New York Washington, D.C. Los Angeles Palo Alto London Paris Frankfurt

Tokyo Hong Kong Beijing Melbourne Sydney

www.sullcrom.com

January 9, 2015

Regulation SCI: Final Rules Relating to the Technology Infrastructure of U.S. Securities Markets

New, Mandatory Regulatory Framework for the Technological Systems of Exchanges, Certain Alternative Trading Systems, Plan Processors and Exempt Clearing Agencies

SUMMARY

On November 19, 2014, the SEC adopted new rules to improve the technological infrastructure of securities markets. Regulation Systems Compliance and Integrity (“Regulation SCI”) will apply to a range of market participants, including certain self-regulatory organizations and alternative trading systems. The final rules create a comprehensive compliance framework that requires an entity subject to Regulation SCI (an “SCI entity”) to:

establish, maintain and enforce written policies and procedures reasonably designed to ensure that certain systems of the entity have levels of capacity, integrity, resiliency, availability and security adequate to maintain the SCI entity’s operational capability and promote the maintenance of fair and orderly markets;

establish, maintain and enforce written policies and procedures reasonably designed to achieve compliance with the Securities Exchange Act of 1934, the rules and regulations thereunder and the SCI entity’s rules and governing documents;

take appropriate corrective actions when responsible SCI personnel (as defined in Section II.D below) have a reasonable basis to conclude that an SCI event (as defined in Section II.C. below) has occurred; such corrective action would include, at a minimum, mitigating potential harm to investors and market integrity and devoting adequate resources to remedy the SCI event as soon as reasonably practicable;

notify the Securities and Exchange Commission within 24 hours of SCI events (other than the de minimis events which are subject to quarterly reporting), with follow-up notifications culminating in a final report upon resolution of the event;

disseminate information promptly to market members and participants upon any responsible SCI personnel having a reasonable basis to conclude that a systems disruption or systems compliance issue has occurred;

prepare quarterly and supplemental reports regarding material systems changes;

conduct a review of the SCI entity’s compliance with Regulation SCI not less than once each calendar year;

test business continuity and disaster recovery plans not less than once each calendar year;

comply with recordkeeping requirements; and

make electronic filings on the new Form SCI.

Regulation SCI will become effective on February 3, 2015, and the compliance date for most of its requirements will be nine months thereafter.

I. BACKGROUND AND SIGNIFICANT REQUIREMENTS

In March 2013, the Securities and Exchange Commission (the “Commission”) published proposed rules for Regulation SCI.1 The proposed rules were intended to update, formalize and expand the Commission’s existing voluntary Automation Review Policy Inspection Program (“ARP Inspection Program”) and, with respect to a defined group of SCI entities (defined below), to replace the Commission’s ARP Policy Statements2 and rules concerning systems capacity, integrity and security in Rule 301(b)(6) of Regulation ATS. In November 2014, the Commission adopted final rules to implement Regulation SCI.

The Commission’s rulemaking was motivated by a variety of factors:

the fact that markets have evolved to be more dependent upon complex and interconnected technologies;

its experience with strengths and weaknesses of the voluntary ARP Inspection Program;

recent events involving systems issues at exchanges and other trading venues;

the risks posed by single points of failure in securities markets; and

comments received during the Regulation SCI rulemaking process.

Regulation SCI is significant in that it represents a shift to a system of mandatory requirements, including immediate and quarterly reporting, in a field where the Commission previously encouraged voluntary review of technology infrastructure.

The effective date of Regulation SCI is February 3, 2015 (the “Effective Date”). The compliance date for Regulation SCI will then occur nine months after the Effective Date, except with respect to: ATSs newly meeting the volume thresholds that result in designation as an SCI ATS (defined below) and the industry- or sector-wide coordinated business continuity and disaster recovery testing requirements. ATSs newly meeting the volume thresholds will be provided an additional six months from the time they first meet the applicable threshold to comply, while SCI entities will have 21 months from the Effective Date to coordinate industry- and sector-wide testing.

II. KEY DEFINITIONS AND CONCEPTS

The definition of the four categories of SCI entities establishes the universe of organizations that must comply with the new rules. Other definitions also define the scope of the regulations and the type of events that trigger the reporting and disclosure requirements.

A. SCI ENTITY

The requirements of Regulation SCI apply to an “SCI entity,” defined to include:

an SCI self-regulatory organization;

an SCI alternative trading system;

a plan processor; or

an exempt clearing agency subject to ARP.

1. SCI Self-Regulatory Organization

An SCI self-regulatory organization (“SCI SRO”) is any national securities exchange registered under Section 6(b) of the Securities Exchange Act of 1934 (the “Exchange Act”), registered securities association, registered clearing agency and the Municipal Securities Rulemaking Board.3

The Commission notes that there are 18 registered national securities exchanges,4 1 registered national securities association,5 and 7 registered clearing agencies.6

2. SCI Alternative Trading System

An SCI alternative trading system (“SCI ATS”) is an alternative trading system, as defined in Rule 300(a) of Regulation ATS, which during at least four of the preceding six calendar months:

Had with respect to NMS stocks7:

Five percent or more in any single NMS stock, and one-quarter percent or more in all NMS stocks, of the average daily dollar volume reported by applicable reporting plans; or

One percent or more in all NMS stocks of the average daily dollar volume reported by applicable transaction reporting plans; or

Had with respect to equity securities that are not NMS stocks and for which transactions are reported to a self-regulatory organization, five percent or more of the average daily dollar volume as calculated by the self-regulatory organization to which such transactions are reported.

