework that speaks to a broader set of 
systems that are subject to an overarching standard: that they be 
subject to policies and procedures reasonably designed to maintain 
operational capability and promote the maintenance of fair and orderly 
markets. Regulation SCI also requires tested business continuity and 
disaster recovery plans that include geographic diversity to achieve 
specified recovery time objectives. In addition, Regulation SCI 
requires notice and dissemination of information regarding a wider 
range of systems problems (i.e., SCI events) to the Commission and 
affected market participants, and also requires that corrective action 
be taken with respect to such problems.\248\
---------------------------------------------------------------------------

    \244\ See 17 CFR 242.301(b)(6). Until Regulation SCI was 
adopted, Rule 301(b)(6) applied to an ATS trading NMS stocks, equity 
securities that are not NMS stocks, corporate debt securities, or 
municipal securities exceeding a 20% volume threshold. Since the 
adoption of Regulation SCI, Rule 301(b)(6) has applied only to ATSs 
trading corporate debt securities or municipal securities exceeding 
a 20% volume threshold. Rule 301(b)(6) currently does not specify 
whether the thresholds refer to share, dollar, or transaction 
volume. In the Government Securities ATS Reproposal, the Commission 
has proposed to specify that these thresholds refer to ``average 
daily dollar volume.'' See Government Securities ATS Reproposal, 
supra note 84, at 15572.
    \245\ More specifically, with regard to systems that support 
order entry, order routing, order execution, transaction reporting, 
and trade comparison, Rule 301(b)(6)(ii) of Regulation ATS requires 
significant-volume ATSs to: establish reasonable current and future 
capacity estimates; conduct periodic capacity stress tests of 
critical systems to determine their ability to accurately, timely 
and efficiently process transactions; develop and implement 
reasonable procedures to review and keep current system development 
and testing methodology; review system and data center vulnerability 
to threats; establish adequate contingency and disaster recovery 
plans; perform annual independent reviews of systems to ensure 
compliance with the above listed requirements and perform review by 
senior management of reports containing the recommendations and 
conclusions of the independent review; and promptly notify the 
Commission of material systems outages and significant systems 
changes. See 17 CFR 242.301(b)(6)(ii). As discussed in the SCI 
Adopting Release, the application of Rule 301(b)(6) to Fixed Income 
ATSs is in addition to various Exchange Act and FINRA rules 
applicable to broker-dealers operating ATSs. See SCI Adopting 
Release, supra note 1, at 72263. See also supra notes 146-166 and 
accompanying text (providing an updated discussion of various 
Exchange Act, FINRA, and certain other regulations applicable to 
broker-dealers, including those operating ATSs).
    \246\ See Securities Exchange Act Release No. 40760 (Dec. 8, 
1998), 63 FR 70844 (Dec. 22, 1998) (``Regulation ATS Adopting 
Release'').
    \247\ See SCI Adopting Release, supra note 1, at 72264.
    \248\ As discussed further below, the Commission is now 
proposing updates to Regulation SCI that are designed to take 
account of new and emerging technology challenges. If adopted, these 
changes to Regulation SCI will render Rule 301(b)(6) even more 
outdated by comparison. Below the Commission solicits comment on 
whether, in lieu of applying Regulation SCI to these entities, Rule 
301(b)(6) should be updated instead.
---------------------------------------------------------------------------

    When proposing Regulation SCI in 2013, the Commission sought to 
include as SCI entities those ATSs that are reliant on automated 
systems and represent a significant pool of liquidity in certain asset 
classes.\249\ Regarding Fixed Income ATSs, the Commission proposed to 
include those exceeding five percent or more of either average daily 
dollar volume or average daily transaction volume traded in the United 
States, but it did not adopt that proposal.\250\ Instead, for ATSs 
trading corporate debt or municipal securities

[[Page 23173]]

exceeding a 20 percent ``average daily volume'' threshold, it left in 
place the older, more limited technology regulations in Rule 301(b)(6) 
of Regulation ATS.\251\ In support of that determination, the 
Commission distinguished the equity markets from the corporate debt and 
municipal securities markets, stating that the latter markets generally 
relied much less on automation and electronic trading than markets that 
trade NMS stocks or equity securities that are not NMS stocks, and also 
tended to be less liquid than the equity markets, with slower execution 
times and less complex routing strategies.\252\
---------------------------------------------------------------------------

    \249\ See SCI Proposing Release, supra note 14, at 18094-96.
    \250\ See SCI Proposing Release, supra note 14, at 18093, 18095. 
At adoption, the Commission included only ATSs that trade NMS stocks 
and equity securities that are not NMS stocks exceeding a specified 
volume threshold. Rule 1000 of Regulation SCI defines SCI ATS to 
mean an ATS, which, during at least four of the preceding six 
calendar months, had: (1) With respect to NMS stocks: (i) 5% or more 
in any single NMS stock, and 0.25% or more in all NMS stocks, of the 
average daily dollar volume reported by an effective transaction 
reporting plan, or (ii) 1% or more, in all NMS stocks, of the 
average daily dollar volume reported by an effective transaction 
reporting plan; or (2) with respect to equity securities that are 
not NMS stocks and for which transactions are reported to an SRO, 5% 
or more of the average daily dollar volume as calculated by the SRO 
to which such transactions are reported. See 17 CFR 242.1000. Rule 
1000 also states that an ATS that meets one of these thresholds is 
not required to comply with Regulation SCI until six months after 
satisfying the threshold for the first time. See id.
    \251\ See SCI Adopting Release, supra note 1, at 72270.
    \252\ See id. The Commission also acknowledged comments stating 
that lowering the 20% threshold in Rule 301(b)(6) could have the 
unintended effect of discouraging technology evolution in these 
markets. Id.
---------------------------------------------------------------------------

    Due to changes in the market and updates to technology, the 
Commission again requests comment on applying Regulation SCI to 
significant-volume Fixed Income ATSs, and further requests comment 
regarding broker-dealers trading significant volume in corporate debt 
or municipal securities.\253\ In particular, the Commission is 
soliciting comment on whether the distinctions drawn by the Commission 
in its original adoption of Regulation SCI, between equities markets on 
the one hand, and the corporate debt and municipal securities markets 
on the other, based on differences in their reliance on automation and 
electronic trading strategies, have diminished such that Fixed Income 
ATSs or broker-dealers with significant activity in corporate debt and 
municipal securities should be subject to increased technology 
oversight pursuant to Regulation SCI.
---------------------------------------------------------------------------

    \253\ See SCI Adopting Release, supra note 1, at 72409 (stating, 
``[A]s the Commission monitors the evolution of automation in this 
market, the Commission may reconsider the benefits and costs of 
extending the requirements of Regulation SCI to fixed-income ATSs in 
the future.'').
---------------------------------------------------------------------------

    As noted above, the Commission proposed and then recently 
re-proposed to extend Regulation SCI to ATSs that trade U.S. Treasury 
Securities or Agency Securities (i.e., Government Securities ATSs) 
exceeding a five percent dollar volume threshold in at least four out 
of the preceding six months, citing the increased reliance on 
technology in the government securities markets in recent years and the 
resulting operational similarities and technological vulnerabilities 
and risks of such ATSs to existing SCI entities.\254\ In the Government 
Securities ATS Reproposal, the Commission discussed ways in which the 
government securities markets have become increasingly dependent on 
electronic trading in recent years.\255\ The Commission solicits 
comment on whether trading in corporate debt securities or municipal 
securities by ATSs and/or broker-dealers has evolved similarly.
---------------------------------------------------------------------------

    \254\ See Government Securities ATS Proposing Release, supra 
note 84, at 87152-54. See also Government Securities ATS Reproposal, 
supra note 84, at 15527-29. Specifically, in the Government 
Securities ATS Reproposal, the Commission discussed how advances in 
technology have resulted in the increased use of systems that use 
protocols and non-firm trading interest to bring together buyers and 
sellers of securities and how these systems functioned as market 
places similar to market places provided by registered exchanges and 
ATSs. See Government Securities ATS Reproposal, supra note 84, at 
15497-98.
    \255\ See Government Securities ATS Reproposal, supra note 84, 
at 15526.
---------------------------------------------------------------------------

    The growth in electronic trading in the corporate debt and 
municipal securities markets in recent years appears to be 
substantial,\256\ and accelerating.\257\ Although traditional methods 
of bilateral corporate bond trading conducted through either 
dealer-to-dealer or dealer-to-customer negotiations (often using telephone calls) 
remain important (with an estimated 71.4 percent of trading in 
corporate bonds facilitated via bilateral voice trading during the 
first half of 2021),\258\ more recent data suggest that dependencies on 
electronic protocols have increased in the last year alone.\259\
---------------------------------------------------------------------------

    \256\ See Government Securities ATS Reproposal, supra note 84, 
at 15528 n. 389, 15606, and 15609. See also SIFMA Insights: 
Electronic Trading Market Structure Primer, supra note 3 (outlining 
and comparing electronification trends in different markets); SIFMA, 
SIFMA Insights: US Fixed Income Market Structure Primer (July 2018), 
available at https://www.sifma.org/wp-content/uploads/2018/07/SIFMA-Insights-FIMS-Primer_FINAL.pdf (discussing several different types 
of fixed-income markets, noting that the historically quote-driven 
voice broker market structure has moved to accommodate limit order 
book protocols in the intradealer markets and request-for-quote 
(``RFQ'') protocols in the dealer-to-client markets; and assessing 
that ``Current growth [in the dealer-to-client markets] is enabling 
the total growth in overall electronification percentages: UST 70%, 
Agency 50%, Repos 50%, IG Corporates 40% and HY Corporates 25%'').
    \257\ See Annabel Smith, Pandemic sees electronic fixed income 
trading skyrocket in 2021, the Trade (Mar. 3, 2021), available at 
https://www.thetradenews.com/pandemic-sees-electronic-fixed-income-trading-skyrocket-in-2021/; Municipal Securities Rulemaking Board, 
Characteristics of Municipal Securities Trading on Alternative 
Trading Systems and Broker's Broker Platforms (Aug. 2021), available 
at https://msrb.org/MarketTopics/-/media/27E4F111D18246C6B9DA849082230CD0.ashx (discussing volume on ATSs and 
broker's broker platforms from 2016-2021).
    \258\ See Government Securities ATS Reproposal, supra note 84, 
at 15606-07. Market observers also note increased use of electronic 
trading in the growth of all-to-all trading and portfolio trading. 
See Greenwich Associates, All-to-All Trading Takes Hold in Corporate 
Bonds (Q2 2021), available at https://content.marketaxess.com/sites/default/files/2021-04/All-to-All-Trading-Takes-Hold-in-Corporate-Bonds.pdf#:~:text=In%20all-%20to-all%20markets%2C%20where%20asset%20managers%20provide,of%20the%20corporate%20bond%20market%E2%80%99s%20growth%20and%20evolution (stating 
that all-to-all trading, which allows asset managers to provide 
liquidity to dealers and each other and for dealers to trade with 
one another electronically, has increased from 8% of investment 
grade volume in 2019 to 12% of investment grade volume in 2020); see 
also Li Renn Tsai, Understanding Portfolio Trading, Tradeweb (Sept. 
6, 2022), available at https://www.tradeweb.com/newsroom/media-center/in-the-news/understanding-portfolio-trading/#:~:text=Portfolio%20Trading%20is%20a%20solution%20that%20gives%20asset,savings%2C%20mitigate%20operational%20risk%2C%20and%20reduce%20market%20slippage (discussing that portfolio trading, a process similar 
to program trading for equities which allows asset managers to buy/
sell a basket of bonds to trade together as a single package, 
increased from 2% of total corporate bond trades in Jan. 2020 to 5% 
in Sept. 2021); Kate Marino, Algorithms have arrived in the bond 
market, Axios (Sept. 3, 2021), available at https://www.axios.com/2021/09/03/bond-market-trading-algorithms (discussing the increase 
in portfolio trading in the bond market).
    \259\ See Jack Pitcher, Record E-Trading Brings More Liquidity 
to Corporate Bond Market, Bloomberg (Oct. 31, 2022), available at 
https://www.bloomberg.com/news/articles/2022-10-31/electronic-credit-trading-surges-to-record-boosting-liquidity (citing a Sept. 
2022 Coalition Greenwich report stating that ``Investment-grade 
electronic trading accounted for 42% of volume in September, up 9 
percentage points from the same month last year, and high yield was 
34%, up 10 percentage points'' and about one third of trading volume 
on junk bonds was through online trading in Sept. 2022, up from 
about a quarter of trading volume in the same period last year); but 
see Maureen O'Hara and Xing Alex Zhou, The electronic evolution of 
corporate bond dealers, Journal of Financial Economics (Jan. 5, 
2021), available at https://www.sciencedirect.com/science/article/pii/S0304405X21000015 (discussing that any eventual domination of 
electronic bond trading may ultimately be limited because of the 
particular nature of bond trading, which includes bond illiquidity, 
the inability for larger trades to be broken into smaller trade 
sizes that can trade electronically, dealer unwillingness to trade 
more information-sensitive high-yield bonds electronically, and the 
lack of new dealers in bond market structure).
---------------------------------------------------------------------------

    In the municipal securities markets, a majority (56.4%) of all 
inter-dealer trades and 26% of inter-dealer par value traded were 
executed on ATSs during the period from August 2016 through April 
2021.\260\ Moreover, as recently reported by the MSRB, the number of 
transactions with a dealer on an ATS

[[Page 23174]]

more than tripled from 2015 to 2021; the average daily number of 
municipal securities trades increased more than 550% from 2015 to 2022 
and also increased more than 75% in 2022; and the average daily par 
amount traded increased more than 400% since 2015 and more than doubled 
in 2022 compared to 2021.\261\
---------------------------------------------------------------------------

    \260\ See Simon Z. Wu, Characteristics of Municipal Securities 
Trading on Alternative Trading Systems and Broker's Broker 
Platforms, Municipal Securities Rulemaking Board (Aug. 2021), 
available at https://www.msrb.org/sites/default/files/MSRB-Trading-on-Alternative-Trading-Systems.pdf. See also Government Securities 
ATS Reproposal, supra note 84, at 15609 (discussing use of 
electronic trading protocols in the municipal securities markets, 
and noting that ``one MSRB report found that technological 
advancements in this market and the movement away from voice trading 
and towards electronic trading have helped reduce transaction costs 
for dealer-customer trades by 51 percent between 2005 and 2018'').
    \261\ See John Bagley and Marcelo Vieira, Customer Trading with 
Alternative Trading Systems, Municipal Securities Rulemaking Board 
(Aug. 2022), available at https://www.msrb.org/sites/default/files/2022-08/MSRB-Customer-Trading-with-Alternative-Trading-Systems.pdf.
---------------------------------------------------------------------------

    While technological developments provide many benefits to the U.S. 
securities markets and investors, they also increase the risk of 
operational problems that have the potential to cause a widespread 
impact on the securities markets and market participants. The trend in 
electronic trading in these markets and recent data on the volume of 
Fixed Income ATSs suggest that there is likely to be one or more Fixed 
Income ATSs (or broker-dealers) that both rely on electronic trading 
technology and represent or generate significant sources of liquidity 
in these asset classes. In light of these developments, the Commission 
believes that it is appropriate to request comment on whether ATSs and 
broker-dealers that trade significant volume in corporate debt 
securities or municipal securities should also be subject to some or 
all of the requirements of Regulation SCI, and if so, what an 
appropriate threshold would be.\262\
---------------------------------------------------------------------------

    \262\ An ATS that trades NMS stocks is subject to Regulation SCI 
if its trading volume reaches: (i) 5% or more in any single NMS 
stock and 0.25% or more in all NMS stocks of the average daily 
dollar volume reported by applicable transaction reporting plans; or 
(ii) 1% or more in all NMS stocks of the average daily dollar volume 
reported by applicable transaction reporting plans. An ATS that 
trades equity securities that are not NMS stocks is subject to 
Regulation SCI if its trading volume is 5% or more of the average 
daily dollar volume (across all equity securities that are not NMS 
stocks) as calculated by the SRO to which such transactions are 
reported. As stated in the SCI Adopting Release, the higher 
threshold for equity securities that are not NMS stocks versus NMS 
stocks was selected taking into account the lower degree of 
automation, electronic trading, and interconnectedness in the market 
for equity securities that are not NMS stocks and assessment that 
those ATSs would present lower risk to the market in the event of a 
systems issue, but not necessarily no risk. See SCI Adopting 
Release, supra note 1, at 72269. As stated above, a 5% average daily 
dollar volume threshold is proposed for Government Securities ATSs 
(i.e., ATSs that trade Agency Securities and/or U.S. Treasury 
Securities), where electronic trading is prevalent.
---------------------------------------------------------------------------

2. Request for Comment
    The Commission is requesting comment on whether to apply Regulation 
SCI to Fixed Income ATSs on the basis of volume, or to broker-dealers 
that trade corporate debt or municipal securities on or above a trading 
activity threshold. Specifically:
    44. Should significant-volume ATSs and/or broker-dealers with 
significant transaction activity in corporate debt or municipal 
securities be subject, in whole or in part, to Regulation SCI? \263\
---------------------------------------------------------------------------

    \263\ The Commission notes that ATSs may also trade crypto asset 
securities. See section II.A.3.b.v. (discussing obligations of ATSs 
trading crypto asset securities).
---------------------------------------------------------------------------

    45. Do commenters agree that the corporate debt and municipal 
securities markets have become increasingly electronic in recent years? 
Why or why not? Please provide data to support your views. If 
electronic trading in the corporate debt and municipal securities 
markets has increased, are these markets sufficiently different or 
unique to warrant an approach to technology oversight that differs from 
the approach taken in Regulation SCI? Why or why not?
    46. What are the risks associated with systems issues at Fixed 
Income ATSs or broker-dealers that trade corporate debt or municipal 
securities today? What impact would a systems issue at a Fixed Income 
ATS or such broker-dealer have on the trading of corporate debt or 
municipal securities and the maintenance of fair and orderly markets?
    47. Do electronic systems used to trade corporate debt or municipal 
securities markets today have linkages to any trading venues, including 
to U.S. Treasury markets? Are these linkages developing or likely to 
develop? If not, are there interconnections with third-party or other 
types of systems? How do any interconnections impact the risk of an SCI 
event at a Fixed Income ATS or broker-dealer that trades corporate debt 
or municipal securities on the market and/or market participants?
    48. If commenters believe that Regulation SCI should apply, in 
whole or in part, to Fixed Income ATSs or broker-dealers that trade 
corporate debt or municipal securities, should there be a volume 
threshold? For example, should the definition of SCI ATS include those 
ATSs which, during at least four of the preceding six calendar months 
had: (1) with respect to municipal securities, five percent or more of 
the average daily dollar volume traded in the United States, as 
provided by the self-regulatory organization to which such transactions 
are reported; or (2) with respect to corporate debt securities, five 
percent or more of the average daily dollar volume traded in the United 
States as provided by the self-regulatory organization to which such 
transactions are reported? Similarly, should the definition of SCI 
broker-dealer include a similar threshold to that proposed for 
registered broker-dealers trading Treasury or Agency securities (during 
at least four of the preceding six calendar months reported to the 
self-regulatory organization(s) to which such transactions are 
reported, average daily dollar volume in an amount that equals ten 
percent (10%) or more of the total average daily dollar volume as made 
available by the self-regulatory organization to which such 
transactions are reported)?
    49. Is basing a threshold on a percentage of average daily dollar 
volume appropriate? Should there be an alternative threshold based on 
average daily share volume? Or par value? Or transaction volume?
    50. Would commenters have a different view on what an appropriate 
threshold would be for Fixed Income ATSs if additional entities become 
Fixed Income ATSs as a result of adoption of the amendments to Rule 
3b-16(a) that the Commission has proposed in the Government Securities ATS 
Reproposal?
    51. If the Commission proposes to apply Regulation SCI to Fixed 
Income ATSs, should it propose a similar approach for broker-dealers 
that trade corporate debt or municipal securities? Why or why not?
    52. Would four out of the preceding six months be an appropriate 
period to measure the volume thresholds for corporate debt and 
municipal securities for purposes of Regulation SCI? Why or why not? 
Would Fixed Income ATSs or broker-dealers that trade corporate debt or 
municipal securities have available appropriate data with which to 
determine whether a proposed threshold has been met? If not, what data 
or information is missing? Does the answer depend on whether the 
Government Securities ATS Reproposal (proposing to expand the 
definition of exchange in Rule 3b-16(a)) is adopted as proposed?
    53. Should any or all Fixed Income ATSs that meet a volume 
threshold be subject to Rule 301(b)(6) of Regulation ATS instead of 
Regulation SCI (i.e., should Rule 301(b)(6) be retained)? Why or why 
not? Alternatively, should any or all Fixed Income ATSs or broker-
dealers that trade corporate debt or municipal securities be subject to 
only certain provisions of Regulation SCI? Which ones and why? Please 
explain. Alternatively, should Rule 301(b)(6) of Regulation ATS be 
updated to be more similar to Regulation SCI in certain respects? If 
so, how?

[[Page 23175]]

    54. If commenters believe Rule 301(b)(6) should continue to apply 
to Fixed Income ATSs, is the 20 percent average daily volume threshold 
an appropriate threshold? Should it be amended to specify what the 20 
percent average daily volume refers to (e.g., share, dollar, par, or 
transaction volume)? Should the Commission amend Rule 301(b)(6) to subject 
all Fixed Income ATSs, or certain Fixed Income ATSs, to the 
requirements of the rule if the Fixed Income ATS reaches a 5 percent, 
10 percent, 15 percent or another volume threshold? If so, please 
explain why such a threshold would be appropriate. Alternatively, 
should Rule 301(b)(6) be superseded and replaced by Regulation SCI?
    55. Are there characteristics specific to the corporate debt and 
municipal securities markets that would make applying Regulation SCI 
broadly or any specific provision of Regulation SCI to Fixed Income 
ATSs or broker-dealers that trade corporate debt or municipal 
securities unduly burdensome or inappropriate? Please explain. For 
example, if an ATS that fits the description of a Communication 
Protocol System (as described in the Government Securities ATS 
Proposal) were to become an SCI ATS, would there be certain features 
or functions of that system that would not meet the definition of SCI 
systems, but that should be subject to Regulation SCI as SCI systems? 
Would there be any features or functions of that system that would meet 
the definition of SCI systems, but that should not be subject to 
Regulation SCI? Commenters that recommend that the Commission propose 
that ATSs and/or broker-dealers with significant transaction activity 
in corporate debt or municipal securities be subject to Regulation SCI 
are requested to specifically address the expected benefits and costs 
of their recommendations, above the current baseline of Rule 301(b)(6) 
of Regulation ATS, and the expected effects of their recommendations on 
efficiency, competition, and capital formation.

C. Strengthening Obligations of SCI Entities

    In adopting Regulation SCI, the Commission recognized that 
technology, standards, and threats would continue to evolve and that 
the regulation would need to be flexible so as to develop alongside 
such changes. Thus, 17 CFR 242.1001(a)(1) (``Rule 1001(a)(1)'' of 
Regulation SCI) requires that each SCI entity have ``written policies 
and procedures reasonably designed to ensure that its SCI systems and, 
for purposes of security standards, indirect SCI systems, have levels 
of capacity, integrity, resiliency, availability, and security, 
adequate to maintain the SCI entity's operational capability and 
promote the maintenance of fair and orderly markets.'' \264\ While Rule 
1001(a)(2) itemizes certain minimum requirements such policies and 
procedures must include, these are generally broad areas that must be 
covered (e.g., requiring capacity planning estimates, stress tests, 
systems development and testing programs, reviews and testing for 
threats, business continuity and disaster recovery plans, standards 
with respect to market data, and monitoring for potential SCI events); 
Rule 1001(a) does not prescribe in detail how they should be 
addressed.\265\
---------------------------------------------------------------------------

    \264\ See 17 CFR 242.1001(a)(1).
    \265\ Id.
---------------------------------------------------------------------------

    Since the adoption and implementation of Regulation SCI, technology 
and the ways SCI entities employ such technology have continued to 
evolve, as have the potential vulnerabilities of, and threats posed to, 
SCI entities. In addition, the Commission and its staff have gained 
valuable experience and insights with respect to technology issues 
surrounding SCI entities and their systems. Given the important role 
SCI entities play in our markets, it is appropriate to strengthen the 
requirements Regulation SCI imposes on SCI entities to help ensure that 
their SCI systems and indirect SCI systems continue to remain robust, 
resilient, and secure.
1. Systems Classification and Lifecycle Management
a. Discussion
    The terms ``SCI systems,'' ``indirect SCI systems,'' and ``critical 
SCI systems'' are foundational definitions within Regulation SCI. These 
terms map out the scope of Regulation SCI's applicability to an SCI 
entity. If an SCI entity does not classify its systems pursuant to 
these defined terms, it cannot fully understand how it should apply 
Regulation SCI's requirements and where its obligations under the 
regulation start and end. Specifically, ``SCI systems'' is defined to 
mean ``all computer, network, electronic, technical, automated, or 
similar systems of, or operated by or on behalf of, an SCI entity that, 
with respect to securities, directly support trading, clearance and 
settlement, order routing, market data, market regulation, or market 
surveillance.'' The definition of ``SCI systems'' does not scope in 
every system of an SCI entity; rather, it is limited to those functions 
the Commission believed were of particular significance for the 
purposes of Regulation SCI, namely systems that, with respect to 
securities, directly support trading, clearance and settlement, order 
routing, market data, market regulation, or market surveillance. 
``Indirect SCI systems'' come into play with respect to security 
standards and systems intrusions and include ``any systems of, or 
operated by or on behalf of, an SCI entity that, if breached, would be 
reasonably likely to pose a security threat to SCI systems.'' 
Importantly, both definitions include systems operated by an SCI entity 
as well as systems operated by third parties on behalf of a given SCI 
entity.
    Except as discussed above,\266\ the proposed rule amendments would 
not change the definition of SCI systems, indirect SCI systems, or 
critical SCI systems. However, the Commission is proposing to modify 
certain existing, and add a number of additional, requirements to the 
policies and procedures required of SCI entities with respect to their 
SCI systems (and indirect SCI systems or critical SCI systems, as the 
case may be), under Rule 1001(a), as discussed in further detail below.
---------------------------------------------------------------------------

    \266\ See supra section III.A.2.b.iv (discussing the proposed 
limitation to the definition of SCI systems for certain SCI broker-
dealers).
---------------------------------------------------------------------------

    One of the first steps many SCI entities take to comply with 
Regulation SCI is developing a classification of their systems in 
accordance with these definitions; i.e., a documented inventory of the 
specific systems of the SCI entity that fall within each type of 
systems (i.e., SCI system, indirect SCI system, and critical SCI 
system). However, not all SCI entities maintain such a list. A 
foundational and essential step for an SCI entity to be able to meet 
its obligations under Regulation SCI is to be able to identify clearly 
the systems that are subject to obligations under Regulation SCI. 
Therefore, the Commission is proposing a new provision to ensure that 
SCI entities develop and maintain a written inventory of their systems 
and classification. Specifically, new paragraph (a)(2)(viii) in Rule 
1001 would require each SCI entity to include in their policies and 
procedures the maintenance of a written inventory and classification of 
all of its SCI systems, critical SCI systems, and indirect SCI systems.
    In addition, 17 CFR 242.1001(a)(2)(viii) (``proposed Rule 
1001(a)(2)(viii)'') would require that the

[[Page 23176]]

SCI entity's policies and procedures include a program with respect to 
the lifecycle management of such systems, including the acquisition, 
integration, support, refresh, and disposal of such systems, as 
applicable. This provision would require SCI entities to consider how a 
system subject to Regulation SCI moves through its lifecycle, from 
initial acquisition to eventual disposal. The purpose of this provision 
is to help ensure that an SCI entity is able to identify risks an SCI 
system may face during its various lifecycle phases. Importantly, SCI 
entities would need to address the refresh of such systems in their 
lifecycle management program. Generally, systems that are properly 
refreshed and updated include up-to-date software and security patches. 
In addition, the lifecycle management program required in their 
policies and procedures must address disposal of such systems. Disposal 
generally should include sanitization of end-of-life systems to help 
ensure that systems that are no longer intended as SCI systems or 
indirect SCI systems do not contain sensitive information (e.g., 
relating to the operations or security of the SCI entity or its systems 
architecture) that might be unintentionally revealed if such end-of-
life systems fall into the wrong hands.\267\ Thus, this generally would 
require SCI entities to pinpoint precisely when a given system 
``becomes'' an SCI system (or an indirect SCI system), as well as the 
point at which it is officially ``no longer'' an SCI system (or an 
indirect SCI system).
---------------------------------------------------------------------------

    \267\ For example, such policies generally should not simply 
require mere disposal of end-of-life SCI systems but should ensure 
their effective disposal such that sensitive information (including 
software, configuration info, middleware, etc.) that could 
compromise the security of an SCI entity's data and network is not 
inadvertently revealed.
---------------------------------------------------------------------------

b. Request for Comment
    56. Do commenters agree with the proposed requirement in proposed 
Rule 1001(a)(2)(viii) to require SCI entities to include in their 
policies and procedures the maintenance of a written inventory and 
classification of all of its SCI systems, critical SCI systems, and 
indirect SCI systems? Why or why not?
    57. Do commenters believe that Regulation SCI should require that 
SCI entities have a program with respect to the lifecycle management of 
such systems, including the acquisition, integration, support, refresh, 
and disposal of such systems, as applicable? Why or why not? Do SCI 
entities currently maintain such lifecycle management programs? Are 
there other aspects of lifecycle management that commenters believe 
should be included in the proposed requirement? If so, please describe.
2. Third-Party Provider Management
a. Third-Party Provider Management Issues
    When it adopted Regulation SCI, the Commission recognized that an 
SCI entity may choose to use third parties to assist it in running its 
SCI systems and indirect SCI systems. The Commission took into account 
such scenarios by including the phrase ``or operated by or on behalf 
of'' \268\ in key definitions such as ``SCI systems,'' ``critical SCI 
systems,'' and ``indirect SCI systems.'' The inclusion of the phrase 
``or on behalf of'' was intended to make clear that outsourced systems 
are not excluded and that any such systems were within the scope of 
Regulation SCI, even when operated not by the SCI entity itself but 
rather by a third party. In the SCI Adopting Release, the Commission 
made clear that it was the responsibility of the SCI entity to manage 
its relationships with such third parties through due diligence, 
contract terms, and monitoring of third-party performance.\269\ In 
addition, as the Commission stated when adopting Regulation SCI, ``[i]f 
an SCI entity is uncertain of its ability to manage a third-party 
relationship . . . to satisfy the requirements of Regulation SCI, then 
it would need to reassess its decision to outsource the applicable 
system to such third party. (footnotes omitted)'' \270\
---------------------------------------------------------------------------

    \268\ Emphasis added.
    \269\ See SCI Adopting Release, supra note 1, at 72276.
    \270\ Id.
---------------------------------------------------------------------------

    An SCI entity may decide to outsource certain functionality to, or 
utilize the support or services of, a third-party provider (which would 
include both affiliated providers as well as vendors unaffiliated with 
the SCI entity) for a variety of reasons. In selecting a third-party 
provider to operate an SCI system on its behalf, an SCI entity may be 
attracted to the potential benefits that it may believe the third-party 
provider would bring, which could range from cost efficiencies and 
increased automation to particular expertise the vendor may provide in 
areas such as security and data latency. Third-party providers may also 
provide services that an SCI entity may not currently have in-house, 
such as a particular type of software required to run or monitor a 
given SCI system, or a data or pricing feed.
    The Commission believes that the use of third-party providers by 
SCI entities can be appropriate and even advantageous and preferable in 
certain instances, given the benefits they may provide when employed 
appropriately. However, as the Commission discussed in the SCI Adopting 
Release, when utilizing a third-party provider, an SCI entity is 
``responsible for having in place processes and requirements to ensure 
that it is able to satisfy the requirements of Regulation SCI for 
systems operated on behalf of the SCI entity by a third party.'' \271\ 
Thus, an SCI entity generally should be aware of the potential costs 
and risks posed by this choice including, for example: cybersecurity 
risks (e.g., a compromise in a third-party provider's systems impacting 
the systems of the SCI entity); operational risks (e.g., a disruption 
or shutdown of a third-party provider's service, or a bankruptcy or 
cessation of operation of a third-party provider, negatively impacting 
or disrupting the operation of an SCI system); reputational risks 
(e.g., a faulty or incorrect input from a third-party provider causing 
an SCI entity's output to be incorrect); and legal and regulatory risks 
(e.g., a third-party provider's lack of responsiveness or unwillingness 
to provide the SCI entity necessary information or detail results in an 
SCI entity missing a reporting or compliance deadline, such as a 
deadline for reporting an SCI event or taking corrective action on an 
SCI event). With the continued and increasing use of third-party 
providers by SCI entities and, in some cases, with third-party 
providers playing increasingly important and even critical roles in 
ensuring the reliable, resilient, and secure operation of SCI systems 
and indirect SCI systems, the Commission believes that it is 
appropriate to strengthen Regulation SCI's requirements with respect to 
SCI entities' use of third-party providers and the management of such 
relationships, as described in detail below.\272\
---------------------------------------------------------------------------

    \271\ See SCI Adopting Release, supra note 1, at 72276.
    \272\ See infra sections III.C.2.b. through d (discussing the 
proposed rule changes with respect to third-party management 
programs, third-party providers for critical SCI systems, and third-
party provider participation in BC/DR testing).
---------------------------------------------------------------------------

    In recent years, many types of businesses have turned to cloud 
service providers (``CSPs'') to take advantage of their services.\273\ 
Today, CSPs can provide a range of support to a wide variety of 
businesses, with deployment models ranging from public cloud, private 
cloud, hybrid cloud, and multi-cloud, and service models including 
Infrastructure as a Service (``IaaS''), Platform as a Service 
(``PaaS''), and

[[Page 23177]]

Software as a Service (``SaaS'').\274\ SCI entities are also engaging 
with CSPs to assist in operating their SCI systems and some utilize, or 
have announced their intention to utilize, CSPs for all or nearly all 
of their applicable systems,\275\ others have begun moving towards 
employing CSPs at a more deliberate pace,\276\ and others continue to 
explore and consider whether or not to use such services. A decision to 
move their systems from an ``on-premises,'' \277\ internally run data 
center to ``the cloud'' is a significant one, often with potential 
benefits that may include cost efficiencies, automation, increased 
security, and resiliency, and entities may also take advantage of such 
an opportunity to reengineer or otherwise update their systems and 
applications to run even more efficiently than before.
---------------------------------------------------------------------------

    \273\ See, e.g., Angus Loten, CIOs Accelerate Pre-Pandemic Cloud 
Push Wall St. J. (Apr. 26, 2021).
    \274\ Additional information relating to the services provided 
by CSPs is widely available online from CSPs as well as firms that 
provide consulting services for potential clients of CSPs. FINRA, 
Cloud Computing in the Securities Industry 3-4 (Aug. 2021), 
available at https://www.finra.org/sites/default/files/2021-08/2021-cloud-computing-in-the-securities-industry.pdf (providing a summary 
description of these services). For a discussion of considerations 
and risks relevant to the use of cloud service providers by entities 
in the financial services sector, see the Financial Services 
Sector's Adoption of Cloud Services, U.S. Dept. of the Treasury 
(issued February 8, 2023), available at: https://home.treasury.gov/system/files/136/Treasury-Cloud-Report.pdf.
    \275\ See, e.g., FINRA, Podcast: How the Cloud has 
Revolutionized FINRA Technology (July 30, 2018), available at 
www.finra.org/media-center/finra-unscripted/how-cloud-has-revolutionized-finra-technology; Securities Exchange Act Release No. 
93433 (Oct. 27, 2021), 86 FR 60503 (Nov. 2, 2021) (SR-OCC-2021-802) 
(Notice of Filing and Extension of Review Period of Advance Notice 
Relating to OCC's Adoption of Cloud Infrastructure for New Clearing, 
Risk Management, and Data Management Applications). See also, Huw 
Jones, Microsoft invests $2 billion in London Stock Exchange, 
Reuters (Dec. 12, 2022).
    \276\ See, e.g., Nasdaq, Press Release: Nasdaq and AWS Partner 
to Transform Capital Markets (Nov. 30, 2021), available at 
www.nasdaq.com/press-release/nasdaq-and-aws-partner-to-transform-capital-markets-2021-12-01; Nasdaq, Press Release: Nasdaq Completes 
Migration of the First U.S. Options Market to AWS (Dec. 5, 2022), 
available at https://www.nasdaq.com/press-release/nasdaq-completes-migration-of-the-first-u.s.-options-market-to-aws-2022-12-05.
    \277\ In using the term ``on-premises,'' the Commission means 
that the data center's hardware (e.g., the servers, switches, and 
other physical machines) is generally under the control of and 
operated by the SCI entity, even if the data center is physically 
located in a facility operated by a third party and for which such 
third party provides or arranges for certain services including, but 
not limited to, power, water, and physical security.
---------------------------------------------------------------------------

    In deciding whether to utilize a CSP, an SCI entity generally 
should take into account the same factors it would consider for any 
other third-party provider.\278\ However, given the degree to which CSP 
services may be integral to the operation of SCI systems, SCI entities 
generally should examine closely any potential relationship and 
utilization of CSP services. Importantly, regardless of the CSP and 
service model an SCI entity may be considering, it is the SCI entity's 
responsibility to ensure that it can and does comply with Regulation 
SCI. For example, in describing the services they provide, CSP 
marketing materials typically describe their service models as ``shared 
responsibilities'' between the CSP and client. With respect to an SCI 
entity's obligations under Regulation SCI, however, the SCI entity 
bears responsibility for compliance with the requirements of Regulation 
SCI, including for SCI systems operated on its behalf by third-party 
providers. As with other third-party providers that operate SCI systems 
on behalf of an SCI entity, if an SCI entity is uncertain of its 
ability to manage a CSP relationship (whether through appropriate due 
diligence, contract terms, monitoring, or other methods) to satisfy the 
requirements of Regulation SCI, the SCI entity would need to reassess 
its decision to outsource the applicable system to such CSP. As with 
any third-party provider, the SCI entity generally should not rely 
solely on the reputation of or attestations from a given CSP. In 
addition, an SCI entity that utilizes a CSP should not view the usage 
of a CSP from the perspective of being able to turn over its Regulation 
SCI-related responsibilities to the CSP; instead, an SCI entity 
generally should ensure that its own personnel have the requisite 
skills to properly manage and oversee such a relationship, and 
understand the issues--including technical ones--that may arise from 
the utilization of a CSP and are relevant to ensure its compliance with 
Regulation SCI.\279\
---------------------------------------------------------------------------

    \278\ See SCI Adopting Release, supra note 1, at 72275-76. In 
this section, the Commission discusses many issues that may be 
relevant for SCI entities to consider in relation to their use of 
third-party vendors generally, and with respect to cloud service 
providers specifically. These issues include those that the 
Commission and its staff have encountered with respect to SCI 
entities since the adoption and implementation of Regulation SCI; 
however, this is not meant to be a comprehensive list of all 
potential issues and considerations, and the Commission welcomes 
comment on other applicable issues and considerations that 
commenters believe are relevant for SCI entities with respect to 
third-party providers.
    \279\ See SCI Adopting Release, supra note 1, at 72276.
---------------------------------------------------------------------------

    Rule 1001(a)(2)(v) of Regulation SCI requires that an SCI entity's 
policies and procedures include business continuity and disaster 
recovery plans that include maintaining backup and recovery 
capabilities sufficiently resilient and geographically diverse and that 
are reasonably designed to achieve next business day resumption of 
trading and two-hour resumption of critical SCI systems following a 
wide-scale disruption.\280\ When the Commission adopted this provision 
it did not specifically discuss its application to CSPs. Whereas ``on-
premises'' systems are installed and run at a site under the control of 
an SCI entity, the systems of an SCI entity that reside ``in the public 
cloud'' may not be tied to any specific geographic location. However, 
SCI entities must ensure that their SCI systems, whether ``on-
premises'' or ``in the public cloud,'' comply with the requirement in 
Regulation SCI to have backup and recovery capabilities sufficiently 
resilient and geographically diverse and that are reasonably designed 
to achieve next business day resumption of trading and two-hour 
resumption of critical SCI systems following a wide-scale disruption. 
These provisions of Regulation SCI exist to help limit the downtime 
caused by wide-scale disruptions. Thus, for example, in determining 
whether any SCI-related systems ``in the public cloud'' can meet this 
requirement, SCI entities generally should understand where their systems 
will reside (i.e., the locations of the CSP data center site(s) that 
may be used), and should consider whether those sites provide 
sufficient geographical diversity and operational resiliency to achieve 
the resumption requirements of Rule 1001(a)(2)(v).\281\
---------------------------------------------------------------------------

    \280\ See SCI Adopting Release, supra note 1, at 72295. See also 
infra section III.C.2.c, including notes 292-294 and accompanying 
text (discussing the proposed modifications to Rule 1001(a)(2)(v)).
    \281\ While CSPs may use slightly different nomenclature, 
typically, a CSP's region contains multiple availability zones, and 
an availability zone contains multiple data centers.
---------------------------------------------------------------------------
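The written inventory and lifecycle program of proposed Rule 1001(a)(2)(viii) (section III.C.1 above) and the geographic-diversity and resumption expectations of Rule 1001(a)(2)(v) discussed here can both be expressed as checks over a systems inventory. The following Python example is added here and is not the Commission's or any SCI entity's code; the system names, providers, regions, the 24-hour reading of ``next business day,'' and the 30-day patch window are constructed assumptions.

```python
from dataclasses import dataclass
from enum import Enum
from typing import Dict, List, Optional


class Classification(Enum):
    SCI = "SCI system"
    CRITICAL_SCI = "critical SCI system"
    INDIRECT_SCI = "indirect SCI system"


class Phase(Enum):
    # Lifecycle phases named in proposed Rule 1001(a)(2)(viii).
    ACQUISITION = "acquisition"
    INTEGRATION = "integration"
    SUPPORT = "support"
    REFRESH = "refresh"
    DISPOSAL = "disposal"


@dataclass(frozen=True)
class Site:
    provider: str  # "on-premises" or a CSP name (constructed values below)
    region: str    # CSP region; a region contains several availability zones
    zone: str      # availability zone or, on-premises, a data-center identifier


@dataclass
class System:
    name: str
    classification: Classification
    phase: Phase
    primary: Site
    backup: Optional[Site] = None
    recovery_hours: Optional[float] = None  # resumption time the BC/DR plan is designed for
    patch_age_days: int = 0                 # days since the last security patch
    sanitized: bool = False                 # set once an end-of-life system has been sanitized


# Rule 1001(a)(2)(v) targets: two hours for critical SCI systems; "next business
# day" resumption of trading is read here as 24 hours (an assumption of this example).
RTO_HOURS = {Classification.CRITICAL_SCI: 2.0, Classification.SCI: 24.0}
MAX_PATCH_AGE_DAYS = 30  # assumed refresh window, not a figure from the rule


def geographically_diverse(a: Site, b: Site) -> bool:
    """Diverse only across providers or across regions of one provider; two
    availability zones of the same region are not treated as diverse."""
    return a.provider != b.provider or a.region != b.region


def check_system(system: System) -> List[str]:
    """Return the findings for one inventory entry (empty list when clean)."""
    findings: List[str] = []
    if system.phase is Phase.DISPOSAL:
        if not system.sanitized:
            findings.append("end-of-life system not sanitized before disposal")
        return findings  # no BC/DR or patch expectations once a system leaves scope
    if system.phase is Phase.SUPPORT and system.patch_age_days > MAX_PATCH_AGE_DAYS:
        findings.append(f"security patches older than {MAX_PATCH_AGE_DAYS} days")
    target = RTO_HOURS.get(system.classification)
    if target is None:
        return findings  # indirect SCI systems: security standards only, no resumption target
    if system.backup is None:
        findings.append("no backup site")
    elif not geographically_diverse(system.primary, system.backup):
        findings.append("backup site not geographically diverse from primary")
    if system.recovery_hours is None or system.recovery_hours > target:
        findings.append(f"recovery objective exceeds {target:g}h resumption target")
    return findings


def check_inventory(systems: List[System]) -> Dict[str, List[str]]:
    """Map each system name to its findings; clean systems are omitted."""
    return {s.name: f for s in systems if (f := check_system(s))}


# Constructed sample inventory: names, providers and regions are made up.
SAMPLE_INVENTORY = [
    System("matching-engine", Classification.CRITICAL_SCI, Phase.SUPPORT,
           Site("csp-a", "us-east-1", "a"), Site("csp-a", "us-east-1", "b"), 1.0, 7),
    System("order-router", Classification.SCI, Phase.SUPPORT,
           Site("on-premises", "nj-datacenter", "dc1"), Site("csp-a", "us-west-2", "a"), 20.0, 45),
    System("surveillance", Classification.SCI, Phase.SUPPORT,
           Site("csp-a", "us-east-1", "a"), Site("csp-b", "eu-central", "a"), 12.0, 3),
    System("risk-calc", Classification.CRITICAL_SCI, Phase.REFRESH,
           Site("csp-a", "us-east-1", "a"), Site("csp-a", "us-west-2", "a"), 3.0, 0),
    System("legacy-gateway", Classification.INDIRECT_SCI, Phase.DISPOSAL,
           Site("on-premises", "nj-datacenter", "dc1")),
]

if __name__ == "__main__":
    for name, findings in check_inventory(SAMPLE_INVENTORY).items():
        print(name, "->", "; ".join(findings))
```

The zone-only separation of the matching engine's backup is the case the text warns about: two availability zones of one region do not by themselves establish geographic diversity.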

    As discussed in section III.C.2.b.2 below, the Commission's 
proposal includes a requirement that every SCI entity undertake a risk-
based assessment of the criticality of each of its third-party 
providers, including analyses of third-party provider concentration, of 
key dependencies if the third-party provider's functionality, support, 
or service were to become unavailable or materially impaired, and of 
any potential security, including cybersecurity, risks posed. This 
third-party provider assessment may be particularly relevant with 
respect to CSPs utilized by SCI entities, and an SCI entity may want to 
take into consideration the degree to which it may be ``locked-in'' to 
any given CSP it is considering engaging. As with any third-party 
provider, it could consider its exit strategies with respect to any 
potential CSP it might choose and may consider architectural decisions 
that would enable a quick re-deployment to another CSP if needed. Even 
when tools,

[[Page 23178]]

such as containerization,\282\ exist that are designed to automate and 
simplify the deployment of systems to CSPs, and which appear at first 
glance to allow for greater portability among CSPs, SCI entities may 
want to consider any lock-in effects that utilizing CSP-specific tools 
might have. In addition, it may be useful for SCI entities to consider 
the relative benefits and costs of potential alternatives that could 
reduce dependence on any single CSP. In cases where the use of CSPs is 
being considered for both primary and backup systems, an SCI entity, 
taking into account the nature of its systems, may want to consider 
whether it is appropriate to utilize different CSPs for such systems, 
as well as whether an ``on-premises'' backup may be appropriate. 
Similarly, SCI entities should generally engage their CSPs to ensure 
that they can meet the business continuity and disaster recovery 
requirements of Regulation SCI, which may not apply to the vast 
majority of a CSP's other clients.
---------------------------------------------------------------------------

    \282\ Containerization allows developers to deploy applications 
more quickly by bundling an application with its required 
frameworks, configuration files, and libraries such that it may be 
run in different computing environments. Container orchestrators 
allow for automated deployment of identical applications across 
different environments, and simplify the process for management, 
scaling, and networking of containers.
---------------------------------------------------------------------------

    More broadly, an SCI entity should ensure that it is able to meet 
its regulatory obligations under Regulation SCI, including the notice 
and dissemination requirements of Rule 1002. When there is a systems 
issue (including, for example, an outage or a cybersecurity event) at a 
CSP, a wide swath of CSP clients may be affected. SCI entities have 
regulatory requirements under Regulation SCI that other CSP clients may 
not have, and an SCI entity must have information regarding such issues 
within the time requirements of Regulation SCI to comply with its 
notice and dissemination requirements.\283\
---------------------------------------------------------------------------

    \283\ See, e.g., Rule 1002 (relating to an SCI entity's 
obligations with respect to SCI events). See also Rule 1001(c) 
(which includes requirements that an SCI entity's policies and 
procedures include escalation procedures to quickly inform 
responsible SCI personnel of potential SCI events).
---------------------------------------------------------------------------

    An SCI entity should also be cognizant of its data security and 
recordkeeping obligations under Regulation SCI,\284\ and generally 
should consider how the CSP and its employees or contractors would 
secure confidential information, how and where it would retain 
information (including all records required to be kept under Regulation 
SCI), how the information would be accessed by the personnel of the SCI 
entity, or others, such as those conducting SCI reviews and Commission 
staff, as well as ensure that such information access will be provided 
in a manner that provides for its compliance with the requirements of 
Regulation SCI.
---------------------------------------------------------------------------

    \284\ See 17 CFR 242.1001(a)(2)(iv) (``Rule 1001(a)(2)(iv)'') 
(relating to, among other things, vulnerabilities pertaining to 
internal threats) and Rule 1005 (relating to recordkeeping 
requirements related to compliance with Regulation SCI). See also 
infra section III.C.3.a (discussing newly proposed 17 CFR 
242.1001(a)(2)(x) (``proposed Rule 1001(a)(2)(x)''), relating to 
unauthorized access to systems and information).
---------------------------------------------------------------------------

    While the discussion above is focused on CSPs, they are only one of 
many types of third-party providers an SCI entity may utilize. The 
discussion above is not an exhaustive list of issues SCI entities 
generally should consider with respect to utilizing CSPs; in addition, 
while the discussion provides some illustrative examples of areas of 
potential concern in an SCI entity's relationship with a CSP, similar 
issues may be applicable to the relationships between SCI entities and 
other types of third parties. In addition, some third-party providers 
may provide key functionality that may not have been widely utilized by 
SCI entities when Regulation SCI was adopted,\285\ and the Commission 
anticipates that third-party providers will likely arise to provide 
other types of functionality, service, or support to SCI entities that 
are not contemplated yet today. All the same, the Commission believes 
that any third-party provider that an SCI entity uses with respect to 
its SCI systems and indirect SCI systems should be managed 
appropriately by the SCI entity to help ensure that such utilization of 
the third-party provider is consistent with the SCI entity's 
obligations under Regulation SCI.
---------------------------------------------------------------------------

    \285\ Examples of this are the services of shadow 
infrastructure providers, such as edge cloud computing, content 
delivery networks, and DNS providers.
---------------------------------------------------------------------------

    As discussed above, when the Commission adopted Regulation SCI in 
2014, it had accounted for the possibility that an SCI entity might 
utilize third-party providers to operate its SCI systems or indirect 
SCI systems by incorporating the phrase ``on behalf of'' in certain key 
definitions of Regulation SCI.\286\ In addition, ``outsourcing'' is one 
of the ``domains'' identified by the Commission and its staff.\287\ 
Based on the experience of Commission staff, all SCI entities that 
utilize third-party providers have some level of third-party provider 
oversight in place. However, given the growing role they are playing 
with respect to SCI systems and indirect SCI systems, and because the 
myriad of issues that may arise with respect to third-party providers 
(including, but not limited to oversight, access, speed of information 
flow, security and unauthorized access, loss of expertise internally, 
and lock-in) may become even more amplified when taking into account 
the regulatory obligations of SCI entities, the Commission believes 
that it is appropriate to delineate more clearly requirements with 
respect to the oversight and management of third-party providers, and 
thus is proposing to revise Regulation SCI to include additional 
requirements relating to third-party providers.\288\
---------------------------------------------------------------------------

    \286\ See supra notes 268-270 and accompanying text (discussing 
``on behalf of'').
    \287\ See SCI Adopting Release, supra note 1, at 72302. See also 
Staff Guidance on Current SCI Industry Standards 5, 8 (Nov. 19, 
2014), available at https://www.sec.gov/rules/final/2014/staff-guidance-current-sci-industry-standards.pdf.
    \288\ The Commission proposed the Clearing Agency Governance 
rules in Aug. 2022, which contains, among other proposed 
requirements, proposed new 17 CFR 240.17Ad-25(i) (``Rule 17Ad-
25(i)''). See Clearing Agency Governance and Conflicts of Interest, 
Securities Exchange Act Release No. 95431 (Aug. 8, 2022), 87 FR 
51812 (Aug. 23, 2022) (proposing policy and procedure requirements 
for clearing agency board of directors to oversee relationships with 
service providers for critical services to, among other things, 
confirm and document that risks related to relationships with 
service providers for critical services are managed in a manner 
consistent with its risk management framework, and review senior 
management's monitoring of relationships with service providers for 
critical services, and to review and approve plans for entering into 
third-party relationships where the engagement entails being a 
service provider for critical services to the registered clearing 
agency). Registered clearing agencies that would be subject to 
proposed Rule 17Ad-25(i), if adopted, would also be subject to 
Regulation SCI, as proposed to be amended. However, the scope of 
proposed Rule 17Ad-25(i) is meant to address not only service 
providers providing technology or systems-based services, but also 
service providers that would include the clearing agency's parent 
company under contract to staff the registered clearing agency, as 
well as service providers that are investment advisers under 
contract to help facilitate the closing out of a defaulting 
participant's portfolio. See id. at 51836. Commenters are encouraged 
to review the Clearing Agency Governance proposed rules to determine 
whether they might affect their comments on this proposal.
---------------------------------------------------------------------------

b. Third-Party Provider Management Program
    The Commission is proposing new 17 CFR 242.1001(a)(2)(ix) 
(``proposed Rule 1001(a)(2)(ix)'') regarding third-party provider 
management. While some SCI entities may already have a formal vendor 
management program, the Commission is proposing to require that SCI 
entities have a third-party provider management program that includes 
certain elements. Specifically, proposed Rule 1001(a)(2)(ix) would 
require each SCI entity to include in its policies and procedures 
required under Rule 1001(a)(1) a program to manage and

[[Page 23179]]

oversee third-party providers that provide functionality, support or 
service, directly or indirectly, for its SCI systems and, for purposes 
of security standards, indirect SCI systems. The Commission is 
proposing this new provision to help ensure that an SCI entity that 
elects to utilize a third-party provider will be able to meet its 
obligations under Regulation SCI.
i. Third-Party Provider Contract Review
    First, the program would be required to include initial and 
periodic review of contracts with such third-party providers for 
consistency with the SCI entity's obligations under Regulation SCI. The 
Commission believes that it is critical that each SCI entity carefully 
analyze and understand the impact any third-party providers it chooses 
to utilize may have on its ability to satisfy its obligations under 
Regulation SCI. As discussed above,\289\ the Commission recognizes that 
many SCI entities may seek to and, in practice, do outsource certain of 
their SCI-related functionality, support, or service to third parties. As 
key entities in our securities markets, SCI entities have regulatory 
obligations that are not placed upon non-SCI entities, and third-party 
providers SCI entities may utilize may not be familiar with the 
requirements of Regulation SCI. As the Commission stated in adopting 
Regulation SCI, if an SCI entity determines to utilize a third party 
for an applicable system, ``it is responsible for having in place 
processes and requirements to ensure that it is able to satisfy the 
applicable requirements of Regulation SCI for such system.'' \290\ And, 
if an SCI entity is uncertain of its ability to manage a third-party 
relationship (including through contract terms, among other methods) to 
satisfy the requirements of Regulation SCI, ``then it would need to 
reassess its decision to outsource the applicable system to such third 
party.'' \291\ Thus, it is incumbent on SCI entities to review their 
relationships with such third-party providers to ensure that the SCI 
entities are able to satisfy their obligations under Regulation SCI. In 
addition, consistent with the current requirement that an SCI entity 
periodically review the effectiveness of its policies and procedures, 
this provision would require an SCI entity to review contracts with 
such third-party providers periodically for consistency with the SCI 
entity's obligations under Regulation SCI.
---------------------------------------------------------------------------

    \289\ See supra section III.C.2.a.
    \290\ See SCI Adopting Release, supra note 1, at 72276.
    \291\ See id.
---------------------------------------------------------------------------

    A foundational part of this review is to ensure that any contracts 
that the SCI entity has with such third-party providers are consistent 
with the requirements of Regulation SCI. These documents govern the 
obligations and expectations as between an SCI entity and a third-party 
provider it utilizes, and the SCI entity is responsible for assessing 
if these agreements allow it to comply with the requirements of 
Regulation SCI. For example, an SCI entity generally should consider 
whether or not it is appropriate to rely on a third-party provider's 
standard contract or standard service level agreement (``SLA''), 
particularly if such contract or SLA has not been drafted with 
Regulation SCI's requirements in mind. Moreover, regardless of 
whether an SCI entity is negotiating with the dominant provider in the 
field, has made its best efforts in negotiating contract or SLA terms, 
or has extracted what it believes to be ``the best terms'' it (or any 
client of the third party) could get, if the SCI entity determines that 
any term in such agreements is inconsistent with such SCI entity's 
obligations under Regulation SCI, the SCI entity should reassess 
whether such outsourcing arrangement is appropriate and will allow it 
to meet its obligations under Regulation SCI. In addition, in some 
cases, particularly where the third-party provider would play a 
significant role in the operation of an SCI entity's SCI systems or 
indirect SCI systems, or provide functionality, support, or service to 
such systems without which there would be a meaningful impact, an SCI 
entity and its third-party provider may find it useful to negotiate an 
addendum to any standard contract to separate and highlight the 
contractual understanding of the parties with respect to SCI-related 
obligations.
    While each contract's specific terms and circumstances will likely 
differ, there are several considerations that SCI entities generally 
should take into account when entering into such a contract. For 
example, SCI entities generally should consider whether a contract 
raises doubt as to its consistency with the SCI entity's obligations under 
Regulation SCI (e.g., the contract terms are vague regarding the third-
party provider's obligations to the SCI entity to enable the SCI entity 
to meet its SCI obligations). Generally, contractual terms should not 
be silent or lack substance on key aspects of Regulation SCI that would 
need the third-party provider's cooperation (e.g., SCI event 
notifications and information dissemination, and business continuity 
and disaster recovery for an SCI entity seeking to move its SCI systems 
to a cloud service provider). Nor should they undermine the ability of 
the SCI entity to oversee and manage the third party (e.g., by limiting 
the SCI entity's personnel's ability to assess whether systems operated 
by a third-party provider on behalf of the SCI entity satisfy the 
requirements of Regulation SCI). The SCI entity may want to consider 
and, if appropriate, negotiate provisions that provide priority to the 
SCI entity's systems, such as for failover and/or business continuity 
and disaster recovery (``BC/DR'') scenarios, if needed to meet the SCI 
entity's obligations under Regulation SCI. In addition, an SCI entity 
generally should review the contract for provisions that, by their 
terms, are inconsistent with Regulation SCI or would otherwise fail to 
satisfy the requirements of Regulation SCI (e.g., restricting 
information flow to the SCI entity and/or Commission and its staff 
pursuant to a non-disclosure agreement in a manner inconsistent with 
the requirements of Regulation SCI; specifying response times that are 
inconsistent with (i.e., slower than) those required by Regulation SCI 
with respect to notifications regarding SCI events under Rule 1002). 
The Commission also believes that, to the extent possible, SCI entities 
may want to avoid defining terms in a contract with a third-party 
provider differently from how they are used in Regulation SCI, as this 
may introduce confusion as to the scope and applicability of Regulation 
SCI. In addition, although it is a term that may be common in many 
commercial contracts, provisions that provide the third-party provider 
with the contractual right to be able to make decisions that would 
negatively impact an SCI entity's obligations in its ``commercially 
reasonable discretion'' should be carefully considered, as what may be 
considered ``commercially reasonable'' for many entities that are not 
subject to Regulation SCI may not be appropriate for an SCI entity and 
its SCI systems and indirect SCI systems when taking into consideration 
the regulatory obligations of Regulation SCI.
ii. Risk-Based Assessment of Third-Party Providers
    The Commission is also proposing in proposed Rule 1001(a)(2)(ix) to 
require each SCI entity to undertake a risk-based assessment of each 
third-party provider's criticality to the SCI entity, including 
analyses of third-party provider concentration, of key dependencies if 
the third-party provider's functionality, support, or

[[Page 23180]]

service were to become unavailable or materially impaired, and of any 
potential security, including cybersecurity, risks posed. The 
Commission believes that specifically requiring each SCI entity to 
undertake a risk-based assessment of each of its third-party providers' 
criticality to the SCI entity will help them more fully understand the 
risks and vulnerabilities of utilizing each third-party provider, and 
provide the opportunity for the SCI entity to better prepare in advance 
for contingencies should the provider's functionality, support, or 
service become unavailable or materially impaired. In performing this 
risk-based assessment, SCI entities would be required to consider 
third-party provider concentration, which would help ensure that they 
properly account and prepare contingencies or alternatives for an 
overreliance on a given third-party provider by the SCI entity or by 
its industry. In addition, each SCI entity would be required to assess 
any potential security, including cybersecurity, risks posed by its 
third-party provider, to help ensure that the SCI entity takes into 
consideration not only the benefits it believes a third-party provider 
can provide it, but also the security risks involved in utilizing a 
given provider.
c. Third-Party Providers for Critical SCI Systems
    The newly proposed provisions of proposed Rule 1001(a)(2)(ix) 
discussed above would apply to all SCI entities for all of their SCI 
systems. However, given the essential nature of critical SCI 
systems,\292\ the Commission believes that it is appropriate to require 
SCI entities to have even more robust policies and procedures with 
respect to any third-party provider that supports such systems. In 
adopting Regulation SCI, the Commission stated that critical SCI 
systems are those SCI systems ``whose functions are critical to the 
operation of the markets, including those systems that represent 
potential single points of failure in the securities markets [and] . . 
. are those that, if they were to experience systems issues, the 
Commission believes would be most likely to have a widespread and 
significant impact on the securities market.'' \293\ Therefore, the 
Commission is proposing to revise Rule 1001(a)(2)(v), which relates to 
the business continuity and disaster recovery plans of SCI entities. 
Currently, Rule 1001(a)(2)(v) requires their policies and procedures to 
include business continuity and disaster recovery plans that include 
maintaining backup and recovery capabilities sufficiently resilient and 
geographically diverse and that are reasonably designed to achieve next 
business day resumption of trading and two-hour resumption of critical 
SCI systems following a wide-scale disruption. To help ensure that SCI 
entities are appropriately prepared for any contingency relating to a 
third-party provider with respect to critical SCI systems, the 
Commission is proposing to revise Rule 1001(a)(2)(v) to also require 
the BC/DR plans of SCI entities to be reasonably designed to address 
the unavailability of any third-party provider that provides 
functionality, support, or service to the SCI entity without which 
there would be a material impact on any of its critical SCI systems.
---------------------------------------------------------------------------

    \292\ Critical SCI systems include systems that directly support 
functionality relating to: (i) clearance and settlement systems of 
clearing agencies; (ii) openings, reopenings, and closings on the 
primary listing market; (iii) trading halts; (iv) initial public 
offerings; (v) the provision of market data by a plan processor; or 
(vi) exclusively listed securities. In addition, the definition of 
critical SCI systems includes a catchall provision for systems that 
provide functionality to the securities markets for which the 
availability of alternatives is significantly limited or nonexistent 
and without which there would be a material impact on fair and 
orderly markets.
    \293\ See SCI Adopting Release, supra note 1, at 72277.
---------------------------------------------------------------------------

    As discussed above, the Commission is proposing under proposed Rule 
1001(a)(2)(ix) to require each SCI entity to conduct a risk-based 
assessment of the criticality of each of its third-party providers to 
the SCI entity. With respect to an SCI entity's critical SCI systems, 
the Commission believes the revised provisions of Rule 1001(a)(2)(v) 
are appropriate to ensure that an SCI entity has considered and 
addressed in its BC/DR plans how it would deal with a situation in 
which a third-party provider that provides any functionality, support, 
or service for any of its critical SCI systems has an issue that would 
materially impact any such system. For example, such BC/DR plans 
generally should not only take into account and address temporary 
losses of functionality, support, or service--such as a momentary 
outage that interrupts a feed or a cybersecurity event at the 
third-party provider--but also consider more extended 
outage scenarios, including if the third-party provider goes into 
bankruptcy or dissolves, or if it breaches its contract and decides to 
suddenly, unilaterally, and/or permanently cease to provide the SCI 
entity's critical SCI systems with functionality, support, or 
service.\294\ In determining how to satisfy the requirement that 
policies and procedures be reasonably designed to address the 
unavailability of any third-party provider that provides functionality, 
support, or service to the SCI entity without which there would be a 
material impact on any of its critical SCI systems, an SCI entity could 
consider if use of a CSP for its critical SCI systems also warrants 
maintaining an ``on-premises'' backup data center or other contingency 
plan which could be employed in the event of the scenarios noted above.
---------------------------------------------------------------------------

    \294\ While such scenarios may appear to be improbable, given 
the criticality of the critical SCI systems to the SCI entity and 
U.S. securities markets, SCI entities should have plans in place to 
account for such scenarios, however remote.
---------------------------------------------------------------------------
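
    The risk-based assessment described in section ii (criticality, 
concentration, key dependencies, and security risk of each third-party 
provider) and the provider-unavailability scenarios for critical SCI 
systems described in section c can both be exercised against a single 
inventory of which systems depend on which providers. The following is 
an added worked example; it is not part of the Commission's release or 
of any SCI entity's program. The system names, provider names, and 
access labels are constructed, and the classification labels mirror the 
release's categories of critical SCI systems, SCI systems, and indirect 
SCI systems.

```python
"""Third-party provider criticality and concentration assessment.

Added example, not part of the Commission's release. Every system,
provider, and access label below is constructed for illustration.
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class System:
    """One entry in the SCI entity's systems inventory."""
    name: str
    classification: str          # "critical" (critical SCI system), "sci", or "indirect"
    providers: frozenset         # providers the primary deployment depends on
    backup_providers: frozenset  # providers the BC/DR backup depends on; empty = run in-house


# Constructed: what each provider can reach, for the security-risk leg of the assessment.
PROVIDER_ACCESS = {
    "CloudA": {"privileged_admin", "data_at_rest"},
    "CloudB": {"data_at_rest"},
    "DnsCo": {"network_path"},
    "AnalyticsCo": {"data_at_rest"},
    "CdnCo": {"network_path"},
}


def sample_inventory():
    """Constructed inventory; all names are hypothetical."""
    return [
        System("matching_engine", "critical", frozenset({"CloudA"}), frozenset({"CloudA"})),
        System("market_data_feed", "critical", frozenset({"CloudA", "DnsCo"}), frozenset({"CloudB"})),
        System("trade_reporting", "sci", frozenset({"CloudA"}), frozenset()),
        System("surveillance", "sci", frozenset({"AnalyticsCo"}), frozenset()),
        System("member_portal", "indirect", frozenset({"CloudA", "CdnCo"}), frozenset()),
    ]


def all_providers(inventory):
    """Every provider named anywhere in the inventory, primary or backup."""
    return sorted({p for s in inventory for p in s.providers | s.backup_providers})


def systems_lost(inventory, provider):
    """Primary deployments that stop if `provider` becomes unavailable or materially impaired."""
    return sorted(s.name for s in inventory if provider in s.providers)


def provider_criticality(inventory, provider):
    """Rank a provider by the most important system whose primary deployment depends on it."""
    rank = {"critical": 3, "sci": 2, "indirect": 1}
    label = {3: "critical", 2: "high", 1: "low", 0: "none"}
    best = max((rank[s.classification] for s in inventory if provider in s.providers), default=0)
    return label[best]


def concentration(inventory):
    """Share of all systems, and of critical SCI systems, whose primary deployment
    depends on each provider. A high critical share is the overreliance the
    assessment is meant to surface (aggregate across entities for the industry view)."""
    critical = [s for s in inventory if s.classification == "critical"]
    out = {}
    for p in all_providers(inventory):
        total = sum(1 for s in inventory if p in s.providers)
        crit = sum(1 for s in critical if p in s.providers)
        out[p] = (total / len(inventory), crit / len(critical) if critical else 0.0)
    return out


def backup_diversity_gaps(inventory):
    """Critical SCI systems whose BC/DR backup depends on a provider the primary
    also depends on: loss of that provider takes primary and backup down together."""
    gaps = {}
    for s in inventory:
        shared = s.providers & s.backup_providers
        if s.classification == "critical" and shared:
            gaps[s.name] = sorted(shared)
    return gaps


def assess(inventory, access=PROVIDER_ACCESS):
    """Per-provider report covering the three legs of the proposed assessment:
    criticality and dependencies, concentration, and security risk."""
    conc = concentration(inventory)
    spof = {p for ps in backup_diversity_gaps(inventory).values() for p in ps}
    report = {}
    for p in all_providers(inventory):
        share_all, share_critical = conc[p]
        report[p] = {
            "criticality": provider_criticality(inventory, p),
            "systems_lost": systems_lost(inventory, p),
            "share_all": round(share_all, 2),
            "share_critical": round(share_critical, 2),
            "single_point_of_failure": p in spof,
            # privileged or network-path access is a potential intrusion route into SCI systems
            "security_flags": sorted(access.get(p, set()) & {"privileged_admin", "network_path"}),
        }
    return report


if __name__ == "__main__":
    for provider, row in assess(sample_inventory()).items():
        print(provider, row)
```

    In the constructed inventory, the report flags the hypothetical 
CloudA as critical, as carrying every critical SCI system, and as a 
single point of failure because the matching engine's backup runs on the 
same provider as its primary; that is the provider-diversity question 
raised in the request for comment, and the case in which an on-premises 
backup or a second provider would be considered. A provider that appears 
only as a backup (CloudB) is ranked "none" for loss of primary 
functionality but still appears in the report, since its security 
posture is in scope.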

d. Third-Party Provider Participation in BC/DR Testing
    With respect to an SCI entity's business continuity and disaster 
recovery plans, including its backup systems, Rule 1004 of Regulation 
SCI requires SCI entities to: (a) establish standards for the 
designation of those members or participants that the SCI entity 
reasonably determines are, taken as a whole, the minimum necessary for 
the maintenance of fair and orderly markets in the event of the 
activation of such plans; (b) designate members or participants 
pursuant to such standards and require participation by such designated 
members or participants in scheduled functional and performance testing 
of the operation of such plans, in the manner and frequency specified 
by the SCI entity, provided that such frequency shall not be less than 
once every 12 months; and (c) coordinate the testing of such plans on 
an industry- or sector-wide basis with other SCI entities.\295\
---------------------------------------------------------------------------

    \295\ See 17 CFR 242.1004. See also SCI Adopting Release, supra 
note 1, at 72347-55 (providing a more detailed discussion of the BC/
DR testing requirements under Rule 1004).
---------------------------------------------------------------------------

    Because the Commission believes that some third-party providers may 
be of such importance to the operations of an SCI entity, the 
Commission is proposing to include certain third-party providers in the 
BC/DR testing requirements of Rule 1004. In the same way SCI entities 
currently are required to establish standards for and require 
participation by their members or participants in the annual industry-
wide testing required of all SCI entities, the Commission is proposing to add 
third-party providers as another category of entities. Thus, pursuant 
to revised paragraph (a) of Rule 1004, an SCI entity would be required 
also to establish standards for the designation of third-party 
providers (in addition to members or participants) that it determines 
are, taken as a whole, the minimum necessary for the

[[Page 23181]]

maintenance of fair and orderly markets in the event of the activation 
of the SCI entity's BC/DR plans. In addition, paragraph (b) of Rule 
1004 would require each SCI entity to designate such third-party 
providers (in addition to members or participants) pursuant to such 
standards and require their participation in the scheduled functional 
and performance testing of the operation of such BC/DR plans, which 
would occur not less than once every 12 months and which would be 
coordinated with other SCI entities on an industry- or sector-wide 
basis.
    As discussed above, SCI entities often employ a wide array of 
third-party providers which perform a multitude of different functions, 
support, or services for them. While many of these third-party 
providers may provide relatively minor functions, support, or services 
for an SCI entity, there may be one or more third-party providers of 
such significance to the operations of an SCI entity that, without the 
functions, support, or services of such provider(s), the maintenance of 
fair and orderly markets in the event of the activation of the SCI 
entity's BC/DR plans would not be possible. For example, the Commission 
believes it likely that, for an SCI entity that utilizes a cloud 
service provider for all, or nearly all, of its operations, such CSP 
would be of such importance to the operations of the SCI entity and the 
maintenance of fair and orderly markets in the event of the activation 
of the SCI entity's BC/DR plans that it would be required to 
participate in the BC/DR testing required by Rule 1004.\296\
---------------------------------------------------------------------------

    \296\ Contractual arrangements with applicable third-party 
providers that require such providers to engage in BC/DR testing 
could help ensure implementation of this requirement. See also SCI 
Adopting Release, supra note 1, at 72350 (discussing how contractual 
arrangements by SCI entities that are not SROs would enable such SCI 
entities to implement the BC/DR testing requirement for their 
members or participants).
---------------------------------------------------------------------------

e. Third-Party Providers of Certain Registered Clearing Agencies
    The Commission may examine the provision of services by third-party 
providers of certain registered clearing agencies. The Financial 
Stability Oversight Council (``FSOC'') has designated certain financial 
market utilities (``FMUs'') \297\ as systemically important or likely 
to become systemically important financial market utilities 
(``SIFMUs'').\298\ The Payment, Clearing, and Settlement Supervision 
Act of 2010 (``Clearing Supervision Act''), enacted in Title VIII of 
the Dodd-Frank Wall Street Reform and Consumer Protection Act of 2010 
(``Dodd-Frank Act''), provides for the enhanced regulation of certain 
FMUs.\299\ FMUs include clearing agencies that manage or operate a 
multilateral system for the purpose of transferring, clearing, or 
settling payments, securities, or other financial transactions among 
financial institutions or between financial institutions and the 
FMU.\300\ For SIFMUs, the Clearing Supervision Act provides for 
enhanced coordination between the Commission and Federal Reserve Board 
by allowing for regular on-site examinations and information 
sharing,\301\ and further provides that the Commission and CFTC shall 
coordinate with the Federal Reserve Board to develop risk management 
supervision programs for SIFMUs jointly.\302\ In addition, section 807 
of the Clearing Supervision Act provides that ``[w]henever a service 
integral to the operation of a designated financial market utility is 
performed for the designated financial market utility by another 
entity, whether an affiliate or non-affiliate and whether on or off the 
premises of the designated financial market utility, the Supervisory 
Agency may examine whether the provision of that service is in 
compliance with applicable law, rules, orders, and standards to the 
same extent as if the designated financial market utility were 
performing the service on its own premises.'' \303\ Given the 
importance of the provision of services by SIFMUs to the U.S. financial 
system and global financial stability, SIFMU third-party providers may 
be integral to the operation of the SIFMU and thus be examined by the 
Commission.
---------------------------------------------------------------------------

    \297\ See 12 U.S.C. 5462(6). The definition of ``financial 
market utility'' in section 803(6) of the Clearing Supervision Act 
contains a number of exclusions that include, but are not limited 
to, certain designated contract markets, registered futures 
associations, swap data repositories, swap execution facilities, 
national securities exchanges, national securities associations, 
alternative trading systems, security-based swap data repositories, 
security-based swap execution facilities, brokers, dealers, transfer 
agents, investment companies, and futures commission merchants. See 
12 U.S.C. 5462(6)(B).
    \298\ See 12 U.S.C. 5463. An FMU is systemically important if 
the failure of or a disruption to the functioning of such FMU could 
create or increase the risk of significant liquidity or credit 
problems spreading among financial institutions or markets and 
thereby threaten the stability of the U.S. financial system. See 12 
U.S.C. 5462(9). On July 18, 2012, the FSOC designated as 
systemically important the following then-registered clearing 
agencies: CME Group (``CME''), DTC, FICC, ICC, NSCC, and OCC. The 
Commission is the supervisory agency for DTC, FICC, NSCC, and OCC, 
and the CFTC is the supervisory agency for CME and ICC. The 
Commission jointly regulates ICC and OCC with the CFTC. The 
Commission also jointly regulates ICE Clear Europe (``ICEEU''), 
which has not been designated as systemically important by FSOC, 
with the CFTC and Bank of England. The Commission also jointly 
regulated CME with the CFTC until 2015, when the Commission 
published an order approving CME's request to withdraw from 
registration as a clearing agency. See Securities Exchange Act 
Release No. 76678 (Dec. 17, 2015), 80 FR 79983 (Dec. 23, 2015).
    \299\ The objectives and principles for the risk management 
standards prescribed under the Clearing Supervision Act shall be to 
(i) promote robust risk management; (ii) promote safety and 
soundness; (iii) reduce systemic risks; and (iv) support the 
stability of the broader financial system. Further, the Clearing 
Supervision Act states that the standards may address areas such as 
risk management policies and procedures; margin and collateral 
requirements; participant or counterparty default policies and 
procedures; the ability to complete timely clearing and settlement 
of financial transactions; capital and financial resources 
requirements for designated FMUs; and other areas that are necessary 
to achieve the objectives and principles described above. See 12 
U.S.C. 5464(b), (c).
    \300\ See 12 U.S.C. 5462(6).
    \301\ See 12 U.S.C. 5466.
    \302\ See 12 U.S.C. 5472; see also Federal Reserve Board, et 
al., Risk Management Supervision of Designated Clearing Entities 
(July 2011), available at https://www.federalreserve.gov/publications/other-reports/files/risk-management-supervision-report-201107.pdf (describing the joint supervisory framework of the 
Commission, CFTC, and Federal Reserve Board).
    \303\ 12 U.S.C. 5466.
---------------------------------------------------------------------------

f. Request for Comment
    58. Do SCI entities employ third-party providers to operate SCI 
systems or indirect SCI systems on their behalf? If so, what types of 
systems are most frequently operated by third parties?
    59. Please describe SCI entities' use of third-party providers 
generally, even if they do not operate SCI systems or indirect SCI 
systems on behalf of an SCI entity. What types of functionality, 
support, or service do such entities provide to SCI entities? Please 
describe.
    60. The Commission requests commenters' views on significant issues 
that they believe SCI entities should take into account with respect to 
their use of third-party providers and the requirements of Regulation 
SCI. Are there common or important issues that commenters believe the 
Commission should focus on in addition to those discussed above? If so, 
please describe.
    61. Do commenters believe it is appropriate to require, as in 
proposed Rule 1001(a)(2)(ix), that each SCI entity have a program to 
manage and oversee third-party providers that provide functionality, 
support or service, directly or indirectly, for its SCI systems and, 
for purposes of security standards, indirect SCI systems? Do commenters 
believe that such a program should require an initial and periodic 
review of contracts with such providers for consistency with the SCI 
entity's obligations under Regulation SCI? Why or why not?
    62. Do commenters believe that it is appropriate to require each 
SCI entity to

[[Page 23182]]

include a risk-based assessment of each third-party provider's 
criticality to the SCI entity, including analyses of third-party 
provider concentration, of key dependencies if the third-party 
provider's functionality, support, or service were to become 
unavailable or materially impaired, and of any potential security, 
including cybersecurity, risks posed? Why or why not?
    63. Are there any third-party providers, or types of third-party 
providers, that commenters believe an SCI entity or SCI entities rely 
on in a manner that creates, from the commenters' point of view, undue 
concentration risk? If so, please describe.
    64. Are there other aspects of third-party provider management that 
commenters believe should be included in the proposed rule provision? 
If so, please describe.
    65. Do commenters agree with the proposed revisions to Rule 
1001(a)(2)(v) to require the BC/DR plans of SCI entities to be 
reasonably designed to address the unavailability of any third-party 
provider that provides functionality, support, or service to the SCI 
entity without which there would be a material impact on any of its 
critical SCI systems? Why or why not? Do commenters believe that any 
such providers exist today for the critical SCI systems of SCI 
entities? If so, please describe. Should the Commission require third-
party provider diversity for critical systems of an SCI entity, for 
example, requiring an SCI entity that utilizes a third-party provider 
for its critical SCI systems to use a different party (i.e., another 
third-party provider or operate the critical SCI system itself) for its 
backup for such systems? Why or why not?
    66. Do commenters agree with the proposed revisions to Rule 1004 to 
require that SCI entities establish standards and designate third-party 
providers that must participate in BC/DR testing in the annual 
industry-wide BC/DR testing required by Rule 1004? Why or why not?
3. Security
    The Commission recognized the importance of security for the 
technology systems of SCI entities and included various requirements 
and provisions in Regulation SCI relating to the security of an SCI 
entity's SCI systems. For example, the rules provide that minimum 
policies and procedures must provide for, among other things, regular 
reviews and testing of systems, including backup systems, to identify 
vulnerabilities from internal and external threats.\304\ In addition, 
penetration testing is required as part of the SCI review.\305\ 
Recognizing that SCI systems may be vulnerable if other types of 
systems are not physically or logically separated (or ``walled off''), 
Regulation SCI also specifies that ``indirect SCI systems''--defined as 
systems that if breached, are reasonably likely to pose a security 
threat to SCI systems--are also subject to the provisions of Regulation 
SCI relating to security standards and systems intrusions.\306\ Thus, 
the application of Regulation SCI to indirect SCI systems could 
encourage SCI entities to establish effective controls that result in 
the core SCI systems being logically or physically separated from other 
systems that could provide vulnerable entry points into SCI systems, 
thereby removing these non-SCI systems from the scope of indirect SCI 
systems.\307\
---------------------------------------------------------------------------

    \304\ See 17 CFR 242.1001(a)(2)(iv).
    \305\ See 17 CFR 242.1003(b)(1)(i).
    \306\ See 17 CFR 242.1000.
    \307\ See SCI Adopting Release, supra note 1, at 72287-89 
(discussing systems intrusions).
---------------------------------------------------------------------------

    Regulation SCI also includes ``systems intrusions'' \308\ as one of 
three types of SCI events for which SCI entities are required to take 
corrective action, provide notification to the Commission, and 
disseminate information to their members and participants.\309\ Since 
the adoption of Regulation SCI in 2014, cybersecurity has continued to 
be a significant concern for SCI entities and non-SCI entities alike. 
Various studies and surveys have noted significant increases in 
cybersecurity events \310\ across all types of companies in recent 
years.\311\ Among these are targeted ransomware attacks that lock 
access to a victim's data unless a ransom is paid, and have included 
certain high-profile incidents involving the local government of a 
major U.S. city \312\ as well as one of the largest oil pipelines in 
the United States.\313\ Cybersecurity events have also included hacks 
that have had widespread impacts across many industries and types of 
entities.\314\ Financial sector entities have been vulnerable to 
cybersecurity events as well, including the Society for Worldwide 
Interbank Financial Telecommunication (``SWIFT''), an international 
cooperative of financial institutions that provides safe and secure 
financial transactions for its members, which was the target of a 
series of cybersecurity events in 2015 and 2016, including one incident 
in which $81 million was stolen.\315\
---------------------------------------------------------------------------

    \308\ A ``systems intrusion'' is defined as ``any unauthorized 
entry into the SCI systems or indirect SCI systems of an SCI 
entity.'' See 17 CFR 242.1000.
    \309\ See 17 CFR 242.1002.
    \310\ Cybersecurity events can span a wide variety of types of 
threats. For example, FINRA summarized common cybersecurity threats 
faced by broker-dealers to include phishing, imposter websites, 
malware, ransomware, distributed denial-of-service attacks, and 
vendor breaches, among others. See FINRA, Common Cybersecurity 
Threats, available at www.finra.org/rules-guidance/guidance/common-cybersecurity-threats.
    \311\ See, e.g., Financial Services Information Sharing and 
Analysis Center, Navigating Cyber 2022 (Mar. 2022), available at 
www.fsisac.com/navigatingcyber2022-report (detailing cyber threats 
that emerged in 2021 and predictions for 2022); Bree Fowler, Number 
and cost of cyberattacks continue to grow, new survey says, CNET 
(Jan. 21, 2022), available at https://www.cnet.com/news/privacy/cyberattacks-continue-to-increase-new-survey-says (citing, among 
other things, Anomali's poll of cybersecurity decision makers that 
87% of their companies had experienced a cyberattack in the past 
three years that resulted in damage, disruption, or data breach); 
Accenture, Triple digit increase in cyberattacks: What next? (Aug. 
4, 2021), available at www.accenture.com/us-en/blogs/security/triple-digit-increase-cyberattacks; Chris Morris, Cyberattacks and 
ransomware hit a new record in 2021, says report, Fast Company (Jan. 
25, 2022), available at https://www.fastcompany.com/90715622/cyberattacks-ransomware-data-breach-new-record-2021 (citing report 
by Identity Theft Resource Center stating that the number of 
security compromises was up more than 68% in 2021).
    \312\ See, e.g., Stephen Deere, Cost of City of Atlanta's cyber 
attack: $2.7 million--and rising, The Atlanta Journal-Constitution 
(Apr. 12, 2018), available at https://www.ajc.com/news/cost-city-atlanta-cyber-attack-million-and-rising/nABZ3K1AXQYvY0vxqfO1FI/ 
(describing the costs relating to a five-day ransomware attack on 
the City of Atlanta in Mar. 2018).
    \313\ See, e.g., Clare Duffy, Colonial Pipeline attack: A `wake 
up call' about the threat of ransomware, CNN Business (May 16, 
2021), available at https://www.cnn.com/2021/05/16/tech/colonial-ransomware-darkside-what-to-know/ (describing the 
ransomware attack on a pipeline and concerns regarding the potential 
for similar attacks on critical US infrastructure).
    \314\ See, e.g., David Uberti, et al., The Log4j Vulnerability: 
Millions of Attempts Made Per Hour to Exploit Software Flaw, Wall 
Street Journal (Dec. 21, 2021), available at https://www.wsj.com/articles/what-is-the-log4j-vulnerability-11639446180 (discussing the 
Log4j hack).
    \315\ See, e.g., Kim Zetter, That Insane, $81M Bangladesh Bank 
Heist? Here's What We Know, WIRED (May 17, 2016), available at 
https://www.wired.com/2016/05/insane-81m-bangladesh-bank-heist-heres-know/.
---------------------------------------------------------------------------

    Given the continued and increasing risks associated with 
cybersecurity for SCI entities, the Commission believes it is 
appropriate to enhance the cybersecurity provisions of Regulation SCI 
to help ensure that SCI systems and indirect SCI systems of the most 
important entities in our securities markets remain secure.
a. Unauthorized Access to Systems and Information
    While Rule 1001(a)(1) already requires an SCI entity to have 
policies and procedures reasonably designed to ensure that its SCI 
systems and indirect SCI systems have levels of security adequate to 
maintain operational capabilities and promote the 
maintenance of fair and orderly markets, and Rule 1001(a)(4) specifies 
that policies and procedures will be deemed reasonable if consistent 
with current SCI industry standards, Rule 1001(a)(2) is not specific in 
terms of the need for an SCI entity to have access controls designed to 
protect both the security of the systems and the information residing 
therein. Limiting access to SCI systems and indirect SCI systems and 
the information residing therein to authorized purposes and users is 
particularly important given that these systems include the core 
technology of key U.S. securities markets entities, and would help 
ensure that such systems and information remain safeguarded and 
protected from unauthorized uses. Proposed Rule 1001(a)(2)(x) would 
specify that the Rule 1001(a)(1) policies and procedures of SCI 
entities include a program to prevent the unauthorized access to such 
systems and information residing therein. An SCI entity's policies and 
procedures generally should specify appropriate access controls to 
ensure that its applicable systems and information are protected. Such 
policies and controls generally should be designed to prevent both 
unauthorized external intruders as well as unauthorized internal 
personnel from access to these systems and information. For example, 
this would also include personnel that may be inappropriately accessing 
certain systems and/or information residing on such systems, though 
they may have authorized access to other systems, portions of systems, 
or certain information residing in such systems at the SCI entity. 
Thus, for example, the procedures and access controls at the SCI entity 
generally should provide for an appropriate patch management cycle for 
systems software, to ensure that known software vulnerabilities are 
identified and patches are deployed and validated in a timely manner. 
The procedures and access controls generally should also be calibrated 
sufficiently to account for such different levels of access for each 
person granted access to any part of the SCI entity's systems or 
information. In addition, this requirement would make clear that an SCI 
entity's policies and procedures are required to address not only 
protection of its technology systems, but also of the information 
residing on such systems.
    In developing and implementing such policies and procedures, SCI 
entities generally should develop a clear understanding of the need for 
access to systems and data, including identifying which users should 
have access to sensitive systems or data. In general, such policies and 
procedures should include: requiring standards of behavior for 
individuals authorized to access SCI systems and indirect SCI systems 
and information residing therein, such as an acceptable use policy; 
identifying and authenticating individual users; establishing 
procedures for the timely distribution, replacement, and revocation of 
passwords or methods of authentication; restricting access to specific 
SCI systems or components thereof or information residing therein only 
to individuals requiring access to such systems or information as is 
necessary for them to perform their responsibilities or functions for 
the SCI entity; and securing remote access technologies used to 
interface with SCI systems.\316\ Access to systems and data can be 
controlled through a variety of means, including but not limited to the 
issuance of user credentials, digital rights management with respect to 
proprietary hardware and copyrighted software, authentication methods 
including multifactor authentication as appropriate, tiered access to 
sensitive information and network resources, and security and access 
measures that are regularly monitored not only to provide access to 
authorized users, but also to remove access for users that are no 
longer authorized (e.g., due to termination of employment).\317\ As 
with other policies and procedures required under Rule 1001, SCI 
entities may, if they choose, look to SCI industry standards in 
developing their policies and procedures to prevent unauthorized access 
to information and systems.\318\
---------------------------------------------------------------------------

    \316\ See Exchange Act Cybersecurity Proposal, supra note 10.
    \317\ See Exchange Act Cybersecurity Proposal, supra note 10 
(similarly discussing examples of access controls).
    \318\ See Rule 1001(a)(4) of Regulation SCI (defining current 
SCI industry standards), which is discussed further in infra section 
III.C.5.
---------------------------------------------------------------------------

b. Penetration Testing
    Penetration tests can help entities understand how effective their 
security policies and controls are in the face of attempted and 
successful systems intrusions, and assist in revealing the potential 
threats and vulnerabilities to the entity's network and controls that 
might be exploited by malicious attackers to disrupt the operation of 
their systems, result in stolen confidential information, and damage 
their reputations. When the Commission adopted Regulation SCI in 2014, 
it required that SCI entities conduct penetration testing as part of 
their SCI reviews \319\ but, because of the costs associated with 
penetration testing at the time, only required that such tests be 
conducted once every three years.\320\ In the time since the adoption 
of Regulation SCI, cybersecurity has become an even greater and more 
pervasive concern for all types of businesses, including SCI entities. 
At the same time, best practices of businesses with respect to 
penetration testing have evolved so that such tests occur on a much 
more frequent basis, as businesses confront the threat of cybersecurity 
events on a wider scale.\321\
---------------------------------------------------------------------------

    \319\ Specifically, paragraph (b)(1) of Rule 1003 currently 
requires that ``[p]enetration test reviews of the network, 
firewalls, and production systems shall be conducted at a frequency 
of not less than once every three years . . .''. Rule 1003(b)(1).
    \320\ See SCI Adopting Release, supra note 1, at 72344.
    \321\ See, e.g., Fortra, 2022 Penetration Testing Report 14 
(July 7, 2022), available at https://static.fortra.com/core-security/pdfs/guides/cs-2022-pen-testing-report.pdf (stating that 
42% of respondents conducted penetration testing one or two times a 
year, and 45% of respondents conducted penetration testing at a more 
frequent pace); PCI Security Standards Council, Information 
Supplement: Penetration Testing Guidance 6 (Sept. 2017), available 
at https://listings.pcisecuritystandards.org/documents/Penetration-Testing-Guidance-v1_1.pdf (``at least annually and upon significant 
changes'').
---------------------------------------------------------------------------

    Given this, the Commission is proposing to increase the frequency 
of penetration testing by SCI entities so that such tests are conducted 
at least annually, rather than once every three years. The Commission 
believes that such tests are a critical component of ensuring the 
cybersecurity health of an SCI entity's technology systems and that 
such a frequency would help to ensure that robust measures are in place 
to protect an SCI entity's systems from cybersecurity events. In 
addition, the proposed annual frequency would only be a minimum 
frequency and SCI entities may choose to adopt even more frequent 
penetration tests if they feel it appropriate to do so.\322\
---------------------------------------------------------------------------

    \322\ As discussed further below, as part of the proposed 
revisions to the SCI review requirement, the Commission is also 
moving rule provisions relating to the substantive requirements of 
the SCI review to Rule 1000 under the definition of ``SCI review,'' 
while timing requirements relating to the SCI review and the report 
of the SCI review would be contained in Rule 1003(b). Thus, although 
currently the requirement relating to penetration test reviews is in 
Rule 1003, it is now proposed to be in Rule 1000.
---------------------------------------------------------------------------

    In addition, the Commission is proposing to require that the 
conduct of such penetration testing include testing by the SCI entity 
of any vulnerabilities of the SCI entity's SCI systems and indirect SCI 
systems identified pursuant to Sec. 242.1001(a)(2)(iv). Currently, the 
requirement in Rule 1003 with respect to penetration testing does not 
include this phrase. However, Rule 1001(a)(2)(iv) requires an SCI 
entity's policies and procedures to include, 
among other things, ``regular reviews and testing . . . to identify 
vulnerabilities pertaining to internal and external threats . . .'' The 
new language with respect to penetration testing (which is proposed to 
be located in the definition of SCI review in Rule 1000) would require 
SCI entities to include testing of the vulnerabilities identified 
pursuant to its regular review and testing requirement in designing its 
penetration testing. Thus, rather than, for example, running a static 
annual test against a portion of its SCI systems, this proposed 
language would require an SCI entity's penetration testing program to 
include any identified relevant threats and then conduct penetration 
testing accordingly, which should help ensure the security and 
resiliency of SCI systems.
c. Systems Intrusions
    Rule 1000 of Regulation SCI defines a ``systems intrusion'' as any 
unauthorized entry into the SCI systems or indirect SCI systems of an 
SCI entity. Systems intrusions are one of three types of SCI events 
that each SCI entity must monitor for and, when they occur, subject to 
certain exceptions, an SCI entity must: take corrective action; \323\ 
immediately notify the Commission and maintain certain records with 
respect to the event; \324\ and promptly disseminate information about 
the event to applicable members and participants of each SCI 
entity.\325\ As discussed in the SCI Adopting Release,\326\ the 
definition of systems intrusion has several important characteristics 
to it, two of which are relevant to the changes proposed. First, 
because the term ``entry'' is used in the current definition, the term 
systems intrusions only applies to ``successful'' intrusions, thus 
excluding attempted (i.e., unsuccessful) intrusions. In addition, the 
term ``entry into'' implies that the intrusion is limited to events 
that result in an intruder entering into the SCI entity's SCI systems 
or indirect SCI systems, and thus does not include any types of attacks 
on systems outside of the SCI entity's SCI systems or indirect SCI 
systems that nonetheless impact such systems.
---------------------------------------------------------------------------

    \323\ See 17 CFR 242.1002(a).
    \324\ See 17 CFR 242.1002(b) (setting forth the notification and 
follow-up reporting that is required for a systems intrusion that is 
not de minimis).
    \325\ See 17 CFR 242.1002(c).
    \326\ See SCI Adopting Release, supra note 1, at 72288.
---------------------------------------------------------------------------

    As discussed above, cybersecurity has become increasingly 
important for all types of entities, and the same is true for SCI 
entities. The Commission believes that it is appropriate to expand the 
definition of systems intrusion to include two additional types of 
cybersecurity events. The first additional type of systems intrusion 
would include certain types of incidents that are currently considered 
to be cybersecurity events that are not included in the current 
definition, as discussed below. In addition, the revised definition 
would ensure that the Commission and its staff are made aware when an 
SCI entity is the subject of a significant cybersecurity threat, 
including those that may be ultimately unsuccessful, which would 
provide important information regarding threats that may be posed to 
other entities in the securities markets, including other SCI entities. 
By requiring SCI entities to submit SCI filings for these new types of 
systems intrusions, the Commission believes that the revised definition 
of systems intrusion would provide the Commission and its staff more 
complete information to assess the security status of the SCI entity, 
and also assess the impact or potential impact that unauthorized 
activity could have on the security of the SCI entity's affected 
systems as well as on other SCI entities and market participants.
    The proposed definition would have three prongs, the first of which 
would contain the current requirement that defines any ``unauthorized 
entry into the SCI systems or indirect SCI systems of an SCI entity'' 
as a systems intrusion, and would continue to include a wide range of 
cybersecurity events. As stated in the SCI Adopting Release, the 
current definition describes ``any unauthorized'' entry or ``breach'' 
into SCI systems or indirect SCI systems, and includes unauthorized 
access, whether intentional or inadvertent, by employees or agents of 
the SCI entity that resulted from weaknesses in the SCI entity's access 
controls and/or procedures.\327\ For example, data breaches are 
included under the first prong, as are instances in which an employee 
of an SCI entity accessed an SCI system without proper authorization. 
It also includes instances in which an employee, such as a systems 
administrator, was authorized to access a system, but where the 
employee improperly accessed confidential information within such 
system. Similarly, an instance in which members of an SCI entity were 
properly accessing a system but were inadvertently exposed to the 
confidential information of other members would likewise fall 
within this prong.\328\
---------------------------------------------------------------------------

    \327\ See SCI Adopting Release, supra note 1, at 72887-89 
(providing a more detailed discussion of the current definition of 
systems intrusions).
    \328\ See id. (providing a more detailed discussion of the 
current definition of systems intrusions).
---------------------------------------------------------------------------

    The new second prong would expand the definition of systems 
intrusion to include any cybersecurity event that disrupts, or 
significantly degrades, the normal operation of an SCI system. This 
prong is intended to include cybersecurity events on the SCI entity's 
SCI systems or indirect SCI systems that cause disruption to such 
systems, regardless of whether the event resulted in an entry into or 
access to them. For example, in distributed denial-of-service attacks, 
the attacker, often using malware-infected machines, typically seeks to 
overwhelm or drain the resources of the target with illegitimate 
requests to prevent the target's systems from providing services to 
those seeking to access or use them. Unlike cybersecurity events that 
would qualify under the current definition of systems intrusions (i.e., 
the first prong of the proposed definition), the objective of these 
attacks is often simply to disrupt or disable the target's operations, 
rendering them unable to run efficiently, or run at all. For example, 
given the essential role hypervisors play in supporting cloud 
computing, an attack on a CSP's hypervisor, which enables the sharing 
of physical compute and memory resources across multiple virtual 
machines, could also significantly disrupt or even disable, albeit 
indirectly, the SCI systems of an SCI entity that is utilizing such 
CSP, and thus constitute a systems intrusion under the proposed second 
prong. Likewise, these systems intrusions could include certain command 
and control attacks where a malicious actor is able to infiltrate a 
system to install malware to enable it to send commands to infected 
devices remotely. Similarly, supply chain attacks that enter an SCI 
entity's systems through an apparently authorized means, such as 
through regular maintenance software updates that--unbeknownst to the 
software provider and the recipient--contain malicious code, could 
also be systems intrusions under this proposal.\329\ Because such 
cybersecurity events can cause serious harm and disruption to an SCI 
entity's operations, the Commission believes that the definition of 
systems intrusion should be broadened to include cybersecurity events 
that may not entail actually entering or accessing the SCI entity's SCI 
systems or indirect SCI systems, but still cause disruption or 
significant 
degradation. For this second prong, the Commission believes it is 
appropriate to utilize language similar to that used in the definition 
of systems disruption (i.e., ``disrupts, or significantly degrades, the 
normal operation of an SCI system'').\330\ Similar to a systems 
disruption that occurs within the SCI systems or indirect SCI systems, 
if a cybersecurity event disrupts, or significantly degrades, an SCI 
entity's normal operations,\331\ it would constitute a systems 
intrusion under the proposed revised definition, and the obligations 
and reporting requirements of Rule 1002 would apply.\332\
---------------------------------------------------------------------------

    \329\ See supra note 314 and accompanying text (discussing the 
Log4j hack).
    \330\ The Commission believes that the term ``cybersecurity 
event,'' as used here, would generally be understood to mean ``an 
unauthorized activity that disrupts or significantly degrades the 
normal operation of an SCI system.''
    \331\ See SCI Adopting Release, supra note 1, at 72284 (``SCI 
entities would likely find it helpful to establish parameters that 
can aid them and their staff in determining what constitutes the 
`normal operation' of each of its SCI systems and when such `normal 
operation' has been disrupted or significantly degraded because 
those parameters have been exceeded.'' (footnotes omitted)).
    \332\ Such events may, in some cases, first appear to an SCI 
entity to be a ``systems disruption'' but, upon further 
investigation and understanding of the true cause of the SCI event, 
may turn out to be both a ``systems intrusion'' as well as a 
``systems disruption.'' In such cases, the applicable SCI entity 
should mark the SCI event as both types on its submissions to the 
Commission on Form SCI.
---------------------------------------------------------------------------

    The third prong would include any significant attempted 
unauthorized entry into the SCI systems or indirect SCI systems of an 
SCI entity, as determined by the SCI entity pursuant to established 
reasonable written criteria. In contrast to the types of systems 
intrusions that are part of the first prong of the proposed definition, 
the third prong is intended to capture unsuccessful, but significant, 
attempts to enter an SCI entity's SCI systems or indirect SCI systems. 
The Commission recognizes that it would be inefficient, inappropriate, 
and undesirable (for both SCI entities as well as the Commission and 
its staff) to require that all attempted entries be considered systems 
intrusions. Rather, the Commission is seeking to include only attempts 
that an SCI entity believes to be significant attempts against its 
systems, even if successfully prevented.
    The term ``significant attempted unauthorized entry'' would not be 
defined in the rule. Rather, the proposed rule would require each SCI 
entity to establish reasonable written criteria for it to use to 
determine whether a significant attempted unauthorized entry has 
occurred, because the Commission believes that each SCI entity should 
be granted some degree of discretion and flexibility in determining 
what constitutes a significant attempted unauthorized entry for its 
purposes, given that SCI entities differ in nature, size, technology, 
business model, and other aspects of their businesses.\333\ However, 
the Commission believes that certain characteristics of attempted 
unauthorized entries would generally weigh in favor of such attempted 
unauthorized entries being considered significant and constituting 
systems intrusions that should be considered SCI events subject to the 
requirements of Regulation SCI, including: when an SCI entity becomes 
aware of reconnaissance that may be leveraged by a threat actor; a 
targeted campaign that is customized to the SCI entity's system; \334\ 
an attempted cybersecurity event that required the SCI entity's 
personnel to triage, even if it was ultimately determined to have no 
impact; an attempted attack from a known sophisticated advanced threat 
actor; the depth of the breach in terms of proximity to SCI systems and 
critical SCI systems; and a cybersecurity event that, if successful, 
had meaningful potential to result in widespread damage and/or loss of 
confidential data or information.
---------------------------------------------------------------------------

    \333\ Under 17 CFR 242.1003(a)(1) (``Rule 1003(a)(1)''), each 
SCI entity is similarly required to establish reasonable written 
criteria for identifying a material change to its SCI systems for 
quarterly reporting to the Commission. See also SCI Adopting 
Release, supra note 1, at 72341-42 (discussing the definition of 
material systems change).
    \334\ A wide variety of entities engage in web scanning, which 
may be in a targeted manner (e.g., looking at certain IP address 
ranges) or broadly across the internet. Often, such scanning may be 
for non-malicious purposes such as, for example, indexing website 
content (for search engines) or mapping networks. Others may engage 
in such scanning to identify vulnerable systems or websites, which 
could be to inform vulnerability management identification and 
remediation efforts or identify opportunities for exploitation. 
Because of the wide range of possible uses of scanning and the 
nature of scanning tools' interactions with systems, such scanning 
activity alone is not necessarily indicative of malicious intent or 
even a vulnerable system capable of being exploited. However, 
evidence of further, follow-on activity indicative of a precursor to 
unauthorized entry may be a factor that an SCI entity should 
consider in weighing whether a significant attempted unauthorized 
entry has occurred.
---------------------------------------------------------------------------

    As with all SCI events, SCI entities would be required under 17 CFR 
242.1002(a) (``Rule 1002(a)'') to take corrective action with respect 
to any events that were determined to be systems intrusions under the 
proposed revised definition. In addition, the Commission is proposing 
to make a revision to the Commission reporting requirements relating to 
systems intrusions under Rule 1002(b) such that all systems intrusions 
would be required to be immediately reported to the Commission pursuant 
to the requirements of Rule 1002(b). Currently, paragraph (b)(5) of 
Rule 1002 states that the Commission notification requirements under 
paragraphs (b)(1) through (4) do not apply to any SCI event that has 
had, or the SCI entity reasonably estimates would have, no or a de 
minimis impact on the SCI entity's operations or on market participants 
(``de minimis SCI events'').\335\ Instead, SCI entities are currently 
required to make, keep and preserve records relating to all such SCI 
events, and provide a quarterly report of de minimis systems intrusions 
and systems disruptions pursuant to Rule 1002(b)(5).\336\ The 
Commission is proposing to eliminate the de minimis exception's 
applicability to systems intrusions, thus requiring all systems 
intrusions, whether de minimis or non-de minimis, to be reported 
pursuant to the requirements of 17 CFR 242.1002(b)(1) through (4) 
(``Rule 1002(b)(1) through (4)'').\337\ By their very nature, systems 
intrusions may be difficult to identify, and assessing the impact of 
any systems intrusion is often complex and could potentially require a 
lengthy investigation before any conclusions may be reached with any 
degree of certainty. Because of this, the Commission recognizes that it 
may be difficult for SCI entities to make a clear determination in a 
timely manner of whether a systems intrusion is de minimis. At the same 
time, the Commission believes that it is important for the Commission 
and its staff to receive notification of systems intrusions to be aware 
of potential and actual security threats to individual SCI entities, 
particularly given that such threats may extend to other market 
participants in the securities markets, including other SCI entities. 
Thus, the Commission believes it is appropriate to eliminate systems 
intrusions from the types of SCI events that may make use of the 
exception for de minimis SCI events and be quarterly reported, and 
instead require that each systems intrusion be reported under the 
framework in Rule 1002(b)(1) through (4).\338\
---------------------------------------------------------------------------

    \335\ Rule 1002(b)(5).
    \336\ Id.
    \337\ To conform to the proposed elimination of de minimis 
systems intrusions from the quarterly report, Rule 1002(b)(5)(i) 
would be amended by replacing the phrase ``all such SCI events'' 
with the phrase ``all such systems disruptions or systems compliance 
issues,'' and Rule 1002(b)(5)(ii) would be amended to no longer 
include references to systems intrusions and instead read: ``Submit 
to the Commission a report, within 30 calendar days after the end of 
each calendar quarter, containing a summary description of such 
systems disruptions, including the SCI systems affected by such 
systems disruptions during the applicable calendar quarter.''
    \338\ The Commission notes that systems intrusions, as currently 
defined in Rule 1000 of Regulation SCI, have been relatively 
infrequent as compared to other types of SCI events, and thus the 
burden of this proposed change in reporting for systems intrusions 
under the current definition (which is the first prong of the 
proposed revised definition of systems intrusions) should be 
relatively low for SCI entities. For example, in the three-year 
period from 2019 to 2021, systems intrusions only accounted for 27 
of the 10,501 SCI events in total (including both de minimis and 
non-de minimis SCI events). The Commission requests comment below 
regarding the frequency of systems intrusions as defined by the 
second and third prongs of the proposed revised definition of 
systems intrusion.
---------------------------------------------------------------------------

    Rule 1002(c) sets forth the requirements with respect to 
disseminating information regarding SCI events to applicable members or 
participants of SCI entities, and the Commission believes that it would 
be appropriate that information about systems intrusions under the 
proposed second prong of the systems intrusion definition (a 
``cybersecurity event that disrupts, or significantly degrades, the 
normal operation of an SCI system'') be disseminated pursuant to Rule 
1002(c)'s requirements. However, importantly, in contrast to the more 
detailed information dissemination requirements for SCI entities in 
paragraph (c)(1) of Rule 1002 for systems disruptions and systems 
compliance issues, in recognition of the more sensitive nature of 
systems intrusions (disclosure of which may alert threat actors of an 
existing or potential weakness in an SCI entity's systems, or alert 
them of an ongoing investigation of a systems intrusion), the 
Commission's information dissemination requirements for systems 
intrusions contained in paragraph (c)(2) of Rule 1002 only require SCI 
entities to provide a ``summary description'' for such events.\339\ In 
addition, paragraph (c)(2) also permits an SCI entity to delay 
disclosure of a systems intrusion in cases where the SCI entity 
``determines that dissemination of such information would likely 
compromise the security of the SCI entity's SCI systems or indirect SCI 
systems, or an investigation of the systems intrusion, and documents 
the reasons for such determination.'' \340\
---------------------------------------------------------------------------

    \339\ The information dissemination requirements described here 
for systems intrusions differ from the analogous requirements for 
the other two types of SCI events (systems disruptions and systems 
compliance issues), which require SCI entities to also, among other 
things, further provide a more detailed description of such SCI 
events when known. See 17 CFR 242.1002(c)(1).
    \340\ See 17 CFR 242.1002(c)(2) (``Rule 1002(c)(2)'').
---------------------------------------------------------------------------

    With respect to information dissemination to an SCI entity's 
members or participants, however, the Commission believes that 
information regarding significant attempted unauthorized entries should 
not be required to be disseminated to an SCI entity's members or 
participants, as any benefits associated with disseminating information 
about unsuccessful attempted unauthorized entries to members or 
participants of an SCI entity would likely not be justified due to 
distractions that such information would bring, particularly since the 
SCI entity's security controls were able, in fact, to repel the 
cybersecurity event. In addition, disseminating information regarding 
unsuccessful intrusions could result in the threat actors being 
unnecessarily alerted that they have been detected, which could make it 
more difficult to identify the attackers and halt their efforts on an 
ongoing, more permanent basis. Thus, the Commission is proposing new 
17 CFR 242.1002(c)(4)(iii) (``proposed Rule 1002(c)(4)(iii)'') which 
would exclude systems intrusions that are significant attempted 
unauthorized entries into the SCI systems or indirect SCI systems of an 
SCI entity from the information dissemination requirements of 17 CFR 
242.1002(c)(1) through (3) (``Rule 1002(c)(1) through (3)'').
d. Request for Comment
    67. Do commenters agree that cybersecurity is an area that the 
Commission should enhance as part of Regulation SCI? Is it necessary to 
help ensure that SCI entities maintain a robust technology 
infrastructure for the SCI systems and indirect SCI systems? Why or why 
not?
    68. Do commenters agree with the proposed addition of Rule 
1001(a)(2)(x), to enumerate that the policies and procedures of SCI 
entities shall include a program to prevent the unauthorized access to 
SCI systems and, for purposes of security standards, indirect SCI 
systems, and information residing therein? Why or why not?
    69. Do commenters agree that SCI entities should be required to 
have an increased frequency of penetration test reviews? Why or why 
not? Do commenters feel that the requirement to have such tests at 
least annually is appropriate? How frequently do SCI entities conduct 
penetration testing today? Do commenters agree with the proposed 
requirement that the penetration testing include testing of any 
identified vulnerabilities? Why or why not?
    70. Do commenters believe that it is appropriate to modify the 
definition of systems intrusion as proposed in Rule 1000? Do commenters 
believe that it would be useful (for example, for SCI entities and the 
Commission and its staff) to include other types of scenarios in the 
definition of systems intrusion? If so, which scenarios should be 
included and why? If not, why not?
    71. Do commenters agree with the proposed revisions to the 
definition of systems intrusions to include the second prong, (i.e., 
for any cybersecurity event that disrupts, or significantly degrades, 
the normal operation of an SCI system)? Why or why not? Could such 
events put the security or operational capability of an SCI system at 
risk? How frequently do commenters believe systems intrusions, as 
defined by the proposed second prong, occur at SCI entities? The 
Commission does not define the term ``cybersecurity event'' in the 
proposed rule text but, as noted, believes it would generally be 
understood to mean ``an unauthorized activity that disrupts or 
significantly degrades the normal operation of an SCI system.'' Do 
commenters agree? Do commenters believe it is necessary to provide a 
definition of the term ``cybersecurity event'' in the proposed rule 
text? If so, do commenters agree with the meaning above? If not, how 
should it be defined? Please be specific.
    72. Do commenters believe that significant attempted unauthorized 
entries into the SCI systems or indirect SCI systems of an SCI entity 
should be included in the definition of systems intrusions, as under 
the proposed third prong? Why or why not? Do commenters believe that 
the Commission should define the term ``significant attempted 
unauthorized entry,'' or do commenters believe it is appropriate to 
require an SCI entity to establish reasonable written criteria to make 
such determinations to provide SCI entities some degree of discretion 
and flexibility in determining what constitutes a significant attempted 
unauthorized entry for its purposes, given differences as between SCI 
entities? 
What types of criteria or scenarios do commenters believe should 
constitute a significant attempted unauthorized entry? Please describe 
and be specific. How frequently do commenters believe systems 
intrusions, as defined by the proposed third prong, occur at SCI 
entities?
    73. Do commenters agree with the proposed removal of systems 
intrusions from the types of de minimis SCI events permitted to be 
reported quarterly under Rule 1002(b)(5)? Why or why not? Should there 
be a requirement that SCI events that are systems intrusions, as 
proposed to be defined, be reported to senior management of an SCI 
entity? Why or why not?
    74. Do commenters agree with the proposed addition of Rule 
1002(c)(4)(iii), which would exclude systems intrusions that are 
significant attempted unauthorized entries from the information 
dissemination requirements of Rule 1002(c)(1) through (3)? Why or why 
not?

[[Page 23187]]

4. SCI Review
a. Discussion
    Rule 1000 currently defines the SCI review to be a review, 
following established procedures and standards, that is performed by 
objective personnel having appropriate experience to conduct reviews of 
SCI systems and indirect SCI systems, and which review contains: (a) a 
risk assessment with respect to such systems of an SCI entity; and (b) 
an assessment of internal control design and effectiveness of its SCI 
systems and indirect SCI systems to include logical and physical 
security controls, development processes, and information technology 
governance, consistent with industry standards. Paragraph (b)(1) of 
Rule 1003 requires each SCI entity to conduct an SCI review of the SCI 
entity's compliance with Regulation SCI not less than once each 
calendar year; however, penetration test reviews of the network, 
firewalls, and production systems may be conducted at a frequency of 
not less than once every three years, and assessments of SCI systems 
directly supporting market regulation or market surveillance may be 
conducted at a frequency based upon the risk assessment conducted as 
part of the SCI review, but in no case less than once every three 
years. Paragraph (b)(2) of Rule 1003 requires SCI entities to submit a 
report of the SCI review to senior management of the SCI entity for 
review no more than 30 calendar days after completion of such SCI 
review, and paragraph (b)(3) requires SCI entities to submit to the 
Commission, and to the board of directors of the SCI entity or the 
equivalent of such board, a report of the SCI review, together with any 
response by senior management, within 60 calendar days after its 
submission to senior management of the SCI entity.
    The SCI review is an important part of Regulation SCI because it is 
a periodic evaluation by objective personnel of an SCI entity's 
compliance with SCI and helps the SCI entity to identify weaknesses and 
vulnerabilities in its systems and controls. In addition, because of 
Rule 1003(b)'s reporting requirements, the SCI review and the report of 
the SCI review helps to ensure that the senior management and board of 
the SCI entity are involved in and aware of the SCI entity's compliance 
with the regulation. Finally, the report provides the Commission and 
its staff insight into the SCI entity's compliance with Regulation SCI 
as well, and assists the staff in determining how to follow up with the 
SCI entity in reviewing and addressing any identified weaknesses and 
vulnerabilities.
    The SCI review is currently required to be conducted by ``objective 
personnel,'' and the Commission believes that this requirement 
continues to be appropriate. Thus, as the Commission discussed in the 
SCI Adopting Release, SCI reviews may be performed by personnel of the 
SCI entity (such as internal audit function) or an external firm, 
provided that such personnel are, in fact, objective and, as required 
by rule, have the appropriate experience to conduct reviews of SCI 
systems and indirect SCI systems.\341\
---------------------------------------------------------------------------

    \341\ See SCI Adopting Release, supra note 1, at 72343. The 
Commission continues to believe that persons who were not involved 
in the process for development, testing, and implementation of the 
systems being reviewed would generally be in a better position to 
identify weaknesses and deficiencies that were not identified in the 
development, testing, and implementation stages. Thus, any personnel 
with conflicts of interest that have not been adequately mitigated 
to allow for objectivity should be excluded from serving in this 
role, and a person or persons conducting an SCI review should not 
have a conflict of interest that interferes with their ability to 
exercise judgment, express opinions, and present recommendations 
with impartiality. See id.
---------------------------------------------------------------------------

    As described below, the Commission is proposing a number of 
revisions to the requirements relating to SCI reviews and for the 
reports SCI entities submit (both to their board of directors as well 
as to the Commission).\342\ The definition of SCI review in Rule 1000 
is proposed to be amended to contain the substantive requirements for 
an SCI review, which would be required to be ``a review, following 
established and documented procedures and standards, that is performed 
by objective personnel having appropriate experience to conduct reviews 
of SCI systems and indirect SCI systems . . .'' The revised definition 
of SCI review in Rule 1000 would go on to detail what an SCI review 
would be required to include and would require the use of appropriate 
risk management methodology. Specifically, paragraph (1) of the 
definition would require, with respect to each SCI system and indirect 
SCI system of the SCI entity, three assessments to be performed by 
objective personnel conducting the SCI review. The first required 
assessment would be of the risks related to the capacity, integrity, 
resiliency, availability, and security. The second assessment would be 
of internal control design and operating effectiveness to include 
logical and physical security controls, development processes, systems 
capacity and availability, information technology service continuity, 
and information technology governance, consistent with industry 
standards. The third assessment would be of third-party provider 
management risks and controls. As discussed above, the Commission is 
also proposing to update the requirement for penetration testing, from 
the current requirement of at least once every three years to at least 
annually.\343\ Finally, the definition of SCI review in Rule 1000 would 
provide that assessments of SCI systems directly supporting market 
regulation or market surveillance would be required to be conducted at 
a frequency based upon the risk assessment conducted as part of the SCI 
review, but in no case less than once every three years.
---------------------------------------------------------------------------

    \342\ Rule 1000 (definition of SCI review) and Rule 1003(b) both 
currently contain requirements relating to SCI reviews. As described 
in this section, the Commission is proposing to focus the definition 
of SCI review in Rule 1000 on requirements relating to the SCI 
review itself, whereas Rule 1003(b)'s proposed language would be 
focused on the required contents of the report of the SCI review, as 
well as the timelines for when the SCI review is required to be 
conducted and when the report of the SCI review is required to be 
provided to senior management and the Commission.
    \343\ See supra section III.C.3.b (discussing the frequency of 
required penetration test reviews).
---------------------------------------------------------------------------

    It has been the experience of the Commission and its staff that 
SCI reviews and the reports of such SCI reviews vary among SCI 
entities in content and detail. To help ensure that every SCI review 
and report of such a review contains the assessments and related 
information the Commission and its staff believe is necessary for an 
SCI entity to be able to assess its compliance with Regulation SCI, the 
Commission proposes adding certain additional requirements and details 
with respect to each SCI review and the report of the SCI review that 
are submitted to the SCI entity's board and to the Commission. In the 
lead-in provision for the definition, the words ``and documented'' are 
proposed to be added to ensure that SCI entities and the objective 
personnel conducting SCI reviews document the work that is done during 
the SCI review. Documentation is necessary as evidence that the 
requirements relating to the SCI review are being complied with, and 
would help ensure that policies and procedures are followed. 
Documentation is also critical to any follow-on reviews of the work 
that may be required, such as follow-up on the work of the SCI review 
by SCI entity personnel (including by its senior management or board of 
directors) or by the Commission or its staff. In addition, such 
documentation would facilitate follow-up required to address 
deficiencies and weaknesses that may be identified during the SCI 
review, such as through mitigation and remediation plans.

[[Page 23188]]

    The proposed definition of SCI review would also require that the 
SCI review use ``appropriate risk management methodology.'' The 
objective personnel conducting the SCI review would be required to 
establish, document, and utilize a given risk methodology in conducting 
the SCI review that is appropriate for the SCI entity being reviewed. 
The Commission is not specifying a particular methodology that a given 
SCI entity and its objective personnel must use, but rather is 
providing the flexibility to such objective personnel to determine the 
risk management methodology that should be utilized, so long as it is 
appropriate given the SCI entity's characteristics and risks.
    The requirements of the SCI review would apply to each individual 
SCI system and indirect SCI system, and would require that the SCI 
review include three specific assessments to be performed by objective 
personnel. This language is intended to require that each of these 
assessments be performed by objective personnel--either by those 
conducting the SCI review or others that those conducting the SCI 
review engage for such purposes--rather than utilizing, for example, 
enterprise or IT risk assessments as the basis for the SCI review after 
deeming them ``reasonable.'' The proposed requirement would not specify 
a particular control framework to be applied for such assessments, but 
rather would provide flexibility to those conducting the SCI review to 
choose the methodology they believe to be most appropriate given the 
particular characteristics and risks of the SCI entity's systems being 
assessed, and undertake the assessments themselves, or oversee and 
direct other objective personnel on how the assessments should be 
performed. The Commission considers the SCI reviews to be an important 
window into the strength of the technological infrastructure of SCI 
entities, and whether the controls implemented by the SCI entity are 
appropriate and employed properly. In addition, the Commission requires 
that objective personnel be used to help ensure the impartiality of the 
review and that the reviewers examine what they believe to be most 
appropriate for such a review.\344\ The Commission believes that, by 
requiring that these assessments be performed by objective personnel, 
these assessments and tests will be able to provide the SCI entity, its 
senior management, its board of directors, and the Commission, an 
appropriately impartial and accurate assessment of the risks associated 
with the SCI entity's SCI systems and indirect SCI systems.
---------------------------------------------------------------------------

    \344\ See supra note 341 and accompanying text (discussing 
``objective personnel'').
---------------------------------------------------------------------------

    In the definition of SCI review in Rule 1000, the phrase ``a risk 
assessment with respect to such systems of an SCI entity'' would be 
replaced with an assessment of ``the risks related to the capacity, 
integrity, resiliency, availability, and security'' of each such 
system. The Commission believes that the additional detail in the 
proposed language would tie the required risk assessment more closely 
with the key principles of Regulation SCI (found in Rule 1001(a)(1)) 
relating to the ``capacity, integrity, resiliency, availability and 
security'' of each SCI entity's systems, while maintaining the focus of 
the assessment on the overall risks associated with such systems.
    Further, in the definition of SCI review the phrase ``internal 
control design and effectiveness'' would be revised to read ``internal 
control design and operating effectiveness'' to clarify that the 
associated assessment must examine how well the internal controls 
performed in actual operations, i.e., in practice. Thus, this 
assessment would look not only at how the controls worked in theory 
(i.e., as designed), but also in practice (i.e., in operations).\345\ 
In addition, the definition of SCI review in Rule 1000 would expand on 
the list of controls to be assessed, adding ``systems capacity and 
availability'' and ``information technology service continuity'' to the 
current list of ``logical and physical security controls, development 
processes, and information technology governance.'' The Commission 
believes that systems capacity and availability and information 
technology service continuity are important areas for SCI entities to 
consider when conducting their SCI reviews, and is proposing to include 
them on the list of controls reviewed by objective personnel performing 
the SCI reviews to ensure that these additional areas of controls are 
assessed during each SCI review. As stated above, the foundational 
principles of Regulation SCI are set forth in Rule 1001 and require in 
part that each SCI entity establish, maintain, and enforce written 
policies and procedures reasonably designed to ensure that their SCI 
systems and, for purposes of security standards, indirect SCI systems, 
have levels of capacity, integrity, resiliency, availability, and 
security adequate to maintain their operational capability and promote 
the maintenance of fair and orderly markets.\346\ The proposed addition 
of ``systems capacity and availability'' relates to this requirement 
with respect to ``capacity'' and ``availability,'' and ``information 
technology service continuity'' relates to this requirement with 
respect to ``resiliency'' and ``availability,'' and would require that 
objective personnel consider whether an SCI entity's internal controls 
have been designed and implemented in a manner to achieve these 
objectives of Regulation SCI, rather than only those currently 
enumerated regarding security, development processes, and governance.
---------------------------------------------------------------------------

    \345\ See, e.g., Sunil Bakshi, Tips for Effective Control 
Design, ISACA (Feb. 9, 2022), available at 
https://www.isaca.org/resources/news-and-trends/newsletters/atisaca/2022/volume-6/tips-for-effective-control-design; 
PCAOB, AS2201: An Audit of Internal Controls Over Financial Reporting 
That is Integrated with An Audit of Financial Statements, available 
at https://pcaobus.org/oversight/standards/auditing-standards/details/AS2201; 
and AICPA, AU-C Section 940, An Audit of Internal Controls Over 
Financial Reporting That is Integrated With an Audit of Financial 
Statements, available at 
https://us.aicpa.org/content/dam/aicpa/research/standards/auditattest/downloadabledocuments/au-c-00940.pdf.
    \346\ See supra note 39 and accompanying text.
---------------------------------------------------------------------------

    New paragraph (1)(C) of the definition of SCI review in Rule 1000 
would require an assessment of third-party provider management risks 
and controls with respect to each of its SCI systems and indirect SCI 
systems. As discussed in detail above,\347\ third-party provider 
management is an important part of managing the risks posed when an SCI 
entity uses a third-party for functionality, support, or services.
---------------------------------------------------------------------------

    \347\ See supra section III.C.2.
---------------------------------------------------------------------------

    Importantly, the proposed amended definition of SCI review under 
Rule 1000 uses the phrase ``with respect to each'' when referencing SCI 
systems and indirect SCI systems. This wording clarifies that the 
associated assessments are required to be made for each applicable 
system for each SCI review (i.e., every year). Thus, the Commission 
believes it to be appropriate to conduct these assessments for each and 
every SCI system or, as applicable, indirect SCI system annually, 
rather than, for example, rotating control testing across several years 
such that not all systems and/or relevant controls are tested each 
year. However, in adopting Regulation SCI, the Commission determined to 
allow assessments of SCI systems directly supporting market regulation 
or market surveillance to be conducted, based upon a risk-assessment, 
at least once every three years, rather than annually, and the 
Commission is not amending this provision.\348\

[[Page 23189]]

---------------------------------------------------------------------------

    \348\ See 17 CFR 242.1003(b)(1)(ii).
---------------------------------------------------------------------------

    Proposed paragraph (2) would contain the requirement that 
penetration test reviews be performed by objective personnel, conducted 
at least once each year. As discussed above, the revised requirements 
relating to SCI reviews would change the frequency of required 
penetration testing provision (currently located in Rule 1003(b)(1) but 
proposed to be relocated to the definition of ``SCI review'' in Rule 
1000) from ``not less than once every three years'' to at least 
annually with each SCI review, and require that they include testing of 
any identified vulnerabilities of its SCI systems and indirect SCI 
systems.\349\ In addition, the language relating to the frequency of 
assessments of SCI systems directly supporting market regulation or 
market surveillance, proposed to be in paragraph (3), would remain 
unchanged.\350\
---------------------------------------------------------------------------

    \349\ See supra section III.C.3.b. and proposed paragraph (2) of 
the definition of SCI review in Rule 1000, (relating to 
cybersecurity revisions, including penetration testing). Of course, 
while SCI entities would be required to conduct penetration test 
reviews at least annually as part of the SCI review, nothing in the 
proposed rule would prevent them from conducting penetration testing 
more frequently if warranted.
    \350\ As noted above, while the substance of the provision 
relating to the frequency of assessments of SCI systems directly 
supporting market regulation or market surveillance would remain 
unchanged, the provision would be moved from current Rule 
1003(b)(1)(ii) to proposed paragraph (3) of the definition of SCI 
review in Rule 1000.
---------------------------------------------------------------------------

    Proposed Rule 1003(b) would continue to include requirements 
relating to the timeframes for conducting the SCI review (unchanged at 
``not less than once each calendar year'') \351\ and submitting reports 
of the SCI review to senior management (unchanged at ``no more than 30 
calendar days after completion of such SCI review'') \352\ and the 
Commission (unchanged at ``within 60 calendar days after its submission 
to senior management'').\353\ However, proposed Rule 1003(b)(1) would 
add the phrase ``for each calendar year during which it was an SCI 
entity for any part of such calendar year'' to clarify that, if an SCI 
entity is an SCI entity for any part of the calendar year, it must 
conduct the SCI review and submit the associated report of the SCI 
review to the SCI entity's senior management and board, as well as to 
the Commission. Thus, an SCI review would be required for a new SCI 
entity, even in its first year as an SCI entity and even if its 
starting date as an SCI entity were not until late in the year. 
Similarly, if an SCI entity ceased to be an SCI entity during the 
middle of a calendar year (e.g., an SCI ATS that falls out of the SCI 
ATS thresholds in July of a given year), it would still be required to 
submit an SCI review for that portion of the calendar year during which 
it was an SCI entity. The Commission believes this is appropriate, as 
the SCI review and the report of the SCI review contain, among other 
things, assessments of the SCI entity's compliance with the 
requirements of Regulation SCI which help to confirm, through objective 
personnel, that the capacity, integrity, resiliency, availability and 
security requirements of Regulation SCI have been met by the entity for 
the period during which it was an SCI entity.
---------------------------------------------------------------------------

    \351\ See proposed Rule 1003(b)(1).
    \352\ See proposed Rule 1003(b)(2).
    \353\ See proposed Rule 1003(b)(3).
---------------------------------------------------------------------------

    Rule 1003(b) would also add additional detail on what the report of 
the SCI review is required to contain. Currently, the rule does not 
provide any specific requirements with respect to the contents of the 
report of the SCI review. In the experience of Commission staff, this 
has resulted in a wide range in the types and quality of SCI reports 
the Commission receives from SCI entities. In reviewing the reports, 
the Commission staff has found certain information particularly 
important in assessing the SCI review, and as a result the Commission 
is now revising the rule to require this information to be included in 
all reports on SCI reviews. Rule 1003(b)(2) would be revised to require 
the report of the SCI review to include: (i) the dates the SCI review 
was conducted and the date of completion; (ii) the entity or business 
unit of the SCI entity performing the review; (iii) a list of the 
controls reviewed and a description of each such control; (iv) the 
findings of the SCI review with respect to each SCI system and indirect 
SCI system, which must include, at a minimum, assessments of: the risks 
related to the capacity, integrity, resiliency, availability, and 
security; internal control design and operating effectiveness; and 
vendor management risks and controls; (v) a summary, including the 
scope of testing and resulting action plan, of each penetration test 
review conducted as part of the SCI review; and (vi) a description of 
each deficiency and weakness identified by the SCI review.
    Items (i) and (ii) contain basic administrative information 
(relating to dates and the entity/unit conducting the SCI review) about 
the SCI review to identify the period over which the SCI review was 
conducted and the entity/unit responsible for such review that 
Commission staff may contact for any questions regarding the SCI review 
or the report of the SCI review. Item (iii), relating to controls 
reviewed as part of the SCI review, would assist Commission staff in 
understanding the scope of the review and, if applicable, also allow 
staff to identify and request additional information regarding any of 
the controls listed or any controls it believed to be missing. Item 
(iv) would contain the substantive findings of the SCI review and 
relate to the three assessments that are required to be part of the SCI 
review under paragraph (1) of the definition of SCI review in Rule 
1000. Similarly, item (v) relates to paragraph (2) of the definition of 
SCI review relating to penetration test reviews and would require an 
SCI entity to provide a summary of each penetration test review 
conducted as part of the SCI review.\354\ Item (v) also would require 
that the summary include the scope of testing and the resulting action 
plan. Item (vi) would require a description of each deficiency and 
weakness identified during the SCI review, including through the 
assessments and any testing conducted as part of the SCI review. This 
information is proposed to be included in the report of the SCI review 
to provide the senior management and board of the SCI entity, as well 
as the Commission and its staff, with information on the SCI review, 
including any deficiencies and weaknesses identified by the objective 
personnel that conducted the SCI review.
---------------------------------------------------------------------------

    \354\ The Commission notes that the proposed requirement under 
item (vi) would specify that a summary of each penetration test 
review be included but does not call for the penetration test review 
itself to be included. The Commission believes that a summary that 
includes the scope of testing and action plan of the penetration 
test would provide Commission staff with sufficient initial 
information to obtain a broad understanding of what was tested and 
any vulnerabilities it identified and that Commission staff could, 
in any case, if it believed it appropriate, request that the SCI 
entity provide it with a copy of the penetration test review.
---------------------------------------------------------------------------

    The Commission believes that requiring this minimum set of 
requirements for the report of the SCI review, as described above, 
would help ensure that SCI entities and the objective personnel that 
conduct the SCI review include in the report of the SCI review the key 
pieces of information relating to the SCI review (i.e., information 
relating to the controls reviewed; substantive findings from the 
assessments conducted as part of the SCI review; summaries of 
penetration test reviews; and descriptions of each deficiency and 
weakness identified) that go towards ensuring that the SCI

[[Page 23190]]

systems of SCI entities remain robust with respect to their capacity, 
integrity, resiliency, availability, and security, and are in 
compliance with the requirements of Regulation SCI.
    Finally, the Commission is proposing several revisions to paragraph 
(b)(3) of Rule 1003, which relates to submission of the report of the 
SCI review to the Commission and to the board of directors (or its 
equivalent) of the SCI entity. First, because Rule 1003(b)(2) now 
contains details relating to the required contents of the report of the 
SCI review, the Commission is proposing to update the internal cross-
reference in paragraph (b)(3) from ``paragraph (b)(1)'' to ``paragraph 
(b)(2).'' The proposed revisions would also require that, when the 
report is submitted to the board of directors of the SCI entity and the 
Commission, it must also include the date the report was submitted to 
senior management. In addition, the revisions would make mandatory that 
a response from senior management to the report is included when it is 
submitted to the Commission and board, whereas previously the language 
appeared permissive. The Commission believes that mandating a response 
from senior management will help ensure that both the SCI entity's 
senior management and board are informed of the findings in the report 
of the SCI review and that the SCI entity's policies and procedures are 
reasonably designed, as required by the rule, and as informed by the 
issues identified in the report.
b. Request for Comment
    75. Do commenters agree with the proposed revisions to the 
definition of ``SCI review'' in Rule 1000? Why or why not? Do 
commenters agree with the proposed addition of ``and documented'' to 
require that the work relating to the SCI review be documented? Why or 
why not? Do commenters agree with the proposed addition that the 
objective personnel conducting the SCI review use ``appropriate risk 
management methodology?'' Why or why not? What risk management 
methodologies do commenters believe would be appropriate for use by SCI 
entities? Please describe. Does the requirement that SCI reviews be 
performed by ``objective personnel'' remain appropriate? For example, 
should the term ``objective personnel'' be defined? Why or why not? 
Should there be a requirement that the SCI review be performed by an 
independent third party? Why or why not? Should there be a requirement 
that senior management certify that the SCI review was performed by 
objective personnel? Why or why not?
    76. What are commenters' views on not specifying a particular 
control framework to be applied for the internal control assessments? 
What are the costs and benefits to SCI entities if the Commission 
required the application of, for example, a suitable, recognized 
control framework that is established by a body or group that has 
followed due-process procedures, including the broad distribution of 
the framework for public comment?
    77. With respect to the three assessments proposed to be required 
by paragraph (1) of the definition of SCI review, do commenters agree 
that these assessments should be overseen by the objective personnel 
responsible for the SCI review, rather than utilizing, for example, 
enterprise or IT risk assessments as the basis for the SCI review after 
deeming them ``reasonable''? Why or why not? What is the current 
practice among objective personnel conducting assessments for SCI 
reviews? Please describe. What do commenters believe would be the 
advantages and disadvantages for this proposed requirement?
    78. Do commenters believe that it is appropriate that the SCI 
review include an assessment of ``the risks related to the capacity, 
integrity, resiliency, availability, and security,'' as proposed to be 
required in paragraph (1)(A) of the definition of SCI review under Rule 
1000? Why or why not?
    79. Do commenters believe that the revisions to the second 
assessment proposed to be required in paragraph (1)(A) of the 
definition of SCI review in Rule 1000 (replacing the phrase ``internal 
control design and effectiveness'' with ``internal control design and 
operating effectiveness,'' and adding ``systems capacity and 
availability'' and ``information technology service continuity'' to the 
current list of controls to be assessed) are appropriate as part of the 
SCI review? Why or why not?
    80. Do commenters agree that the third assessment proposed to be 
required as part of the SCI review, relating to third-party provider 
management risks and controls, is appropriate? Why or why not?
    81. Do commenters agree with the revision that the three 
assessments in paragraph (1) of the definition of SCI review be made 
``with respect to each'' SCI system and indirect SCI system, thereby 
requiring that these assessments be made for each applicable system for 
each SCI review every year? Why or why not?
    82. Do commenters agree that the SCI review and report of the SCI 
review should be conducted by an SCI entity ``for each calendar year 
during which it was an SCI entity for any part of such calendar year,'' 
as proposed to be added to Rule 1003(b)(1)? Why or why not?
    83. Do commenters believe that the requirements in proposed Rule 
1003(b)(2) are appropriate for the report of the SCI review? Why or why 
not? Do commenters believe additional requirements should be added or 
that any proposed requirements should be modified or not included? Why 
or why not? Please describe.
5. Current SCI Industry Standards
a. Overview of Current Rule 1001(a)(4)
    Rule 1001(a)(4) of Regulation SCI states that, for purposes of 
paragraph (a) of Rule 1001, an SCI entity's policies and procedures 
will be deemed to be reasonably designed if they are consistent with 
``current SCI industry standards.'' The provision defines ``current SCI 
industry standards'' to be ``comprised of information technology 
practices that are widely available to information technology 
professionals in the financial sector and issued by an authoritative 
body that is a U.S. governmental entity or agency, association of U.S. 
governmental entities or agencies, or widely recognized organization.'' 
In addition, Rule 1001(a)(4) also states that compliance with such 
current SCI industry standards shall not be the exclusive means to 
comply with the requirements of paragraph (a). Thus, Rule 1001(a)(4) 
provides a safe harbor for SCI entities to comply with Rule 1001(a) 
(i.e., they will be deemed to comply if they have policies and 
procedures that are consistent with current SCI industry standards), 
while at the same time stating that following such current SCI industry 
standards is not the sole means of achieving compliance with the rule.
b. Rule 1001(a)(4) Safe Harbor
    The Commission believes that utilizing current SCI industry 
standards is an appropriate way for SCI entities to develop their Rule 
1001(a) policies and procedures. It has been the experience of the 
Commission and its staff that some SCI entities look to publications 
issued by the federal government's National Institute of Standards and 
Technology (``NIST''), such as its Framework for Improving Critical 
Infrastructure Cybersecurity (``NIST Framework''),\355\ or to frameworks 
issued by

[[Page 23191]]

non-governmental bodies such as the International Organization for 
Standardization (``ISO'') \356\ or the Control Objectives for 
Information and Related Technologies (``COBIT''),\357\ and some SCI 
entities may not point to any specific industry standards at all. In 
addition, among those SCI entities that utilize industry standards, 
some may look to a single industry standard for most or all of their 
policies and procedures, while others may ``mix and match'' standards 
for different policies and procedures. And, in some cases, an SCI 
entity may utilize multiple industry standards for a single set of 
their policies and procedures.
---------------------------------------------------------------------------

    \355\ The NIST Framework is available at https://www.nist.gov/cyberframework/framework.
    \356\ ISO is an independent, non-governmental international 
organization, with a membership of national standards bodies, that 
develops and publishes international standards. See International 
Organization for Standardization, available at https://www.iso.org.
    \357\ COBIT is a leading framework for the enterprise governance 
of information and technology and is issued by ISACA, an 
international professional association focused on information 
technology governance. See ISACA, available at https://www.isaca.org.
---------------------------------------------------------------------------

    The Commission believes that use of industry standards continues to 
be an appropriate framework for SCI entities to model their policies 
and procedures.\358\ To make clear that Rule 1001(a)(4)'s reference to 
and definition of ``current SCI industry standards'' provides a safe 
harbor for SCI entities with respect to their Rule 1001(a) policies and 
procedures, the Commission proposes to add the words ``safe harbor'' in 
Rule 1001(a)(4).\359\
---------------------------------------------------------------------------

    \358\ We note that concurrent with the Commission's adoption of 
Regulation SCI in 2014, Commission staff stated its views regarding 
``current SCI industry standards,'' including a listing of examples 
of publications describing processes, guidelines, frameworks, or 
standards for each inspection area, or domain, an SCI entity could 
look to in developing its reasonably designed policies and 
procedures. See Commission, Staff Guidance on Current SCI Industry 
Standards (Nov. 19, 2014), available at https://www.sec.gov/rules/final/2014/staff-guidance-current-sci-industry-standards.pdf. 
Commission staff is reviewing staff statements with respect to 
Regulation SCI to determine whether any such statements, or portion 
thereof, should be revised or withdrawn in connection with any 
adoption of this proposal. These statements include the Staff 
Guidance on Current SCI Industry Standards, as well as the Responses 
to Frequently Asked Questions Concerning Regulation SCI, Sept. 2, 
2015 (Updated Aug. 21, 2019), available at https://www.sec.gov/divisions/marketreg/regulation-sci-faq.shtml.
    \359\ Specifically, the second sentence of Rule 1001(a)(4) would 
be revised to read: ``Compliance with such current SCI industry 
standards as a safe harbor, however, shall not be the exclusive 
means to comply with the requirements of paragraph (a) of this 
section.''
---------------------------------------------------------------------------

c. Identification of Current SCI Industry Standards Used
    In the experience of Commission staff, many SCI entities align 
their Rule 1001(a) policies and procedures, in part or whole, with 
current SCI industry standards, often referencing such standards in 
communications with Commission staff during inspections or 
examinations. However, some SCI entities do not reference any industry 
standard(s) for their Rule 1001(a) policies and procedures.
    In conjunction with the proposed revision to Rule 1001(a)(4), the 
Commission is proposing to add a new requirement in Rule 1001(a)(2), 
which lays out certain minimum requirements for an SCI entity's Rule 
1001(a) policies and procedures. Specifically, proposed new 17 CFR 
242.1001(a)(2)(xi) (``proposed Rule 1001(a)(2)(xi)'') would require 
that an SCI entity's policies and procedures include ``[a]n 
identification of the current SCI industry standard(s) with which each 
such policy and procedure is consistent, if any.'' SCI entities are not 
required to avail themselves of the safe harbor of Rule 1001(a)(4) by 
aligning their policies and procedures required by Rule 1001(a) with 
current SCI industry standards,\360\ but for SCI entities that choose 
to do so, this proposed provision would require SCI entities to provide 
a list of the specific current SCI industry standard(s) with which each 
of its policies and procedures is consistent. Thus, for example, such 
SCI entities would be required to identify the standard(s) used for 
their business continuity and disaster recovery policies and 
procedures, and separately identify the standard(s) used for their vendor 
management policies and procedures.
---------------------------------------------------------------------------

    \360\ For SCI entities that do not seek to avail themselves of 
the safe harbor of Rule 1001(a)(4), the requirements of proposed 
Rule 1001(a)(2)(xi) would not apply.
---------------------------------------------------------------------------

    In addition, the Commission recognizes that there may be cases in 
which an SCI entity may draw from multiple current SCI industry 
standards in developing a given policy and procedure, and proposed Rule 
1001(a)(2)(xi) recognizes this may be the case (``. . . the current SCI 
industry standard(s) . . .''). In such cases, an SCI entity may simply 
list multiple standards with which the given policy and procedure is 
consistent.
d. Request for Comment
    84. Do commenters agree with the proposed revisions to Rule 
1001(a)(4) relating to current SCI industry standards? Why or why not?
    85. Do SCI entities seek to make use of the safe harbor contained 
in Rule 1001(a)(4) for compliance with Rule 1001(a) of Regulation SCI? 
Why or why not? With what current SCI industry standard(s) do SCI 
entities seek to make their policies and procedures consistent?
    86. For an SCI entity that seeks to avail itself of the safe 
harbor, do commenters agree that an SCI entity should identify the 
current SCI industry standard(s) with which each of its policies and 
procedures is consistent? Why or why not?
6. Other Changes
    Rule 1002(c) of Regulation SCI requires that SCI entities 
disseminate information to their members or participants regarding SCI 
events.\361\ These information dissemination requirements are scaled 
based on the nature and severity of an event, with SCI entities 
required to disseminate certain information about the event to members 
or participants that the SCI entity reasonably estimated to have been 
affected by the SCI event, and, in the case of a major SCI event, to 
all members or participants.\362\ In connection with the proposal to 
include SCI broker-dealers as SCI entities, the Commission proposes 
that an SCI broker-dealer be required to disseminate information about 
an SCI event it is experiencing, in accordance with the requirements of 
Rule 1002(c), to its ``customers.'' As discussed above, the Commission 
proposes to include SCI broker-dealers as SCI entities because it 
believes that a systems issue at an SCI broker-dealer could, for 
example, impede the ability of other market participants to trade 
securities in a fair and orderly manner. As explained in the SCI 
Adopting Release, information about an SCI event is likely to be of 
greatest value to those market participants affected by it, who can use 
such information to evaluate the event's impact on their trading and 
other activities and develop an appropriate response.\363\ To the 
extent that an SCI event at a broker-dealer affects its customers 
(i.e., those with whom it trades or for whom it facilitates trades as 
an agent), the Commission believes that the SCI broker-dealer should 
inform them, and do so in the same manner and as required for other SCI 
entities, pursuant to Rule 1002(c). Similarly, and consistent with the 
current requirement of Rule 1002(b)(4)(ii)(B), an SCI broker-dealer 
would be required to include in its notices to the Commission a copy of 
any information it disseminated to its

[[Page 23192]]

customers.\364\ The Commission requests comment on the proposed 
amendments to Rule 1002(b)(4)(ii)(B) and Rule 1002(c) in section 
III.A.2.b above, which discusses the proposed definition of an SCI 
broker-dealer.\365\
---------------------------------------------------------------------------

    \361\ See 17 CFR 242.1002(c).
    \362\ Id. See also supra section II.B.3 (discussing current Rule 
1002(c)).
    \363\ See SCI Adopting Release, supra note 1 at 72334.
    \364\ Id. See also supra section II.B.3 (discussing current Rule 
1002(b)(4)).
    \365\ See supra section III.A.2.b.
---------------------------------------------------------------------------

    Rule 1005 of Regulation SCI requires SCI entities to make, keep, 
and preserve certain records related to their compliance with 
Regulation SCI.\366\ Rule 1005(c) specifies that the recordkeeping 
period survives even if an SCI entity ceases to do business or ceases 
to be registered under the Exchange Act. The Commission proposes to add 
that this survival provision applies to an SCI entity ``otherwise 
ceasing to be an SCI entity.'' This addition accounts for circumstances 
not expressly covered; specifically, those in which an SCI entity 
continues to do business or remains a registered entity, but may cease 
to qualify as an SCI entity, such as an SCI ATS that no longer 
satisfies a volume threshold. Such entities would not be excepted from 
complying with the recordkeeping provisions of Rule 1005 and would be 
required to make, keep, and preserve their records related to their 
compliance with Regulation SCI related to the period during which they 
were an SCI entity.
---------------------------------------------------------------------------

    \366\ See 17 CFR 242.1005. Rule 1005(a) of Regulation SCI 
relates to recordkeeping provisions for SCI SROs, whereas Rule 
1005(b) relates to the recordkeeping provision for SCI entities 
other than SCI SROs.
---------------------------------------------------------------------------

    In addition, Form SCI is proposed to be modified to conform the 
text of the General Instructions and description of the attached 
Exhibits to the other changes proposed herein. Specifically, the 
operational aspects of Form SCI filing are unchanged, except to reflect 
that quarterly reports of SCI events with no or a de minimis impact 
would pertain only to systems disruptions, and not to systems 
intrusions.\367\ Furthermore, the instructions to Exhibit 5 of Form SCI 
are proposed to be modified to reflect the requirement that an SCI 
entity's senior management respond to the report of the SCI 
review.\368\ In addition, the Commission proposes to update section I 
of the General Instructions for Form SCI: Explanation of Terms to 
reflect the proposed changes in the definitions in Rule 1000, by 
revising the definitions of SCI entity, SCI review, SCI systems, and 
Systems Intrusion.
---------------------------------------------------------------------------

    \367\ See supra section III.C.3.c (discussing proposed changes 
to Rule 1002(b)(5)(ii)).
    \368\ See supra section III.C.4 (discussing proposed changes to 
Rule 1003(b)(3)).
---------------------------------------------------------------------------

D. SCI Entities Subject to the Exchange Act Cybersecurity Proposal and/
or Regulation S-P

1. Discussion
a. Introduction
    The Commission separately is proposing the Exchange Act 
Cybersecurity Proposal,\369\ and separately is also proposing to amend 
Regulation S-P.\370\ As discussed in more detail below, certain types 
of SCI entities also are or would be subject to the Exchange Act 
Cybersecurity Proposal and/or Regulation S-P (currently and as it would 
be amended).\371\ The Exchange Act Cybersecurity Proposal and 
Regulation S-P (currently and as it would be amended) have or would 
have provisions requiring policies and procedures that address certain 
types of cybersecurity risks.\372\ The Exchange Act Cybersecurity 
Proposal also requires certain reporting to the Commission on Form SCIR 
of certain types of cybersecurity incidents.\373\ These notification 
and subsequent reporting requirements of the Exchange Act Cybersecurity 
Proposal are triggered by a ``significant cybersecurity incident,'' 
\374\ which could also be an SCI event such as a ``systems intrusion'' 
as that term would be defined in current and proposed Rule 1000 of 
Regulation SCI.\375\ Finally, the Exchange Act Cybersecurity Proposal 
and Regulation S-P (currently and as it would be amended) have or would 
have provisions requiring disclosures of certain cybersecurity 
incidents.\376\ Consequently, if the proposed amendments to Regulation 
SCI and the other proposals are all adopted as proposed, SCI entities 
could be subject to requirements of Regulation SCI that relate to certain 
proposed requirements of the Exchange Act Cybersecurity Proposal and 
certain existing and proposed requirements of Regulation S-P. In the 
Commission's view, this would be appropriate because, while the current 
and proposed cybersecurity requirements of Regulation SCI may impose 
some broadly similar obligations, Regulation SCI has a different scope 
and purpose than the Exchange Act Cybersecurity Proposal and Regulation 
S-P. Moreover, in many instances, compliance with the current and 
proposed cybersecurity requirements of Regulation SCI that relate to the 
proposed requirements of the Exchange Act Cybersecurity Proposal and 
the existing or proposed requirements of Regulation S-P can be 
accomplished through similar efforts.
---------------------------------------------------------------------------

    \369\ See Exchange Act Cybersecurity Proposal, supra note 10.
    \370\ See Regulation S-P 2023 Proposing Release, supra note 10.
    \371\ See proposed 17 CFR 242.10 of the Exchange Act 
Cybersecurity Proposal Rule (``Rule 10''); 17 CFR 248.1 through 
248.30 (Regulation S-P). See also section III.D.1.b. of this release 
(discussing the types of SCI Entities that are or would be subject 
to the Exchange Act Cybersecurity Proposal and/or Regulation S-P).
    \372\ See infra section III.D.1.c (discussing the proposed 
requirements of the Exchange Act Cybersecurity Proposal and the 
existing and proposed requirements of Regulation S-P to have 
policies and procedures that address certain cybersecurity risks).
    \373\ See infra section III.D.1.d (discussing the proposed 
Commission notification requirements of the Exchange Act 
Cybersecurity Proposal).
    \374\ The Exchange Act Cybersecurity Proposal defines a 
``significant cybersecurity incident'' to be a cybersecurity 
incident, or a group of related cybersecurity incidents, that: (i) 
Significantly disrupts or degrades the ability of the market entity 
to maintain critical operations; or (ii) Leads to the unauthorized 
access or use of the information or information systems of the 
market entity, where the unauthorized access or use of such 
information or information systems results in or is reasonably 
likely to result in: (A) Substantial harm to the market entity; or 
(B) Substantial harm to a customer, counterparty, member, 
registrant, or user of the market entity, or to any other market 
participant that interacts with the market entity. See proposed 
Sec. 242.10(a) of the Exchange Act Cybersecurity Proposal.
    \375\ See current and proposed Rule 1000 of Regulation SCI 
(defining the term ``systems intrusion'').
    \376\ See infra section III.D.1.e (discussing the proposed 
disclosure requirements of the Exchange Act Cybersecurity Proposal 
and the existing and proposed disclosure requirements of Regulation 
S-P).
---------------------------------------------------------------------------

    The specific instances in which the cybersecurity requirements of 
current and proposed Regulation SCI would relate to the proposed 
requirements of the Exchange Act Cybersecurity Proposal and the 
existing or proposed requirements of Regulation S-P are discussed 
briefly below. The Commission encourages interested persons to provide 
comments on the discussion below, as well as on the potential 
application of Regulation SCI, the Exchange Act Cybersecurity Proposal, 
and Regulation S-P. More specifically, the Commission encourages 
commenters: (1) to identify any areas where they believe the relation 
between the existing or proposed requirements of Regulation SCI and the 
proposed requirements of the Exchange Act Cybersecurity Proposal and 
the existing or proposed requirements of Regulation S-P would be 
particularly costly or create practical 
implementation difficulties; (2) to provide details on why these 
instances would be particularly costly or create practical 
implementation difficulties; and (3) to make recommendations on

[[Page 23193]]

how to minimize these potential impacts, while also achieving the goal 
of this proposal to address, among other things, the cybersecurity 
risks faced by SCI entities. To assist this effort, the Commission is 
seeking specific comment below on these topics.\377\
---------------------------------------------------------------------------

    \377\ See infra section III.D.2.
---------------------------------------------------------------------------

b. SCI Entities That Are or Would Be Subject to the Exchange Act 
Cybersecurity Proposal and/or Regulation S-P
    Various SCI entities under this proposal are or would be subject to 
the Exchange Act Cybersecurity Proposal and/or Regulation S-P 
(currently and as it would be amended). In particular, most SCI 
entities under Regulation SCI (currently and as it would be amended) 
would be subject to the requirements of the Exchange Act Cybersecurity 
Proposal. Specifically, all SCI entities other than plan processors and 
SCI competing consolidators that are or would be subject to Regulation 
SCI also would be subject to the Exchange Act Cybersecurity Proposal as 
``covered entities'' \378\ of that proposal. Therefore, if the proposed 
amendments to Regulation SCI and the Exchange Act Cybersecurity 
Proposal are all adopted as proposed, these SCI entities would be 
subject to the requirements of Regulation SCI in addition to the 
requirements of the Exchange Act Cybersecurity Proposal.
---------------------------------------------------------------------------

    \378\ The requirements of the Exchange Act Cybersecurity 
Proposal would apply to broker-dealers, clearing agencies, major 
security-based swap participants, the MSRB, national securities 
associations, national securities exchanges, security-based swap 
data repositories, security-based swap dealers, and transfer agents. 
See proposed 17 CFR 240.10(a). The Commission believes that a 
broker-dealer that exceeds one or more of the transaction activity 
thresholds under the proposed amendments to Regulation SCI (i.e., an 
SCI broker-dealer) likely would meet one of the broker-dealer 
definitions of ``covered entity'' in proposed Rule 10 of the 
Exchange Act Cybersecurity Proposal given their size and activities. 
For example, it would either be a carrying broker-dealer, have 
regulatory capital equal to or exceeding $50 million, have total 
assets equal to or exceeding $1 billion, or operate as a market 
maker. See paragraphs (a)(1)(i)(A), (C), (D), and (E) of proposed 
Rule 10. The Commission is seeking comment in the Exchange Act 
Cybersecurity Proposal as to whether a broker-dealer that is an SCI 
entity should be defined specifically as a ``covered entity'' under 
proposed Rule 10. See section II.A.10 of the Exchange Act 
Cybersecurity Proposal. In addition, the Commission requests comment 
in the Exchange Act Cybersecurity Proposal as to whether plan 
processors and SCI competing consolidators should be subject to its 
requirements. See id. The discussion in this section III.D focuses 
on the requirements of the Exchange Act Cybersecurity Proposal only 
as they would apply to current and proposed SCI entities.
---------------------------------------------------------------------------

    In addition, broker-dealers that would be subject to Regulation SCI 
and those that operate certain ATSs currently subject to Regulation ATS 
(i.e., as SCI ATSs or SCI broker-dealers) also are or would be subject 
to Regulation S-P (currently and as it would be amended).\379\ 
Therefore, if the proposed amendments to Regulation SCI and Regulation 
S-P are all adopted as proposed, broker-dealers could be subject to 
Regulation SCI in addition to the requirements of Regulation S-P 
(currently and as it would be amended).
---------------------------------------------------------------------------

    \379\ Regulation S-P applies to additional types of market 
participants that are not or would not be subject to Regulation SCI. 
See 17 CFR 248.3. For example, with regard to the proposed inclusion 
of broker-dealers, Regulation SCI would only be applicable to an 
estimated 17 broker-dealers under the proposed definition of SCI 
broker-dealer. The discussion in this section III.D focuses on the 
current and proposed requirements of Regulation S-P only as they 
would apply to current and proposed SCI entities.
---------------------------------------------------------------------------

c. Policies and Procedures To Address Cybersecurity Risks
    As discussed below, Regulation S-P currently has certain 
cybersecurity-related provisions. The Exchange Act Cybersecurity 
Proposal and the proposed amendments to Regulation S-P would add to 
these requirements. These existing and proposed requirements would 
relate to certain of the requirements of Regulation SCI (currently and 
as it would be amended). The Commission believes this result would be 
appropriate because the policies and procedures requirements of 
Regulation SCI (currently and as it would be amended) differ in scope 
and purpose from those of the Exchange Act Cybersecurity Proposal and 
Regulation S-P, and because the policies and procedures required under 
Regulation SCI that relate to cybersecurity (currently and as it would 
be amended) are generally consistent with the proposed requirements of 
the Exchange Act Cybersecurity Proposal and the existing and proposed 
requirements of Regulation S-P that pertain to cybersecurity.
i. Different Scope of the Policies and Procedures Requirements
    As discussed above in sections II.B and III.C, Regulation SCI 
(currently and as it would be amended) limits its requirements to SCI 
systems, which are certain systems of the SCI entity that support 
specified securities market related functions,\380\ and indirect SCI 
systems.\381\ Therefore, the policies and procedures requirements of 
Regulation SCI (currently and as it would be amended) that pertain to 
cybersecurity apply to SCI systems and indirect SCI systems. They do 
not and would not apply to other systems maintained by an SCI entity.
---------------------------------------------------------------------------

    \380\ See 17 CFR 242.1000 (defining ``SCI systems''). See also 
supra section II.B.1.
    \381\ See 17 CFR 242.1000 (defining ``indirect SCI systems''). 
See also supra section II.B.1.
---------------------------------------------------------------------------

    Regulation S-P's safeguards provisions currently apply to customer 
records and information.\382\ Regulation S-P defines ``customer'' to 
mean a consumer who has a customer relationship with the broker-
dealer.\383\ Regulation S-P further defines the term ``consumer'' to 
mean an individual who obtains or has obtained a financial product or 
service from the broker-dealer that is to be used primarily for 
personal, family, or household purposes, or that individual's legal 
representative.\384\ Regulation S-P's disposal provisions apply to 
consumer report information maintained for a business purpose.\385\ 
Regulation S-P currently defines ``consumer report information'' to 
mean any record about an individual, whether in paper, electronic or 
other form, that is a consumer report or is derived from a consumer 
report and also a compilation of such records.\386\ The Commission is 
separately proposing to amend the scope of information covered under 
both the Regulation S-P safeguards provisions and the Regulation S-P 
disposal provisions.\387\ The amendments, however, would not 
fundamentally broaden the scope of these provisions. Therefore, the 
existing and proposed policies and procedures requirements of the 
Regulation S-P safeguards and disposal provisions that pertain to 
cybersecurity would apply to customer and consumer-related information. 
They do not and would not apply to other types of information stored on 
the information systems of the broker-dealer.\388\
---------------------------------------------------------------------------

    \382\ See 17 CFR 248.30(a).
    \383\ See 17 CFR 248.3(j).
    \384\ See 17 CFR 248.3(g)(1).
    \385\ See 17 CFR 248.30(b)(2).
    \386\ See 17 CFR 248.30(b)(1)(ii).
    \387\ See Regulation S-P 2023 Proposing Release.
    \388\ Additionally, Regulation S-P (currently and as it would be 
amended) implicates cybersecurity to the extent that customer 
records or information or consumer report information is stored on 
an information system (e.g., on a computer). If this information is 
stored in paper form (e.g., in a file cabinet), the requirements of 
Regulation S-P apply but the policies and procedures required under 
the rule would need to address risks that are different than 
cybersecurity risks--for example, the physical security risk that 
individuals could gain unauthorized access to the room or file 
cabinet where the paper records are stored as compared to the 
cybersecurity risk that individuals could gain unauthorized access 
to the information system on which the records are stored 
electronically.
---------------------------------------------------------------------------

    Regulation SCI (currently and as it would be amended), the Exchange 
Act Cybersecurity Proposal, and Regulation S-P (currently and as it 
would be amended) would, therefore, differ in scope. The Exchange Act 
Cybersecurity

[[Page 23194]]

Proposal would require covered entities to establish, maintain, and 
enforce written policies and procedures that are reasonably designed to 
address their cybersecurity risks.\389\ Therefore, unlike Regulation SCI 
(currently and as it would be amended), the Exchange Act Cybersecurity 
Proposal does not limit its application to certain systems, or to the 
information residing on those systems, based on the functions and 
operations performed by the covered entity through the system or the 
use of the information residing on the system. In addition, unlike 
Regulation S-P (currently and as it would be amended), the Exchange Act 
Cybersecurity Proposal does not limit its application to a specific 
type of information residing on an information system.
---------------------------------------------------------------------------

    \389\ See paragraphs (b) and (e) of proposed Rule 10 (setting 
forth the requirements of covered entities, among others, to have 
policies and procedures to address their cybersecurity risks).
---------------------------------------------------------------------------

ii. Consistency of the Policies and Procedures Requirements
    The Commission also believes that it would be appropriate to apply 
Regulation SCI to SCI entities even if they also are subject to the 
requirements of the Exchange Act Cybersecurity Proposal and/or 
Regulation S-P (currently and as it would be amended) because an SCI 
entity could use one comprehensive set of policies and procedures to 
satisfy the requirements of the current and proposed cybersecurity-
related policies and procedures requirements of Regulation SCI, the 
Exchange Act Cybersecurity Proposal, and Regulation S-P. As explained 
below, the more focused current and proposed policies and procedures 
requirements of Regulation SCI and Regulation S-P addressing certain 
cybersecurity risks would logically fit within and be consistent with 
the broader policies and procedures required under the Exchange Act 
Cybersecurity Proposal to address all cybersecurity risks (including 
those outside of SCI systems and indirect SCI systems).
    SCI entities that would be covered entities under the proposed 
requirements of the Exchange Act Cybersecurity Proposal would be 
subject to the proposed policies and procedures requirements of the 
Exchange Act Cybersecurity Proposal. In addition, broker-dealers that 
would be subject to Regulation SCI and those that operate certain ATSs 
currently subject to Regulation ATS (i.e., as SCI ATSs or SCI broker-
dealers) are subject to the requirements of Regulation S-P (currently 
and as it would be amended).
    General Cybersecurity Policies and Procedures Requirements. 
Regulation SCI, Regulation S-P, and the Exchange Act Cybersecurity 
Proposal all include requirements that address certain cybersecurity-
related risks. Regulation SCI requires an SCI entity to have reasonably 
designed policies and procedures to ensure that its SCI systems and, 
for purposes of security standards, indirect SCI systems, have levels 
of capacity, integrity, resiliency, availability, and security, 
adequate to maintain the SCI entity's operational capability and 
promote the maintenance of fair and orderly markets.\390\
---------------------------------------------------------------------------

    \390\ See 17 CFR 242.1001(a)(1).
---------------------------------------------------------------------------

    Regulation S-P's safeguards provisions require broker-dealers to 
adopt written policies and procedures that address administrative, 
technical, and physical safeguards for the protection of customer 
records and information.\391\ Additionally, Regulation S-P's disposal 
provisions require broker-dealers that maintain or otherwise possess 
consumer report information for a business purpose to properly dispose 
of the information by taking reasonable measures to protect against 
unauthorized access to or use of the information in connection with its 
disposal.\392\
---------------------------------------------------------------------------

    \391\ See 17 CFR 248.30(a).
    \392\ See 17 CFR 248.30(b)(2). Regulation S-P currently defines 
the term ``disposal'' to mean: (1) the discarding or abandonment of 
consumer report information; or (2) the sale, donation, or transfer 
of any medium, including computer equipment, on which consumer 
report information is stored. See 17 CFR 248.30(b)(1)(iii).
---------------------------------------------------------------------------

    Rule 10 of the Exchange Act Cybersecurity Proposal would require a 
covered entity to establish, maintain, and enforce written policies and 
procedures that are reasonably designed to address the covered entity's 
cybersecurity risks. These requirements are designed to position 
covered entities to be better prepared to protect themselves against 
cybersecurity risks, to mitigate cybersecurity threats and 
vulnerabilities, and to recover from cybersecurity incidents. They are 
also designed to help ensure that covered entities focus their efforts 
and resources on the cybersecurity risks associated with their 
operations and business practices.
    A covered entity that implements reasonably designed policies and 
procedures in compliance with the requirements of the Exchange Act 
Cybersecurity Proposal that cover its SCI systems and indirect SCI 
systems should generally satisfy the current and proposed general 
policies and procedures requirements of Regulation SCI that pertain to 
cybersecurity.\393\ Similarly, policies and procedures implemented by a 
broker-dealer that is an SCI entity that are reasonably designed in 
compliance with the current and proposed cybersecurity requirements of 
Regulation SCI should generally satisfy the existing general policies 
and procedures requirements of Regulation S-P safeguards and disposal 
provisions discussed above that pertain to cybersecurity.
---------------------------------------------------------------------------

    \393\ The CAT System is a facility of each of the Participants 
and an SCI system. See also Joint Industry Plan; Order Approving the 
National Market System Plan Governing the Consolidated Audit Trail, 
Securities Exchange Act Release No. 79318 (Nov. 15, 2016), 81 FR 
84696, 84758 (Nov. 23, 2016) (``CAT NMS Plan Approval Order''). It 
would also qualify as an ``information system'' of each national 
securities exchange and each national securities association under 
the Exchange Act Cybersecurity Proposal. The CAT NMS Plan requires 
the CAT's Plan Processor to follow certain security protocols and 
industry standards, including the NIST Cyber Security Framework, 
subject to Participant oversight. See, e.g., CAT NMS Plan at 
Appendix D, Section 4.2. For the reasons discussed above and below 
with respect to SCI systems, the policies and procedures 
requirements of Regulation SCI are not intended to be inconsistent 
with the security protocols set forth in the CAT NMS Plan. Moreover, 
to the extent the CAT NMS Plan requires security protocols beyond 
those that would be required under Regulation SCI, those additional 
security protocols should generally fit within and be consistent 
with the policies and procedures required under the Exchange Act 
Cybersecurity Proposal to address all cybersecurity risks.
---------------------------------------------------------------------------

    Requirements to Oversee Service Providers. Under the amendments to 
Regulation SCI, the policies and procedures required of SCI entities 
would need to include a program to manage and oversee third-party 
providers that provide functionality, support or service, directly or 
indirectly, for SCI systems and indirect SCI systems; these 
requirements are discussed above in more detail in section III.C.2. In 
addition, proposed 
amendments to Regulation S-P's safeguards provisions would require 
broker-dealers to include written policies and procedures within their 
response programs that require their service providers, pursuant to a 
written contract, to take appropriate measures that are designed to 
protect against unauthorized access to or use of customer information, 
including notification to the broker-dealer in the event of any breach 
in security resulting in unauthorized access to customer information 
maintained by the service provider to enable the broker-dealer to 
implement its response program.\394\
---------------------------------------------------------------------------

    \394\ See Regulation S-P 2023 Proposing Release.
---------------------------------------------------------------------------

    Proposed Rule 10 of the Exchange Act Cybersecurity Proposal would 
have several policies and procedures requirements that are designed to 
address cybersecurity-related risks similar to those addressed by

[[Page 23195]]

these proposed amendments to Regulation SCI and Regulation S-P. First, 
a covered entity's policies and procedures under proposed 
Rule 10 would need to require periodic assessments of cybersecurity 
risks associated with the covered entity's information systems and 
information residing on those systems.\395\ This element of the 
policies and procedures would need to include requirements that the 
covered entity identify its service providers that receive, maintain, 
or process information, or are otherwise permitted to access its 
information systems and any of its information residing on those 
systems, and assess the cybersecurity risks associated with its use of 
these service providers.\396\ Second, under proposed Rule 10, a covered 
entity's policies and procedures would need to require oversight of 
service providers that receive, maintain, or process its information, 
or are otherwise permitted to access its information systems and the 
information residing on those systems, pursuant to a written contract 
between the covered entity and the service provider, and through that 
written contract the service providers would need to be required to 
implement and maintain appropriate measures that are designed to 
protect the covered entity's information systems and information 
residing on those systems.\397\
---------------------------------------------------------------------------

    \395\ See paragraph (b)(1)(i)(A) of proposed Rule 10; see also 
section II.B.1.a of the Exchange Act Cybersecurity Proposal 
(discussing this requirement in more detail).
    \396\ See paragraph (b)(1)(i)(A)(2) of proposed Rule 10.
    \397\ See paragraph (b)(1)(iii)(B) of proposed Rule 10; see 
also section II.B.1.c. of this release (discussing this requirement 
in more detail).
---------------------------------------------------------------------------

    A covered entity that implements these requirements of proposed 
Rule 10 of the Exchange Act Cybersecurity Proposal with respect to its 
SCI systems and indirect SCI systems should generally satisfy the 
proposed requirements of Regulation SCI that the SCI entity's policies 
and procedures include a program to manage and oversee third-party 
providers that provide functionality, support or service, directly or 
indirectly, for SCI systems and indirect SCI systems. Similarly, a 
broker-dealer that is an SCI entity that implements these requirements 
of Regulation SCI should generally comply with the proposed 
requirements of Regulation S-P's safeguards provisions relating to the 
oversight of service providers.
    Unauthorized Access Requirements. Under the proposed amendments to 
Regulation SCI, SCI entities would be required to have a program to 
prevent the unauthorized access to their SCI systems and indirect SCI 
systems, and information residing therein; these requirements are 
discussed above in more detail in section III.C.3.a. The proposed 
amendments to Regulation 
S-P's disposal provisions would require broker-dealers that maintain or 
otherwise possess consumer information or customer information for a 
business purpose to properly dispose of this information by taking 
reasonable measures to protect against unauthorized access to or use of 
the information in connection with its disposal.\398\ The broker-dealer 
would be required to adopt and implement written policies and 
procedures that address the proper disposal of consumer information and 
customer information in accordance with this standard.\399\
---------------------------------------------------------------------------

    \398\ See Regulation S-P 2023 Proposing Release. As discussed 
above, the general policies and procedures requirements of 
Regulation S-P's safeguards provisions require the policies and 
procedures--among other things--to protect against unauthorized 
access to or use of customer records or information that could 
result in substantial harm or inconvenience to any customer. See 17 
CFR 248.30(a)(3).
    \399\ See Regulation S-P 2023 Proposing Release.
---------------------------------------------------------------------------

    Proposed Rule 10 of the Exchange Act Cybersecurity Proposal would 
have several policies and procedures requirements that are designed to 
address cybersecurity-related risks similar to those addressed by these 
proposed requirements of Regulation SCI and the proposed disposal 
provisions of Regulation S-P. First, a covered entity's policies and 
procedures under proposed Rule 10 would need to include controls: (1) 
requiring standards of 
behavior for individuals authorized to access the covered entity's 
information systems and the information residing on those systems, such 
as an acceptable use policy; (2) identifying and authenticating 
individual users, including but not limited to implementing 
authentication measures that require users to present a combination of 
two or more credentials for access verification; (3) establishing 
procedures for the timely distribution, replacement, and revocation of 
passwords or methods of authentication; (4) restricting access to 
specific information systems of the covered entity or components 
thereof and the information residing on those systems solely to 
individuals requiring access to the systems and information as is 
necessary for them to perform their responsibilities and functions on 
behalf of the covered entity; and (5) securing remote access 
technologies.\400\
---------------------------------------------------------------------------

    \400\ See paragraphs (b)(1)(ii)(A) through (E) of proposed Rule 
10; see also section II.B.1.b of the Exchange Act Cybersecurity 
Proposal (discussing these requirements in more detail).
---------------------------------------------------------------------------

    Second, under proposed Rule 10, a covered entity's policies and 
procedures would need to include measures designed to protect the 
covered entity's information systems and protect the information 
residing on those systems from unauthorized access or use, based on a 
periodic assessment of the covered entity's information systems and the 
information that resides on the systems.\401\ The periodic assessment 
would need to take into account: (1) the sensitivity level and 
importance of the information to the covered entity's business 
operations; (2) whether any of the information is personal information; 
(3) where and how the information is accessed, stored and transmitted, 
including the monitoring of information in transmission; (4) the 
information systems' access controls and malware protection; and (5) 
the potential effect a cybersecurity incident involving the information 
could have on the covered entity and its customers, counterparties, 
members, registrants, or users, including the potential to cause a 
significant cybersecurity incident.\402\
---------------------------------------------------------------------------

    \401\ See paragraph (b)(1)(iii)(A) of proposed Rule 10; see also 
section II.B.1.c. of the Exchange Act Cybersecurity Proposal 
(discussing these requirements in more detail).
    \402\ See paragraphs (b)(1)(iii)(A)(1) through (5) of proposed 
Rule 10.
---------------------------------------------------------------------------

    A covered entity that implements these requirements of proposed 
Rule 10 of the Exchange Act Cybersecurity Proposal with respect to its 
SCI systems and indirect SCI systems should generally satisfy the 
proposed requirements of Regulation SCI that the SCI entity's policies 
and procedures include a program to prevent the unauthorized access to 
their SCI systems and indirect SCI systems, and information residing 
therein. Similarly, a broker-dealer that is an SCI entity that 
implements these proposed requirements of Regulation SCI should 
generally satisfy the proposed requirements of Regulation S-P's 
disposal provisions to adopt and implement written policies and 
procedures that address the proper disposal of consumer information and 
customer information.
    Review Requirements. The current and proposed provisions of 
Regulation SCI prescribe certain elements that must be included in each 
SCI entity's policies and procedures relating to regular reviews and 
testing, penetration testing, and the SCI review, and are discussed 
above in more detail in sections II.B.2, II.B.4, III.C.3.b, and 
III.C.4.
    Proposed Rule 10 of the Exchange Act Cybersecurity Proposal would 
have several policies and procedures requirements that are designed to

[[Page 23196]]

address cybersecurity-related risks similar to those addressed by these 
existing and proposed requirements of Regulation SCI. First, a covered 
entity's 
policies and procedures under proposed Rule 10 would need to require 
periodic assessments of cybersecurity risks associated with the covered 
entity's information systems and information residing on those 
systems.\403\ Moreover, this element of the policies and procedures 
would need to include requirements that the covered entity categorize 
and prioritize cybersecurity risks based on an inventory of the 
components of the covered entity's information systems and information 
residing on those systems and the potential effect of a cybersecurity 
incident on the covered entity.\404\ Second, under proposed Rule 10, a 
covered entity's policies and procedures would need to require measures 
designed to detect, mitigate, and remediate any cybersecurity threats 
and vulnerabilities with respect to the covered entity's information 
systems and the information residing on those systems.\405\
---------------------------------------------------------------------------

    \403\ See paragraph (b)(1)(i)(A) of proposed Rule 10; see also 
section II.B.1.a of the Exchange Act Cybersecurity Proposal 
(discussing this requirement in more detail).
    \404\ See paragraph (b)(1)(i)(A)(1) of proposed Rule 10.
    \405\ See paragraph (b)(1)(iv) of proposed Rule 10; see also 
section II.B.1.d of the Exchange Act Cybersecurity Proposal 
(discussing this requirement in more detail).
---------------------------------------------------------------------------

    A covered entity that implements these requirements of proposed 
Rule 10 with respect to its SCI systems and indirect SCI systems should 
generally satisfy the current requirements of Regulation SCI that the 
SCI entity's policies and procedures require regular reviews and 
testing of SCI systems and indirect SCI systems, including backup 
systems, to identify vulnerabilities from internal and external 
threats. Further, while proposed Rule 10 does not require penetration 
testing, the proposed rule requires measures designed to protect the 
covered entity's information systems and protect the information 
residing on those systems from unauthorized access or use, based on a 
periodic assessment of the covered entity's information systems and the 
information that resides on the systems,\406\ and penetration testing 
could be part of these measures.\407\ Therefore, the existing and 
proposed requirements of Regulation SCI requiring penetration testing 
could be incorporated into and should logically fit within a covered 
entity's policies and procedures to address cybersecurity risks under 
proposed Rule 10 of the Exchange Act Cybersecurity Proposal.
---------------------------------------------------------------------------

    \406\ See paragraph (b)(1)(iii)(A) of proposed Rule 10.
    \407\ See also section II.B.1.c of the Exchange Act 
Cybersecurity Proposal.
---------------------------------------------------------------------------

    Response Program. Regulation SCI requires SCI entities to have 
policies and procedures to monitor their SCI systems and indirect SCI 
systems for SCI events, which include systems intrusions for 
unauthorized access, and also requires them to have policies and 
procedures that include escalation procedures to quickly inform 
responsible SCI personnel of potential SCI events, which are discussed 
above in more detail in section II.B.2.\408\ The amendments to 
Regulation S-P's safeguards provisions would require the policies and 
procedures to include a response program for unauthorized access to or 
use of customer information. Further, the response program would need 
to be reasonably designed to detect, respond to, and recover from 
unauthorized access to or use of customer information, including 
procedures, among others: (1) to assess the nature and scope of any 
incident involving unauthorized access to or use of customer 
information and identify the customer information systems and types of 
customer information that may have been accessed or used without 
authorization; and (2) to take appropriate steps to contain and control 
the incident to prevent further unauthorized access to or use of 
customer information.\409\
---------------------------------------------------------------------------

    \408\ See paragraphs (a)(2)(vii) and (c)(1) of Rule 1001 of 
Regulation SCI, respectively. See also Rule 1002(a) of Regulation 
SCI and supra sections II.B.3 and III.C.3.c (discussing Regulation 
SCI's current and proposed requirements with respect to taking 
corrective action for SCI events, including systems intrusions).
    \409\ See Regulation S-P 2023 Proposing Release. The response 
program also would need to have procedures to notify each affected 
individual whose sensitive customer information was, or is 
reasonably likely to have been, accessed or used without 
authorization unless the covered institution determines, after a 
reasonable investigation of the facts and circumstances of the 
incident of unauthorized access to or use of sensitive customer 
information, the sensitive customer information has not been, and is 
not reasonably likely to be, used in a manner that would result in 
substantial harm or inconvenience. See id.
---------------------------------------------------------------------------

    Proposed Rule 10 of the Exchange Act Cybersecurity Proposal would 
have several policies and procedures requirements that are designed to 
address cybersecurity-related risks similar to those addressed by these 
proposed requirements of Regulation SCI and the proposed requirements 
of the safeguards provisions of Regulation S-P. First, under proposed 
Rule 10, 
a covered entity's policies and procedures would need to have measures 
designed to detect, mitigate, and remediate any cybersecurity threats 
and vulnerabilities with respect to the covered entity's information 
systems and the information residing on those systems.\410\ Second, 
under proposed Rule 10, a covered entity's policies and procedures 
would need to have measures designed to detect, respond to, and recover 
from a cybersecurity incident, including policies and procedures that 
are reasonably designed to ensure (among other things): (1) the 
continued operations of the covered entity; (2) the protection of the 
covered entity's information systems and the information residing on 
those systems; and (3) external and internal cybersecurity incident 
information sharing and communications.\411\
---------------------------------------------------------------------------

    \410\ See paragraph (b)(1)(iv) of proposed Rule 10; see also 
section II.B.1.d of the Exchange Act Cybersecurity Proposal 
(discussing this requirement in more detail).
    \411\ See paragraph (b)(1)(v) of proposed Rule 10; see also 
section II.B.1.e of the Exchange Act Cybersecurity Proposal 
(discussing this requirement in more detail).
---------------------------------------------------------------------------

    A covered entity that implements reasonably designed policies and 
procedures in compliance with these requirements of proposed Rule 10 of 
the Exchange Act Cybersecurity Proposal should generally satisfy the 
current and proposed requirements of Regulation SCI and Regulation S-
P's safeguards provisions relating to response programs for 
unauthorized access.
d. Commission Notification
    As discussed above in sections II.B.3 and III.C.3.c, Regulation SCI 
(currently and as it would be amended) provides the framework for 
notifying the Commission of SCI events including, among other things, 
requirements to: notify the Commission of the event immediately; 
provide a written notification on Form SCI within 24 hours that 
includes a description of the SCI event and the system(s) affected, 
with other information required to the extent available at the time; 
provide regular updates regarding the SCI event until the event is 
resolved; and submit a final detailed written report regarding the SCI 
event.\412\ If proposed Rule 10 of the Exchange Act Cybersecurity 
Proposal is adopted as proposed, it would establish a framework for 
covered entities to provide the Commission (and other regulators, if 
applicable) with immediate written electronic notice of a significant 
cybersecurity incident affecting the covered entity and, thereafter, 
report and update information about the

[[Page 23197]]

significant cybersecurity incident by filing Part I of proposed Form 
SCIR with the Commission (and other regulators, if applicable).\413\ 
Part I of proposed Form SCIR would elicit information about the 
significant cybersecurity incident and the covered entity's efforts to 
respond to, and recover from, the incident.
---------------------------------------------------------------------------

    \412\ See 17 CFR 242.1002(b); supra sections II.B.2 and 
III.C.3.c (discussing Regulation SCI's current and proposed 
requirements relating to SCI events, which include systems 
intrusions, and Commission notification for SCI events).
    \413\ See paragraphs (c)(1) and (2) of proposed Rule 10 
(requiring covered entities to provide immediate written notice and 
subsequent reporting on Part I of proposed Form SCIR of significant 
cybersecurity incidents); and sections II.B.2. and II.B.4. of the 
Exchange Act Cybersecurity Proposal (discussing the requirements of 
paragraphs (c)(1) and (2) of proposed Rule 10 and Part I of Form 
SCIR in more detail).
---------------------------------------------------------------------------

    Consequently, an SCI entity that is also a covered entity under the 
Exchange Act Cybersecurity Proposal that experiences a systems 
intrusion under Regulation SCI that also is a significant cybersecurity 
incident under proposed Rule 10 would be required to make two filings 
for the single incident: one on Form SCI and the other on Part I of 
proposed Form SCIR. The SCI entity also would be required to make 
additional filings on Forms SCI and SCIR pertaining to the systems 
intrusion (i.e., to provide updates and final reports). The Commission 
believes the approach of having two separate notification and reporting 
programs--one under Regulation SCI and the other under proposed Rule 10 
of the Exchange Act Cybersecurity Proposal--would be appropriate for 
the following reasons.
    As discussed earlier, most broker-dealers would not be SCI entities 
under the current and proposed requirements of Regulation SCI.\414\ 
Certain of the broker-dealers that are not SCI entities (currently and 
as it would be amended) would be covered entities under the Exchange 
Act Cybersecurity Proposal, as would other types of entities.\415\ In 
addition, the current and proposed reporting requirements of Regulation 
SCI are or would be triggered by events impacting SCI systems and 
indirect SCI systems. In addition to SCI systems and indirect SCI 
systems, covered entities that are or would be SCI entities use and 
rely on information systems that are not SCI systems or indirect SCI 
systems under the current and proposed amendments to Regulation SCI. 
For these reasons, covered entities under the Exchange Act 
Cybersecurity Proposal could be impacted by significant cybersecurity 
incidents that do not trigger the current and proposed notification 
requirements of Regulation SCI either because they do not meet the 
current or proposed definitions of ``SCI entity'' or because the 
significant cybersecurity incident does not meet the current or 
proposed definitions of ``SCI event.''
---------------------------------------------------------------------------

    \414\ See section II.F.1.b of the Exchange Act Cybersecurity 
Proposal.
    \415\ See paragraphs (a)(1)(i)(A) and (F) of proposed Rule 10 
(defining the categories of broker-dealers that would be covered 
entities); see also supra note 378.
---------------------------------------------------------------------------

    The objective of the notification and reporting requirements of 
proposed Rule 10 of the Exchange Act Cybersecurity Proposal is to 
improve the Commission's ability to monitor and respond to significant 
cybersecurity incidents and use the information reported about them to 
better understand how they can be avoided or mitigated.\416\ For this 
reason, Part I of proposed Form SCIR is tailored to elicit information 
relating specifically to cybersecurity, such as information relating to 
the threat actor, and the impact of the incident on any data or 
personal information that may have been accessed.\417\ The Commission 
and its staff could use the information reported on Part I of Form SCIR 
to monitor the U.S. securities markets and the covered entities that 
support those markets broadly from a cybersecurity perspective, 
including identifying cybersecurity threats and trends from a market-
wide view. By requiring all covered entities to report information 
about a significant cybersecurity incident on a common form, the 
information obtained from these filings over time would create a 
comprehensive set of data of all significant cybersecurity incidents 
impacting covered entities that is based on these entities responding 
to the same check boxes and questions on the form. This would 
facilitate analysis of the data, including analysis across different 
covered entities and significant cybersecurity incidents. Eventually, 
this set of data and the ability to analyze it by searching and sorting 
how different covered entities responded to the same questions on the 
form could be used to spot common trending risks and vulnerabilities as 
well as best practices employed by covered entities to respond to and 
recover from significant cybersecurity incidents.\418\
---------------------------------------------------------------------------

    \416\ See section II.B.2.a of the Exchange Act Cybersecurity 
Proposal.
    \417\ See section II.B.2.b of the Exchange Act Cybersecurity 
Proposal.
    \418\ FSOC has found that ``[s]haring timely and actionable 
cybersecurity information can reduce the risk that cybersecurity 
incidents occur and can mitigate the impacts of those that do 
occur.'' FSOC, Annual Report (2021), available at https://home.treasury.gov/system/files/261/FSOC2021AnnualReport.pdf (``FSOC 
2021 Annual Report'').
---------------------------------------------------------------------------

    The current and proposed definitions of ``SCI event'' include not 
only cybersecurity events, but also events that are not related to 
significant cybersecurity incidents under the Exchange Act 
Cybersecurity Proposal.\419\ For example, under the current and 
proposed requirements of Regulation SCI, the definition of ``SCI 
event'' includes ``systems disruptions,'' which are events in an SCI 
entity's SCI systems that disrupt, or significantly degrade, the 
normal operation of an SCI system.\420\ Therefore, the definitions are 
not limited to events in an SCI entity's SCI systems that disrupt, or 
significantly degrade, the normal operation of an SCI system caused by 
a significant cybersecurity incident. The information elicited in Form 
SCI reflects the broader scope of the reporting requirements of 
Regulation SCI (as compared to the narrower focus of proposed Rule 10 
on reporting about significant cybersecurity incidents). For example, 
Form SCI requires the SCI entity to identify the type of SCI event: 
systems compliance issue, systems disruption, and/or systems intrusion. 
In addition, Form SCI is tailored to elicit information specifically 
about SCI systems. For example, the form requires the SCI entity to 
indicate whether the type of SCI system impacted by the SCI event 
directly supports: (1) trading; (2) clearance and settlement; (3) order 
routing; (4) market data; (5) market regulation; and/or (6) market 
surveillance. If the impacted system is a critical SCI system, the SCI 
entity must indicate whether it directly supports functionality 
relating to: (1) clearance and settlement systems of clearing agencies; 
(2) openings, reopenings, and closings on the primary listing market; 
(3) trading halts; (4) initial public offerings; (5) the provision of 
consolidated market data; and/or (6) exclusively listed securities. The 
form also requires the SCI entity to indicate whether the impacted 
systems are ones that provide functionality to the securities markets 
for which the availability of alternatives is significantly limited or 
nonexistent and without which there would be a material impact on fair 
and orderly markets.
---------------------------------------------------------------------------

    \419\ See 17 CFR 242.1000 (defining the term ``SCI event''); see 
also supra sections II.B.3 and III.C.3.c (discussing the current and 
proposed requirements relating to SCI events, including systems 
intrusions).
    \420\ See 17 CFR 242.1000 (defining the term ``system 
disruption'' and including that term in the definition of ``SCI 
event'').
---------------------------------------------------------------------------

e. Information Dissemination and Disclosure
    As discussed above in sections II.B.3 and III.C.3.c, Regulation SCI 
(currently and as it would be amended) would require that SCI entities 
disseminate information to their members, 
participants, or customers (as applicable) regarding SCI events, 
including systems intrusions.\421\ The proposed amendments to 
Regulation S-P would require broker-dealers to notify affected 
individuals whose sensitive customer information was, or is reasonably 
likely to have been, accessed or used without authorization.\422\ 
Proposed Rule 10 of the Exchange Act Cybersecurity Proposal would 
require a covered entity to make two types of public disclosures 
relating to cybersecurity on Part II of proposed Form SCIR.\423\ 
Covered entities would be required to make the disclosures by filing 
Part II of proposed Form SCIR on the Electronic Data Gathering, 
Analysis, and Retrieval (EDGAR) system and posting a copy of the filing 
on their business websites.\424\ In addition, a covered entity that is 
either a carrying or introducing broker-dealer would be required to 
provide a copy of the most recently filed Part II of Form SCIR to a 
customer as part of the account opening process. Thereafter, the 
carrying or introducing broker-dealer would need to provide the 
customer with the most recently filed form annually. The copies of the 
form would need to be provided to the customer using the same means 
that the customer elects to receive account statements (e.g., by email 
or through the postal service). Finally, a covered entity would be 
required to make updated disclosures promptly through each of the 
methods described above (as applicable) if the information required to 
be disclosed about cybersecurity risk or significant cybersecurity 
incidents materially changes, including, in the case of the disclosure 
about significant cybersecurity incidents, after the occurrence of a 
new significant cybersecurity incident or when information about a 
previously disclosed significant cybersecurity incident materially 
changes.
---------------------------------------------------------------------------

    \421\ See 17 CFR 242.1002(c).
    \422\ However, disclosure under proposed Regulation S-P would 
not be required if ``a covered institution has determined, after a 
reasonable investigation of the facts and circumstances of the 
incident of unauthorized access to or use of sensitive customer 
information, that sensitive customer information has not been, and 
is not reasonably likely to be, used in a manner that would result 
in substantial harm or inconvenience.'' See Regulation S-P 2023 
Proposing Release. The proposed amendments to Regulation S-P would 
define ``sensitive customer information'' to mean any component of 
customer information alone or in conjunction with any other 
information, the compromise of which could create a reasonably 
likely risk of substantial harm or inconvenience to an individual 
identified with the information. Id. The proposed amendments would 
provide examples of sensitive customer information. Id.
    \423\ See paragraph (d)(1) of proposed Rule 10.
    \424\ See section II.B.3.b (discussing these proposed 
requirements in more detail).
---------------------------------------------------------------------------

    Consequently, a covered entity would, if it experiences a 
``significant cybersecurity incident,'' be required to make updated 
disclosures under proposed Rule 10 by filing Part II of proposed Form 
SCIR on EDGAR, posting a copy of the form on its business website, and, 
in the case of a carrying or introducing broker-dealer, by sending the 
disclosure to its customers using the same means that the customer 
elects to receive account statements. Thus, if an SCI entity is a 
covered entity under the Exchange Act Cybersecurity Proposal and if the 
SCI event would be a significant cybersecurity incident under the 
Exchange Act Cybersecurity Proposal, the SCI entity also could be 
required to disseminate certain information about the SCI event to 
certain of its members, participants, or customers (as applicable). 
Further, if the SCI entity is a broker-dealer and, therefore, subject 
to Regulation S-P (as it is proposed to be amended), the broker-dealer 
also could be required to notify individuals whose sensitive customer 
information was, or is reasonably likely to have been, accessed or used 
without authorization.
    However, the Commission believes that this result would be 
appropriate. First, as discussed above, Regulation SCI (currently and 
as it would be amended), proposed Rule 10, and Regulation S-P (as 
proposed to be amended) require different types of information to be 
disclosed. Second, as discussed above, the disclosures, for the most 
part, would be made to different persons: (1) affected members,\425\ 
participants, or customers (as applicable) of the SCI entity in the 
case of Regulation SCI; (2) the public at large in the case of proposed 
Rule 10 of the Exchange Act Cybersecurity Proposal;\426\ and (3) 
affected individuals whose sensitive customer information was, or is 
reasonably likely to have been, accessed or used without authorization 
or, in some cases, all individuals whose information resides in the 
customer information system that was accessed or used without 
authorization in the case of Regulation S-P (as proposed to be 
amended).\427\ For these reasons, the Commission believes it would be 
appropriate to apply these current and proposed requirements of 
Regulation SCI to SCI entities even if they would be subject to the 
disclosure requirements of proposed Rule 10 of the Exchange Act 
Cybersecurity Proposal and/or Regulation S-P (as proposed to be 
amended).
---------------------------------------------------------------------------

    \425\ Information regarding major SCI events would be required 
to be disseminated by an SCI entity to all of its members, 
participants, or customers (as applicable). See current and proposed 
Rule 1002(c)(3) of Regulation SCI.
    \426\ A carrying broker-dealer would be required to make the 
disclosures to its customers as well through the means by which they 
receive account statements.
    \427\ Under the Regulation SCI and Regulation S-P proposals, 
there could be circumstances in which a compromise involving 
sensitive customer information at a broker-dealer that is an SCI 
entity could result in two forms of notification being provided to 
customers for the same incident. In addition, under the Exchange Act 
Cybersecurity Proposal, the broker-dealer also may need to publicly 
disclose a summary description of the incident via EDGAR and the 
entity's business internet website, and, in the case of an 
introducing or carrying broker-dealer, send a copy of the disclosure 
to its customers.
---------------------------------------------------------------------------

2. Request for Comment
    The Commission requests comment on the relation between the 
requirements of Regulation SCI (as it currently exists and as it is 
proposed to be amended), proposed Rule 10, and Regulation S-P (as it 
currently exists and as it is proposed to be amended). In addition, the 
Commission is requesting comment on the following matters:
    87. Should the policies and procedures requirements of current and 
proposed Regulation SCI regarding cybersecurity be modified to address 
SCI entities that also would be subject to proposed Rule 10 of the 
Exchange Act Cybersecurity Proposal and/or the existing and proposed 
requirements of Regulation S-P? For example, would it be particularly 
costly or create practical implementation difficulties to apply the 
requirements of current and proposed Regulation SCI to have policies 
and procedures to address cybersecurity risks to SCI entities even if 
they also would be subject to requirements to have policies and 
procedures under proposed Rule 10 (if it is adopted) and/or Regulation 
S-P that address certain cybersecurity risks (currently and as they 
would be amended)? If so, explain why. If not, explain why not. Are 
there ways the policies and procedures requirements of current or 
proposed Regulation SCI regarding cybersecurity could be modified to 
minimize these 
potential impacts while achieving the separate goals of this proposal? 
If so, explain how and suggest specific modifications.
    88. Should the Commission notification and reporting requirements 
of current and proposed Regulation SCI be modified to address SCI 
entities that also would be subject to the proposed requirements of 
Rule 10 of the Exchange Act Cybersecurity Proposal? For example, would 
it be particularly costly or create practical implementation 
difficulties to apply the Commission notification and reporting 
requirements 
of current and proposed Regulation SCI and Form SCI to SCI entities 
even if they also would be subject to immediate notification and 
subsequent reporting requirements under proposed Rule 10 of the 
Exchange Act Cybersecurity Proposal and Part I of proposed Form SCIR 
(if they are adopted)? If so, explain why. If not, explain why not. Are 
there ways the Commission notification and reporting requirements of 
current or proposed Regulation SCI and Form SCI could be modified to 
minimize these potential impacts while achieving the separate goals of 
this proposal? If so, explain how and suggest specific modifications. 
For example, should Form SCI be modified to include a section that 
incorporates the check boxes and questions of Part I of Form SCIR so 
that a single form could be filed to meet the reporting requirements of 
Regulation SCI and proposed Rule 10? If so, explain why. If not, 
explain why not. Should the Commission modify the proposed Commission 
notification framework for systems intrusions that are also significant 
cybersecurity incidents under Rule 10? For example, should such systems 
intrusions be initially reported (i.e., immediately and for the 24-hour 
notification) on Form SCI, with subsequent reports exempted from Rule 
1002(b)'s requirements if they are reported to the Commission on Form 
SCIR pursuant to the proposed requirements of Rule 10? Why or why not? 
Are there other ways Form SCI could be modified to combine the elements 
of Part I of Form SCIR? If so, explain how.
    89. Should the disclosure requirements of proposed and current 
Regulation SCI be modified to address SCI entities that also would be 
subject to the proposed requirements of the Exchange Act Cybersecurity 
Proposal and the existing and proposed requirements of Regulation S-P? 
For example, would it be particularly costly or create practical 
implementation difficulties to apply the disclosure requirements of 
current and proposed Regulation SCI to SCI entities even if they also 
would be subject to proposed Rule 10 and Part II of proposed Form 
SCIR (if they are adopted) and/or the current and proposed requirements 
of 
Regulation S-P? If so, explain why. If not, explain why not. Are there 
ways the disclosure requirements of Regulation SCI could be modified to 
minimize these potential impacts while achieving the separate goals of 
this proposal? If so, explain how and suggest specific modifications.
    90. Would the addition of the requirements in the Exchange Act 
Cybersecurity Proposal--together with the current broker-dealer 
regulatory regime, including the Market Access Rule and other 
Commission and FINRA rules--be sufficient to reasonably ensure the 
operational capability of the technological systems of the proposed SCI 
broker-dealers? Why or why not? For example, are there any provisions 
of Regulation SCI that, if added to the Exchange Act Cybersecurity 
Proposal as it applies to broker-dealers, would help ensure the 
operational capability of the technological systems of the proposed SCI 
broker-dealers? Which provisions?

IV. Paperwork Reduction Act

    Certain provisions of the proposal would contain a new ``collection 
of information'' within the meaning of the Paperwork Reduction Act of 
1995 (``PRA'').\428\ The Commission is submitting the proposed rule 
amendments to the Office of Management and Budget (``OMB'') for review 
and approval in accordance with the PRA and its implementing 
regulations.\429\ An agency may not conduct or sponsor, and a person is 
not required to respond to a collection of information unless it 
displays a currently valid OMB control number.\430\ The Commission is 
proposing to alter the 31 existing collections of information and apply 
such collections of information to new categories of respondents. The 
title for the collections of information is: Regulation Systems 
Compliance and Integrity (OMB control number 3235-0703). The burden 
estimates contained in this section do not include any other possible 
costs or economic effects beyond the burdens required to be calculated 
for PRA purposes.
---------------------------------------------------------------------------

    \428\ See 44 U.S.C. 3501 et seq.
    \429\ See 44 U.S.C. 3507; 5 CFR 1320.11.
    \430\ See 5 CFR 1320.11(l).
---------------------------------------------------------------------------

A. Summary of Collections of Information

    The proposed amendments to Regulation SCI create paperwork burdens 
under the PRA by (1) adding new categories of respondents to the 31 
existing collections of information (across 7 rules) noted above and 
(2) modifying the requirements of 16 of those collections, as noted 
below. For entities that are already required to comply with Regulation 
SCI (``Current SCI Entities''), the proposed amendments would result in 
the modification of certain collections of information. Entities that 
would become subject to Regulation SCI as a result of the proposed 
amendments (``New SCI Entities'') would be newly subject to the 31 
existing collections of information, including the modifications.\431\ 
The collections of information and applicable categories of new 
respondents are summarized (by rule) in the following table.\432\
---------------------------------------------------------------------------

    \431\ See infra section IV.C (Respondents) for more information 
on Current SCI Entities and New SCI Entities.
    \432\ Unless otherwise described, none of the existing 
information collections are being revised with new requirements.

----------------------------------------------------------------------------------------------------------------
     Collection of information                Rule                Burden description       Respondent categories
----------------------------------------------------------------------------------------------------------------
Rule 1001 of Regulation SCI........  Rule 1001(a)..........  Rule Description:            Current SCI Entities
                                                              Requirement to establish,    and New SCI Entities.
                                                              maintain, and enforce
                                                              written policies and
                                                              procedures related to
                                                              capacity, integrity,
                                                              resiliency, availability,
                                                              and security.
                                                             Revised burden: ensure
                                                              policies and procedures
                                                              include a program to
                                                              manage and oversee third-
                                                              party providers that
                                                              provide functionality,
                                                              support or service for the
                                                              SCI entity's SCI systems;
                                                              inventory all SCI systems,
                                                              include a program to
                                                              prevent unauthorized
                                                              access to SCI systems and
                                                              the information residing
                                                              therein, identify
                                                              the SCI industry standard
                                                              with which such policy and
                                                              procedure is consistent,
                                                              if any.

                                     Rule 1001(b)..........  Rule Description:            New SCI Entities.
                                                              Requirement to establish,
                                                              maintain, and enforce
                                                              policies and procedures
                                                              reasonably designed to
                                                              ensure that its SCI
                                                              systems operate in a
                                                              manner that complies with
                                                              the Exchange Act, rules
                                                              and regulations
                                                              thereunder, and the
                                                              entity's rules and
                                                              governing documents.
                                     Rule 1001(c)..........  Rule Description:            New SCI Entities.
                                                              Establish, maintain, and
                                                              enforce reasonably
                                                              designed written policies
                                                              and procedures that
                                                              include the criteria for
                                                              identifying responsible
                                                              SCI personnel, the
                                                              designation and
                                                              documentation of
                                                              responsible SCI personnel,
                                                              and escalation procedures
                                                              to inform responsible SCI
                                                              personnel of potential SCI
                                                              events.
Rule 1002 of Regulation SCI........  Rule 1002(a)..........  Rule Description: Each SCI   New SCI Entities.
                                                              entity is required to take
                                                              appropriate corrective
                                                              action upon any
                                                              responsible SCI personnel
                                                              having a reasonable basis
                                                              to conclude that an SCI
                                                              event has occurred.
                                     Rule 1002(b)..........  Rule Description: Rules      Current SCI Entities
                                                              1002(b)(1) through (4):      and New SCI Entities.
                                                              Requirement that each SCI
                                                              entity, upon any
                                                              responsible SCI personnel
                                                              having a reasonable basis
                                                              to conclude that an SCI
                                                              event has occurred, notify
                                                              the Commission immediately
                                                              of such SCI event and
                                                              submit a written
                                                              notification within 24
                                                              hours of responsible SCI
                                                              personnel having a
                                                              reasonable basis to
                                                              conclude there was an SCI
                                                              event. Periodic updates
                                                              are required pertaining to
                                                              the SCI event on either a
                                                              regular basis or at such
                                                              frequency requested by
                                                              representatives of the
                                                              Commission. An interim
                                                              written notification is
                                                              required if the SCI event
                                                              is not closed within 30
                                                              days of its occurrence. A
                                                              final notification is
                                                              required to be submitted
                                                              within five days of the
                                                              resolution and closure of
                                                              the SCI event.
                                                             Rule 1002(b)(5): For events
                                                              that the SCI entity
                                                              reasonably estimates would
                                                              have no, or a de minimis
                                                              impact on the SCI entity's
                                                              operations or on market
                                                              participants, submit a
                                                              report within 30 days
                                                              after the end of each
                                                              calendar quarter
                                                              containing a summary
                                                              description of such
                                                              systems disruptions and
                                                              systems intrusions.
                                                             Revised burden: add (1)
                                                              cybersecurity events that
                                                              disrupt, or significantly
                                                              degrade the normal
                                                              operation of an SCI
                                                              system, and (2)
                                                              significant attempted
                                                              unauthorized entries into
                                                              SCI systems or indirect
                                                              SCI systems, as determined
                                                              by the SCI entity pursuant
                                                              to established reasonable
                                                              written criteria, to the
                                                              definition of systems
                                                              intrusions in Rule 1000,
                                                              thus requiring that SCI
                                                              entities provide
                                                              notifications under Rule
                                                              1002(b)(1) through (4);
                                                              eliminate the de minimis
                                                              exception's applicability
                                                              to systems intrusions,
                                                              thus requiring all systems
                                                              intrusions to be reported
                                                              pursuant to Rule
                                                              1002(b)(1) through (4);
                                                              require interim written
                                                              notification to the
                                                              Commission to include a
                                                              copy of any information
                                                              disseminated pursuant to
                                                              Rule 1002(c) regarding the
                                                              SCI event by SCI broker-
                                                              dealers to their customers.
                                     Rule 1002(c)..........  Rule Description:            Current SCI Entities
                                                              Requirements to              and New SCI Entities.
                                                              disseminate certain
                                                              information to members and
                                                              participants concerning
                                                              SCI events promptly after
                                                              any responsible SCI
                                                              personnel has a reasonable
                                                              basis to conclude that an
                                                              SCI event has occurred.
                                                              For major SCI events,
                                                              information must be
                                                              disseminated to all
                                                              members and participants,
                                                              and for SCI events that
                                                              are not major, the
                                                              information must be
                                                              disseminated to members or
                                                              participants that any
                                                              responsible SCI personnel
                                                              has reasonably estimated
                                                              may have been affected by
                                                              the SCI event.

[[Page 23201]]

 
                                                             Revised burden: add
                                                              cybersecurity events to
                                                              the definition of systems
                                                              intrusions in Rule 1000,
                                                              thus making them SCI
                                                              events and requiring that
                                                              SCI entities provide
                                                              notifications under Rule
                                                              1002(c)(2) for those
                                                              additional SCI events;
                                                              exclude systems intrusions
                                                              that are significant
                                                              attempted unauthorized
                                                              entries into the SCI
                                                              systems or indirect SCI
                                                              systems of an SCI entity
                                                              from information
                                                              dissemination
                                                              requirements; add that SCI
                                                              broker-dealers would
                                                              notify their customers
                                                              (rather than members or
                                                              participants).
Rule 1003 of Regulation SCI........  Rule 1003(a)..........  Rule Description: Submit     New SCI Entities.
                                                              quarterly report
                                                              describing completed,
                                                              ongoing, and planned
                                                              material changes to SCI
                                                              systems and the security
                                                              of indirect SCI systems;
                                                              establish reasonable
                                                              written criteria to
                                                              identify changes to SCI
                                                              systems and the security
                                                              of indirect SCI systems as
                                                              material and report such
                                                              changes in accordance with
                                                              such criteria. Promptly
                                                              submit a supplemental
                                                              report notifying the
                                                              Commission of a material
                                                              error in or material
                                                              omission from a previously
                                                              submitted report.
                                     Rule 1003(b)..........  Rule Description:            Current SCI Entities
                                                              Requirement to conduct an    and New SCI Entities.
                                                              SCI review of the SCI
                                                              entity's compliance with
                                                              Regulation SCI not less
                                                              than once each calendar
                                                              year; conduct penetration
                                                              test reviews not less than
                                                              once every three years.
                                                             Revised burden: include
                                                              certain additional
                                                              requirements and
                                                              information in SCI
                                                              reviews, require the SCI
                                                              review to be performed
                                                              annually, and require a
                                                              response by senior
                                                              management be reported to
                                                              the Commission.
Rule 1004 of Regulation SCI........  Rule 1004.............  Rule Description: Establish  Current SCI Entities
                                                              standards to designate       and New SCI Entities.
                                                              members and participants
                                                              that are the minimum
                                                              necessary for the
                                                              maintenance of fair and
                                                              orderly markets, designate
                                                              members or participants
                                                              and require their
                                                              participation in testing
                                                              of the BC/DR plans
                                                              pursuant to such
                                                              standards, and coordinate
                                                              testing on an industry or
                                                              sector-wide basis with
                                                              other SCI entities.
                                                             Revised burden: require SCI
                                                              entities to establish
                                                              standards for designating
                                                              certain third-party
                                                              providers that are the
                                                              minimum necessary for the
                                                              maintenance of fair and
                                                              orderly markets, and
                                                              designate third-party
                                                              providers for BC/DR
                                                              testing pursuant to those
                                                              standards.
Rule 1005 of Regulation SCI........  Rule 1005.............  Rule Description:            Current SCI Entities
                                                              Requirement to make, keep,   and New SCI Entities.
                                                              and preserve all documents
                                                              relating to compliance
                                                              with Regulation SCI.
                                                             Revised burden: Entities
                                                              that ``otherwise [cease]
                                                              to be an SCI entity'' are
                                                              required to comply with
                                                              the recordkeeping
                                                              requirements in this
                                                              section.
Rule 1006..........................  Rule 1006.............  Rule Description: Require    New SCI Entities.
                                                              submissions to the
                                                              Commission pursuant to
                                                              Regulation SCI to be made
                                                              electronically on Form SCI.
Rule 1007..........................  Rule 1007.............  Rule Description:            New SCI Entities.
                                                              Requirement that SCI
                                                              entities make available
                                                              records required to be
                                                              filed or kept under
                                                              Regulation SCI that are
                                                              prepared or maintained by
                                                              a service bureau or other
                                                              recordkeeping service on
                                                              behalf of the SCI entity.
----------------------------------------------------------------------------------------------------------------

B. Proposed Use of Information

    The existing information collections and the proposed amendments 
are used as described below:
1. Rule 1001 of Regulation SCI
    Rule 1001(a)(1) of Regulation SCI requires each SCI entity to 
establish, maintain, and enforce written policies and procedures 
reasonably designed to ensure that their SCI systems and, for purposes 
of security standards, indirect SCI systems, have levels of capacity, 
integrity, resiliency, availability, and security adequate to maintain 
their operational capability and promote the maintenance of fair and 
orderly markets.\433\ Rule 1001(a)(2) of Regulation SCI requires that, 
at a minimum, such policies and procedures include: current and future 
capacity planning; periodic stress testing; systems development and 
testing methodology; reviews and testing to identify vulnerabilities; 
business continuity and disaster recovery planning (inclusive of backup 
systems that are geographically diverse and designed to meet specified 
recovery

[[Page 23202]]

time objectives); standards for market data collection, processing, and 
dissemination; and monitoring to identify potential SCI events.\434\ 
Rule 1001(a)(3) of Regulation SCI requires that SCI entities 
periodically review the effectiveness of these policies and procedures 
and take prompt action to remedy any deficiencies.\435\ Rule 1001(a)(4) 
of Regulation SCI provides that an SCI entity's policies and procedures 
will be deemed to be reasonably designed if they are consistent with 
current SCI industry standards, which is defined to be comprised of 
information technology practices that are widely available to 
information technology professionals in the financial sector and issued 
by an authoritative body that is a U.S. governmental entity or agency, 
association of U.S. governmental entities or agencies, or widely 
recognized organization; \436\ however, Rule 1001(a)(4) of Regulation 
SCI also makes clear that compliance with such ``current SCI industry 
standards'' is not the exclusive means to comply with these 
requirements.
---------------------------------------------------------------------------

    \433\ See 17 CFR 242.1001(a)(1).
    \434\ See 17 CFR 242.1001(a)(2).
    \435\ See 17 CFR 242.1001(a)(3).
    \436\ See 17 CFR 242.1001(a)(4).
---------------------------------------------------------------------------

    Rule 1001(b) of Regulation SCI requires each SCI entity to 
establish, maintain, and enforce written policies and procedures 
reasonably designed to ensure that its SCI systems operate in a manner 
that complies with the Exchange Act and the rules and regulations 
thereunder and the entity's rules and governing documents, as 
applicable, and specifies certain minimum requirements for such 
policies and procedures.\437\ Rule 1001(c) of Regulation SCI requires 
SCI entities to establish, maintain, and enforce reasonably designed 
written policies and procedures that include the criteria for 
identifying responsible SCI personnel, the designation and 
documentation of responsible SCI personnel, and escalation procedures 
to quickly inform responsible SCI personnel of potential SCI 
events.\438\
---------------------------------------------------------------------------

    \437\ See 17 CFR 242.1001(b).
    \438\ See 17 CFR 242.1001(c).
---------------------------------------------------------------------------

    The Commission is proposing revisions to Rule 1001(a)(2) and (4) of 
Regulation SCI to include four additional elements in the policies and 
procedures: (1) the maintenance of a written inventory of all SCI 
systems, critical SCI systems, and indirect SCI systems, including a 
lifecycle management program with respect to such systems; (2) a 
program to manage and oversee third-party providers that includes an 
initial and periodic review of contracts with third-party providers and 
a risk-based assessment of each third-party provider's criticality to 
the SCI entity; (3) a program to prevent unauthorized SCI system 
access; and (4) identification of the SCI industry standard with which 
such policies and procedures are consistent, if any. The Commission 
also proposes to amend the existing requirements in Rule 1001(a)(2)(v) 
for the BC/DR plan to include the requirement to maintain backup and 
recovery capabilities that are reasonably designed to address the 
unavailability of any third-party provider without which there would be 
a material impact on any of its critical SCI systems.
    The requirement to have a third-party provider management program 
would help ensure that any third-party provider an SCI entity selects 
is able to support the SCI entity's compliance with Regulation SCI's 
requirements.
    Additionally, the proposed revisions would ensure SCI entities are 
creating an inventory of their SCI systems, critical SCI systems, and 
indirect SCI systems and have a lifecycle management program for such 
systems, which would ensure that SCI entities are able to identify when 
a system becomes an SCI system or indirect SCI system and when it 
ceases to be one. Next, the revisions would require SCI entities to 
have in place a program to prevent unauthorized SCI system access. The 
existing collections of information, which would be extended to new SCI 
entities, would advance the goals of promoting the maintenance of fair 
and orderly markets and improving Commission review and oversight of 
U.S. securities market infrastructure. The proposed additional 
collections of information would advance these same goals.
2. Rule 1002 of Regulation SCI
    Under Rule 1002 of Regulation SCI, SCI entities have certain 
obligations regarding SCI events. Rule 1002(a) requires an SCI entity 
to begin to take appropriate corrective action when any responsible SCI 
personnel has a reasonable basis to conclude that an SCI event has 
occurred. The corrective action must include, at a minimum, mitigating 
potential harm to investors and market integrity resulting from the SCI 
event and devoting adequate resources to remedy the SCI event as soon 
as reasonably practicable.\439\ Rule 1002(b)(1) requires each SCI 
entity to immediately notify the Commission of an SCI event.\440\ Under 
17 CFR 242.1002(b)(2) (``Rule 1002(b)(2)''), each SCI entity is 
required, within 24 hours of any responsible SCI personnel having a 
reasonable basis to conclude that the SCI event has occurred, to submit 
a written notification to the Commission pertaining to the SCI event 
that includes a description of the SCI event and the system(s) 
affected, with other information required to the extent available at 
the time.\441\ Under 17 CFR 242.1002(b)(3) (``Rule 1002(b)(3)''), each 
SCI entity is required to provide regular updates regarding the SCI 
event until the event is resolved.\442\ Under 17 CFR 242.1002(b)(4)(i) 
(``Rule 1002(b)(4)(i)''), each SCI entity is required to submit written 
interim reports, as necessary, and a written final report regarding an 
SCI event to the Commission.\443\ Under 17 CFR 242.1002(b)(4)(ii) 
(``Rule 1002(b)(4)(ii)''), the information that is required to be 
included in the interim and final written reports is set forth, 
including the SCI entity's assessment of the types and number of market 
participants affected by the SCI event and the impact of the SCI event 
on the market, and a copy of any information disseminated pursuant to 
Rule 1002(c) regarding the SCI event to the SCI entity's members or 
participants. For any SCI event that ``has had, or the SCI entity 
reasonably estimates would have, no or a de minimis impact on the SCI 
entity's operations or on market participants,'' Rule 1002(b)(5) 
provides an exception to the general Commission notification 
requirements under Rule 1002(b). Instead, an SCI entity must make, keep, 
and preserve records relating to all such SCI events, and submit a 
quarterly report to the Commission regarding any such events that are 
systems disruptions or systems intrusions. SCI events that are reported 
immediately and later determined to have a de minimis impact may be 
reclassified as de minimis.\444\
---------------------------------------------------------------------------

    \439\ See 17 CFR 242.1002(a).
    \440\ See 17 CFR 242.1002(b)(1).
    \441\ See 17 CFR 242.1002(b)(2).
    \442\ See 17 CFR 242.1002(b)(3).
    \443\ See 17 CFR 242.1002(b)(4).
    \444\ See 17 CFR 242.1002(b)(5).
---------------------------------------------------------------------------

    Rule 1002(c) of Regulation SCI requires that SCI entities 
disseminate information to their members or participants regarding SCI 
events.\445\ Under 17 CFR 242.1002(c)(1)(i) (``Rule 1002(c)(1)(i)''), 
each SCI entity is required, promptly after any responsible SCI 
personnel has a reasonable basis to conclude that an SCI event (other 
than a systems intrusion) has occurred, to disseminate certain 
information to its members or participants. Under 17 CFR 
242.1002(c)(1)(ii) (``Rule 1002(c)(1)(ii)''), each SCI entity is 
required, when

[[Page 23203]]

known, to disseminate additional information about an SCI event (other 
than a systems intrusion) to its members or participants promptly. 
Under 17 CFR 242.1002(c)(1)(iii) (``Rule 1002(c)(1)(iii)''), each SCI 
entity is required to provide to its members or participants regular 
updates of any information required to be disseminated under Rule 
1002(c)(1)(i) and (ii) until the SCI event is resolved. Rule 1002(c)(2) 
requires each SCI entity to disseminate certain information regarding a 
systems intrusion to its members or participants. For ``major SCI 
events,'' these disseminations must be made to all of its members or 
participants. For SCI events that are not ``major SCI events,'' SCI 
entities must disseminate such information to those SCI entity members 
and participants reasonably estimated to have been affected by the 
event.\446\ In addition, dissemination of information to members or 
participants is permitted to be delayed for systems intrusions if the 
SCI entity determines that such dissemination would likely compromise 
the security of the SCI entity's systems or an investigation of the 
intrusion and documents the reasons for such determination.\447\ Rule 
1002(c)(4) of Regulation SCI provides 
exceptions to the dissemination requirements under Rule 1002(c) of 
Regulation SCI for SCI events to the extent they relate to market 
regulation or market surveillance systems and SCI events that have had, 
or the SCI entity reasonably estimates would have, no or a de minimis 
impact on the SCI entity's operations or on market participants.\448\ 
Rule 1000 sets out the definition of systems intrusion, which means any 
unauthorized entry into the SCI systems or indirect SCI systems of an 
SCI entity.
---------------------------------------------------------------------------

    \445\ See 17 CFR 242.1002(c).
    \446\ See 17 CFR 242.1002(c)(3).
    \447\ See 17 CFR 242.1002(c)(2).
    \448\ See 17 CFR 242.1002(c)(4).
---------------------------------------------------------------------------

    The Commission proposes to amend the definition of systems 
intrusion in Rule 1000 to include cybersecurity events that disrupt, or 
significantly degrade, the normal operation of an SCI system and 
significant attempted unauthorized entries into the SCI systems or 
indirect SCI systems of an SCI entity, as determined by the SCI entity 
pursuant to established reasonable written criteria. SCI entities would 
be required to report information concerning these systems intrusions 
pursuant to Rule 1002(b). The Commission believes that it is 
appropriate to expand the definition of systems intrusion to include 
two additional types of cybersecurity events that are not part of the 
current definition as described above. The additional 
notifications that would result from the proposed revised definition of 
systems intrusion would provide the Commission and its staff more 
complete information to assess the security status of the SCI entity, 
and also assess the impact or potential impact that unauthorized 
activity could have on the security of the SCI entity's affected 
systems as well as on other SCI entities and market participants.
    The proposed revisions to Rule 1002(b) would eliminate the de 
minimis exception's applicability to systems intrusions, thus requiring 
all systems intrusions, whether de minimis or non-de minimis, to be 
reported pursuant to Rule 1002(b)(1) through (4). The Commission would 
also amend the information required under Rule 1002(b)(4)(ii) to be 
included in the interim and final written notifications to include a 
copy of any information disseminated pursuant to Rule 1002(c) by an SCI 
broker-dealer to its customers. The Commission would use this 
information to be aware of potential and actual security threats to SCI 
entities, including threats that may extend to other market 
participants in the securities markets, including other SCI entities.
    As a result of the amendment to the definition of systems 
intrusions, SCI entities would be required to disseminate information 
to members and participants pursuant to Rule 1002(c)(2) concerning 
cybersecurity events not currently covered by the rule. This would have 
the effect of increasing the number of SCI events that would be 
required to be disseminated. Further, in connection with expansion of 
Regulation SCI to SCI broker-dealers, amended Rule 1002(c)(3) would 
require that SCI broker-dealers promptly disseminate information about 
major SCI events to all of their customers and, for SCI events that are 
not major SCI events, to customers that any responsible SCI personnel 
subsequently reasonably estimates may have been affected by the SCI 
event. Such information would be used by the SCI entity's members and 
participants, and in the case of an SCI broker-dealer, its customers, 
to understand better the threats faced by the SCI entity, evaluate the 
event's impact on their trading or other business with the SCI entity 
and formulate a response, thereby advancing the Commission's goal of 
promoting fair and orderly markets and investor protection. The 
proposed revisions to Rule 1002(c), however, would exclude systems 
intrusions that are significant attempted unauthorized entries into the 
SCI systems or indirect SCI systems of an SCI entity from the 
information dissemination requirements of Rule 1002(c)(1) through 
(3).\449\
---------------------------------------------------------------------------

    \449\ See proposed amended Rule 1002(c)(4).
---------------------------------------------------------------------------

3. Rule 1003 of Regulation SCI
    Rule 1003(a) establishes reporting burdens for all SCI entities. 
Rule 1003(a)(1) requires each SCI entity to submit to the Commission 
quarterly reports describing completed, ongoing, and planned material 
changes to its SCI systems and security of indirect SCI systems during 
the prior, current, and subsequent calendar quarters, including the 
dates or expected dates of commencement and completion.\450\ Under 17 
CFR 242.1003(a)(2) (``Rule 1003(a)(2)''), each SCI entity is required 
to promptly submit a supplemental report notifying the Commission of a 
material error in or material omission from a report previously 
submitted under Rule 1003(a)(1).
---------------------------------------------------------------------------

    \450\ See 17 CFR 242.1003(a).
---------------------------------------------------------------------------

    Rule 1003(b) of Regulation SCI also requires that an SCI entity 
conduct an ``SCI review'' not less than once each calendar year.\451\ 
``SCI review'' is defined in Rule 1000 of Regulation SCI to mean a 
review, following established procedures and standards, that is 
performed by objective personnel having appropriate experience to 
conduct reviews of SCI systems and indirect SCI systems, and which 
review contains: (1) a risk assessment with respect to such systems of 
an SCI entity; and (2) an assessment of internal control design and 
effectiveness of its SCI systems and indirect SCI systems to include 
logical and physical security controls, development processes, and 
information technology governance, consistent with industry standards. 
Rule 1003(b)(2) requires each SCI entity to submit a report of the SCI 
review to senior management no more than 30 calendar days after 
completion of the review.\452\ Rule 1003(b) requires that penetration 
test reviews of the network, firewalls, and production systems shall be 
conducted at a frequency of not less than once every three years and 
that assessments of SCI systems directly supporting market regulation 
or market surveillance shall be conducted at a frequency based upon the 
risk assessment conducted as part of the SCI review, but in no case 
less than once every three years.\453\ Rule 1003(b)(2) requires the 
submission of a report of the SCI review to senior management of 
the SCI entity for review no more than 30 calendar days after 
completion

[[Page 23204]]

of such SCI review.\454\ Rule 1003(b)(3) requires each SCI entity to 
submit the report of the SCI review to the Commission and to its board 
of directors or the equivalent of such board, together with any 
response by senior management, within 60 calendar days after its 
submission to senior management.\455\
---------------------------------------------------------------------------

    \451\ See 17 CFR 242.1003(b).
    \452\ See 17 CFR 242.1003(b)(2).
    \453\ See 17 CFR 242.1003(b)(1)(i) and (ii).
    \454\ See 17 CFR 242.1003(b)(2).
    \455\ See 17 CFR 242.1003(b)(3).
---------------------------------------------------------------------------

    The Commission is proposing revisions to Rule 1003(b) and the 
definition of SCI review. The Commission is proposing to increase the 
frequency of penetration testing by SCI entities such that they are 
conducted at least annually, rather than once every three years, and 
that the penetration tests include any of the vulnerabilities of its 
SCI systems and indirect SCI systems identified pursuant to Rule 
1001(a)(2)(iv).\456\ The Commission would use the results of these more 
frequent tests to have more up-to-date information regarding an SCI 
entity's systems vulnerabilities and to help the Commission with its 
oversight of U.S. securities market technology infrastructure.
---------------------------------------------------------------------------

    \456\ See 17 CFR 242.1000.
---------------------------------------------------------------------------

    In addition, the Commission is proposing a number of revisions to 
the requirements relating to SCI reviews and for the reports SCI 
entities submit (both to their board of directors as well as to the 
Commission). The definition of SCI review in Rule 1000 is proposed to 
contain the substantive requirements for an SCI review, which would be 
required to be ``a review, following established and documented 
procedures and standards, that is performed by objective personnel 
having appropriate experience to conduct reviews of SCI systems and 
indirect SCI systems . . .'' \457\ The Commission proposes to amend the 
definition of SCI review in Rule 1000 to require that the SCI review: 
(1) use appropriate risk management methodology, (2) include third-
party provider management risks and controls, (3) include the risks 
related to the capacity, integrity, resiliency, availability, and 
security, and (4) include systems capacity and availability and 
information technology service continuity within the review of internal 
control design and operating effectiveness.\458\
---------------------------------------------------------------------------

    \457\ See id.
    \458\ See id.
---------------------------------------------------------------------------

    The Commission also proposes to amend Rule 1003(b)(2) to require 
that the SCI review be conducted in each calendar year during which the 
entity was an SCI entity for any part of that calendar year and that 
the SCI entity submit the associated report of the SCI review to the 
SCI entity's senior management and board, as well as to the 
Commission.\459\ The Commission proposes to amend Rule 1003(b)(2) to 
specify that certain elements be included in the report of the SCI 
review, namely: (1) the dates the SCI review was conducted and the date 
of completion; (2) the entity or business unit of the SCI entity 
performing the review; (3) a list of the controls reviewed and a 
description of each such control; (4) the findings of the SCI review 
with respect to each SCI system and indirect SCI system, which shall 
include, at a minimum, assessments of: the risks related to the 
capacity, integrity, resiliency, availability, and security; internal 
control design and operating effectiveness; and an assessment of third-
party provider management risks and controls; (5) a summary, including 
the scope of testing and resulting action plan, of each penetration 
test review conducted as part of the SCI review; and (6) a description 
of each deficiency and weakness identified by the SCI review.\460\ The 
Commission also proposes to amend Rule 1003(b)(3) to require a response 
to the report of the SCI review from senior management and to require 
that the date the report was submitted to senior management be 
submitted to the Commission and the board of directors, and that the 
response from senior management include a response for each deficiency 
and weakness identified by the SCI review, and the associated 
mitigation and remediation plan and associated dates for each.\461\
---------------------------------------------------------------------------

    \459\ See 17 CFR 242.1003(b)(2) and (3).
    \460\ See 17 CFR 242.1003(b)(2).
    \461\ See 17 CFR 242.1003(b)(3).
---------------------------------------------------------------------------

    The additional requirements and details are designed to ensure SCI 
reviews contain certain baseline information and are based on the 
appropriate risk management methodology. The enhanced SCI review and 
corresponding report would provide the Commission and its staff greater 
insight into the SCI entity's compliance with Regulation SCI and would 
more thoroughly assist the staff in determining how to follow up with 
the SCI entity in reviewing and addressing any identified weaknesses 
and vulnerabilities. The Commission would use this additional reporting 
and information to improve the Commission's oversight of the technology 
infrastructure of SCI entities further.
4. Rule 1004 of Regulation SCI
    Rule 1004 of Regulation SCI requires SCI entities to, with respect 
to an SCI entity's business continuity and disaster recovery plans, 
including its backup systems: (a) establish standards for the 
designation of those members or participants that the SCI entity 
reasonably determines are, taken as a whole, the minimum necessary for 
the maintenance of fair and orderly markets in the event of the 
activation of such plans; (b) designate members or participants 
pursuant to such standards and require participation by such designated 
members or participants in scheduled functional and performance testing 
of the operation of such plans, in the manner and frequency specified 
by the SCI entity, provided that such frequency shall not be less than 
once every 12 months; and (c) coordinate the testing of such plans on 
an industry- or sector-wide basis with other SCI entities.\462\
---------------------------------------------------------------------------

    \462\ See 17 CFR 242.1003(b)(4).
---------------------------------------------------------------------------

    The Commission is proposing to include certain third-party 
providers in the BC/DR testing requirements of Rule 1004. Specifically, 
an SCI entity would be required to establish standards for the 
designation of third-party providers (in addition to members or 
participants) that it determines are, taken as a whole, the minimum 
necessary for the maintenance of fair and orderly markets in the event 
of the activation of the SCI entity's BC/DR plans. In addition, Rule 
1004 would require each SCI entity to designate such third-party 
providers (in addition to members or participants) pursuant to such 
standards and require their participation in the scheduled functional 
and performance testing of the operation of such BC/DR plans.\463\
---------------------------------------------------------------------------

    \463\ See id.
---------------------------------------------------------------------------

    The Commission believes that the requirement that SCI entities 
establish standards that require designated third-party providers to 
participate in the testing of their business continuity and disaster 
recovery plans will help reduce the risks associated with an SCI 
entity's decision to activate its BC/DR plans and help to ensure that 
such plans operate as intended, if activated. The testing participation 
requirement should help an SCI entity to ensure that its efforts to 
develop effective BC/DR plans are not undermined by a lack of 
participation by third-party providers that the SCI entity believes are 
necessary to the successful activation of such plans. This requirement 
should also assist the Commission in maintaining fair and orderly 
markets in a BC/DR scenario following a wide-scale disruption.

[[Page 23205]]

5. Rules 1005 and 1007 of Regulation SCI
    Rule 1005 of Regulation SCI requires SCI entities to make, keep, 
and preserve certain records related to their compliance with 
Regulation SCI.\464\ Rule 1007 sets forth requirements for an SCI entity 
whose Regulation SCI records are prepared or maintained by a service 
bureau or other recordkeeping service on behalf of the SCI entity.\465\
---------------------------------------------------------------------------

    \464\ See 17 CFR 242.1005. Rule 1005(a) of Regulation SCI 
relates to recordkeeping provisions for SCI SROs, whereas Rule 
1005(b) relates to the recordkeeping provision for SCI entities 
other than SCI SROs.
    \465\ See 17 CFR 242.1007.
---------------------------------------------------------------------------

    Rule 1005(c) specifies that the requirement that records required 
to be made, kept, and preserved by Rule 1005 be accessible to the 
Commission and its representatives for the period required by Rule 
1005 continues to apply in cases where an SCI entity ceases to do 
business or ceases to be registered under the Exchange Act.\466\ The Commission proposes to 
add that this survival provision similarly applies to an SCI entity 
that ``otherwise [ceases] to be an SCI entity.'' \467\ This addition 
accounts for circumstances not expressly covered; specifically, the 
circumstance in which an SCI entity continues to do business or remains 
a registered entity, but may cease to qualify as an SCI entity (e.g., 
an SCI ATS that no longer satisfies a volume threshold). Such entities 
would not be excepted from complying with the recordkeeping provisions 
of Rule 1005.
---------------------------------------------------------------------------

    \466\ See 17 CFR 242.1005(c).
    \467\ See id.
---------------------------------------------------------------------------

    The Commission believes the records of entities that ceased being 
SCI entities are important for assisting the Commission and its staff 
in understanding whether such an SCI entity met its obligations under 
Regulation SCI, assessing whether such an SCI entity had appropriate 
policies and procedures with respect to its technology systems, helping 
to identify the causes and consequences of an SCI event, and 
understanding the types of material systems changes that occurred at 
such an SCI entity. The Commission expects this revision to facilitate 
the Commission's inspections and examinations of SCI entities that have 
ceased to be SCI entities and assist it in evaluating such SCI entity's 
previous compliance with Regulation SCI. Furthermore, having an SCI 
entity's records available even after it has ceased to be an SCI entity 
should provide an additional tool to help the Commission to reconstruct 
important market events and better understand the impact of such 
events. There are no amendments to Rule 1007, which sets forth 
requirements for an SCI entity whose Regulation SCI records are prepared 
or maintained by a service bureau or other recordkeeping service on 
behalf of the SCI entity.
6. Rule 1006 of Regulation SCI
    Rule 1006 requires each SCI entity, with a few exceptions, to file 
any notification, review, description, analysis, or report to the 
Commission required under Regulation SCI electronically on Form 
SCI.\468\ There are no amendments to this section. The Commission staff 
would use the collection of information in its examination and 
oversight program in identifying patterns and trends across 
registrants.
---------------------------------------------------------------------------

    \468\ See 17 CFR 242.1003(b)(6).
---------------------------------------------------------------------------

C. Respondents

    The collection of information requirements contained in Regulation 
SCI apply to SCI entities. As of 2021, there were an estimated 47 
Current SCI Entities (i.e., entities that met the definition of SCI 
entity) \469\ that were subject to the requirements of Regulation 
SCI.\470\ The Commission preliminarily estimates that as a result of 
the proposed amendments to Rule 1000, there would be a total of 23 New 
SCI Entities (i.e., entities that would meet the amended definition of 
SCI entity) that would become subject to the requirements of Regulation SCI. Thus, the 
Commission preliminarily estimates that a total of 70 entities would be 
subject to the requirements of Regulation SCI. The Commission 
preliminarily believes that the remaining amendments would not add any 
additional respondents but would result in additional reporting 
burdens, which are discussed in section IV.D (Total Initial and Annual 
Reporting Burdens).
---------------------------------------------------------------------------

    \469\ In 2020, the Commission amended Regulation SCI to add as 
SCI entities SCI competing consolidators, defined as competing 
consolidators that exceed a five percent consolidated market data 
gross revenue threshold over a specified time period. See Market 
Data Infrastructure Adopting Release, supra note 24. The Commission 
estimated that seven persons would meet the definition of SCI 
competing consolidator and be subject to Regulation SCI, two of 
which would be Current SCI Entities (as plan processors) and five of 
which would be new SCI competing consolidators, if they registered 
as competing consolidators and exceeded the threshold. See Extension 
Without Change of a Currently Approved Collection: Regulation SCI 
and Form SCI; ICR Reference No. 202111-3235-005; OMB Control No. 
3235-0703 (Mar. 3, 2022), available at https://www.reginfo.gov/public/do/PRAViewDocument?ref_nbr=202111-3235-005 (``2022 PRA 
Supporting Statement''). Currently, no competing consolidators have 
registered with the Commission. As a result, no competing 
consolidators (in addition to the two current plan processors that 
are Current SCI Entities) are included as Current SCI Entities. To 
the extent that a competing consolidator registers with the 
Commission and qualifies as an SCI competing consolidator it would 
be subject to the same additional burdens as Current SCI Entities as 
a result of the proposed amendments to Regulation SCI. The 
additional burdens for Current SCI Entities are set forth in section 
IV.D.
    \470\ Proposed Collection; Comment Request; Extension: 
Regulation SCI, Form SCI; SEC File No. 270-653, OMB Control No. 
3235-0703, 87 FR 3132.
---------------------------------------------------------------------------

    The following table summarizes the estimated number of Current SCI 
Entities and New SCI Entities:

------------------------------------------------------------------------
                   Type of SCI entity                         Number
------------------------------------------------------------------------
Current SCI Entities....................................              47
New SCI Entities:
    SBSDR \1\...........................................               3
    SCI broker-dealers \2\..............................              17
    Exempt Clearing Agencies \3\........................               3
                                                         ---------------
        Total New SCI Entities..........................              23
                                                         ---------------
        Total SCI Entities..............................              70
------------------------------------------------------------------------
\1\ See supra notes 118, 124 and accompanying text. As noted earlier,
  two SBSDRs are currently registered with the Commission. The
  Commission estimates for purposes of the PRA that one additional
  entity may seek to register as an SBSDR in the next three years, and
  so for purposes of this proposal the Commission has assumed three
  SBSDR respondents.
\2\ See supra note 219 and accompanying text.
\3\ See supra note 240 and accompanying text. As noted earlier, the
  Commission proposes to expand the scope of ``SCI entity'' to cover two
  additional exempt clearing agencies that are not subject to ARP, which
  are Euroclear Bank SA/NV and Clearstream Banking, S.A. The Commission
  estimates for purposes of the PRA that one additional entity may
  receive an exemption from registration as a clearing agency in the
  next three years, and so for purposes of this proposal the Commission
  has assumed three exempt clearing agency respondents.


[[Page 23206]]

D. Total Initial and Annual Reporting Burdens

    As stated above, each requirement to disclose information, offer to 
provide information, or adopt policies and procedures constitutes a 
collection of information requirement under the PRA. We discuss below 
the collection of information burdens associated with the proposed 
rules and rule amendments.
1. Rule 1001
    The rules under Regulation SCI that would require an SCI entity to 
establish policies and procedures are discussed more fully in section 
II.B, and the proposed amendments are discussed more fully in sections 
III.A and III.C above.
a. Rule 1001(a)
    Current SCI Entities are already required to establish, maintain, 
and enforce policies and procedures pursuant to Rule 1001(a) and 
therefore already incur baseline initial \471\ and ongoing burden \472\ 
for complying with Rule 1001(a), so the amendments should only impose a 
burden required to comply with the additional requirements.\473\ 
Presently, none of the New SCI Entities are required to comply with the 
policies and procedures requirement of Rule 1001(a), but the proposed 
amendments will newly impose the baseline burden to develop and draft 
written policies and procedures and review and update annually such 
policies and procedures, as well as the additional burden to include 
the proposed requirements in the policies and procedures. The 
Commission estimates an initial compliance burden of 386 additional 
hours \474\ for Current SCI Entities and 890 hours \475\ for New SCI 
Entities. The Commission estimates an annual compliance burden of 58 
hours \476\ for Current SCI Entities and 145 hours \477\ for New SCI 
Entities.\478\ The table below summarizes the initial and ongoing 
annual burden estimates for Current SCI Entities and New SCI Entities:
---------------------------------------------------------------------------

    \471\ The Commission's currently approved baseline for average 
compliance burden per SCI entity to develop and draft the policies 
and procedures required by Rule 1001(a) (except for 17 CFR 
242.1001(a)(2)(vi) (``Rule 1001(a)(2)(vi)'')) is 534 hours. See 
Extension Without Change of a Currently Approved Collection: 
Regulation SCI and Form SCI; ICR Reference No. 202111-3235-005; OMB 
Control No. 3235-0703 (Mar. 3, 2022), available at https://www.reginfo.gov/public/do/PRAViewDocument?ref_nbr=202111-3235-005 
(``2022 PRA Supporting Statement''). Rule 1001(a)(2) currently 
requires six elements (excluding Rule 1001(a)(2)(vi)) to be included 
in the policies and procedures required by Rule 1001(a)(1). The 
burden hours for each element would be 89 hours per policy element 
(534 hours/6 policy elements).
    \472\ The Commission's currently approved baseline for average 
compliance burden per SCI entity to review and update the policies 
and procedures required by Rule 1001(a) (except for Rule 
1001(a)(2)(vi)) is 87 hours. See 2022 PRA Supporting Statement, 
supra note 471. The burden hours for each element would be 14.5 
hours per policy element (87 hours/6 policy elements).
    \473\ The Commission estimates that the additional burden 
would result from the additions to Rule 1001(a)(2), 
specifically the proposed requirement in the BC/DR plan and the four 
proposed additional policy elements. The Commission does not 
anticipate that Current SCI Entities or New SCI Entities would incur 
any additional burden from the amendment to Rule 1001(a)(4) above 
and beyond the burden hours estimated for the policies and 
procedures in this release.
    \474\ 89 hours x 4 additional policy elements = 356 hours. The 
Commission estimates a one-time burden of 30 hours (one-third of 89 
hours per policy element) for SCI entities to address the 
unavailability of third-party providers in their BC/DR plans. 356 
hours + 30 hours = 386 hours. The burden hours include 139 
Compliance Manager hours, 139 Attorney hours, 43 Senior System 
Analyst hours, 43 Operations Specialist hours, 15 Chief Compliance 
Officer hours, and 7 Director of Compliance hours.
    \475\ 534 baseline burden hours + 356 additional burden hours = 
890 hours. The burden hours include 320 Compliance Manager hours, 
320 Attorney hours, 100 Senior System Analyst hours, 100 Operations 
Specialist hours, 33 Chief Compliance Officer hours, and 17 Director 
of Compliance hours.
    \476\ 14.5 hours x 4 additional policy elements = 58 hours. The 
burden hours include 19 Compliance Manager hours, 19 Attorney hours, 
5 Senior System Analyst hours, 5 Operations Specialist hours, 7 
Chief Compliance Officer hours, and 3 Director of Compliance hours.
    \477\ 87 baseline burden hours + 58 additional burden hours = 
145 hours. The burden hours include 47 Compliance Manager hours, 47 
Attorney hours, 13 Senior System Analyst hours, 13 Operations 
Specialist hours, 17 Chief Compliance Officer hours, and 8 Director 
of Compliance hours.
    \478\ The Commission recognizes that some of the Regulation 
SCI requirements and certain proposed requirements in the Exchange 
Act Cybersecurity Proposal rule may appear duplicative. The 
Commission believes that although the requirements are related, they 
are ultimately separate obligations. Thus, the Commission has not 
considered the requirements of the Exchange Act Cybersecurity 
Proposal rule in formulating its estimates.

----------------------------------------------------------------------------------------------------------------
                                                                                              Estimated burden
                                                                                                hours for all
                                                               Estimated     Burden hours   entities  (estimated
          Respondent type                 Burden type         respondents     per entity        respondents x
                                                              (entities)        (hours)       burden hours per
                                                                                                   entity)
----------------------------------------------------------------------------------------------------------------
Current SCI Entities...............  Initial..............              47             386                18,142
                                     Annual...............              47              58                 2,726
New SCI Entities...................  Initial..............              23             890                20,470
                                     Annual...............              23             145                 3,335
----------------------------------------------------------------------------------------------------------------

    The table below summarizes the Commission's estimates for the 
average internal cost of compliance for Current SCI Entities and New 
SCI Entities:

----------------------------------------------------------------------------------------------------------------
                                                                                            Total internal  cost
                                                                                                of compliance
                                                        Estimated       Average internal         (estimated
        Respondent type             Burden type        respondents     cost of compliance       respondents x
                                                       (entities)          per entity         average internal
                                                                                             cost of compliance
                                                                                                 per entity)
----------------------------------------------------------------------------------------------------------------
Current SCI Entities...........  Initial..........                47          \1\ $144,787            $6,804,989
                                 Annual...........                47            \2\ 23,403             1,099,941
New SCI Entities...............  Initial..........                23           \3\ 333,371             7,667,533
                                 Annual...........                23            \4\ 58,315             1,341,245
----------------------------------------------------------------------------------------------------------------
\1\ (139 Compliance Manager hours x $344) + (139 Attorney hours x $462) + (43 Senior Systems Analyst hours x
  $316) + (43 Operations Specialist hours x $152) + (15 Chief Compliance Officer hours x $589) + (7 Director of
  Compliance hours x $542) = $144,787. The Commission derived this estimate based on per hour figures from
  SIFMA's Management & Professional Earnings in the Securities Industry 2013, modified by Commission staff to
  account for an 1,800-hour work-year and inflation, and multiplied by 5.35 to account for bonuses, firm size,
  employee benefits, and overhead.
\2\ (19 Compliance Manager hours x $344) + (19 Attorney hours x $462) + (5 Senior Systems Analyst hours x $316)
  + (5 Operations Specialist hours x $152) + (7 Chief Compliance Officer hours x $589) + (3 Director of
  Compliance hours x $542) = $23,403.
\3\ (320 Compliance Manager hours x $344) + (320 Attorney hours x $462) + (100 Senior Systems Analyst hours x
  $316) + (100 Operations Specialist hours x $152) + (33 Chief Compliance Officer hours x $589) + (17 Director
  of Compliance hours x $542) = $333,371.
\4\ (47 Compliance Manager hours x $344) + (47 Attorney hours x $462) + (13 Senior Systems Analyst hours x $316)
  + (13 Operations Specialist hours x $152) + (17 Chief Compliance Officer hours x $589) + (8 Director of
  Compliance hours x $542) = $58,315.

    The proposed amendments would newly impose a burden on New SCI 
Entities to comply with Rule 1001(a)(2)(vi), which requires the 
policies and procedures required by Rule 1001(a) to include standards 
that result in systems being designed, developed, tested, maintained, 
operated, and surveilled in a manner that facilitates the successful 
collection, processing, and dissemination of market data.\479\ The 
Commission estimates that New SCI Entities would incur an initial 
burden of 160 hours and an ongoing burden of 145 hours to annually 
review and update the policies and procedures.\480\ The table below 
summarizes the initial and ongoing annual burden estimates for New SCI 
Entities to comply with Rule 1001(a)(2)(vi):
---------------------------------------------------------------------------

    \479\ Current SCI Entities would incur no additional burden as 
they are already required to include the required standards in their 
policies and procedures.
    \480\ These estimates are consistent with the Commission-
approved baseline initial and ongoing average compliance burdens per 
SCI entity. See 2022 PRA Supporting Statement, supra note 471. The 
160 hour initial burden includes 100 Compliance Manager hours, 20 
Chief Compliance Officer hours, 10 Director of Compliance hours, and 
30 Compliance Attorney hours. The 145 annual burden hours includes 
100 Compliance Manager hours, 10 Chief Compliance Officer hours, 5 
Director of Compliance hours, and 30 Compliance Attorney hours.

----------------------------------------------------------------------------------------------------------------
                                                                                              Estimated burden
                                                                                                hours for all
                                                               Estimated     Burden hours    entities (estimated
          Respondent type                 Burden type         respondents     per entity        respondents x
                                                              (entities)                      burden hours  per
                                                                                                   entity)
----------------------------------------------------------------------------------------------------------------
New SCI Entities...................  Initial..............              23             160                 3,680
                                     Annual...............              23             145                 3,335
----------------------------------------------------------------------------------------------------------------

    The table below summarizes the Commission's estimates for the 
average internal cost of compliance for New SCI Entities:

----------------------------------------------------------------------------------------------------------------
                                                                                             Total internal cost
                                                                                                of compliance
                                                         Estimated      Average internal         (estimated
         Respondent type              Burden type       respondents    cost of compliance       respondents x
                                                        (entities)         per entity         average internal
                                                                                             cost of compliance
                                                                                                 per entity)
----------------------------------------------------------------------------------------------------------------
New SCI Entities................  Initial...........              23           \1\ $60,980            $1,402,540
                                  Annual............              23            \2\ 52,380             1,204,740
----------------------------------------------------------------------------------------------------------------
\1\ (100 Senior Systems Analyst hours x $316) + (20 Chief Compliance Officer hours x $589) + (10 Director of
  Compliance hours x $542) + (30 Compliance Attorney hours x $406) = $60,980.
\2\ (100 Senior Systems Analyst hours x $316) + (10 Chief Compliance Officer hours x $589) + (5 Director of
  Compliance hours x $542) + (30 Compliance Attorney hours x $406) = $52,380.


[[Page 23208]]

    The Commission estimates that on average, Current SCI Entities 
would seek outside legal and/or consulting services to initially update 
their policies and procedures for the proposed additional requirements 
at a cost of $29,050 per SCI entity,\481\ while New SCI Entities would 
seek such services in the initial preparation of the policies and 
procedures (including the proposed requirements) at a cost of $73,800 
per SCI entity.\482\
---------------------------------------------------------------------------

    \481\ The Commission's currently approved baseline for 
annualized recordkeeping cost per SCI entity to consult outside 
legal and/or consulting services in the initial preparation of policies 
and procedures required by Rule 1001(a) is $47,000. See 2022 PRA 
Supporting Statement, supra note 471. Rule 1001(a)(2) currently 
requires seven elements (including Rule 1001(a)(2)(vi)) to be 
included in the policies and procedures required by Rule 1001(a)(1). 
The cost per element would be approximately $6,700 per policy 
element ($47,000/7 policy elements = $6,714). As noted 
earlier, the Commission proposes to add four additional elements to 
the policies and procedures. $6,700 per policy element x 4 
additional policy elements = $26,800. The Commission also estimates 
a one-time burden of approximately $2,250 per SCI entity (one-third 
of $6,700 per policy element) to address the unavailability of 
third-party providers in their BC/DR plans. $26,800 + $2,250 = 
$29,050.
    \482\ $47,000 + $26,800 = $73,800.

----------------------------------------------------------------------------------------------------------------
                                                                                             Total external cost
                                                                                                of compliance
                                                         Estimated      Average external         (estimated
                   Respondent type                      respondents      cost per entity        respondents x
                                                        (entities)                            average external
                                                                                              cost per entity)
----------------------------------------------------------------------------------------------------------------
Current SCI Entities................................              47               $29,050            $1,365,350
New SCI Entities....................................              23                73,800             1,697,400
----------------------------------------------------------------------------------------------------------------

b. Rule 1001(b)
    New SCI Entities would be required to meet the requirements of Rule 
1001(b), which requires each SCI entity to establish, maintain, and 
enforce systems compliance policies. The Commission estimates a 
compliance burden of 270 hours initially to design the systems 
compliance policies and procedures and 95 hours annually to review and 
update such policies and procedures.\483\ The table below summarizes 
the initial and ongoing annual burden estimates for New SCI Entities to 
comply with Rule 1001(b):
---------------------------------------------------------------------------

    \483\ The Commission estimates that the burden for New SCI 
Entities is consistent with the Commission's current approved 
baselines for the initial and ongoing burdens. For the initial 
recordkeeping burden, this baseline is 270 hours (40 Compliance 
Attorney hours + 200 Senior System Analyst hours + 20 Chief 
Compliance Officer hours + 10 Director of Compliance hours). The 
Commission estimated separate baselines for the ongoing 
recordkeeping burden for SCI SROs and entities that were not SROs. 
Since none of the entities that would potentially be subject to 
Regulation SCI as a result of the proposed amendments are SROs, the 
Commission is basing its estimates on the baseline for non-SROs. The 
Commission's current approved baseline for the ongoing recordkeeping 
burden for entities that are not SROs is 95 hours (14 Compliance 
Attorney hours + 66 Senior System Analyst hours + 10 Chief 
Compliance Officer hours + 5 Director of Compliance hours). See 2022 
PRA Supporting Statement, supra note 471.

----------------------------------------------------------------------------------------------------------------
                                                                                              Estimated burden
                                                                                                hours for all
         Respondent type              Burden type        Estimated      Burden hours per     entities (estimated
                                                        respondents          entity         respondents x burden
                                                                                              hours per entity)
----------------------------------------------------------------------------------------------------------------
New SCI Entities................  Initial...........              23                   270                 6,210
                                  Annual............              23                    95                 2,185
----------------------------------------------------------------------------------------------------------------

    The table below summarizes the Commission's estimates for the 
average internal cost of compliance for New SCI Entities:

----------------------------------------------------------------------------------------------------------------
                                                                                             Total internal cost
                                                                                                of compliance
                                                         Estimated      Average internal         (estimated
         Respondent type              Burden type       respondents    cost of compliance       respondents x
                                                        (entities)         per entity         average internal
                                                                                             cost of compliance
                                                                                                 per entity)
----------------------------------------------------------------------------------------------------------------
New SCI Entities................  Initial...........              23           \1\ $96,640            $2,222,720
                                  Annual............              23            \2\ 35,140               808,220
----------------------------------------------------------------------------------------------------------------
\1\ (200 Senior Systems Analyst hours x $316) + (20 Chief Compliance Officer hours x $589) + (10 Director of
  Compliance hours x $542) + (40 Compliance Attorney hours x $406) = $96,640.
\2\ (66 Senior Systems Analyst hours x $316) + (10 Chief Compliance Officer hours x $589) + (5 Director of
  Compliance hours x $542) + (14 Compliance Attorney hours x $406) = $35,140.

    In establishing, maintaining, and enforcing the policies and 
procedures required by Rule 1001(b), the Commission believes that each 
new SCI entity will seek outside legal and/or consulting services in 
the initial preparation of such policies and procedures. The total 
annualized cost of seeking outside legal and/or consulting services 
will be $621,000.\484\
---------------------------------------------------------------------------

    \484\ The Commission estimates that the cost for outside legal 
and/or consulting services for New SCI Entities is consistent with 
the Commission's currently approved baseline, which is $27,000 per 
new SCI entity. See 2022 PRA Supporting Statement, supra note 471. 
$27,000 for the first year x 23 New SCI Entities = $621,000.
---------------------------------------------------------------------------

c. Rule 1001(c)
    The proposed amendments would newly impose a burden on New SCI 
Entities to develop and maintain policies and procedures under Rule 
1001(c), relating to the designation of responsible SCI personnel. The 
Commission estimates a compliance burden of 114 hours initially to 
design such policies and procedures and 39 hours annually to review and 
update them.\485\ The table below summarizes the initial and ongoing 
annual burden estimates for New SCI Entities to comply with Rule 
1001(c):
---------------------------------------------------------------------------

    \485\ The Commission's currently approved baseline is 114 hours 
for the initial burden to establish the criteria for identifying 
responsible SCI personnel and the escalation procedures (32 
Compliance Manager hours + 32 Attorney hours + 10 Senior Systems 
Analyst hours + 10 Operations Specialist hours + 20 Chief Compliance 
Officer hours + 10 Director of Compliance hours). The Commission's 
approved baseline is 39 hours for the ongoing burden to annually 
review and update the criteria and the escalation procedures (9.5 
Compliance Manager hours + 9.5 Attorney hours + 2.5 Senior Systems 
Analyst hours + 2.5 Operations Specialist hours + 10 Chief Compliance 
Officer hours + 5 Director of Compliance hours). See 2022 PRA 
Supporting Statement, supra note 471.

----------------------------------------------------------------------------------------------------------------
                                                                                              Estimated burden
                                                                                                hours for all
          Respondent type                 Burden type          Estimated     Burden hours    entities (estimated
                                                              respondents     per entity    respondents x burden
                                                                                              hours per entity)
----------------------------------------------------------------------------------------------------------------
New SCI Entities...................  Initial..............              23             114                 2,622
                                     Annual...............              23              39                   897
----------------------------------------------------------------------------------------------------------------

    The table below summarizes the Commission's estimates for the 
average internal cost of compliance for New SCI Entities:

----------------------------------------------------------------------------------------------------------------
                                                                                             Total internal cost
                                                                                                of compliance
                                                         Estimated      Average internal         (estimated
         Respondent type              Burden type       respondents    cost of compliance       respondents x
                                                        (entities)         per entity         average internal
                                                                                             cost of compliance
                                                                                                 per entity)
----------------------------------------------------------------------------------------------------------------
New SCI Entities................  Initial...........              23           \1\ $47,672            $1,096,456
                                  Annual............              23            \2\ 17,427               400,821
----------------------------------------------------------------------------------------------------------------
\1\ (32 Compliance Manager hours x $344) + (32 Attorney hours x $462) + (10 Senior Systems Analyst hours x $316)
  + (10 Operations Specialist hours x $152) + (20 Chief Compliance Officer hours x $589) + (10 Director of
  Compliance hours x $542) = $47,672.
\2\ (9.5 Compliance Manager hours x $344) + (9.5 Attorney hours x $462) + (2.5 Senior Systems Analyst hours x
  $316) + (2.5 Operations Specialist hours x $152) + (10 Chief Compliance Officer hours x $589) + (5 Director of
  Compliance hours x $542) = $17,427.

    The Commission does not expect SCI entities to incur any external 
PRA costs in connection with the policies and procedures required under 
Rule 1001(c).
2. Rule 1002
    The rules under Regulation SCI that would require an SCI entity to 
take corrective action, provide certain notifications and reports, and 
disseminate certain information regarding SCI events are discussed more 
fully in section II.B, and the proposed amendments are discussed more 
fully in sections III.A and III.C above.
a. Rule 1002(a)
    As noted above, Rule 1002(a) requires each SCI entity, upon any 
responsible SCI personnel having a reasonable basis to conclude that an 
SCI event has occurred, to begin to take appropriate corrective action. 
The Commission has previously expressed the view that Rule 1002(a) 
would likely result in SCI entities developing and revising their 
processes for corrective action.\486\ The Commission believes that the 
requirement to take corrective action for these additional systems 
intrusions would likely result in SCI entities updating their processes 
for corrective action.\487\
---------------------------------------------------------------------------

    \486\ See 2022 PRA Supporting Statement, supra note 471.
    \487\ The Commission's estimate includes the amendments to the 
definition of systems intrusions adding (1) cybersecurity events 
that disrupt, or significantly degrade, the normal operation of an 
SCI system and (2) significant attempted unauthorized entries into 
the SCI systems or indirect SCI systems of an SCI entity. It does 
not include the systems intrusions that would previously have been 
classified as de minimis events because Current SCI Entities are 
already required to take corrective action to resolve such SCI 
events.
---------------------------------------------------------------------------

    The Commission continues to believe that Rule 1002(a) will likely 
result in SCI entities developing and revising their processes for 
corrective action, as well as reviewing them annually.\488\ Current SCI 
Entities are already required to take corrective action pursuant to 
Rule 1002(a) and therefore already incur the initial \489\ and ongoing 
\490\ baseline burdens for developing and revising their corrective 
action process, so the amendments should only impose a one-time burden 
to update the procedures to account for the additional types of 
systems intrusions.\491\ The Commission estimates that the one-time 
burden for each SCI entity to include the proposed systems intrusions 
in its corrective action process would be 20% of the 114-hour baseline 
burden.\492\ Presently, the New SCI Entities are not required to comply 
with the requirement in Rule 1002(a) to take corrective action, but the 
proposed amendments would newly impose these burdens, including the 
burden of incorporating the additional systems intrusions into the 
corrective action process. For Current SCI Entities, the Commission 
estimates a one-time compliance burden of 23 hours. For New SCI 
Entities, the Commission estimates an initial burden of 137 hours \493\ 
and an annual compliance burden of 39 hours.\494\ The table below 
summarizes the initial and ongoing annual burden estimates for Current 
SCI Entities and New SCI Entities:
---------------------------------------------------------------------------

    \488\ See 2022 PRA Supporting Statement, supra note 471.
    \489\ The Commission's currently approved baseline for average 
compliance burden per respondent to develop a process for corrective 
action is 114 hours (32 Compliance Manager hours + 32 Attorney hours 
+ 10 Senior Systems Analyst hours + 10 Operations Specialist hours + 
20 Chief Compliance Officer hours + 10 Director of Compliance 
hours). See 2022 PRA Supporting Statement, supra note 471.
    \490\ The average compliance burden for each SCI entity to 
review their process is 39 hours (9 Compliance Manager hours + 9 
Attorney hours + 3 Senior Systems Analyst hours + 3 Operations 
Specialist hours + 10 Chief Compliance Officer hours + 5 Director of 
Compliance hours). See 2022 PRA Supporting Statement, supra note 471.
    \491\ The Commission also proposes to remove the option for SCI 
entities to classify systems intrusions as de minimis and 
potentially report them pursuant to Rule 1002(b)(5) on the quarterly 
SCI reports as de minimis events. SCI entities would instead report 
these systems intrusions pursuant to Rule 1002(b)(1) through (4). 
The Commission believes that the burden for developing a corrective 
action plan for these systems intrusions is already incorporated in 
the baseline burden estimates. See supra notes 489-490.
    \492\ 114 hours x 0.20 = 23 hours. The burden hours include 7 
Compliance Manager hours, 6 Attorney hours, 2 Senior Systems Analyst 
hours, 2 Operations Specialist hours, 4 Chief Compliance Officer 
hours, and 2 Director of Compliance hours.
    \493\ 114 baseline burden hours + 23 burden hours for additional 
systems intrusions = 137 hours. The burden hours include 39 
Compliance Manager hours, 38 Attorney hours, 12 Senior Systems 
Analyst hours, 12 Operations Specialist hours, 24 Chief Compliance 
Officer hours, and 12 Director of Compliance hours.
    \494\ The Commission estimates that the ongoing recordkeeping 
burden for each New SCI Entity to review its corrective action 
process would be the same as the baseline ongoing recordkeeping 
burden of 39 hours. See supra note 490.

----------------------------------------------------------------------------------------------------------------
                                                                                            Burden hours for all
                                                                                                 respondents
                                                               Estimated     Burden hours        (estimated
          Respondent type                 Burden type         respondents   per SCI entity  respondents x burden
                                                                                                hours per SCI
                                                                                                   entity)
----------------------------------------------------------------------------------------------------------------
Current SCI Entities...............  One-time Burden......              47              23                 1,081
New SCI Entities...................  Initial..............              23             137                 3,151
                                     Ongoing..............              23              39                   897
----------------------------------------------------------------------------------------------------------------

    The table below summarizes the Commission's estimates for the cost 
of compliance for Current SCI Entities and New SCI Entities:

----------------------------------------------------------------------------------------------------------------
                                                                                             Total internal cost
                                                                                                of compliance
                                                                        Average internal         (estimated
         Respondent type              Burden type        Estimated     cost of compliance       respondents x
                                                        respondents        per entity         average internal
                                                                                             cost of compliance
                                                                                                 per entity)
----------------------------------------------------------------------------------------------------------------
Current SCI Entities............  One-time Burden...              47            \1\ $9,556              $449,132
New SCI Entities................  Initial...........              23            \2\ 57,228             1,316,244
                                  Ongoing...........              23            \3\ 17,258               396,934
----------------------------------------------------------------------------------------------------------------
\1\ (7 Compliance Manager hours x $344) + (6 Attorney hours x $462) + (2 Senior Systems Analyst hours x $316) +
  (2 Operations Specialist hours x $152) + (4 Chief Compliance Officer hours x $589) + (2 Director of Compliance
  hours x $542) = $9,556.
\2\ (39 Compliance Manager hours x $344) + (38 Attorney hours x $462) + (12 Senior Systems Analyst hours x $316)
  + (12 Operations Specialist hours x $152) + (24 Chief Compliance Officer hours x $589) + (12 Director of
  Compliance hours x $542) = $57,228.
\3\ (9 Compliance Manager hours x $344) + (9 Attorney hours x $462) + (3 Senior Systems Analyst hours x $316) +
  (3 Operations Specialist hours x $152) + (10 Chief Compliance Officer hours x $589) + (5 Director of
  Compliance hours x $542) = $17,258.

    The Commission does not expect SCI entities to incur any external 
PRA costs in connection with the requirement to take corrective actions 
under Rule 1002(a).
b. Rule 1002(b)(1) Through (4)
    As noted earlier, SCI entities have certain reporting obligations 
regarding SCI events. Current SCI Entities are already required to 
submit the notifications, updates, and reports required by Rule 
1002(b)(1) through (4) and therefore already incur a baseline burden. 
As a result of the additional systems intrusions, including those 
captured by the amended definition of systems intrusions and those 
no longer eligible to be treated as de minimis SCI events, Current SCI 
Entities could incur new burdens pursuant to Rule 1002(b)(1) through 
(4) for additional SCI events that they currently either do not report 
or report quarterly as de minimis. As proposed, New SCI Entities would 
for the first time be required to provide the submissions required by 
Rule 1002(b)(1) through (4) and would bear both the existing baseline 
burden for compliance with Rule 1002(b)(1) through (4) and the 
additional burden of reporting the proposed systems intrusions.
    The Commission estimates that on average each Current SCI Entity 
will experience an additional three SCI events each year that are not 
de minimis SCI events \495\ and New SCI Entities will experience an 
average of eight SCI events each year that are not de minimis SCI 
events.\496\
---------------------------------------------------------------------------

    \495\ The Commission's currently approved baseline for the 
number of SCI events is five events per year that are not de 
minimis. See 2022 PRA Supporting Statement, supra note 471. The 
Commission estimates that as a result of the additional systems 
intrusions that SCI entities would be required to report, the number 
of SCI events would increase by three events per year that are not 
de minimis.
    \496\ The Commission estimates that each New SCI Entity would 
experience the baseline burden of five SCI events and three 
additional SCI events, for a total of eight SCI events that are not 
de minimis.
---------------------------------------------------------------------------

    As a result, pursuant to Rule 1002(b)(1), which requires immediate 
notification of SCI events, the Commission estimates that each Current 
SCI Entity will submit, on average, an additional three notifications 
per year beyond the current baseline,\497\ and each New SCI Entity will 
submit eight notifications per year.\498\ These notifications can be 
made orally or in writing, and the Commission estimates that 
approximately one-fourth of these notifications will be submitted in 
writing (i.e., approximately one event per year for each Current SCI 
Entity and two events per year for each New SCI Entity \499\), and 
approximately three-fourths will be provided orally (i.e., 
approximately two events per year for each Current SCI Entity \500\ 
and six events per year for each New SCI Entity \501\). The Commission 
estimates that each written notification will require two hours and 
each oral notification will require 1.5 hours.\502\ The Commission 
estimates an annual burden of 5 hours \503\ for each Current SCI Entity 
and 13 hours \504\ for each New SCI Entity. The table below summarizes 
the ongoing annual burden estimates for Current SCI Entities and New 
SCI Entities:
---------------------------------------------------------------------------

    \497\ The Commission's currently approved baseline for the 
number of notifications submitted by an SCI entity pursuant to Rule 
1002(b)(1) is five notifications per year, with one-fourth of the 
five notifications submitted in writing (i.e., approximately one 
event per year for each SCI entity), and approximately three-fourths 
provided orally (i.e., approximately four events per year for each 
SCI entity). See 2022 PRA Supporting Statement, supra note 471. The 
Commission estimates that the proposed systems intrusions will 
result in each SCI entity submitting three additional notifications, 
one for each of the three estimated additional SCI events.
    \498\ The Commission estimates that each New SCI Entity will 
submit both the current baseline of five notifications and the 
additional three notifications, for a total of eight notifications. 
See supra note 497 (discussing the 3 additional notifications).
    \499\ 8 SCI events / 4 = 2 SCI events reported in writing. The 
Commission estimates that each Current SCI Entity already reports 
one SCI event per year in writing. See 2022 PRA Supporting 
Statement, supra note 471. The Commission therefore estimates that 
each Current SCI Entity would report one additional SCI event in 
writing, and each New SCI Entity would report two SCI events in writing.
    \500\ 3 SCI events-1 SCI event reported in writing = 2 SCI 
events reported orally.
    \501\ 8 SCI events-2 SCI events reported in writing = 6 SCI 
events reported orally.
    \502\ The Commission-approved baseline for the burden hours for 
each notification is 2 hours for written communications (0.5 
Compliance Manager hours + 0.5 Attorney hours + 0.5 Senior Systems 
Analyst hours + 0.5 Senior Business Analyst hours) and 1.5 hours for 
oral communications (0.25 Compliance Manager hours + 0.25 Attorney 
hours + 0.5 Senior Systems Analyst hours + 0.5 Senior Business 
Analyst hours). See 2022 PRA Supporting Statement, supra note 471. 
The Commission does not believe that reporting the proposed systems 
intrusions would change the estimated burden hours.
    \503\ 1 written notification each year * 2 hours per 
notification + 2 oral notifications each year * 1.5 hours per 
notification = 5 hours.
    \504\ 2 written notification each year * 2 hours per 
notification + 6 oral notifications each year * 1.5 hours per 
notification = 13 hours.

----------------------------------------------------------------------------------------------------------------
                                                                                              Burden hours for
                                                                                               all respondents
                                                               Estimated     Burden hours        (estimated
                      Respondent type                         respondents   per SCI entity      respondents x
                                                              (entities)                      burden hours  per
                                                                                                 SCI entity)
----------------------------------------------------------------------------------------------------------------
Current SCI Entities......................................              47               5                   235
New SCI Entities..........................................              23              13                   299
----------------------------------------------------------------------------------------------------------------

    The table below summarizes the Commission's estimates for the 
average internal cost of compliance associated with the ongoing 
reporting burden for Current SCI Entities and New SCI Entities:

----------------------------------------------------------------------------------------------------------------
                                                                                            Total internal  cost
                                                                                                of compliance
                                                         Estimated      Average internal         (estimated
                   Respondent type                      respondents    cost of compliance       respondents x
                                                        (entities)       per SCI entity       average internal
                                                                                             cost of compliance
                                                                                                 per entity)
----------------------------------------------------------------------------------------------------------------
Current SCI Entities................................              47         \1\ $1,737.50               $81,663
New SCI Entities....................................              23             \2\ 4,499               103,477
----------------------------------------------------------------------------------------------------------------
\1\ The average internal cost of compliance for each Current SCI Entity to submit one additional written
  notification per year is (0.5 Compliance Manager hours x $344) + (0.5 Attorney hours x $462) + (0.5 Senior
  Systems Analyst hours x $316) + (0.5 Senior Business Analyst hours x $305) = $713.50 per written
  notification. $713.50 x 1 written notification each year = $713.50.
  The cost per oral notification is (0.25 Compliance Manager hours x $344) + (0.25 Attorney hours x $462) + (0.5
  Senior Systems Analyst hours x $316) + (0.5 Senior Business Analyst hours x $305) = $512 per oral
  notification. $512 x 2 oral notifications each year = $1,024.
  $713.50 + $1,024 = $1,737.50.
\2\ $713.50 per written notification x 2 written notifications + $512 per oral notification x 6 oral
  notifications = $4,499.

    The Commission estimates that each notification submitted pursuant 
to Rule 1002(b)(2) will require 24 hours per SCI entity.\505\ The 
Commission estimates an average of 72 hours \506\ for each Current SCI 
Entity and 192 hours \507\ for each New SCI Entity to submit the 
24-hour written notifications required by Rule 1002(b)(2). The table 
below summarizes the ongoing annual burden estimates for Current SCI 
Entities and New SCI Entities:
---------------------------------------------------------------------------

    \505\ The Commission-approved baseline for the burden hours for 
each written notification is 24 hours (5 Compliance Manager hours + 
5 Attorney hours + 6 Senior Systems Analyst hours + 1 Assistant 
General Counsel hour + 1 Chief Compliance Officer hour + 6 Senior 
Business Analyst hours) for each SCI entity. See 2022 PRA Supporting 
Statement, supra note 471.
    \506\ 3 additional notifications x 24 hours per notification = 
72 hours. See supra note 497 (discussing the three additional 
notifications for each Current SCI Entity).
    \507\ 8 notifications x 24 hours per notification = 192 hours. 
See supra note 498 (discussing the eight notifications for each New 
SCI Entity).

----------------------------------------------------------------------------------------------------------------
                                                                                              Burden hours for
                                                                                               all respondents
                                                               Estimated     Burden hours        (estimated
                      Respondent type                         respondents   per SCI entity      respondents x
                                                              (entities)                      burden hours  per
                                                                                                 SCI entity)
----------------------------------------------------------------------------------------------------------------
Current SCI Entities......................................              47              72                 3,384
New SCI Entities..........................................              23             192                 4,416
----------------------------------------------------------------------------------------------------------------


    The table below summarizes the Commission's estimates for the cost 
of compliance associated with the ongoing reporting burden for Current 
SCI Entities and New SCI Entities:

----------------------------------------------------------------------------------------------------------------
                                                                                            Total internal  cost
                                                                                                of compliance
                                                         Estimated      Average internal         (estimated
                   Respondent type                      respondents    cost of compliance       respondents x
                                                        (entities)       per SCI entity       average internal
                                                                                             cost of compliance
                                                                                                 per entity
----------------------------------------------------------------------------------------------------------------
Current SCI Entities................................              47           \1\ $26,589            $1,249,683
New SCI Entities....................................              23            \2\ 70,904             1,630,792
----------------------------------------------------------------------------------------------------------------
\1\ The average internal cost of compliance for each Current SCI entity to submit an additional written
  notification per year is $8,863 per notification ((5 Compliance Manager hours x $344) + (5 Attorney hours x
  $462) + (6 Senior Systems Analyst hours x $316) + (1 Assistant General Counsel hour x $518) + (6 Senior Business
  Analyst hours x $305) + (1 Chief Compliance Officer hour x $589)). $8,863 per notification x 3 notifications
  each year = $26,589.
\2\ $8,863 per notification x 8 notifications each year = $70,904.

    As for Rule 1002(b)(3), the Commission estimates that, based on 
past experience, each Current SCI entity will submit 1 additional 
written update and 1 additional oral update each year and each New SCI 
Entity will submit 2 written updates (on Form SCI) and 2 oral 
updates.\508\ The Commission estimates that each written update will 
require 6 hours and each oral update will require 4.5 hours.\509\ The 
Commission estimates a total burden of 10.5 hours \510\ for Current SCI 
Entities and 21 hours \511\ for New SCI Entities. The table below 
summarizes the initial and ongoing annual burden estimates for Current 
SCI Entities and New SCI Entities:
---------------------------------------------------------------------------

    \508\ The Commission's currently approved baseline for the 
number of updates submitted by an SCI entity pursuant to Rule 
1002(b)(3) is one written update and one oral update each year, for 
a total of two updates per year. See 2022 PRA Supporting 
Statement, supra note 471. The Commission estimates that as a result 
of the three additional SCI events resulting from the additional 
systems intrusions each SCI entity is potentially required to 
report, the total number of updates would increase to two written 
updates and two oral updates each year, for a total of four updates 
per year.
    \509\ The Commission-approved baseline for the burden hours for 
each update is 6 hours for the written update (1.5 Compliance 
Manager hours + 1.5 Attorney hours + 1.5 Senior Systems Analyst 
hours + 1.5 Senior Business Analyst hours) and 4.5 hours for the 
oral update (0.75 Compliance Manager hours + 0.75 Attorney hours + 
1.5 Senior Systems Analyst hours + 1.5 Senior Business Analyst 
hours). See 2022 PRA Supporting Statement, supra note 471. The 
Commission does not propose to change the estimated burden hours at 
this time and notes that the estimated hours for the Senior Systems 
Analyst and Senior Business Analyst regarding the oral update 
reflect a correction to a typographical error in the 2022 PRA 
Supporting Statement.
    \510\ 1 written notification x 6 hours per written notification 
+ 1 oral notification x 4.5 hours per oral notification = 10.5 
hours.
    \511\ 2 written notifications x 6 hours per written notification 
+ 2 oral notifications x 4.5 hours per oral notification = 21 hours.

----------------------------------------------------------------------------------------------------------------
                                                                                              Burden hours for
                                                                                               all respondents
                                                               Estimated     Burden hours        (estimated
                      Respondent type                         respondents   per SCI entity      respondents x
                                                              (entities)                      burden hours  per
                                                                                                 SCI entity)
----------------------------------------------------------------------------------------------------------------
Current SCI Entities......................................              47            10.5                 493.5
New SCI Entities..........................................              23              21                   483
----------------------------------------------------------------------------------------------------------------

    The table below summarizes the Commission's estimates for the cost 
of compliance associated with the ongoing reporting burden for Current 
SCI Entities and New SCI Entities:

----------------------------------------------------------------------------------------------------------------
                                                                                            Total internal  cost
                                                                                                of compliance
                                                         Estimated      Average internal         (estimated
                   Respondent type                      respondents    cost of compliance       respondents x
                                                        (entities)       per SCI entity       average internal
                                                                                             cost of compliance
                                                                                                 per entity)
----------------------------------------------------------------------------------------------------------------
Current SCI entities................................              47            \1\ $3,677              $172,819
New SCI Entities....................................              23             \2\ 7,354               169,142
----------------------------------------------------------------------------------------------------------------
\1\ The average internal cost of compliance for each SCI entity to submit an additional written update is $2,141
  per notification ((1.5 Compliance Manager hours x $344) + (1.5 Attorney hours x $462) + (1.5 Senior Systems
  Analyst hours x $316) + (1.5 Senior Business Analyst hours x $305)).
The average internal cost of compliance for each SCI entity to submit an additional oral update is $1,536 ((0.75
  Compliance Manager hours x $344) + (0.75 Attorney hours x $462) + (1.5 Senior Systems Analyst hours x $316) +
  (1.5 Senior Business Analyst hours x $305)).
$2,141 + $1,536 = $3,677 for each Current SCI Entity to submit two additional updates (one written update and
  one oral update).
\2\ $2,141 per written update x 2 written updates per year + $1,536 per oral update x 2 oral updates per year =
  $7,354 for each New SCI Entity to submit updates in compliance with Rule 1002(b)(3).


[[Page 23213]]

    As for Rule 1002(b)(4), the Commission estimates that Current SCI 
Entities will submit an additional 3 reports per year above and beyond 
the current baseline \512\ and New SCI Entities will submit 8 reports 
per year.\513\ The Commission estimates that compliance with Rule 
1002(b)(4) for a particular SCI event will require 35 hours.\514\ The 
Commission estimates that each Current SCI Entity will incur 105 hours 
\515\ and each New SCI Entity will incur 280 hours \516\ to meet the 
requirements of Rule 1002(b)(4). The table below summarizes the initial 
and ongoing annual burden estimates for Current SCI Entities and New 
SCI Entities:
---------------------------------------------------------------------------

    \512\ The Commission's currently approved baseline for the 
number of reports submitted by an SCI entity pursuant to Rule 
1002(b)(4) is five reports per year. See 2022 PRA Supporting 
Statement, supra note 471. The Commission estimates that as a result 
of the increase in the estimated number of SCI events from five 
events to eight events, SCI entities would potentially be required 
to submit an additional three reports per year.
    \513\ As noted earlier, the Commission estimates that New SCI 
Entities would submit both the baseline estimate of five reports and 
the additional three reports, for a total of eight reports.
    \514\ The Commission's currently approved baseline for burden 
hours each SCI entity would incur to comply with Rule 1002(b)(4) for 
each SCI event would be 35 hours (8 Compliance Manager hours + 8 
Attorney hours + 7 Senior Systems Analyst hours + 2 Assistant 
General Counsel hours + 1 General Counsel hour + 2 Chief Compliance 
Officer hours + 7 Senior Business Analyst hours). See 2022 PRA 
Supporting Statement, supra note 471. The Commission does not 
propose to change the estimated burden hours at this time.
    \515\ 3 notifications each year x 35 hours per notification = 
105 hours.
    \516\ 8 notifications each year x 35 hours per notification = 
280 hours.

----------------------------------------------------------------------------------------------------------------
                                                                                              Burden hours for
                                                                                               all respondents
                                                               Estimated     Burden hours        (estimated
                      Respondent type                         respondents   per SCI entity      respondents x
                                                              (entities)                      burden hours  per
                                                                                                 SCI entity)
----------------------------------------------------------------------------------------------------------------
Current SCI Entities......................................              47             105                 4,935
New SCI Entities..........................................              23             280                 6,440
----------------------------------------------------------------------------------------------------------------

    The Commission estimates that the average internal cost of 
compliance per notification is $13,672.\517\ The table below summarizes 
the Commission's estimates for the cost of compliance associated with 
the ongoing reporting burden for Current SCI Entities and New SCI 
Entities:
---------------------------------------------------------------------------

    \517\ (8 Compliance Manager hours x $344) + (8 Attorney hours x 
$462) + (7 Senior Systems Analyst hours x $316) + (2 Assistant 
General Counsel hours x $518) + (1 General Counsel hour x $663) + (2 
Chief Compliance Officer hours x $589) + (7 Senior Business Analyst 
hours x $305) = $13,672.

----------------------------------------------------------------------------------------------------------------
                                                                                            Total internal  cost
                                                                                                of compliance
                                                         Estimated      Average internal         (estimated
                   Respondent type                      respondents    cost of compliance       respondents x
                                                        (entities)       per SCI entity       average internal
                                                                                             cost of compliance
                                                                                                 per entity
----------------------------------------------------------------------------------------------------------------
Current SCI Entities................................              47           \1\ $41,016            $1,927,752
New SCI Entities....................................              23           \2\ 109,376             2,515,648
----------------------------------------------------------------------------------------------------------------
\1\ $13,672 per notification x 3 notifications each year = $41,016.
\2\ $13,672 per notification x 8 notifications per year = $109,376 average internal cost of compliance for each
  New SCI Entity.

c. Rule 1002(b)(5)
    The Commission estimates that eliminating systems intrusions from 
the SCI events reported as de minimis events \518\ on the quarterly 
reports reduces the burden for each SCI entity to submit the quarterly 
report by 10% from the current baseline, to 36 hours.\519\ 
Each Current SCI Entity would experience a decrease in its reporting 
burden of 4 hours per quarterly report,\520\ for a total decrease of 16 
hours per SCI entity.\521\ As New SCI Entities are not currently 
required to meet this burden, they would newly incur a burden of 36 
hours per report, for a total burden per SCI entity of 144 hours.\522\
---------------------------------------------------------------------------

    \518\ Systems intrusions, whether de minimis or non-de minimis, 
would be reported pursuant to Rules 1002(b)(1) through (4), as 
discussed earlier. See section III.C.3. The burdens for reporting 
all systems intrusions as non-de minimis events are discussed above. 
See supra notes 495-517 and accompanying text.
    \519\ The Commission's currently approved baseline for the 
initial and ongoing reporting burden to comply with the quarterly 
report requirement is 40 hours. See 2022 PRA Supporting Statement, 
supra note 471. 40 hours - (40 hours x 10%) = 36 hours. This estimate 
includes 7 hours for a Compliance Manager, 7 hours for an Attorney, 
9 hours for a Senior Systems Analyst, 1 hour for an Assistant General 
Counsel, 9 hours for a Senior Business Analyst, 1 hour for a General 
Counsel, and 2 hours for a Chief Compliance Officer.
    \520\ 40 hours (baseline estimate) - 36 hours (revised estimate) = 
4 hours per quarterly report. This estimate includes 0.75 hours for 
a Compliance Manager, 0.75 hours for an Attorney, 1 hour for a 
Senior Systems Analyst, 0.2 hours for an Assistant General Counsel, 
1 hour for a Senior Business Analyst, 0.1 hours for a General 
Counsel, and 0.2 hours for a Chief Compliance Officer.
    \521\ 4 quarterly submissions per year x 4 hours per submission 
= 16 hours decrease per SCI entity.
    \522\ 4 quarterly submissions per year x 36 hours per submission 
= 144 hours per SCI entity.
---------------------------------------------------------------------------

    The table below summarizes the initial and ongoing annual burden 
estimates for Current SCI Entities and New SCI Entities:

--------------------------------------------------------------------------------------------------------------------------------------------------------
                                                                                                                                    Burden hours for all
                                                                                                              Burden hours per SCI       respondents
                                                                 Estimated       Number of       Hours per      entity (number of        (estimated
                       Respondent type                          respondents       reports         report       reports x hours per      respondents x
                                                                (entities)                                           report)          burden hours  per
                                                                                                                                         SCI entity)
--------------------------------------------------------------------------------------------------------------------------------------------------------
Current SCI Entities........................................              47               4             (4)                  (16)                 (752)
New SCI Entities............................................              23               4              36                   144                 3,312
--------------------------------------------------------------------------------------------------------------------------------------------------------

[[Page 23214]]

    The table below summarizes the Commission's estimates for the 
average internal cost of compliance associated with the ongoing 
reporting burden for Current SCI Entities and New SCI Entities:

--------------------------------------------------------------------------------------------------------------------------------------------------------
                                                                                                                Average internal    Total internal  cost
                                                                                                               cost of compliance       of compliance
                                                               Estimated                    Internal cost of     per SCI entity          (estimated
                      Respondent type                         respondents      Number of     compliance per   (number of reports x      respondents x
                                                              (entities)        reports          report         internal cost of      average internal
                                                                                                                 compliance per      cost of compliance
                                                                                                                     report)             per entity
--------------------------------------------------------------------------------------------------------------------------------------------------------
Current SCI entities......................................              47               4      \1\ $(1,513)          \2\ $(6,052)            $(284,444)
New SCI entities..........................................              23               4        \3\ 13,619            \4\ 54,476             1,252,948
--------------------------------------------------------------------------------------------------------------------------------------------------------
\1\ (0.75 Compliance Manager hours x $344) + (0.75 Attorney hours x $462) + (1 Senior Systems Analyst hours x $316) + (0.2 Assistant General Counsel
  hours x $518) + (0.1 General Counsel hour x $663) + (0.2 Chief Compliance Officer hours x $589) + (1 Senior Business Analyst hours x $305) = $1,513.
\2\ $1,513 per notification x 4 notifications each year = $6,052 per Current SCI Entity.
\3\ (6.75 Compliance Manager hours x $344) + (6.75 Attorney hours x $462) + (9 Senior Systems Analyst hours x $316) + (1.8 Assistant General Counsel
  hours x $518) + (0.9 General Counsel hour x $663) + (1.8 Chief Compliance Officer hours x $589) + (9 Senior Business Analyst hours x $305) = $13,619.
\4\ $13,619 per notification x 4 notifications each year = $54,476 per New SCI Entity.

    The Commission estimates that while SCI entities will handle 
internally most of the work associated with Rule 1002(b), SCI entities 
will seek outside legal advice in the preparation of certain Commission 
notifications. The Commission estimates that the total annual reporting 
cost of seeking outside legal advice is $5,800 per SCI entity.\523\ 
Because Rule 1002(b) will impose approximately 32 reporting 
requirements \524\ per SCI entity per year, each required 
notification will require an average of $181.25.\525\ The total 
annual reporting costs for Current SCI Entities and New SCI Entities 
are summarized below:
---------------------------------------------------------------------------

    \523\ The Commission-approved baseline for the annual reporting 
cost of seeking outside legal advice is $5,800 per SCI entity. See 
2022 PRA Supporting Statement, supra note 471.
    \524\ The Commission-approved baseline for the number of 
reporting requirements required by Rule 1002(b) is 21 requirements 
for each SCI entity. See 2022 PRA Supporting Statement, supra note 
471. The proposed amendments add an additional 11 reporting 
requirements (3 immediate notifications + 3 24-hour notifications + 
2 updates pertaining to an SCI event + 3 interim/final 
notifications). 21 + 11 = 32 reporting requirements.
    \525\ $5,800 per SCI entity/32 reporting requirements = $181.25 
per reporting requirement.

--------------------------------------------------------------------------------------------------------------------------------------------------------
                                                                                                                           Cost per  SCI
                                                                                                                              entity        Total cost
                                                                                                                            (number of     burdens (cost
                                                                              Number of      Number of       Cost per        reporting        per SCI
                    Rule                           Type of respondent        respondents     reporting       reporting    requirements x     entity x
                                                                                           requirements     requirement      cost per        number of
                                                                                                                             reporting     respondents)
                                                                                                                           requirement)
--------------------------------------------------------------------------------------------------------------------------------------------------------
Rule 1002(b)(1)............................  Current SCI Entities..........           47               3         $181.25            $544         $25,556
                                             New SCI Entities..............           23               8          181.25           1,450          33,350
Rule 1002(b)(2)............................  Current SCI Entities..........           47               3          181.25             544          25,556
                                             New SCI Entities..............           23               8          181.25           1,450          33,350
Rule 1002(b)(3)............................  Current SCI Entities..........           47               2          181.25             363          17,038
                                             New SCI Entities..............           23               4          181.25             725          16,675
Rule 1002(b)(4)............................  Current SCI Entities..........           47               3          181.25             544          25,556
                                             New SCI Entities..............           23               8          181.25           1,450          33,350
Rule 1002(b)(5)............................  Current SCI Entities..........           47               0          181.25               0               0
                                             New SCI Entities..............           23               4          181.25             725          16,675
--------------------------------------------------------------------------------------------------------------------------------------------------------

d. Rule 1002(c)
    The Commission anticipates that the proposed amendment will newly 
impose the information dissemination requirements of Rule 1002(c)(1) on 
New SCI Entities, and New SCI Entities will incur the same burdens that 
Current SCI Entities already incur to comply with these 
requirements.\526\ The table below summarizes the burden that would be 
newly imposed on New SCI Entities:
---------------------------------------------------------------------------

    \526\ Current SCI Entities are already required to comply with 
Rule 1002(c)(1). The burdens for compliance are summarized in the 
most recent PRA Supporting Statement. See 2022 PRA Supporting 
Statement, supra note 471. The proposed amendments impose no 
additional burden related to this section. The Commission does not 
anticipate that New SCI Entities would incur burdens beyond what is 
estimated in the 2022 PRA Supporting Statement.

[[Page 23215]]



--------------------------------------------------------------------------------------------------------------------------------------------------------
                                                                                                                                    Burden hours for all
                                                                                                                  Burden hours per       respondents
                                                              Estimated          Number of           Hours per       SCI Entity          (estimated
               Rule                    Respondent type       respondents       dissemination       dissemination     (number of         respondents x
                                                                                                                   reports x hours    burden hours  per
                                                                                                                     per report)         SCI entity)
--------------------------------------------------------------------------------------------------------------------------------------------------------
Rule 1002(c)(1)(i)................  New SCI Entities.....              23  3 information                   \2\ 7                21                   483
                                                                            disseminations \1\.
Rule 1002(c)(1)(ii) and (iii).....                                         9 updates \3\........          \4\ 13               117                 2,691
--------------------------------------------------------------------------------------------------------------------------------------------------------
\1\ The Commission's currently approved baseline for the number of each SCI entity's information disseminations per year under Rule 1002(c)(1)(i) is
  three information disseminations. See 2022 PRA Supporting Statement, supra note 471.
\2\ The Commission's currently approved baseline is that each information dissemination under Rule 1002(c)(1)(i) would require 7 hours. This includes 1
  Compliance Manager hour, 2.67 Attorney hours, 1 Senior System Analyst hour, 0.5 General Counsel hours, 0.5 Director of Compliance hours, 0.5 Chief
  Compliance Officer hours, 0.5 Corporate Communications Manager hours, and 0.33 Webmaster hours. See 2022 PRA Supporting Statement, supra note 471.
\3\ The Commission's currently approved baseline for Rule 1002(c)(1)(ii) and (iii) is that each SCI entity will disseminate three updates for each SCI
  event. 3 updates per SCI Event x 3 SCI events = 9 updates each year.
\4\ The Commission's currently approved baseline is that each information dissemination under Rule 1002(c)(1)(ii) and (iii) would require 13 hours. This
  includes 2 Compliance Manager hours, 4.67 Attorney hours, 2 Senior System Analyst hours, 1 General Counsel hour, 1 Director of Compliance hour, 1
  Chief Compliance Officer hour, 1 Corporate Communications Manager hour, and 0.33 Webmaster hours. See 2022 PRA Supporting Statement, supra note
  471, at 25-26.

    The table below summarizes the Commission's estimates for the 
average internal cost of compliance associated with the ongoing 
reporting burden for Current SCI Entities and New SCI Entities:

----------------------------------------------------------------------------------------------------------------
                                                                                            Total internal  cost
                                                                                                of compliance
                                                         Estimated      Average internal         (estimated
              Rule                  Respondent type     respondents    cost of compliance       respondents x
                                                        (entities)       per SCI entity       average internal
                                                                                             cost of compliance
                                                                                                 per entity)
----------------------------------------------------------------------------------------------------------------
Rule 1002(c)(1)(i)..............  New SCI Entities..              23            \1\ $9,212              $211,876
Rule 1002(c)(1)(ii) and (iii)...                                                \2\ 51,666             1,188,318
----------------------------------------------------------------------------------------------------------------
\1\ (1 Compliance Manager hours x $344) + (2.67 Attorney hours x $462) + (1 Senior Systems Analyst hours x $316)
  + (0.5 General Counsel hour x $663) + (0.5 Chief Compliance Officer hours x $589) + (0.5 Director of
  Compliance hours x $542) + (0.5 Corporate Communications Manager hours x $378) + (0.33 Webmaster hours x $276)
  = $3,071. $3,071 per notification x 3 notifications each year = $9,212.
\2\ (2 Compliance Manager hours x $344) + (4.67 Attorney hours x $462) + (2 Senior Systems Analyst hours x $316)
  + (1 General Counsel hour x $663) + (1 Chief Compliance Officer hours x $589) + (1 Director of Compliance
  hours x $542) + (1 Corporate Communications Manager hours x $378) + (0.33 Webmaster hours x $276) = $5,741.
  $5,741 per notification x 9 notifications each year = $51,666.

    With respect to the Rule 1002(c)(2) requirement to disseminate 
information regarding systems intrusions, the Commission estimates that 
each Current SCI Entity will disseminate information regarding 3 
systems intrusions each year and each New SCI Entity will disseminate 
information regarding 4 systems intrusions each year.\527\ The 
Commission estimates that each dissemination under Rule 1002(c)(2) will 
require 10 hours.\528\
---------------------------------------------------------------------------

    \527\ The Commission's currently approved baseline for the 
number of each SCI entity's information disseminations per year 
under Rule 1002(c)(2) is that each SCI entity will disseminate 
information about one systems intrusion each year. See 2022 PRA 
Supporting Statement, supra note 471. As discussed above, the 
Commission estimates an additional three SCI events (i.e., three 
additional systems intrusions) as a result of the additional types 
of systems intrusions added to the definition of systems intrusions 
in Rule 1000 and the elimination of systems intrusions from the de 
minimis SCI events reported quarterly in Rule 1002(b)(5). The 
Commission estimates that each SCI entity would disseminate 
information related to four systems intrusions each year. Each 
Current SCI Entity would disseminate information for three systems 
intrusions beyond the baseline estimate of one systems intrusion. 
New SCI Entities will newly incur this burden and, as a result, will 
report four systems intrusions.
    \528\ The Commission's currently approved baseline is that each 
dissemination under Rule 1002(c)(2) will require 10 hours. See 2022 
PRA Supporting Statement, supra note 471.
---------------------------------------------------------------------------

    The table below summarizes the initial and ongoing annual burden 
estimates for Current SCI Entities and New SCI Entities:

----------------------------------------------------------------------------------------------------------------
                                                                                            Burden hours for all
                                                                                                 respondents
                                                               Estimated     Burden hours        (estimated
                      Respondent type                         respondents   per SCI entity      respondents x
                                                              (entities)                      burden hours  per
                                                                                                 SCI entity)
----------------------------------------------------------------------------------------------------------------
Current SCI Entities......................................              47          \1\ 30                 1,410
New SCI Entities..........................................              23          \2\ 40                   920
----------------------------------------------------------------------------------------------------------------
\1\ 3 information disseminations x 10 hours per dissemination = 30 hours.
\2\ 4 information disseminations x 10 hours per dissemination = 40 hours.

    The Commission estimates that the average internal cost of 
compliance per notification is $4,406.\529\ The table below summarizes 
the Commission's estimates for the cost of compliance associated with 
the ongoing reporting burden for Current SCI Entities and New SCI 
Entities:
---------------------------------------------------------------------------

    \529\ (1.5 Compliance Manager hours x $344) + (3.67 Attorney 
hours x $462) + (1.5 Senior Systems Analyst hours x $316) + (0.75 
General Counsel hours x $633) + (0.75 Director of Compliance hours x 
$542) + (0.75 Chief Compliance Officer hours x $589) + (0.75 
Corporate Communications Manager hours x $378) + (0.33 Webmaster 
hours x $276) = $4,406 per notification.

[[Page 23216]]



----------------------------------------------------------------------------------------------------------------
                                                                                             Total internal cost
                                                                                                of compliance
                                                         Estimated      Average internal         (estimated
                   Respondent type                      respondents    cost of compliance       respondents x
                                                        (entities)       per SCI entity       average internal
                                                                                             cost of compliance
                                                                                                 per entity)
----------------------------------------------------------------------------------------------------------------
Current SCI Entities................................              47           \1\ $13,218              $621,246
New SCI Entities....................................              23            \2\ 17,624               405,352
----------------------------------------------------------------------------------------------------------------
\1\ $4,406 per notification x 3 information disseminations each year = $13,218.
\2\ $4,406 per notification x 4 information disseminations per year = $17,624.

    The Commission believes SCI entities will seek outside legal advice 
in the preparation of the information dissemination under Rule 1002(c). 
The Commission estimates that the total annual reporting cost of seeking 
outside legal advice is $3,320 per SCI entity.\530\ Because Rule 
1002(c) will impose approximately 16 third-party disclosure 
requirements \531\ per SCI entity per year, each required disclosure 
will require an average of $207.50.\532\ The total annual reporting 
costs for Current SCI Entities and New SCI Entities are summarized 
below:
---------------------------------------------------------------------------

    \530\ The Commission-approved baseline for the annual reporting 
cost of seeking outside legal advice is $3,320 per SCI entity. See 
2022 PRA Supporting Statement, supra note 471.
    \531\ The Commission-approved baseline for the number of 
disclosure requirements required by Rule 1002(c) is 13 requirements 
for each SCI entity. See 2022 PRA Supporting Statement, supra note 
471. The proposed amendments add an additional 3 reporting 
requirements (3 additional information disseminations related to 3 
additional systems intrusions). 13 + 3 = 16 disclosure requirements.
    \532\ $3,320 per SCI entity/16 reporting requirements = $207.50 
per reporting requirement.

--------------------------------------------------------------------------------------------------------------------------------------------------------
                                                                                                                           Cost per SCI     Total cost
                                                                                                                          entity (number   burdens (cost
                     Rule                                Respondent type            Number of    Number of     Cost per   of disclosures  per SCI entity
                                                                                   respondents  disclosures   disclosure    x cost per      x number of
                                                                                                                            disclosure)    respondents)
--------------------------------------------------------------------------------------------------------------------------------------------------------
Rule 1002(c)(1)(i)............................  New SCI Entities.................           23            3      $207.50         $622.50      $14,317.50
Rule 1002(c)(1)(ii) and (iii).................  New SCI Entities.................           23            9       207.50        1,867.50       42,952.50
Rule 1002(c)(2)...............................  Current SCI Entities.............           47            3       207.50          622.50       29,257.50
                                                New SCI Entities.................           23            4       207.50             830          19,090
--------------------------------------------------------------------------------------------------------------------------------------------------------

    As noted above, Regulation SCI requires SCI entities to identify 
certain types of events and systems. The Commission believes that the 
identification of critical SCI systems, major SCI events, and de 
minimis SCI events will impose an initial one-time implementation 
burden on new SCI entities in developing processes to quickly and 
correctly identify the nature of a system or event. The identification 
of these systems and events may also impose periodic burdens on SCI 
entities in reviewing and updating the processes. The Commission 
anticipates that, because the proposed amendment will newly impose 
the requirements of Rule 1002(b) on New SCI Entities, New SCI Entities 
will incur the burden to develop processes to comply with these 
requirements.\533\ The Commission estimates that each New SCI entity 
will initially require 198 hours to establish criteria for identifying 
material systems changes and 39 hours annually to review and update 
the criteria.\534\ The table below summarizes the burden that would be 
newly imposed on New SCI Entities:
---------------------------------------------------------------------------

    \533\ Current SCI Entities are already required to comply with 
Rule 1003(a). The burdens for compliance are summarized in the most 
recent PRA Supporting Statement. See 2022 PRA Supporting Statement, 
supra note 471. The proposed amendments impose no additional burden 
related to this section.
    \534\ These estimates reflect the Commission-approved baseline. 
See 2022 PRA Supporting Statement, supra note 471. The Commission 
does not anticipate that New SCI Entities would incur burdens beyond 
what is estimated in the 2022 PRA Supporting Statement.

----------------------------------------------------------------------------------------------------------------
                                                                                              Estimated burden
                                                               Estimated                        hours for all
          Respondent type                 Burden type         respondents    Burden hours    entities (estimated
                                                              (entities)      per entity    respondents x burden
                                                                                              hours per entity)
----------------------------------------------------------------------------------------------------------------
New SCI Entities...................  Initial..............              23             198                 4,554
                                     Annual...............              23              39                   897
----------------------------------------------------------------------------------------------------------------

    The table below summarizes the Commission's estimates for the 
average internal cost of compliance for New SCI Entities:

[[Page 23217]]



----------------------------------------------------------------------------------------------------------------
                                                                                            Total internal  cost
                                                                                                of compliance
                                                         Estimated      Average internal         (estimated
         Respondent type              Burden type       respondents    cost of compliance       respondents x
                                                        (entities)         per entity         average internal
                                                                                             cost of compliance
                                                                                                 per entity)
----------------------------------------------------------------------------------------------------------------
New SCI Entities................  Initial...........              23           \1\ $78,144            $1,797,312
                                  Annual............              23            \2\ 17,258               396,934
----------------------------------------------------------------------------------------------------------------
\1\ (64 Compliance Manager hours x $344) + (64 Attorney hours x $462) + (20 Senior Systems Analyst hours x $316)
  + (20 Operations Specialist hours x $152) + (20 Chief Compliance Officer hours x $589) + (10 Director of
  Compliance hours x $542) = $78,144.
\2\ (9 Compliance Manager hours x $344) + (9 Attorney hours x $462) + (3 Senior Systems Analyst hours x $316) +
  (3 Operations Specialist hours x $152) + (10 Chief Compliance Officer hours x $589) + (5 Director of
  Compliance hours x $542) = $17,258.

    As discussed above in section III.C.3.c, the proposed amendments to 
the definition of systems intrusion would require SCI entities to 
establish reasonable written criteria to identify significant attempted 
unauthorized entries into the SCI systems or indirect SCI systems of an 
SCI entity. As this is a new burden for both Current SCI Entities and 
New SCI Entities, the Commission estimates an average burden across all 
SCI entities of 89 hours \535\ initially to establish the criteria for 
identifying material systems changes and 14.5 hours \536\ annually to 
review and update the criteria.
---------------------------------------------------------------------------

    \535\ This estimate is based on the Commission's burden estimate 
for Rule 1001(a), because Rule 1001(a) requires policies and 
procedures. See supra notes 474-475 and accompanying text. Rule 
1001(a) (excluding Rule 1001(a)(2)(vi)) requires a total of ten 
policy elements at a minimum, consisting of six currently required 
policy elements and four proposed policy elements. See supra notes 
471 and 474. Because the proposed amendment to the definition of 
systems intrusion in Rule 1000 requires only one set of written 
criteria, the Commission estimates that the initial staff burden to 
draft the criteria required to identify significant attempted 
unauthorized systems intrusions is one-tenth of the initial staff 
burden to draft the policies and procedures required by Rule 1001(a) 
(excluding Rule 1001(a)(2)(vi)). 890 hours/10 policy elements = 89 
burden hours per policy element. The 89 burden hours include 25 
hours for a Compliance Manager, 25 hours for an Attorney, 8 hours 
for a Senior Systems Analyst, and 8 hours for an Operations 
Specialist. The Commission also estimates that a Chief Compliance 
Officer will spend 15 hours and a Director of Compliance will spend 
8 hours reviewing the policies and procedures.
    \536\ This estimate is based on the Commission's burden estimate 
for Rule 1001(a), because Rule 1001(a) requires policies and 
procedures. See supra notes 475-476 and accompanying text. Rule 
1001(a) (excluding Rule 1001(a)(2)(vi)) requires a total of ten 
policy elements at a minimum, consisting of six currently required 
policy elements and four proposed policy elements. See supra notes 
472 and 475. Because the proposed amendment to the definition of 
systems intrusion in Rule 1000 requires only one set of written 
criteria, the Commission estimates that the ongoing staff burden to 
review and update the criteria required to identify significant 
attempted unauthorized systems intrusions is one-tenth of the 
ongoing staff burden to review and update the policies and 
procedures required by Rule 1001(a) (excluding Rule 1001(a)(2)(vi)). 
145 hours/10 policy elements = 14.5 burden hours per policy element. 
The 14.5 burden hours include 2 hours for a Compliance Manager, 2 
hours for an Attorney, 1 hour for a Senior Systems Analyst, and 1 
hour for an Operations Specialist. The Commission also estimates 
that a Chief Compliance Officer will spend 5.5 hours and a Director 
of Compliance will spend 3 hours reviewing the policies and 
procedures.
---------------------------------------------------------------------------

    The table below summarizes the initial and ongoing annual burden 
estimates for Current SCI Entities and New SCI Entities:

----------------------------------------------------------------------------------------------------------------
                                                                                              Estimated burden
                                                                                                hours for all
                                                               Estimated     Burden hours    entities (estimated
          Respondent type                 Burden type         respondents     per entity        respondents x
                                                              (entities)                      burden hours  per
                                                                                                   entity)
----------------------------------------------------------------------------------------------------------------
Current SCI Entities...............  Initial..............              47              89                 4,183
                                     Annual...............              47            14.5                 681.5
New SCI Entities...................  Initial..............              23              89                 2,047
                                     Annual...............              23            14.5                 333.5
----------------------------------------------------------------------------------------------------------------

    The table below summarizes the Commission's estimates for the 
average internal cost of compliance for Current SCI Entities and New 
SCI Entities:

----------------------------------------------------------------------------------------------------------------
                                                                                            Total internal  cost
                                                                                                of compliance
                                                         Estimated      Average internal         (estimated
         Respondent type              Burden type       respondents    cost of compliance       respondents x
                                                        (entities)         per entity         average internal
                                                                                             cost of compliance
                                                                                                 per entity)
----------------------------------------------------------------------------------------------------------------
Current SCI Entities............  Initial...........              47           \1\ $37,065            $1,742,055
                                  Annual............              47             \2\ 6,946               326,462
New SCI Entities................  Initial...........              23            \3\ 37,065               852,495
                                  Annual............              23             \4\ 6,946               159,758
----------------------------------------------------------------------------------------------------------------
\1\ (25 Compliance Manager hours x $344) + (25 Attorney hours x $462) + (8 Senior Systems Analyst hours x $316)
  + (8 Operations Specialist hours x $152) + (15 Chief Compliance Officer hours x $589) + (8 Director of
  Compliance hours x $542) = $37,065.
\2\ (2 Compliance Manager hours x $344) + (2 Attorney hours x $462) + (1 Senior Systems Analyst hours x $316) +
  (1 Operations Specialist hours x $152) + (5.5 Chief Compliance Officer hours x $589) + (3 Director of
  Compliance hours x $542) = $6,946.
\3\ See supra note 1 of this table.
\4\ See supra note 2 of this table.


[[Page 23218]]

3. Rule 1003
    The Commission anticipates that the proposed amendment will newly 
impose the Rule 1003(a) requirements to report material system changes 
on New SCI Entities, and New SCI Entities will incur the same burdens 
that Current SCI Entities already incur to comply with these 
requirements.\537\ The table below summarizes the burden that would be 
newly imposed on New SCI Entities:
---------------------------------------------------------------------------

    \537\ Current SCI Entities are already required to comply with 
Rule 1003(a). The burdens for compliance are summarized in the most 
recent PRA Supporting Statement. See 2022 PRA Supporting Statement, 
supra note 471. The proposed amendments impose no additional burden 
related to this section. The Commission does not anticipate that New 
SCI Entities would incur burdens beyond what is estimated in the 
2022 PRA Supporting Statement.

--------------------------------------------------------------------------------------------------------------------------------------------------------
                                                                                                                                    Burden hours for all
                                                                                                                  Burden hours per       respondents
                                                              Estimated                              Hours per        SCI entity         (estimated
               Rule                    Respondent type       respondents     Number of reports        report         (number of         respondents x
                                                             (entities)                                            reports x hours    burden hours  per
                                                                                                                     per report)         SCI entity)
--------------------------------------------------------------------------------------------------------------------------------------------------------
Rule 1003(a)(1)...................  New SCI Entities.....              23  4 reports (1 per              \1\ 125               500                11,500
                                                                            quarter).
Rule 1003(a)(2)...................                                         \2\ 1 supplemental             \3\ 15                15                  345
                                                                            report.
--------------------------------------------------------------------------------------------------------------------------------------------------------
\1\ The Commission's currently approved baseline is that each quarterly report under Rule 1003(a)(1) would require 125 hours. This includes 7.5
  Compliance Manager hours, 7.5 Attorney hours, 5 Chief Compliance Officer hours, 75 Senior System Analyst hours, and 30 Senior Business Analyst hours.
  See 2022 PRA Supporting Statement, supra note 471.
\2\ The Commission's currently approved baseline for Rules 1002(c)(1)(ii) and (iii) is that each SCI entity will submit one supplemental report each
  year. See 2022 PRA Supporting Statement, supra note 471.
\3\ The Commission's currently approved baseline is that the supplemental report under Rule 1003(a)(1) would require 15 hours. This includes 2
  Compliance Manager hours, 2 Attorney hours, 1 Chief Compliance Officer hours, 7 Senior System Analyst hours, and 3 Senior Business Analyst hours. See
  2022 PRA Supporting Statement, supra note 471.

    The table below summarizes the average internal cost of compliance 
that would be newly imposed on New SCI Entities:

--------------------------------------------------------------------------------------------------------------------------------------------------------
                                                                                                                                    Total internal  cost
                                                                                                                                        of compliance
                                                            Estimated                             Cost of       Average internal         (estimated
               Rule                   Respondent type      respondents    Number of reports     compliance     cost of compliance       respondents x
                                                           (entities)                           per report         per entity         average internal
                                                                                                                                     cost of compliance
                                                                                                                                         per entity)
--------------------------------------------------------------------------------------------------------------------------------------------------------
Rule 1003(a)(1)..................  New SCI Entities....              23  4 reports (1 per        \1\ $41,840          \2\ $167,360            $3,849,280
                                                                          quarter).
Rule 1003(a)(2)..................                                        1 supplemental            \3\ 5,328                 5,328               122,544
                                                                          report.
--------------------------------------------------------------------------------------------------------------------------------------------------------
\1\ (7.5 Compliance Manager hours x $344) + (7.5 Attorney hours x $462) + (5 Chief Compliance Officer hours x $589) + (75 Senior Systems Analyst hours x
  $316) + (30 Senior Business Analyst hours x $305) = $41,840.
\2\ $41,840 per report x 4 reports each year = $167,360.
\3\ (2 Compliance Manager hours x $344) + (2 Attorney hours x $462) + (1 Chief Compliance Officer hours x $589) + (7 Senior Systems Analyst hours x
  $316) + (3 Senior Business Analyst hours x $305) = $5,328.

    Rule 1003(a)(1) requires each SCI entity to establish reasonable 
written criteria for identifying a change to its SCI systems and the 
security of indirect SCI systems as material. The Commission 
anticipates that the proposed amendment will newly impose these 
requirements on New SCI Entities, and New SCI Entities will incur the 
same burdens that Current SCI Entities already incur to comply with 
these requirements.\538\ The Commission estimates that each New SCI 
entity will initially require 114 hours to establish criteria for 
identifying material systems changes and 27 hours annually to review 
and update the criteria.\539\ The table below summarizes the burden 
that would be newly imposed on New SCI Entities:
---------------------------------------------------------------------------

    \538\ Current SCI Entities are already required to comply with 
Rule 1003(a). The burdens for compliance are summarized in the most 
recent PRA Supporting Statement. See 2022 PRA Supporting Statement, 
supra note 471. The proposed amendments impose no additional burden 
related to this section.
    \539\ These estimates reflect the Commission-approved baseline. 
See 2022 PRA Supporting Statement, supra note 471. The Commission 
does not anticipate that New SCI Entities would incur burdens beyond 
what is estimated in the 2022 PRA Supporting Statement.

----------------------------------------------------------------------------------------------------------------
                                                                                              Estimated burden
                                                                                                hours for all
                                                               Estimated     Burden hours    entities (estimated
          Respondent type                 Burden type         respondents     per entity        respondents x
                                                              (entities)                      burden hours  per
                                                                                                   entity)
----------------------------------------------------------------------------------------------------------------
New SCI Entities...................  Initial..............              23             114                 2,622
                                     Annual...............              23              27                   621
----------------------------------------------------------------------------------------------------------------

    The table below summarizes the Commission's estimates for the cost 
of compliance for New SCI Entities:

[[Page 23219]]



----------------------------------------------------------------------------------------------------------------
                                                                                            Total internal  cost
                                                                                                of compliance
                                                         Estimated      Average internal         (estimated
                   Respondent type                      respondents    cost of compliance       respondents x
                                                        (entities)         per entity         average internal
                                                                                             cost of compliance
                                                                                                 per entity)
----------------------------------------------------------------------------------------------------------------
New SCI Entities....................................              23           \1\ $47,672            $1,096,456
                                                                                \2\ 12,929               297,367
----------------------------------------------------------------------------------------------------------------
\1\ (32 Compliance Manager hours x $344) + (32 Attorney hours x $462) + (10 Senior Systems Analyst hours x $316)
  + (10 Operations Specialist hours x $152) + (20 Chief Compliance Officer hours x $589) + (10 Director of
  Compliance hours x $542) = $47,672.
\2\ (4.5 Compliance Manager hours x $344) + (4.5 Attorney hours x $462) + (1.5 Senior Systems Analyst hours x
  $316) + (1.5 Operations Specialist hours x $152) + (10 Chief Compliance Officer hours x $589) + (5 Director of
  Compliance hours x $542) = $12,929.

    The Commission does not expect SCI entities to incur any external 
PRA costs in connection with the reports required under Rule 1003(a).
    As for Rule 1003(b), each Current SCI Entity is already required to 
perform an SCI review and therefore already incurs a baseline burden 
\540\ for compliance, so the amendments should only impose a burden 
required to comply with the additional requirements. Presently, none of 
the New SCI Entities are required to comply with the requirements of 
Rule 1003(b), but the proposed amendments will newly impose both the 
baseline burden to conduct the SCI review and the additional burden to 
meet the proposed requirements for the SCI review.
---------------------------------------------------------------------------

    \540\ The Commission's currently approved baseline for the 
annual recordkeeping burden of conducting an SCI review and 
submitting the SCI review to senior management of the SCI entity for 
review is 690 hours (35 Compliance Manager hours + 80 Attorney hours 
+ 375 Senior Systems Analyst hours + 5 General Counsel hours + 5 
Director of Compliance hours + 20 Chief Compliance Officer hours 
+ 170 Internal Audit Manager hours). See 2022 PRA Supporting 
Statement, supra note 471.
---------------------------------------------------------------------------

    The Commission estimates that the proposed additional requirements 
for conducting the SCI review will increase the burden of conducting 
the SCI review and submitting the report by 50%. With respect to Rule 
1003(b)(1) and (2), the Commission estimates an additional burden for 
Current SCI Entities of 345 hours \541\ and 1,035 hours \542\ for New 
SCI Entities. The table below summarizes the initial and ongoing annual 
burden estimates for Current SCI Entities and New SCI Entities:
---------------------------------------------------------------------------

    \541\ 690 hours (baseline burden) x 0.5 = 345 hours. This 
estimate includes 17.5 hours for a Compliance Manager, 40 hours for 
an Attorney, 187.5 hours for a Senior Systems Analyst, 2.5 hours for 
General Counsel, 10 hours for a Chief Compliance Officer, 2.5 hours 
for a Director of Compliance, and 85 hours for an Internal Audit 
Manager.
    \542\ 690 baseline burden hours + 345 additional burden hours = 
1,035 hours. This estimate includes 52.5 hours for a Compliance 
Manager, 120 hours for an Attorney, 562.5 hours for a Senior Systems 
Analyst, 7.5 hours for General Counsel, 30 hours for a Chief 
Compliance Officer, 7.5 hours for a Director of Compliance, and 255 
hours for an Internal Audit Manager.

----------------------------------------------------------------------------------------------------------------
                                                                                              Estimated burden
                                                                                                hours for all
                                                               Estimated     Burden hours   entities  (estimated
                      Respondent type                         respondents     per entity        respondents x
                                                                                              burden hours  per
                                                                                                   entity)
----------------------------------------------------------------------------------------------------------------
Current SCI Entities......................................              47             345                16,215
New SCI Entities..........................................              23           1,035                23,805
----------------------------------------------------------------------------------------------------------------

    The table below summarizes the Commission's estimates for the 
average internal cost of compliance for Current SCI Entities and New 
SCI Entities:

----------------------------------------------------------------------------------------------------------------
                                                                                            Total internal  cost
                                                                                                of compliance
                                                                        Average internal         (estimated
                   Respondent type                       Estimated     cost of compliance       respondents x
                                                        respondents        per entity         average internal
                                                                                             cost of compliance
                                                                                                 per entity
----------------------------------------------------------------------------------------------------------------
Current SCI Entities................................              47          \1\ $123,848            $5,820,856
New SCI Entities....................................              23           \2\ 371,543            $8,545,489
----------------------------------------------------------------------------------------------------------------
\1\ (17.5 Compliance Manager hours x $344) + (40 Attorney hours x $462) + (187.5 Senior Systems Analyst hours x
  $316) + (2.5 General Counsel hours x $663) + (2.5 Director of Compliance hours x $542) + (10 Chief Compliance
  Officer hours x $589) + (85 Internal Audit Manager hours x $367) = $123,848.
\2\ (52.5 Compliance Manager hours x $344) + (120 Attorney hours x $462) + (562.5 Senior Systems Analyst hours x
  $316) + (7.5 General Counsel hours x $663) + (7.5 Director of Compliance hours x $542) + (30 Chief Compliance
  Officer hours x $589) + (255 Internal Audit Manager hours x $367) = $371,543.

    With respect to Rule 1003(b)(3), the Commission estimates that the 
burden for SCI entities would increase to 25 hours from the current 
baseline estimate.\543\ Thus, the Commission estimates an additional 
burden for

[[Page 23220]]

Current SCI Entities of 24 hours \544\ and a new burden of 25 hours 
\545\ for New SCI Entities. The table below summarizes the initial and 
ongoing annual burden estimates for Current SCI Entities and New SCI 
Entities:
---------------------------------------------------------------------------

    \543\ The Commission's currently approved baseline to submit the 
report for the SCI review to the board of directors is 1 hour (1 
Attorney hour). See 2022 PRA Supporting Statement, supra note 471. 
The Commission estimates an increase to 25 hours as a result of the 
proposed requirement that senior management provide a response to 
the SCI review.
    \544\ 25 hours (revised estimate) - 1 hour (baseline estimate) = 
24 hours. This estimate includes 1 hour for a Compliance Manager, 3 
hours for an Attorney, 13 hours for a Senior Systems Analyst, 1 
hour for a Chief Compliance Officer, and 6 hours for an Internal 
Audit Manager.
    \545\ This estimate includes 1 hour for a Compliance Manager, 3 
hours for an Attorney, 14 hours for a Senior Systems Analyst, 1 
hour for a Chief Compliance Officer, and 6 hours for an Internal 
Audit Manager.

----------------------------------------------------------------------------------------------------------------
                                                                                              Estimated burden
                                                                                                hours for all
                                                               Estimated     Burden hours    entities (estimated
                      Respondent type                         respondents     per entity        respondents x
                                                              (entities)                      burden hours  per
                                                                                                   entity)
----------------------------------------------------------------------------------------------------------------
Current SCI Entities......................................              47              24                 1,128
New SCI Entities..........................................              23              25                   575
----------------------------------------------------------------------------------------------------------------

    The table below summarizes the Commission's estimates for the 
average internal cost of compliance for Current SCI Entities and New 
SCI Entities:

----------------------------------------------------------------------------------------------------------------
                                                                                            Total internal  cost
                                                                                                of compliance
                                                         Estimated      Average internal         (estimated
                   Respondent type                      respondents    cost of compliance       respondents x
                                                        (entities)         per entity         average internal
                                                                                             cost of compliance
                                                                                                 per entity)
----------------------------------------------------------------------------------------------------------------
Current SCI Entities................................              47            \1\ $8,629              $405,563
New SCI Entities....................................              23             \2\ 8,945               205,735
----------------------------------------------------------------------------------------------------------------
\1\ (1 Compliance Manager hour x $344) + (3 Attorney hours x $462) + (13 Senior Systems Analyst hours x $316) +
  (1 Chief Compliance Officer hour x $589) + (6 Internal Audit Manager hours x $367) = $8,629.
\2\ (1 Compliance Manager hour x $344) + (3 Attorney hours x $462) + (14 Senior Systems Analyst hours x $316) +
  (1 Chief Compliance Officer hour x $589) + (6 Internal Audit Manager hours x $367) = $8,945.

    Rule 1003(b) imposes recordkeeping costs for SCI entities. The 
Commission estimates that while SCI entities will handle internally 
some or most of the work associated with compliance with Rule 1003(b), 
SCI entities will outsource some of the work associated with an SCI 
review. The Commission estimates that the proposed amendments to the 
SCI review would increase the annual recordkeeping cost by 50% beyond 
the current baseline.\546\ The table below summarizes the Commission's 
estimates for the cost of outsourcing for Current SCI Entities and New 
SCI Entities:
---------------------------------------------------------------------------

    \546\ The Commission-approved baseline for the annual 
recordkeeping cost per SCI entity of outsourcing is $50,000. See 
2022 PRA Supporting Statement, supra note 471.

----------------------------------------------------------------------------------------------------------------
                                                                                            Total internal  cost
                                                                                                of compliance
                                                         Estimated      Average internal         (estimated
                   Respondent type                      respondents    cost of compliance       respondents x
                                                        (entities)         per entity         average internal
                                                                                             cost of compliance
                                                                                                 per entity)
----------------------------------------------------------------------------------------------------------------
Current SCI Entities................................              47           \1\ $25,000            $1,175,000
New SCI Entities....................................              23            \2\ 75,000             1,725,000
----------------------------------------------------------------------------------------------------------------
\1\ 50,000 (baseline estimate) x 0.5 = $25,000.
\2\ 50,000 (baseline estimate) x 1.5 = $75,000.

4. Rule 1004
    The rules under Regulation SCI that would require an SCI entity to 
mandate member or participant participation in business continuity and 
disaster recovery plan testing are discussed more fully in section 
II.B, and the proposed amendments including third-party providers in 
the requirement are discussed more fully in section III.C.2 above.
    Current SCI Entities are already required to establish standards 
and designate members or participants for testing pursuant to Rule 1004 
and therefore already incur baseline initial \547\ and ongoing burdens 
\548\ for complying with Rule 1004, so the amendments should only 
impose a burden required to comply with the additional requirements. 
Presently, none of the New SCI Entities are required to comply with the 
requirements of Rule 1004, but the proposed amendments will newly

[[Page 23221]]

impose both the baseline burden to establish standards for the 
designation of members and participants for BC/DR testing and to 
coordinate testing on an industry- or sector-wide basis, and the 
additional burden to establish standards for the designation of 
third-party providers for BC/DR testing and to coordinate industry- or 
sector-wide testing for third-party providers. The Commission estimates 
an initial compliance burden of 90 hours \549\ for Current SCI Entities 
and 450 hours \550\ for New SCI Entities. The Commission estimates an 
annual compliance burden of 34 hours \551\ for Current SCI Entities and 
169 hours \552\ for New SCI Entities. The table below summarizes the 
initial and ongoing annual burden estimates for Current SCI Entities 
and New SCI Entities:
---------------------------------------------------------------------------

    \547\ The Commission's currently approved baseline for average 
initial compliance burden per respondent with 17 CFR 242.1004(a) 
(``Rule 1004(a)'') (i.e., establishment of standards for the 
designation of members and participants) and (c) (i.e., the 
coordination of testing on an industry- or sector-wide basis) is 360 
hours (40 Compliance Manager hours + 60 Attorney hours + 20 
Assistant General Counsel hours + 60 Senior Operations Manager hours 
+ 140 Operations Specialist hours + 26 Chief Compliance Officer 
hours + 14 Director of Compliance hours). See 2022 PRA Supporting 
Statement, supra note 471. The estimate of 360 hours includes the 
burden for designating members or participants for testing, as 
required by 17 CFR 242.1004(b) (``Rule 1004(b)''). Id. at 18 n.50.
    \548\ The average annual compliance burden for each SCI entity 
to review and update the policies and procedures is 135 hours for 
each entity that is not a plan processor. See 2022 PRA Supporting 
Statement, supra note 471. None of the New SCI Entities are plan 
processors, so the Commission is applying the 135 hour estimate to 
the New SCI Entities.
    \549\ The Commission estimates that the additional burden to 
establish standards for the designation of third-party providers for 
BC/DR testing and coordinate testing would be 25% of the 360 hour 
baseline burden hours. 360 hours x 0.25 = 90 hours. The burden hours 
include 10 Compliance Manager hours, 15 Attorney hours, 5 Assistant 
General Counsel hours, 35 Operations Specialist hours, 6 Chief 
Compliance Officer hours, 4 Director of Compliance hours, and 15 
Senior Operations Manager hours.
    \550\ 360 baseline burden hours + 90 additional burden hours = 
450 hours.
    \551\ The Commission estimates that the additional annual burden 
would be 25% of the 135 hour baseline burden hours, or 34 hours (135 
hours x 0.25). The burden hours include 3 Compliance Manager hours, 
3 Attorney hours, 1 Assistant General Counsel hour, 18 Operations 
Specialist hours, 3 Chief Compliance Officer hours, 1 Director of 
Compliance hour, and 5 Senior Operations Manager hours.
    \552\ 135 baseline burden hours + 34 additional burden hours = 
169 hours.

----------------------------------------------------------------------------------------------------------------
                                                                                              Estimated burden
                                                                                                hours for all
                                                               Estimated     Burden hours   entities  (estimated
          Respondent type                 Burden type         respondents     per entity        respondents x
                                                              (entities)                      burden hours  per
                                                                                                   entity)
----------------------------------------------------------------------------------------------------------------
Current SCI Entities...............  Initial..............              47              90                 4,230
                                     Annual...............              47              34                 1,598
New SCI Entities...................  Initial..............              23             450                10,350
                                     Annual...............              23             169                 3,887
----------------------------------------------------------------------------------------------------------------

    The table below summarizes the Commission's estimates for the cost 
of compliance for Current SCI Entities and New SCI Entities:

----------------------------------------------------------------------------------------------------------------
                                                                                            Total internal  cost
                                                                                                of compliance
                                                         Estimated      Average internal         (estimated
         Respondent type              Burden type       respondents    cost of compliance       respondents x
                                                        (entities)         per entity         average internal
                                                                                             cost of compliance
                                                                                                 per entity)
----------------------------------------------------------------------------------------------------------------
Current SCI Entities............  Initial...........              47           \1\ $30,072            $1,413,384
                                  Annual............              47            \2\ 10,011               470,517
New SCI Entities................  Initial...........              23           \3\ 150,478             3,460,994
                                  Annual............              23            \4\ 50,331             1,157,613
----------------------------------------------------------------------------------------------------------------
\1\ (10 Compliance Manager hours x $344) + (15 Attorney hours x $462) + (5 Assistant General Counsel hours x
  $518) + (35 Operations Specialist hours x $152) + (6 Chief Compliance Officer hours x $589) + (4 Director of
  Compliance hours x $542) + (15 Senior Operations Manager hours x $406) = $30,072.
\2\ (3 Compliance Manager hours x $344) + (3 Attorney hours x $462) + (1 Assistant General Counsel hour x $518)
  + (18 Operations Specialist hours x $152) + (3 Chief Compliance Officer hours x $589) + (1 Director of
  Compliance hour x $542) + (5 Senior Operations Manager hours x $406) = $10,011.
\3\ (50 Compliance Manager hours x $344) + (75 Attorney hours x $462) + (25 Assistant General Counsel hours x
  $518) + (175 Operations Specialist hours x $152) + (32.5 Chief Compliance Officer hours x $589) + (17.5
  Director of Compliance hours x $542) + (75 Senior Operations Manager hours x $406) = $150,478.
\4\ (13 Compliance Manager hours x $344) + (18 Attorney hours x $462) + (6 Assistant General Counsel hours x
  $518) + (88 Operations Specialist hours x $152) + (13 Chief Compliance Officer hours x $589) + (6 Director of
  Compliance hours x $542) + (25 Senior Operations Manager hours x $406) = $50,331.

    The Commission continues to believe that SCI entities (other than 
plan processors) would handle internally the work associated with the 
requirements of Rule 1004.
5. Rule 1005
    Rules 1005 and 1007 impose on SCI entities recordkeeping 
requirements related to their compliance with Regulation SCI. These 
requirements would be newly imposed on New SCI Entities as a result of 
the proposed amendment. The table below summarizes the Commission's 
estimates as to the burden that each New SCI Entity would incur to meet 
the requirements of Rules 1005 and 1007: \553\
---------------------------------------------------------------------------

    \553\ Current SCI Entities are already required to comply with 
Rules 1005 and 1007. The burdens for compliance are summarized in 
the most recent PRA Supporting Statement. See 2022 PRA Supporting 
Statement, supra note 471. The proposed amendments impose no 
additional burden related to this section. The Commission does not 
anticipate that New SCI Entities would incur burdens beyond what is 
estimated in the 2022 PRA Supporting Statement.

[[Page 23222]]



----------------------------------------------------------------------------------------------------------------
                                                                                            Burden hours for all
                                                                                                 respondents
                                                               Estimated     Burden hours        (estimated
          Respondent type                 Burden type         respondents   per SCI entity      respondents x
                                                              (entities)                      burden hours  per
                                                                                                 SCI entity)
----------------------------------------------------------------------------------------------------------------
New SCI Entities...................  Initial..............              23         \1\ 170                 3,910
                                     Annual...............                          \2\ 25                   575
----------------------------------------------------------------------------------------------------------------
\1\ The Commission-approved baseline estimate for each new non-SRO SCI entity to set up or modify a
  recordkeeping system is 170 hours. See 2022 PRA Supporting Statement, supra note 471.
\2\ The Commission-approved baseline estimate for each new non-SRO SCI entity to make, keep, and preserve
  records relating to compliance with Regulation SCI, as required by Rule 1005(b), is 25 hours. See 2022 PRA
  Supporting Statement, supra note 471.

    The table below summarizes the average internal cost of compliance 
that would be newly imposed on New SCI Entities:

----------------------------------------------------------------------------------------------------------------
                                                                                            Total internal  cost
                                                                                                of compliance
                                                         Estimated      Average internal         (estimated
         Respondent type              Burden type       respondents    cost of compliance       respondents x
                                                        (entities)         per entity         average internal
                                                                                             cost of compliance
                                                                                                 per entity)
----------------------------------------------------------------------------------------------------------------
New SCI Entities................  Initial...........              23           \1\ $13,260              $304,980
                                  Annual............                             \2\ 1,950                44,850
----------------------------------------------------------------------------------------------------------------
\1\ 170 Compliance Clerk hours x $78 per hour = $13,260.
\2\ 25 Compliance Clerk hours x $78 per hour = $1,950.

    The recordkeeping requirements impose recordkeeping costs for SCI 
entities other than SCI SROs. The Commission estimates that a New SCI 
Entity other than an SCI SRO will incur a one-time information 
technology cost of $900 to purchase recordkeeping software, for a 
total of $20,700.\554\
---------------------------------------------------------------------------

    \554\ $900 per SCI entity x 21 SCI entities = $18,900.
---------------------------------------------------------------------------

6. Rule 1006
    SCI entities submit Form SCI through the Electronic Form Filing 
System (``EFFS''), which is also used by SCI SROs to file Form 19b-4 
filings. Access to EFFS establishes reporting burdens for all SCI 
entities. An SCI entity will submit to the Commission an External 
Application User Authentication Form (``EAUF'') to register each 
individual at the SCI entity who will access the EFFS system on behalf 
of the SCI entity. The Commission is including in its burden estimates 
the reporting burden for completing the EAUF for each individual at a 
New SCI Entity that will request access to EFFS.\555\ The table below 
summarizes the initial and ongoing burdens that New SCI Entities would 
incur to establish access to EFFS:
---------------------------------------------------------------------------

    \555\ Current SCI Entities would already have incurred these 
burdens, which are summarized in the most recent PRA Supporting 
Statement. See 2022 PRA Supporting Statement, supra note 471. The 
proposed amendments impose no additional burden related to this 
section. The Commission does not anticipate that New SCI Entities 
would incur burdens beyond what is estimated in the 2022 PRA 
Supporting Statement.

--------------------------------------------------------------------------------------------------------------------------------------------------------
                                                                                                                Burden hours  per   Burden hours for all
                                                                                 Number of                     SCI entity  (number       respondents
                                                                 Estimated      individuals       Time to        of  individuals         (estimated
           Respondent type                Type of  burden       respondents     requesting     complete EAUF  requesting  access x      respondents x
                                                                (entities)        access                        time to  complete     burden hours  per
                                                                                                                      EAUF)              SCI entity)
--------------------------------------------------------------------------------------------------------------------------------------------------------
New SCI Entities....................  Initial...............              23           \1\ 2        \2\ 0.15                   0.3                   6.9
                                      Annual................                           \3\ 1                                  0.15                   3.5
--------------------------------------------------------------------------------------------------------------------------------------------------------
\1\ The Commission-approved baseline estimate for the number of individuals per SCI entity who will request access to EFFS initially through the EAUF is
  two individuals. See 2022 PRA Supporting Statement, supra note 471.
\2\ The Commission-approved baseline estimate to complete the EAUF is 0.15 hours. See 2022 PRA Supporting Statement, supra note 471.
\3\ The Commission-approved baseline estimate for the number of individuals per SCI entity who will request access to EFFS annually through the EAUF is
  one individual. See 2022 PRA Supporting Statement, supra note 471.

    The table below summarizes the average internal cost of compliance 
that would be newly imposed on New SCI Entities:

[[Page 23223]]



----------------------------------------------------------------------------------------------------------------
                                                                                            Total internal  cost
                                                                                                of compliance
                                                         Estimated      Average internal         (estimated
         Respondent type              Burden type       respondents    cost of compliance       respondents x
                                                        (entities)         per entity         average internal
                                                                                             cost of compliance
                                                                                                 per entity)
----------------------------------------------------------------------------------------------------------------
New SCI Entities................  Initial...........              23              \1\ $139                $3,197
                                  Annual............                                \2\ 69                 1,587
----------------------------------------------------------------------------------------------------------------
\1\ 0.3 Attorney hours x $462 = $139.
\2\ 0.15 Attorney hours x $462 = $69.

    Obtaining the ability for an individual to electronically sign a 
Form SCI imposes reporting costs for SCI entities. The table below 
summarizes the cost for individuals at each New SCI Entity to obtain 
digital IDs to sign Form SCI:

--------------------------------------------------------------------------------------------------------------------------------------------------------
                                                                                                             Cost per SCI entity
                                                                                                                  (number of            Cost for all
                                                            Estimated        Number of      Cost to obtain       individuals            respondents
                    Respondent type                        respondents     individuals to     digital ID     requesting  access x        (estimated
                                                            (entities)     sign form SCI                      time to  complete     respondents x burden
                                                                                                                    EAUF)          hours per SCI entity)
--------------------------------------------------------------------------------------------------------------------------------------------------------
New SCI Entities.......................................              23            \1\ 2          \2\ $25                    $50                 $1,150
--------------------------------------------------------------------------------------------------------------------------------------------------------
\1\ The Commission-approved baseline estimate for the number of individuals per SCI entity who will sign Form SCI each year is two individuals. See 2022
  PRA Supporting Statement, supra note 471.
\2\ The Commission-approved baseline estimate to obtain a digital ID is $50. See 2022 PRA Supporting Statement, supra note 471.

7. Summary of the Information Collection Burden
    The table below summarizes the Commission's estimate of the total 
hourly burden, total internal costs of compliance, and external cost 
estimates for SCI entities under Regulation SCI.

----------------------------------------------------------------------------------------------------------------
                                                           Burden hours                 Costs of compliance
             Rule                Respondent type ---------------------------------------------------------------
                                                      Initial         Annual          Initial         Annual
----------------------------------------------------------------------------------------------------------------
Policies and procedures         Current SCI               18,142           2,726      $6,804,989      $1,099,941
 required by Rule 1001(a)        Entities.                20,470           3,335       7,667,533       1,341,245
 (except Rule 1001(a)(2)(vi))   New SCI Entities
 (Recordkeeping).
Policies and procedures         New SCI Entities           3,680           3,335       1,402,540       1,204,740
 required by Rule
 1001(a)(2)(vi)
 (Recordkeeping).
Costs for outside legal/        Current SCI                  N/A             N/A       1,365,350             N/A
 consulting services in          Entities.                   N/A             N/A       1,697,400             N/A
 initial preparation of         New SCI Entities
 policies and procedures
 required by Rule 1001(a)
 (Recordkeeping).
Policies and procedures         Current SCI               18,142           2,726       8,170,339       1,099,941
 required by Rule 1001(a)        Entities.                24,150           6,670      10,767,473       2,545,985
 Total.                         New SCI Entities
Policies and procedures         New SCI Entities           6,210           2,185       2,222,720         808,220
 required by Rule 1001(b)
 (Recordkeeping).
Costs for outside legal/        New SCI Entities             N/A             N/A         621,000               0
 consulting services in
 initial preparation of
 policies and procedures
 required by Rule 1001(b)
 (recordkeeping).
Policies and procedures         New SCI Entities           6,210           2,185       2,843,720         808,220
 required by Rule 1001(b)
 Total.
Policies and procedures         New SCI Entities           2,622             897       1,096,456         400,821
 required by Rule 1001(c)
 (Recordkeeping).
Mandate participation in        Current SCI                4,230           1,598       1,413,384         470,517
 certain testing required by     Entities.                10,350           3,887       3,460,994       1,157,613
 Rule 1004 (Recordkeeping).     New SCI Entities
SCI Event Notice Required By    Current SCI                  235             235          81,663          81,663
 Rule 1002(b)(1) (Reporting).    Entities.                   299             299         103,477         103,477
                                New SCI Entities
External Legal Costs for Rule   Current SCI                  N/A             N/A          25,556          25,556
 1001(b)(1) (Reporting).         Entities.                   N/A             N/A          33,350          33,350
                                New SCI Entities
SCI Event Notice Required By    Current SCI                  235             235         107,219         107,219
 Rule 1002(b)(1) Total.          Entities.                   299             299         136,827         136,827
                                New SCI Entities
SCI Event Notice Required By    Current SCI                3,384           3,384       1,249,683       1,249,683
 Rule 1002(b)(2) (Reporting).    Entities.                 4,416           4,416       1,630,792       1,630,792
                                New SCI Entities
External Legal Costs for Rule   Current SCI                  N/A             N/A          25,556          25,556
 1001(b)(2) (Reporting).         Entities.                   N/A             N/A          33,350          33,350
                                New SCI Entities
SCI Event Notice Required By    Current SCI                3,384           3,384       1,275,239       1,275,239
 Rule 1002(b)(2) Total.          Entities.                 4,416           4,416       1,664,142       1,664,142
                                New SCI Entities
SCI Event Notice Required By    Current SCI                493.5           493.5         172,819         172,819
 Rule 1002(b)(3) (Reporting).    Entities.                   483             483         169,142         169,142
                                New SCI Entities
External Legal Costs for Rule   Current SCI                  N/A             N/A          17,038          17,038
 1002(b)(3) (Reporting).         Entities.                   N/A             N/A          16,675          16,675
                                New SCI Entities

[[Page 23224]]

 
SCI Event Notice Required By    Current SCI                493.5           493.5         189,857         189,857
 Rule 1002(b)(3) Total.          Entities.                   483             483         185,817         185,817
                                New SCI Entities
SCI Event Notice Required By    Current SCI                4,935           4,935       1,927,752       1,927,752
 Rule 1002(b)(4) (Reporting).    Entities.                 6,440           6,440       2,515,648       2,515,648
                                New SCI Entities
External Legal Costs for        Current SCI                  N/A             N/A          25,556          25,556
 1001(b)(4) (Reporting).         Entities.                   N/A             N/A          33,350          33,350
                                New SCI Entities
SCI Event Notice Required By    Current SCI                4,935           4,935       1,953,308       1,953,308
 Rule 1002(b)(4) Total.          Entities.                 6,440           6,440       2,548,998       2,548,998
                                New SCI Entities
SCI Event Notice Required By    Current SCI                (752)           (752)       (284,444)       (284,444)
 Rule 1002(b)(5) (Reporting).    Entities.                 3,312           3,312       1,252,948       1,252,948
                                New SCI Entities
External Legal Costs for Rule   Current SCI                  N/A             N/A               0               0
 1002(b)(5) (Reporting).         Entities.                   N/A             N/A          16,675          16,675
                                New SCI Entities
SCI Event Notice Required By    Current SCI                (752)           (752)       (284,444)       (284,444)
 Rule 1002(b)(5) Total.          Entities.                 3,312           3,312       1,269,623       1,269,623
                                New SCI Entities
Dissemination of information    New SCI Entities           3,174           3,174       1,400,194       1,400,194
 required by Rule 1002(c)(1)
 (Third-Party Disclosure).
External Legal Costs for Rule   New SCI Entities             N/A             N/A          57,270          57,270
 1002(c)(1) (Third-Party
 Disclosure).
Dissemination of information    New SCI Entities           3,174           3,174       1,457,464       1,457,464
 required by Rule 1002(c)(1)
 Total.
Dissemination of information    Current SCI                1,410           1,410         621,246         621,246
 required by Rule 1002(c)(2)     Entities.                   920             920         405,352         405,352
 (Third-Party Disclosure).      New SCI Entities
External Legal Costs for Rule   Current SCI                  N/A             N/A       29,257.50       29,257.50
 1002(c)(2) (Third-Party         Entities.                   N/A             N/A          19,090          19,090
 Disclosure).                   New SCI Entities
Dissemination of information    Current SCI                1,410           1,410       650,503.5       650,503.5
 required by Rule 1002(c)(2)     Entities.                   920             920         424,442         424,442
 Total.                         New SCI Entities
Burden to develop processes to  New SCI Entities           4,554             897       1,797,312         396,934
 identify the nature of a
 system or event.
Establish reasonable written    Current SCI                4,183           681.5       1,742,055         326,462
 criteria for identifying a      Entities.                 2,047           333.5         852,495         159,758
 significant attempted          New SCI Entities
 unauthorized systems
 intrusion.
Material systems change notice  New SCI Entities          11,845          11,845       3,971,824       3,971,824
 required by Rule 1003(a)(1)
 and (2) (Reporting).
Establish reasonable written    New SCI Entities           2,622             621       1,096,456         297,367
 criteria for identifying a
 material change to its SCI
 systems and the security of
 indirect SCI systems.
SCI review required by Rule     Current SCI               16,215          16,215       5,820,856       5,820,856
 1003(b)(1) and (2)              Entities.                23,805          23,805       8,545,489       8,545,489
 (Recordkeeping).               New SCI Entities
SCI review required by Rule     Current SCI                1,128           1,128         405,563         405,563
 1003(b)(3) (Reporting).         Entities.                   575             575         205,735         205,735
                                New SCI Entities
External Legal Costs for Rule   Current SCI                  N/A             N/A       1,175,000       1,175,000
 1003(b) (Recordkeeping).        Entities.                   N/A             N/A       1,725,000       1,725,000
                                New SCI Entities
SCI Review Costs (Rule          Current SCI               17,343          17,343       7,401,419       7,401,419
 1003(b)) Total.                 Entities.                24,380          24,380      10,476,224      10,476,224
                                New SCI Entities
Corrective action required by   Current SCI                1,081             N/A         449,132             N/A
 Rule 1002(a) (Recordkeeping).   Entities.                 3,151             897       1,316,244         396,934
                                New SCI Entities
Recordkeeping required by       New SCI Entities           3,910             575         304,980          44,850
 Rules 1005/1007
 (Recordkeeping).
One-time cost to purchase       New SCI Entities             N/A             N/A          20,700             N/A
 recordkeeping software Rules
 1005/1007 (Recordkeeping).
Total recordkeeping costs       New SCI Entities           3,910             575         325,680          44,850
 required by Rules 1005/1007.
Request access to EFFS (Rule    New SCI Entities             6.9             3.5           3,197           1,587
 1006) (Reporting).
Rule 1006--obtain digital IDs   New SCI Entities             N/A             N/A           1,150           1,150
 (Reporting).
Total Costs to comply with      New SCI Entities             6.9             3.5           4,347           2,737
 Rule 1006.
                                                 ---------------------------------------------------------------
Total.........................  Overall Total...         169,576         104,289      68,764,549      41,536,601
                                Current SCI               54,685          32,054      23,068,011      13,190,021
                                 Entities.               112,845          72,235      45,696,538      28,346,580
                                New SCI Entities
Per Entity Hourly Burden/Cost.  Current SCI                1,163             682      490,808.75      280,639.75
                                 Entities \1\.             4,995           3,141       1,986,806       1,232,460
                                New SCI Entities
----------------------------------------------------------------------------------------------------------------
\1\ As noted earlier, currently no SCI competing consolidators have registered with the Commission. See supra
  note 469. To the extent that a competing consolidator registers with the Commission, its initial and ongoing
  burdens as a result of the proposed amendments would be the same as the initial and ongoing burden per entity
  calculated for Current SCI Entities.


[[Page 23225]]

    In summary, the estimated paperwork related compliance burdens for 
SCI entities as a result of the amendments are approximately 170,000 
hours and $69 million initially and approximately 104,000 hours and $41 
million annually.

E. Collection of Information Is Mandatory

    The collections of information pursuant to Regulation SCI are 
mandatory as to all entities subject to the rule.

F. Confidentiality of Responses to Collection of Information

    The Commission expects that the written policies and procedures, 
processes, criteria, standards, or other written documents developed or 
revised by SCI entities pursuant to Regulation SCI will be retained by 
SCI entities in accordance with, and for the periods specified in 17 
CFR 240.17a-1 (``Rule 17a-1'' of the Exchange Act) and Rule 1005, as 
applicable. Should such documents be made available for examination or 
inspection by the Commission and its representatives, they would be 
kept confidential subject to the provisions of applicable law.\556\ In 
addition, the information submitted to the Commission pursuant to 
Regulation SCI that is filed on Form SCI, as required by Rule 1006, 
will be treated as confidential, subject to applicable law, including 
amended 17 CFR 240.24b-2 (``Rule 24b-2'').\557\ The information 
disseminated by SCI entities pursuant to Rule 1002(c) under Regulation 
SCI to their members or participants will not be confidential.
---------------------------------------------------------------------------

    \556\ See, e.g., 15 U.S.C. 78x (governing the public 
availability of information obtained by the Commission); 5 U.S.C. 
552 et seq.
    \557\ See, e.g., 15 U.S.C. 78x (governing the public 
availability of information obtained by the Commission); 5 U.S.C. 
552 et seq. See also Form SCI section IV (including a provision 
stating ``Confidential treatment is requested pursuant to 17 CFR 
240.24b-2(g) (``Rule 24b-2(g)'')'').
---------------------------------------------------------------------------

G. Request for Comment

    Pursuant to 44 U.S.C. 3506(c)(2)(B), the Commission solicits 
comment on the proposed collections of information in order to:
    91. Evaluate whether the proposed collections of information are 
necessary for the proper performance of the functions of the 
Commission, including whether the information would have practical 
utility;
    92. Evaluate the accuracy of the Commission's estimates of the 
burden of the proposed collections of information;
    93. Determine whether there are ways to enhance the quality, 
utility, and clarity of the information to be collected; and
    94. Evaluate whether there are ways to minimize the burden of the 
collection of information on those who respond, including through the 
use of automated collection techniques or other forms of information 
technology.
    Persons submitting comments on the collection of information 
requirements should direct them to the Office of Management and Budget, 
Attention: Desk Officer for the Securities and Exchange Commission, 
Office of Information and Regulatory Affairs, Washington, DC 20503, and 
should also send a copy of their comments to Vanessa A. Countryman, 
Secretary, Securities and Exchange Commission, 100 F Street NE, 
Washington, DC 20549-1090, with reference to File Number S7-07-23. 
Requests for materials submitted to OMB by the Commission with regard 
to this collection of information should be in writing, with reference 
to File Number S7-07-23 and be submitted to the Securities and Exchange 
Commission, Office of FOIA/PA Services, 100 F Street NE, Washington, DC 
20549-2736. As OMB is required to make a decision concerning the 
collections of information between 30 and 60 days after publication, a 
comment to OMB is best assured of having its full effect if OMB 
receives it within 30 days of publication.

V. Economic Analysis

A. Introduction

    The Commission is sensitive to the economic effects, including the 
costs and benefits, of its rules. When engaging in rulemaking pursuant 
to the Exchange Act that requires the Commission to consider or 
determine whether an action is necessary or appropriate in the public 
interest, section 3(f) of the Exchange Act requires the Commission to 
consider, in addition to the protection of investors, whether the 
action would promote efficiency, competition, and capital formation. In 
addition, section 23(a)(2) of the Exchange Act requires the Commission 
in making rules pursuant to the Exchange Act to consider the impact any 
such rule would have on competition. The Exchange Act prohibits the 
Commission from adopting any rule that would impose a burden on 
competition not necessary or appropriate in furtherance of the purposes 
of the Exchange Act.
    As explained above, the Commission believes that developments in 
the U.S. securities markets since the adoption of Regulation SCI in 
2014 warrant expanding the scope of Regulation SCI as well as 
strengthening the obligations of SCI entities. These developments 
include the growth of electronic trading, which allows greater volumes 
of securities transactions to take place across a multitude of trading 
systems in our markets. In addition, large institutional and other 
professional market participants today employ sophisticated methods to 
trade electronically on multiple venues simultaneously in ever-
increasing volumes with increasing speed. In recent years, financial 
institutions have increasingly used and relied on third parties that 
provide information and communications technology systems.\558\ 
Together, these developments have resulted in greater dispersal, 
sophistication, and interconnection of the systems underpinning our 
U.S. securities markets, thereby bringing potential new risks.
---------------------------------------------------------------------------

    \558\ See, e.g., FINRA, Cloud Computing in the Securities 
Industry (Aug. 16, 2021), available at https://www.finra.org/rules-guidance/key-topics/fintech/report/cloud-computing; see also 
Franklin Allen et al., A Survey of Fintech Research and Policy 
Discussion, 1 Rev. Corp. Fin. 259, 259 (2021) (``Cloud storage and 
cloud computing have also played increasing roles in payment 
systems, financial services, and the financial system overall''). 
See also Financial Stability Board, Regulatory and Supervisory 
Issues Relating to Outsourcing and Third-Party Relationships, 
(discussion paper Nov. 9, 2020), available at https://www.fsb.org/wp-content/uploads/P091120.pdf.
---------------------------------------------------------------------------

    The proposed amendments to Regulation SCI would expand the 
definition of ``SCI entity'' to include a broader range of entities 
that perform key functions in U.S. securities market infrastructure, 
and update certain other definitions and provisions to take account of 
technological market developments, including cybersecurity and vendor 
management, since the adoption of Regulation SCI in 2014. The proposed 
expansion would add to the definition of ``SCI entity'' registered 
security-based swap data repositories, and registered broker-dealers 
exceeding certain asset and transaction activity thresholds, and the 
proposal would expand the category of exempt clearing agencies subject 
to Regulation SCI to include all clearing agencies exempted from 
registration. Additional proposed amendments to Regulation SCI are 
designed to update the requirements of Regulation SCI relating to: (i) 
systems classification and lifecycle management; (ii) vendor 
management; (iii) cybersecurity; (iv) SCI review; (v) current SCI 
industry standards; and (vi) other matters.
    The Commission is sensitive to the economic effects of the proposed 
expansion and strengthening of Regulation SCI, including its costs and 
benefits. As discussed further below, the Commission requests comment 
on all

[[Page 23226]]

aspects of the costs and benefits of the proposal, including any 
effects the proposed rules may have on efficiency, competition, and 
capital formation.

B. Baseline

    The Commission proposes to expand the scope of Regulation SCI to 
include new entities as well as strengthen the obligations of SCI 
entities. In order to assess the benefits and costs that can properly 
be attributed to the proposed rules, the Commission begins by 
considering the relevant baselines--the current market practices as 
well as applicable regulations in the absence of these proposed rules.
1. New SCI Entities
    The proposed rules will affect new SCI entities, specifically 
SBSDRs, certain broker-dealers, and certain exempt clearing agencies, 
in addition to existing SCI entities. The baseline for each category of 
entities is discussed in turn, including applicable regulatory 
baselines and relevant market descriptions.
a. Registered Security-Based Swap Data Repositories
i. Affected Parties
    The Commission proposes to include SBSDRs as SCI entities. SBSDRs 
are required for the dissemination of SBS market data to provide price 
transparency, limit risk posed to the maintenance of fair and orderly 
markets, promote market stability, prevent market abuses, and 
reduce operational risk. They play an important role in transparency in 
the market for SBSs and make available to the Commission SBS data that 
will provide a broad view of this market and help monitor for pockets 
of risk and potential market abuses that might not otherwise be 
observed by the Commission and other relevant authorities.
    Security-based swaps entail the transfer of financial obligations 
between two parties, sometimes over a long time horizon. Counterparties 
to a security-based swap rely on each other's creditworthiness and bear 
this credit risk and market risk until the security-based swap 
terminates or expires.\559\ The information provided by SBSDRs, such as 
individual counterparty trade and position data, helps the Commission 
gain a better understanding of the actual and potential market 
risks.\560\ This information also helps the Commission and other 
relevant authorities investigate market manipulation, fraud, and other 
market abuses.
---------------------------------------------------------------------------

    \559\ For cleared trades, the clearing agencies generally step 
in the place of the original counterparties and effectively assume 
the risk should there be a default.
    \560\ See SBSR Adopting Release, supra note 96 (for information 
required to be reported by SBSDRs to the Commission).
---------------------------------------------------------------------------

    As of February 2023, two data repositories for security-based swap 
markets are registered with the Commission. The registered SBSDRs are 
Depository Trust & Clearing Corporation Data Repository (``DDR'') and 
the ICE Trade Vault (``ITV''). DDR operates as a registered SBSDR for 
security-based swap transactions in the credit, equity, and interest 
rate derivatives asset classes. ITV operates as a registered SBSDR for 
security-based swap transactions in the credit derivatives asset 
class.\561\ As of March 2022, 47 entities had registered with the 
Commission as security-based swap dealers and, pursuant to Regulation 
SBSR, they are required to report their trade activities to the 
SBSDRs.\562\ In total, these two SBSDRs received approximately 542.6 
million reports \563\ between November 2021 and September 2022, from 
contracts of 15,593 distinct counterparties.\564\
---------------------------------------------------------------------------

    \561\ See DTCC Data Repository (U.S.) LLC; Order Approving 
Application, supra note 111; ICE Trade Vault, LLC; Order Approving 
Application, supra note 111. Note that additional entities may 
register as SBSDRs in the future.
    \562\ See List of Registered Security-Based Swap Dealers and 
Major Security-Based Swap Participants, supra note 110 (providing 
the list of registered security-based swap dealers and major SBS 
participants that was updated as of Mar. 28, 2022).
    \563\ The transaction reports include not only the initial 
trade, but also life-cycle events.
    \564\ Number of reports and number of counterparties are 
calculated from trade activities data of the DDR and ITV reports. 
Number of counterparties is calculated as the number of unique 
counterparties' IDs. Due to data limitations, we only included 
reports that occurred on or after Nov. 8, 2021.
---------------------------------------------------------------------------

ii. Regulatory Baseline
    As discussed above in section III.A.2, SBSDRs are subject to Rule 
13n-6, which requires that ``every security-based swap data repository, 
with respect to those systems that support or are integrally related to 
the performance of its activities, shall establish, maintain, and 
enforce written policies and procedures reasonably designed to ensure 
that its systems provide adequate levels of capacity, integrity, 
resiliency, availability, and security.'' \565\ The SBSDRs registered 
with the Commission are also registered with the CFTC as swap data 
repositories and accordingly are also subject to CFTC rules and 
regulations related to swap data repositories, including the ``SDR 
System Safeguards'' rule.\566\ That rule requires swap data 
repositories to establish and maintain emergency procedures, 
geographically diverse backup facilities and staff, and a business 
continuity and disaster recovery plan that should enable next day 
resumption of the swap data repository's operations following the 
disruption.\567\
---------------------------------------------------------------------------

    \565\ See 17 CFR 240.13n-6.
    \566\ See 17 CFR 49.24.
    \567\ See 17 CFR 49.24(a).
---------------------------------------------------------------------------

    In addition, the rule requires a swap data repository to maintain 
programs of risk analysis and oversight with respect to its operations 
and automated systems that address each of the following categories of 
risk analysis and oversight: (1) information security; (2) business continuity and 
disaster recovery planning and resources; (3) capacity and performance 
planning; (4) systems operations; (5) systems development and quality 
assurance; (6) physical security and environmental controls; and (7) 
enterprise risk management.\568\ This rule also requires systems 
monitoring to identify potential systems disruptions and cybersecurity 
attacks via provisions relating to capacity and performance planning, 
information security, and physical security and environmental controls. 
It also requires swap data repositories to maintain a security incident 
response plan that must include, among other items, policies and 
procedures for reporting security incidents and for internal and 
external communication and information sharing regarding security 
incidents, the hand-off and escalation points in its security incident 
response process, and the roles and responsibilities of its management, 
staff and independent contractors in responding to security 
incidents.\569\
---------------------------------------------------------------------------

    \568\ See 17 CFR 49.24(b).
    \569\ See 17 CFR 49.24.
---------------------------------------------------------------------------

    Furthermore, the rule requires regular, periodic testing and review 
of business continuity and disaster recovery capabilities.\570\ Under 
the rule, both the senior management and the board of directors of a 
swap data repository receive and review reports setting forth the 
results of the specified testing and assessment. A swap data repository 
is required to establish and follow appropriate procedures for the 
remediation of issues identified through the review, and for evaluation 
of the effectiveness of testing and assessment protocols.\571\
---------------------------------------------------------------------------

    \570\ Id.
    \571\ 17 CFR 49.24(m) (Internal reporting and review).
---------------------------------------------------------------------------

    The System Safeguards rule requires SDRs to conduct testing and 
review sufficient to ensure that their

[[Page 23227]]

automated systems are reliable, secure, and have adequate scalable 
capacity.\572\ The System Safeguards rule requires SDRs to conduct 
external and internal penetration testing at a frequency determined by 
an appropriate risk analysis, but no less frequently than 
annually.\573\
---------------------------------------------------------------------------

    \572\ See 17 CFR 49.24(j).
    \573\ See 17 CFR 49.24(j)(3).
---------------------------------------------------------------------------

    The System Safeguards rule also specifies and defines five types of 
system safeguards testing that an SDR must perform to 
fulfill the testing requirement: vulnerability testing; penetration 
testing; controls testing; security incident response plan testing; and 
enterprise technology risk assessment.\574\ SDRs are required to notify 
CFTC staff of any system malfunctions, cyber security incidents, or 
activation of the business continuity and disaster recovery plan.\575\ 
A swap data repository must also give CFTC staff advance notice of 
planned changes to automated systems that may affect the reliability, 
security, or adequate scalable capacity of such systems.\576\ Finally, 
the CFTC's System Safeguards rule requires an SDR to follow generally 
accepted standards and best practices with respect to the development, 
operation, reliability, security, and capacity of automated systems 
related to SDR data.\577\
---------------------------------------------------------------------------

    \574\ Id.
    \575\ See 17 CFR 49.24(g).
    \576\ See 17 CFR 49.24(h).
    \577\ See 17 CFR 49.24(c).
---------------------------------------------------------------------------

b. Broker-Dealers
i. Affected Parties
    The Commission is proposing to expand the application of Regulation 
SCI to include certain broker-dealers in the definition of SCI entity. 
There are approximately 3,500 broker-dealers registered with the 
Commission pursuant to section 15(b) of the Exchange Act as of Q3 
2022.\578\ Figure 1 represents the distribution of all registered 
broker-dealer firms between Q4 2021 and Q3 2022 by level of total 
assets \579\ (Panel A) and by percentage of aggregate total assets 
\580\ (Panel B) with firm size (Panel A) and percentage of aggregate 
total assets (Panel B) increasing along the x-axis from left to right. 
These entities encompass a broad range of sizes, business activities, 
and business models.\581\ The distribution of firms \582\ by level of 
total assets (Panel A) shows that the vast majority of firms \583\ fall 
somewhere within the $30,000 to $450,000,000 range, with a small 
minority of firms showing up as a descending long right tail. The 
distribution of broker-dealers \584\ by percentage of aggregate total 
assets (Panel B) shows that a small number of firms individually had 
percentages of aggregate total assets in the high single digits to low 
double digits.
---------------------------------------------------------------------------

    \578\ See supra note 131.
    \579\ The level of total assets is measured by the average 
quarterly total assets for each broker-dealer between Q4 2021 and Q3 
2022.
    \580\ The percentage of aggregate total assets is estimated by 
the average quarterly percentage of aggregate total assets for each 
broker-dealer between Q4 2021 and Q3 2022.
    \581\ See 2022 FINRA Industry Snapshot, supra note 131.
    \582\ Panel A of Figures 1 through 5 is represented on a 
logarithmic scale for ease of viewing, because the distribution is far 
less evenly spread when displayed using a standard x-axis.
    \583\ This represents the range of the average quarterly total 
assets for firms that fall between the 5th and 95th percentile.
    \584\ The number of individual firms in Panel B of Figures 1 
through 5 is more visible here due to use of a standard x-axis even 
though the y-axis is represented logarithmically. The use of a 
logarithmic y-axis does however flatten the overall distribution 
with a disproportionate effect on the firms with percentage of 
aggregate average daily dollar volume between 0% and 2.5%, making it 
slightly less obvious at first glance that the vast majority of 
firms actually fall between 0% and 2.5%.
---------------------------------------------------------------------------

[Figure 1: distribution of registered broker-dealer firms by level of 
total assets (Panel A) and by percentage of aggregate total assets 
(Panel B); graphic omitted]

    Figures 2 through 5 represent the distribution of firms by level of 
transaction activity \585\ as measured by average daily dollar volume 
\586\ (Panel A) and the distribution of firms by percentage of 
transaction activity \587\ (Panel B) for each of four asset classes 
including NMS stocks, exchange-listed options, U.S. Treasury 
Securities, and Agency Securities respectively. The distributions of 
firms \588\ by level of transaction activity (Panel A) show that the 
vast majority of firms \589\ fall somewhere within the $30,000 to $14.4 
billion dollar range, $500,000 to $3.1 billion dollar range, $2,000 to 
$4.0 billion dollar range, and $500 to $1.2 billion dollar range for 
the NMS stock,

[[Page 23228]]

exchange-listed options, U.S. Treasury Securities, and Agency 
Securities markets, respectively.
---------------------------------------------------------------------------

    \585\ The level of transaction activity in Panel A of Figures 2 
through 5 is measured by the average of monthly average daily dollar 
volume for each broker-dealer from Jan. 2022 to June 2022.
    \586\ These measures are described in more detail in section 
III.A.2.b.iii.
    \587\ Id.
    \588\ See supra note 582.
    \589\ This represents the range of the average of monthly 
average daily dollar volume for firms that fall between the 5th and 
95th percentile.
---------------------------------------------------------------------------

    Figures 2 through 5 (Panel B), showing the distribution of broker-
dealers by percentage of aggregate average daily dollar volume,\590\ 
indicate that a very small number of firms \591\ individually had 
percentages of aggregate average daily dollar volume in the high single 
digits to low double digits.
---------------------------------------------------------------------------

    \590\ The percentage of aggregate average daily dollar volume in 
Panel B of figures 2 through 5 is estimated by the average of 
monthly percentage for each broker-dealer of aggregate average daily 
dollar volume reported to the plan processors (SIPs) of the CTA/CQ 
Plans and Nasdaq UTP Plan, OPRA Plan, or FINRA TRACE in each 
respective asset class from Jan. 2022 to June 2022.
    \591\ See supra note 584.
    [GRAPHIC] [TIFF OMITTED] TP14AP23.001
    
    [GRAPHIC] [TIFF OMITTED] TP14AP23.002
    

[[Page 23229]]


[GRAPHIC] [TIFF OMITTED] TP14AP23.003

[GRAPHIC] [TIFF OMITTED] TP14AP23.004

    A substantial number of firms had transaction activity \592\ across 
these four markets: 336 had transaction activity in NMS equities,\593\ 
105 had options transaction activity,\594\ 703 had transaction activity 
in U.S. Treasury Securities,\595\ and 461 had transaction activity in 
Agency Securities.\596\
---------------------------------------------------------------------------

    \592\ The number of firms that had transaction activity here may 
be different than the number of firms that reported business lines 
on Form BD at least in part due to differences in how business 
activities are categorized on Form BD, and also because firms are 
able to indicate lines of business based on expected business rather 
than current business. With respect to categorical differences, Form 
BD does not allow firms to distinguish between NMS and OTC equity 
business as both types of stocks can be traded over the counter. 
Additionally, Form BD does not distinguish between lines of business 
for exchange-traded or OTC options. Finally, Form BD allows firms to 
indicate government securities broker or dealer lines of business 
but does not allow firms to specify more granularly treasury or 
agency securities businesses.
    \593\ Estimate is based on Consolidated Audit Trail (CAT) data 
from Jan. 2022 to June 2022.
    \594\ Id.
    \595\ Estimate is based on TRACE for Treasury Securities data 
from Jan. 2022 to June 2022 and firm names as of Feb. 1, 2023.
    \596\ Estimate is based on regulatory TRACE data from Jan. 2022 
to June 2022.
---------------------------------------------------------------------------

ii. Regulatory Baseline
    As discussed above in section III.A.2.b.ii, there are already a 
number of Exchange Act and FINRA rules that affect how broker-dealers 
design and maintain their technology and promote business continuity 
and regulatory compliance. These include: Commission broker-dealer 
rules; \597\ FINRA supervision rules \598\ (discussed at length in 
section III.A.2.b); and FINRA's business continuity and reporting rules 
(Rules 4370 and 4530, respectively), discussed previously in section 
III.A.2.b and further in this section. Furthermore, the Commission's 
cybersecurity-related regulations (Regulation S-P and 17 CFR part 248, 
subpart C (Regulation S-ID)) are discussed further below.\599\
---------------------------------------------------------------------------

    \597\ See supra section III.A.2.b (discussing Rules 17a-3, 17a-
4, 17a-11, 15c3-1, 15c3-3, and 15c3-5 (the Market Access Rule)).
    \598\ FINRA Rules 3110 and 3130.
    \599\ See supra note 156.
---------------------------------------------------------------------------

    FINRA Rule 4370 primarily requires that each broker-dealer create 
and maintain a written business continuity plan \600\ identifying 
procedures relating

[[Page 23230]]

to an emergency or significant business disruption that are reasonably 
designed to enable them to meet their existing obligations to customers 
with explicit requirements for data back-up and recovery with respect 
to mission critical systems as well as an alternate physical location 
of employees.\601\ Each broker-dealer must update its plan in the event 
of any material change to the member's operations, structure, business 
or location. Each member must also conduct an annual review of its 
business continuity plan to determine whether any modifications are 
necessary in light of changes to the member's operations, structure, 
business, or location. FINRA identified that firms \602\ frequently 
tested their BC/DR plans as part of their annual review and also 
included key vendors in those tests.\603\ Furthermore, a broker-dealer 
must disclose to its customers through public disclosure statements how 
its business continuity plan addresses the possibility of a future 
significant business disruption and how the member plans to respond to 
events of varying scope. Such required business continuity public 
disclosure statements \604\ offer some summary information on broker-
dealers' actual practices that relate to FINRA Rule 4370. Recent FINRA 
exam findings reports \605\ in relation to FINRA Rule 4370 suggest 
increasing attention by broker-dealers to operational resiliency issues 
and the value of capacity planning, stress testing, and the review of 
testing and development methodology.
---------------------------------------------------------------------------

    \600\ See FINRA, 2019 Report on Examination Findings and 
Observations: Business Continuity Plans (BCPs) (Oct. 16, 2019), 
available at https://www.finra.org/rules-guidance/guidance/reports/2019-report-exam-findings-and-observations. Broker-dealers are 
required to conduct an annual review of their business continuity 
plans along with recommended testing and evaluation of their 
effectiveness with vendor participation.
    \601\ FINRA Rules 4370, 3110 (Supervision), and 4511 (General 
Requirements), as well as Securities Exchange Act of 1934 (Exchange 
Act) Rules 17a-3 and 17a-4.
    \602\ FINRA did not disclose the number or identity of these 
firms.
    \603\ See FINRA, 2019 Report on Examination Findings and 
Observations: Business Continuity Plans (BCPs), supra note 600.
    \604\ While broker-dealers are required to provide a brief 
summary disclosure statement regarding their BCPs to customers, they 
do not disclose the actual BCP. Based on a review of 2021 and 2022 
BCP disclosure statements, firms often did not provide any detail on 
operational capacity to meet demand surges or any specific 
timeframes for resumption of service. They sometimes mention the use 
of redundant service centers, data centers, systems, and staff 
across geographically diverse locations in case primary centers and 
systems go offline; immediate failover to backup systems and plans 
to restore services quickly in the event of a technology disruption; 
and review of third parties' business contingency plans.
    \605\ See FINRA, 2022 Report on FINRA's Examination and Risk 
Monitoring Program (Feb. 9, 2022), available at https://www.finra.org/sites/default/files/2022-02/2022-report-finras-examination-risk-monitoring-program.pdf. See also FINRA, 2020 Risk 
Monitoring and Examination Priorities Letter (Jan. 9, 2020), 
available at https://www.finra.org/rules-guidance/communications-firms/2020-risk-monitoring-and-examination-priorities-letter; FINRA, 
Equity Trading Initiatives: Supervision and Control Practices for 
Algorithmic Trading Strategies (Mar. 2015), available at https://www.finra.org/sites/default/files/notice_doc_file_ref/Notice_Regulatory_15-09.pdf.
---------------------------------------------------------------------------

    FINRA rules relating to supervision \606\ require each member to 
establish, maintain, and enforce written procedures to supervise the 
types of business in which it engages and the activities of its 
associated persons that are reasonably designed to achieve compliance 
with applicable securities laws and regulations including Federal 
cybersecurity laws and regulations applicable to broker-dealers such as 
Regulation S-P \607\ and Regulation S-ID.\608\ As discussed in section 
III.D.1.c.i, Regulation S-P's safeguards provisions require broker-
dealers to adopt written policies and procedures that address 
administrative, technical, and physical safeguards for the protection 
of customer records and information.\609\ The Regulation S-P Safeguards 
Rule further provides that these policies and procedures must: (1) 
insure the security and confidentiality of customer records and 
information; (2) protect against any anticipated threats or hazards to 
the security or integrity of customer records and information; and (3) 
protect against unauthorized access to or use of customer records or 
information that could result in substantial harm or inconvenience to 
any customer.\610\ Additionally, the Regulation S-P Disposal Rule 
requires broker-dealers that maintain or otherwise possess consumer 
report information for a business purpose to properly dispose of the 
information by taking reasonable measures to protect against 
unauthorized access to or use of the information in connection with its 
disposal.\611\ In contrast, Regulation S-ID is more narrowly concerned 
with identity theft. Broker-dealers subject to Regulation S-ID must 
develop and implement a written identity theft program that includes 
policies and procedures to identify and detect relevant red flags.\612\
---------------------------------------------------------------------------

    \606\ FINRA Rules 3110 (Supervision) and 3120 (Supervisory 
Control Systems).
    \607\ See 17 CFR 248.1 through 248.30.
    \608\ See 17 CFR 248.201 and 248.202.
    \609\ See 17 CFR 248.30(a).
    \610\ See 17 CFR 248.30(a)(1) through (3).
    \611\ See 17 CFR 248.30(b)(2). Regulation S-P currently defines 
the term ``disposal'' to mean: (1) the discarding or abandonment of 
consumer report information; or (2) the sale, donation, or transfer 
of any medium, including computer equipment, on which consumer 
report information is stored. See 17 CFR 248.30(b)(1)(iii).
    \612\ See 17 CFR 248.201.
---------------------------------------------------------------------------

    Past Commission staff statements \613\ and FINRA guidance \614\ 
with respect to these rules identify common elements of reasonably 
designed cybersecurity policies and procedures including risk 
assessment, user security and access,

[[Page 23231]]

information protection, incident response,\615\ and training.\616\
---------------------------------------------------------------------------

    \613\ See OCIE, SEC, Cybersecurity: Safeguarding Client Accounts 
against Credential Compromise (Sep. 15, 2020), available at https://www.sec.gov/files/Risk%20Alert%20-%20Credential%20Compromise.pdf; 
OCIE, SEC, Select COVID-19 Compliance Risks and Considerations for 
Broker-Dealers and Investment Advisers (Aug. 12, 2020), available at 
https://www.sec.gov/files/Risk%20Alert%20-%20COVID-19%20Compliance.pdf; OCIE, SEC, Cybersecurity: Ransomware Alert 
(July 10, 2020), available at https://www.sec.gov/files/Risk%20Alert%20-%20Ransomware.pdf; OCIE, SEC, Report on OCIE 
Cybersecurity and Resiliency Observations (Jan. 27, 2020), available 
at https://www.sec.gov/files/OCIE%20Cybersecurity%20and%20Resiliency%20Observations.pdf; OCIE, 
SEC, OCIE Safeguarding Customer Records and Information in Network 
Storage--Use of Third Party Security Features (May 23, 2019), 
available at https://www.sec.gov/files/OCIE%20Risk%20Alert%20-%20Network%20Storage.pdf; OCIE, SEC, Investment Adviser and Broker-
Dealer Compliance Issues Related to Regulation S-P--Privacy Notices 
and Safeguard Policies (Apr. 16, 2019), available at https://www.sec.gov/files/OCIE%20Risk%20Alert%20-%20Regulation%20S-P.pdf; 
OCIE, SEC, Observations from Cybersecurity Examinations (Aug. 7, 
2017), available at https://www.sec.gov/files/observations-from-cybersecurity-examinations.pdf; OCIE, SEC, Cybersecurity: Ransomware 
Alert (May 17, 2017), available at https://www.sec.gov/files/risk-alert-cybersecurity-ransomware-alert.pdf; OCIE, SEC, OCIE's 2015 
Cybersecurity Examination Initiative (Sep. 15, 2015), available at 
https://www.sec.gov/files/ocie-2015-cybersecurity-examination-initiative.pdf; OCIE, SEC, Cybersecurity Examination Sweep Summary 
(Feb. 3, 2015), available at https://www.sec.gov/about/offices/ocie/cybersecurity-examination-sweep-summary.pdf; OCIE, SEC, OCIE's 2014 
Cybersecurity Initiative (Apr. 15, 2014), available at https://
www.sec.gov/ocie/announcement/Cybersecurity-Risk-Alert_Appendix_-
4.15.14.pdf.
    \614\ See FINRA, Core Cybersecurity Threats and Effective 
Controls for Small Firms (May 2022), available at https://www.finra.org/sites/default/files/2022-05/Core_Cybersecurity_Threats_and_Effective_Controls-Small_Firms.pdf; 
FINRA, Cloud Computing in the Securities Industry (Aug. 16, 2021), 
available at https://www.finra.org/rules-guidance/key-topics/fintech/report/cloud-computing; FINRA, Common Cybersecurity Threats 
(July 9, 2019), available at https://www.finra.org/rules-guidance/guidance/common-cybersecurity-threats; FINRA, Report on Selected 
Cybersecurity Practices (Dec. 1, 2018), available at https://www.finra.org/rules-guidance/guidance/common-cybersecurity-threats; 
FINRA, Report on FINRA Examination Findings (Dec. 6, 2017), 
available at https://www.finra.org/sites/default/files/2017-Report-FINRA-Examination-Findings.pdf; FINRA, Small Firm Cybersecurity 
Checklist (May 23, 2016), available at https://www.finra.org/compliance-tools/small-firm-cybersecurity-checklist. Cybersecurity 
has also been a regular theme of FINRA's Regulatory and Examination 
Priorities Letter since 2008 often with reference to Regulation S-P. 
Similarly, the SEC sponsored a Cybersecurity Roundtable and the 
Division of Examinations conducted cybersecurity initiatives I and II 
to assess industry practices and legal and compliance issues 
associated with broker-dealer and investment adviser cybersecurity 
preparedness.
    \615\ See FINRA, 2021 Report on FINRA's Examination and Risk 
Monitoring Program (Feb. 01, 2021), available at https://www.finra.org/rules-guidance/guidance/reports/2021-finras-examination-and-risk-monitoring-program/cybersecurity (FINRA 
recommended among effective practices with respect to incident 
response: Establishing and regularly testing (often using tabletop 
exercises) a written formal incident response plan that outlines 
procedures for responding to cybersecurity and information security 
incidents; and developing frameworks to identify, classify, 
prioritize, track and close cybersecurity-related incidents.).
    \616\ These categories vary somewhat in terms of nomenclature 
and the specific categories themselves across different Commission 
and FINRA publications.
---------------------------------------------------------------------------

    Consistent with these rules, nearly all broker-dealers that 
participated in two Commission exam sweeps in 2015 and 2017 reported 
\617\ maintaining some cybersecurity policies and procedures; 
conducting some periodic risk assessments to identify threats and 
vulnerabilities; \618\ conducting firm-wide systems inventorying or 
cataloguing; ensuring regular system maintenance, including the 
installation of software patches to address security vulnerabilities; 
and performing some penetration testing,\619\ although both sweeps also 
noted various flaws in compliance. A separate staff statement, 
based on observed industry practices, noted that at least some firms 
implemented capabilities that are able to control, monitor, and inspect 
all incoming and outgoing network traffic to prevent unauthorized or 
harmful traffic and implemented capabilities that are able to detect 
threats on endpoints.\620\ In the two Commission exam sweeps, many 
firms indicated that policies and procedures were vetted and approved 
by senior management and that firms provided annual cybersecurity 
reports to the board while some also provided ad hoc reports in the 
event of major cybersecurity events.\621\ Broadly, many broker-dealers 
reported relying on industry standards with respect to cybersecurity 
\622\ typically by adhering to a specific industry standard or 
combination of industry standards or by using industry standards as 
guidance in designing policies and procedures. In the Commission's 2017 
sweep, however, weaknesses in policies and procedures and failure to 
implement policies and procedures were observed at a majority of the 
participating firms.\623\
---------------------------------------------------------------------------

    \617\ See Cybersecurity Examination Sweep Summary, supra note 
613 (Of 57 examined broker-dealers, the vast majority adopted 
written information security policies, conducted periodic audits to 
determine compliance with these information security policies and 
procedures, conducted risk assessments and reported considering such 
risk assessments in establishing their cybersecurity policies and 
procedures. With respect to vendors, the majority of the broker-
dealers required cybersecurity risk assessments of vendors with 
access to their firms' networks and had at least some specific 
policies and procedures relating to vendors.). See also Observations 
from Cybersecurity Examinations, supra note 613 (This largely 
aligned with the prior 2015 Exam Sweep but is based on additional 
data from a mixed group of 75 broker-dealers and investment 
advisers. For example, nearly all firms had incident response plans. 
Still, a number of firms did not appear to fully remediate some of 
the high-risk observations that they discovered from these tests and 
vulnerability scans in a timely manner, or failed to conduct 
penetration testing regularly).
    \618\ See Report on Selected Cybersecurity Practices, supra note 
614. According to FINRA's 2018 RCA, 94% of higher revenue firms and 
70% of mid-level revenue firms use a risk assessment as part of 
their cybersecurity program. The Risk Control Assessment (RCA) 
Survey is a voluntary survey conducted by FINRA on an annual basis 
with all active member firms.
    \619\ Id. According to FINRA's 2018 RCA, 100% of higher revenue 
firms include penetration testing as a component in their overall 
cybersecurity program.
    \620\ See Report on OCIE Cybersecurity and Resiliency 
Observations, supra note 613.
    \621\ See Cybersecurity Examination Sweep Summary, supra note 
613, and Observations from Cybersecurity Examinations, supra note 
613.
    \622\ Id. Among the firms that were part of the sweep, nearly 
90% used one or more of the NIST, ISO or ISACA frameworks or 
standards. More specifically, 65% of the respondents reported that 
they use the ISO 27001/27002 standard while 25% use COBIT. Some 
firms use combinations of these standards for various parts of their 
cybersecurity programs. While the report focused on firm utilization 
of cybersecurity frameworks specifically, in many cases, the 
referenced frameworks were broader IT frameworks.
    \623\ See OCIE, SEC, Observations from Cybersecurity 
Examinations (Aug. 7, 2017), available at https://www.sec.gov/files/observations-from-cybersecurity-examinations.pdf.
---------------------------------------------------------------------------

    FINRA Rule 3110's supervisory obligation also extends to member 
firms' outsourcing of certain ``covered activities''--activities or 
functions that, if performed directly by a member firm, would be 
required to be the subject of a supervisory system and written 
supervisory procedures pursuant to FINRA Rule 3110. These vendor 
management obligations are discussed in further guidance.\624\ As 
discussed in section III.A.2.b of this release, FINRA Rule 4530 
requires broker-dealer reporting of certain events to FINRA, including, 
among other things, compliance issues and other events \625\ where a 
broker-dealer has concluded or should have reasonably concluded that a 
violation of securities or other enumerated law, rule, or regulation of 
any domestic or foreign regulatory body or SRO has occurred. Broker-
dealers affiliated with a banking organization \626\ may also be 
affected by a cybersecurity notification requirement. For example, if a 
broker-dealer is a subsidiary of a bank holding company, an incident at 
the broker-dealer would likely be reported by the bank holding company 
to its respective banking regulator.
---------------------------------------------------------------------------

    \624\ See Regulatory Notice 21-29: Vendor Management and 
Outsourcing, supra note 165; Notice to Members 05-48: Outsourcing, 
supra note 165. FINRA found that most firms had adequate privacy and 
security language in contracts where customer or firm confidential 
data or high-risk systems were at risk. Standard contract language 
topics that firms included were: non-disclosure agreements/
confidentiality agreements, data storage, retention, and delivery; 
breach notification responsibilities; right-to-audit clauses; vendor 
employee access limitations; use of subcontractors; and vendor 
obligations upon contract termination. Id.
    \625\ While FINRA has urged firms to report material cyber 
incidents that do not trigger a reporting obligation to their 
regulatory coordinator, current practices are unclear.
    \626\ In the simplification of the Volcker Rule, effective Jan. 
21, 2020, Commission staff estimated that there were 202 broker-
dealers that were affiliated with banking organizations.
---------------------------------------------------------------------------

    Aside from specific dissemination obligations under Regulation SCI 
for a limited number of broker-dealers with respect to their related 
SCI ATSs, there are no Commission or FINRA requirements for broker-
dealers to disseminate notifications of breaches to members or clients, 
although many firms do so \627\ pursuant to various state data breach 
laws.\628\ Broker-dealers are subject to state laws known as ``Blue Sky 
Laws,'' which generally are regulations established as safeguards for 
investors against securities fraud.\629\ Although all 50 states have 
enacted laws in recent years requiring firms to notify individuals of 
data breaches, standards differ by state, with some states imposing 
heightened notification requirements relative to other states.\630\
---------------------------------------------------------------------------

    \627\ See Cybersecurity Examination Sweep Summary, supra note 
613 (Based on a small sample of firms, the vast majority of broker-
dealers maintained plans for data breach incidents and most had 
plans for notifying customers of material events.)
    \628\ See Digital Guardian, The Definitive Guide to U.S. State 
Data Breach Laws, digitalguardian.com, available at https://info.digitalguardian.com/rs/768-OQW-145/images/the-definitive-guide-to-us-state-data-breach-laws.pdf (last visited Nov. 15, 2022).
    \629\ See, e.g., Office of Investor Education and Advocacy, 
Commission, Blue Sky Laws, available at https://www.investor.gov/introduction-investing/investing-basics/glossary/blue-sky-laws.
    \630\ For example, some states may require a firm to notify 
individuals when a data breach includes biometric information, while 
others do not. Compare Cal. Civil Code sec. 1798.29 (notice to 
California residents of a data breach generally required when a 
resident's personal information was or is reasonably believed to 
have been acquired by an unauthorized person; ``personal 
information'' is defined to mean an individual's first or last name 
in combination with one of a list of specified elements, which 
includes certain unique biometric data), with Ala. Stat. secs. 8-38-
2, 8-38-4, 8-38-5 (notice of a data breach to Alabama residents is 
generally required when sensitive personally identifying information 
has been acquired by an unauthorized person and is reasonably likely 
to cause substantial harm to the resident to whom the information 
relates; ``sensitive personally identifying information'' is defined 
as the resident's first or last name in combination with one of a 
list of specified elements, which does not include biometric 
information).

---------------------------------------------------------------------------

[[Page 23232]]

    Additionally, market data, including bids, offers, and quotation 
sizes, among other types of data, are currently collected from 
broker-dealers and consolidated and distributed pursuant to a variety 
of Exchange Act rules and joint industry plans.\631\
---------------------------------------------------------------------------

    \631\ See, e.g., Rules 601 through 604 of Regulation NMS (17 CFR 
242.601 through 242.604 (``Rule 604'')) and 17 CFR 242.301(b)(3) 
(``Rule 301(b)(3)'') of Regulation ATS.
---------------------------------------------------------------------------

c. Exempt Clearing Agencies
i. Affected Parties
    Certain SCI entities are in the market for clearance and settlement 
services. Registered clearing agencies and certain exempt clearing 
agencies are already SCI entities. The Commission proposes to extend 
Regulation SCI to include all other exempt clearing agencies. The 
proposed amendment would have the immediate effect of introducing two 
exempt clearing agencies into the scope of Regulation SCI.
    There are broadly two types of clearing agencies: registered 
clearing agencies and exempt clearing agencies. There are seven 
registered and active clearing agencies: DTC, FICC, NSCC, ICC, ICEEU, 
the Options Clearing Corp., and LCH SA. There are two other clearing 
agencies that are no longer active but both maintain registration with 
the Commission.\632\ In addition to these registered clearing agencies, 
there are clearing agencies that have received from the Commission an 
exemption from registration as a clearing agency under section 17A of 
the Exchange Act. There are five exempt clearing agencies: Bloomberg 
STP (inactive), ITPMATCH (DTCC), SSCNET (SS&C Technologies), Euroclear 
Bank SA/NV, and Clearstream Banking, S.A. Of these exempt clearing 
agencies, Bloomberg STP, ITPMATCH (DTCC), and SSCNET (SS&C 
Technologies) are subject to Regulation SCI as ``exempt clearing 
agencies subject to ARP,'' together with registered clearing agencies.
---------------------------------------------------------------------------

    \632\ See BSECC Notice and SCCP Notice, supra note 230.
---------------------------------------------------------------------------

    The other two, Euroclear Bank SA/NV and Clearstream Banking, S.A., 
both exempt clearing agencies,\633\ have not been required to comply 
with Regulation SCI. Each performs CSD functions and provides clearance 
and settlement for U.S. Treasury transactions, subject to volume limits 
set forth in their exemptions. Euroclear Bank also provides collateral 
management services for U.S. equity transactions involving a U.S. 
person and a non-U.S. person.
---------------------------------------------------------------------------

    \633\ See Euroclear Exemption, supra note 231 (providing an 
exemption to Euroclear Bank SA/NV (successor in name to Morgan 
Guaranty Trust Company of NY)); Clearstream Exemption, supra note 
231 (providing an exemption to Clearstream Banking, S.A. (successor 
in name to Cedel Bank, société anonyme, Luxembourg)). 
Furthermore, pursuant to the Commission's statement on CCPs in the 
European Union (``EU'') authorized under the European Markets 
Infrastructure Regulation (``EMIR''), an EU CCP may request an 
exemption from the Commission where it has determined that the 
application of SEC requirements would impose unnecessary, 
duplicative, or inconsistent requirements in light of EMIR 
requirements to which it is subject. See Statement on Central 
Counterparties Authorized under the European Markets Infrastructure 
Regulation Seeking to Register as a Clearing Agency or to Request 
Exemptions from Certain Requirements Under the Securities Exchange 
Act of 1934 supra note 240 (stating that in seeking an exemption, an 
EU CCP could provide ``a self-assessment . . . [to] explain how the 
EU CCP's compliance with EMIR corresponds to the requirements in the 
Exchange Act and applicable SEC rules thereunder, such as Rule 17Ad-
22 and Regulation SCI.'').
---------------------------------------------------------------------------

ii. Regulatory Baseline
    The two exempt clearing agencies not subject to ARP are required 
per Commission exemptive orders to submit to the Commission a number of 
items including transaction volume data,\634\ notification regarding 
material adverse changes in any account maintained for customers,\635\ 
one or more disclosure documents, amendments to its application for 
exemption on Form CA-1,\636\ responses to a Commission request for 
information,\637\ etc. In the case of one exempt clearing agency, its 
exemptive order also requires submission of additional items related to 
its systems including quarterly reports describing completed, ongoing, 
and planned material system changes,\638\ notification \639\ regarding 
systems events,\640\ and a requirement to take appropriate corrective 
action regarding such systems events. This exempt clearing 
agency is also required to maintain policies and procedures that are 
reasonably designed to identify, manage, and monitor systems 
operational risk; clearly define the roles and responsibilities of 
personnel for addressing operational risk; review such policies and 
procedures; conduct systems audits and system tests periodically and at 
implementation of significant changes; clearly define operational 
reliability objectives for the systems; ensure that the systems have 
scalable capacity adequate to handle increasing stress volumes and 
achieve the systems service-level objectives; establish comprehensive 
physical and information security policies that address all potential 
vulnerabilities and threats to the systems; and establish a business 
continuity plan \641\ for the systems that addresses events posing a 
significant risk of disrupting the systems' operations, including 
events that could cause a wide-scale or major disruption in the 
provision of the clearing agency activities. Such policies and 
procedures should be consistent with current information technology 
industry standards \642\ and be reasonably designed to ensure that the 
systems operate on an ongoing basis in a manner that complies with the 
conditions applicable to the systems and with the exempt clearing 
agency's rules and governing documents applicable to the clearing 
agency activities. This exempt clearing agency must also provide the

[[Page 23233]]

Commission with an annual update regarding policies and procedures.
---------------------------------------------------------------------------

    \634\ Id. This is provided in the form of quarterly reports, 
calculated on a twelve-month rolling basis, of volume statistics 
related to government securities. One exempt clearing agency also 
reports volume statistics related to equities.
    \635\ Id. This is for customers that are members or affiliates 
of members of a U.S. registered clearing agency in the case of one 
exempt clearing agency, or U.S. participants in the case of the other.
    \636\ Id. This must be filed prior to the implementation of any 
change in stated policies, practices, or procedures that makes the 
information contained in the original Form CA-1 incomplete or 
inaccurate in any material respect.
    \637\ Id. This would typically concern a U.S. customer or its 
affiliate about whom the Commission has financial solvency concerns.
    \638\ This must be filed within 30 calendar days after the end 
of each quarter. The reported information represents changes 
related to the Clearing Agency Activities during the prior, current, 
and subsequent calendar quarters, including the dates or expected 
dates of commencement and completion.
    \639\ This requires notification of such a systems event within 24 
hours after occurrence; regular updates until such time as a systems 
event is resolved and investigation of the systems event is closed; 
interim written notification within 48 hours after the occurrence of 
a systems event or promptly thereafter if such a deadline cannot be 
met; a written final report within ten business days after the 
occurrence of a systems event or promptly thereafter if such a 
deadline cannot be met. For systems events characterized as ``bronze 
level'' events (i.e., a Systems Event in which the incident is 
clearly understood, almost immediately under control, involves only 
one business unit and/or entity, and is resolved within a few 
hours), the clearing agency is instead required to provide on a 
quarterly basis an aggregated list of bronze level events.
    \640\ This includes disruptions, compliance issues, or 
intrusions of the systems that impact, or are reasonably likely to 
impact, clearing agency activities.
    \641\ The business continuity plan would require the use of a 
secondary site designed to ensure two-hour resumption of operation 
following disruptive events; regular testing of business continuity 
plans; identification, monitoring, and management of the risks that 
key participants, other financial market infrastructures, and 
service and utility providers might pose to the systems' operations 
in relation to the clearing agency activities.
    \642\ The exempt clearing agency is required to provide annual 
notice to the Commission regarding the industry standards utilized. 
These standards consist of information technology practices that are 
widely available to information technology professionals in the 
financial sector and issued by a widely recognized organization.
---------------------------------------------------------------------------

    Additionally, the two exempt clearing agencies not subject to ARP 
are subject to Europe's Central Securities Depositories Regulation 
(CSDR), which provides a set of common requirements for CSDs operating 
securities settlement systems across the EU.\643\ CSDR provides, among 
other things, Operational Risk rules (Article 45).\644\ There are more 
specific requirements in the CSDR's Regulatory Technical Standards 
\645\ including identifying operational risks; \646\ methods to test, 
address and minimize operational risks; \647\ IT systems; \648\ and 
business continuity.\649\
---------------------------------------------------------------------------

    \643\ The two exempt clearing agencies may also be subject to 
the EU Regulation, the Digital Operational Resilience Act (DORA), 
which went into effect in 2015: See Proposal for a Regulation of the 
European Parliament and of the Council on Digital Operational 
Resilience for the Financial Sector and Amending Regulations (EC) No 
1060/2009, (EU) No 648/2012, (EU) No 600/2014 and (EU) No 909/2014 
available at https://eur-lex.europa.eu/legal-content/EN/TXT/?uri=CELEX%3A52020PC0595.
    \644\ See Commission Regulation No. 909/2014 of July 23, 2014, 
on improving securities settlement in the European Union and on 
central securities depositories and amending Directives 98/26/EC and 
2014/65/EU and Regulation (EU) No 236/2012, art. 45, 2014 O.J. (L 
257) 47, available at https://eur-lex.europa.eu/legal-content/EN/TXT/?uri=CELEX:32014R0909.
    \645\ See Commission Delegated Regulation 2017/392, 
Supplementing Regulation (EU) No 909/2014 of the European Parliament 
and of the Council with Regard to Regulatory Technical Standards on 
Authorization, Supervisory and Operational Requirements for Central 
Securities Depositories. 65 Off. J. Eur. Union 48 (2017) available 
at https://eur-lex.europa.eu/legal-content/EN/TXT/PDF/?uri=CELEX:32017R0392&from=EN.
    \646\ Id. art. 45:1.
    \647\ Id. art. 45:2.
    \648\ Id. art. 45:3.
    \649\ Id. art. 45:4.
---------------------------------------------------------------------------

    Furthermore, each of these two exempt clearing agencies publishes 
disclosure framework reports \650\ that purport to describe the 
policies and procedures \651\ with respect to the operational risk 
framework of the Principles for Financial Market Infrastructures (PFMI) 
published by CPSS and IOSCO.\652\
---------------------------------------------------------------------------

    \650\ See infra notes 683-684.
    \651\ The respective disclosure documents have not been reviewed 
by the Commission and its staff for accuracy and may or may not 
demonstrate implementation/compliance with international standards.
    \652\ Bank for International Settlements (BIS), Principles for 
Financial Market Infrastructures: Disclosure Framework and 
Assessment Methodology (Dec. 2012), available at https://www.bis.org/cpmi/publ/d106.pdf.
---------------------------------------------------------------------------

2. Existing SCI Entities
a. Affected Parties
    In addition to these proposed new SCI entities, Regulation SCI has 
applied to entities that facilitate several different markets, 
including the market for trading services, the market for listing 
services, the market for regulation and surveillance services, the 
market for clearance and settlement services, and the market for market 
data.\653\ As of this writing, there are 47 SCI entities. These include 
35 SCI SROs (including 24 exchanges, 9 registered clearing agencies, 
FINRA, and the MSRB), 7 SCI ATSs (including 5 NMS stock ATSs and 2 non-
NMS stock ATSs), 2 plan processors, and 3 exempt clearing agencies 
subject to ARP.\654\ All of them are already required to comply with 
Regulation SCI, and, as discussed in section V.B.2.b, subsets of these 
entities also have other specific rules that apply to them.
---------------------------------------------------------------------------

    \653\ 17 CFR 242.1000 (definitions of ``SCI systems'' and 
``critical SCI systems'').
    \654\ In 2021, the Commission amended Regulation SCI to add 
competing consolidators that exceed a 5% consolidated market data 
gross revenue threshold over a specified time period as SCI 
entities. Currently, no competing consolidators have registered with 
the Commission. See Market Data Infrastructure Adopting Release, 
supra note 24.
---------------------------------------------------------------------------

    The general characteristics of the markets in which the existing 
SCI entities operate are described in the SCI Proposing Release \655\ 
and SCI Adopting Release.\656\ There are, however, broad changes to 
these markets--as they pertain to Regulation SCI--that should be noted. 
The markets have changed in at least four important ways. First, the 
total trading volumes have increased across all types of 
securities.\657\ Second, there is an increased reliance on technology 
and automation among financial institutions, a trend which accelerated 
due to the COVID-19 pandemic.\658\ Third, and relatedly, financial 
institutions have become increasingly dependent on third parties--
including cloud service providers--to operate their businesses and 
provide their services.\659\ This is, in fact, a general trend among 
all global companies, and this trend, too, has been driven in part by 
the COVID-19 pandemic.\660\ Fourth, cybersecurity events have grown in 
both number and sophistication.\661\ These developments in the market 
have significantly increased the negative externalities that may flow 
from systems failures.
---------------------------------------------------------------------------

    \655\ See SCI Proposing Release, supra note 14, at section V. 
See also Market Data Infrastructure Adopting Release, supra note 24, 
for a description of competing consolidator market characteristics.
    \656\ See SCI Adopting Release, supra note 1, at section VI.
    \657\ See, e.g., SIFMA Insights: Electronic Trading Market 
Structure Primer, supra note 3 (summarizing electronic trading 
history and trends in different markets); SEC, Staff Report on 
Equity and Options Market Structure Conditions in Early 2021 (Oct. 
14, 2021), available at https://www.sec.gov/files/staff-report-equity-options-market-struction-conditions-early-2021.pdf; see also 
U.S. House Committee on Financial Services, Game Stopped: How the 
Meme Stock Market Event Exposed Troubling Business Practices, 
Inadequate Risk Practices, and the Need for Legislative and 
Regulatory Reform (June 2022), available at: https://democrats-financialservices.house.gov/uploadedfiles/6.22_hfsc_gs.report_hmsmeetbp.irm.nlrf.pdf.
    \658\ See, e.g., Henning Soller, et al., Innovative Technologies 
in Financial Institutions: Risk as a Strategic Issue, McKinsey 
Digital (Sep. 25, 2020), available at: https://www.mckinsey.com/business-functions/mckinsey-digital/our-insights/tech-forward/innovative-technologies-in-financial-institutions-risk-as-a-strategic-issue (``The current COVID-19 crisis has significantly 
accelerated the need for financial institutions to adopt innovative 
technologies.'').
    \659\ See, e.g., Noah Kessler, Cloud Is on the Rise in Financial 
Services and Regulators Are Taking Note, ABA Risk and Compliance 
(Sept. 29, 2021), available at https://bankingjournal.aba.com/2021/09/cloud-is-on-the-rise-in-financial-services-and-regulators-are-taking-note/.
    \660\ See, e.g., Deloitte, 2021 Global Shared Services and 
Outsourcing Survey Report 3, available at https://www2.deloitte.com/content/dam/Deloitte/global/Documents/Process-and-Operations/gx-2021-global-shared-services-report.pdf (``[T]here's an increasing 
shift to leverage global, multifunctional, and virtual or remote 
models, especially driven by learnings from COVID-19'').
    \661\ See, e.g., Chuck Brooks, Alarming Cyber Statistics For 
Mid-Year 2022 That You Need To Know, Forbes.com (June 3, 2022), 
available at https://www.forbes.com/sites/chuckbrooks/2022/06/03/alarming-cyber-statistics-for-mid-year-2022-that-you-need-to-know/?sh=2429c57e7864.
---------------------------------------------------------------------------

    Current SCI entities are required to report systems intrusions 
immediately, or on a quarterly basis rather than immediately if the 
intrusion is de minimis in impact. However, current SCI entities have 
not been reporting attempted intrusions, as they were not required to 
do so.
b. Regulatory Baseline
    The common regulatory baseline for current SCI entities is 
Regulation SCI which was adopted in 2014. Regulation SCI requires, 
among other things, that these entities establish, maintain, and 
enforce written policies and procedures reasonably designed to ensure 
that their SCI systems have levels of capacity, integrity, resiliency, 
availability, and security adequate to maintain their operational 
capability and promote the maintenance of fair and orderly markets and 
operate in a manner that complies with the Exchange Act and the rules 
and regulations thereunder and the entity's rules and governing 
documents, as applicable, and specifies certain minimum requirements 
for such policies and procedures. As a policies and procedures based 
rule, and one that employs a risk-based approach, Regulation SCI 
provides flexibility to allow each SCI entity to determine how

[[Page 23234]]

to best meet the requirements in Rule 1001(a).
    In addition, 17 CFR 242.613 (``Rule 613'') of Regulation NMS 
requires national securities exchanges and national securities 
associations (FINRA) to jointly develop and submit to the Commission a 
Consolidated Audit Trail National Market System (CAT NMS) Plan.\662\
---------------------------------------------------------------------------

    \662\ 17 CFR 242.613.
---------------------------------------------------------------------------

    Under the Commission-approved CAT NMS Plan, the national securities 
exchanges and FINRA (the Participants) conduct the activities related 
to the CAT through a jointly owned limited liability company, 
Consolidated Audit Trail, LLC (``Company'').\663\ FINRA CAT, LLC--a 
wholly-owned subsidiary of FINRA--has entered into an agreement with 
the Company to act as the plan processor for the CAT. However, the 
Participants remain ultimately responsible for the performance of the 
CAT and its compliance with any statutes, rules, and regulations.\664\ 
The Plan Processor must develop three sets of policies and procedures: 
(1) the CAT information security program and related data security 
policies and procedures; (2) user security and access policies and 
procedures; and (3) breach management policies and procedures.\665\
---------------------------------------------------------------------------

    \663\ Consolidated Audit Trail, LLC, CAT NMS Plan, secs. 1.1, 
3.1, 4.1 (July 2020), available at https://catnmsplan.com/sites/default/files/2020-07/LLC-Agreement-of-Consolidated-Audit-Trail-LLC-as-of-7.24.20.pdf; see also CAT NMS Plan Approval Order, supra note 
393; Joint Industry Plan; Order Approving Amendment to the National 
Market System Plan Governing the Consolidated Audit Trail, 
Securities Exchange Act Release No. 89397 (July 24, 2020), 85 FR 
45941 (July 30, 2020).
    \664\ CAT NMS Plan, secs. 4.3, 5.1, 6.1. The Participants 
jointly own on an equal basis the Company. As such, the CAT's 
Central Repository is a facility of each of the Participants, and 
also an SCI system of each of the Participants. See SCI Adopting 
Release, supra note 1, at 72275 at n. 246; CAT NMS Plan Approval 
Order, supra note 393, at 84758.
    \665\ CAT NMS Plan, secs. 6.12 and app. D. secs. 4.1 to 4.1.5. 
The Plan Processor is subject to certain industry standards with 
respect to its information security program, including, among 
others, NIST-800-23 (Guidelines to Federal Organizations on Security 
Assurance and Acquisition/Use of Test/Evaluated Products), NIST 800-
53 (Security and Privacy Controls for Federal Information Systems 
and Organizations), and NIST 800-115 (Technical Guide to Information 
Security Testing and Assessment). CAT NMS Plan, app. D sec. 4.2.
---------------------------------------------------------------------------

    First, the Plan Processor must develop and maintain a comprehensive 
information security program, to be approved and reviewed at least 
annually by an operating committee, which contains certain specific 
requirements for the Company related to data security.\666\ As part of 
this requirement, the Plan Processor is required to create and enforce 
policies, procedures, and control structures to monitor and address CAT 
data security, including reviews of industry standards and periodic 
penetration testing.\667\ Second, both the Participants and the Plan 
Processor must implement user security and access policies and 
procedures that include safeguards to secure access and use of the 
CAT.\668\ The Plan Processor must also review Participant information 
security policies and procedures related to the Company to ensure that 
such policies and procedures are comparable to those of the CAT 
system.\669\ Finally, the Plan Processor must develop a cyber-incident 
response plan and document all information relevant to breaches.\670\ 
In addition to these policies and procedures requirements, the CAT NMS 
Plan requires several forms of periodic review of CAT, including an 
annual written assessment,\671\ regular reports,\672\ and an annual 
audit.\673\ The Commission has proposed amendments to the CAT NMS Plan 
that are designed to enhance the security of the CAT through increased 
security requirements as well as limiting the scope of sensitive 
information required to be collected by the CAT.\674\
---------------------------------------------------------------------------

    \666\ CAT NMS Plan, app. D sec. 4.1.
    \667\ Id. sec. 6.2(b)(v) and app. D secs. 4.1 to 4.2.
    \668\ Specifically, these safeguards must include: (1) 
restrictions on the acceptable uses of CAT Data; (2) role-based 
access controls; (3) authentication of individual users; (4) 
multifactor authentication and password controls; (5) implementation 
of information barriers to prevent unauthorized staff from accessing 
CAT Data; (6) separate storage of sensitive personal information and 
controls on transmission of data; (7) security-driven monitoring and 
logging; (8) escalation of non-compliance or security events; and 
(9) remote access controls. Id. at secs. 6.2(b)(v), 6.5(c)(i), 
6.5(c)(iii) and (iv) and app. D secs. 4.1 to 4.1.4, 4.1.6, 8.1, 
8.1.1, 8.1.3, 8.2, 8.2.2.
    \669\ Id. sec. 6.2(b)(vii).
    \670\ Id. app. D sec. 4.1.5.
    \671\ The Participants are required to provide the Commission 
with an annual written assessment of the Plan Processor's 
performance, which must include, among other things, an evaluation 
of potential technology upgrades and an evaluation of the CAT 
information security program. Id. secs. 6.2(a)(v)(G), 6.6(b).
    \672\ The Plan Processor is required to provide the operating 
committee with regular reports on various topics, including data 
security issues and the Plan Processor. Id. secs. 6.1(o), 
6.2(b)(vi), 6.2(a)(v)(E), 6.2(b)(vi).
    \673\ The Plan Processor is required to create and implement an 
annual audit plan that includes a review of all Plan Processor 
policies, procedures, control structures, and tools that monitor and 
address data security. Id. secs. 6.2(a)(v)(B) and (C), app. D secs. 
4.1.3, 5.3.
    \674\ Proposed Amendments to the National Market System Plan 
Governing the Consolidated Audit Trail to Enhance Data Security, 
Release No. 89632 (Aug. 21, 2020), 85 FR 65990 (Oct. 16, 2020).
---------------------------------------------------------------------------

3. Current Market Practice
    This section describes current and new SCI entities' market 
practices, as relevant to certain of the proposed and existing 
provisions. These market practices include entities' compliance efforts 
that exceed current regulatory baseline requirements, entities' 
adherence to voluntary standards and best practices, and business 
practices not directly related to compliance with a regulatory 
obligation that nevertheless overlap with the substantive or procedural 
requirements of the proposed rule. To the extent the entities' existing 
practices already comply with the requirements or proposed requirements 
of Regulation SCI, or to the extent those practices might facilitate 
such compliance, the benefits and costs of the proposal could be 
mitigated. The Commission requests comment on how the new and existing 
SCI entities' current market practices affect the baseline against 
which the economic effects are measured.
a. Systems Classification and Lifecycle Management
    Based on the Commission's experience, most current SCI entities 
undertake some form of lifecycle management program that includes 
acquisition, integration, support, refresh, and disposal of covered 
systems, as applicable, and the sanitization of end-of-life systems.
b. Third-Party Vendor Management and Oversight
    Globally, end-user spending on public cloud services is 
estimated to grow 20.4% in 2022 to a total of $494.7 billion, up from 
$410.9 billion in 2021.\675\ In terms of market concentration, as of Q1 
2022, the three largest CSPs collectively hold 65 percent of global 
spending on cloud computing \676\ and the eight largest CSPs have 
roughly 80 percent of the market.\677\ SCI entities employ cloud 
service providers. Some of the largest cloud service providers appear 
to be familiar with the Regulation SCI requirements with which SCI 
entities are obliged to comply.\678\
---------------------------------------------------------------------------

    \675\ See Press Release, Gartner.com (Apr. 19, 2020), available 
at https://www.gartner.com/en/newsroom/press-releases/2022-04-19-gartner-forecasts-worldwide-public-cloud-end-user-spending-to-reach-nearly-500-billion-in-2022.
    \676\ See Synergy Research Group, Huge Cloud Market Still 
Growing at 34% Per Year; Amazon, Microsoft & Google Now Account for 
65% of the Total, PR Newswire (Apr. 28, 2022), available at https://www.prnewswire.com/news-releases/huge-cloud-market-still-growing-at-34-per-year-amazon-microsoft_google-now-account-for-65-of-the-total-301535935.html (estimating as of Q1 2022 that the breakdown 
is: Amazon Web Services (AWS): 33%; Microsoft Azure: 22%; Google 
Cloud: 10%).
    \677\ Id.
    \678\ For example, see Microsoft Azure, Regulation Systems 
Compliance and Integrity (SCI) Cloud Implementation Guide (2019), 
available at https://azure.microsoft.com/mediahandler/files/resourcefiles/microsoft-azure-regulation-systems-compliance-and-integrity-sci-cloud-implementation-guide/AzureRegSCIGuidance.pdf; or 
Google Cloud, U.S. Securities & Exchange Commission Regulation 
Systems Compliance & Integrity (Regulation SCI) (Dec. 2021), 
available at https://services.google.com/fh/files/misc/sec_regulation_sci_gcp_whitepaper.pdf.

---------------------------------------------------------------------------

[[Page 23235]]

    Both new and existing SCI entities may have existing agreements 
with third-party providers that govern the obligations and expectations 
as between an SCI entity and a third-party provider it utilizes. These 
documents may not currently be consistent with the SCI entity's 
requirements under the proposed amendments to Regulation SCI. Some SCI 
entities may currently rely on a third-party provider's standard 
contract or SLA, which may not have been drafted with Regulation SCI's 
requirements in mind. Similarly, some existing agreements between the 
SCI entity and a third-party provider may provide the third-party 
provider with the contractual right to be able to make decisions that 
would negatively impact an SCI entity's obligations in the third-party 
provider's ``commercially reasonable discretion.'' Likewise, existing 
agreements may include defined terms that differ from those under the 
proposed amendments.
    Regardless of their size, SCI entities typically enter into 
contracts with third-party providers to perform a specific function for 
a given time frame at a set price. At the conclusion of a contract, it 
may be renewed if both parties are satisfied. Because prices typically 
increase over time, there may be some need to negotiate a new fee for 
continued service. Negotiations also occur if additional services are 
requested from a given third-party provider. In the instance where 
additional services are required mid-contract, for example, due to 
increased regulatory requirements, the third-party provider may be able 
to separately bill for the extra work that it must incur to provide the 
additional service, particularly if that party is in a highly 
concentrated market for that service and can wield market power. 
Alternatively, the service provider may be forced to absorb the 
additional cost until the contract can be renegotiated. This may be the 
case because that condition is specified in the contract with the SCI 
entity.
Request for Comment
    95. The Commission requests that commenters provide relevant data 
on the number of third-party providers available to SCI entities by 
the types of services they offer or by the types of systems, such as 
critical SCI systems, SCI systems, and indirect SCI systems.
    96. To what extent do third-party providers compete with each other 
for SCI entities?
c. SCI Review
    With respect to business continuity and disaster recovery plan 
reviews, FINRA Rule 4370 requires a broker-dealer to conduct an annual 
review of its business continuity plan. FINRA has observed that some 
broker-dealers \679\ engaged in annual testing to evaluate the 
effectiveness of their business continuity plans.\680\ With respect to 
broker-dealer reporting to their boards regarding cybersecurity 
policies and procedures and cybersecurity incidents, the board 
reporting frequency ranged from quarterly to ad-hoc among the firms 
FINRA reviewed.\681\ Approximately two-thirds of the broker-dealers 
(68%) examined in a 2015 survey had an individual explicitly assigned 
as the firm's CISO, which might suggest extensive executive leadership 
engagement.
---------------------------------------------------------------------------

    \679\ FINRA did not disclose the number or identity of the firms 
but it is likely that larger firms have more robust systems and 
practices given their greater resources.
    \680\ See FINRA, 2019 Report on Examination Findings and 
Observations: Business Continuity Plans (BCPs), supra note 600.
    \681\ See Report on Cybersecurity Practices, supra note 621. At 
a number of firms, the board received annual cybersecurity-related 
reporting while other firms report on a quarterly basis. A number of 
firms also provide ad hoc reporting to the board in the event of 
major cybersecurity events.
---------------------------------------------------------------------------

d. Current SCI Industry Standards
    As of 2015, the majority of broker-dealers reported utilizing one 
or more frameworks with respect to cybersecurity,\682\ either mapping 
directly to the standard or using it as a reference point. Some of the 
standards, such as COBIT, may have broad application to various areas 
of IT, but it is unclear to what extent broker-dealers utilize such 
standards beyond cybersecurity.
---------------------------------------------------------------------------

    \682\ See supra note 622. Among the firms that were part of the 
FINRA sweep, nearly 90% used one or more of the NIST, ISO or ISACA 
frameworks or standards. More specifically, 65% of the respondents 
reported that they use the ISO 27001/27002 standard while 25% use 
COBIT. Some firms use combinations of these standards for various 
parts of their cybersecurity programs. The COBIT standard, for 
example, is focused more on information technology governance than 
cybersecurity per se. In addition, several firms underscored the 
utility of the PCI Standard as well as the SANS Top 20.
---------------------------------------------------------------------------

    Also, each of the two exempt clearing agencies (Euroclear Bank SA/
NV, and Clearstream Banking, S.A.) publishes disclosure framework 
reports \683\ that purport to describe the policies and procedures 
relating to the 24 principles and five responsibilities set forth in 
the Principles for Financial Market Infrastructures (PFMI) published by 
CPSS and IOSCO.\684\ The PFMI establishes new international standards 
for financial market infrastructures (FMIs) including payment systems 
that are systemically important, central securities depositories, 
securities settlement systems, central counterparties and trade 
repositories and prescribes the form and content of the disclosures 
expected of financial market infrastructures. Most relevant, principle 
17 on operational risk offers guidelines on policies and procedures to 
identify, monitor, and manage operational risks, vulnerabilities, and 
threats; capacity planning; stress testing; systems development and 
testing methodology; business continuity and disaster recovery planning 
and testing; vendor risk management; and board supervision of risk 
management, etc.
---------------------------------------------------------------------------

    \683\ Clearstream, Principles for financial market 
infrastructures: Disclosure Framework (Dec. 23, 2020), available at 
https://www.clearstream.com/resource/blob/1386778/3458c1c468e5f40ddf5dc970e8da4af2/cpmi-iosco-data.pdf; Euroclear 
Bank, Disclosure Framework CPMI IOSCO 2020 (June 2020), available at 
https://www.euroclear.com/content/dam/euroclear/About/business/PA005-Euroclear-Bank-Disclosure-Framework-Report.pdf.
    \684\ Bank for International Settlements (BIS), Principles for 
Financial Market Infrastructures: Disclosure Framework and 
Assessment Methodology (Dec. 2012), available at https://www.bis.org/cpmi/publ/d106.pdf.
---------------------------------------------------------------------------

e. Penetration Testing
    Current SCI entities are required to conduct penetration testing as 
part of their SCI review \685\ once every three years.\686\ Among the 
new SCI entities, two SBSDRs that are currently registered as SDRs are 
subject to CFTC's rules, which require conducting penetration testing 
of the systems within the scope of those rules at least once every 
year.
---------------------------------------------------------------------------

    \685\ Specifically, paragraph (b)(1) of Rule 1003 currently 
requires that ``[p]enetration test reviews of the network, 
firewalls, and production systems shall be conducted at a frequency 
of not less than once every three years. . .''. Rule 1003(b)(1).
    \686\ See SCI Adopting Release, supra note 1, at 72344.
---------------------------------------------------------------------------

4. Other Affected Parties
    In addition to new and existing SCI entities, the proposed 
amendments may indirectly affect other parties, namely third-party 
service providers to which SCI systems functionality is outsourced. As 
discussed in depth above, an SCI entity may decide to outsource certain 
functionality to, or utilize the support or services of, a third-party 
provider (which would include both affiliated providers as well as 
vendors unaffiliated with the SCI entity) for a variety of reasons, 
including cost efficiencies,

[[Page 23236]]

increased automation, particular expertise, or functionality that the 
SCI entity does not have in-house. Based on Commission staff 
experience, the Commission believes that these third-party providers 
play a growing role with respect to SCI systems and indirect SCI 
systems, and the Commission anticipates that third-party providers will 
likely arise to provide other types of functionality, service, or 
support to SCI entities that are not contemplated yet today.\687\
---------------------------------------------------------------------------

    \687\ It has long been recognized that the financial services 
industry is increasingly relying on service providers through 
various forms of outsourcing. See, e.g., Bank for International 
Settlements, Outsourcing in Financial Services (Feb. 15, 2005), 
available at https://www.bis.org/publ/joint12.htm. Recent estimates 
suggest that the aggregate contract value of outsourcing in the 
financial services industry is on the order of $10 to $20 billion. 
See, e.g., Business Wire, Insights on the Finance and Accounting 
Outsourcing Global Market to 2026 (Jan. 14, 2022), available at 
https://www.businesswire.com/news/home/20220114005440/en/Insights-on-the-Finance-and-Accounting-Outsourcing-Global-Market-to-2026_-Featuring-Accenture-Capgemini-and-Genpact-Among-Others_-ResearchAndMarkets.com.
---------------------------------------------------------------------------

    Due to data limitations, we are unable to quantify or characterize 
in much detail the structure of these various service provider 
markets.\688\ The Commission lacks specific information on the exact 
extent to which third-party service providers are retained, the 
specific services they provide, and the costs for those services beyond 
the estimates discussed above for cloud service providers. We also do 
not have information about the market for these services, including the 
competitiveness of such markets. We request information from commenters 
on the services related to SCI systems and indirect systems provided by 
third parties to new and existing SCI entities, the costs for those 
services, and the nature of the market for these services.
---------------------------------------------------------------------------

    \688\ Although certain regulatory filings may shed a limited 
light on the use of third-party service providers, we are unaware of 
any data sources that provide detail on the overall picture for each 
of the new and existing SCI entities.
---------------------------------------------------------------------------

C. Analysis of Benefits and Costs of Proposed Amendments

    The proposed amendments both expand the scope of Regulation SCI to 
reach new entities and also strengthen existing requirements in 
Regulation SCI that would apply to both old and new entities. This 
section explores the benefits and costs of these changes. First, we 
discuss the general benefits and costs of the proposed amendments to 
Regulation SCI. Next, we discuss the expansion of Regulation SCI to 
certain new SCI entities and the rationale for it. Finally, we analyze 
the specific benefits and costs of applying each provision of amended 
Regulation SCI to each of the proposed new SCI entities and current SCI 
entities.\689\ The Commission encourages commenters to identify, 
discuss, analyze, and supply relevant data, information, or statistics 
regarding the benefits and costs.
---------------------------------------------------------------------------

    \689\ For purposes of measuring the benefits and costs of the 
proposed rule on both existing and new SCI entities, this analysis 
assumes that market participants are compliant with existing 
applicable Commission, FINRA, CFTC, and other applicable rules, 
including those requiring registration and the rules and regulations 
applicable to such registered entities. To the extent that some 
entities engaged in activities including crypto asset securities are 
not, but should be, FINRA or Commission registered entities, they 
may incur additional costs to comply with existing registration 
obligations that are distinct from the costs associated with the 
proposed rule amendments and are not discussed in this analysis. 
Similarly, any benefits from coming into compliance with existing 
registration obligations are also not discussed in this analysis. 
For such entities, we expect the benefits and costs specifically 
associated with the proposed rule amendments to be the same as those 
described below for existing and new SCI entities that are currently 
registered.
---------------------------------------------------------------------------

    The Commission is providing both a qualitative assessment and 
quantified estimates, including ranges, of the potential economic 
effects of the proposal where feasible. The overall magnitude of the 
economic effects will depend, in part, on the extent to which the new 
and current SCI entities already have in place practices that are 
aligned with the requirements of Regulation SCI, including the proposed 
amendments. New SCI entities' costs of implementing Regulation SCI 
could also differ with the number and size of their systems affected.
    In many cases it is difficult to quantify the economic effects, 
particularly those beyond the costs estimated in the Paperwork 
Reduction Act analysis. As explained in more detail below, the 
Commission in certain cases does not have, and does not believe it can 
reasonably obtain, data or information necessary to quantify certain 
effects. For instance, the Commission finds it impracticable to 
quantify many of the benefits associated with amended Regulation SCI. 
Indeed, we lack information that would allow us to predict the 
reduction in frequency and severity of SCI events or the specific cost 
savings that might arise from avoiding the harm Regulation SCI is 
designed to prevent. Further, even in cases where the Commission has 
some data, quantification is not practicable due to the number and type 
of assumptions necessary to quantify certain economic effects, which 
render any such quantification unreliable. The Commission requests that 
commenters provide relevant data and information to assist the 
Commission in quantifying the economic consequences of proposed 
amendments to Regulation SCI.
1. General Benefits and Costs of Proposed Amendments
    Regulation SCI promotes the capacity, integrity, resiliency, 
availability, and security of SCI systems, as well as transparency 
about systems problems when they do occur, and thereby promotes 
investors' confidence in market transactions. SCI events can today have 
broad impacts because of the growth of electronic trading, which allows 
increased volumes of securities transactions in a broader range of 
asset classes, at increasing speed, by a variety of trading platforms; 
\690\ changes in the way SCI entities employ technology, including the 
increasing importance of third-party service providers to ensure 
reliable, resilient, and secure systems; \691\ a significant increase 
in cybersecurity events across all types of companies, including SCI 
entities; \692\ and an evolution of the threat environment.\693\ A 
joint report from the World Economic Forum and Deloitte states that 
``new interconnections and collective dependencies on certain critical 
providers significantly contribute to the number of vulnerable nodes 
that could threaten and exploit the financial system's essential 
functions.'' \694\
---------------------------------------------------------------------------

    \690\ See section I and supra note 3.
    \691\ See sections III.B, III.B.2.a.
    \692\ See section III.B.3.
    \693\ See id.
    \694\ See World Economic Forum, Beneath the Surface: Technology-
Driven Systemic Risks and the Continued Need for Innovation (Oct. 
28, 2021) at 14, available at https://www.weforum.org/reports/beneath-the-surface-technology-driven-systemic-risks-and-the-continued-need-for-innovation/; see also Henning Soller, et al., 
Innovative Technologies in Financial Institutions: Risk as a 
Strategic Issue, McKinsey Digital (Sep. 25, 2020), available at: 
https://www.mckinsey.com/business-functions/mckinsey-digital/our-insights/tech-forward/innovative-technologies-in-financial-institutions-risk-as-a-strategic-issue.
---------------------------------------------------------------------------

    Expanding Regulation SCI to new SCI entities will help to ensure 
that the core technology systems of these newly designated SCI entities 
are robust, resilient, and secure--especially for those entities that 
have not already adopted comparable measures on their own--and would 
also help to improve Commission oversight of the core technology of key 
entities in the U.S. securities markets.\695\
---------------------------------------------------------------------------

    \695\ For example, some expert views suggest that current SCI 
entities' compliance with Regulation SCI likely prepared those 
entities to be more resilient and more prepared to face times of 
increased volatility--beyond what their prudent business practices 
may have allowed. For example, one industry publication notes that 
even as financial firms ``updated their [business continuity 
planning] after the Sept. 11, 2001, terrorist attacks and superstorm 
Hurricane Sandy in 2012, when these events exposed cracks in Wall 
Street's contingency plans,'' they were still ``more prepared during 
COVID-19 thanks to Regulation SCI for Systems, Compliance and 
Integrity.'' See, e.g., Is Remote Trading Leading to a Paradigm 
Shift on the Trading Desk?, supra note 2. Similarly, a senior 
executive at FINRA stated in an interview that he found most 
surprising the resiliency of the market during COVID-19 and said ``a 
lot of credit goes to the SEC for [the market's resiliency] with 
respect to adopting [Regulation SCI].'' FINRA, Podcast: Market 
Structure & COVID-19: Handling Increased Volatility and Volumes, at 
24:38-25:08 (Apr. 28, 2020), available at https://www.finra.org/media-center/finra-unscripted/market-structure-covid19-coronavirus 
(featuring an interview with FINRA's then-Executive VP of Market 
Regulation and Transparency Services, Tom Gira).

---------------------------------------------------------------------------

[[Page 23237]]

    The Commission is also proposing amendments to update Regulation 
SCI in order to strengthen its requirements. These amendments would 
benefit markets and market participants by reducing the likelihood, 
severity, and duration of market disruptions arising from systems 
issues, among both current and new SCI entities, whether such events 
may originate from natural disasters, third-party provider service 
outages, cybersecurity events, hardware or software malfunctions, or 
any other sources.\696\ Decreasing the number of trading interruptions 
can improve price discovery and liquidity because such interruptions 
interfere with the process through which relevant information gets 
incorporated into security prices and may thereby temporarily disrupt 
liquidity flows.\697\ Trading interruptions in one security can also 
affect securities trading in other markets. For example, an 
interruption in the market for index options and other securities that 
underlie derivatives securities could harm the price discovery process 
for derivatives securities, and liquidity flows between the stock 
market and derivatives markets could be restricted. For this reason, 
market-based incentives alone are unlikely to result in optimal 
provision of SCI-related services. In this context, having plans and 
procedures in place to prepare for and respond to system issues is 
beneficial,\698\ and the proposed amendments to Regulation SCI would 
help ensure that the infrastructure of the U.S. securities markets 
remains robust, resilient, and secure. A well-functioning financial 
system is a public good.
---------------------------------------------------------------------------

    \696\ For example, the Ponemon Institute's 2016 Cost of Data 
Center Outages report estimates the average cost per minute of an 
unplanned outage was $8,851 for the average data center the 
Institute surveyed in 2016. See Ponemon Institute, 2016 Cost of Data 
Center Outages 14 (Jan. 19, 2016) available at https://www.vertiv.com/globalassets/documents/reports/2016-cost-of-data-center-outages-11-11_51190_1.pdf. Also, although it is difficult to 
estimate the total cost of a cyberattack at an SCI entity, a 
potential effect of a cyberattack involving an SCI entity is a data 
breach. According to IBM's 2022 Cost of a Data Breach report, 
the average cost of a data breach in the United States is $9.44 
million, and the report added that ``[f]or 83% of companies, it's 
not if a data breach will happen, but when. Usually more than 
once.'' See IBM, 2022 Cost of a Data Breach, available at 
https://www.ibm.com/reports/data-breach#:~:text=Average%20cost%20of%20a%20data,million%20in%20the%202020%20report. 
Relatedly, another study reports that in 2020 the 
average loss in the financial services industry was $18.3 million 
per company per incident. The average cost of a financial services 
data breach was $5.85 million. See Jennifer Rose Hale, The Soaring 
Risks of Financial Services Cybercrime: By the Numbers, Diligent 
(Apr. 9, 2021), available at https://www.diligent.com/insights/financial-services/cybersecurity/#.
    \697\ See Osipovich, Alexander, NYSE Glitch Causes Erroneous 
Prices in Hundreds of Stocks, Wall St. J. (online edition) (Jan. 24, 
2023), available at https://www.wsj.com/articles/dozens-of-nyse-stocks-halted-in-opening-minutes-after-wild-price-swings-11674585962 
(retrieved from Factiva database).
    \698\ For example, according to the IBM Report, in the context 
of system issues arising from cybersecurity events, having an 
incident response plan and ``testing that plan regularly can help 
[each firm] proactively identify weaknesses in [its] cybersecurity 
and shore up [its] defenses'' and ``save millions in data breach 
costs.'' See 2022 Cost of a Data Breach, supra note 696. See also 
Alex Asen et al., Are You Spending Enough on Cybersecurity (Feb. 19, 
2020), available at https://www.bcg.com/publications/2019/are-you-spending-enough-cybersecurity (noting ``[a]s the world becomes ever 
more reliant on technology, and as cybercriminals refine and 
intensify their attacks, organizations will need to spend more on 
cybersecurity'').
---------------------------------------------------------------------------

    The Commission recognizes that the proposed amendments to 
Regulation SCI would impose costs on SCI entities, as well as costs on 
certain members, participants, customers (in the case of SCI broker-
dealers), or third-party providers of SCI entities. The majority of 
these costs would be direct compliance costs, which are discussed in 
detail below for each requirement of proposed Regulation SCI. For 
current SCI entities, these costs would relate to the areas of 
Regulation SCI that are being amended. For new SCI entities, the costs 
would relate to complying with the entirety of Regulation SCI, 
including the proposed amendments. For current SCI entities, these 
costs may be mitigated to the extent the SCI entity's current business 
practices are already consistent with the proposed requirements, and 
if, as a result of compliance, the SCI entity avoids the costs 
associated with a systems failure or breach. Likewise, for new SCI 
entities, these costs may be mitigated to the extent the SCI entity's 
current business practices are already consistent with the requirements 
of Regulation SCI, including the proposed amendments, and if, as a 
result of compliance, the SCI entity avoids the costs associated with a 
systems failure or breach.
    Some portion of compliance costs could be economic transfers. This 
may be the case if compliance with a particular provision entails 
making use of certain third-party providers, and the market for third-
party provider services is not itself competitive.\699\ In such a case, 
third-party providers would make economic profits from the services 
they offer and the fees they charge, and some of the services fees 
charged would be economic transfers from SCI entities to third-party 
providers.
---------------------------------------------------------------------------

    \699\ See, e.g., Yoon-Ho Alex Lee, SEC Rules, Stakeholder 
Interests, and Cost-Benefit Analysis, 10 Mkts L.J. 311 (2015), 
available at https://papers.ssrn.com/sol3/papers.cfm?abstract_id=2541805 (retrieved from SSRN Elsevier 
database); Yoon-Ho Alex Lee, The Efficiency Criterion of Securities 
Regulation: Investor Welfare or Total Surplus?, 57 Ariz. L. Rev. 85 
(2015), available at https://papers.ssrn.com/sol3/papers.cfm?abstract_id=2406032 (retrieved from SSRN Elsevier 
database).
---------------------------------------------------------------------------

    The proposed amendments could have other potential costs. For 
example, entities covered by the proposed rule frequently would need to 
make systems changes to comply with new and amended rules and 
regulations under Federal securities laws and SRO rules. For entities 
that meet the definition of SCI entity, because they would need to 
comply with the proposed amendments when they make systems changes, the 
proposed amendments could increase the costs and time needed to make 
systems changes to comply with new and amended rules and regulations. 
The Commission requests comment on the nature of such additional costs 
and time.
Request for Comment
    The Commission requests comment on all aspects of the Overall 
Benefits and Costs of Proposed Amendments discussion. In addition, the 
Commission is requesting comment on the following specific aspects of 
the discussion:
    97. For new SCI entities, what activities do you currently perform 
(either because you are required to or you have chosen to voluntarily) 
that are already consistent with the requirements of Regulation SCI?
    98. For new SCI entities and current SCI entities, can compliance 
with Regulation SCI result in the benefits the Commission describes in 
the analysis?
    99. Are commenters aware of any data that can be used to quantify 
any aspects of benefits?
    100. The Commission seeks commenters' views regarding the 
prospective costs, as well as the potential benefits, of applying 
Regulation SCI to SBSDRs. Are there characteristics specific to SBSDRs 
or the SBS market that would make applying Regulation SCI broadly or 
any specific provision or proposed new provision of Regulation SCI 
challenging for

[[Page 23238]]

SBSDRs? How much time would an SBSDR reasonably need to come into 
compliance with Regulation SCI as proposed? Commenters should quantify the 
costs of applying Regulation SCI to SBSDRs, to the extent possible. 
Commenters are urged to address specifically each requirement of 
Regulation SCI and note whether it would be reasonable to apply each 
such requirement to SBSDRs and what the benefits and costs of such 
application would be.
    101. For current SCI entities, what activities do you currently 
perform that are already consistent with the proposed amendments that 
seek to strengthen the obligations of SCI entities?
    102. Are the Commission's estimates of incremental compliance costs 
owing to these proposed amendments reasonable? Please note that the Commission 
does not purport to estimate the total costs of all activities SCI 
entities will perform in promoting the capacity, integrity, resiliency, 
availability, and security of their automated systems. The Commission's 
estimates pertain only to the increase in costs that will arise 
directly as a result of having to comply with the specific provisions 
of the proposed rules to the extent the covered entity has not already 
been performing such activities on its own or pursuant to other 
relevant rules or regulations.
    103. What activities do you currently perform that go beyond the 
proposed amendments to Regulation SCI?
    104. For current SCI entities, will compliance with the proposed 
amendments to Regulation SCI result in performing activities that go 
significantly above and beyond their current approach to promoting the 
capacity, integrity, resiliency, availability, and security of their 
automated systems? In other words, will these new rules require a 
significant rearranging of their resources beyond what they are already 
complying with voluntarily?
    105. What are the costs of Regulation SCI? Are commenters aware of 
any data that can be used to quantify any aspects of costs?
2. Expansion to New SCI Entities
    The Commission proposes to expand the definition of SCI entity to 
encompass SBSDRs, certain broker-dealers, and additional clearing 
agencies exempted from registration. These entities are key market 
participants that play a significant role in the U.S. securities 
markets and, in the event of a systems issue, they have the potential 
to impact investors, the overall market, or the trading of individual 
securities. Under the proposed amendments, the new SCI entities would 
become subject to all provisions of Regulation SCI, including the 
provisions that the Commission proposes to amend for SCI entities, as 
discussed in section III.C of this release. We discuss in this section 
the entities to which Regulation SCI would be extended, including the 
rationale for doing so. The benefits and costs associated with applying 
each of the Regulation SCI requirements to these entities are 
subsequently discussed in section V.D.3.
    The Commission preliminarily estimates that as a result of the 
proposed amendments to the definition of ``SCI entity'' in Rule 1000, 
there would be a total of 21 new SCI entities that would become subject 
to the requirements of Regulation SCI. These include 2 SBSDRs, 17 SCI 
broker-dealers, and 2 exempt clearing agencies.\700\ Generally, 
inclusion of these new SCI entities in the amended definition is 
expected to help ensure systems resiliency at such entities and reduce 
the potential for incidents at these entities to have broad, disruptive 
effects across the securities markets and for investors. Furthermore, 
applying Regulation SCI to these entities increases market protections 
by establishing these obligations under the Exchange Act so that the 
Commission may enforce them directly and examine for compliance and 
provides a uniform requirement for all SCI entities.
---------------------------------------------------------------------------

    \700\ The Commission is estimating 23 new SCI entities in the 
PRA section based on the PRA's forward-looking requirement to 
account for persons to whom a collection of information is addressed 
by the agency within any 12-month period. But for purposes of the 
Economic Analysis, this section analyzes the baseline of existing 
entities that will be new SCI entities and then predicts the cost to 
those entities if the rule were to be adopted. Accordingly, the 
Economic Analysis assumes 21, rather than 23, new SCI entities.
---------------------------------------------------------------------------

a. SBSDRs
    Currently, two SBSDRs are registered with the Commission and are 
subject to Rule 13n-6. The SBSDRs registered with the Commission are 
also registered with the CFTC as swap data repositories (SDRs) and 
accordingly, with respect to systems of concern to the CFTC, are 
subject to CFTC rules and regulations related to swap data 
repositories, including the CFTC's System Safeguards rule.
    Systems failures at SBSDRs can limit access to data, call into 
question the integrity of data, and prevent market participants from 
reporting and receiving transaction data, and thereby have a large 
impact on market confidence, risk exposure, 
and market efficiency. For example, were an SBSDR to experience a 
systems issue, market participants could be prevented from receiving 
timely information regarding accurate prices for individual SBSs--such 
as aggregate market exposures to referenced entities (instruments), 
positions taken by individual entities or groups, and data elements 
necessary for a person to determine the market value of the 
transaction.\701\ This could contribute to market instability.
---------------------------------------------------------------------------

    \701\ See Access to Data Obtained by Security-Based Swap Data 
Repositories, Securities Exchange Act Release No. 78716 (Aug. 29, 
2016), 81 FR 60585, 60594, 60605-6 (Sep. 2, 2016). In that release, 
the Commission estimates that approximately 300 relevant authorities 
may make requests for data from security-based swap data 
repositories.
---------------------------------------------------------------------------

    Having SBSDRs comply with Regulation SCI would reduce the risk of 
system issues at SBSDRs and allow continued transparency and access to 
data. As noted above in the baseline, SBSDRs are currently subject to 
Rule 13n-6, which requires an SBSDR to ``establish, maintain, and 
enforce written policies and procedures reasonably designed to ensure 
that its systems provide adequate levels of capacity, integrity, 
resiliency, availability, and security.'' However, as described in 
detail below, the requirements of Regulation SCI that go beyond those 
required in Rule 13n-6--such as policies and procedures that include 
specific elements for infrastructure planning, up-to-date system 
development and testing methodology, regular systems reviews and 
testing, BC/DR planning, monitoring for SCI events, and standards to 
facilitate successful collection, processing, and dissemination of 
market data--should deliver benefits beyond those currently achieved 
through Rule 13n-6.
    The coverage of SBSDRs under the proposed amendments to Regulation 
SCI would augment the current principles-based requirements for 
policies and procedures on operational risk with detailed, more 
specific requirements to help ensure that SBSDR market systems are 
robust, resilient, and secure and that policies and procedures in place 
at SBSDRs meet requirements necessary to maintain the robustness of 
critical systems.
b. SCI Broker-Dealers
    The Commission proposes to include certain broker-dealers--to be 
referred to as ``SCI broker-dealers''--in the definition of SCI entity. 
This expansion would be limited to broker-dealers that exceed one or 
more size thresholds. The first proposed threshold is a total assets 
test. This test scopes within Regulation SCI any broker-dealers with 
five percent

[[Page 23239]]

(5%) or more of the total assets \702\ of all security brokers and 
dealers during at least two of the four preceding calendar quarters 
ending March 31, June 30, September 30, and December 31. The second 
proposed threshold is a transaction activity test. This test scopes 
within Regulation SCI any broker-dealer that transacted ten percent 
(10%) or more of the total average daily dollar volume by applicable 
reporting entities during at least four of the preceding six calendar 
months in any of the following asset classes: NMS stocks, exchange-
listed options contracts, Agency Securities, or U.S. Treasury 
Securities.
---------------------------------------------------------------------------

    \702\ See supra note 169.
---------------------------------------------------------------------------

    The Commission proposes to limit the definition of ``SCI systems'' 
for an SCI broker-dealer that qualifies as an SCI entity solely because 
it satisfies one or more transaction activity thresholds.\703\ 
only those systems that relate to the asset class for which the trading 
activity threshold is met (i.e., NMS stocks, exchange-listed options 
contracts, Treasury Securities, or Agency Securities) would be ``SCI 
systems'' or ``indirect SCI systems.'' \704\ Broker-dealers may have 
multiple business lines and transact in different types of securities, 
and the proposal reflects the Commission's preliminary conclusion that 
systems related to asset classes that do not meet the rule's 
transaction activity threshold are unlikely to pose risk to the 
maintenance of fair and orderly markets if the systems with respect to 
that type of security were unavailable (assuming the systems for the 
distinct asset class are separate) relative to the burden of complying 
with the regulation's more stringent requirements.
---------------------------------------------------------------------------

    \703\ See section III.A.2.b(iv).
    \704\ See section III.A.2.b(iv). As explained above in section 
III.A.2.b.v, although crypto asset securities are not a separately 
enumerated asset class for the volume threshold, the SCI systems and 
indirect SCI systems pertaining to crypto asset securities that are 
NMS stocks, exchange-listed options, U.S. Treasury Securities, or 
Agency securities would be subject to Regulation SCI, including as 
it is proposed to be amended, as discussed in section III.C, with 
respect to the asset class for which the SCI broker-dealer satisfies 
the threshold.
---------------------------------------------------------------------------

    In contrast, no such limitation applies to an SCI broker-dealer 
that qualifies as an SCI entity because it satisfies the total assets 
threshold. In this case, broker-dealers that qualify as SCI entities 
due to the total assets threshold are subject to Regulation SCI 
requirements for all of their applicable systems, regardless of the asset 
classes such systems relate to.\705\ As discussed in section 
III.A.2.b.iii, this approach with respect to the total assets threshold 
takes into consideration the multiple roles that the largest broker-
dealers play in the U.S. securities markets. Not only do some of the 
largest broker-dealers generate liquidity in multiple types of 
securities, but many also operate multiple types of trading platforms. 
Entities with assets at this level also take risks that they may seek 
to hedge across asset classes, in some cases using ``central risk 
books'' for that and other purposes, and engage in routing substantial 
order flow to other trading venues. For these reasons, the Commission 
believes that systems issues at firms having assets at this level could 
have the potential to impact investors, the overall market, and the 
trading of individual securities, following a systems failure in any 
market in which they operate.
---------------------------------------------------------------------------

    \705\ As explained above, any system of an SCI broker-dealer 
meeting the total asset threshold that pertains to any type of 
security, including crypto asset securities, that meets the 
definition of SCI systems or indirect SCI systems would be covered 
by Regulation SCI.
---------------------------------------------------------------------------

    The Commission estimates that there would be 17 SCI broker-dealers, 
five of which would satisfy both the total assets threshold and at 
least one of the transaction activity thresholds, and twelve others of 
which would satisfy at least one of the transaction activity 
thresholds.\706\ As discussed in section V.B.1.b.i, figure 6 (Panel A) 
shows the distribution of all registered broker-dealer firms between Q4 
2021 and Q3 2022 by level of total assets. Figure 6 (Panel B) 
represents the distribution of all registered broker-dealer firms by 
percentage of aggregate total assets.\707\ It shows that five firms 
accounted for roughly half of broker-dealer aggregate total assets and 
thus each could pose a substantial risk to the maintenance of fair and 
orderly markets in the event of a systems issue. During all four 
quarters from Q4 2021 to Q3 2022, all five firms reported to the 
Commission, on Form X-17A-5 (Sec.  249.617), total assets in an amount 
that equals five percent (5%) or more of the total assets of all 
security brokers and dealers.\708\ Figures 7 through 10 represent the 
distribution by level of transaction activity as measured by average 
daily dollar volume \709\ (Panel A) and the distribution of firms by 
percentage of transaction activity \710\ (Panel B) for each of four 
asset classes including NMS stocks, exchange-listed options, U.S. 
Treasury Securities, and Agency Securities respectively.\711\ These 
figures clearly show that a few firms consistently accounted for a 
significant percentage of transaction activity over the six-month 
period and thus each could pose a substantial risk to the maintenance 
of fair and orderly markets in the event of a systems issue. During at 
least four months of the six-month period, six NMS stocks trading 
firms, six exchange-listed options contracts trading firms, four U.S. 
Treasury Securities trading firms, and six Agency Securities trading 
firms transacted average daily dollar volume in an amount that equals 
ten percent (10%) or more of the total average daily dollar volume of 
the corresponding markets. Most of these firms transacted more than ten 
percent (10%) during all six months.\712\
---------------------------------------------------------------------------

    \706\ See section III.A.2.b(iv).
    \707\ Panel A and Panel B in figure 6 show the same information 
as in figure 1 in section V.B.1.b.i., but with 5% threshold lines 
added. The threshold line in Panel A shows the average of 5% of 
aggregate total assets in each quarter from Q4 2021 to Q3 2022.
    \708\ Each of these firms would satisfy the proposed total 
assets thresholds for an ``SCI broker-dealer''. See section 
III.A.2.b.iii (discussing proposed thresholds for an ``SCI broker-
dealer'').
    \709\ These measures are described in more detail in section 
III.A.2.b.iii.
    \710\ Id.
    \711\ Panel A and Panel B in figures 7 through 10 show the same 
information as in figures 2 through 5 in section V.B.1.b.i., but 
with 10% threshold lines added. The threshold line in each Panel A 
shows the average of 10% of aggregate average daily dollar volume 
reported to the plan processors (SIPs) of the CTA/CQ Plans and 
Nasdaq UTP Plan, OPRA Plan, or FINRA TRACE in each respective asset 
class from Jan. 2022 to June 2022. The threshold line in each Panel 
B equals 10%.
    \712\ Each of these firms would satisfy the proposed transaction 
activity thresholds for an ``SCI broker-dealer''. See section 
III.A.2.b.iii (discussing proposed thresholds for an ``SCI broker-
dealer'').
---------------------------------------------------------------------------

    These large broker-dealers, by virtue of the total assets or 
transaction activity each represents over a period of time, play a 
significant role in the orderly functioning of U.S. securities markets. 
If such a broker-dealer was adversely affected by a system issue, then 
the impact could not only affect the broker-dealer's own customers, but 
also disrupt the overall market, by compromising or removing 
significant liquidity from the market, interrupting the price discovery 
process, or indirectly contributing to capacity issues at other broker-
dealers.\713\
---------------------------------------------------------------------------

    \713\ See section III.A.2.b(iv).
---------------------------------------------------------------------------

    Application of Regulation SCI is expected to reduce the likelihood 
of system issues at these largest broker-dealers as well as mitigate 
the effects of any such event. While it is possible that these broker-
dealers may have systems in place due to market-based incentives, there 
are reasons to believe that these incentives may be insufficient. 
First, as mentioned in section V.C.1, a well-functioning financial 
system is a public good.\714\ Second, investment in SCI

[[Page 23240]]

systems takes the form of a hidden-action problem. As such, due to 
principal-agent conflict, it may not be possible for customers or 
counterparties to observe the degree of investment in SCI systems and 
thus to impose market-based discipline against underinvestment. In this 
case, a broker-dealer's investment in SCI systems would offer benefits 
to customers and counterparties who might incur switching costs to find 
a different broker if a substantial systems issue occurred. These 
benefits are likely to be especially high for market participants who 
rely on a single counterparty (such as is sometimes the case in 
Treasury securities and prime brokerage relationships), and for retail 
investors who have invested in the relationship with a single retail 
broker.
---------------------------------------------------------------------------

    \714\ Since broker-dealers are not compensated for the positive 
impact that their systems investments have on other entities, they 
lack sufficient incentives to invest on others' behalf. See, for 
instance, Mazaher Kianpour et al., Advancing the concept of 
cybersecurity as a public good, 116 Simulation Modeling Practice and 
Theory 102493 (2022).
---------------------------------------------------------------------------

[Figures 6 through 10 (graphics TP14AP23.005 through TP14AP23.009) omitted: figure 6 shows the distribution of registered broker-dealer firms by level of total assets (Panel A) and by percentage of aggregate total assets (Panel B) with 5% threshold lines; figures 7 through 10 show the distribution of firms by average daily dollar volume (Panel A) and by percentage of transaction activity (Panel B) for NMS stocks, exchange-listed options, U.S. Treasury Securities, and Agency Securities respectively, with 10% threshold lines]

[[Page 23241]]

[[Page 23242]]

c. Additional Exempt Clearing Agencies
    The proposed amendments would expand the scope of exempt clearing 
agencies covered by Regulation SCI to include two new exempt clearing 
agencies: Euroclear Bank SA/NV and Clearstream Banking, S.A. These 
exempt clearing agencies are not currently subject to Regulation SCI 
because Regulation SCI was initially limited to those exempt clearing 
agencies that were ``subject to ARP'' and these exempt clearing 
agencies are not subject to ARP. At the time it adopted Regulation SCI, 
the Commission stated it was taking a measured approach in applying 
requirements primarily to entities already covered under the ARP 
Inspection Program.\715\
---------------------------------------------------------------------------

    \715\ SCI Adopting Release, supra note 1, at 72259.
---------------------------------------------------------------------------

    The exempt clearing agencies not subject to ARP that the Commission 
proposes to scope into Regulation SCI provide CSD functions for 
transactions in U.S. securities between U.S. and non-U.S. persons using 
similar technologies as registered clearing agencies that are subject 
to Regulation SCI.\716\ The technology systems that underpin operations 
of these exempt clearing agencies are critical systems that centralize 
and automate clearance and settlement functions for the global 
financial markets.\717\ Such systems concentrate risk in the clearing 
agency.\718\ A disruption to a clearing agency's operations, or failure 
on the part of a clearing agency to meet its obligations, could 
therefore serve as a source of contagion, resulting in significant 
costs not only to the clearing agency itself and its participants but 
also to other market participants across the U.S. financial 
system.\719\ For example, an SCI event could cause a delay or 
disruption in the settlement process with respect to certain 
securities, leading to a decrease in liquidity. Trading firms could be 
unwilling or unable to enter into new positions should prior trades 
suffer settlement timing delays requiring posting of additional margin 
at clearing agencies and the assumption of additional risk by trading 
firms.
---------------------------------------------------------------------------

    \716\ See section III.A.2.c.
    \717\ See section III.A.2.c.
    \718\ See generally Albert J. Menkveld & Guillaume Vuillemey, 
The Economics of Central Clearing, 13 Ann. Rev. Fin. Econ. 153 
(2021), available at https://papers.ssrn.com/sol3/papers.cfm?abstract_id=3957021 (retrieved from SSRN Elsevier 
database). See also Paolo Saguato, Financial Regulation, Corporate 
Governance, and the Hidden Costs of Clearinghouses, 82 Ohio St. L.J. 
1071, 1074-75 (2022), available at https://papers.ssrn.com/sol3/papers.cfm?abstract_id=3269060 (retrieved from SSRN Elsevier 
database) (``[T]he decision to centralize risk in clearinghouses 
made them critical for the stability of the financial system, to the 
point that they are considered not only too-big-to-fail, but also 
too-important-to-fail institutions.'').
    \719\ See generally Dietrich Domanski, et al., Central Clearing: 
Trends and Current Issues, BIS Q. Rev. (Dec. 2015), available at 
https://www.bis.org/publ/qtrpdf/r_qt1512g.pdf (describing links 
between CCP financial risk management and systemic risk); Darrell 
Duffie, et al., Policy Perspectives on OTC Derivatives Market 
Infrastructure, Fed. Res. Bank N.Y. Staff Rep. No. 424, at 9 (Mar. 
2010), available at https://ssrn.com/abstract=1534729 (retrieved 
from SSRN Elsevier database) (``If a CCP is successful in clearing a 
large quantity of derivatives trades, the CCP is itself a 
systemically important financial institution. The failure of a CCP 
could suddenly expose many major market participants to losses. Any 
such failure, moreover, is likely to have been triggered by the 
failure of one or more large clearing agency participants, and 
therefore to occur during a period of extreme market fragility.''); 
Craig Pirrong, The Inefficiency of Clearing Mandates, Policy 
Analysis No. 655, at 11-14, 16-17, 24-26 (July 2010), available at 
https://www.cato.org/pubs/pas/PA665.pdf (stating, among other 
things, that ``CCPs are concentrated points of potential failure 
that can create their own systemic risks,'' that ``[a]t most, 
creation of CCPs changes the topology of the network of connections 
among firms, but it does not eliminate these connections,'' that 
clearing may lead speculators and hedgers to take larger positions, 
that a CCP's failure to effectively price counterparty risks may 
lead to moral hazard and adverse selection problems, that the main 
effect of clearing would be to ``redistribute losses consequent to a 
bankruptcy or run,'' and that clearing entities have failed or come 
under stress in the past, including in connection with the 1987 
market break); Glenn Hubbard et al., Report of the Task Force on 
Financial Stability 96, Brookings Inst. (June 2021), available at 
https://www.brookings.edu/wp-content/uploads/2021/06/financial-stability_report.pdf (``In short, the systemic consequences from a 
failure of a major CCP, or worse, multiple CCPs, would be severe. 
Pervasive reforms of derivatives markets following 2008 are, in 
effect, unfinished business; the systemic risk of CCPs has been 
exacerbated and left unaddressed.''); Froukelien Wendt, Central 
Counterparties: Addressing their Too Important to Fail Nature (IMF 
Working Paper No. 15/21, Jan. 2015), available at https://www.imf.org/external/pubs/ft/wp/2015/wp1521.pdf (assessing the 
potential channels for contagion arising from CCP 
interconnectedness); Manmohan Singh, Making OTC Derivatives Safe--A 
Fresh Look (IMF Working Paper No. 11/66, Mar. 2011), at 5-11, 
available at https://www.imf.org/external/pubs/ft/wp/2011/wp1166.pdf 
(retrieved from SSRN Elsevier database) (addressing factors that 
could lead central counterparties to be ``risk nodes'' that may 
threaten systemic disruption).
---------------------------------------------------------------------------

    Notably, Euroclear Bank SA/NV and Clearstream Banking, S.A. are 
already subject to Europe's CSDR, which has Operational Risk rules 
(Article 45) that include many requirements that may align with those 
in Regulation SCI.\720\ Additionally, the Commission exemptive order 
for one of the exempt clearing agencies requires certain provisions 
that are consistent with those in Regulation SCI.
---------------------------------------------------------------------------

    \720\ The two exempt clearing agencies may also be subject to 
the EU Regulation, the Digital Operational Resilience Act (DORA), 
which went into effect in 2015: https://eur-lex.europa.eu/legal-content/EN/TXT/?uri=CELEX%3A52020PC0595.
---------------------------------------------------------------------------

3. Specific Benefits and Costs of Regulation SCI Requirements for All 
SCI Entities
a. Rule 1001--Policies and Procedures
    Rule 1001(a) through (c) sets forth requirements relating to the 
written policies and procedures that SCI entities are required to 
establish, maintain, and enforce. New SCI entities will need to comply 
with these requirements for the first time. In addition, the Commission 
is proposing to amend portions of Rule 1001(a), which will affect 
existing SCI entities as well. We discuss the benefits and costs of 
applying existing provisions to new SCI entities, as well as the 
benefits and costs of the amendments for both new and existing 
entities, below. We also discuss below the economic effects of these 
changes specific to the new SCI entities.
i. Benefits
(1) Provisions Applicable Only to New SCI Entities
    Rule 1001 requires certain policies and procedures for SCI 
entities. We consider here the provisions under Rule 1001 that we are 
not amending and that therefore will have an impact only on new SCI entities, 
relative to the baseline. We separately consider the provisions that we 
propose to amend in the following section, for both new and existing 
SCI entities.
(i) Capacity, Integrity, Resiliency, Availability, and Security (Rule 
1001(a)(1), (a)(2)(i) Through (iv), (vi), and (vii))
    Rule 1001(a)(1) requires that each SCI entity establish, maintain, 
and enforce written policies and procedures reasonably designed to 
ensure that its SCI systems and, for purposes of security standards, 
indirect SCI systems, have levels of capacity, integrity, resiliency, 
availability, and security, adequate to maintain the SCI entity's 
operational capability and promote the maintenance of fair and orderly 
markets. Rule 1001(a)(2)(i) through (iv), (vi), and (vii) prescribe 
certain minimum requirements for an SCI entity's policies and 
procedures. The Commission is not amending paragraphs (a)(1) and 
(a)(2)(i) through (iv), (vi), or (vii), and therefore current SCI 
entities will not be affected whereas new SCI entities will become 
subject to these provisions for the first time.
    Generally, the requirements to establish policies and procedures in 
Rule 1001(a)(1) should help ensure more robust systems that help reduce 
the risk and incidence of systems issues affecting the markets by 
imposing requirements on new entities that are

[[Page 23243]]

not currently subject to Regulation SCI and by covering systems and 
events that are not currently within the scope of existing regulations 
and current practices.\721\ In addition, the required policies and 
procedures may help new SCI entities recover more quickly from SCI 
events that do occur.
---------------------------------------------------------------------------

    \721\ The potential adverse effects of systems failures are 
described in section V.C.2. for each type of new SCI entity. 
Benefits to new SCI entities from a reduction in the risk and 
incidents of systems issues would arise from a reduction in these 
adverse effects.
---------------------------------------------------------------------------

    Application of Rule 1001(a)(2)(i) through (iv), (vi), and (vii) to 
the new SCI entities is expected to benefit securities markets and 
market participants by leading to the establishment, maintenance, and 
enforcement of policies and procedures for these entities related to 
current and future capacity planning; periodic stress testing; systems 
development and testing methodology; reviews and testing to 
identify vulnerabilities; standards for market data collection, 
processing, and dissemination; and monitoring to identify potential 
systems problems. These requirements should reduce the risk and 
incidence of systems issues, such as systems disruptions and systems 
intrusions. This, in turn, could reduce interruptions in the price 
discovery process and liquidity flows. Systems issues that directly 
inhibit execution facilities, order matching, and dissemination of 
market data could cause slow executions or delayed orders, or cause 
inoperability of an SCI entity for a period of time. If executions were 
delayed by a systems disruption in an SCI system related to a trading, 
order routing, clearance and settlement, or market data system, given 
the magnitude of the transaction activity in which SCI entities 
consistently engage, the delay could have cascading effects disruptive 
to the broader market.\722\
---------------------------------------------------------------------------

    \722\ See supra note 197.
---------------------------------------------------------------------------

    In addition, Rule 1001(a)(2)(vi) provides that an SCI entity's 
policies and procedures must include standards that result in systems 
being designed, developed, tested, maintained, operated, and surveilled 
in a manner that facilitates the successful collection, processing, and 
dissemination of market data. Rule 1001(a)(2)(vi) is expected to help 
ensure that timely and accurate market data are made available by new 
SCI entities. Market participants rely on market data in a variety of 
ways, including for making markets, formulating trading algorithms, and 
placing orders, among others. Although new SCI entities currently 
facilitate the successful collection, processing, and dissemination of 
market data, improvements in timeliness and accuracy of the generation 
of market data inputs would help further ensure pricing efficiencies 
and uninterrupted liquidity flows in markets.
    Similarly, by requiring policies and procedures for monitoring 
systems to identify potential SCI events, Rule 1001(a)(2)(vii) may help 
ensure that new SCI entities identify potential SCI events, which could 
allow them to prevent some SCI events from occurring or to take timely 
appropriate corrective action after the occurrence of SCI events. As 
discussed above, reducing the frequency and duration of SCI events or 
reducing the duration of SCI events that disrupt markets would reduce 
pricing inefficiencies and promote price discovery and liquidity.
    In general, setting forth policies and procedures with regard to 
capacity planning, stress testing, systems development and testing 
methodology, and reviews and testing to identify vulnerabilities could 
yield benefits to market participants and new SCI entities, including a 
potential reduction in the likelihood, duration, or severity of SCI 
events, thus helping to contain losses from these events, as described 
above.\723\ Capacity planning and stress testing are necessary to help 
an SCI entity determine its systems' ability to process transactions in 
an accurate, timely, and efficient manner, and thereby help ensure 
market integrity. Systems development and testing are important in 
ensuring the reliability and resiliency of SCI systems. The potential 
adverse effects of systems failures are described in section V.C.2. for 
each type of new SCI entity. More reliable and resilient systems should 
help reduce the occurrence of SCI events and improve systems uptime for 
the new SCI entities, and thus possibly result in a reduction in losses 
due to SCI events and a reduction in these adverse effects. 
Furthermore, the use of inadequately tested software in production 
could result in substantial losses to market participants if it does 
not function as intended. For instance, if software malfunctions, it 
might not execute or route orders as intended and also could have 
unintended effects on quoted prices and the actual prices at which 
orders execute. Additionally, if a system's capacity thresholds are 
improperly estimated, it may become congested, resulting in higher 
indirect transaction costs due to lower execution quality (e.g., 
decrease in order fill rates).
---------------------------------------------------------------------------

    \723\ See section V.D.1.
---------------------------------------------------------------------------

    The Commission recognizes that the new SCI entities are subject to 
existing policies and procedures obligations as discussed in the 
baseline. Pursuant to those obligations, the new SCI entities may 
already engage in practices that are similar to certain requirements 
under Regulation SCI. To the extent that the existing policies and 
procedures are similar to those reflected in Regulation SCI, the 
magnitude of the costs and benefits discussed above that stem from the 
application of those policies and procedures will be correspondingly 
reduced. However, costs and benefits that arise from obligations under 
Regulation SCI that differ from those existing obligations, such as 
reporting to the Commission, will be maintained.
    While some of the existing regulations that apply to the proposed 
new SCI entities may be consistent with or similar to the policy and 
procedure requirements of Regulation SCI discussed in this section, the 
Commission believes it is nevertheless appropriate to apply these 
policy and procedure requirements to the new SCI entities and doing so 
would benefit participants in the securities markets in which these 
entities operate. Applying Regulation SCI to these entities increases 
market protections by establishing these obligations under the Exchange 
Act so that the Commission may enforce them directly and examine for 
compliance and provides a uniform mandatory requirement that will 
ensure their continued application.
    In addition, some new SCI entities may already be voluntarily 
implementing policies and procedures consistent with the requirements 
of Regulation SCI. The magnitude of the benefits (and associated costs, 
as discussed below) from the policy and procedure requirements in Rule 
1001(a)(1) and (a)(2)(i) through (iv), (vi), and (vii) for the new SCI 
entities will therefore depend on 
the extent to which their current operations already align with the 
rule's requirements, given both existing regulation and current 
practice. However, the Commission believes the application of 
Regulation SCI is still necessary. For example, while SBSDRs that also 
function as SDRs in the swap markets may currently apply the CFTC 
rules to their security-based swap markets as well as their swap 
markets, the CFTC rules only apply to their swap market SDR systems. 
Therefore, applying Regulation SCI to SBSDRs would help to ensure that 
the systems relevant to the securities markets are subject to a 
requirement to have levels of capacity, integrity, resiliency, 
availability, and security adequate to maintain their operational 
capability and promote the maintenance of fair

[[Page 23244]]

and orderly markets and are subject to enhanced Commission oversight.
    Additionally, with respect to SBSDRs, the requirements of 
Regulation SCI are more specific and comprehensive than the principles-
based requirements of Rule 13n-6. The requirements of Regulation SCI 
would thus exist and operate in conjunction with Rule 13n-6, helping 
ensure that SBSDR market systems are robust, resilient, and secure and 
enhancing Commission oversight of these systems.
    Similarly, application of Regulation SCI to broker-dealers would 
complement existing requirements and enhance the policies and 
procedures already in place for these entities. For example, the Market 
Access Rule prescribes specific controls and procedures around a 
broker-dealer entering orders on an exchange or ATS, but the policy and 
procedure requirements of Regulation SCI are broader in scope and are 
designed to ensure that the key technology pervasive and important to 
the functioning of the U.S. securities markets is robust, resilient, 
and secure. Further, the SCI review requirement obligates an SCI entity 
to assess the risks of its systems and effectiveness of its technology 
controls at least annually, identify weaknesses, and ensure compliance 
with the safeguards of Regulation SCI. In addition, with respect to the 
requirements concerning the collection, processing, and dissemination 
of market data, Regulation SCI extends beyond existing requirements to 
include SCI systems directly supporting proprietary market data, which 
will provide additional benefits to market participants. Further, while 
Rule 17a-3 has a notification requirement when a broker-dealer fails to 
make and keep current the records required by that Rule, Regulation SCI 
more directly addresses mitigating the impact of technology failures 
with respect to SCI systems and indirect SCI systems (which include 
systems that are not used to make and keep current the records required 
by Rule 17a-3) and requires notifications to the Commission for a 
different set of events--systems intrusions, systems compliance issues, 
and systems disruptions--than the notification requirements of 17 CFR 
240.17a-11 (``Rule 17a-11'').
    Likewise, while FINRA Rule 4370 requires broker-dealers to maintain 
business continuity and disaster recovery plans, it does not include 
the requirement that the business continuity and disaster recovery 
plans be reasonably designed to achieve next business day resumption of 
trading and two-hour resumption of critical SCI systems following a 
wide-scale disruption, nor does it require the functional and 
performance testing and coordination of industry or sector-testing of 
such plans, which are instrumental in achieving the goals of Regulation 
SCI with respect to SCI entities.
    Finally, with respect to the exempt clearing agencies not subject 
to ARP, subjecting these entities to the policy and procedure 
requirements of Regulation SCI will ensure that uniform, minimum 
requirements regarding capacity, integrity, resiliency, availability, 
and security apply to all exempt clearing agencies. Although some of 
the conditions underlying the exemptive orders for the two exempt 
clearing agencies that would be subject to Regulation SCI under the 
proposed amendments may be consistent with Regulation SCI's policy and 
procedure requirements, the conditions vary across the agencies and in 
their similarity to the Regulation SCI requirements. As these exempt 
clearing agencies and the other entities with which they interact become more 
technologically innovative and interconnected, applying a uniform, 
minimum set of requirements will improve the Commission's oversight and 
better ensure the resiliency of the markets in which they operate.
    Overall, applying the specific and comprehensive requirements set 
forth in Rule 1001(a)(2)(i) through (iv), (vi), and (vii) of Regulation SCI 
to the new SCI entities would create a uniform, mandatory framework 
under the Commission's oversight thereby furthering the goals of 
Regulation SCI to strengthen the technology infrastructure of the U.S. 
securities markets and improve its resilience.
(ii) Systems Compliance (Rule 1001(b))
    Rule 1001(b)(1) requires each SCI entity to establish, maintain, 
and enforce written policies and procedures reasonably designed to 
ensure that its SCI systems operate in a manner that complies with the 
Exchange Act and the rules and regulations thereunder, and the entity's 
rules and governing documents, as applicable. Rule 1001(b)(2)(i) 
through (iv) provides that an SCI entity's policies and procedures 
under Rule 1001(b)(1) must include, at a minimum: (i) testing of all 
SCI systems and any changes to SCI systems prior to implementation; 
(ii) a system of internal controls over changes to SCI systems; (iii) a 
plan for assessments of the functionality of SCI systems designed to 
detect systems compliance issues, including by responsible SCI 
personnel and by personnel familiar with applicable provisions of the 
Exchange Act and the rules and regulations thereunder and the SCI 
entity's rules and governing documents; and (iv) a plan of coordination 
and communication between regulatory and other personnel of the SCI 
entity, including by responsible SCI personnel, regarding SCI systems 
design, changes, testing, and controls designed to detect and prevent 
systems compliance issues.
    These provisions remain unchanged and do not create any new 
requirement for current SCI entities. New SCI entities, however, would 
become subject to these provisions for the first time. The Commission 
recognizes that new SCI entities currently take various measures to 
ensure that their systems operate in a manner that complies with 
relevant laws and rules. The specific requirements of Rule 1001(b) will 
further ensure that new SCI entities operate their SCI systems in 
compliance with the Exchange Act and relevant rules. For example, the 
tests under Rule 1001(b)(2)(i) should help new SCI entities to identify 
potential compliance issues before new systems or systems changes are 
implemented; the internal controls under 17 CFR 242.1001(b)(2)(ii) 
(``Rule 1001(b)(2)(ii)'') should help to ensure that new SCI entities 
remain vigilant against compliance challenges when changing their 
systems and resolve potential noncompliance before the changes are 
implemented; and the systems assessment plans under 17 CFR 
242.1001(b)(2)(iii) (``Rule 1001(b)(2)(iii)'') and the coordination and 
communication plans under Rule 1001(b)(2)(iv) should help technology, 
regulatory, and other relevant personnel of new SCI entities to work 
together to prevent compliance issues, and to promptly identify and 
address compliance issues if they occur.\724\ To the extent that new 
SCI entities operate market regulation and market surveillance systems, 
and to the extent that compliance with Rule 1001(b) reduces the 
occurrence of systems compliance issues, Rule 1001(b) should advance 
investor protection.\725\
---------------------------------------------------------------------------

    \724\ See SCI Adopting Release, at 72422.
    \725\ See id. at 72410 and 72422; see also section III.A.2.b.ii 
(policies and procedures, including those for system compliance, are 
expected to strengthen broker-dealers' operational capabilities 
independent of any specific SCI event affecting their technology 
supporting trading, clearance and settlement, order routing, market 
data, market regulation, and market surveillance).
---------------------------------------------------------------------------

(iii) Responsible SCI Personnel (17 CFR 242.1001(c)(1) (``Rule 
1001(c)(1)''))
    Rule 1001(c)(1) requires an SCI entity to establish, maintain, and 
enforce reasonably designed written policies and procedures that 
include the criteria

[[Page 23245]]

for identifying responsible SCI personnel, the designation and 
documentation of responsible SCI personnel, and escalation procedures 
to quickly inform responsible SCI personnel of potential SCI events. 
This provision remains unchanged and does not create any new 
requirement for current SCI entities. New SCI entities, however, will 
become subject to this provision for the first time.
    Requiring policies and procedures to identify and designate 
responsible SCI personnel and to establish escalation procedures to 
quickly inform such personnel of potential SCI events should help to 
effectively determine whether an SCI event occurred and what 
appropriate actions should be taken without unnecessary delay. As such, 
Rule 1001(c)(1) is expected to reduce the duration of SCI events as new 
SCI entities become aware of them and take appropriate corrective 
actions more quickly. The reduction in the duration of SCI events would 
benefit markets and their participants as it would promote pricing 
efficiency and price discovery.
    The Commission recognizes that the new SCI entities currently have 
certain regulatory obligations that may align with certain requirements 
of Rule 1001(c)(1), as described in the baseline, and in addition the 
new SCI entities may already be voluntarily implementing policies and 
procedures that may align with certain requirements of Rule 1001(c)(1). 
For example, SBSDRs and exempt clearing agencies may have policies and 
procedures that identify roles and responsibilities for key personnel 
as well as appropriate escalation procedures including designation and 
documentation of responsible personnel as noted above.\726\ Likewise, 
as discussed above,\727\ broker-dealers may have policies and 
procedures for designating employees with specific roles and 
responsibilities and escalation procedures documented in their incident 
response plans. As discussed above, the extent of these benefits (and 
related costs, as discussed below) would depend in part on how closely 
the existing policies and procedures of the new SCI entities align with 
the specific requirements of Rule 1001(c)(1).
---------------------------------------------------------------------------

    \726\ See sec. V.B.1.a.ii and V.B.1.c.ii.
    \727\ See section V.B.1.b.ii.
---------------------------------------------------------------------------

(iv) Periodic Reviews of Policies and Procedures and Prompt Remedial 
Actions (Rule 1001(a)(3), (b)(3), (c)(2))
    Rule 1001(a)(3), (b)(3), and (c)(2) require each SCI entity to 
periodically review the effectiveness of the policies and procedures 
required under Rule 1001(a) through (c) related to capacity, integrity, 
resiliency, availability, and security; systems compliance; and 
responsible SCI personnel, respectively, and to take prompt action to 
remedy deficiencies in such policies and procedures. These provisions 
remain unchanged since the adoption of Regulation SCI in 2014, but new 
SCI entities will become subject to them for the first time.
    Requiring periodic review of the policies and procedures and 
remedial actions to address any deficiencies in the policies and 
procedures would help to ensure that new SCI entities maintain robust 
policies and procedures and update them when necessary so that the 
benefits of Rule 1001(a) through (c) as discussed in section V.C.1 
should continue to be realized. For example, Rule 1001(a)(3), (b)(3), 
and (c)(2) should help to decrease the number of trading interruptions 
due to system issues in new SCI entities. It should lead to fewer 
interruptions in the price discovery process \728\ and liquidity flows, 
thus, may result in fewer periods with pricing inefficiencies. Further, 
because interruptions in liquidity flows and the price discovery 
process in one security can affect securities trading in other markets, 
reducing trading interruptions could have broad effects.
---------------------------------------------------------------------------

    \728\ The price discovery process involves trading--buyers and 
sellers arriving at a transaction price for a specific asset at a 
given time. Thus, generally, any trading interruptions would 
interfere with the price discovery process.
---------------------------------------------------------------------------

    As with the other requirements of Regulation SCI previously 
discussed, the Commission acknowledges that the new SCI entities are 
subject to existing regulations, and the extent of the benefits (and 
costs, as discussed below) will depend on how closely their current 
policies and procedures align with the requirements for review and 
remedial action under Rule 1001(a)(3), (b)(3), and (c)(2). The SBSDRs 
registered with the Commission are registered with the CFTC as swap 
data repositories (SDRs) and, with respect to systems of concern to the 
CFTC, are subject to CFTC's rules that require these entities to 
conduct periodic reviews of automated systems and business continuity-
disaster recovery capabilities.\729\ While such entities may apply the 
CFTC rules to the entirety of their repositories, the CFTC rules do not 
apply to the SBSDR and its security-based swap related systems. 
Therefore, applying Rule 1001(a)(3), (b)(3), and (c)(2) to SBSDRs would 
ensure periodic reviews of the effectiveness of policies and procedures 
specifically related to SCI systems and create a uniform, mandatory 
framework under the Commission's oversight.
---------------------------------------------------------------------------

    \729\ See 17 CFR 49.24(j); 17 CFR 49.24(m); 17 CFR 49.24(b)(3).
---------------------------------------------------------------------------

    Similarly, SCI broker-dealers also are required under FINRA Rule 
4370 to conduct an annual review of the business continuity and 
disaster recovery plans.\730\ Further, as noted above, the two exempt 
clearing agencies are required to report at least on an annual basis to 
the competent authority regarding their compliance with CSDR, including 
on their operational risk management framework and systems and their 
information security framework.\731\ The exempt clearing agencies must 
also periodically test and review the operational arrangements and 
policies and procedures with users. Additionally, the exemptive order 
for one of the exempted clearing agencies requires a review of policies 
and procedures and reporting on the status of policies and procedures 
to the Commission. To the extent that the broker-dealers and the 
exempt clearing agencies increase the scope of the review of their 
policies and procedures related to capacity, integrity, resiliency, 
availability, and security; systems compliance; and responsible SCI 
personnel, and take prompt action to remedy deficiencies, the exempt 
clearing agencies, broker-dealers and their customers will benefit from 
application of Rule 1001(a)(3), (b)(3), and (c)(2) and create a 
uniform, mandatory framework under the Commission's oversight.
---------------------------------------------------------------------------

    \730\ See sec. V.B.1.b.ii.
    \731\ See sec. V.B.1.c.ii.
---------------------------------------------------------------------------

(2) Amended Provisions Applicable to Current and New SCI Entities
    The Commission is proposing to amend Rule 1001(a)(2)(v)--to add to 
that provision a requirement that business continuity and disaster 
recovery plans be reasonably designed to address the unavailability of 
any third-party provider that provides functionality, support, or 
service to the SCI entity without which there would be a material 
impact on any of its critical SCI systems--and add several new 
provisions in Rule 1001(a)(2), including proposed Rule 1001(a)(2)(viii) 
(systems classifications and lifecycle management programs); proposed 
Rule 1001(a)(2)(ix) (third-party provider management program); proposed 
Rule 1001(a)(2)(x) (a program to prevent the unauthorized access to 
such systems and information residing therein); and proposed Rule 
1001(a)(2)(xi) (identification of the relevant current industry 
standard claimed as a safe harbor, if any). In addition, we are

[[Page 23246]]

proposing to amend Rule 1001(a)(4) to clarify that policies and 
procedures that are consistent with current SCI industry standards 
provide a safe harbor with respect to the requirement that such 
policies and procedures be reasonably designed. These amendments would 
impact both new and existing SCI entities.
(i) Business Continuity and Disaster Recovery Plans (Rule 
1001(a)(2)(v))
    Rule 1001(a)(2)(v) currently requires SCI entities' policies and 
procedures to set forth business continuity and disaster recovery plans 
that include maintaining backup and recovery capabilities sufficiently 
resilient and geographically diverse and that are reasonably designed 
to achieve next business day resumption of trading and two-hour 
resumption of critical SCI systems following a wide-scale disruption. 
The Commission is proposing to also require that such plans are 
reasonably designed to address the unavailability of any third-party 
provider that provides functionality, support, or service to the SCI 
entity, without which there would be a material impact on any of its 
critical SCI systems.
    With respect to the existing requirements that will remain 
unchanged, these would only affect new SCI entities and not create any 
new requirement for current SCI entities. Requiring business continuity 
and disaster recovery plans increases the likelihood that the markets 
in which they participate will continue to function, and SCI systems 
can resume operation in a timely manner, even when there are 
significant outages to SCI systems. Rule 1001(a)(2)(v), among other 
things, is expected to help ensure prompt resumption of all critical 
SCI systems, which in turn is expected to help minimize interruptions 
in trading and clearance and settlement after a wide-scale disruption. 
Notably, in the case of a wide-scale disruption, multiple SCI entities 
may be affected by the same incident at the same time. Given that U.S. 
securities market infrastructure is concentrated in relatively few 
areas, such as New York City, New Jersey, and Chicago, maintaining 
backup and recovery capabilities that are geographically diverse could 
facilitate resumption in trading and critical SCI systems following 
wide-scale market disruptions.\732\ Reducing the frequency and duration 
of trading interruptions would promote pricing efficiency, price 
discovery, and liquidity flows in markets.
---------------------------------------------------------------------------

    \732\ As discussed in section III.C.2, the geographic diversity 
of data center sites is an important consideration even where an SCI 
entity uses CSPs as its business continuity and disaster recovery 
service providers.
---------------------------------------------------------------------------

    With respect to the new requirement on the unavailability of third-
party providers, both new and current SCI entities will be affected. 
Financial institutions, including SCI entities, have become 
increasingly dependent on third parties--such as cloud service 
providers--to operate their businesses and provide their services.\733\ 
The proposed requirement for business continuity and disaster recovery 
plans to address the unavailability of any third-party provider would 
help ensure that SCI entities are appropriately prepared for 
contingencies relating to a third-party provider with respect to 
critical SCI systems, including the potential for an extended outage, 
if, for example, the third-party provider goes into bankruptcy or 
dissolves, or if it breaches its contract and decides to suddenly, 
unilaterally, and/or permanently cease to provide the SCI entity's 
critical SCI systems with functionality, support, or service.
---------------------------------------------------------------------------

    \733\ See supra sec. V.B.4. and note 687.
---------------------------------------------------------------------------

    The Commission understands that some new SCI entities are already 
subject to similar requirements and may already have policies and 
procedures that may align with Rule 1001(a)(2)(v),\734\ while others 
may need to make more significant changes to their current policies, 
procedures and practices. As discussed above, the extent of the 
benefits (and costs, as discussed below) will depend on how closely the 
new SCI entities' current policies and procedures align with the 
requirements of 1001(a)(2)(v), including the proposed amendment. With 
respect to SBSDRs, which are also registered as SDRs with the CFTC, the 
CFTC's System Safeguard rule sets forth requirements for swap data 
repositories to establish and maintain emergency procedures, 
geographically diverse \735\ backup facilities, and a business 
continuity-disaster recovery plan that allows for the timely recovery 
and resumption of next day operations following the disruption. While 
such entities may apply the CFTC rules to the entirety of their 
repositories, the CFTC rules do not apply to the SBSDR and its 
security-based swap related systems. Therefore, Rule 1001(a)(2)(v) 
would help ensure SBSDRs have in place for their SCI systems business 
continuity and disaster recovery plans that meet the minimum 
requirements set forth in the rule and create a uniform, mandatory 
framework under the Commission's oversight. The proposed amendment 
would ensure that these plans specifically address the unavailability 
of any third-party provider that provides functionality, support, or 
service to the SBSDR's SCI systems, without which there would be a 
material impact on any of its critical SCI systems.
---------------------------------------------------------------------------

    \734\ See sections III.A.2.a.ii, III.A.2.b.ii, III.A.2.c.i., 
V.B.1.a.ii, V.B.1.b.ii, and V.B.1.c.ii.
    \735\ SDRs deemed critical by the CFTC require geographically 
diverse backup facilities and staff.
---------------------------------------------------------------------------

    SCI broker-dealers are likewise required to create and maintain a 
written business continuity plan under FINRA Rule 4370.\736\ Currently 
required business continuity public disclosure statements \737\ 
generally indicate that some backup systems are geographically diverse, 
but limited information is disclosed with respect to a specific 
timeline for resumption of service in the event of a disruption. 
Similarly, these required business continuity public disclosure 
statements generally do not provide information on specific BC/DR plans 
to address the unavailability of any third-party provider, as would be 
required under the proposed amendment. Applying the requirements of 
Rule 1001(a)(2)(v) to broker-dealers may reduce the frequency and 
duration of trading interruptions, which would promote pricing 
efficiency, price discovery, and liquidity flows in markets. Further, 
the proposed amendment to Rule 1001(a)(2)(v) would help ensure broker-
dealers have business continuity and disaster recovery plans in place 
to address the unavailability of any third-party provider that provides 
functionality, support, or service to the SCI systems.
---------------------------------------------------------------------------

    \736\ See section V.B.1.b.ii.
    \737\ While broker-dealers are required to provide a brief 
summary disclosure statement regarding their BCPs to customers, they 
do not disclose the actual BCP. Based on a review of 2021 and 2022 
BCP disclosure statements, firms often do not provide any detail on 
operational capacity to meet demand surges or any specific 
timeframes for resumption of service.
---------------------------------------------------------------------------

    Finally, as discussed above, the exempt clearing agencies are 
currently required to maintain a business continuity policy and 
disaster recovery plan that ensures two-hour resumption of critical 
operations and geographically diverse backup systems and monitor and 
test it at least annually.\738\ The exempt clearing agencies are also 
required to address the unavailability of any critical third-party 
provider.\739\ Application of Rule 1001(a)(2)(v), including the 
proposed amendment, would help ensure exempt clearing agencies have 
business continuity and disaster recovery plans in place to address the 
unavailability of any third-

[[Page 23247]]

party provider that provides functionality, support, or service to the 
SCI systems and thus would likely incrementally reduce the frequency 
and duration of trading interruptions and promote pricing efficiency, 
price discovery, and liquidity flows in markets.
---------------------------------------------------------------------------

    \738\ See sec. V.B.1.e.ii.
    \739\ Id.
---------------------------------------------------------------------------

(ii) Systems Classification and Lifecycle Management (Proposed Rule 
1001(a)(2)(viii))
    Proposed Rule 1001(a)(2)(viii) provides that an SCI entity's 
policies and procedures must provide for the maintenance of a written 
inventory and classification of all SCI systems, critical SCI systems, 
and indirect SCI systems as such, and a program with respect to the 
lifecycle management of such systems, including the acquisition, 
integration, support, refresh, and disposal of such systems, as 
applicable. This is a new provision and applies to both current SCI 
entities and new SCI entities.
    A foundational and essential step for an SCI entity to be able to 
meet its obligations under Regulation SCI is to be able to clearly 
identify the different types of its systems that are subject to 
differing obligations under Regulation SCI. Reasonably designed systems 
classification and lifecycle management policies and procedures, which 
include vulnerability and patch management, reduce the risk of SCI 
system defects and operational issues. The systems classification 
requirement would promote more efficient and timely compliance with the 
remaining provisions of Regulation SCI. The lifecycle management 
requirement would also ensure that sensitive information (including 
software configuration info, middleware, etc.) is not inadvertently 
revealed, potentially compromising the security of an SCI entity's data 
and network--and would further enhance the systems' integrity, 
resiliency, and security. The Commission understands that one of the 
first steps many current SCI entities would take to comply with 
Regulation SCI is to develop a classification of their systems in 
accordance with the definitions of each type of system in Regulation SCI, but not 
all SCI entities maintain such a list. Accordingly, the extent of the 
benefits described above will depend on whether existing entities have 
taken such steps and how closely they align with the proposed 
requirements.
    With respect to new SCI entities, broker-dealers are required to 
maintain policies and procedures per Regulation S-P and S-ID, as 
discussed above.\740\ In two Commission exam sweeps, the Commission 
staff observed that most broker-dealers already inventory, catalog, and 
classify the risks of their systems and had a process in place for 
ensuring regular system maintenance, including the installation of 
software patches to address security vulnerabilities.\741\ Furthermore, 
identification of mission critical systems is required by FINRA rule 
4370. Accordingly, there would be an incremental benefit (and cost) 
from applying this particular provision of Regulation SCI to the 
broker-dealers. Additionally, the practice of inventorying and 
classifying systems might also encourage the firm to invest in 
supplemental security measures to reduce the number of indirect SCI 
systems, which would result in an incremental and upfront or short-term 
cost.
---------------------------------------------------------------------------

    \740\ See sec. V.B.1.b.ii.
    \741\ Id.
---------------------------------------------------------------------------

    As discussed in section V.B.1.c.ii, exempt clearing agencies are 
required by CSDR to prepare a list with all the processes and 
activities that contribute to the delivery of the services they 
provide; and identify and create an inventory of all the components of 
their IT systems that support the processes and activities. This likely 
would represent an incremental benefit (and cost). Additionally, the 
practice of inventorying and classifying systems might also encourage 
the firm to invest in supplemental security measures to reduce the 
number of indirect SCI systems to reduce the long-term compliance 
burden, which would result in an incremental and upfront or short-term 
cost.
(iii) Third-Party Provider Management (Proposed Rule 1001(a)(2)(ix))
    Proposed Rule 1001(a)(2)(ix) concerns policies and procedures for 
effective third-party provider management and would newly apply to both 
existing and new SCI entities. As discussed above, financial 
institutions have been increasingly outsourcing parts of their 
services.\742\ When a market participant chooses to outsource a 
particular component of its operation to a third-party vendor, the 
vendor may offer components of services (of certain quality) at a 
cheaper rate than the market participant can supply on its own or where 
the market participant may lack the expertise or ability to provide 
them. If this is done properly and with full information, it can result 
in an efficient outcome without compromising the service quality below 
what is required under Regulation SCI.
---------------------------------------------------------------------------

    \742\ See supra sec. V.B.4. and note 687.
---------------------------------------------------------------------------

    But in some cases, if there is information asymmetry--especially 
with respect to service quality--market dynamics among SCI entities 
result in the provision of sub-optimal services. This may be the case 
for a number of reasons, including imperfect communication between the 
SCI entity and its third-party provider. First, a third-party provider 
providing its service to an SCI entity may lack the knowledge of the 
level of resiliency and capacity the SCI entity must maintain. Second, 
an SCI entity may lack the knowledge of the robustness of the third-
party provider's operation. Third, the market for these services may 
not be competitive, and an SCI entity looking to outsource these 
services may not have other comparable choices. Failure to ensure that 
policies and procedures are adequate to reduce these risks may result 
in unidentified security weaknesses, the inability to analyze potential 
security events, and delayed business continuity and disaster recovery.
    Proposed Rule 1001(a)(2)(ix) would require each SCI entity to have 
a program to manage and oversee third-party providers that provide 
functionality, support or service, directly or indirectly, for its SCI 
systems and, for purposes of security standards, its indirect SCI 
systems. Each SCI entity would be required to undertake a risk-based 
assessment of each third-party provider's criticality to the SCI 
entity, including analyses of third-party provider concentration, of 
key dependencies if the third-party provider's functionality, support, 
or service were to become unavailable or materially impaired, and of 
any potential security, including cybersecurity, risks posed. The 
Commission believes that specifically requiring each SCI entity to 
undertake a risk-based assessment of each of its third-party providers' 
criticality to the SCI entity will help it more fully understand the 
risks and vulnerabilities of utilizing each third-party provider, and 
provide the opportunity for the SCI entity to better prepare in advance 
for contingencies should the provider's functionality, support, or 
service become unavailable or materially impaired.
    Again, the extent of these benefits may depend on whether an SCI 
entity's existing practices, and applicable regulations, are 
consistent with the requirements of proposed Rule 1001(a)(2)(ix). As 
noted above, SBSDRs that are dually registered as SDRs with the CFTC 
are also subject to the CFTC

[[Page 23248]]

System Safeguards rule, which requires an SDR to undertake a program of 
risk analysis and oversight of outsourcing and vendor management 
affecting its operations and automated systems.\743\ A dual-registered 
entity's outsourced systems for processing SDR data might also be SCI 
systems if such systems also process SBSDR data. Accordingly, an SDR's 
adherence to the System Safeguard Rule's provision for vendor 
management and outsourcing is reasonably likely to reduce the benefit 
(and the cost, as discussed below) of complying with proposed Rule 
1001(a)(2)(ix).
---------------------------------------------------------------------------

    \743\ 17 CFR 49.24(b)(6).
---------------------------------------------------------------------------

    Similarly, as discussed above, broker-dealers are already subject 
to general vendor management obligations in accordance with FINRA Rule 
3110 and obligations under Regulation S-P \744\ and thus some of their 
current practices may be consistent with some of the requirements of 
Rule 1001(a)(2)(ix). However, those rules are different in scope and 
purpose than the proposed amendment to Regulation SCI.\745\ For 
example, while FINRA rules already require initial and ongoing due 
diligence, third-party provider contract review and ongoing third-party 
risk assessment, proposed Rule 1001(a)(2)(ix) also requires an 
additional risk-based assessment of each third-party provider's 
criticality to the SCI entity. Accordingly, proposed Rule 
1001(a)(2)(ix) may restrict usage of particular third-party providers, 
if and when they are unwilling or unable to comply with Regulation 
SCI's third-party provider requirements.
---------------------------------------------------------------------------

    \744\ See supra sec. V.B.1.b.ii.
    \745\ See sec. III.A.2.b.ii. and III.D.
---------------------------------------------------------------------------

    Finally, as discussed in section V.B.1.c.ii, the two exempt clearing 
agencies are required by CSDR to have arrangements for the selection 
and substitution of IT third-party service providers and proper 
controls and monitoring tools which seems within the scope of proposed 
Rule 1001(a)(2)(ix) initial and ongoing due diligence provisions. The 
exempt clearing agencies are also required to identify critical 
utilities providers and critical service providers that may pose risks 
to their operations due to dependency on them, which seems within the 
scope of ongoing third-party risk assessment. In light of the existing 
requirements for exempt clearing agencies discussed in the baseline, 
any benefits (and associated costs, as discussed below) from the 
proposed amendment are likely to be relatively small with respect to 
critical service providers. However, the benefit would likely be larger 
with respect to non-critical service providers where the requirements 
are less specific.
(iv) Security (Proposed Rule 1001(a)(2)(x))
    Since the adoption of Regulation SCI in 2014, the financial system 
has become more digitized and consequently cybersecurity has become a 
significant concern for financial firms, investors, and regulatory 
authorities.\746\ In addition, the COVID-19 pandemic and accelerated 
move to working from home increased the demand for digital services and 
reliance of SCI entities on third-party providers including CSPs. 
Moving the majority of activities to the online or digitized 
environment has increased the risk of cybersecurity events.\747\ 
According to the Bank for International Settlements, the financial 
sector had the second-largest share of COVID-19-related cybersecurity 
events between March and June 2020.\748\ The Commission is proposing a 
new paragraph (a)(2)(x) of Rule 1001 that would require that the policies and 
procedures of SCI entities include a program to prevent the 
unauthorized access to SCI systems and, for purposes of security 
standards, indirect SCI systems and information residing therein. This 
would be a new provision and would apply to both current SCI entities 
and new SCI entities.
---------------------------------------------------------------------------

    \746\ See supra sec. III.C.3.
    \747\ Iñaki Aldasoro et al., COVID-19 and Cyber Risk in 
the Financial Sector, BIS Bull. No. 37 (Jan. 14, 2021), available at 
https://www.bis.org/publ/bisbull37.pdf.
    \748\ Id. The health sector is ranked first in terms of 
cyberattacks.
---------------------------------------------------------------------------

    The Commission anticipates that the primary benefit of the proposed 
rule would be to ensure that all SCI entities, including the new SCI 
entities, have policies and procedures to enhance their preparedness 
against cybersecurity threats. The proposed requirements to develop 
policies and procedures that are specifically designed to prevent the 
unauthorized access to SCI systems and information residing therein, 
would better protect SCI entities against cybersecurity threats. Such 
policies and procedures can strengthen the security surrounding their 
information systems and the data contained within, aiding in the 
prevention of unauthorized access; minimizing the damage from 
cybersecurity events; and improving incident recovery time.
    Another significant benefit is that any such unauthorized access 
should be reported to the Commission. Thus, this rule, together with 
the Commission notification requirement in Rule 1002(b), as amended, 
will help the Commission better understand which entities are most 
affected by cybersecurity events, what the current trends may be, and 
provide the Commission with information that may aid in subsequent 
guidance or rulemaking to further strengthen the affected entities from 
future cybersecurity events and disruptions to their business 
operations. Indeed, as we stated in section B.2.a, it is the 
Commission's understanding that current SCI entities have been 
reporting de minimis system intrusions on a quarterly basis, rather 
than immediately, as permitted under the current requirements of 
Regulation SCI. Current SCI entities are not required to report 
attempted intrusions.
    The extent of these benefits will depend on how consistent the 
existing policies and procedures of both current and new SCI entities 
are with the requirements of proposed Rule 1001(a)(2)(x). The 
Commission believes that many existing SCI entities already have most 
or all of such policies and procedures in place as part of their 
security protocols; thus the benefits (and the associated costs) of 
applying the proposed Rule 1001(a)(2)(x) may be reduced.
    Among new SCI entities, both registered SBSDRs have stated they 
have policies and procedures addressing access management.\749\ To the 
extent that SBSDRs already have access management policies and 
procedures that are aligned with the requirements of proposed Rule 
1001(a)(2)(x), the proposed rule would offer limited benefits. Further, 
as discussed in section V.B.1.b.ii, broker-dealers are required to 
maintain policies and procedures addressing security issues per 
Regulation S-P and S-ID, although those regulations and the required 
policies and procedures are different in scope and purpose. The extent 
of the benefits of proposed Rule 1001(a)(2)(x) would thus depend on how 
consistent the broker-dealer's current policies and procedures are with 
the requirements of the proposed Rule.
---------------------------------------------------------------------------

    \749\ 17 CFR 49.24(b)(2). See Security-Based Swap Data 
Repositories; ICE Trade Vault, LLC; Notice of Filing of Application 
for Registration as a Security-Based Swap Data Repository, available 
at https://www.sec.gov/rules/other/2021/34-91331.pdf; Security-Based 
Swap Data Repositories; DTCC Data Repository (U.S.), LLC; Notice of 
Filing of Application for Registration as a Security-Based Swap Data 
Repository, available at https://www.sec.gov/rules/other/2021/34-91071.pdf.
---------------------------------------------------------------------------

    As discussed in section V.B.1.c.ii, the two exempt clearing 
agencies are required to maintain information security frameworks 
describing mechanisms to detect and prevent cyber-attacks and a plan in 
response to cyber-attacks. The information security

[[Page 23249]]

framework includes among other requirements access controls to the 
system and adequate safeguards against intrusions and data misuse. 
Therefore, proposed Rule 1001(a)(2)(x) may offer only limited 
incremental benefits.\750\
---------------------------------------------------------------------------

    \750\ See section V.B.1.c.ii.
---------------------------------------------------------------------------

(v) Current SCI Industry Standards (Proposed Rule 1001(a)(2)(xi)) and 
Safe Harbor for Policies and Procedures Consistent With SCI Industry 
Standards (Rule 1001(a)(4))
    Proposed Rule 1001(a)(2)(xi) would provide that an SCI entity's 
policies and procedures must include an identification of the current 
SCI industry standard(s) with which each such policy and procedure is 
consistent, if any. This requirement would be applicable if the SCI 
entity is taking advantage of the safe harbor provision, Rule 
1001(a)(4). We are also proposing to amend the text of Rule 1001(a)(4), 
which deems an SCI entity's policies and procedures under Rule 1001(a) 
to be reasonably designed if they are consistent with current SCI 
industry standards, to make clear that its reference to and definition 
of ``current SCI industry standards'' provides a safe harbor for SCI 
entities with respect to their Rule 1001(a) policies and procedures. 
Proposed Rule 1001(a)(2)(xi) and the amendment to Rule 1001(a)(4) would 
apply to both current SCI entities and new SCI entities.
    Rule 1001(a)(4) specifically states that compliance with current 
SCI industry standards is not the exclusive means to comply with the 
requirements of Rule 1001(a). Therefore, Rule 1001(a)(4) provides 
flexibility to allow each SCI entity to determine how to best meet the 
requirements in Rule 1001(a), taking into account, for example, its 
nature, size, technology, business model, and other aspects of its 
business. SCI entities can choose the technology standards that best 
fit with their business, promoting efficiency. The ability of SCI 
entities to rely on widely recognized technology standards, if they 
choose to do so, will provide guidance to SCI entities on policies and 
procedures that would meet the articulated standard of being 
``reasonably designed to ensure that their systems have levels of 
capacity, integrity, resiliency, availability, and security, adequate 
to maintain their operational capability and promote the maintenance of 
fair and orderly markets.''
    In addition, the flexibility of this requirement leaves room for 
industry-wide innovation, while encouraging each SCI entity to conform 
to an industry standard that is most appropriate for itself given the 
entity's scope of operation and particular characteristics. These 
standards currently in place may require protocols that go beyond the 
level that would have been chosen by an entity that is driven by 
profit-maximizing or cost-saving motives. Furthermore, as industry 
standards continue to evolve, Regulation SCI helps to ensure that SCI 
entities are motivated to adhere to the changing standards that reflect 
the changes in market conditions and technology. The Commission 
understands that many existing SCI entities rely on industry standards, 
typically by adhering to a specific industry standard or combination of 
industry standards for a particular technology area or by using 
industry standards as guidance in designing policies and procedures. 
Thus, overall benefits and costs to existing SCI entities will be 
incremental, and the benefits and costs are likely to be greater for 
entities that do not already rely on industry standards and lesser for 
entities that already adhere closely to industry standards.
    Among new entities, both SBSDR entities are also registered with 
the CFTC as SDRs, and as such are subject to the CFTC's System 
Safeguard rule in their capacity as SDRs. The System Safeguard rule 
requires SDRs to follow generally accepted standards and best practices 
with respect to the development, operation, reliability, security, and 
capacity of automated systems.\751\ While not required, it is likely 
that dual-registered SDRs/SBSDRs are following these requirements for 
SBSDRs given the CFTC requirements for SDRs. Therefore, it is likely 
that SBSDRs already have policies and procedures consistent with 
existing industry standards.
---------------------------------------------------------------------------

    \751\ See 17 CFR 49.24.
---------------------------------------------------------------------------

    As discussed above, broker-dealers are required to have certain 
policies and procedures pursuant to Regulation S-P and S-ID.\752\ The 
2015 FINRA report on cybersecurity practices observed that broker-
dealers reported relying on industry standards with respect to 
cybersecurity requirements, typically by adhering to a specific 
industry standard or combination of industry standards or by using 
industry standards as a reference point for designing policies and 
procedures.\753\ To the extent that any broker-dealers do not rely on 
industry standards or only selectively, applying Rule 1001(a)(4) and 
proposed Rule 1001(a)(2)(xi) will likely increase broker-dealer 
adherence to industry standards and improve overall compliance with 
Rule 1001.
---------------------------------------------------------------------------

    \752\ See section V.B.1.b.ii.
    \753\ See section V.B.1.b.ii.
---------------------------------------------------------------------------

    As discussed in section V.B.1.c.ii, the two exempt clearing 
agencies are required by CSDR to rely on internationally recognized 
technical standards and industry best practices with respect to their IT 
systems. As such, it is likely that they already have policies and 
procedures that are consistent with one or more industry standards. The 
proposed amendment may have some incremental benefit and improve 
overall compliance with Rule 1001.
ii. Costs
    The policies and procedures requirements of Regulation SCI would 
impose certain compliance costs on new SCI entities, which are expected 
to change at least some of their current practices to comply. In 
addition, the proposed amendments to certain provisions in Rule 1001 
would impose additional costs on new and existing SCI entities. We 
discuss these costs below.
(1) Compliance Costs for New SCI Entities
    Some of the new SCI entities are already subject to existing 
regulatory requirements that are similar to the requirements in Rule 
1001, including the proposed amendments. To the extent these entities 
already have policies and procedures that are consistent with the Rule 
1001 requirements, they could incur lower costs to comply with the 
requirements of Rule 1001 than entities without such existing policies 
and procedures. Similarly, the compliance costs associated with Rule 
1001 may vary across SCI entities depending on the degree to which 
their current voluntary practices are already consistent with the 
requirements of Rule 1001. The compliance costs of Rule 1001 may further 
depend on the complexity of SCI entities' systems (e.g., the compliance 
costs will be higher for SCI entities with more complex systems). They 
may also depend, to a large extent, on the scale as well as the 
relative criticality of a given SCI entity's systems. We discuss below 
the costs for new SCI entities to comply with Rule 1001, including the 
proposed amendments; this includes PRA costs as well as additional 
compliance costs.
    First, with respect to PRA costs, the Commission estimates total 
initial costs of approximately $13.4 million and annual costs of 
approximately $3.5

[[Page 23250]]

million for all new SCI entities.\754\ In addition to the compliance 
costs estimated as part of the PRA analysis, the Commission 
acknowledges there may, in some cases, be other compliance costs. In 
the SCI Adopting Release, the Commission formed estimates of non-PRA 
compliance costs for complying with Rule 1001(a) and (b),\755\ which 
are instructive for determining such costs now for the new SCI 
entities. The Commission believed then, and continues to do so now, 
that the costs of complying with Rule 1001(c) are fully captured in the 
PRA cost estimates. The Commission's estimates then were based on 
extensive discussions with industry participants as well as information 
contained in the comment letters submitted during the rulemaking 
process. After carefully considering all comments, the Commission 
concluded that to comply with all requirements underlying the policies 
and procedures required by Rule 1001(a) and (b), other than paperwork 
burdens, on average, each SCI entity will incur an initial cost of 
between approximately $320,000 and $2.4 million and an ongoing annual 
cost of between approximately $213,600 and $1.6 million.\756\ Adjusted 
for inflation since 2014, the initial cost would be between 
approximately $407,000 and $3.1 million, and the ongoing annual cost 
would be between approximately $272,000 and $2.0 million.\757\
---------------------------------------------------------------------------

    \754\ See section IV.D.7. These are the estimated costs to 
comply with Rule 1001(a) through (c). For purposes of this Economic 
Analysis, there are two fewer entities than under the PRA analysis, 
lowering these estimated costs. See supra note 700.
    \755\ According to the 2014 adopting release, these non-PRA 
compliance costs include, for example, establishing current and 
future capacity planning estimates, capacity stress testing, 
reviewing and keeping current systems development and testing 
methodology, regular reviews and testing to detect vulnerabilities, 
testing of all SCI systems and changes to SCI systems prior to 
implementation, implementing a system of internal controls, 
implementing a plan for assessments of the functionality of SCI 
systems, implementing a plan of coordination and communication 
between regulatory and other personnel of the SCI entity, including 
by responsible SCI personnel, designed to detect and prevent systems 
compliance issues, and hiring additional staff. See SCI Adopting 
Release, supra note 1, at 72416 n. 1939.
    \756\ Id.
    \757\ SEC inflation calculations are based on annual GDP price 
index data from Table 1.1.4. in the National Income and Product 
Accounts from the Bureau of Economic Analysis, and on inflation 
projections from The Budget and Economic Outlook: 2023 to 2033, 
published by the Congressional Budget Office in February 2023.
---------------------------------------------------------------------------

    In the 2014 adopting release, the Commission acknowledged that its 
cost estimates reflect a high degree of uncertainty because the 
compliance costs may depend on the complexity of SCI entities' systems 
(e.g., the compliance costs will be higher for SCI entities with more 
complex systems). The initial compliance costs associated with Rule 
1001 could also vary across SCI entities depending on the degree to 
which their current practices are already consistent with the 
requirements of Rule 1001.\758\ The Commission explained the difficulty 
of gauging the degree to which an SCI entity was already taking 
measures consistent with Regulation SCI, which would affect the 
compliance costs with respect to Rule 1001. These considerations 
continue to apply to the Commission's estimate of any non-PRA costs for 
new SCI entities, which span multiple markets and vary a great deal in 
terms of the services they provide and the operations they perform. 
These new SCI entities face different baselines depending on the 
applicable regulatory requirements that they are subject to and the 
market practices each SCI entity has been following.
---------------------------------------------------------------------------

    \758\ These estimates in the SCI Adopting Release were in turn 
based on the preliminary estimates included in the SCI Proposing 
Release, supra note 14, at 18171. However, one important assumption 
the SCI Proposing Release made was to assume that certain SCI 
entities ``already [had or had] begun implementation of business 
continuity and disaster recovery plans that include maintaining 
backup and recovery capabilities sufficiently resilient and 
geographically diverse to ensure next business day resumption of 
trading and two-hour resumption of clearance and settlement services 
following a wide-scale disruption.'' Id. at note 633. In the SCI 
Adopting Release, however, in order to accommodate the cost 
considerations of those SCI entities that did not already have 
geographically diverse backup facilities, the Commission estimated 
the average cost to be approximately $1.5 million annually for such 
SCI entities. See SCI Adopting Release, supra note 1, at 72420. In 
the section discussing Rule 1001(a)(2)(v) below, the Commission 
estimates the comparable estimate to be between $1.5 million and 
$1.8 million. This additional estimate range only applies to SCI 
entities that do not already have geographically diverse backup 
facilities and would be in addition to the non-paperwork burden 
estimates discussed in the current section.
---------------------------------------------------------------------------

    Given these considerations, the Commission believes that the 
estimates from 2014 are still appropriate estimates for the non-PRA 
costs associated with Rule 1001(a) and (b) of Regulation SCI without 
the proposed amendments for the new SCI entities. There are reasons to 
believe that these ranges should be increased for inflation \759\ and 
technological changes since 2014, such as greater interconnectivity, 
that have expanded the scope for testing, leading to greater costs. 
However, there are also reasons to believe that as of 2023 these ranges 
may have come down.
---------------------------------------------------------------------------

    \759\ For example, GDP Price Index data from the Bureau of 
Economic Analysis (BEA) and projections from the Congressional 
Budget Office show that, economy-wide, prices increased by about 27% 
from 2014 to 2023.
---------------------------------------------------------------------------

    First, some components of costs may be lower in 2023 because of 
technological improvements since 2014.\760\ Second, the experience of 
the current 47 SCI entities complying with Regulation SCI since 2014 
has likely generated a useful industry knowledge base for new SCI 
entities, including common practices, industry standards, and cost-
saving measures. From this perspective, the cost of learning would be 
lower, including the start-up cost. Third, the Commission understands 
that many financial institutions that are not subject to Regulation SCI 
have voluntarily begun to conform to one or more industry standards and 
adopted written policies and procedures related to ensuring capacity, 
integrity, resiliency, availability, and security of their systems. 
Indeed, the Commission understands--based on the Commission's 
discussions with industry participants--that the changes in the 
market--including greater automation and interconnectivity and an 
overall need to expand the scope of testing--have already incentivized 
many SCI entities to improve their internal protocols and to increase 
their technology expenditures. For example, the growing risk of 
cybersecurity events has already led many corporate executives to 
significantly increase their cybersecurity budgets.\761\ From this 
perspective, although the overall security and IT spending may have 
increased manifold for SCI entities over the years, the Commission 
estimates that the magnitude of compliance costs owing to the adoption 
of Regulation SCI

[[Page 23251]]

for new SCI entities, over and above their current expenses, may not 
necessarily have increased significantly as a result since 2014.
---------------------------------------------------------------------------

    \760\ See Matt Rosoff, Why is Tech Getting Cheaper?, weforum.org 
(Oct. 16, 2015), available at https://www.weforum.org/agenda/2015/10/why-is-tech-getting-cheaper/. For example, price has been 
dropping for cloud computing services over the last years. See Jean 
Atelsek, et al., Major Cloud Providers and Customers Face Cost and 
Pricing Headwinds, spglobal.com (May 10, 2022), available at https://www.spglobal.com/marketintelligence/en/news-insights/research/major-cloud-providers-and-customers-face-cost-and-pricing-headwinds; 
see also David Friend, The Coming Era of Simple, Fast, Incredibly 
Cheap Cloud Storage, Cloudtweaks.com (Nov. 15, 2022, 9:12 a.m.), 
available at https://cloudtweaks.com/2018/02/fast-incredibly-cheap-cloud-storage/ (describing the significant price drop for cloud 
storage as of 2018, and explaining that ``the prices for cloud 
storage are heading in the same direction.''). These trends may be 
reversing. See Jean Atelsek, et al., (``Rising energy costs and 
supply chain woes threaten to push up costs for the cloud 
hyperscalers in building and operating their data centers; 
therefore, cloud infrastructure prices are poised to increase.''); 
Frederic Lardinois, Google Cloud Gets More Expensive, TechCrunch+ 
(Mar. 14, 2022, 11:54 p.m.), available at https://techcrunch.com/2022/03/14/inflation-is-real-google-cloud-raises-its-storage-prices/.
    \761\ For example, according to one source, as of 2020, ``55% of 
enterprise executives [were planning] to increase their 
cybersecurity budgets in 2021 and 51% are adding full-time cyber 
staff in 2021.'' Louis Columbus, The Best Cybersecurity Predictions 
for 2021 Roundup, Forbes.com (Dec. 15, 2020), available at https://www.forbes.com/sites/louiscolumbus/2020/12/15/the-best-cybersecurity-predictions-for-2021-roundup/?sh=6d6db8b65e8c.
---------------------------------------------------------------------------

    Taking these varied considerations into account, the Commission 
estimates that, adjusted for inflation since 2014, the 2014 figures 
remain reasonable ranges for non-PRA costs associated with Rule 1001(a) 
and (b) in 2023, without accounting for the proposed amendments in Rule 
1001(a). In other words, the Commission estimates that a new SCI entity 
in 2023 will incur an initial non-PRA cost of between approximately 
$407,000 and $3.1 million and an ongoing annual non-PRA cost of between 
approximately $272,000 and $2.0 million to comply with the original 
provisions of Regulation SCI from 2014.
    To account for the proposed amendments, the Commission 
preliminarily estimates that, based on staff experience with current 
SCI entities' compliance practices, the non-PRA cost of complying with 
the amended provisions could be up to approximately 20% of the 
estimated non-PRA cost for complying with the original (i.e., 
unamended) Rule 1001(a). Accordingly, the Commission estimates that a 
new SCI entity would incur an additional initial cost of between 
approximately $81,000 and $611,000 and an additional ongoing annual 
cost of between approximately $54,000 and $407,000 to comply with the 
amended provisions of Rule 1001(a).\762\ Combined with the non-PRA 
costs estimates above for complying with the rest of Rule 1001(a) and 
(b), a new SCI entity will incur an additional initial non-PRA cost of 
between approximately $489,000 and $3.7 million \763\ and an additional 
ongoing annual non-PRA cost of between approximately $326,000 and $2.4 
million, plus the PRA costs estimated above.\764\ The Commission 
estimates that, in the aggregate, all new SCI entities will incur a 
total initial non-PRA cost of between approximately $10.3 million and 
$77.0 million to comply with the policies and procedures required by 
Rule 1001(a) and (b).\765\ In addition, the Commission estimates that, 
in the aggregate, new SCI entities will incur total annual ongoing non-
PRA cost of between approximately $6.9 million and $51.3 million.\766\ 
Depending on the price-sensitivity of their customers and the 
availability of alternative providers, new SCI entities may pass on 
some of these costs to their customers.\767\
---------------------------------------------------------------------------

    \762\ These figures are 20% of the range from the Regulation SCI 
Adopting Release, adjusted for inflation from 2014 to 2023.
    \763\ These figures are 120% of the range from the Adopting 
Release of Regulation SCI, adjusted for inflation since 2014.
    \764\ These figures are approximately 120% of the range from the 
Adopting Release of Regulation SCI, adjusted for inflation since 
2014.
    \765\ The Commission currently estimates there are 23 new SCI 
entities, two of which are excluded from the economic analysis as 
explained above. The range of $10.3 million and $77.0 million 
represents 21 times the per-entity initial cost range from the 
Regulation SCI Adopting Release, adjusted for inflation since 2014.
    \766\ The range of $6.9 million and $51.3 million represents 21 
times the per-entity ongoing annual cost range from the Regulation 
SCI Adopting Release, adjusted for inflation since 2014.
    \767\ See, e.g., Jonathan Baker, Orley Ashenfelter, David 
Ashmore & Signe-Mary McKernan, Identifying the Firm-Specific Cost 
Pass-Through Rate, Federal Trade Commission. Bureau of Economics 1 
(1998), available at https://www.ftc.gov/sites/default/files/documents/reports/identifying-firm-specific-cost-pass-through-rate/wp217.pdf.
---------------------------------------------------------------------------

    In addition, with respect to the periodic reviews required by Rule 
1001(a)(3), (b)(3), and (c)(2), there may be additional indirect costs 
if an SCI entity takes prompt or unplanned remedial action following 
the discovery of deficiencies in its policies and procedures. 
Specifically, the new SCI entities may need to delay or shift their 
resources away from profitable projects and reallocate their resources 
towards taking prompt or unplanned remedial actions required by the 
rules. It is nevertheless difficult to assess such indirect costs 
imposed on SCI entities because the Commission lacks information 
necessary to provide a reasonable estimate and such indirect costs will 
be circumstance-specific.
(2) Compliance Costs for Existing SCI Entities
    Existing SCI entities should incur new costs only to comply with 
the proposed amendments to Rule 1001(a). With respect to PRA costs, the 
Commission estimates total initial costs of approximately $8.2 million 
and annual costs of approximately $1.1 million for all current SCI 
entities.\768\ For non-PRA costs associated with these amendments, the 
Commission estimates that the non-PRA cost of complying with the 
amended provisions could be up to approximately 20% of the estimated 
non-PRA cost for complying with the original (i.e., unamended) Rule 
1001(a), as explained above. Accordingly, the Commission estimates that 
an existing SCI entity would incur an additional initial non-PRA cost 
of between approximately $81,000 and $611,000 and an additional ongoing 
annual non-PRA cost of between approximately $54,000 and $407,000 to 
comply with the amended provisions of Rule 1001(a).\769\ The Commission 
in turn estimates that, in the aggregate, current SCI entities will 
incur a total initial non-PRA cost of between approximately $3.8 
million and $28.7 million to comply with the policies and procedures 
required by Rule 1001(a) and (b).\770\ In addition, the Commission 
estimates that, in the aggregate, current SCI entities will incur total 
annual ongoing non-PRA cost of between approximately $2.6 million and 
$19.1 million.\771\
---------------------------------------------------------------------------

    \768\ See section IV.D.7. These include costs for existing 
entities to comply only with Rule 1001(a), and for new entities to 
comply with Rule 1001(a) through (c).
    \769\ These figures are 20% of the range from the Regulation SCI 
Adopting Release, adjusted for inflation since 2014.
    \770\ The Commission currently estimates there are 47 current 
SCI entities. The range of $3.8 million and $28.7 million represents 
47 times the per-entity cost range from the SCI Adopting Release, 
adjusted for inflation since 2014.
    \771\ The range of $2.6 million and $19.1 million represents 47 
times the per-entity cost range from the SCI Adopting Release, 
adjusted for inflation since 2014.
---------------------------------------------------------------------------

(3) Other Costs for All SCI Entities and Other Affected Parties
    Proposed Rule 1001(a)(2)(ix) could raise costs of third-party 
service providers insofar as they may have to renegotiate contracts and 
change the terms of their services to accommodate the requirements of 
SCI entities. SCI entities could also incur costs in enforcing their 
third-party provider management program. In particular, to the extent 
that accommodating the terms and conditions that would be demanded by 
SCI entities under proposed Rule 1001(a)(2)(ix) would be costly to 
third-party service providers, SCI entities could face higher prices 
from third-party providers, though any change in prices would also 
depend upon market conditions (such as the level of competition amongst 
third-party service providers for the type of services sought after by 
the SCI entity, the relative bargaining power of the SCI entity in 
negotiations with third-party service providers, new entry into the 
market for third-party services, and willingness of service providers 
to absorb costs or pass costs to other customers).
Request for Comment
    106. For current SCI entities, do you agree that the Commission's 
specified ranges reasonably capture the non-paperwork burden costs 
owing to Rule 1001(a) and (b) that you have incurred above and beyond 
amounts you were already spending to ensure your SCI systems' capacity, 
integrity, resiliency, availability, and security under the existing 
requirements of Regulation SCI?

[[Page 23252]]

    107. For new SCI entities, do you agree that the Commission's 
specified ranges reasonably capture the non-paperwork burden costs 
owing to Rule 1001(a) and (b) that you expect to incur above and beyond 
the amounts you were already spending to ensure your SCI systems' 
capacity, integrity, resiliency, availability, and security under the 
existing requirements of Regulation SCI?
    108. For current and new SCI entities, do you agree that the 
Commission's specified ranges for the non-paperwork cost of complying 
with the proposed amendments to Rule 1001(a) and (b), at 20 percent of 
the specified ranges for Rule 1001(a) and (b), reasonably capture such 
costs that you expect to incur, above and beyond amounts you are 
already spending to ensure your SCI systems' capacity, integrity, 
resiliency, availability, and security owing to the proposed 
amendments?
    109. If you are a current SCI entity and you currently inventory 
and classify all SCI systems, critical SCI systems, and indirect SCI 
systems, how does your activity differ from the requirements of the 
rule proposal? What have been the benefits and costs of this activity?
    110. If you are a current SCI entity and have a program with 
respect to the lifecycle management of SCI systems, does it address the 
acquisition, integration, support, refresh, and disposal of such 
systems, as applicable? How does your activity differ from the 
requirements of the rule proposal? What have been the benefits and 
costs of this activity?
    111. If you are a current SCI entity and you currently have a 
third-party provider management program to ensure that your SCI systems 
contractors perform their work in accordance with the requirements of 
Regulation SCI, how does your activity differ from the requirements of 
the rule proposal? What have been the benefits and costs of this 
activity?
    112. If you are a current SCI entity and you currently require an 
initial and periodic review of contracts with service providers for 
consistency with your obligations under Regulation SCI, how does your 
activity differ from the requirements of the rule proposal? What have 
been the benefits and costs of this activity?
    113. If you are a current or proposed SCI entity and you currently 
conduct a risk-based assessment of each third-party provider's 
criticality to your operations, how does your activity differ from the 
requirements of the rule proposal? What have been the benefits and 
costs of this activity?
    114. If you are a current SCI entity and your policies and 
procedures include a program to prevent the unauthorized access to SCI 
systems and information residing therein, how does your activity differ 
from the requirements of the rule proposal? What have been the benefits 
and costs of this activity?
    115. The Commission requests that commenters provide relevant data 
and analysis to assist us in determining the economic consequences of 
the proposed amendments related to third-party providers' management. 
In particular, the Commission requests data and analysis regarding the 
costs SCI entities and third-party providers may incur, and benefits 
they may receive, from the proposed amendments.
    116. Do you agree with the Commission's analysis of the benefits of 
the proposed amendments related to third-party providers' management? 
Why or why not? Please explain in detail.
    117. Do you agree with the Commission's analysis of the costs of 
the proposed amendments related to third-party providers' management? 
Why or why not? Please explain in detail.
b. Rule 1002--Corrective Action, Commission Notification, and 
Information Dissemination
    Regulation SCI requires SCI entities to take appropriate corrective 
actions in response to SCI events (Rule 1002(a)), notify the Commission 
of SCI events (Rule 1002(b)), and disseminate information regarding 
certain major SCI events to all members or participants of an SCI 
entity and certain other SCI events to affected members or participants 
(Rule 1002(c)). Rule 1000, in turn, defines SCI events to include 
systems disruptions, systems compliance issues, and systems intrusions. 
The Commission is proposing two amendments that affect these 
provisions. First, it is proposing to expand the definition of systems 
intrusion in Rule 1000. Second, it is proposing to amend Rule 
1002(b)(5) to eliminate the exception to the reporting requirement for 
de minimis systems intrusions and instead require the reporting of all 
systems intrusions, whether de minimis or not, within the time frames 
specified in paragraphs (b)(1) through (4).
    New SCI entities will need to comply with these requirements of 
Rules 1000 and 1002, and their proposed amendments, for the first time. 
Existing SCI entities will need to apply the new definition of systems 
intrusion in Rule 1000 to the requirements of Rule 1002, including the 
amendments to Rule 1002(c). We discuss below the benefits and costs of 
these provisions and amendments for new and existing SCI entities.
i. Benefits
(1) Rule 1000--Definition of SCI Events
    In general, the definition of SCI event (and its component parts) 
in Rule 1000 circumscribes the scope of the substantive requirements in 
Rule 1002. Therefore, many of the costs and benefits associated with 
the definitions are incorporated in the discussion of the substantive 
requirements. The benefits associated with scoping the substantive 
requirements for Rule 1002 through the specific definitions of systems 
disruption, systems compliance issue, and systems intrusion are 
discussed at length in the 2014 SCI Adopting Release \772\ and would 
apply to the new SCI entities. We summarize those benefits here and 
discuss the benefits for both new and current SCI entities resulting 
from expanding the definition of systems intrusion.
---------------------------------------------------------------------------

    \772\ See SCI Adopting Release, supra note 1, at 72423-27.
---------------------------------------------------------------------------

    Systems Disruption. Rule 1000 of Regulation SCI currently defines a 
``systems disruption'' as an event in an SCI entity's SCI systems that 
disrupts, or significantly degrades, the normal operation of an SCI 
system. This definition would remain unchanged. As the Commission noted 
in 2014, the definition sets forth a standard that SCI entities can 
apply in a wide variety of circumstances to determine in their 
discretion whether a systems issue should be appropriately categorized 
as a systems disruption. The inclusion of systems disruptions in the 
definition of SCI event, along with the requirements of Rule 1002, should 
help effectively reduce the severity and duration of events for new SCI 
entities that harm pricing efficiency, price discovery, and liquidity 
and help Commission oversight of the securities markets.
    Systems Compliance Issues. Under Rule 1000, a systems compliance 
issue is an event at an SCI entity that has caused any SCI system of 
such entity to operate in a manner that does not comply with the Act 
and the rules and regulations thereunder or the entity's rules or 
governing documents, as applicable. The Commission stated in 2014 that 
inclusion of systems compliance issues in the definition of SCI event 
and the resulting applicability of the Commission reporting, 
information dissemination, and recordkeeping requirements are important 
to help ensure that SCI 
systems are operated by SCI entities in compliance with the Exchange 
Act, rules thereunder, and their own rules and governing documents.
    Systems Intrusion. Rule 1000 of Regulation SCI currently defines a 
``systems intrusion'' as any unauthorized entry into the SCI systems or 
indirect SCI systems of an SCI entity. The Commission is proposing to 
expand the definition of systems intrusions to include any 
cybersecurity attack that disrupts, or significantly degrades, the 
normal operation of an SCI system. This revision includes cybersecurity 
events that cause disruption on an SCI entity's SCI systems or indirect 
SCI systems, whether or not the event resulted in an entry into or 
access to such systems. In addition, the proposed revised definition 
would include any significant attempted unauthorized entry into the SCI 
systems or indirect SCI systems of an SCI entity, as determined by the 
SCI entity pursuant to established reasonable written criteria. This 
revision is intended to capture unsuccessful, but significant, attempts 
to enter an SCI entity's SCI systems or indirect SCI systems. The 
definition, including the proposed amendments, will apply to new SCI 
entities for the first time while the proposed amendments will apply to 
existing SCI entities.
    In the SCI Adopting Release, the Commission discussed the benefits 
of including a system intrusion in the definition of an SCI event for 
which the requirements of Rule 1002 apply. These same benefits extend 
to the new SCI entities. Specifically, the Commission stated that 
unauthorized access, destruction, and manipulation of SCI systems and 
indirect SCI systems could adversely affect the markets and market 
participants because intruders could force systems to operate in 
unintended ways that could create significant disruptions in securities 
markets. Therefore, the inclusion of systems intrusions in the 
definition of SCI events can help reduce the risk of such adverse 
effects for new SCI entities.
    The proposed changes, which would apply to new and current SCI 
entities, would update the definition to include additional types of 
incidents that are currently considered cybersecurity events but are 
not captured by the current definition. If an incident meets the 
definition, the SCI entity must then comply with the requirements for 
corrective action, Commission notice, and information dissemination in 
Rule 1002. 
The proposed changes to the definition would thus ensure that the 
Commission and its staff are made aware when an SCI entity is the 
subject of a significant cybersecurity threat, including those that may 
be ultimately unsuccessful, which would provide important information 
regarding threats that may be posed to other entities in the securities 
markets, including other SCI entities. Because such cybersecurity 
events can cause serious harm and disruption to an SCI entity's 
operations, the Commission believes that the definition of systems 
intrusion should be broadened to include cybersecurity events that may 
not entail actually entering or accessing the SCI entity's SCI systems 
or indirect SCI systems, but still cause disruption or significant 
degradation, as well as significant attempted unauthorized entries. By 
requiring SCI entities to submit SCI filings for these new types of 
systems intrusions, the Commission believes that the revised definition 
of systems intrusion would also provide the Commission and its staff 
more complete information to assess the security status of the SCI 
entity, and also assess the impact or potential impact that 
unauthorized activity could have on the security of the SCI entity's 
affected systems as well as on other SCI entities and market participants.
(2) Rule 1002--Corrective Action, Commission Notice, Information 
Dissemination
    As noted, Rule 1002 prescribes certain required actions for SCI 
entities upon any responsible SCI personnel having a reasonable basis 
to conclude that an SCI event has occurred. The requirements of Rule 
1002(a) and (c) remain substantively unchanged from current Regulation 
SCI except additional events are scoped into the Rules for existing SCI 
entities through the proposed expanded definition of systems intrusion. 
These provisions will therefore primarily affect new SCI entities. We 
discuss generally the benefits of the expanded definition above and do 
not repeat those here.\773\
---------------------------------------------------------------------------

    \773\ The SCI Adopting Release considered the benefits and costs 
of the specific definitions for each type of SCI event. See SCI 
Adopting Release, supra note 1, at 72404-08. Those costs and 
benefits remain the same for new SCI entities to which these 
definitions would apply and are not repeated here, except with 
respect to the definition of systems intrusions, which the 
Commission proposes to amend. To the extent that the primary effect 
of these definitions is realized through the requirements in Rule 
1002 to take corrective action, notify the Commission, and 
disseminate information, we discuss the effects of applying those 
requirements on new SCI entities below.
---------------------------------------------------------------------------

    Corrective Action (Rule 1002(a)). Rule 1002(a) requires an SCI 
entity to begin to take appropriate corrective action upon any 
responsible SCI personnel having a reasonable basis to conclude that an 
SCI event has occurred. Rule 1002(a) also requires corrective action to 
include, at a minimum, mitigating potential harm to investors and 
market integrity resulting from the SCI event, and devoting adequate 
resources to remedy the SCI event as soon as reasonably practicable. 
Thus, it would not be appropriate for an SCI entity to delay the start 
of corrective action once its responsible SCI personnel have a 
reasonable basis to conclude that an SCI event has occurred, and the 
SCI entity would be required to focus on mitigating potential harm to 
investors and market integrity resulting from the SCI event and 
devoting adequate resources to remedy the SCI event as soon as 
reasonably practicable. This provision remains unchanged for existing 
SCI entities, except to the extent they must comply with the 
requirements for additional events scoped in under the expanded 
definition of systems intrusion, as noted above. For both current and 
new SCI entities, the benefits of expanding the definition to include 
certain types of systems intrusions that are not covered by Regulation 
SCI would include a potential reduction in the length or severity of 
systems disruptions caused by these types of intrusions and would thus 
reduce the negative effects of those interruptions on the SCI entity 
and on market participants.
    The corrective action requirement of Regulation SCI will likely 
reduce the length of systems disruptions, systems compliance issues, 
and systems intrusions, and thus reduce the negative effects of those 
interruptions on the SCI entity and market participants. Additionally, 
to the extent that corrective action could involve wide-scale systems 
upgrades, some SCI entities may potentially seek to accelerate capital 
expenditures, for example, by updating their systems with newer 
technology earlier than they might have otherwise to comply with 
Regulation SCI. As such, Rule 1002(a) could further help ensure that 
SCI entities invest sufficient resources as soon as reasonably 
practicable to address systems issues.
    New SCI entities will become subject to Rule 1002(a) for the first 
time. The Commission believes that new SCI entities already have a 
variety of procedures in place to take corrective actions when system 
issues occur. However, Rule 1002(a) may require modifications to those 
existing practices in part because the rule specifies the 
timing and enumerates certain goals for corrective action.\774\
---------------------------------------------------------------------------

    \774\ See SCI Adopting Release, supra note 1, at 72423.
---------------------------------------------------------------------------

    Commission Notification (Rule 1002(b)). Rule 1002(b) requires an 
SCI entity to notify the Commission of the SCI event immediately upon 
any responsible SCI personnel having a reasonable basis to conclude 
that an SCI event has occurred. Within 24 hours of any responsible SCI 
personnel having a reasonable basis to conclude that an SCI event has 
occurred, an SCI entity is required to submit to the Commission a more 
detailed written notification, on a good faith, best efforts basis, 
pertaining to the SCI event. Until such time as the SCI event is 
resolved and the SCI entity's investigation of the SCI event is closed, 
the SCI entity is required to provide updates regularly, or at such 
frequency as requested by a representative of the Commission. The SCI 
entity is also required to submit a detailed final written notification 
after the SCI event is resolved and the SCI entity's investigation of 
the event is closed (and an additional interim written notification, if 
the SCI event is not resolved or the investigation is not closed within 
a specified period of time). Finally, paragraph (b)(5) currently 
provides an exception to the reporting requirements of paragraphs 
(b)(1) through (4) for de minimis SCI events, and SCI entities are 
currently required to submit a summary to the Commission with respect 
to systems disruptions and systems intrusions only on a quarterly 
basis. The Commission is proposing to amend this provision to require 
SCI entities to exclude systems intrusions from this exception so that 
SCI entities will need to report systems intrusions, whether de minimis 
or not, within the time frames specified in paragraphs (b)(1) through 
(4). This would eliminate quarterly reporting for de minimis systems 
intrusions. Thus, for current SCI entities, the difference concerns the 
time frame for, and manner of, reporting de minimis systems intrusions 
while new SCI entities will be subject to the entire Commission 
notification regime for the first time.
    For the new SCI entities, Rule 1002(b) as a whole would enhance the 
effectiveness of Commission oversight of the operation of these 
entities. For example, SCI event notification results in greater 
transparency for the Commission, including ensuring that the Commission 
has a view into problems at particular SCI entities for regulatory 
purposes as well as perspective on the effect of a single problem on 
the market at large.\775\ Further, the requirements of submitting 
notifications pertaining to the SCI events to the Commission, set forth 
by Rule 1002(b), could help prevent systems failures from being 
dismissed as momentary issues, because notification would help focus 
the SCI entity's attention on the issue and encourage allocation of SCI 
entity resources to resolve the issue as soon as reasonably 
practicable.
---------------------------------------------------------------------------

    \775\ See SCI Adopting Release, supra note 1, at 72424 (citing 
letter by David Lauer).
---------------------------------------------------------------------------

    Both new and current SCI entities would be subject to the new 
reporting requirements under the proposed revisions to Rule 1001(b)(5). 
These revisions would eliminate the need for an entity to determine 
whether an intrusion (which should be rare and may also be difficult to 
assess) meets the de minimis threshold before notifying the Commission, 
and would instead require reporting of all systems intrusions to the 
Commission at the time of the event, which would provide more timely 
information to the Commission. This may result in more frequent 
reporting of systems intrusions while also eliminating quarterly 
reporting of systems intrusions, as compared to the baseline.
    Information Dissemination (Rule 1002(c)). Rule 1002(c) currently 
requires an SCI entity to disseminate information regarding certain 
major SCI events to all of its members or participants and certain 
other SCI events to affected members or participants. Specifically, 
promptly after any responsible SCI personnel having a reasonable basis 
to conclude that an SCI event has occurred, an SCI entity is required 
to disseminate certain information regarding the SCI event. When 
certain additional information becomes known, the SCI entity is 
required to promptly disseminate such information to those members or 
participants (or, as proposed, in the case of an SCI broker-dealer, 
customers) of the SCI entity that any responsible SCI personnel has 
reasonably estimated may have been affected by the SCI event. Until the 
SCI event is resolved, the SCI entity is required to provide regular 
updates on the required information. In the case of a major SCI event, 
where the impact is most likely to be felt by many market participants, 
dissemination of information to all members, participants, or 
customers, as applicable, of the SCI entity is required. A major SCI 
event is defined to mean an SCI event that has any impact on a critical 
SCI system or a significant impact on the SCI entity's operations or on 
market participants.
    The information dissemination requirement currently does not apply 
to SCI events to the extent that they relate to market regulation or 
market surveillance systems and de minimis SCI events. The Commission 
is proposing to add to these exceptions a systems intrusion that is a 
significant attempted unauthorized entry into the SCI systems or 
indirect SCI systems. Accordingly, Rule 1002(c) remains mostly unchanged for 
existing SCI entities, except to the extent they must comply with the 
requirements for additional events scoped in under the expanded 
definition of systems intrusion (the benefits of which are discussed 
above) and except for systems intrusions that are significant attempted 
unauthorized entries, which are exempted from the information 
dissemination requirements. New SCI entities, however, will become 
subject to the information dissemination requirements for the first 
time.
    Rule 1002(c) is expected to help market participants--specifically 
the members, participants, or customers, as applicable, of new SCI 
entities estimated to be affected by an SCI event and, in the case of 
major SCI events, all members, participants, or customers of a new SCI 
entity--to better evaluate the operations of SCI entities by requiring 
certain information about the SCI event to be disclosed. Furthermore, 
increased awareness of SCI events through information disseminated to 
members, participants, or customers, as applicable, should provide new 
SCI entities additional incentives to maintain robust systems and 
minimize the occurrence of SCI events. More robust SCI systems and the 
reduction in the occurrence of SCI events at new SCI entities could 
reduce interruptions in price discovery processes and liquidity flows. 
For example, in 2014, a commenter stated that sharing information about 
hardware failures, systems intrusions, and software glitches will alert 
others in the industry about such problems and help reduce system-wide 
costs of diagnosing problems, as well as result in improved responses 
to technology problems.\776\
---------------------------------------------------------------------------

    \776\ See SCI Adopting Release, supra note 1, at 72426 n. 931 
(citing letter from James Angel).
---------------------------------------------------------------------------

    With respect to the new exception for significant attempted 
unauthorized entries, which impacts new and existing SCI entities, the 
Commission is concerned that disseminating information about 
unsuccessful attempted entries to members or 
participants of an SCI entity would create unnecessary distractions, 
particularly since the SCI entity's security controls were able, in 
fact, to repel the cybersecurity event. In addition, disseminating 
information regarding unsuccessful intrusions could result in the 
threat actors being unnecessarily alerted that they have been detected, 
which could make it more difficult to identify the attackers and halt 
their efforts on an ongoing, more permanent basis.
    The Commission recognizes that many of the new SCI entities are 
currently subject to other regulatory requirements to maintain policies 
and procedures that address the provisions required by these rules, as 
discussed in detail above.\777\ Similarly, some existing SCI entities 
engage in current market practices consistent with the expanded 
definition of systems intrusion.
---------------------------------------------------------------------------

    \777\ See sections III.A.2.a.ii, III.A.2.b.ii, III.A.2.c.i., 
V.B.1.a.ii, V.B.1.b.ii, and V.B.1.c.ii.
---------------------------------------------------------------------------

    The benefits from the policy and procedure requirements in Rule 
1002(a) through (c) for the new SCI entities (and the costs, as 
discussed below) will therefore depend on the extent to which their 
current operations already align with the rule's requirements, given 
both existing regulation and current practice.
    While some of the existing regulations that apply to the proposed 
new SCI entities may be consistent with or similar to the policy and 
procedure requirements of Regulation SCI discussed in this section, the 
Commission believes it is nevertheless appropriate to apply these 
policy and procedure requirements to the new SCI entities and that 
doing so would benefit participants in the securities markets in which 
these entities operate.
    Overall, applying the specific and comprehensive requirements set 
forth in Rule 1002(a) through (c) of Regulation SCI to the new SCI 
entities would enhance and build on any existing policies and 
procedures, thereby furthering the goals of Regulation SCI to 
strengthen the technology infrastructure of the U.S. securities markets 
and improve its resilience.
ii. Costs
    We discuss below the costs of complying with the requirements of 
Rule 1002, applying the definitions in Rule 1000, including the amended 
definition of systems intrusion. Because the definitions themselves 
have no associated costs, all of the costs associated with the amended 
definition flow through the substantive requirements. New SCI entities 
will need to comply with these requirements for the first time whereas 
costs for the existing SCI entities are attributed to the expanded 
definition of systems intrusion and the amendment to Rule 1002(b)(5). 
Relative to current practice and the baseline, the proposed expansion 
of the definition of systems intrusion would likely result in more 
frequent reporting by SCI entities to the Commission, which is 
reflected in the cost estimates below.
    Corrective Action (Rule 1002(a)). Rule 1002(a) could impose 
modestly higher costs for new SCI entities in responding to SCI events 
relative to their current practice. In the PRA analysis, the Commission 
estimates those costs as approximately $1.2 million in initial and $0.4 
million in annual costs.\778\ Furthermore, if Regulation SCI reduces 
the frequency and severity of SCI events in the future, the cost of 
corrective action could similarly decline over time. Nevertheless, the 
Commission lacks data regarding the degree to which Regulation SCI will 
reduce the frequency and severity of SCI events at new SCI entities.
---------------------------------------------------------------------------

    \778\ See section IV.D.7. For purposes of this Economic 
Analysis, there are two fewer entities than under the PRA analysis, 
lowering these estimated costs. See supra note 700.
---------------------------------------------------------------------------

    In addition, if a new SCI entity is required to take corrective 
action sooner than it might have without the requirements of Regulation 
SCI, this may impose indirect costs (i.e., opportunity costs) on such 
SCI entities because they may have to delay or reallocate their 
resources away from profitable projects and direct their resources 
toward taking corrective action required by the rule. It is difficult 
to assess indirect costs imposed on new SCI entities without having 
comprehensive and detailed information on the value of the potential 
foregone projects of those SCI entities. The facts and circumstances of 
each specific SCI event will be different.
    Existing SCI entities may incur new costs associated with 
corrective action for additional systems intrusions scoped in under the 
expanded definition. The Commission estimates a one-time total cost of 
approximately $0.5 million for all existing SCI entities to update 
their procedures to account for additional types of systems 
intrusions.\779\
---------------------------------------------------------------------------

    \779\ See section IV.D.2.b, IV.D.7.
---------------------------------------------------------------------------

    To the extent new SCI entities currently undertake corrective 
action consistent with the Rule 1002(a) requirements, they could incur 
lower PRA costs to comply with the requirements of Rule 1002(a) than 
entities without such existing requirements. Similarly, to the extent 
many existing SCI entities currently undertake corrective action 
consistent with the expanded definition of systems intrusion, they 
could incur lower PRA costs to comply with the amended requirements of 
Rule 1002(a) than entities without such existing requirements.
    Notification of SCI Events (Rule 1002(b)). The compliance costs 
associated with Rule 1002(b) are attributed to the paperwork burden of 
Commission notifications of SCI events, including recordkeeping and 
submission of quarterly reports with respect to de minimis SCI events, 
as applicable. For new SCI entities, these costs include costs to 
comply with the notification requirements, as amended, for the first 
time. Existing SCI entities would incur costs complying with the 
amendment to Rule 1002(b)(5) as well as the costs associated with 
notification for new events scoped in under the expanded definition of 
systems intrusions. These are discussed in detail in section IV.
    For Rule 1002(b)(1), the Commission estimates approximately $0.1 
million in initial and annual costs for existing and new SCI entities 
alike.\780\ For Rule 1002(b)(2), the Commission estimates approximately 
$1.3 million in initial and annual costs for existing SCI entities and 
$1.5 million in initial and annual costs for new SCI entities.\781\ For 
Rule 1002(b)(3), the Commission estimates approximately $0.2 million in 
initial and annual costs for existing SCI entities and $0.2 million in 
initial and annual costs for new SCI entities.\782\ For Rule 
1002(b)(4), the Commission estimates approximately $2.0 million in 
initial and annual costs for existing SCI entities and $2.3 million in 
initial and annual costs for new SCI entities.\783\ Finally, for Rule 
1002(b)(5), the Commission estimates a savings for existing SCI 
entities, as noted above, and approximately $1.2 million in initial and 
annual costs for new SCI entities.\784\
---------------------------------------------------------------------------

    \780\ See section IV.D.7; see also supra note 700.
    \781\ See id.
    \782\ Id.
    \783\ Id.
    \784\ Id.
---------------------------------------------------------------------------

    To the extent new SCI entities currently provide notification 
consistent with the Rule 1002(b) requirements, they could incur lower 
PRA costs to comply with the requirements of Rule 1002(b) than entities 
without such existing practices.
    Information Dissemination (Rule 1002(c)). While some new SCI 
entities currently provide their members or participants and, in some 
cases, market 
participants or the public more generally, with notices of certain 
systems issues (e.g., system outages), Rule 1002(c) may impose new 
requirements that they have not currently implemented. As such, the 
requirements of Rule 1002(c) will impose costs--which are attributed to 
paperwork burdens--on new SCI entities with respect to preparing, 
drafting, reviewing, and making the information available to members or 
participants, or, in the case of an SCI broker-dealer, customers. For 
new SCI entities, the Commission estimates approximately $1.3 million in 
costs, initially and annually, for disseminating information about SCI 
events and systems affected, as required by Rule 1002(c)(1).\785\ For 
new entities, the Commission also estimates approximately $1.6 million 
in initial costs and $0.4 million in annual costs to develop processes 
to identify the nature of a critical system, major SCI event, or a de 
minimis SCI event for purposes of disseminating this information.\786\
---------------------------------------------------------------------------

    \785\ See section IV.D.7. For purposes of this Economic 
Analysis, there are two fewer entities than under the PRA analysis, 
lowering these estimated costs. See supra note 700.
    \786\ See section IV.D.2.d, IV.D.7; see also supra note 700.
---------------------------------------------------------------------------

    Existing SCI entities may incur new costs associated with 
information dissemination for additional systems intrusions scoped in 
under the expanded definition. The Commission estimates approximately 
$0.7 million in initial and annual PRA costs for existing SCI entities, 
and $0.4 million in initial and annual costs for new SCI entities, for 
disseminating information about system intrusions as required by the 
proposed revisions to Rule 1002(c)(2).\787\ These costs are discussed 
in more detail in section IV.
---------------------------------------------------------------------------

    \787\ See section IV.D.7; supra note 700.
---------------------------------------------------------------------------

    To the extent new SCI entities currently disseminate information 
consistent with the Rule 1002(c) requirements, they could incur lower 
PRA costs to comply with the requirements of Rule 1002(c) than entities 
without such existing requirements. Similarly, to the extent many 
existing SCI entities currently disseminate information consistent with 
the expanded definition of systems intrusion, they could incur lower 
PRA costs to comply with the amended requirements of Rule 1002(c) than 
entities without such existing practices.
    Identification of Nature of System or Event. To comply with the 
requirements of Rule 1002, SCI entities need to identify certain types 
of events and systems issues, including whether the event is de 
minimis. Current SCI entities would already have such processes in 
place to comply with the existing requirements of Regulation SCI. The 
Commission understands that many new SCI entities likely already have 
some internal procedures for determining the severity of a systems 
issue.
    As a new SCI entity must determine whether an SCI event has 
occurred and whether it is a de minimis SCI event, Rule 1002 may impose 
one-time implementation costs on new SCI entities associated with 
developing a process or modifying their existing processes to ensure that 
they are able to quickly and correctly make such determinations, as 
well as ongoing costs in reviewing the adopted process. As explained in 
detail in section IV, we estimate new SCI entities would incur an 
initial PRA cost of $1,641,024 and an ongoing annual PRA cost of 
$362,418 to develop these processes.
    To the extent new SCI entities currently have a process in place 
for identifying certain types of events and system issues consistent 
with the relevant Rule 1002 requirements, they could incur lower PRA 
costs to comply with the relevant requirements of Rule 1002 than 
entities without such existing requirements.
c. Rule 1003--Material Systems Changes and SCI Review
i. Reports to the Commission (Rule 1003(a))
    Rule 1003(a)(1) requires an SCI entity to provide quarterly reports 
to the Commission describing completed, ongoing, and planned material 
systems changes to its SCI systems and the security of indirect SCI 
systems, during the prior, current, and subsequent calendar quarters. 
Rule 1003(a)(1) also requires an SCI entity to establish reasonable 
written criteria for identifying a change to its SCI systems and the 
security of its indirect SCI systems as material. Rule 1003(a)(2) 
requires an SCI entity to promptly submit a supplemental report to 
notify the Commission of a material error in or material omission from 
a previously submitted report. These requirements remain unchanged. New 
SCI entities, however, will become subject to them for the first time. 
We discuss the benefits and costs of applying these provisions to new 
SCI entities below.
(1) Benefits
    The notification requirement would be beneficial because it permits 
the Commission and its staff to have up-to-date information regarding 
an SCI entity's systems development progress and plans, to aid in 
understanding the operations and functionality of the systems, and any 
material changes thereto, without requiring SCI entities to submit a 
notification to the Commission for each material systems change.\788\
---------------------------------------------------------------------------

    \788\ See SCI Adopting Release, supra note 1, at 72337-38.
---------------------------------------------------------------------------

    The Commission recognizes that some of the new SCI entities are 
currently subject to other material systems change notification 
requirements and that most, if not all, new SCI entities have some 
internal processes for documenting systems changes as discussed in 
detail above.\789\ Accordingly, the Commission notification 
requirements in Rule 1003(a) would be new for most but not all of the 
new SCI entities.
---------------------------------------------------------------------------

    \789\ See sections III.A.2.a.ii, III.A.2.b.ii, III.A.2.c.i., 
V.B.1.a.ii, V.B.1.b.ii, and V.B.1.c.ii.
---------------------------------------------------------------------------

    The benefits from the policy and procedure requirements in Rule 
1003(a) for the new SCI entities (and the costs, as discussed below) 
will therefore depend on the extent to which their current operations 
already align with the rule's requirements, given both existing 
regulation and current practice.
    While some of the existing regulations that apply to the proposed 
new SCI entities may be consistent with or similar to the policy and 
procedure requirements of Regulation SCI discussed in this section, the 
Commission believes it is nevertheless appropriate to apply these 
policy and procedure requirements to the new SCI entities and that doing so 
would benefit participants in the securities markets in which these 
entities operate. Overall, applying the specific and comprehensive 
requirements set forth in Rule 1003(a) of Regulation SCI to the new SCI 
entities would complement any existing requirements and enhance any 
reporting of material systems changes already in place for these 
entities.
(2) Costs
    The compliance costs of Rule 1003(a) primarily entail costs 
associated with preparing and submitting Form SCI in accordance with 
the instructions thereto. The initial and ongoing PRA cost estimates 
associated with preparing and submitting Form SCI with regard to 
material systems changes under Rule 1003(a)(1) and (2) are discussed in 
detail in section V. The Commission does not expect Rule 1003(a) would 
impose significant costs on SCI entities other than those discussed in 
section IV. For new SCI entities, the Commission estimates 
approximately $1.0 million in initial PRA costs and $0.3 million in 
annual PRA costs to establish
reasonable written criteria for identifying material changes to SCI 
systems and to the security of indirect SCI systems.\790\ For new SCI 
entities, the Commission also estimates approximately $3.6 million 
initially and annually in PRA costs associated with material system 
change notices.\791\ The Commission acknowledges that the actual cost 
for each new entity may differ depending on their existing processes 
for documenting system changes and whether the necessary information is 
readily available. The Commission does not expect Rule 1003(a) to 
impose significant costs on new SCI entities besides the costs 
discussed here. To the extent new SCI entities are currently subject to 
other material systems change notification regulatory requirements and 
have existing processes for documenting systems changes that align with 
the Rule 1003(a) requirements, they could incur lower costs to comply 
with the requirements of Rule 1003(a) than entities without such 
existing requirements.
---------------------------------------------------------------------------

    \790\ See section IV.D.7. For purposes of this Economic 
Analysis, there are two fewer entities than under the PRA analysis, 
lowering these estimated costs. See supra note 700.
    \791\ Id.
---------------------------------------------------------------------------

ii. Annual SCI Review (Rules 1000 and 1003(b))
    Rule 1003(b) requires SCI entities to conduct an annual SCI review 
and works in conjunction with the definition of ``SCI review'' from 
Rule 1000. Under the current definition, SCI review includes ``(1) A 
risk assessment with respect to such systems of an SCI entity; and (2) 
An assessment of internal control design and effectiveness of its SCI 
systems and indirect SCI systems to include logical and physical 
security controls, development processes, and information technology 
governance, consistent with industry standards.'' \792\ Rule 1003(b)(1) 
then requires an annual SCI review, ``provided, however, that (i) 
Penetration test reviews . . . shall be conducted at a frequency of not 
less than once every three years; and (ii) Assessment of SCI systems 
directly supporting market regulation or market surveillance shall be 
conducted at a frequency based upon the risk assessment conducted as 
part of the SCI review, but in no case less than once every three 
years.'' \793\ Rule 1003(b)(2) and (3) require each SCI entity to 
submit its annual SCI review report to, respectively, ``senior 
management of the SCI entity for review'' and ``to the Commission and 
to the board of directors of the SCI entity, or the equivalent of such 
board'' within specified time frames.\794\
---------------------------------------------------------------------------

    \792\ 17 CFR 242.1000.
    \793\ 17 CFR 242.1003(b)(1).
    \794\ 17 CFR 242.1003(b)(2) and (3).
---------------------------------------------------------------------------

    The Commission proposes to make changes to the definition of ``SCI 
review.'' Specifically, under the proposed amendment, ``SCI review'' 
would include, for both SCI systems and indirect SCI systems, an annual 
assessment, using appropriate risk management methodology, of risks 
related to capacity, integrity, resiliency, availability, and security, 
and internal control design and operating effectiveness, and annual 
penetration test reviews (increased from at least one review every 
three years), and a review of third-party provider management risks and 
controls. Rule 1003(b) would also be amended to require more specific 
information to be included in the SCI review report, including a list 
of the controls reviewed and a description of each such control; the 
findings of the SCI review, including, at a minimum, assessments of the 
risks described above; a summary, including the scope of testing and 
resulting action plan, of each penetration test review; and a 
description of each deficiency and weakness identified by the SCI 
review. In addition, the revisions would make it mandatory that a 
response from senior management to the report be included when the 
report is submitted to the Commission and the board, whereas previously 
the language appeared permissive.
(1) Benefits
    The SCI review requirement would have SCI entities assess the 
relative strengths and weaknesses of their systems which may help, in 
turn, improve systems and reduce the number of SCI events. The 
reduction in occurrence of SCI events could reduce interruptions in the 
price discovery process and liquidity flows, as discussed above. In 
addition, the efficiency of the Commission's oversight (e.g., 
inspection) of SCI entities' systems would be enhanced.
    The proposed increase in the frequency of penetration testing 
reviews, which applies to both new and existing SCI entities, should 
better prepare SCI entities against cyber threats, which are increasing 
in number and becoming more sophisticated. For this reason, the 
proposed amendment is expected to further strengthen the security, 
integrity, and resilience of all SCI entities. Having an annual 
penetration testing requirement can help SCI entities reduce the 
likelihood of costly data breaches.\795\ For instance, according to one 
industry source, RSI Security, a penetration test ``can measure [the 
entity's] system's strengths and weaknesses in a controlled environment 
before [the entity has] to pay the cost of an extremely damaging data 
breach.'' \796\
---------------------------------------------------------------------------

    \795\ See, e.g., Mirza Asrar Baig, How Often Should You 
Pentest?, Forbes.com (Jan. 22, 2021), available at https://www.forbes.com/sites/forbestechcouncil/2021/01/22/how-often-should-you-pentest/?sh=b667999573c6.
    \796\ RSI Security, What is the Average Cost of Penetration 
Testing?, RSI Security Blog (Mar. 5, 2020), available at https://blog.rsisecurity.com/what-is-the-average-cost-of-penetration-testing/#:~:text=Penetration%20testing%20can%20cost%20anywhere,that%20of%20a%20large%20company.
---------------------------------------------------------------------------

    The requirement to review third-party provider management risks and 
controls will work in conjunction with the proposed amendment to Rule 
1001(a)(2) requiring the inclusion of third-party provider management. 
The additional benefit of requiring an annual review of third-party 
provider management risks and controls is to ensure that the benefits 
provided by the amendment to Rule 1001(a)(2) are properly realized and 
to further increase the likelihood that third-party providers provide 
functionality, support or services that are consistent with the 
requirements of Regulation SCI.
    The Commission understands that many existing SCI entities have 
already adopted practices that may align with some of the provisions of 
the proposed amendment to Rule 1003(b).
    The Commission also understands that many new SCI entities 
currently undertake annual systems reviews and that senior management 
and/or the board of directors or a committee thereof reviews reports of 
such reviews as discussed in detail above.\797\ However, the scope of 
the systems reviews, and the level of senior management and/or board 
involvement in such reviews, can vary.
---------------------------------------------------------------------------

    \797\ See sections III.A.2.a.ii, III.A.2.b.ii, III.A.2.c.i., 
V.B.1.a.ii, V.B.1.b.ii, and V.B.1.c.ii.
---------------------------------------------------------------------------

    The benefits from the policy and procedure requirements in Rule 
1003(b) for the new SCI entities (and the costs, as discussed below) 
and the benefits from the amended policy and procedure requirements in 
Rule 1003(b) for the existing SCI entities, will therefore depend on 
the extent to which their current operations already align with the 
rule's requirements, given both existing regulation and current 
practice.
    For example, with respect to broker-dealers, prior Commission and 
FINRA exam results indicate that many if not most large broker-dealers 
conduct risk assessments of internal control design and effectiveness. 
Additionally, some
broker-dealers provide annual cybersecurity reports to the board. The 
Commission understands that nearly all large broker-dealers conduct 
penetration testing \798\ of systems considered critical although not 
all firms conduct such testing annually. Many of these current market 
practices align with the policy and procedure requirements of 
Regulation SCI discussed in this section.
---------------------------------------------------------------------------

    \798\ Supra note 619. According to FINRA's 2018 RCA, 100% of 
higher revenue firms include penetration testing as a component in 
their overall cybersecurity program. Other factors these firms 
consider in evaluating the relevance of penetration testing include 
the degree to which they manage or store confidential or critical 
data such as trading strategies, customer PII, information about 
mergers and acquisitions or confidential information from other 
entities (for example, in the case of clearing firms).
---------------------------------------------------------------------------

    While some of the existing regulations that apply to the proposed 
new SCI entities or current market practices may be consistent with or 
similar to some of the policy and procedure requirements of Regulation 
SCI discussed in this section, the Commission believes it is 
nevertheless appropriate to apply these policy and procedure 
requirements to the new SCI entities and that doing so would benefit 
participants in the securities markets in which these entities operate.
    Overall, applying the specific and comprehensive requirements set 
forth in Rule 1003(b) of Regulation SCI to the new SCI entities would 
enhance and build on any existing policies and procedures, thereby 
furthering the goals of Regulation SCI to strengthen the technology 
infrastructure of the U.S. securities markets and improve its 
resilience.
(2) Costs
    New SCI entities will incur costs to comply with the review 
requirements for the first time, and existing SCI entities will incur 
costs to comply with the amended provisions. The initial and ongoing 
paperwork burden associated with conducting an SCI review, submitting a 
report of the SCI review to senior management of the SCI entity for 
review, and submitting a report of the SCI review and the response by 
senior management to the Commission and to the board of directors of 
the SCI entity or the equivalent of such board is discussed in detail 
in section IV. For existing SCI entities, the Commission estimates 
approximately $7.4 million in initial and annual costs, while for new 
SCI entities the Commission estimates approximately $9.6 million in 
initial and annual costs.\799\ The paperwork burden estimates provided 
here for new SCI entities include the costs of complying with the 
proposed amended versions of the Rule, namely the proposed additional 
requirements for conducting the SCI review, the requirement that SCI 
entities include more specific information in their SCI review reports, 
and related recordkeeping.\800\
---------------------------------------------------------------------------

    \799\ See section IV.D.7. For purposes of this Economic 
Analysis, there are two fewer entities than under the PRA analysis, 
lowering these estimated costs. See supra note 700.
    \800\ See section IV.D.3.
---------------------------------------------------------------------------

    To the extent new SCI entities currently undertake annual systems 
reviews and that senior management and/or the board of directors or a 
committee thereof reviews reports of such reviews consistent with the 
Rule 1003(a) requirements, they could incur lower PRA costs to comply 
with the requirements of Rule 1003(a) than entities without such 
existing practices. Similarly, to the extent many existing SCI entities 
have already adopted practices that are consistent with some of the 
provisions of the proposed amendment to Rule 1003(b), they could incur 
lower PRA costs to comply with the requirements of Rule 1003(a) than 
entities without such existing practices.
    With respect to the increased frequency for the penetration test 
review, this requirement will impose non-paperwork compliance costs in 
addition to those captured by the PRA estimates for both new and 
existing SCI entities. For example, RSI Security explains that 
penetration testing ``can cost anywhere from $4,000-$100,000,'' and 
``[o]n average, a high quality, professional [penetration testing] can 
cost from $10,000-$30,000.'' \801\ RSI Security, however, was clear 
that the magnitudes of these costs can vary with size, complexity, 
scope, methodology, types, experience, and remediation measures.\802\ 
Another source estimates a ``high-quality, professional [penetration 
testing to cost] between $15,000-$30,000,'' while emphasizing that 
``cost varies quite a bit based on a set of variables.'' \803\ This is 
in line with a third source, which states that ``[a] true penetration 
test will likely cost a minimum of $25,000.'' \804\ The Commission 
preliminarily believes that the cost of penetration testing will range 
between $25,000 and $100,000 for new and existing SCI entities, in 
light of the complexity and scope required, although the costs may be 
somewhat lower depending on the frequency with which such testing and 
review are currently conducted by new and existing SCI entities. The 
Commission acknowledges the non-paperwork costs of the proposed 
increase in the frequency of a penetration test review, and seeks 
feedback on these costs.
---------------------------------------------------------------------------

    \801\ See RSI Security, supra note 796.
    \802\ See id.
    \803\ Gary Glover, How Much Does a Pentest Cost?, 
Securitymetrics Blog (Nov. 15, 2022, 8:36 a.m.), available at 
https://www.securitymetrics.com/blog/how-much-does-pentest-cost.
    \804\ Mitnick Security, What Should You Budget for a Penetration 
Test? The True Cost, Mitnick Security Blog, (Jan. 29, 2021, 5:13 
a.m.), available at https://www.mitnicksecurity.com/blog/what-should-you-budget-for-a-penetration-test-the-true-cost.
---------------------------------------------------------------------------

Request for Comment
    118. For current and proposed SCI entities, how often do you 
(already) perform penetration testing and how much does it cost?
d. Rule 1004--Business Continuity and Disaster Recovery Plan Testing
    Rule 1004(b) requires the testing of an SCI entity's business 
continuity and disaster recovery plans at least once every 12 months. 
Rule 1004(a) and (b) require participation in such testing by those 
members or participants that an SCI entity reasonably determines are, 
taken as a whole, the minimum number necessary for the maintenance of 
fair and orderly markets in the event of the activation of its BC/DR 
plans. Rule 1004(c) requires an SCI entity to coordinate such testing 
on an industry- or sector-wide basis with other SCI entities.\805\ The 
Commission is proposing to amend Rule 1004 to require that third-party 
providers also participate in such testing. Therefore, for current SCI 
entities, the difference is to include third-party providers in their 
testing. For new SCI entities, the entire provision is a new 
obligation. We discuss below the benefits and costs of applying this 
provision, including the proposed amendments, to new and existing SCI 
entities.
---------------------------------------------------------------------------

    \805\ One avenue for coordinating such testing is through 
SIFMA's voluntary Industry-Wide Business Continuity Test. See SIFMA, 
Industry-Wide Business Continuity Test (Oct. 15, 2022), available at 
https://www.sifma.org/resources/general/industry-wide-business-continuity-test/.
---------------------------------------------------------------------------

i. Benefits
    As discussed above, requiring the new SCI entities to test their 
BC/DR plans would likely improve backup infrastructure and lead to 
fewer market-wide shutdowns, which should help facilitate continuous 
liquidity flows in markets, reduce pricing errors, and thus improve the 
quality of the price discovery process.\806\ Moreover, Rule 1004 would 
help ensure fair and orderly markets in the event of the activation of 
BC/DR plans.
---------------------------------------------------------------------------

    \806\ See sec. V.C.1.; see also SCI Adopting Release, supra note 
1, at 72429.
---------------------------------------------------------------------------

    In addition, for both new and existing SCI entities, the proposed 
requirement to establish standards for the
designation of third-party providers and their participation in the 
currently scheduled functional and performance testing of the operation 
of BC/DR plans will help those SCI entities ensure that their efforts 
to develop effective BC/DR plans are not undermined by a lack of 
participation by third-party providers that the SCI entity believes are 
necessary to the successful activation of such plans.
    Although the Commission finds it impracticable to quantify these 
benefits in dollar terms,\807\ the Commission believes it would be 
helpful to consider the cost of an unplanned outage. For example, the 
Commission considers a reduced occurrence of a potential outage as a 
benefit of complying with Regulation SCI. As discussed above, one 
source of cost estimates for an unplanned outage is the Ponemon 
Institute's 2016 Cost of Data Center Outages report.\808\ According to 
the report, the total cost per minute of an unplanned outage was $8,851 
for the average data center the Institute surveyed in 2016.\809\ This 
implies a cost of $531,060 per hour of an unplanned outage at the 
time.\810\ Moreover, outages themselves can also last far longer than 
one hour. For example, natural disasters, such as hurricanes, can often 
lead to lengthy outages lasting 200 to 400 hours.\811\ Taken together, 
this data suggests potentially significant benefits to having an 
adequate policy and procedure in place to ensure business continuity 
and disaster recovery plans for SCI entities.
---------------------------------------------------------------------------

    \807\ As discussed in section V.D.1. multiple factors would 
affect the harm to the overall economy from an unplanned outage at 
an SCI entity.
    \808\ See supra note 696.
    \809\ Id. at 14.
    \810\ The report also showed that this figure was increasing 
over time. The same figure was $5,617/min in 2010 and $7,908/min in 
2013. See id.
    \811\ See Data Foundry, How Much Should You Spend On Business 
Continuity and Disaster Recovery (Dec. 12, 2019), available at 
https://www.datafoundry.com/blog/much-spend-business-continuity-disaster-recovery.
---------------------------------------------------------------------------

    The benefits from the BC/DR requirements in Rule 1004 for the 
current and new SCI entities (and the costs, as discussed below) will 
depend on the extent to which their current operations already align 
with the rule's requirements, given both existing regulation and 
current practice. Based on discussion with industry participants, the 
Commission understands that some existing SCI entities already require 
third-party service provider participation in testing despite not being 
required to do so currently under Regulation SCI. For these SCI 
entities, there may be incremental benefits from making the third-party 
service provider participation a requirement under the Regulation and 
ensuring that they continue to include these parties in such testing 
going forward.
    Some new SCI entities, either due to existing regulatory 
requirements or on their own volition, also already require some of 
their members or participants, as well as third-party providers, to 
participate in performance testing of BC/DR plans or offer the 
opportunity to do so on a voluntary basis, although such participation 
may be limited in nature (e.g., testing for connectivity to backup 
systems). However, existing requirements for the new SCI entities may 
differ from the requirements of Rule 1004. For example, FINRA Rule 4370 
does not require the functional and performance testing and 
coordination of industry or sector-testing of such plans.
    With respect to SBSDRs, the requirements of Regulation SCI are more 
specific and comprehensive in terms of testing business continuity and 
disaster recovery plans than the principles-based requirements of Rule 
13n-6. The requirements of Regulation SCI would thus exist and operate 
in conjunction with Rule 13n-6 and help ensure that SBSDR market 
systems are robust, resilient, and secure and enhance Commission 
oversight of these systems. Moreover, to the extent the systems of 
SBSDRs that relate to the security-based swap markets function 
separately (or could function separately in the future) from the 
systems of SDRs that relate to the swaps markets, applying Rule 1004 to 
these entities would help to ensure effective testing of BC/DR plans 
for the specific systems relevant to the securities markets and would 
subject these systems to enhanced Commission oversight.
    Similarly, the Commission recognizes that exempt clearing agencies 
that this rule proposal would newly scope into Regulation SCI are 
currently required to have BC/DR plans and test them at least annually 
with the participation of customers, critical utilities, critical 
service providers, other clearing agencies, other market 
infrastructures, and any other institution with which interdependencies 
have been identified in the business continuity policy. Overall, 
applying the specific and comprehensive requirements set forth in Rule 
1004 would complement existing requirements and enhance the BC/DR plans 
tests already in place for these entities.
ii. Costs
    The mandatory testing of SCI entity BC/DR plans, including backup 
systems, as required under amended Rule 1004, will result in costs to 
SCI entities. For current SCI entities, the increase in the cost would 
come from the requirement to include designated third-party providers 
when testing their BC/DR plans--to the extent they have not been 
doing so. In addition, because the proposed requirements of Rule 1004 
would require participation by various other parties, including 
designated members, participants, and other third parties, these 
parties may also bear costs of Rule 1004. We discuss these various 
costs below.
    Costs to New and Existing SCI Entities. It is the Commission's 
understanding that some new SCI entities already engage with their 
members, participants or customers, as applicable, or third-party 
providers when testing BC/DR plans. Furthermore, as mentioned above, 
market participants, including new SCI entities, already coordinate 
certain BC/DR plans testing to an extent. However, Rule 1004 mandates 
participation in testing for new SCI entities that do not currently 
participate, requires coordination when testing BC/DR plans, and 
requires their members, market participants, or their third-party 
providers to participate.
    In particular, Rule 1004 requires SCI entities to designate their 
members, participants, or third-party providers to participate in BC/DR 
plans testing and to coordinate such testing with other SCI entities on 
an industry- or sector-wide basis. The requirement of member, 
participant, or third-party provider designation in BC/DR plans testing 
under Rule 1004 may impose new costs even for those that currently have 
BC/DR plan testing, as an SCI entity would have to allocate resources towards 
initially establishing and later updating standards for the designation 
of its members and participants and third-party providers for testing. 
For example, systems reconfiguration for functional and performance 
testing and establishing an effective coordinated test script could be 
a complex process and result in additional costs, but it is an 
important first step in establishing robust and effective BC/DR plans 
testing. Furthermore, the requirement to coordinate industry- or 
sector-wide testing would impose additional administrative costs 
because an SCI entity would be required to notify its members, 
participants, or third-party providers and also organize, schedule, and 
manage the coordinated testing.
    Many of the costs associated with Rule 1004 are costs estimated in 
the PRA in section IV. For existing SCI entities the Commission 
estimates approximately $1.4 million in initial costs and $0.5 million 
in annual costs,
while for new SCI entities the Commission estimates approximately $3.2 
million in initial costs and $1.1 million in annual costs.\812\ In 
addition to the PRA costs, the Commission believes that new SCI 
entities may incur non-paperwork costs associated with the mandatory 
testing of BC/DR plans, including backup systems; however, the 
Commission finds it impracticable to provide a quantified estimate of 
these specific non-paperwork costs for new SCI entities because the 
Commission does not have detailed information regarding the current 
level of engagement by members or participants in BC/DR testing and the 
associated costs, or the details of the BC/DR testing that new SCI 
entities would implement pursuant to Rule 1004.
---------------------------------------------------------------------------

    \812\ See section IV.D.4. For purposes of this Economic 
Analysis, there are two fewer entities than under the PRA analysis, 
lowering these estimated costs. See supra note 700.
---------------------------------------------------------------------------

    In addition, both new and existing SCI entities may incur costs 
beyond the PRA costs to comply with the requirement that third-party 
providers be included in the testing requirement. The Commission 
acknowledges that there will be significant variations in incremental 
cost for new and existing SCI entities beyond the costs of complying 
with the rest of the testing requirements, depending on the 
relationship of each SCI entity with the third-party provider and the 
need to revise any contractual agreement between them. But in any 
situation where a third-party provider is already required to provide a 
continuous service plan (such as 24/7 connectivity), the incremental 
cost of having the third-party provider participate in the BC/DR 
testing should be modest. To the extent existing and new SCI entities 
already have BC/DR plan testing that aligns with the Rule 1004 
requirements, they could incur lower costs to comply with the 
requirements of Rule 1004 than entities without such existing BC/DR 
plan testing.
    Costs to SCI Entity Members, Participants, and Third-Party 
Providers. Rule 1004 will also impose costs on SCI entity designated 
members, participants and third-party providers. Although members, 
participants, and third-party providers will incur costs as a result of 
Rule 1004, those that are likely to be designated to participate in 
business continuity and disaster recovery plans testing are those that 
conduct a high level of activity with the SCI entity or those that play 
an important role for the SCI entity and who are more likely to have 
already established connections to the SCI entity's backup site. It is 
the Commission's understanding that most of the larger members, 
participants, and third-party providers already have established 
connectivity with the SCI entity's backup site and already monitor and 
maintain such connectivity, and thus the additional connectivity costs 
imposed by Rule 1004 would be modest to these members or 
participants.\813\ The Commission, however, finds it impracticable to 
provide a quantified estimate of the specific costs for SCI entity 
members, participants or third-party providers associated with the 
mandatory testing required by Rule 1004 as such data or information is 
not required to be provided by SCI entities to the Commission under 
Regulation SCI. Nevertheless, the Commission preliminarily believes, 
for similar reasons as provided in the section discussing non-paperwork 
burden estimates for Rule 1001(a) and (b), that the figures from 2014 
remain reasonable approximations for new SCI entities in 2023, after 
adjusting for inflation since 2014.\814\
---------------------------------------------------------------------------

    \813\ See SCI Adopting Release, supra note 1, at 72430.
    \814\ After adjusting for inflation since 2014, the cost of BC/DR 
plan testing ranges from approximately $31,000 to $76,000 per 
year, per member or participant. The aggregate annual cost for 
designated members and participants to participate in BC/DR testing 
is approximately $84.0 million after adjusting for inflation since 
2014.
---------------------------------------------------------------------------

    Because SCI entities have an incentive to limit the cost and burden 
associated with testing to the minimum necessary to comply with the 
rule, given the option, most SCI entities would likely, in the exercise 
of reasonable discretion, prefer to designate the fewest number of 
members, participants, or third-party providers needed to participate 
in testing and meet the requirements of the rule, rather than to 
designate more.
    The Commission believes that the cost associated with Rule 1004 is 
unlikely to induce the designated members or participants to reduce the 
number of SCI entities through which they trade and adversely affect 
price competitiveness in markets. As noted above, the Commission also 
recognizes that costs to some SCI entity members, participants, or 
third-party providers associated with Rule 1004 could vary depending on 
the BC/DR plans being tested, and to the extent they participate. Based 
on industry sources, the Commission understands that most of the larger 
members or participants of SCI entities already maintain connectivity 
with the backup systems of SCI entities.\815\ However, the Commission 
understands that there is a lower incidence of smaller members or 
participants maintaining connectivity with the backup sites of SCI 
entities. As such, the Commission believes that the compliance costs 
associated with Rule 1004 would be higher for those members, 
participants, or third-party providers that are designated for testing 
by SCI entities and that would need to invest in additional infrastructure 
to participate in such testing.\816\
---------------------------------------------------------------------------

    \815\ SCI Adopting Release, supra note 1, at 72430.
    \816\ Id.
---------------------------------------------------------------------------

    As discussed above, Rule 1001(a) does not require that backup 
facilities of SCI entities fully duplicate the features of primary 
facilities.\817\ Further as discussed in section IV.B.6, SCI entity 
members, participants, or third-party providers are not required by 
Regulation SCI to maintain the same level of connectivity with the 
backup sites of an SCI entity as they do with the primary sites. In the 
event of a wide-scale disruption in the securities markets, the 
Commission acknowledges that SCI entities and their members, 
participants, or third-party providers may not be able to provide the 
same level of service as on a normal trading day. However, when BC/DR 
plans are in effect due to a wide-scale disruption in the securities 
markets, the requirements of Rule 1004 should help ensure adequate 
levels of service and pricing efficiency, to facilitate trading and 
maintain fair and orderly markets without imposing excessive costs on 
SCI entities and market participants by requiring them to maintain the 
same connectivity with the backup systems as with the primary 
sites.\818\
---------------------------------------------------------------------------

    \817\ SCI Adopting Release, supra note 1, at 72353.
    \818\ See id.
---------------------------------------------------------------------------

Request for Comment
    119. If you are a current or proposed SCI entity and you currently 
require any of your service providers to participate in your scheduled 
business continuity or disaster recovery testing, how does your 
activity differ from the requirements of the rule proposal? What have 
been the benefits and costs of this activity?
    120. If you are a current or proposed SCI entity and your business 
continuity or disaster recovery plans address the unavailability of 
your third-party providers, how does your activity differ from the 
requirements of the rule proposal? What have been the benefits and 
costs of this activity?
e. Rules 1005 Through 1007--Recordkeeping and Electronic Filing
    Rules 1005 through 1007 relate to recordkeeping requirements, 
filing and submission requirements, and

[[Page 23261]]

requirements for service bureaus. SCI entities are required by Rule 
1005 of Regulation SCI to make, keep, and preserve certain records 
related to their compliance with Regulation SCI.\819\ Rule 1006 of 
Regulation SCI provides for certain requirements relating to the 
electronic filing on Form SCI, of any notification, review, 
description, analysis, or report to the Commission required to be 
submitted under Regulation SCI.\820\ Rule 1007 of Regulation SCI 
requires a written undertaking when records are required to be filed or 
kept by an SCI entity under Regulation SCI, or are prepared or 
maintained by a service bureau or other recordkeeping service on behalf 
of the SCI entity.\821\
---------------------------------------------------------------------------

    \819\ See 17 CFR 242.1005. Rule 1005(a) of Regulation SCI 
relates to recordkeeping provisions for SCI SROs, whereas Rule 
1005(b) relates to the recordkeeping provision for SCI entities 
other than SCI SROs.
    \820\ See 17 CFR 242.1006.
    \821\ See 17 CFR 242.1007.
---------------------------------------------------------------------------

    Rule 1005(c) currently requires that the recordkeeping period 
survives even if an SCI entity ceases to do business or ceases to be 
registered under the Exchange Act. The Commission proposes to amend 
Rule 1005(c) so that this record retention provision also applies to an 
SCI entity that remains in business as a registered entity but 
``otherwise [ceases] to be an SCI entity.'' Therefore, for existing SCI 
entities, this is the only difference from the current recordkeeping 
requirement in Rule 1005(c). For new SCI entities, all of the 
requirements in Rules 1005 through 1007 are new obligations. We discuss 
below the benefits and costs of applying these provisions to new and 
existing SCI entities.
i. Benefits
    The Commission believes that Rules 1005 and 1007 would allow 
Commission staff to inspect and examine the new SCI entities for their 
compliance with Regulation SCI, and would increase the likelihood that 
Commission staff can identify conduct inconsistent with Regulation SCI. 
Preserved information should provide the Commission with an additional 
source to help determine the causes and consequences of one or more SCI 
events and better understand how such events may have impacted trade 
execution, price discovery, liquidity, and investor participation. 
Consequently, the Commission believes that the requirements of Rules 
1005 and 1007 would help ensure compliance of the new SCI entities with 
Regulation SCI and help realize the potential benefits (e.g., better 
pricing efficiency, price discovery, and liquidity flows) of the 
regulation.
    Rule 1006 requires SCI entities to electronically file all written 
information with the Commission on Form SCI.\822\ Rule 1006 would provide 
a uniform manner in which the Commission receives--and SCI entities 
provide--written notifications, reviews, descriptions, analyses, or 
reports required by Regulation SCI. Rule 1006 should add efficiency for 
the new SCI entities in drafting and submitting the required reports, 
and for the Commission in reviewing, analyzing, and responding to the 
information provided.
---------------------------------------------------------------------------

    \822\ Except for notifications submitted pursuant to Rule 
1002(b)(1) and (3).
---------------------------------------------------------------------------

    The Commission recognizes that all of the new SCI entities are 
currently subject to Commission and other regulatory recordkeeping 
requirements.\823\ However, records relating to Regulation SCI may not 
be specifically addressed in the recordkeeping requirements of certain 
rules. The benefits from the recordkeeping requirements in Rules 1005 
and 1007 for the new SCI entities (and the costs, as discussed below), 
will therefore depend on the extent to which their current operations 
already align with the rule's requirements, given both existing 
regulation and current practice.
---------------------------------------------------------------------------

    \823\ See, e.g., 17 CFR 240.17a-3 and 240.17a-4, applicable to 
broker-dealers.
---------------------------------------------------------------------------

    The proposed amendment to Rule 1005(c) will apply to new and 
existing SCI entities. Although many SCI events may be resolved in a 
short time frame, other SCI events may not be discovered until an 
extended period of time after their occurrence, or may take significant 
periods of time to fully resolve. In such cases, 
having an SCI entity's records available after it has ceased to be an 
SCI entity or be registered under the Exchange Act would add to the 
scope of historical records available for review in the event of an SCI 
event. This is a particular issue for entities whose coverage under the 
rule might vary over time, depending on when the entities--or their 
systems--meet the rule's coverage thresholds. For these entities, 
uniform record retention periods will also facilitate comparative 
review of risk and compliance trends. These benefits will be limited if 
entities and systems of entities tend to continue meeting coverage 
requirements over time, without a break in coverage.
ii. Costs
    The recordkeeping requirements of Rules 1005 and 1007 will impose 
additional costs, including a one-time cost to set up or modify an 
existing recordkeeping system to comply with Rules 1005 and 1007. The 
initial and ongoing compliance costs associated with the recordkeeping 
requirements are attributed to paperwork burdens, which are discussed 
in section IV above.\824\
---------------------------------------------------------------------------

    \824\ When monetized, the paperwork burden associated with all 
recordkeeping requirements would result in approximately $278,460 
initially and $40,950 annually for all new SCI entities in the 
aggregate. The Commission estimates that a New SCI Entity other than 
an SCI SRO will incur a one-time cost of $900 for information 
technology costs for purchasing recordkeeping software, for a total 
of $18,900. See section IV.D.7. For purposes of this Economic 
Analysis, there are two fewer entities than under the PRA analysis, 
lowering these estimated costs. See supra note 700.
---------------------------------------------------------------------------

    With respect to Rule 1006, all costs associated with Form SCI are 
attributed to the paperwork burdens discussed in section IV. For 
existing SCI entities, the Commission estimates approximately $21.0 
million in initial costs and $12.0 million in annual costs, while for 
new SCI entities the Commission estimates approximately $41.7 million 
in initial costs and $25.8 million in annual costs.\825\
---------------------------------------------------------------------------

    \825\ See section IV.D.7; supra note 700.
---------------------------------------------------------------------------

    Every new SCI entity will be required to have the ability to 
electronically submit Form SCI through the EFFS system, and every 
person designated to sign Form SCI will be required to have an 
electronic signature and a digital ID. The Commission believes that 
this requirement will not impose an additional burden on new SCI 
entities, as these entities likely already prepare documents in an 
electronic format that is text searchable or can readily be converted 
into a format that is text searchable.
    The Commission also believes that many new SCI entities currently 
have the ability to access the EFFS system and electronically submit 
Form SCI, such that the requirement to submit Form SCI electronically 
will not impose significant new implementation or ongoing costs.\826\ 
The Commission also believes that some of the persons who will be 
designated to sign Form SCI already have digital IDs and the ability to 
provide an electronic signature. To the extent that some persons do not 
have digital IDs, the additional cost to obtain and maintain digital 
IDs is accounted for in the paperwork burden, discussed in section IV 
above.\827\
---------------------------------------------------------------------------

    \826\ The initial and ongoing costs associated with various 
electronic submissions of Form SCI for the new SCI entities are 
discussed in the Paperwork Reduction Act section above. See supra 
section IV.D.6.
    \827\ See id.
---------------------------------------------------------------------------

[[Page 23262]]

D. Efficiency, Competition, and Capital Formation Analysis

    As previously discussed in section C, the proposed amendments to 
Regulation SCI would reduce the impact of market disruptions arising as 
a result of natural disasters, third-party provider service outages, 
cybersecurity events, or hardware or software malfunctions. We expect that 
the proposed amendments will reduce the frequency, severity, and 
duration of systems issues that occur in the context of these events, 
and will thus decrease the number of trading interruptions. The 
proposed amendments will thus improve market efficiency, price 
discovery, and liquidity, because trading interruptions interfere with 
the process through which information gets incorporated into security 
prices. In addition, by reducing trading interruptions, the proposed 
amendments will have beneficial effects across markets, because of the 
interconnectedness of securities markets. For example, an interruption 
in the market for equity securities could harm the price discovery 
process in the options markets, reducing the flow of liquidity across 
markets. As a result, we expect the proposed amendments, if adopted, 
would improve price efficiency in securities markets.\828\
---------------------------------------------------------------------------

    \828\ See sections V.D.1 and V.D.3.
---------------------------------------------------------------------------

    Prices that accurately convey information about fundamental value 
improve the efficiency with which capital is allocated across projects 
and firms, thus promoting capital formation. In addition, we expect the 
proposed amendments to encourage capital formation by reinforcing 
investors' confidence in market transactions.
    The proposed amendments to Regulation SCI could affect competition 
among SCI entities because the compliance costs could differ among SCI 
entities. For example, current SCI entities are expected to face 
smaller incremental compliance costs than new SCI entities. New SCI 
entities that have been subject to similar regulations could also face 
smaller incremental compliance costs than those who have not. Even 
among new SCI entities, certain provisions can be more costly for some 
than others. For example, the initial compliance costs of the systems 
resumption requirements could differ among new SCI entities. 
Specifically, as mentioned above, Rule 1004's BC/DR testing 
requirements may require greater incremental costs for smaller SCI 
entities that have not already been engaged in BC/DR testing. Lastly, 
some of the new SCI entities may already have practices that are 
aligned with at least some of the requirements under amended Regulation 
SCI compared to the baseline, reducing their incremental compliance 
costs.
    In addition to competition among SCI entities, the compliance costs 
imposed by the proposed amendments to Regulation SCI could have an 
effect on competition where SCI entities and non-SCI entities compete, 
such as in the markets for trading services (e.g., broker-dealers). 
Specifically, since non-SCI entities do not have to incur the 
compliance costs associated with Regulation SCI, SCI entities could 
find it difficult to pass on their own compliance costs to investors or 
customers without losing investors or customers to non-SCI entities. 
This would adversely affect the profits of SCI entities. That said, by 
expanding the set of SCI entities, the proposed amendments would ensure 
that, where there is currently competition between existing SCI 
entities and the new entities under this proposed rule, these 
competing entities are subject to similar SCI compliance requirements.
    The proposed threshold-based tests for scoping a broker-dealer into 
Regulation SCI could bring about a potential unintended effect of 
deterring growth among broker-dealers and discouraging potential 
benefits of scale economies. For example, to the extent a certain 
broker-dealer may take otherwise-unwanted steps to keep its trading 
volumes or asset level low, or spin off entities and not realize scale 
economies, all for the purpose of avoiding being subject to regulation, 
this can be inefficient for the economy. Likewise, the proposal to 
apply Regulation SCI to all exempt clearing agencies would mean that 
any entity that seeks to become a clearing agency will automatically be 
subject to Regulation SCI and will thus bear the associated compliance 
cost.
    The compliance costs associated with Rule 1004 could raise barriers 
to entry and affect competition among members or participants of SCI 
entities. Specifically, to the extent that members or participants 
could be subject to designation in BC/DR plan testing and could incur 
additional compliance costs, the member or participant designation 
requirement of Rule 1004 could raise barriers to entry. In addition, as 
discussed above, the compliance costs of the rule will likely be higher 
for smaller members or participants of SCI entities compared to larger 
members or participants of SCI entities. The adverse effect on 
competition may be mitigated to some extent, as the most likely members 
or participants to be designated for testing are larger members or 
participants who already maintain connectivity with an SCI entity's 
backup systems. Further, the adverse effect on competition for smaller 
members or participants could be partially mitigated to the extent that 
larger firms, which are members of multiple SCI entities, could incur 
additional compliance costs as these larger member firms could be 
subject to multiple designations for business continuity and disaster 
recovery plan testing.\829\
---------------------------------------------------------------------------

    \829\ Id. at 72433.
---------------------------------------------------------------------------

E. Reasonable Alternatives

    In formulating our proposal, we have considered various 
alternatives. Those alternatives are discussed below and we have also 
requested comments on certain of these alternatives.
1. Limiting the Scope of the Regulation SCI Provisions for New SCI 
Entities
    The Commission has considered whether all of the obligations set 
forth in Regulation SCI should apply to the new SCI entities or whether 
only certain requirements should be imposed, such as those requiring 
written policies and procedures, notification of systems problems, 
business continuity and disaster recovery testing, and penetration 
testing.\830\ For example, the Commission has considered if SBSDRs 
should be subject to full Regulation SCI requirements, similar to SCI 
plan processors, or should be subject to only some of the Regulation 
SCI requirements, given differing levels of automation and stages of 
regulatory development of the SBS market.
---------------------------------------------------------------------------

    \830\ Such an approach is similar to that taken regarding the 
competing consolidators in Market Data Consolidator rule. The Market 
Data Consolidator rule subjects competing consolidators that do not 
meet the earning thresholds to some, but not all, obligations that 
apply to competing consolidators. 17 CFR 242.614.
---------------------------------------------------------------------------

    The Commission believes that these alternatives would reduce some 
of the benefits as well as some of the costs compared to the proposed 
rules. The lower costs from limiting the Regulation SCI requirements, 
such as periodic reviews of policies and procedures or Commission 
notification, for some new entities could result in lower barriers to 
entry and could increase competition in the relevant markets compared 
to the proposed rules. However, taking into consideration the large 
size of the new SCI entities and, therefore, their externalities on 
some other SCI entities in case of system failure, the Commission 
believes these effects on competition may not be significant enough 
to warrant forgoing benefits

[[Page 23263]]

(such as timely notifications to the Commission) in addition to the 
reduced effectiveness of the regulation. Moreover, not requiring 
specific SCI requirements for certain new SCI entities would likely 
result in less uniform treatment across current and new SCI entities 
performing similar functions.\831\
---------------------------------------------------------------------------

    \831\ See supra section III.A.2.
---------------------------------------------------------------------------

2. Mandating Compliance With Current SCI Industry Standards
    The Commission has considered the alternative of mandating 
compliance with current SCI industry standards. This alternative would 
require that the policies and procedures of SCI entities required under 
Rule 1001(a) comply with ``current SCI industry standards'' rather than 
simply making such compliance a safe harbor under Rule 1001(a)(4).\832\ 
This alternative would ensure that an SCI entity has policies and 
procedures consistent with current SCI industry standards. These 
standards likely have the advantage of economies of scale: because 
several entities in the industry have adopted them, they benefit from 
more innovation and efficiency than in-house standards. 
Moreover, mapping policies and procedures to the industry standard 
would help facilitate the Commission's inspection and enforcement 
capabilities.
---------------------------------------------------------------------------

    \832\ Proposed Rule 1000(a)(4) defines ``current SCI industry 
standards'' as ``information technology practices that are widely 
available to information technology professionals in the financial 
sector and issued by an authoritative body that is a U.S. 
governmental entity or agency, association of U.S. governmental 
entities or agencies, or widely recognized organization.''
---------------------------------------------------------------------------

    Based on Commission staff experience, however, this alternative 
would not be an appropriate solution for all SCI entities. One reason 
is that, given the differences exhibited by various SCI entities and the 
complexity of each SCI entity's operations, each one may not be able to 
find a current SCI industry standard that suits its needs without 
substantial modification and customization. To this extent, the 
Commission sees a great value in allowing each SCI entity to customize 
its policies and procedures to address the specific operational risks 
it faces. It is the Commission's understanding that a number of current 
SCI entities have developed and implemented policies and procedures 
largely based on industry standards, but they have also customized them 
based on the size, risks, and unique characteristics of SCI entities. 
For this reason, mandating compliance with a current SCI industry 
standard may be an inefficient approach. For the larger and more 
complex-structured SCI entities, losing flexibility to design systems 
or develop policies and procedures by mandating the industry standards 
could also result in less effective policies and procedures or 
adversely affect integrity, resiliency, availability, or security of 
SCI systems.
3. Requiring Diversity of Back-Up Plan Resources
    With respect to critical SCI systems, the Commission has considered 
mandating multi-vendor backups. This alternative would require that SCI 
entities that utilize third-party providers to operate critical SCI 
systems have geographically diverse backup systems that are operated by 
a different third-party provider (e.g., multi-cloud). As previously 
discussed, there can be significant advantages for an entity moving its 
systems from an on-premises, internally run data center to cloud 
service providers (CSPs), which may include cost efficiencies, 
automation, increased security, and resiliency, and the ability to 
leverage the opportunity to reengineer or otherwise update their 
systems and applications to run more efficiently.\833\
---------------------------------------------------------------------------

    \833\ See section III.C.2.
---------------------------------------------------------------------------

    However, each SCI entity is obligated to satisfy the requirements 
of Regulation SCI for systems operated on behalf of the SCI entity by a 
third party. This necessarily requires an individualized assessment of 
the costs and risks associated with managing the CSP relationship, and 
determining that the CSPs' backup and recovery capabilities are 
sufficiently resilient, geographically diverse, and reasonably designed 
to achieve timely recovery following a wide-scale disruption.\834\ 
Further, while reducing the risk of over-reliance on a single vendor 
and the chance of system failures--for example, due to the same 
vulnerabilities within a vendor--a multi-cloud strategy would add 
additional costs including negotiation, contract, deployment, and 
management costs; and it is the Commission's understanding that multi-
cloud architecture could introduce more complexity and, accordingly, 
operational and cybersecurity risks into the SCI back-up systems.\835\ 
In place of a prescriptive alternative of mandating multi-vendor 
backups, the Commission is proposing, in Rule 1001(a)(2)(v) and (ix), a 
more flexible approach under which each SCI entity must consider CSPs 
and other third-party providers as part of a risk-based assessment of 
the providers' criticality and their role in the entity's business 
continuity and disaster recovery planning.
---------------------------------------------------------------------------

    \834\ See id.
    \835\ For example, security breach possibilities could increase 
because of the interconnection of SCI systems between multi-cloud 
providers.
---------------------------------------------------------------------------

4. Penetration Testing Frequency
    With respect to the penetration testing frequency, the Commission 
has considered requiring longer (e.g., every 2 years) or shorter 
(quarterly, every 6 months) frequencies for penetration testing, rather 
than the currently proposed annual frequency (a reduction from the 
current rule of every three years). When the Commission adopted 
Regulation SCI in 
2014, the Commission decided to require penetration test reviews ``not 
less than once every three years in recognition of the potentially 
significant costs that may be associated with the performance of such 
tests.'' \836\ Nevertheless, as mentioned above, markets have changed 
since the adoption of Regulation SCI. In particular, cybersecurity has 
become a more pervasive concern for all types of businesses, including 
SCI entities. In addition, the Commission understands that industry 
practices with respect to penetration testing have evolved such that 
tests occur on a much more frequent basis, as businesses confront the 
threat of cybersecurity events on a wider scale. To this extent, the 
Commission has considered whether penetration testing should be 
conducted at least once quarterly, every 6 months, or every 2 years.
---------------------------------------------------------------------------

    \836\ SCI Adopting Release, supra note 1, at 72344.
---------------------------------------------------------------------------

    The Commission understands that industry practices generally tend to 
recommend at least one penetration test review a year. Requiring 
penetration test reviews more frequently could further strengthen 
security and reduce cybersecurity events at SCI entities. Nevertheless, 
the Commission believes that requiring all SCI entities to conduct such 
reviews more than once every year may be too much of a drain on the 
institution's resources, due to the estimated cost of $10,000 to 
$30,000 per test,\837\ and given the wide scope of annual testing to be 
conducted as part of an annual review under proposed Rule 1003(b).\838\ 
Moreover, while some entities may need to perform multiple tests each 
year on different components of their environment, for other entities a 
requirement for multiple tests may be counterproductive, if the testing 
cycle

[[Page 23264]]

does not provide time to implement security investments.
---------------------------------------------------------------------------

    \837\ See section V.D.3.c.
    \838\ See proposed Rules 1000, 1001(a)(2)(iv) (penetration 
testing as part of an annual review under Rule 1003(b) must include 
testing of ``network, firewalls, and production systems, including 
of any vulnerabilities of . . . SCI systems and indirect SCI 
systems,'' including vulnerabilities ``pertaining to internal and 
external threats, physical hazards, and natural or manmade 
disasters'').
---------------------------------------------------------------------------

5. Attestation for Critical SCI System Vendors
    Given the importance of critical SCI systems and SCI entities' 
increasing reliance on third-party providers, the Commission has 
considered requiring attestation (such as by an SCI entity's chief 
executive officer or general counsel) that contracts with third-party 
providers for critical SCI systems comply with the SCI entity's 
obligations under Regulation SCI. Such an attestation requirement would 
further ensure that SCI entities are negotiating contract terms with 
third-party providers for critical SCI systems in a manner that is 
consistent with Regulation SCI's requirements. However, an attestation 
requirement for each such contract may have limited value, and may be 
overly time-consuming and resource-intensive, relative to the value of 
the attestation requirement.
    The value of an attestation requirement will be limited, given that 
proposed Rule 1001(a)(2)(ix) would require each SCI entity to have a 
program to manage and oversee third-party providers, or to the extent 
that third-party providers already provide attestations to their 
customers (which, in turn, may vary with the degree to which they 
compete with like entities). At the same time, an attestation 
requirement may have significant costs.
    For SCI entities these costs may include the direct costs of 
updating their oversight processes in order to ensure that their 
attestations are accurate and in compliance; training their in-house 
personnel on the third-party service provider's methods for operating 
critical IT systems; and conducting oversight of the service provider's 
subcontractors as well as oversight of the service provider itself. SCI 
entities may also incur costs if they move critical system functions 
in-house or consolidate vendors to reduce the risk or burden of the 
attestation requirement, which could result in lower-quality or less 
efficient services. Furthermore, requiring the attestation by an SCI 
entity's senior officers could increase the due diligence cost of the 
attestation requirement. Senior officers making attestations may 
require additional liability insurance, higher compensation or lower 
incentive pay as a share of overall compensation. Finally, the service 
providers themselves may face increased costs as part of their efforts 
to help the SCI entity make the relevant attestation, including 
contract renegotiation costs, upgrading operations, and responding to 
information requests from the SCI entity. These costs, in turn, might 
be passed to the SCI entity and ultimately to its participants, 
members, or customers.
    The Commission believes the additional costs could be 
disproportionate to the benefits of an attestation requirement. For 
these reasons, the Commission has decided against including an 
attestation requirement.
6. Transaction Activity Threshold for SCI Broker-Dealers
    With respect to the transaction activity threshold used to scope 
broker-dealers within Regulation SCI as discussed in section III.A.2.b, 
the Commission has considered as an alternative whether to set a higher 
(more limited) or lower (more expansive) threshold than the proposed 
10% threshold. For example, the Commission has considered if only 
broker-dealers with transaction activity thresholds above 15% should be 
included as SCI broker-dealers \839\ but determined that this would 
fail to scope within Regulation SCI some of the largest and most 
significant broker-dealers that pose technological vulnerabilities and 
risks to the maintenance of fair and orderly markets. This would have 
the effect of decreasing costs moderately for broker-dealers no longer 
within the scope of Regulation SCI at the expense of a significant 
decrease in benefits otherwise associated with the improvements to fair 
and orderly markets, as described above.
---------------------------------------------------------------------------

    \839\ The Commission believes that the proposed threshold of 5% 
of total assets is a reasonable approach to identifying the largest 
broker-dealers. See section III.A.2.b.iii (discussing proposed 
thresholds for an ``SCI broker-dealer''). The Commission has 
considered as an alternative to further scope in the broker-dealers 
with transaction activity thresholds above 15%. Regulation SCI would 
only be applicable to an estimated ten broker-dealers based on the 
analysis of data which include broker-dealer FOCUS Report Form X-
17A-5 Schedule II filings from Q4 2021 to Q3 2022. Also for 
additional detail on the calculation of total assets of all security 
broker-dealers, see supra note 127. Data also include Consolidated 
Audit Trail (CAT) data from Jan. 2022 to June 2022, the plan 
processors (SIPs) of the CTA/CQ Plans and Nasdaq UTP Plan. CTA Plan, 
available at https://www.ctaplan.com; Nasdaq UTP Plan, available at 
https://www.utpplan.com, Options Price Reporting Authority (OPRA) 
data, TRACE for Treasury Securities data from Jan. 2022 to June 
2022, regulatory TRACE data from Jan. 2022 to June 2022, and FINRA 
TRACE.
---------------------------------------------------------------------------

    Similarly, the Commission has also considered whether all broker-
dealers with transaction activity thresholds above 5% should be 
included as SCI broker-dealers,\840\ but determined that this would 
scope within Regulation SCI several broker-dealers that are not among 
the most significant broker-dealers that pose technological 
vulnerabilities and risks to the maintenance of fair and orderly 
markets. This would have the effect of increasing costs for marginal 
firms without a comparable increase in benefits associated with an 
improvement of fair and orderly markets.
---------------------------------------------------------------------------

    \840\ The Commission believes that the proposed threshold of 5% 
of total assets is a reasonable approach to identifying the largest 
broker-dealers. See section III.A.2.b.iii (discussing proposed 
thresholds for an ``SCI broker-dealer''). The Commission has 
considered as an alternative to further scope in the broker-dealers 
with transaction activity thresholds above 5%. Regulation SCI would 
only be applicable to an estimated 29 broker-dealers based on the 
analysis of data which include broker-dealer FOCUS Report Form X-
17A-5 Schedule II filings from Q4 2021 to Q3 2022. Also for 
additional detail on the calculation of total assets of all security 
broker-dealers, see supra note 127. Data also include Consolidated 
Audit Trail (CAT) data from Jan. 2022 to June 2022, the plan 
processors (SIPs) of the CTA/CQ Plans and Nasdaq UTP Plan. CTA Plan, 
available at https://www.ctaplan.com; Nasdaq UTP Plan, available at 
https://www.utpplan.com, Options Price Reporting Authority (OPRA) 
data, TRACE for Treasury Securities data from Jan. 2022 to June 
2022, regulatory TRACE data from Jan. 2022 to June 2022, and FINRA 
TRACE.
---------------------------------------------------------------------------

    In addition, with respect to the transaction activity threshold 
used to scope broker-dealers within Regulation SCI as discussed in 
section III.A.2.b, the Commission has also considered as an alternative 
whether to apply the proposed 10% threshold to principal trades only, 
rather than all transactions. Accordingly, the Commission considered 
whether to include as an SCI entity any registered broker-dealer that, 
irrespective of the size of its balance sheet, consistently trades for 
its own account at a substantially high level in certain enumerated 
asset classes, scaled as a percentage of total average daily dollar 
volume, as reported by applicable reporting organizations. Under the 
alternative, ten broker-dealer firms \841\ would have been scoped in as 
``SCI broker-dealers,'' which are among the 17 ``SCI broker-dealers'' 
subject to the proposed Regulation SCI.
---------------------------------------------------------------------------

    \841\ The estimated ten broker-dealer firms are based on the 
analysis of data which include broker-dealer FOCUS Report Form X-
17A-5 Schedule II filings from Q4 2021 to Q3 2022. Also for 
additional detail on the calculation of total assets of all security 
broker-dealers, see supra note 127. Data also include Consolidated 
Audit Trail (CAT) data from Apr. 2022 to Sept. 2022, the plan 
processors (SIPs) of the CTA/CQ Plans and Nasdaq UTP Plan. CTA Plan, 
available at https://www.ctaplan.com; Nasdaq UTP Plan, available at 
https://www.utpplan.com, Options Price Reporting Authority (OPRA) 
data, TRACE for Treasury Securities data from Apr. 2022 to Sept. 
2022, regulatory TRACE data from Apr. 2022 to Sept. 2022, and FINRA 
TRACE.
---------------------------------------------------------------------------

    This alternative approach to the transaction activity threshold 
would identify those broker-dealers that

[[Page 23265]]

generate significant liquidity in specified types of securities markets 
and could also be considered a proxy for those that also engage in 
substantial agency trading and other business. Because the alternative 
would also scope in fewer broker-dealers as SCI entities, this 
alternative would also impose fewer total costs compared to the 
proposed approach.
    However, the Commission preliminarily believes that limiting the 
extension of Regulation SCI to broker-dealers that engage in 
significant trading activity for their own account in one or more of 
the enumerated asset classes and generate significant liquidity on 
which fair and orderly markets rely would fail to acknowledge the 
substantial role that executing brokers acting as agents also play in 
the markets. Accordingly, the alternative approach would fail to scope 
within Regulation SCI some of the largest and most significant broker-
dealers that pose technological vulnerabilities and risks to the 
maintenance of fair and orderly markets. In the Commission's view, 
using all transaction activity rather than limiting the analysis to 
principal trades is a more appropriate measure for estimating the 
significance of a broker-dealer's footprint in the markets and the 
effect that its sudden unavailability could have on the fair and 
orderly market functioning.
    Thus, while the alternative would likely scope in fewer broker-
dealers as SCI entities, and thus reduce the aggregate costs of 
extending Regulation SCI, compared to the proposal, it would also limit 
the extensive benefits, discussed above, associated with applying 
Regulation SCI to additional broker-dealers that play a critical role 
in the market.
7. Limitation on Definition of ``SCI Systems'' for SCI Broker-Dealers
    Additionally, the Commission considered leaving the original 
definition of ``SCI systems'' unrevised such that any broker-dealer 
that were to only meet or exceed the trading activity threshold of 10% 
for any asset class would have been subject to Regulation SCI 
requirements for all of its systems, not only those systems with 
respect to the type of securities for which an SCI broker-dealer 
satisfies the trading activity threshold. Leaving the definition 
unrevised would scope in SCI broker-dealer systems with respect to 
classes of securities with a lower volume of trading, for which system 
unavailability is less likely to pose a risk to the maintenance of fair 
and orderly markets. This would have the effect of increasing costs for 
SCI broker-dealers with limited trading activity in one or more other 
classes of securities, while yielding a potential benefit in terms of 
risk reduction with respect to the maintenance of fair and orderly 
markets.

VI. Regulatory Flexibility Act Certification

    The Regulatory Flexibility Act (``RFA'') \842\ requires Federal 
agencies, in promulgating rules, to consider the impact of those rules 
on small entities. Section 603(a) \843\ of the Administrative 
Procedure Act,\844\ as amended by the RFA, generally requires the 
Commission to undertake a regulatory flexibility analysis of all 
proposed rules, or proposed rule amendments, to determine the impact of 
such rulemaking on ``small entities.'' \845\ Section 605(b) of the RFA 
states that this requirement shall not apply to any proposed rule or 
proposed rule amendment which, if adopted, would not have a significant 
economic impact on a substantial number of small entities.\846\
---------------------------------------------------------------------------

    \842\ 5 U.S.C. 601 et seq.
    \843\ 5 U.S.C. 603(a).
    \844\ 5 U.S.C. 551 et seq.
    \845\ Although section 601(b) of the RFA defines the term 
``small entity,'' the statute permits agencies to formulate their 
own definitions. The Commission has adopted definitions for the term 
``small entity'' for purposes of Commission rulemaking in accordance 
with the RFA. Those definitions, as relevant to this proposed 
rulemaking, are set forth in 17 CFR 240.0-10 (``Rule 0-10'').
    \846\ See 5 U.S.C. 605(b).
---------------------------------------------------------------------------

A. ``Small Entity'' Definitions

    For purposes of Commission rulemaking in connection with the RFA, a 
small entity includes an exchange that has been exempt from the 
reporting requirements of Rule 601 under Regulation NMS, and is not 
affiliated with any person (other than a natural person) that is not a 
small business or small organization. A small entity also includes a 
broker-dealer with total capital (net worth plus subordinated 
liabilities) of less than $500,000 on the date in the prior fiscal year 
as of which its audited financial statements were prepared pursuant to 
17 CFR 240.17a-5(d) (``Rule 17a-5(d)'' under the Exchange Act),\847\ 
or, if not required to file such statements, a broker-dealer with total 
capital (net worth plus subordinated liabilities) of less than $500,000 
on the last business day of the preceding fiscal year (or in the time 
that it has been in business, if shorter); and is not affiliated with 
any person (other than a natural person) that is not a small business 
or small organization. Furthermore, a small entity includes a 
securities information processor that: (1) had gross revenues of less 
than $10 million during the preceding fiscal year (or in the time it 
has been in business, if shorter); (2) provided service to fewer than 
100 interrogation devices or moving tickers at all times during the 
preceding fiscal year (or in the time that it has been in business, if 
shorter); and (3) is not affiliated with any person (other than a 
natural person) that is not a small business or small organization 
under 17 CFR 240.0-10.\848\ A small entity additionally includes a 
clearing agency that (1) Compared, cleared and settled less than $500 
million in securities transactions during the preceding fiscal year (or 
in the time that it has been in business, if shorter); (2) had less 
than $200 million of funds and securities in its custody or control at 
all times during the preceding fiscal year (or in the time that it has 
been in business, if shorter); and (3) is not affiliated with any 
person (other than a natural person) that is not a small business or 
small organization as defined in 17 CFR 240.0-10.\849\
---------------------------------------------------------------------------

    \847\ 17 CFR 240.17a-5(d).
    \848\ 17 CFR 240.0-10(g).
    \849\ 17 CFR 240.0-10(d).
---------------------------------------------------------------------------

B. Current SCI Entities

    Currently, SCI entities comprise SCI SROs, SCI ATSs, plan 
processors, SCI competing consolidators, and certain exempt clearing 
agencies. The Commission believes that none of these entities would be 
considered small entities for purposes of the RFA.
1. SCI SROs
    As discussed in section II.B.1 above, Regulation SCI currently 
applies to SCI SROs, which are defined as any national securities 
exchange, registered securities association, or registered clearing 
agency, or the Municipal Securities Rulemaking Board; provided however, 
that for purposes of 17 CFR 242.1000, the term SCI self-regulatory 
organization shall not include an exchange that is notice registered 
with the Commission pursuant to 15 U.S.C. 78f(g) or a limited purpose 
national securities association registered with the Commission pursuant 
to 15 U.S.C. 78o-3(k).\850\ Currently, there are 35 SCI SROs.
---------------------------------------------------------------------------

    \850\ See 17 CFR 242.1000.
---------------------------------------------------------------------------

    Based on the Commission's existing information about the entities 
that are subject to proposed Regulation SCI, the Commission believes 
that SCI SROs would not fall within the definition of ``small entity'' 
as described above.
    As stated, the Commission has defined a ``small entity'' as an 
exchange that has been exempt from the reporting requirements of Rule 
601 of Regulation NMS and is not affiliated with any

[[Page 23266]]

person (other than a natural person) that is not a small business or 
small organization.\851\ None of the national securities exchanges 
registered under section 6 of the Exchange Act that would be subject to 
the proposed rule and form is a ``small entity'' for purposes of the 
RFA.
---------------------------------------------------------------------------

    \851\ See paragraph (e) of Rule 0-10.
---------------------------------------------------------------------------

    There is only one national securities association (FINRA), and the 
Commission has previously stated that it is not a small entity as 
defined by 13 CFR 121.201.\852\
---------------------------------------------------------------------------

    \852\ See, e.g., Securities Exchange Act Release No. 62174 (May 
26, 2010), 75 FR 32556, 32605 n.416 (June 8, 2010) (``FINRA is not a 
small entity as defined by 13 CFR 121.201.'').
---------------------------------------------------------------------------

    As stated, a small entity includes, when used with reference to a 
clearing agency, a clearing agency that: (1) compared, cleared, and 
settled less than $500 million in securities transactions during the 
preceding fiscal year; (2) had less than $200 million of funds and 
securities in its custody or control at all times during the preceding 
fiscal year (or at any time that it has been in business, if shorter); 
and (3) is not affiliated with any person (other than a natural person) 
that is not a small business or small organization.\853\
---------------------------------------------------------------------------

    \853\ See paragraph (d) of Rule 0-10.
---------------------------------------------------------------------------

    Based on the Commission's existing information about the clearing 
agencies currently registered with the Commission, the Commission 
preliminarily believes that such entities exceed the thresholds 
defining ``small entities'' set out above. While other clearing 
agencies may emerge and seek to register as clearing agencies, the 
Commission preliminarily does not believe that any such entities would 
be ``small entities'' as defined in Exchange Act Rule 0-10.
2. The MSRB
    The Commission's rules do not define ``small business'' or ``small 
organization'' for purposes of entities like the MSRB. The MSRB does 
not fit into one of the categories listed under the Commission rule 
that provides guidelines for a defined group of entities to qualify as 
a small entity for purposes of Commission rulemaking under the 
RFA.\854\ The RFA, in turn, refers to the Small Business Administration 
(``SBA'') in providing that the term ``small business'' is defined as 
having the same meaning as the term ``small business concern'' under 
section 3 of the Small Business Act.\855\ The SBA provides a 
comprehensive list of categories with accompanying size standards that 
outline how large a business concern can be and still qualify as a 
small business.\856\ The industry categorization that appears to best 
fit the MSRB under the SBA table is Professional Organization. The SBA 
defines a Professional Organization as an entity having average annual 
receipts of less than $15 million. Within the MSRB's 2021 Annual Report 
the organization reported total revenue exceeding $35 million for 
fiscal year 2021.\857\ The Report also stated that the organization's 
total revenue for fiscal year 2020 exceeded $47 million.\858\ The 
Commission is using the SBA's definition of small business to define 
the MSRB for purposes of the RFA and has concluded that the MSRB is not 
a ``small entity.''
---------------------------------------------------------------------------

    \854\ See Rule 0-10.
    \855\ See 5 U.S.C. 601(3).
    \856\ See 13 CFR 121.201. See also SBA, Table of Small Business 
Size Standards Matched to North American Industry Classification 
System Codes, available at https://www.sba.gov/sites/default/files/files/Size_Standards_Table.pdf (outlining the list of small business 
size standards within 13 CFR 121.201).
    \857\ See MSRB, 2021 Annual Report, 16, available at https://msrb.org/-/media/Files/Resources/MSRB-2021-Annual-Report.ashx.
    \858\ Id.
---------------------------------------------------------------------------

3. SCI ATSs
    As discussed in section II.B.1 above, Regulation SCI currently 
applies to SCI ATSs (which are required to be registered as broker-
dealers) that during at least four of the preceding six calendar 
months: (1) Had with respect to NMS stocks: (i) Five percent (5%) or 
more in any single NMS stock, and one-quarter percent (0.25%) or more 
in all NMS stocks, of the average daily dollar volume reported by 
applicable transaction reporting plans, which represents the sum of all 
reported bought and all reported sold dollar volumes; or (ii) One 
percent (1%) or more in all NMS stocks of the average daily dollar 
volume reported by applicable transaction reporting plans, which 
represents the sum of all reported bought and all reported sold dollar 
volumes; or (2) Had with respect to equity securities that are not NMS 
stocks and for which transactions are reported to a self-regulatory 
organization, five percent (5%) or more of the average daily dollar 
volume as calculated by the self-regulatory organization to which such 
transactions are reported. All NMS stock and non-NMS stock ATSs are 
required to register as broker-dealers.
    There are seven SCI ATSs currently. As stated, a small entity also 
includes a broker-dealer with total capital (net worth plus 
subordinated liabilities) of less than $500,000 on the date in the 
prior fiscal year as of which its audited financial statements were 
prepared pursuant to Rule 17a-5(d) under the Exchange Act,\859\ or, if 
not required to file such statements, a broker-dealer with total 
capital (net worth plus subordinated liabilities) of less than $500,000 
on the last business day of the preceding fiscal year (or in the time 
that it has been in business, if shorter); and is not affiliated with 
any person (other than a natural person) that is not a small business 
or small organization. Applying this test for broker-dealers, the 
Commission believes that none of the SCI ATSs currently trading were 
operated by a broker-dealer that is a ``small entity.''
---------------------------------------------------------------------------

    \859\ 17 CFR 240.17a-5(d).
---------------------------------------------------------------------------

4. Plan Processors
    As discussed in section II.B.1 above, Regulation SCI currently 
applies to plan processors, which are ``any self-regulatory 
organization or securities information processor acting as an exclusive 
processor in connection with the development, implementation and/or 
operation of any facility contemplated by an effective national market 
system plan.'' \860\ Currently, there are two plan processors subject 
to Regulation SCI.
---------------------------------------------------------------------------

    \860\ See 17 CFR 242.1000; 17 CFR 242.600(b)(67).
---------------------------------------------------------------------------

    The current plan processors are SIAC, a subsidiary of NYSE Group, 
Inc., and Nasdaq Stock Market LLC, a subsidiary of Nasdaq, Inc. In 
addition, even if other entities do become plan processors, the 
Commission preliminarily believes that most, if not all, plan 
processors would be large business entities or subsidiaries of large 
business entities, and that every plan processor (or its parent entity) 
would have gross revenues in excess of $10 million and provide service 
to 100 or more interrogation devices or moving tickers. Therefore, the 
Commission preliminarily believes that none of the current plan 
processors or potential plan processors would be considered small 
entities.
5. SCI Competing Consolidators
    As discussed in section II.B.1 above, Regulation SCI currently 
applies to SCI competing consolidators. While no SCI competing 
consolidators have yet registered, as discussed in the adopting 
release for the Market Data Infrastructure rule, the Commission 
estimates, and continues to estimate, that up to 10 entities will 
register as competing consolidators.\861\
---------------------------------------------------------------------------

    \861\ See Market Data Infrastructure Adopting Release, supra 
note 24, at 18808.
---------------------------------------------------------------------------

    As discussed in the Market Data Infrastructure final rule, ``based 
on the Commission's information about the 10 potential entities the 
Commission

[[Page 23267]]

estimates may become competing consolidators, the Commission believes 
that all such entities will exceed the thresholds defining `small 
entities' set out above.'' \862\ The Commission continues to believe 
this analysis is accurate, and that ``[c]ompeting consolidators will be 
participating in a sophisticated business that requires significant 
resources to compete effectively.'' \863\ Accordingly, the Commission 
believes that any such registered competing consolidators will exceed 
the thresholds for ``small entities'' set forth in 17 CFR 240.0-10.
---------------------------------------------------------------------------

    \862\ Id.
    \863\ Id. at 18808-09.
---------------------------------------------------------------------------

6. Exempt Clearing Agencies
    As discussed in section II.B.1 above, Regulation SCI currently 
applies to certain clearing agencies, specifically, exempt clearing 
agencies subject to ARP. There are currently 3 exempt clearing agencies 
subject to Regulation SCI, and the Commission estimates that Regulation 
SCI will apply to two more if the proposed rules are finalized. The 
Commission believes that all the clearing agencies, both those to which 
Regulation SCI currently applies and those to which it will, exceed the 
thresholds defining `small entities' set out above.

C. Proposed SCI Entities

    The proposed expansion of the definition of the term ``SCI entity'' 
would include SBSDRs and SCI broker-dealers, as well as additional 
clearing agencies exempted from registration. The Commission 
preliminarily believes that none of these would be considered small 
entities for purposes of the RFA.
1. SBSDRs
    As discussed in section III.A.2.a above, in 2015, the Commission 
established a regulatory framework for SBSDRs, under which SBSDRs are 
registered securities information processors and disseminators of 
market data in the SBS market. There are currently two registered 
SBSDRs that would be subject to Regulation SCI.
    The two currently registered SBSDRs are subsidiaries of large 
business entities.\864\ In addition, even if other entities do register 
as SBSDRs, for purposes of Commission rulemaking, the Commission 
believes that none of the SBSDRs will be considered small 
entities.\865\
---------------------------------------------------------------------------

    \864\ See supra note 111.
    \865\ See SBSDR Adopting Release, supra note 96, 80 FR 14548-49 
(providing that in the Proposing Release, the Commission stated that 
it did not believe that any persons that would register as SBSDRs 
would be considered small entities. The Commission stated that it 
believed that most, if not all, SBSDRs would be part of large 
business entities with assets in excess of $5 million and total 
capital in excess of $500,000. As a result, the Commission certified 
that the proposed rules would not have a significant impact on a 
substantial number of small entities and requested comments on this 
certification. The Commission did not receive any comments that 
specifically addressed whether 17 CFR 240.13n-1 through 240.13n-12 
(``Rules 13n-1 through 13n-12'') and Form SBSDR would have a 
significant economic impact on small entities. Therefore, the 
Commission continues to believe that Rules 13n-1 through 13n-12 and 
Form SBSDR will not have a significant economic impact on a 
substantial number of small entities. Accordingly, the Commission 
hereby certifies that, pursuant to 5 U.S.C. 605(b), Rules 13n-1 
through 13n-12, Form SBSDR will not have a significant economic 
impact on a substantial number of small entities.).
---------------------------------------------------------------------------

2. SCI Broker-dealers
    As discussed in section III.A.2.b above, the proposed definition of 
an SCI broker-dealer would be a broker or dealer registered with the 
Commission pursuant to section 15(b) of the Exchange Act which: (1) in 
at least two of the four preceding calendar quarters, ending March 31, 
June 30, September 30, and December 31, reported to the Commission, on 
Form X-17A-5 (Sec.  249.617), total assets in an amount that equals 
five percent (5%) or more of the total assets of all security brokers 
and dealers; or (2) during at least four of the preceding six calendar 
months: (i) with respect to transactions in NMS stocks, transacted 
average daily dollar volume in an amount that equals ten percent (10%) 
or more of the average daily dollar volume reported by or pursuant to 
applicable effective transaction reporting plans, provided, however, 
that for purposes of calculating its activity in transactions effected 
otherwise than on a national securities exchange or on an alternative 
trading system, the broker-dealer shall exclude transactions for which 
it was not the executing party; or (ii) with respect to transactions in 
exchange-listed options contracts, transacted average daily dollar 
volume in an amount that equals ten percent (10%) or more of the 
average daily dollar volume reported by an applicable effective 
national market system plan; or (iii) with respect to transactions in 
U.S. Treasury Securities, transacted average daily dollar volume in an 
amount that equals ten percent (10%) or more of the total average daily 
dollar volume made available by the self-regulatory organizations to 
which such transactions are reported; or (iv) with respect to 
transactions in Agency securities, transacted average daily dollar 
volume in an amount that equals ten percent (10%) or more of the total 
average daily dollar volume made available by the self-regulatory 
organizations to which such transactions are reported.\866\
---------------------------------------------------------------------------

    \866\ Such broker-dealer would not be required to comply with 
the requirements of Regulation SCI until six months after the SCI 
broker-dealer satisfied either threshold for the first time.
---------------------------------------------------------------------------

    The Commission preliminarily estimates that 17 entities would 
satisfy one or more of these thresholds. Applying the test for broker-
dealers stated above, the Commission believes that none of the 
potential SCI broker-dealers would be considered small entities.
3. Exempt Clearing Agencies
    For the purposes of Commission rulemaking, a small entity includes, 
when used with reference to a clearing agency, a clearing agency that: 
(1) compared, cleared, and settled less than $500 million in securities 
transactions during the preceding fiscal year; (2) had less than $200 
million of funds and securities in its custody or control at all times 
during the preceding fiscal year (or at any time that it has been in 
business, if shorter); and (3) is not affiliated with any person (other 
than a natural person) that is not a small business or small 
organization.\867\
---------------------------------------------------------------------------

    \867\ See paragraph (d) of Rule 0-10.
---------------------------------------------------------------------------

    Based on the Commission's existing information about the clearing 
agencies currently exempted from registration with the Commission, the 
Commission preliminarily believes that such entities exceed the 
thresholds defining ``small entities'' set out above. While other 
clearing agencies may emerge and seek to register as clearing agencies, 
the Commission preliminarily does not believe that any such entities 
would be ``small entities'' as defined in Exchange Act Rule 0-10.

D. Certification

    For the foregoing reasons, the Commission certifies that the 
proposed amendments to Rules 1000, 1001, 1002, 1003, 1004, and 1005, 
and Form SCI if adopted, would not have a significant economic impact 
on a substantial number of small entities for purposes of the RFA.
    The Commission invites commenters to address whether the proposed 
rules would have a significant economic impact on a substantial number 
of small entities, and, if so, what would be the nature of any impact 
on small entities. The Commission requests that commenters provide 
empirical data to support the extent of such impact.
Statutory Authority
    Pursuant to the Exchange Act, 15 U.S.C. 78a et seq., and 
particularly, sections 2, 3, 5, 6, 11A, 13, 15, 15A, 17,

[[Page 23268]]

17A, and 23(a) thereof (15 U.S.C. 78b, 78c, 78e, 78f, 78k-1, 78m, 78o, 
78o-3, 78q, 78q-1, and 78w(a)), the Commission proposes amendments to 
Regulation SCI under the Exchange Act and Form SCI under the Exchange 
Act, and to amend Regulation ATS under the Exchange Act, and 17 CFR 
parts 242 and 249.

List of Subjects in 17 CFR Parts 242 and 249

    Brokers, Reporting and recordkeeping requirements, Securities.
    For the reasons stated in the preamble, title 17, chapter II of the 
Code of Federal Regulations is proposed to be amended as follows:

PART 242--REGULATIONS M, SHO, ATS, AC, NMS, AND SBSR AND CUSTOMER 
MARGIN REQUIREMENTS FOR SECURITY FUTURES

■ 1. The authority citation for part 242 continues to read as follows:

    Authority: 15 U.S.C. 77g, 77q(a), 77s(a), 78b, 78c, 78g(c)(2), 
78i(a), 78j, 78k-1(c), 78l, 78m, 78n, 78o(b), 78o(c), 78o(g), 
78q(a), 78q(b), 78q(h), 78w(a), 78dd-1, 78mm, 80a-23, 80a-29, and 
80a-37.
■ 2. Amend Sec.  242.1000 by:
■ a. Adding in alphabetical order the definitions of ``Agency Security'' 
and ``Exempt clearing agency'';
■ b. Removing the definition of ``Exempt clearing agency subject to 
ARP'';
■ c. Adding in alphabetical order the definitions of ``Registered 
security-based swap data repository'' and ``SCI broker-dealer'';
■ d. Revising the definitions of ``SCI entity'', ``SCI review'', ``SCI 
systems'', and ``Systems intrusion''; and
■ e. Adding in alphabetical order the definition of ``U.S. Treasury 
Security''.
    The additions and revisions read as follows:


Sec.  242.1000  Definitions.

* * * * *
    Agency Security means a debt security issued or guaranteed by a 
U.S. executive agency, as defined in 5 U.S.C. 105, or government-
sponsored enterprise, as defined in 2 U.S.C. 622(8).
* * * * *
    Exempt clearing agency means an entity that has received from the 
Commission an exemption from registration as a clearing agency under 
section 17A of the Exchange Act.
* * * * *
    Registered security-based swap data repository means any security-
based swap data repository, as defined in 15 U.S.C. 78c(a)(75), that is 
registered with the Commission pursuant to 15 U.S.C. 78m(n) and Sec.  
240.13n-1 of this chapter.
* * * * *
    SCI broker-dealer means a broker or dealer registered with the 
Commission pursuant to section 15(b) of the Exchange Act, which:
    (1) In at least two of the four preceding calendar quarters, ending 
March 31, June 30, September 30, and December 31, reported to the 
Commission, on Form X-17A-5 (Sec.  249.617 of this chapter), total 
assets in an amount that equals five percent (5%) or more of the total 
assets of all security brokers and dealers. For purposes of this 
paragraph (1), total assets of all security brokers and dealers shall 
mean the total assets, as calculated and made publicly available by the 
Board of Governors of the Federal Reserve, or any subsequent provider 
of such information, for the associated preceding calendar quarter; or
    (2) During at least four of the preceding six calendar months:
    (i) With respect to transactions in NMS stocks, transacted average 
daily dollar volume in an amount that equals ten percent (10%) or more 
of the average daily dollar volume reported by or pursuant to 
applicable effective transaction reporting plans, provided, however, 
that for purposes of calculating its activity in transactions effected 
otherwise than on a national securities exchange or on an alternative 
trading system, the broker-dealer shall exclude transactions for which 
it was not the executing party;
    (ii) With respect to transactions in exchange-listed options 
contracts, transacted average daily dollar volume in an amount that 
equals ten percent (10%) or more of the average daily dollar volume 
reported by an applicable effective national market system plan;
    (iii) With respect to transactions in U.S. Treasury Securities, 
transacted average daily dollar volume in an amount that equals ten 
percent (10%) or more of the total average daily dollar volume made 
available by the self-regulatory organizations to which such 
transactions are reported; or
    (iv) With respect to transactions in Agency Securities, transacted 
average daily dollar volume in an amount that equals ten percent (10%) 
or more of the total average daily dollar volume made available by the 
self-regulatory organizations to which such transactions are reported.
    (3) Provided, however, that such SCI broker-dealer shall not be 
required to comply with the requirements of Regulation SCI until six 
months after the end of the quarter in which the SCI broker-dealer 
satisfied paragraph (1) of this definition for the first time or six 
months after the end of the month in which the SCI broker-dealer 
satisfied paragraph (2) of this definition for the first time.
* * * * *
    SCI entity means an SCI self-regulatory organization, SCI 
alternative trading system, plan processor, exempt clearing agency, SCI 
competing consolidator, SCI broker-dealer, or registered security-based 
swap data repository.
* * * * *
    SCI review means a review, following established and documented 
procedures and standards, that is performed by objective personnel 
having appropriate experience to conduct reviews of SCI systems and 
indirect SCI systems, and which review, using appropriate risk 
management methodology, contains:
    (1) With respect to each SCI system and indirect SCI system of the 
SCI entity, assessments performed by objective personnel of:
    (i) The risks related to the capacity, integrity, resiliency, 
availability, and security;
    (ii) Internal control design and operating effectiveness, to 
include logical and physical security controls, development processes, 
systems capacity and availability, information technology service 
continuity, and information technology governance, consistent with 
industry standards; and
    (iii) Third-party provider management risks and controls; and
    (2) Penetration test reviews performed by objective personnel of 
the network, firewalls, and production systems, including of any 
vulnerabilities of its SCI systems and indirect SCI systems identified 
pursuant to Sec.  242.1001(a)(2)(iv);
    (3) Provided, however, that assessments of SCI systems directly 
supporting market regulation or market surveillance shall be conducted 
at a frequency based upon the risk assessment conducted as part of the 
SCI review, but in no case less than once every three years.
* * * * *
    SCI systems means all computer, network, electronic, technical, 
automated, or similar systems of, or operated by or on behalf of, an 
SCI entity that, with respect to securities, directly support trading, 
clearance and settlement, order routing, market data, market 
regulation, or market surveillance; provided, however, that with 
respect to an SCI broker-dealer that satisfies only the requirements of 
paragraph (2) of the definition of ``SCI

[[Page 23269]]

broker-dealer,'' such systems shall include only those systems with 
respect to the type of securities for which an SCI broker-dealer 
satisfies the requirements of paragraph (2) of the definition.
* * * * *
    Systems intrusion means any:
    (1) Unauthorized entry into the SCI systems or indirect SCI systems 
of an SCI entity;
    (2) Cybersecurity event that disrupts, or significantly degrades, 
the normal operation of an SCI system; or
    (3) Significant attempted unauthorized entry into the SCI systems 
or indirect SCI systems of an SCI entity, as determined by the SCI 
entity pursuant to established reasonable written criteria.
    U.S. Treasury Security means a security issued by the U.S. 
Department of the Treasury.
■ 3. Amend Sec.  242.1001 by revising paragraph (a) to read as follows:


Sec.  242.1001  Obligations related to policies and procedures of SCI 
entities.

    (a) Capacity, integrity, resiliency, availability, and security. 
(1) Each SCI entity shall establish, maintain, and enforce written 
policies and procedures reasonably designed to ensure that its SCI 
systems and, for purposes of security standards, indirect SCI systems, 
have levels of capacity, integrity, resiliency, availability, and 
security, adequate to maintain the SCI entity's operational capability 
and promote the maintenance of fair and orderly markets.
    (2) Policies and procedures required by paragraph (a)(1) of this 
section shall include, at a minimum:
    (i) The establishment of reasonable current and future 
technological infrastructure capacity planning estimates;
    (ii) Periodic capacity stress tests of such systems to determine 
their ability to process transactions in an accurate, timely, and 
efficient manner;
    (iii) A program to review and keep current systems development and 
testing methodology for such systems;
    (iv) Regular reviews and testing, as applicable, of such systems, 
including backup systems, to identify vulnerabilities pertaining to 
internal and external threats, physical hazards, and natural or manmade 
disasters;
    (v) Business continuity and disaster recovery plans that include 
maintaining backup and recovery capabilities sufficiently resilient and 
geographically diverse and that are reasonably designed to achieve next 
business day resumption of trading and two-hour resumption of critical 
SCI systems following a wide-scale disruption; and that are reasonably 
designed to address the unavailability of any third-party provider that 
provides functionality, support, or service to the SCI entity without 
which there would be a material impact on any of its critical SCI 
systems;
    (vi) Standards that result in such systems being designed, 
developed, tested, maintained, operated, and surveilled in a manner 
that facilitates the successful collection, processing, and 
dissemination of market data;
    (vii) Monitoring of such systems to identify potential SCI events;
    (viii) The maintenance of a written inventory and classification of 
all SCI systems, critical SCI systems, and indirect SCI systems as 
such, and a program with respect to the lifecycle management of such 
systems, including the acquisition, integration, support, refresh, and 
disposal of such systems, as applicable;
    (ix) A program to manage and oversee third-party providers that 
provide functionality, support or service, directly or indirectly, for 
any such systems, including: initial and periodic review of contracts 
with such third-party providers for consistency with the SCI entity's 
obligations under Regulation SCI; and a risk-based assessment of each 
third-party provider's criticality to the SCI entity, including 
analyses of third-party provider concentration, of key dependencies if 
the third-party provider's functionality, support, or service were to 
become unavailable or materially impaired, and of any potential 
security, including cybersecurity, risks posed;
    (x) A program to prevent the unauthorized access to such systems 
and information residing therein; and
    (xi) An identification of the current SCI industry standard(s) with 
which each such policy and procedure is consistent, if any.
    (3) Each SCI entity shall periodically review the effectiveness of 
the policies and procedures required by this paragraph (a), and take 
prompt action to remedy deficiencies in such policies and procedures.
    (4) For purposes of this paragraph (a), such policies and 
procedures shall be deemed to be reasonably designed if they are 
consistent with current SCI industry standards, which shall be composed 
of information technology practices that are widely available to 
information technology professionals in the financial sector and issued 
by an authoritative body that is a U.S. governmental entity or agency, 
association of U.S. governmental entities or agencies, or widely 
recognized organization. Compliance with such current SCI industry 
standards as a safe harbor, however, shall not be the exclusive means 
to comply with the requirements of paragraph (a) of this section.
* * * * *
■ 4. Amend Sec.  242.1002 by:
■ a. In paragraph (b)(4)(ii)(B), removing the words ``or participants'' 
and adding in their place ``participants, or, in the case of an SCI 
broker-dealer, customers'';
■ b. Revising paragraphs (b)(5) and (c)(3);
■ c. In paragraph (c)(4)(i), removing the ``or'' after the semicolon;
■ d. In paragraph (c)(4)(ii), removing the period and adding in its place 
``; or''; and
■ e. Adding paragraph (c)(4)(iii).
    The revision and additions read as follows:


Sec.  242.1002  Obligations related to SCI events.

* * * * *
    (b) * * *
    (5) The requirements of paragraphs (b)(1) through (4) of this 
section shall not apply to any systems disruption or systems compliance 
issue that has had, or the SCI entity reasonably estimates would have, 
no or a de minimis impact on the SCI entity's operations or on market 
participants. For such events, each SCI entity shall:
    (i) Make, keep, and preserve records relating to all such systems 
disruptions or systems compliance issues; and
    (ii) Submit to the Commission a report, within 30 calendar days 
after the end of each calendar quarter, containing a summary 
description of such systems disruptions, including the SCI systems 
affected by such systems disruptions during the applicable calendar 
quarter.
    (c) * * *
    (3) The information required to be disseminated under paragraphs 
(c)(1) and (2) of this section promptly after any responsible SCI 
personnel has a reasonable basis to conclude that an SCI event has 
occurred, shall be promptly disseminated by the SCI entity to those 
members, participants, or, in the case of an SCI broker-dealer, 
customers of the SCI entity that any responsible SCI personnel has 
reasonably estimated may have been affected by the SCI event, and 
promptly disseminated to any additional members, participants, or, in 
the case of an SCI broker-dealer, customers that any responsible SCI 
personnel subsequently reasonably estimates may have been affected by 
the SCI event; provided, however, that for major SCI events, the 
information required to be disseminated under paragraphs (c)(1) and (2) 
of this section shall be promptly disseminated by the

[[Page 23270]]

SCI entity to all of its members, participants, or, in the case of an 
SCI broker-dealer, customers.
    (4) * * *
    (iii) A systems intrusion that is a significant attempted 
unauthorized entry into the SCI systems or indirect SCI systems of an 
SCI entity.
■ 5. Amend Sec.  242.1003 by revising paragraph (b) to read as follows:


Sec.  242.1003  Obligations related to systems changes; SCI review.

* * * * *
    (b) SCI review. Each SCI entity shall:
    (1) Conduct an SCI review of the SCI entity's compliance with 
Regulation SCI not less than once each calendar year for each calendar 
year during which it was an SCI entity for any part of such calendar 
year;
    (2) Submit a report of the SCI review required by paragraph (b)(1) 
of this section to senior management of the SCI entity for review no 
more than 30 calendar days after completion of such SCI review. Such 
report of the SCI review shall include:
    (i) The dates the SCI review was conducted and the date of 
completion;
    (ii) The entity or business unit of the SCI entity performing the 
review;
    (iii) A list of the controls reviewed and a description of each 
such control;
    (iv) The findings of the SCI review with respect to each SCI system 
and indirect SCI system, which shall include assessments of: the risks 
related to the capacity, integrity, resiliency, availability, and 
security; internal control design and operating effectiveness; and an 
assessment of third-party provider management risks and controls;
    (v) A summary, including the scope of testing and resulting action 
plan, of each penetration test review conducted as part of the SCI 
review; and
    (vi) A description of each deficiency and weakness identified by 
the SCI review; and
    (3) Submit to the Commission, and to the board of directors of the 
SCI entity or the equivalent of such board, the report of the SCI 
review required by paragraph (b)(2) of this section, together with the 
date the report was submitted to senior management and the response of 
senior management to such report, within 60 calendar days after its 
submission to senior management of the SCI entity.


Sec.  242.1004  [Amended]

■ 6. Amend Sec.  242.1004 by:
■ a. In the section heading, adding ``, and third-party providers'' to 
the end of the heading;
■ b. In paragraph (a), after the word ``participants'', adding ``, and 
third-party providers''; and
■ c. In paragraph (b), after both instances of the word ``participants'' 
adding ``, and third-party providers''.


Sec.  242.1005  [Amended]

■ 7. Amend Sec.  242.1005 in paragraph (c) by:
■ a. Between ``business'' and ``ceasing,'' removing the ``or'' and adding 
a comma in its place; and
■ b. Immediately before ``an SCI entity'' adding ``or otherwise ceasing 
to be an SCI entity,''.

PART 249--FORMS, SECURITIES EXCHANGE ACT OF 1934

■ 8. The general authority citation for part 249 continues to read as 
follows:

    Authority: 15 U.S.C. 78a et seq. and 7201 et seq.; 12 U.S.C. 
5461 et seq.; 18 U.S.C. 1350; Sec. 953(b) Pub. L. 111-203, 124 Stat. 
1904; Sec. 102(a)(3) Pub. L. 112-106, 126 Stat. 309 (2012), Sec. 107 
Pub. L. 112-106, 126 Stat. 313 (2012), Sec. 72001 Pub. L. 114-94, 
129 Stat. 1312 (2015), and secs. 2 and 3 Pub. L. 116-222, 134 Stat. 
1063 (2020), unless otherwise noted.
* * * * *
■ 9. Revise Form SCI (referenced in Sec.  249.1900).

    Note: Form SCI is attached as Appendix A to this document. Form 
SCI will not appear in the Code of Federal Regulations.


    By the Commission.

    Dated: March 15, 2023.
J. Matthew DeLesDernier,
Deputy Secretary.

Appendix A--Form SCI

Securities and Exchange Commission

Washington, DC 20549

Form SCI

Page 1 of ___
File No. SCI-[name]-YYYY-###
SCI Notification and Reporting by: [SCI entity name]
Pursuant to Rules 1002 and 1003 of Regulation SCI under the 
Securities Exchange Act of 1934
[ballot] Initial
[ballot] Withdrawal

Section I: Rule 1002--Commission Notification of SCI Event

A. Submission Type (select one only)
[ballot] Rule 1002(b)(1) Initial Notification of SCI event
[ballot] Rule 1002(b)(2) Notification of SCI event
[ballot] Rule 1002(b)(3) Update of SCI event: ####
[ballot] Rule 1002(b)(4) Final Report of SCI event
[ballot] Rule 1002(b)(4) Interim Status Report of SCI event

    If filing a Rule 1002(b)(1) or Rule 1002(b)(3) submission, 
please provide a brief description:
-----------------------------------------------------------------------
-----------------------------------------------------------------------
-----------------------------------------------------------------------

B. SCI Event Type(s) (select all that apply)
[ballot] Systems compliance issue
[ballot] Systems disruption
[ballot] Systems intrusion

C. General Information Required for (b)(2) filings.
(1) Has the Commission previously been notified of the SCI event 
pursuant to 1002(b)(1)? yes/no
(2) Date/time SCI event occurred: mm/dd/yyyy hh:mm am/pm
(3) Duration of SCI event: hh:mm, or days
(4) Please provide the date and time when a responsible SCI 
personnel had reasonable basis to conclude the SCI event occurred: 
mm/dd/yyyy hh:mm am/pm
(5) Has the SCI event been resolved? yes/no
(a) If yes, provide date and time of resolution: mm/dd/yyyy hh:mm 
am/pm
(6) Is the investigation of the SCI event closed? yes/no
(a) If yes, provide date of closure: mm/dd/yyyy
(7) Estimated number of market participants potentially affected by 
the SCI event: ####
(8) Is the SCI event a major SCI event (as defined in Rule 1000)? 
yes/no

D. Information about impacted systems:
Name(s) of system(s):
-----------------------------------------------------------------------
-----------------------------------------------------------------------
-----------------------------------------------------------------------
Type(s) of system(s) impacted by the SCI event (check all that 
apply):
[ballot] Trading
[ballot] Clearance and settlement
[ballot] Order routing
[ballot] Market data
[ballot] Market regulation
[ballot] Market surveillance
[ballot] Indirect SCI systems (please describe):
-----------------------------------------------------------------------
-----------------------------------------------------------------------
-----------------------------------------------------------------------
Are any critical SCI systems impacted by the SCI event (check all 
that apply)? Yes/No
(1) Systems that directly support functionality relating to:
[ballot] Clearance and settlement systems of clearing agencies
[ballot] Openings, reopenings, and closings on the primary listing 
market
[ballot] Trading halts
[ballot] Initial public offerings
[ballot] The provision of consolidated market data
[ballot] Exclusively-listed securities
(2) [ballot] Systems that provide functionality to the securities 
markets for which the availability of alternatives is significantly 
limited or nonexistent and without which there would be a material 
impact on fair and orderly markets (please describe):
-----------------------------------------------------------------------
-----------------------------------------------------------------------
-----------------------------------------------------------------------

Section II: Periodic Reporting (select one only)

A. Quarterly Reports: For the quarter ended: mm/dd/yyyy
[ballot] Rule 1002(b)(5)(ii): Quarterly report of systems 
disruptions with no or a de minimis impact.

[[Page 23271]]

[ballot] Rule 1003(a)(1): Quarterly report of material systems 
changes
[ballot] Rule 1003(a)(2): Supplemental report of material systems 
changes

B. SCI Review Reports
[ballot] Rule 1003(b)(3): Report of SCI review, together with the 
response of senior management
Date of completion of SCI review: mm/dd/yyyy
Date of submission of SCI review to senior management: mm/dd/yyyy

Section III: Contact Information

    Provide the following information of the person at the [SCI 
entity name] prepared to respond to questions for this submission:

First Name:
Last Name:
Title:
E-Mail:
Telephone:
Fax:

Additional Contacts (Optional)
First Name:
Last Name:
Title:
E-Mail:
Telephone:
Fax:
First Name:
Last Name:
Title:
E-Mail:
Telephone:
Fax:

Section IV: Signature

    Confidential treatment is requested pursuant to Rule 24b-2(g). 
Additionally, pursuant to the requirements of the Securities 
Exchange Act of 1934, [SCI entity name] has duly caused this 
[notification] [report] to be signed on its behalf by the 
undersigned duly authorized officer:

Date:
By (Name)
Title (______)
``Digitally Sign and Lock Form''

Exhibits

Exhibit 1: Rule 1002(b)(2) Notification of SCI Event. Add/Remove/View.
    Within 24 hours of any responsible SCI personnel having a 
reasonable basis to conclude that the SCI event has occurred, the SCI 
entity shall submit a written notification pertaining to such SCI 
event to the Commission, which shall be made on a good faith, best 
efforts basis and include:
    (a) a description of the SCI event, including the system(s) 
affected; and
    (b) to the extent available as of the time of the notification: 
the SCI entity's current assessment of the types and number of market 
participants potentially affected by the SCI event; the potential 
impact of the SCI event on the market; a description of the steps the 
SCI entity has taken, is taking, or plans to take, with respect to the 
SCI event; the time the SCI event was resolved or timeframe within 
which the SCI event is expected to be resolved; and any other 
pertinent information known by the SCI entity about the SCI event.

Exhibit 2: Rule 1002(b)(4) Final or Interim Report of SCI Event. 
Add/Remove/View.
    When submitting a final report pursuant to either Rule 
1002(b)(4)(i)(A) or Rule 1002(b)(4)(i)(B)(2), the SCI entity shall 
include:
    (a) a detailed description of: the SCI entity's assessment of the 
types and number of market participants affected by the SCI event; 
the SCI entity's assessment of the impact of the SCI event on the 
market; the steps the SCI entity has taken, is taking, or plans to 
take, with respect to the SCI event; the time the SCI event was 
resolved; the SCI entity's rule(s) and/or governing document(s), as 
applicable, that relate to the SCI event; and any other pertinent 
information known by the SCI entity about the SCI event;
    (b) a copy of any information disseminated pursuant to Rule 
1002(c) by the SCI entity to date regarding the SCI event to any of 
its members, participants, or, in the case of an SCI broker-dealer, 
customers; and
    (c) an analysis of parties that may have experienced a loss, 
whether monetary or otherwise, due to the SCI event, the number of 
such parties, and an estimate of the aggregate amount of such loss.
    When submitting an interim report pursuant to Rule 
1002(b)(4)(i)(B)(1), the SCI entity shall include such information to 
the extent known at the time.

Exhibit 3: Rule 1002(b)(5)(ii) Quarterly Report of De Minimis SCI 
Events. Add/Remove/View.
    The SCI entity shall submit a report, within 30 calendar days 
after the end of each calendar quarter, containing a summary 
description of systems disruptions that have had, or the SCI entity 
reasonably estimates would have, no or a de minimis impact on the SCI 
entity's operations or on market participants, including the SCI 
systems affected by such systems disruptions during the applicable 
calendar quarter.

Exhibit 4: Rule 1003(a) Quarterly Report of Systems Changes. 
Add/Remove/View.
    When submitting a report pursuant to Rule 1003(a)(1), the SCI 
entity shall provide a report, within 30 calendar days after the end 
of each calendar quarter, describing completed, ongoing, and planned 
material changes to its SCI systems and the security of indirect SCI 
systems, during the prior, current, and subsequent calendar quarters, 
including the dates or expected dates of commencement and completion. 
An SCI entity shall establish reasonable written criteria for 
identifying a change to its SCI systems and the security of indirect 
SCI systems as material and report such changes in accordance with 
such criteria.
    When submitting a report pursuant to Rule 1003(a)(2), the SCI 
entity shall provide a supplemental report of a material error in or 
material omission from a report previously submitted under Rule 
1003(a)(1).

Exhibit 5: Rule 1003(b)(3) Report of SCI Review. Add/Remove/View.
    The SCI entity shall provide the report of the SCI review, 
together with the date the report was submitted to senior management 
and the response of senior management to such report, within 60 
calendar days after its submission to senior management of the SCI 
entity.

Exhibit 6: Optional Attachments. Add/Remove/View.
    This exhibit may be used in order to attach other documents that 
the SCI entity may wish to submit as part of a Rule 1002(b)(1) 
initial notification submission or Rule 1002(b)(3) update submission.

General Instructions for Form SCI

A. Use of the Form

    Except with respect to notifications to the Commission made 
pursuant to Rule 1002(b)(1) or updates to the Commission made 
pursuant to Rule 1002(b)(3), any notification, review, description, 
analysis, or report required to be submitted pursuant to Regulation 
SCI under the Securities Exchange Act of 1934 (``Act'') shall be 
filed in an electronic format through an electronic form filing 
system (``EFFS''), a secure website operated by the Securities and 
Exchange Commission (``Commission''). Documents attached as exhibits 
filed through the EFFS system must be in a text-searchable format 
without the use of optical character recognition. If, however, a 
portion of a Form SCI submission (e.g., an image or diagram) cannot 
be made available in a text-searchable format, such portion may be 
submitted in a non-text searchable format.

B. Need for Careful Preparation of the Completed Form, Including 
Exhibits

    This form, including the exhibits, is intended to elicit 
information necessary for Commission staff to work with SCI entities 
to ensure the capacity, integrity, resiliency, availability, 
security, and compliance of their automated systems. An SCI entity 
must provide all the information required by the form, including the 
exhibits, and must present the information in a clear and 
comprehensible manner. A filing that is incomplete or similarly 
deficient may be returned to the SCI entity. Any filing so returned 
shall for all purposes be deemed not to have been filed with the 
Commission. See also Rule 0-3 under the Act (17 CFR 240.0-3).

C. When To Use the Form

    Form SCI is comprised of six types of required submissions to 
the Commission pursuant to Rules 1002 and 1003. In addition, Form 
SCI permits SCI entities to submit to the Commission two additional 
types of submissions pursuant to Rules 1002(b)(1) and 1002(b)(3); 
however, SCI entities are not required to use Form SCI for these two 
types of submissions to the Commission. In filling out Form SCI, an 
SCI

[[Page 23272]]

entity shall select the type of filing and provide all information 
required by Regulation SCI specific to that type of filing.
    The first two types of required submissions relate to Commission 
notification of certain SCI events:
    (1) ``Rule 1002(b)(2) Notification of SCI Event'' submissions 
for notifications regarding systems disruptions, systems compliance 
issues, or systems intrusions (collectively, ``SCI events''), other 
than any systems disruption or systems compliance issue that has 
had, or the SCI entity reasonably estimates would have, no or a de 
minimis impact on the SCI entity's operations or on market 
participants; and
    (2) ``Rule 1002(b)(4) Final or Interim Report of SCI Event'' 
submissions, of which there are two kinds (a final report under Rule 
1002(b)(4)(i)(A) or Rule 1002(b)(4)(i)(B)(2); or an interim status 
report under Rule 1002(b)(4)(i)(B)(1)).
    The other four types of required submissions are periodic 
reports, and include:
    (1) ``Rule 1002(b)(5)(ii)'' submissions for quarterly reports of 
systems disruptions which have had, or the SCI entity reasonably 
estimates would have, no or a de minimis impact on the SCI entity's 
operations or on market participants;
    (2) ``Rule 1003(a)(1)'' submissions for quarterly reports of 
material systems changes;
    (3) ``Rule 1003(a)(2)'' submissions for supplemental reports of 
material systems changes; and
    (4) ``Rule 1003(b)(3)'' submissions for reports of SCI reviews.

Required Submissions for SCI Events

    For 1002(b)(2) submissions, an SCI entity must notify the 
Commission using Form SCI by selecting the appropriate box in 
Section I and filling out all information required by the form, 
including Exhibit 1. 1002(b)(2) submissions must be submitted within 
24 hours of any responsible SCI personnel having a reasonable basis 
to conclude that an SCI event has occurred.
    For 1002(b)(4) submissions, if an SCI event is resolved and the 
SCI entity's investigation of the SCI event is closed within 30 
calendar days of the occurrence of the SCI event, an SCI entity must 
file a final report under Rule 1002(b)(4)(i)(A) within five business 
days after the resolution of the SCI event and closure of the 
investigation regarding the SCI event. However, if an SCI event is 
not resolved or the SCI entity's investigation of the SCI event is 
not closed within 30 calendar days of the occurrence of the SCI 
event, an SCI entity must file an interim status report under Rule 
1002(b)(4)(i)(B)(1) within 30 calendar days after the occurrence of 
the SCI event. For SCI events in which an interim status report is 
required to be filed, an SCI entity must file a final report under 
Rule 1002(b)(4)(i)(B)(2) within five business days after the 
resolution of the SCI event and closure of the investigation 
regarding the SCI event. For 1002(b)(4) submissions, an SCI entity 
must notify the Commission using Form SCI by selecting the 
appropriate box in Section I and filling out all information 
required by the form, including Exhibit 2.

Required Submissions for Periodic Reporting

    For 1002(b)(5)(ii) submissions, an SCI entity must submit 
quarterly reports of systems disruptions which have had, or the SCI 
entity reasonably estimates would have, no or a de minimis impact on 
the SCI entity's operations or on market participants. The SCI 
entity must select the appropriate box in Section II and fill out 
all information required by the form, including Exhibit 3.
    For 1003(a)(1) submissions, an SCI entity must submit its 
quarterly report of material systems changes to the Commission using 
Form SCI. The SCI entity must select the appropriate box in Section 
II and fill out all information required by the form, including 
Exhibit 4.
    Filings made pursuant to Rule 1002(b)(5)(ii) and Rule 1003(a)(1) 
must be submitted to the Commission within 30 calendar days after 
the end of each calendar quarter (i.e., March 31st, June 30th, 
September 30th and December 31st) of each year.
    For 1003(a)(2) submissions, an SCI entity must submit a 
supplemental report notifying the Commission of a material error in 
or material omission from a report previously submitted under Rule 
1003(a). The SCI entity must select the appropriate box in Section 
II and fill out all information required by the form, including 
Exhibit 4.
    For 1003(b)(3) submissions, an SCI entity must submit its report 
of its SCI review, together with the date the report was submitted 
to senior management and the response of senior management to such 
report, to the Commission using Form SCI. A 1003(b)(3) submission is 
required within 60 calendar days after the report of the SCI review 
has been submitted to senior management of the SCI entity. The SCI 
entity must select the appropriate box in Section II and fill out 
all information required by the form, including Exhibit 5.
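    The filing schedule described under "Required Submissions for SCI 
Events" and "Required Submissions for Periodic Reporting" above has 
several interacting clocks: the 24-hour notification clock starts when 
responsible SCI personnel have a reasonable basis to conclude an event 
occurred; whether one final report or an interim-plus-final pair is 
due depends on the 30-calendar-day window from occurrence; final 
reports run on business days; and de minimis systems disruptions are 
carved out of notification and rolled into a quarterly report due 30 
calendar days after quarter end. The following Python is an added 
worked example, not part of Form SCI or the Commission's text. It 
assumes business days are Monday through Friday with no holiday 
calendar, reads "within N days" as the start date plus N days, and 
uses constructed event dates; the function and field names are the 
example's own.

```python
from dataclasses import dataclass
from datetime import date, datetime, timedelta
from typing import Optional, Union

# Assumptions (not from the rule text): business days are Monday-Friday with
# no holiday calendar, and "within N days" is modelled as start + N days.
WORKDAYS = range(5)  # Monday=0 .. Friday=4


def add_business_days(start: date, n: int) -> date:
    """Date n business days after start; start itself is not counted."""
    d, added = start, 0
    while added < n:
        d += timedelta(days=1)
        if d.weekday() in WORKDAYS:
            added += 1
    return d


def quarter_end(d: date) -> date:
    """Last calendar day of the quarter containing d (Mar 31, Jun 30, ...)."""
    last_month = ((d.month - 1) // 3 + 1) * 3
    if last_month == 12:
        return date(d.year, 12, 31)
    return date(d.year, last_month + 1, 1) - timedelta(days=1)


@dataclass
class Filing:
    rule: str        # Regulation SCI rule paragraph that triggers the filing
    exhibit: str     # Form SCI exhibit that must accompany it
    due: Union[date, datetime]


def sci_event_filings(event_type: str, de_minimis: bool, reasonable_basis: datetime,
                      occurrence: date, resolved_and_closed: Optional[date]) -> list:
    """Return the Form SCI filings an SCI event triggers and when each is due.

    event_type: "disruption", "compliance" or "intrusion".
    de_minimis: event had, or is reasonably estimated to have, no or de minimis
                impact (only a disruption or compliance issue can be carved out;
                a systems intrusion is always notified).
    reasonable_basis: when responsible SCI personnel had a reasonable basis to
                      conclude the event occurred (starts the 24-hour clock).
    resolved_and_closed: date the event was resolved AND the investigation
                         closed, or None if still open.
    """
    if event_type not in ("disruption", "compliance", "intrusion"):
        raise ValueError(f"unknown SCI event type: {event_type}")

    # De minimis carve-out: no 1002(b)(2) notification. De minimis disruptions
    # are rolled into the quarterly Exhibit 3 report, due 30 calendar days after
    # quarter end; the form gives no Form SCI filing for a de minimis
    # compliance issue.
    if de_minimis and event_type != "intrusion":
        if event_type == "disruption":
            return [Filing("1002(b)(5)(ii)", "Exhibit 3",
                           quarter_end(occurrence) + timedelta(days=30))]
        return []

    filings = [Filing("1002(b)(2)", "Exhibit 1",
                      reasonable_basis + timedelta(hours=24))]
    window_end = occurrence + timedelta(days=30)   # 30 calendar days of occurrence

    if resolved_and_closed is not None and resolved_and_closed <= window_end:
        # Closed inside the window: one final report, 5 business days after closure.
        filings.append(Filing("1002(b)(4)(i)(A)", "Exhibit 2",
                              add_business_days(resolved_and_closed, 5)))
    else:
        # Still open at day 30: interim status report at the window end, then a
        # final report 5 business days after the event is resolved and closed.
        filings.append(Filing("1002(b)(4)(i)(B)(1)", "Exhibit 2", window_end))
        if resolved_and_closed is not None:
            filings.append(Filing("1002(b)(4)(i)(B)(2)", "Exhibit 2",
                                  add_business_days(resolved_and_closed, 5)))
    return filings


if __name__ == "__main__":
    # Constructed scenario: intrusion with reasonable basis on Fri 2024-03-01
    # 14:30, occurring that day, resolved and closed 2024-04-10 (after day 30).
    for f in sci_event_filings("intrusion", False, datetime(2024, 3, 1, 14, 30),
                               date(2024, 3, 1), date(2024, 4, 10)):
        print(f"{f.rule:<20} {f.exhibit:<9} due {f.due}")
```

    In the constructed scenario the event is still open at day 30, so 
the schedule is a notification by 2024-03-02 14:30, an interim status 
report by 2024-03-31, and a final report by 2024-04-17 (five business 
days after the 2024-04-10 closure). Replace the weekday-only rule with 
the entity's actual business calendar before relying on the output.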

Optional Submissions

    An SCI entity may, but is not required to, use Form SCI to 
submit a notification pursuant to Rule 1002(b)(1). If the SCI entity 
uses Form SCI to submit a notification pursuant to Rule 1002(b)(1), 
it must select the appropriate box in Section I and provide a short 
description of the SCI event. Documents may also be attached as 
Exhibit 6 if the SCI entity chooses to do so. An SCI entity may, but 
is not required to, use Form SCI to submit an update pursuant to 
Rule 1002(b)(3). Rule 1002(b)(3) requires an SCI entity to, until 
such time as the SCI event is resolved and the SCI entity's 
investigation of the SCI event is closed, provide updates pertaining 
to such SCI event to the Commission on a regular basis, or at such 
frequency as reasonably requested by a representative of the 
Commission, to correct any materially incorrect information 
previously provided, or when new material information is discovered, 
including but not limited to, any of the information listed in Rule 
1002(b)(2)(ii). If the SCI entity uses Form SCI to submit an update 
pursuant to Rule 1002(b)(3), it must select the appropriate box in 
Section I and provide a short description of the SCI event. 
Documents may also be attached as Exhibit 6 if the SCI entity 
chooses to do so.

D. Documents Comprising the Completed Form

    The completed form filed with the Commission shall consist of 
Form SCI, responses to all applicable items, and any exhibits 
required in connection with the filing. Each filing shall be marked 
on Form SCI with the initials of the SCI entity, the four-digit 
year, and the number of the filing for the year (e.g., SCI Name-
YYYY-XXX).

E. Contact Information; Signature; and Filing of the Completed Form

    Each time an SCI entity submits a filing to the Commission on 
Form SCI, the SCI entity must provide the contact information 
required by Section III of Form SCI. Space for additional contact 
information, if appropriate, is also provided.
    All notifications and reports required to be submitted through 
Form SCI shall be filed through the EFFS. In order to file Form SCI 
through the EFFS, SCI entities must request access to the 
Commission's External Application Server by completing a request for 
an external account user ID and password. Initial requests are made 
by calling (202) 551-5777. An email will be sent to the 
requestor that will provide a link to a secure website where basic 
profile information will be requested. A duly authorized individual 
of the SCI entity shall electronically sign the completed Form SCI 
as indicated in Section IV of the form. In addition, a duly 
authorized individual of the SCI entity shall manually sign one copy 
of the completed Form SCI, and the manually signed signature page 
shall be preserved pursuant to the requirements of Rule 1005.

F. Withdrawals of Commission Notifications and Periodic Reports

    If an SCI entity determines to withdraw a Form SCI, it must 
complete Page 1 of the Form SCI and indicate by selecting the 
appropriate check box to withdraw the submission.

G. Paperwork Reduction Act Disclosure

    This collection of information will be reviewed by the Office of 
Management and Budget in accordance with the clearance requirements 
of 44 U.S.C. 3507. An agency may not conduct or sponsor, and a 
person is not required to respond to, a collection of information 
unless it displays a currently valid control number. The Commission 
estimates that the average burden to respond to Form SCI will be 
between one and 125 hours, depending upon the purpose for which the 
form is being filed. Any member of the public may direct to the 
Commission any comments concerning the accuracy of this burden 
estimate and any suggestions for reducing this burden.
    Except with respect to notifications to the Commission made 
pursuant to Rule 1002(b)(1) or updates to the Commission made 
pursuant to Rule 1002(b)(3), it is mandatory that an SCI entity file 
all notifications, reviews, descriptions, analyses, and reports 
required by Regulation SCI using Form SCI. The Commission will keep 
the information collected pursuant to Form SCI confidential to the 
extent permitted by law. Subject to the provisions of the Freedom of 
Information Act, 5 U.S.C. 552 (``FOIA''), and the Commission's rules 
thereunder (17 CFR 200.80(b)(4)(iii)), the Commission does not 
generally publish or make available information contained in any 
reports, summaries, analyses, letters, or memoranda arising out of, 
in anticipation of, or in connection with an examination or 
inspection of the books and records of any person or any other 
investigation.

[[Page 23273]]

H. Exhibits

    List of exhibits to be filed, as applicable:
    Exhibit 1: Rule 1002(b)(2)--Notification of SCI Event. Within 24 
hours of any responsible SCI personnel having a reasonable basis to 
conclude that the SCI event has occurred, the SCI entity shall 
submit a written notification pertaining to such SCI event to the 
Commission, which shall be made on a good faith, best efforts basis 
and include: (a) a description of the SCI event, including the 
system(s) affected; and (b) to the extent available as of the time 
of the notification: the SCI entity's current assessment of the 
types and number of market participants potentially affected by the 
SCI event; the potential impact of the SCI event on the market; a 
description of the steps the SCI entity has taken, is taking, or 
plans to take, with respect to the SCI event; the time the SCI event 
was resolved or timeframe within which the SCI event is expected to 
be resolved; and any other pertinent information known by the SCI 
entity about the SCI event.
    Exhibit 2: Rule 1002(b)(4)--Final or Interim Report of SCI 
Event. When submitting a final report pursuant to either Rule 
1002(b)(4)(i)(A) or Rule 1002(b)(4)(i)(B)(2), the SCI entity shall 
include: (a) a detailed description of: the SCI entity's assessment 
of the types and number of market participants affected by the SCI 
event; the SCI entity's assessment of the impact of the SCI event on 
the market; the steps the SCI entity has taken, is taking, or plans 
to take, with respect to the SCI event; the time the SCI event was 
resolved; the SCI entity's rule(s) and/or governing document(s), as 
applicable, that relate to the SCI event; and any other pertinent 
information known by the SCI entity about the SCI event; (b) a copy 
of any information disseminated pursuant to Rule 1002(c) by the SCI 
entity to date regarding the SCI event to any of its members, 
participants, or, in the case of an SCI broker-dealer, customers; 
and (c) an analysis of parties that may have experienced a loss, 
whether monetary or otherwise, due to the SCI event, the number of 
such parties, and an estimate of the aggregate amount of such loss. 
When submitting an interim report pursuant to Rule 
1002(b)(4)(i)(B)(1), the SCI entity shall include such information 
to the extent known at the time.
    Exhibit 3: Rule 1002(b)(5)(ii)--Quarterly Report of De Minimis 
SCI Events. The SCI entity shall submit a report, within 30 calendar 
days after the end of each calendar quarter, containing a summary 
description of systems disruptions that have had, or the SCI entity 
reasonably estimates would have, no or a de minimis impact on the 
SCI entity's operations or on market participants, including the SCI 
systems affected by such SCI events during the applicable calendar 
quarter.
    Exhibit 4: Rule 1003(a)--Quarterly Report of Systems Changes. 
When submitting a report pursuant to Rule 1003(a)(1), the SCI entity 
shall provide a report, within 30 calendar days after the end of 
each calendar quarter, describing completed, ongoing, and planned 
material changes to its SCI systems and the security of indirect SCI 
systems, during the prior, current, and subsequent calendar 
quarters, including the dates or expected dates of commencement and 
completion. An SCI entity shall establish reasonable written 
criteria for identifying a change to its SCI systems and the 
security of indirect SCI systems as material and report such changes 
in accordance with such criteria. When submitting a report pursuant 
to Rule 1003(a)(2), the SCI entity shall provide a supplemental 
report of a material error in or material omission from a report 
previously submitted under Rule 1003(a); provided, however, that a 
supplemental report is not required if information regarding a 
material systems change is or will be provided as part of a 
notification made pursuant to Rule 1002(b).
    Exhibit 5: Rule 1003(b)(3)--Report of SCI Review. The SCI entity 
shall provide the report of the SCI review, together with the date 
the report was submitted to senior management and the response of 
senior management to such report, within 60 calendar days after its 
submission to senior management of the SCI entity.
    Exhibit 6: Optional Attachments. This exhibit may be used in 
order to attach other documents that the SCI entity may wish to 
submit as part of a Rule 1002(b)(1) initial notification submission 
or Rule 1002(b)(3) update submission.

I. Explanation of Terms

    Critical SCI systems means any SCI systems of, or operated by or 
on behalf of, an SCI entity that: (1) directly support functionality 
relating to: (i) clearance and settlement systems of clearing 
agencies; (ii) openings, reopenings, and closings on the primary 
listing market; (iii) trading halts; (iv) initial public offerings; 
(v) the provision of market data by a plan processor; or (vi) 
exclusively-listed securities; or (2) provide functionality to the 
securities markets for which the availability of alternatives is 
significantly limited or nonexistent and without which there would 
be a material impact on fair and orderly markets.
    Indirect SCI systems means any systems of, or operated by or on 
behalf of, an SCI entity that, if breached, would be reasonably 
likely to pose a security threat to SCI systems.
    Major SCI event means an SCI event that has had, or the SCI 
entity reasonably estimates would have: (1) any impact on a critical 
SCI system; or (2) a significant impact on the SCI entity's 
operations or on market participants.
    Responsible SCI personnel means, for a particular SCI system or 
indirect SCI system impacted by an SCI event, such senior manager(s) 
of the SCI entity having responsibility for such system, and their 
designee(s).
    SCI entity means an SCI self-regulatory organization, SCI 
alternative trading system, plan processor, exempt clearing agency, 
SCI competing consolidator, SCI broker-dealer, or registered 
security-based swap data repository.
    SCI event means an event at an SCI entity that constitutes: (1) 
a systems disruption; (2) a systems compliance issue; or (3) a 
systems intrusion.
    SCI review means a review, following established and documented 
procedures and standards, that is performed by objective personnel 
having appropriate experience to conduct reviews of SCI systems and 
indirect SCI systems, and which review, using appropriate risk 
management methodology, contains: (1) with respect to each SCI 
system and indirect SCI system of the SCI entity, assessments 
performed by objective personnel of: (A) the risks related to 
capacity, integrity, resiliency, availability, and security; (B) 
internal control design and operating effectiveness, to include 
logical and physical security controls, development processes, 
systems capacity and availability, information technology service 
continuity, and information technology governance, consistent with 
industry standards; and (C) third party provider management risks 
and controls; and (2) penetration test reviews performed by 
objective personnel of the network, firewalls, and production 
systems, including of any vulnerabilities of its SCI systems and 
indirect SCI systems identified pursuant to Sec. 242.1001(a)(2)(iv); 
(3) provided, however, that assessments of SCI 
systems directly supporting market regulation or market surveillance 
shall be conducted at a frequency based upon the risk assessment 
conducted as part of the SCI review, but in no case less than once 
every three years.
    SCI systems means all computer, network, electronic, technical, 
automated, or similar systems of, or operated by or on behalf of, an 
SCI entity that, with respect to securities, directly support 
trading, clearance and settlement, order routing, market data, 
market regulation, or market surveillance; provided, however, that 
with respect to an SCI broker-dealer that satisfies only the 
requirements of paragraph (2) of the definition of ``SCI broker-
dealer,'' such systems shall include only those systems with respect 
to the type of securities for which an SCI broker-dealer satisfies 
the requirements of paragraph (2) of the definition.
    Systems Compliance Issue means an event at an SCI entity that 
has caused any SCI system of such entity to operate in a manner that 
does not comply with the Act and the rules and regulations 
thereunder or the entity's rules or governing documents, as 
applicable.
    Systems Disruption means an event in an SCI entity's SCI systems 
that disrupts, or significantly degrades, the normal operation of an 
SCI system.

[[Page 23274]]

    Systems Intrusion means any: (1) unauthorized entry into the SCI 
systems or indirect SCI systems of an SCI entity; (2) cybersecurity 
event that disrupts, or significantly degrades, the normal operation 
of an SCI system; or (3) significant attempted unauthorized entry 
into the SCI systems or indirect SCI systems of an SCI entity, as 
determined by the SCI entity pursuant to established reasonable 
written criteria.
[FR Doc. 2023-05775 Filed 4-13-23; 8:45 am]
BILLING CODE 8011-01-P