Proposed Collection; Comment Request; Extension: Regulation SCI, Form SCI, 84660-84662 [2024-24577]

Agencies

• SECURITIES AND EXCHANGE COMMISSION

[Federal Register Volume 89, Number 205 (Wednesday, October 23, 2024)]
[Notices]
[Pages 84660-84662]
From the Federal Register Online via the Government Publishing Office [www.gpo.gov]
[FR Doc No: 2024-24577]


-----------------------------------------------------------------------

SECURITIES AND EXCHANGE COMMISSION

[SEC File No. 270-653, OMB Control No. 3235-0703]


Proposed Collection; Comment Request; Extension: Regulation SCI, 
Form SCI

Upon Written Request, Copies Available From: Securities and Exchange 
Commission, Office of FOIA Services, 100 F Street NE, Washington, DC 
20549-2736.

    Notice is hereby given that pursuant to the Paperwork Reduction Act 
of 1995 (``PRA'') (44 U.S.C. 3501 et seq.), the Securities and Exchange 
Commission (``Commission'') is soliciting comments on the collection of 
information provided for in Regulation Systems Compliance and Integrity 
(``Regulation SCI'') (17 CFR 242.1000-1007) and Form SCI (17 CFR 
249.1900) under the Securities Exchange Act of 1934 (``Exchange Act'') 
(15 U.S.C. 78a et seq.). The Commission plans to submit this existing 
collection of information to the Office of Management and Budget 
(``OMB'') for extension and approval.
    Regulation SCI requires certain key market participants to, among 
other things: (1) have comprehensive policies and procedures in place 
to help ensure the robustness and resiliency of their technological 
systems, and also that their technological systems operate in 
compliance with the federal securities laws and with their own rules; 
and (2) provide certain notices and reports to the Commission to 
improve Commission oversight of securities market infrastructure.
    Regulation SCI advances the goals of the national market system by 
enhancing the capacity, integrity, resiliency, availability, and 
security of the automated systems of entities important to the 
functioning of the U.S. securities markets, as well as reinforcing the 
requirement that such systems operate in compliance with the Exchange 
Act and rules and regulations thereunder, thus strengthening the 
infrastructure of the U.S. securities markets and improving its 
resilience when technological issues arise. In this respect, Regulation 
SCI establishes an updated and formalized regulatory framework, thereby 
helping to ensure more effective Commission oversight of such systems.
    Respondents consist of national securities exchanges and 
associations, registered clearing agencies, exempt clearing agencies, 
plan processors, and alternative trading systems. There are currently 
48 respondents, and the Commission staff estimates that, on average, 2 
new respondents may become SCI entities each year, 1 of which would be 
a self-regulatory organization (``SRO''). Accordingly, Commission staff 
estimates that over the next three years there will be an average of 50 
respondents per year.
    In addition, in December 2020, the Commission adopted amendments to 
Regulation SCI in connection with updates to the national market system 
for the collection, consolidation, and dissemination of information 
with respect to quotations for and transactions in national market 
system (``NMS'') stocks (``Infrastructure Amendments''). Specifically, 
the Commission adopted a definition of ``SCI competing consolidator'' 
that will subject competing consolidators to Regulation SCI, after a 
transition period, if they are above a specified consolidated market 
data gross revenue threshold.\1\ The Infrastructure Amendments 
increased the number of respondents to the collections of information 
in Regulation SCI, and the Commission estimates that seven competing 
consolidators will meet this definition and be subject to the 
requirements of Regulation SCI.\2\
---------------------------------------------------------------------------

    \1\ See Securities Exchange Act Release No. 34-90610 (December 
9, 2020), 86 FR 18596 (April 9, 2021) (File No. S7-03-20) 
(``Infrastructure Adopting Release'').
    \2\ Some of these respondents were estimated to incur no, or 
only part of, the estimated initial burdens because they were 
already subject to Regulation SCI (i.e., as plan processors, SROs or 
affiliates of SROs).
---------------------------------------------------------------------------