The adopted definition of SCI ATS is similar to the proposed definition except in two notable respects. First, in response to comments, the definition excludes ATSs that trade only municipal securities or corporate debt securities. Second, the definition allows an ATS that meets a volume threshold for the first time six months to comply with Regulation SCI.

The Commission states that volume thresholds identify those ATSs that could, in the case of an SCI event, have a significant impact on the overall market or a significant impact on a single NMS stock (and some impact on the overall market as a whole at the same time). Depending on its structure, it may be possible for an ATS to limit trading so as not to reach the volume thresholds and thereby not be subject to Regulation SCI.

With respect to volume thresholds for NMS stock, the two-prong disjunctive definition seeks to capture two types of ATSs. The first prong of the definition pairs a single NMS stock threshold and an all-NMS stock threshold so that Regulation SCI will not apply to an ATS that has a large volume only in a single NMS stock and little volume in other NMS stocks. The second prong then captures ATSs that have significant trading volume in all NMS stocks. The volume threshold for equity securities that are not NMS stock is higher because the Commission believes that a systems issue at an SCI entity relating to non-NMS stock would not be as likely to have widespread impact.

3. Plan Processor

Regulation SCI defines “plan processor” as having the meaning set forth in Rule 600(b)(55) of Regulation NMS, which, in turn, defines plan processor as any self-regulatory organization or securities information processor acting as an exclusive processor in connection with the development, implementation and/or operation of any facility contemplated by an effective national market system plan. In the adopting release for Regulation SCI (“Adopting Release”)8 the Commission underscored the requirement of exclusivity in this definition.

4. Exempt Clearing Agency Subject to ARP

The term “exempt clearing agency subject to ARP” means an entity that has received from the Commission an exemption from registration as a clearing agency under Section 17A of the Act, and whose exemption contains conditions that relate to the Commission’s Automation Review Policies (“ARP”). Only one entity currently falls within this category: the Omgeo Matching Services – US, LLC.

B. SYSTEMS TO WHICH REGULATION SCI APPLIES

1. SCI Systems

The term “SCI systems” means all computer, network, electronic, technical, automated or similar systems of, or operated by or on behalf of, an SCI entity that, with respect to securities, directly support trading, clearance and settlement, order routing, market data, market regulation or market surveillance. The Commission views the six functions covered by the definition of SCI systems as central to the functioning of the U.S. securities markets and states in the Adopting Release that the term encompasses systems operated on behalf of an SCI entity by a third party that directly supports one of the six functions. These systems are subject to almost all the rules of Regulation SCI, except those imposed only on critical SCI systems (defined below).

As observed by some commenters, the definition is relatively broad. However, the concept of “directly support” does limit its scope somewhat. For instance, the Commission indicates that this differentiates between those systems that connect to markets and those systems used to “run a business”. The clause “with respect to securities” was added in response to a comment which suggested that without such qualification the definition would apply to systems that have practically “no relevance or relation to SEC markets” and would potentially apply to systems not subject to the Commission’s jurisdiction.

2. Critical SCI Systems

The term “critical SCI systems” means any SCI systems of, or operated by or on behalf of, an SCI entity that:

Directly support functionality relating to:

Clearance and settlement systems of clearing agencies;

Openings, reopenings and closings on the primary listing market;

Trading halts;

Initial public offerings;

The provision of consolidated market data; or

Exclusively-listed securities; or

Provide functionality to the securities markets for which the availability of alternatives is significantly limited or nonexistent and without which there would be a material impact on fair and orderly markets.

The Commission believes that it is appropriate to hold systems that pose the greatest risk to markets if they malfunction to higher standards and the more stringent requirements of Regulation SCI.

Although the first prong lists six central functions, the second prong is open-ended. The Commission clarified that it is not currently aware of any SCI systems that would fall within this category. Rather, this language is intended to account for future technological evolution that would create new systems that should be considered critical SCI systems.

3. Indirect SCI Systems

The term “indirect SCI systems” means any systems of, or operated by or on behalf of, an SCI entity that, if breached, would be reasonably likely to pose a security threat to SCI systems.

This definition replaces the concept of “SCI security systems” in the proposed rules. The Commission states that it believes that this modification “reflects that [the term] is intended to cover non-SCI systems only if they are not appropriately secured and segregated from SCI systems, and therefore could indirectly pose risk to SCI systems.” In other words, the Commission explained that “[s]ystems that are adequately physically or logically separated (i.e., isolated from SCI systems, such that they do not provide vulnerable points of entry into SCI systems) will not fall within the definition of indirect SCI systems.”

Indirect SCI systems will be subject to a more limited set of requirements when compared to SCI systems generally.

C. SCI EVENTS

The occurrence of an SCI event triggers requirements relating to corrective action, reporting to the Commission and disseminating information to members and participants. The requirements that are triggered by an SCI event are discussed below in Section III.B. “SCI events” is defined to include three types of occurrences:

systems disruptions;

systems compliance issues; and

systems intrusions.