    Rule 1001(a) requires each SCI entity to establish, maintain, and 
enforce written policies and procedures reasonably designed to ensure 
that its SCI systems and, for purposes of security standards, indirect 
SCI systems, have levels of capacity, integrity, resiliency, 
availability, and security, adequate to maintain the SCI entity's 
operational capability and promote the maintenance of fair and orderly 
markets. The Commission staff estimates that the total annual initial 
recordkeeping burden for 7 new respondents will be 4,511 hours, and the 
annual ongoing recordkeeping burden for all 55 respondents will be, on 
average, 12,760 hours. The Commission staff estimates that the 7 new 
respondents would incur, on average, an annual initial internal cost of 
compliance of $1,696,578, as well as outside legal or consulting costs 
of $305,500. In addition, all respondents will incur, on average, an 
estimated ongoing annual internal cost of compliance of $4,801,060.
    Rule 1001(b) requires each SCI entity to establish, maintain, and 
enforce written policies and procedures reasonably designed to ensure 
that its SCI systems operate in a manner that complies with the 
Exchange Act and the rules and regulations thereunder and the entity's 
rules and governing documents, as applicable. The Commission staff 
estimates that the total annual initial recordkeeping burden for 7 new 
respondents will be 1,755 hours, and the annual ongoing recordkeeping 
burden for all respondents will be, on average, 8,105 hours. The 
Commission staff estimates that the 7 new respondents would incur an 
initial internal cost of compliance of $628,160, as well as outside 
legal or consulting costs of $175,500. In addition, all respondents 
will incur, on average, an estimated ongoing annual internal cost of 
compliance of $2,881,660.
    Rule 1001(c) requires each SCI entity to establish, maintain, and 
enforce reasonably designed written policies and procedures that 
include the criteria for identifying responsible SCI personnel, the 
designation and documentation of responsible SCI personnel, and 
escalation procedures to quickly inform responsible SCI

[[Page 84661]]

personnel of potential SCI events. The Commission staff estimates that 
the total annual initial recordkeeping burden for 7 new respondents 
will be 741 hours, and the annual ongoing recordkeeping burden for all 
respondents will be, on average, 2,145. The Commission staff estimates 
that the 7 new respondents would incur an initial internal cost of 
compliance of $309,868, and all respondents will incur, on average, an 
estimated ongoing annual internal cost of compliance of $958,485.
    Rule 1004 requires each SCI entity to establish standards for the 
designation of certain members or participants for BC/DR plan testing, 
to designate members or participants in accordance with these 
standards, to require participation by designated members or 
participants in such testing at least annually, and to coordinate such 
testing on an industry- or sector-wide basis with other SCI entities. 
The Commission staff estimates that the total annual initial 
recordkeeping burden for 9 new respondents will be 2,700 hours, and the 
annual ongoing recordkeeping burden for all respondents that are not 
plan processors will be, on average, 7,425 hours. The Commission staff 
estimates that the 7 new respondents would incur an initial internal 
cost of compliance of $902,865. In addition, all respondents that are 
not plan processors will incur, on average, an estimated ongoing annual 
internal cost of compliance of $2,217,600. In addition, the Commission 
staff estimates that the 2 plan processor respondents will incur an 
estimated ongoing annual cost of $108,000 for outside legal services 
($54,000 per plan processor respondent x 2 respondents).
    Rule 1002(b)(1) requires each SCI entity, upon any responsible SCI 
personnel having a reasonable basis to conclude that an SCI event has 
occurred, to notify the Commission immediately. The Commission staff 
estimates that the total annual ongoing burden for all 55 respondents 
will be, on average, 440 hours. The Commission staff estimates that 
respondents will incur, on average, an estimated ongoing annual 
internal cost of compliance of $151,882.50.
    Rule 1002(b)(2) requires each SCI entity, within 24 hours of any 
responsible SCI personnel having a reasonable basis to conclude that 
the SCI event has occurred, to submit a written notification to the 
Commission pertaining to the SCI event on a good faith, best efforts 
basis. These notifications are required to be submitted on Form SCI. 
The Commission staff estimates that the total annual ongoing burden for 
all 55 respondents will be, on average, 6,600 hours. The Commission 
staff estimates that respondents will incur, on average, an estimated 
ongoing annual internal cost of compliance of $2,427,325.
    Rule 1002(b)(3) requires each SCI entity to provide updates to the 
Commission pertaining to an SCI event on a regular basis, or at such 
frequency as reasonably requested by a representative of the 
Commission, until the SCI event is resolved and the SCI entity's 
investigation of the SCI event is closed. The Commission staff 
estimates that the total annual ongoing burden for all 55 respondents 
will be, on average, 578 hours. The Commission staff estimates that all 
respondents will incur, on average, an estimated ongoing annual 
internal cost of compliance of $202,235.
    Rule 1002(b)(4) requires each SCI entity to submit written interim 
reports, as necessary, and a written final report regarding an SCI 
event to the Commission. These reports are required to be submitted on 
Form SCI. The Commission staff estimates that the total annual ongoing 
burden for all 55 respondents will be, on average, 9,625 hours. The 
Commission staff estimates that all respondents will incur, on average, 
an estimated ongoing annual internal cost of compliance of $3,795,800.
    Rule 1002(b)(5) requires each SCI entity to submit to the 
Commission quarterly reports containing a summary description of any 
systems disruption or systems intrusion that has had, or the SCI entity 
reasonably estimates would have, no or a de minimis impact on the SCI 
entity's operations or on market participants. These reports are 
required to be submitted on Form SCI. The Commission staff estimates 
that the total annual ongoing burden for all 55 respondents will be, on 
average, 8,800 hours. The Commission staff estimates that respondents 
will incur, on average, an estimated ongoing annual internal cost of 
compliance of $3,329,040.
    In addition, the Commission staff estimates that all 55 respondents 
will incur, on average, annual costs of $319,000 for outside legal 
advice in preparation of certain notifications required by Rule 
1002(b).
    Rule 1002(c)(1)(i) requires each SCI entity, promptly after any 
responsible SCI personnel has a reasonable basis to conclude that an 
SCI event (other than a systems intrusion) has occurred, to disseminate 
certain information to its members or participants. The Commission 
staff estimates that the total annual ongoing burden for all 55 
respondents will be, on average, 1,155 hours. The Commission staff 
estimates that all respondents will incur, on average, an estimated 
ongoing annual internal cost of compliance of $506,815.
    Rule 1002(c)(1)(ii) requires each SCI entity, when known, to 
promptly disseminate additional information about an SCI event (other 
than a systems intrusion) to its members or participants. Rule 
1002(c)(1)(iii) requires each SCI entity to provide to its members or 
participants regular updates of any information required to be 
disseminated under Rules 1002(c)(1)(i) and (ii) until the SCI event is 
resolved. The Commission staff estimates that the total annual ongoing 
burden for all 55 respondents will be, on average, 6,435 hours. The 
Commission staff estimates that all respondents will incur, on average, 
an estimated ongoing annual internal cost of compliance of $2,841,795.
    Rule 1002(c)(2) requires each SCI entity to disseminate certain 
information regarding a systems intrusion to its members or 
participants, and provides an exception when the SCI entity determines 
that dissemination of such information would likely compromise the 
security of its SCI systems or indirect SCI systems, or an 
investigation of the systems intrusion, and documents the reasons for 
such determination. The Commission staff estimates that the total 
annual ongoing burden for all 55 respondents will be, on average, 550 
hours. The Commission staff estimates that all respondents will incur, 
on average, an estimated ongoing annual internal cost of compliance of 
$242,330.
    In addition, the Commission staff estimates that all 55 respondents 
will incur, on average, annual costs of $182,600 for outside legal 
advice in preparation of certain notifications required by Rule 
1002(c).
    Rule 1003(a)(1) requires each SCI entity to submit to the 
Commission quarterly reports describing completed, ongoing, and planned 
material changes to its SCI systems and security of indirect SCI 
systems during the prior, current, and subsequent calendar quarters. 
These reports are required to be submitted on Form SCI. The Commission 
staff estimates that the total annual ongoing burden for all 55 
respondents will be, on average, 27,500 hours. The Commission staff 
estimates that all respondents will incur, on average, an estimated 
ongoing annual internal cost of compliance of $9,204,800.
    Rule 1003(a)(2) requires each SCI entity to promptly submit a 
supplemental report notifying the Commission of a material error in or 
material omission from a report