The definitions of SCI event and its component categories do not contain a materiality qualifier. Instead, the Commission adopted a risk-based approach with respect to the obligations of an SCI entity with respect to an SCI event (for example, the limited notification requirements for de minimis SCI events). Moreover, SCI events that qualify as major SCI events will trigger additional obligations for the SCI entity.

1. Systems Disruption

A “systems disruption” is an event in an SCI entity’s SCI systems that disrupts, or significantly degrades, the normal operation of an SCI system. The adopted definition represents a shift from the prescriptive proposed definition which specified seven specific types of malfunctions as systems disruptions.

The Commission views the final definition as a more flexible standards-based approach that gives SCI entities greater flexibility and discretion in determining when a systems disruption has occurred. The Commission encourages SCI entities to establish parameters that establish what constitutes normal operations of each SCI system and when such normal operations have been disrupted or significantly degraded.

2. Systems Compliance Issues

A “systems compliance issue” is an event at an SCI entity that has caused any SCI system of such entity to operate in a manner that does not comply with the Exchange Act and the rules and regulations thereunder, or the entity’s rules or governing documents, as applicable. According to the Commission, a systems compliance issue could occur, for example, when a change to an SCI system is made by information technology staff, without the knowledge or input of regulatory staff, that results in a system operating in contravention of the Exchange Act and the rules thereunder or the SCI entity’s rules or governing documents.

3. Systems Intrusion

A “systems intrusion” is any unauthorized entry into the SCI systems or indirect SCI systems of an SCI entity. The Commission emphasizes that the definition covers any unauthorized entry “regardless of the identity of the person committing the intrusion (whether they are outsiders, employees, or agents of the SCI entity),” and “whether or not the intrusion was part of a cyber attack, potential criminal activity, or other unauthorized attempt to retrieve, manipulate, or destroy data, or access or disrupt systems of SCI entities.” However, the Commission indicates in the Adopting Release that the definition does not include unsuccessful attempts at unauthorized entry.

4. Major SCI Events

The term “major SCI event” means an SCI event that has had, or the SCI entity reasonably estimates would have, any impact on a critical SCI system, or a significant impact on the SCI entity’s operations or on market participants. The occurrence of major SCI events triggers heightened information dissemination requirements.

D. RESPONSIBLE SCI PERSONNEL

Regulation SCI defines “responsible SCI personnel” to mean, for a particular SCI system or indirect SCI system impacted by an SCI event, senior managers of the SCI entity having responsibility for the system, and their designees.

An SCI entity’s policies and procedures will need to include criteria for identifying responsible SCI personnel. As explained further in Section III.B below, identification of a responsible SCI personnel is significant because their having a reasonable basis to conclude that an SCI event has occurred will trigger certain obligations for the SCI entity, including taking corrective action and disseminating information to participants and members. The Commission states that an SCI entity’s policies and procedures must also provide for escalation procedures to “quickly inform” SCI personnel of potential SCI events.

III. OBLIGATIONS OF SCI ENTITIES

A. POLICIES AND PROCEDURES

Rule 1001 specifies written policies and procedures that the SCI entity must establish, maintain and enforce. These policies and procedures can be divided into two categories. The first concerns the robustness of an SCI entity’s systems, while the second concerns the operational compliance of an SCI entity’s SCI systems with the Exchange Act and the rules and regulations thereunder and the entity’s rules and governing documents, as applicable.

1. Policies and Procedures to Achieve Capacity, Integrity, Resiliency, Availability and Security

Rule 1001(a) provides that each SCI entity shall establish, maintain, and enforce written policies and procedures reasonably designed to ensure that its SCI systems and, for purposes of security standards, indirect SCI systems, have levels of capacity, integrity, resiliency, availability, and security adequate to maintain the SCI entity’s operational capability and promote the maintenance of fair and orderly markets.

Rule 1000(a)(4) provides that policies and procedures will be considered reasonably designed if they “are consistent with current SCI industry standards.” Industry standards are, in turn, to be based on “information technology practices that are widely available to information technology professionals in the financial sector and issued by an authoritative body that is a U.S. governmental entity or agency, association of U.S. governmental entities or agencies, or widely recognized organization.”

Concurrent with the publication of the Adopting Release, the Commission issued staff guidance on current SCI industry standards.9 The guidance lists particular publications that the Commission believes best represent SCI industry standards at this time. The Commission views the list as providing transparency initially on how the staff will prepare for and conduct its inspections pursuant to Regulation SCI.

In developing its written policies and procedures, an SCI entity must include the following seven minimum elements:

the establishment of reasonable current and future technological infrastructure capacity planning estimates;

periodic capacity stress tests of such systems to determine their ability to process transactions in an accurate, timely, and efficient manner;

a program to review and keep current systems development and testing methodology for such systems;

regular reviews and testing, as applicable, of such systems, including backup systems, to identify vulnerabilities pertaining to internal and external threats, physical hazards, and natural or man-made disasters;

business continuity and disaster recovery plans that are resilient and geographically diverse and that are reasonably designed to achieve next-business day resumption of trading and two-hour resumption of critical SCI systems following a wide-scale disruption;

standards that result in such systems being designed, developed, tested, maintained, operated and surveilled in a manner that facilitates the successful collection, processing, and dissemination of market data; and

monitoring of such systems to identify potential SCI events.

The final rules also require the SCI entity to periodically review the effectiveness of the policies and procedures, and take prompt action to remedy deficiencies.

2. Policies and Procedures to Achieve Systems Compliance

Rule 1001(b) requires each SCI entity to establish, maintain, and enforce written policies and procedures reasonably designed to ensure that its SCI systems operate in a manner that complies with the Exchange Act and the rules and regulations thereunder and the entity’s rules and governing documents, as applicable.

Like Rule 1001(a), the policies and procedures must include at least the following four features:

testing of all SCI systems and any changes to SCI systems prior to implementation;

a system of internal controls over changes to SCI systems;

a plan for assessments of the functionality of SCI systems designed to detect systems compliance issues, including by responsible SCI personnel and by personnel familiar with applicable provisions of the Exchange Act and the rules and regulations thereunder, and the SCI entity’s rules and governing documents; and

a plan of coordination and communication between regulatory and other personnel of the SCI entity, including by responsible SCI personnel, regarding SCI systems design, changes, testing and controls designed to detect and prevent systems compliance issues.

In response to concerns raised by commentators, the Commission emphasizes in the Adopting Release that the mere occurrence of an SCI event will not necessarily result in a violation of Rule 1001(b). According to the Commission, while the occurrence of a systems compliance issue may be probative of the reasonableness of an SCI entity’s policies and procedures, it is not determinative.

The topic of a safe harbor from liability for SCI entities and their personnel received significant comment. After considering the comments, the Commission determined not to adopt a safe harbor from liability for SCI entities because, among other reasons, Rule 1001(b) requires policies and procedures “reasonably designed” to ensure compliance with the Exchange Act (rather than policies and procedures that operate in a manner that complies with the Exchange Act as proposed).

The proposed safe harbor for individuals, however, was retained with certain modifications. The individual safe harbor, as adopted, provides that personnel of an SCI entity will be deemed not to have aided, abetted, counseled, commanded, caused, induced, or procured the violation by an SCI entity of Rule 1001(b) if the person:

has reasonably discharged the duties and obligations incumbent upon such person by the SCI entity’s policies and procedures; and

was without reasonable cause to believe that the policies and procedures relating to an SCI system for which such person was responsible, or had supervisory responsibility, were not established, maintained, or enforced in accordance with Rule 1001(b) in any material respect.

Because Regulation SCI imposes obligations only on SCI entities, the Commission has designed the individual safe harbor to cover so-called “secondary liability” – for example, aiding and abetting. The safe harbor extends to all personnel of an SCI entity and, according to the Commission, this would encompass not only employees, but also contractors, consultants and similar non-employees that act in a capacity similar to an SCI entity’s employees. In adopting the safe harbor, the Commission explicitly rejected a proposal by commentators to limit liability of SCI personnel to willful or intentional misconduct.

B. OBLIGATIONS TRIGGERED BY SCI EVENTS

If a responsible SCI personnel has a reasonable basis to conclude that an SCI event has taken place, the SCI entity then must begin to take corrective action, notify the Commission, and disseminate information to participants and members.

The proposed rule suggested that an SCI entity’s obligations would be triggered when its SCI personnel “become aware” of an SCI event. In response to comments, the Commission modified the standard to a “reasonable basis to conclude” because such an approach allows an SCI entity to perform an initial analysis and assessment as to whether an SCI event has occurred, rather than taking immediate action upon a responsible SCI personnel becoming aware of an SCI event.

1. Corrective Action

Appropriate corrective action includes, at a minimum, mitigating harm to investors and market integrity resulting from the SCI event and devoting adequate resources to remedy the SCI event as soon as reasonably practicable. Unlike certain other requirements in Regulation SCI, this provision does not specify in detail the specific actions that must be taken. Rather, it imposes a duty to act on the SCI entity coupled with flexibility to determine the specific steps necessary to mitigate the harm of the SCI event.

2. Commission Notification

An SCI entity generally will be obligated to give the Commission immediate notice when any responsible SCI personnel has a reasonable basis to conclude that an SCI event has occurred and share information on a regular basis until the SCI event has been resolved. However, for SCI events that have had, or the SCI entity reasonably estimates would have, no or a de minimis impact on the SCI entity’s operations or on market participants, Commission notifications are more limited and are based on a quarterly reporting paradigm.

a. SCI Events

Initial steps that must be taken upon any responsible SCI personnel having a reasonable basis to conclude that an SCI event has occurred include immediate notification to the Commission. The immediacy of the requirement is tempered by the threshold trigger that gives SCI personnel some time to form a reasonable basis to conclude that an SCI event has taken place. However, once that reasonable basis exists, the Commission must be notified immediately even if the situation occurs outside normal business hours. The Commission recognizes that this immediate notice may be informal and specifically clarifies in the Adopting Release that the requirement can be satisfied via telephone or e-mail. The immediate notification must, however, be followed up with a written notification within 24 hours of any responsible SCI personnel having a reasonable basis to conclude that the SCI event has occurred. The written notification is subject to a good faith, best efforts standard and must include a description of the SCI event, including the system(s) affected and, to the extent available as of the time of the notification:

the SCI entity’s current assessment of the types and numbers of market participants potentially affected by the SCI event;

the potential impact of the SCI event on the market;

a description of the steps the SCI entity has taken, is taking, or plans to take, with respect to the SCI event;

the time the SCI event was resolved or time frame within which the SCI event is expected to be resolved; and

any other pertinent information known by the SCI entity about the SCI event.