[[Page 84662]]

previously submitted under Rule 1003(a)(1). These reports are required 
to be submitted on Form SCI. The Commission staff estimates that the 
total annual ongoing burden for all 55 respondents will be, on average, 
825 hours. The Commission staff estimates that all respondents will 
incur, on average, an estimated ongoing annual internal cost of 
compliance of $293,040.
    Rule 1003(b)(1) requires each SCI entity to conduct an SCI review 
of its compliance with Regulation SCI not less than once each calendar 
year, with an exception for penetration test reviews, which are 
required to be conducted not less than once every three years. Rule 
1003(b)(1) also provides an exception for assessments of SCI systems 
directly supporting market regulation or market surveillance, which are 
required to be conducted at a frequency based on the risk assessment 
conducted as part of the SCI review, but in no case less than once 
every three years. Rule 1003(b)(2) requires each SCI entity to submit a 
report of the SCI review to senior management no more than 30 calendar 
days after completion of the review. The Commission staff estimates 
that the total annual ongoing burden for all 55 respondents will be, on 
average, 37,950 hours. The Commission staff estimates that all 
respondents will incur, on average, an estimated ongoing annual 
internal cost of compliance of $13,623,225.
    Rule 1003(b)(3) requires each SCI entity to submit the report of 
the SCI review to the Commission and to its board of directors or the 
equivalent of such board, together with any response by senior 
management, within 60 calendar days after its submission to senior 
management. These reports are required to be submitted on Form SCI. The 
Commission staff estimates that the total annual ongoing burden for all 
55 respondents will be, on average, 55 hours. The Commission staff 
estimates that all respondents will incur, on average, an estimated 
ongoing annual internal cost of compliance of $25,410.
    In addition, the Commission staff estimates that all respondents 
will incur, on average, annual costs of $2,750,000 for outside legal 
advice in preparation of certain notifications required by Rule 
1003(b).
    Rule 1006 requires each SCI entity, with a few exceptions, to file 
any notification, review, description, analysis, or report to the 
Commission required under Regulation SCI electronically on Form SCI 
through the EFFS. An SCI entity will submit to the Commission an EAUF 
to register each individual at the SCI entity who will access the EFFS 
system on behalf of the SCI entity. The Commission staff estimates that 
the total annual initial burden for 7 new respondents will be 2 hours, 
and the annual ongoing burden for all respondents will be, on average, 
8 hours. The Commission staff estimates that the 7 new respondents 
would incur an initial internal cost of compliance of $903. In 
addition, all 55 respondents will incur, on average, an estimated 
ongoing annual internal cost of compliance of $3,795, as well as 
outside costs to obtain a digital ID of $2,750.
    Rule 1002(a) requires each SCI entity, upon any responsible SCI 
personnel having a reasonable basis to conclude that an SCI event has 
occurred, to begin to take appropriate corrective action. The 
Commission staff estimates that the total annual initial recordkeeping 
burden for 7 new respondents will be 741 hours, and the annual ongoing 
recordkeeping burden for all 55 respondents will be, on average, 2,145 
hours. The Commission staff estimates that the 7 new respondents would 
incur an initial internal cost of compliance of $309,868. In addition, 
all 55 respondents will incur, on average, an estimated ongoing annual 
internal cost of compliance of $949,190.
    Rule 1003(a)(1) requires each SCI entity to establish reasonable 
written criteria for identifying a change to its SCI systems and the 
security of indirect SCI systems as material. The Commission staff 
estimates that the total annual initial recordkeeping burden for 7 new 
respondents will be 741 hours, and the annual ongoing recordkeeping 
burden for all 55 respondents will be, on average, 1,485 hours. The 
Commission staff estimates that the 7 new respondents would incur an 
initial internal cost of compliance of $309,868. In addition, all 55 
respondents will incur, on average, an estimated ongoing annual 
internal cost of compliance of $711,095.
    Regulation SCI also requires SCI entities to identify certain types 
of events and systems. The Commission staff estimates that the total 
annual initial recordkeeping burden for 7 new respondents will be 1,287 
hours, and the annual ongoing recordkeeping burden for all 55 
respondents will be, on average, 2,145 hours. The Commission staff 
estimates that the 7 new respondents would incur an initial internal 
cost of compliance of $507,936. In addition, all 55 respondents will 
incur, on average, an estimated ongoing annual internal cost of 
compliance of $949,190.
    Rules 1005 and 1007 establish recordkeeping requirements for SCI 
entities other than SROs. The Commission staff estimates that for 6 new 
respondents that are not SROs the average annual initial burden would 
be 935 hours, and the annual ongoing burden for all 19 respondents will 
be, on average, 475 hours. The Commission staff estimates that 6 new 
respondents would incur an estimated internal initial internal cost of 
compliance of $72,930, as well as a one-time cost of $5,400 to modify 
existing recordkeeping systems. In addition, all 19 respondents will 
incur, on average, an estimated ongoing internal cost of compliance of 
$37,050.
    The Commission estimates that the increase in the number of SCI 
entities raises the total industry annual burden hours to 150,619 hours 
and costs to $3,848,749 respectively.
    Written comments are invited on: (a) whether the proposed 
collection of information is necessary for the proper performance of 
the functions of the Commission, including whether the information 
shall have practical utility; (b) the accuracy of the Commission's 
estimates of the burden of the proposed collection of information; (c) 
ways to enhance the quality, utility, and clarity of the information to 
be collected; and (d) ways to minimize the burden of the collection of 
information on respondents, including through the use of automated 
collection techniques or other forms of information technology. 
Consideration will be given to comments and suggestions submitted by 
December 23, 2024.
    An agency may not conduct or sponsor, and a person is not required 
to respond to, a collection of information under the PRA unless it 
displays a currently valid OMB control number.
    Please direct your written comments to: Austin Gerig, Director/
Chief Information Officer, Securities and Exchange Commission, c/o 
Tanya Ruttenberg, 100 F Street NE, Washington, DC 20549, or send an 
email to: [email protected].

    Dated: October 18, 2024.
J. Matthew DeLesDernier,
Deputy Secretary.
[FR Doc. 2024-24577 Filed 10-22-24; 8:45 am]
BILLING CODE 8011-01-P