The addition of a “good faith, best efforts” standard is a modification from the proposed rules. This

acknowledges that written notification provided within 24 hours may prove in retrospect to be incomplete

or inaccurate. The Commission states that SCI entities should not be penalized for “unintentional

inaccuracies or omissions” in the initial notifications. However, the Commission indicates that the “best

efforts” standard will help ensure an SCI entity will make a diligent and timely attempt to provide all the

information required by the written notification requirement.

The notification requirements also include an obligation to provide updates relating to such SCI events on

a regular basis, or at such frequency as reasonably requested by a representative of the Commission, to

correct any materially incorrect information previously provided, or when new material information is

discovered, including, but not limited to, any of the information that should have been provided at the time

of the 24-hour written notification.

As discussed in Section IV below, an SCI entity may request confidential treatment of information

included in a Form SCI. An SCI entity is not required to (but may) submit the initial communication to the

Commission on the occurrence of an SCI event and the related updates on Form SCI. To the extent an

SCI entity does not utilize Form SCI for those communications, the Commission in the Adopting Release

indicates that it will keep such communications confidential to the extent permitted by law. Accordingly,

SCI entities providing these communications other than on Form SCI should expressly request

confidentiality in accordance with the Commission’s rules and regulations.10

Ultimately, a report must be submitted when the SCI event is resolved and the SCI entity’s investigation

of the SCI event is closed. The notification in this report must include:

a detailed description of:

the SCI entity’s assessment of the types and number of market participants affected by the SCI event;

the SCI entity’s assessment of the impact of the SCI event on the market;

the steps the SCI entity has taken, is taking, or plans to take, with respect to the SCI event;

the time the SCI event was resolved;

the SCI entity’s rule(s) and/or governing document(s), as applicable, that relate to the SCI event; and

any other pertinent information known by the SCI entity about the SCI event;

a copy of any information disseminated pursuant to Rule 1002(c) of Regulation SCI by the SCI entity to date regarding the SCI event to any of its members or participants; and

an analysis of parties that may have experienced a loss, whether monetary or otherwise, due to the SCI event, the number of such parties, and an estimate of the aggregate amount of such loss.

There are specific timing requirements relating to the final report. If an SCI event is not resolved or the

SCI entity’s investigation of the SCI event is not closed within 30 calendar days of the occurrence of the

SCI event, then the SCI entity must submit an interim written notification relating to such SCI event to the

Commission within 30 calendar days after the occurrence of the SCI event. The interim written notification

must include the information required in the final report to the extent known at that time. Upon the ultimate

resolution of the SCI event and the closure of the investigation, a final written notification must be

provided within five business days.

b. SCI Events that have no or a de minimis impact on SCI entity’s operations or on market participants

Notification requirements do not apply to any SCI event that has had, or the SCI entity reasonably

estimates would have, no or a de minimis impact on the SCI entity’s operations or on market participants.

For such events, the SCI entity is required to make, keep and preserve records relating to all such SCI

events and to submit to the Commission a report, within 30 calendar days after the end of each calendar

quarter, containing a summary description of such systems disruptions and systems intrusions, including

the SCI systems and, for systems intrusions, indirect SCI systems, affected by such systems disruptions

and systems intrusions during the applicable calendar quarter. The Commission notes that whether an

SCI event is within the de minimis exception will depend on all the facts and circumstances, and that

relevant factors could include:

whether critical SCI systems are impacted;

the duration of the SCI event;

whether there is loss in redundancy;

whether an alternative trading system is available following a systems disruption;

the size of the affected market trading volume;

whether the processes for trade completion or clearance or settlement are adversely impacted;

whether settlement is completed on time;

whether an event is resolved before the market opens;

whether a post-trade event is resolved before the market closes;

whether a failover, despite being successful, results in a system operating without a back-up; and

the number of securities symbols adversely affected.

The Commission stresses in the Adopting Release that the notifications are not subject to a “materiality”

qualifier and that a materiality threshold would likely exclude from notification “a large number of SCI

events that are not de minimis.”

3. Dissemination of Information

Subject to certain exceptions, an SCI entity is required to disseminate certain information to its members

or participants upon any responsible SCI personnel having a reasonable basis to conclude that an SCI

event has occurred. The information that must be disclosed differs depending on the type of SCI event,

with one set of rules applying to systems disruptions and systems compliance issues and another

qualified requirement applying to systems intrusions.

Regardless of the type of SCI event, the information that must be disseminated must be sent to those

members or participants of the SCI entity that any responsible SCI personnel has reasonably estimated

may have been affected by the SCI event. Further, prompt disclosure is required to any additional

members or participants that any SCI responsible officer subsequently reasonably estimates may have

been affected by the SCI event.

However, for major SCI events, the information must be promptly disseminated by the SCI entity to all its

members or participants. The Commission indicates that posting information on a website accessible to,

at a minimum, all of an SCI entity’s members or participants, will meet the requirement for major SCI

events.

a. Systems Disruptions and Systems Compliance Issues

Promptly after any responsible SCI personnel has a reasonable basis to conclude that an SCI event that

is a systems disruption or systems compliance issue has occurred, the SCI entity must disseminate

information about the systems affected by the SCI event and a summary description of the SCI event.

The Commission indicates in the Adopting Release that the “requirement for prompt dissemination, as

opposed to immediate dissemination, is designed to provide some limited flexibility to an SCI entity to

determine an efficient way to disseminate information to multiple potentially affected persons or

participants, as the case may be, in a timely manner.”

When known, the SCI entity must promptly further disseminate a detailed description of the SCI event,

the SCI entity’s current assessment of the types and numbers of market participants potentially affected

by the SCI event and a description of the progress of its corrective action for the SCI event, and when the

SCI event has been or is expected to be resolved. Until the SCI event is resolved, the SCI entity will have

an obligation to provide regular updates of any information that it must disseminate.

b. Systems Intrusions

Promptly after any responsible SCI personnel has a reasonable basis to conclude that an SCI event that

is a systems intrusion has occurred, the SCI entity must disseminate a summary description of the

systems intrusion, including a description of the corrective action taken by the SCI entity and when the

systems intrusion has been or is expected to be resolved. However, if the SCI entity determines that

dissemination of such information would likely compromise the security of the SCI entity’s SCI systems or

indirect SCI systems, or an investigation of the systems intrusion, then the SCI entity need not promptly

disseminate such information. In order to qualify for this exception, an SCI entity must document the

reasons for its determination that it should not disseminate information promptly.

The Commission states in the Adopting Release that it views the permitted delay for disclosing systems

intrusions as only allowing a delay in dissemination of information and not completely relieving the SCI

entity of its obligation to ever disseminate information. The Commission emphasizes that only a delay is

possible since the circumstances allowing for such an exception would not continue indefinitely.

c. Reporting Exceptions

The requirement to provide the reports to members or participants does not apply to:

SCI events that relate to market regulation or market surveillance; or

any SCI event that the SCI entity reasonably determines will have no or a de minimis impact on the SCI entity’s operations or market participants.

C. NOTIFICATIONS OF SYSTEMS CHANGES

Rule 1003(a) establishes a system of quarterly notification to the Commission about completed, ongoing

or planned material systems changes. This feature of the final rules represents a notable shift from the

proposed rules based on the comments that the Commission received. As proposed, the rule would have

required the SCI entity, absent exigent circumstances, to notify the Commission in writing at least 30

calendar days before implementing any planned material systems changes. The pre-notification

requirements in the proposed rules were to be coupled with two reports per year on systems changes.

The final rules do not include any pre-notification requirements. Consistent with the elimination of a pre-

notification requirement, the Commission indicates that the Commission staff will not use the reports to

require approvals of prospective system changes or delay the implementation of systems changes.

1. Criteria to identify a material systems change

Regulation SCI does not include a specified definition for what constitutes a material systems change, as

initially proposed. Instead, final rules provide SCI entities a degree of flexibility in determining what

constitutes a material systems change. The final rules require an SCI entity to establish reasonable

written criteria for identifying a change to its SCI systems and the security of indirect SCI systems as

material. Reports relating to such changes must be in accordance with these established, written criteria.

These criteria (as with other policies and procedures of the SCI entity) will be subject to review by the

Commission staff.

2. Quarterly and Supplemental Reports

Within 30 calendar days after the end of each calendar quarter, each SCI entity must submit to the

Commission a report describing completed, ongoing and planned material changes to its SCI systems,

and the security of indirect systems during the prior, current and subsequent calendar quarters, including

the dates or expected dates of commencement and completion. Additionally, an SCI entity must promptly

submit a supplemental report notifying the Commission of a material error in or material omission in its

previously submitted quarterly report.

The Commission emphasizes in the Adopting Release that the quarterly reports need only “describe”

the material systems changes and the dates or expected dates of their commencement and completion.

This, according to the Commission, gives “each SCI entity reasonable flexibility in determining precisely

how to describe its material systems changes in the report in a manner that best suits the needs of that

SCI entity as well as the needs of the Commission and its staff.”

D. SCI REVIEWS

An SCI entity must conduct an SCI review of its compliance with Regulation SCI not less than once each

calendar year subject to two limited exceptions discussed below. An SCI review is defined as a review,

following established procedures and standards, that is performed by objective personnel having

appropriate experience to conduct reviews of SCI systems and indirect SCI systems, and which contains

the following:

a risk assessment with respect to such systems of an SCI entity; and

an assessment of internal control design and effectiveness of its SCI systems and indirect SCI systems to include logical and physical security controls, development processes, and information technology governance, consistent with industry standards.

According to the Commission, the “established procedures and standards” will be identified and

established by the SCI entity itself.

The Commission has clarified that “objective personnel” does not necessarily require review by an

independent third party. According to the Commission, this provision does, however, require that the

review be performed by “persons who have not been involved in the development, testing, or

implementation of such systems being reviewed” because such objectivity would put a person in a better

position to identify weaknesses and deficiencies. The Commission states that any personnel with a

conflict of interest that has not been adequately mitigated to allow for objectivity should be excluded from

the independent review. In this regard, the Commission indicates that SCI entities can have policies and

procedures in place to mitigate conflicts of interest or to help ensure departments or specified personnel

(such as internal audit) are appropriately insulated from such conflicts.

A report on the SCI review must be submitted to senior management of the SCI entity no more than 30

calendar days after completion of the review. Senior management is defined in this context to include an

SCI entity’s Chief Executive Officer, Chief Technology Officer, Chief Information Officer, General Counsel

and Chief Compliance Officer (or their equivalents).

Within 60 calendar days after submission of such report to senior management of the SCI entity, the

report, along with any response by senior management to the report, must be submitted to the

Commission and to the board of directors (or equivalent) of the SCI entity. The final rules do not require

certification of the report, but the Adopting Release includes a warning that “it is unlawful for any person

to willfully or knowingly make, or cause to be made, a false or misleading statement with respect to any

material fact in such reports or responses.”

Two aspects of an SCI Review are subject to a longer cycle. First, penetration test reviews of the network,

firewalls and production systems of the SCI entity must be conducted at a frequency of not less than once every

three years. Second, assessments of SCI systems directly supporting market regulation or market

surveillance must be conducted at a frequency based upon the risk assessment conducted as part of the

SCI review, but in no case less than once every three years.

E. BUSINESS CONTINUITY AND DISASTER RECOVERY PLANS TESTING REQUIREMENTS FOR MEMBERS OR PARTICIPANTS

Regulation SCI requires SCI entities to engage in business continuity and disaster recovery planning and

to work with others to ensure the effectiveness of such efforts.

Notably, SCI entities must cause the participation of certain of their members or participants in such

testing. Rule 1004 requires the SCI entity to establish standards for the designation of those members or

participants that the SCI entity reasonably determines are, taken as a whole, the minimum necessary for

the maintenance of fair and orderly markets in the event of the activation of such plans. The SCI entity

must then designate members or participants pursuant to such standards and require participation by

such designated members or participants in scheduled functional and performance testing of the

operations of such plans, in the manner and frequency specified by the SCI entity (but not less than every

twelve months). The Commission indicates, consistent with the proposing release, that functional and

performance testing would include testing not only connectivity, but also testing of an SCI entity’s

systems, such as order entry, execution, clearance and settlement, order routing, and transmission and

receipt of market data. However, the Commission also indicates that this testing would not require a full

test of the functional and performance characteristics of each back-up facility to be conducted all at once

and in coordination with other SCI entities at the same time. Rather, according to the Commission, the

final rule requires coordinated, annual testing of whether the back-up facilities of SCI entities can function

and perform in the event of widespread disruption. The Commission also notes that performance testing

is not synonymous with “stress testing.”

The Commission indicated in the Adopting Release the manner in which SCI entities can mandate the

participation of members or participants. According to the Commission, SCI SROs may use their

rulemaking authority, while all SCI entities should be able to implement this requirement through their

contractual arrangements with participants or members. Commentators raised numerous concerns over

the impact of the rule on members and participants that may be required to participate in the testing,

including that some members may be overburdened by multiple testing requests and that some entities

may withdraw as members or participants due to the cost. The Commission rejected these comments,

noting, among other things, that SCI entities will have an incentive to limit the scope of testing to the minimum

number of participants or members to comply with the rule and that it is “unlikely” a firm that meets the

testing standard would withdraw from testing.

Rule 1004 also requires an SCI entity to coordinate the testing of its business continuity and disaster

recovery plans on an industry- or sector-wide basis with other SCI entities. As described in Section I, the

compliance date for this particular requirement is 21 months from the Effective Date given the anticipated

logistical difficulties of pursuing coordinated efforts.

F. RECORDKEEPING AND ACCESS

An SCI SRO must make, keep and preserve all documents relating to its compliance with Regulation SCI

as prescribed in Rule 17a-1 under the Exchange Act. The Commission views the existing recordkeeping

obligations of SCI SROs pursuant to this rule as sufficient for purposes of Regulation SCI.

An SCI entity that is not an SCI SRO must:

make, keep and preserve at least one copy of all documents, including any correspondences, memoranda, papers, books, notices, accounts and other such records relating to its compliance with Regulation SCI, including, but not limited to, records relating to any changes to its SCI systems and indirect SCI systems;

keep all such documents for a period of not less than five years, the first two years in a place that is readily accessible to the Commission or its representatives for inspection and examination; and

upon request of any representative of the Commission, promptly furnish to the possession of such representative copies of any documents required to be kept and preserved by it pursuant to these recordkeeping requirements.

As part of its recordkeeping obligations, an SCI entity is responsible for ensuring that third parties that

operate an SCI system or indirect SCI system on its behalf provide the records required to be made, kept

and preserved under Regulation SCI to representatives of the Commission. The Commission indicates

that to fulfill this obligation, an SCI entity would need to have contractual provisions to require the third

party to maintain the required records and provide the required documents to representatives of the

Commission. Similarly, the final rules require that if required records are prepared or maintained by a

service bureau or recordkeeping service on behalf of an SCI entity, the SCI entity must cause the service

bureau or other recordkeeping service to submit a written undertaking, in a form acceptable to the

Commission, signed by a duly authorized person of such service bureau or recordkeeping service, to

permit the Commission and its representatives to examine such records during normal business hours

and to promptly furnish to the Commission and its representatives true, correct and current electronic files

(in a form acceptable to the Commission or its representatives) or hard copies of the records. The final

rules also provide that the preservation and maintenance of the records by a service bureau or

recordkeeping service does not relieve an SCI entity from its recordkeeping obligations under Regulation

SCI.

Provisions of the proposed rules that would have required an SCI entity to provide Commission

representatives reasonable access to its SCI systems and SCI security systems to assess compliance

with Regulation SCI were not adopted in the final rules. This shift was in response to comments that

noted such access was antithetical to one of the purposes of Regulation SCI—maintaining the security of

such systems. The Commission concluded that such access was not required in the final rules since the

Commission could sufficiently achieve the objectives of such access through its examination authority

and through the recordkeeping requirements of the final rules.

IV. ELECTRONIC FILINGS AND FORM SCI

Except with respect to the requirements for immediate notice to the Commission of SCI events and

updates to the Commission regarding SCI events, any notification, review, description, analysis or report

to the Commission required to be submitted under Regulation SCI must be filed electronically on Form

SCI, include all information prescribed in Form SCI and the instructions thereto, and contain an electronic

signature. The Form SCI does not need to have tagged data like XBRL, but must be in a text-searchable

format.

There is one Form SCI that is meant to accommodate the various sorts of filings that may be required

under Regulation SCI. Accordingly, the form includes short questions that identify the sort of filing that is

being made. The sort of filing that is being made also determines which questions must be answered in

the form.

In addition to the short questions, Form SCI contemplates the inclusion of exhibits for certain types of

filings. There are six types of exhibits:

Exhibit 1: Rule 1002(b)(2) Notification of SCI Event.

Exhibit 2: Rule 1002(b)(4) Final or Interim Report of SCI Event.

Exhibit 3: Rule 1002(b)(5)(ii) Quarterly Report of De minimis SCI Events.

Exhibit 4: Rule 1003(a) Quarterly Report of Systems Changes.

Exhibit 5: Rule 1003(b)(3) Report of SCI Review.

Exhibit 6: Optional Attachments.

The Form SCI must include an electronic signature of a duly authorized individual of the SCI entity. The

SCI entity is required to maintain a manually executed version of the signature page, which must be

executed before the Form SCI is filed and must be retained as required by the record retention rules of

Regulation SCI. The Commission indicates in the Adopting Release that the signature is not intended as

a verification of the accuracy and completeness of the information in the Form SCI; rather, the electronic

signature requirement is intended to ensure that the person executing the Form SCI has been properly

authorized to submit Form SCI filings on behalf of the SCI entity.

Finally, in connection with the electronic filing requirements of Regulation SCI, the Commission adopted

certain amendments to Rule 24b-2 of the Exchange Act to allow information submitted by Form SCI to be

treated as confidential by the Commission and not to require a paper submission of a confidential

treatment request. An SCI entity may request confidential treatment of information submitted on Form SCI

by completing Section IV of Form SCI. Such requests will lead the Commission to treat the information

confidentially to the extent it is permitted to do so by law.

V. POTENTIAL FOR ADDITIONAL RULEMAKING CONCERNING BROKER DEALERS, SECURITY-BASED SWAP DATA REPOSITORIES AND SECURITY-BASED SWAP EXECUTION FACILITIES

In the proposing release, the Commission sought comment on applying Regulation SCI to security-based

swap data repositories, security-based swap execution facilities and broker-dealers (other than SCI

ATSs). The Commission received extensive comment on whether these entities should be subject to

Regulation SCI. The Commission indicates that it would proceed with separate rulemakings if it

determines that any of those categories of entities should be subject to Regulation SCI.

* * *

Copyright © Sullivan & Cromwell LLP 2015

ENDNOTES

1 Securities Exchange Act Release No. 69077 (March 8, 2013), 78 FR 18083, available at http://www.sec.gov/rules/proposed/2013/34-69077.pdf.

2 Securities Exchange Act Release Nos. 27445 (November 16, 1989), 54 FR 48703 (November 24, 1989), 54 FR 29185 (May 9, 1991) and 56 FR 22490 (May 15, 1991) (together, “ARP Policy Statements”).

3 An exchange that is notice registered with the Commission or a limited-purpose national securities association is excluded.

4 These are: BATS Exchange, Inc., BATS Y-Exchange, Inc., Boston Options Exchange LLC, the Chicago Board Options Exchange, Inc., C2 Options Exchange, Incorporated, Chicago Stock Exchange, Inc., EDGA Exchange, Inc., EDGX Exchange, Inc., International Securities Exchange, LLC, Miami International Securities Exchange, LLC, NASDAQ OMX BX, Inc., NASDAQ OMX PHLX LLC, NASDAQ Stock Market LLC, National Stock Exchange, Inc., the New York Stock Exchange LLC, NYSE MKT LLC, NYSE Arca, Inc. and ISE Gemini, LLC.

5 The Financial Industry Regulatory Authority.

6 These are: Depository Trust Company, Fixed Income Clearing Corporation, National Securities Clearing Corporation, Options Clearing Corporation, ICE Clear Credit, ICE Clear Europe and Chicago Mercantile Exchange.

7 NMS stock is any security (other than an option) for which transaction reports are collected, processed and made available pursuant to an effective transaction reporting plan.

8 Securities Exchange Act Release No. 73639 (November 19, 2014), 79 FR 72252-01, available at http://www.sec.gov/rules/final/2014/34-73639.pdf.

9 Staff Guidance on Current SCI Industry Standards (November 19, 2014), available at http://www.sec.gov/rules/final/2014/staff-guidance-current-sci-industry-standards.pdf.

10 See, for example, Rule 83 of the Commission’s Rules of Practice and Procedure.
