SEC Proposes Expanded Application of Reg SCI
The SEC proposed amendments to Regulation Systems Compliance and Integrity ("Reg SCI") that would expand the scope of the regulation to cover, among other entities, large broker-dealers, as defined by various measures of size.
Proposed Amendments
The proposed amendments to Reg SCI would:
- expand the scope of the term "SCI entities" to cover (i) SEC-registered broker-dealers that exceed either a total assets threshold or a transaction activity threshold taking into account certain financial products including NMS stocks, Treasury securities and exchange-listed options, (ii) registered security-based swap data repositories ("SBSDRs") and (iii) exempt clearing agencies;
- require an SCI entity's relevant policies and procedures to include a program to "manage and oversee" third-party providers, including cloud services providers, that "provide or support SCI or indirect SCI systems";
- require that an SCI entity (i) establish a business continuity and disaster recovery plan that accounts for the unavailability of any third-party provider "without which there would be a material impact on critical SCI systems" and (ii) include important third-party providers in annual business continuity and disaster recovery testing;
- provide that an SCI entity must establish a program to "prevent unauthorized access to SCI systems and information";
- include in the definition of "systems intrusion" additional cyber events (e.g., distributed denial-of-service attacks) and require that SCI entities notify the SEC of such systems intrusions without delay;
- revise the SCI review to "specify that objective personnel assess the risks to covered systems, internal control design and operating effectiveness, and third-party provider management risks and controls, and require penetration testing at least annually"; and
- update Reg SCI's recordkeeping requirements and Form SCI in accordance with the proposed amendments' requirements.
Commissioner Statements
In support, Chair Gary Gensler argued the proposed amendments would "help promote the capacity, integrity, resiliency, availability, and security of these critical intermediaries." Mr. Gensler highlighted (i) the expanded scope of Reg SCI to "include the largest broker-dealers in [the U.S. securities] markets" and that the "largest broker-dealers in [the U.S. securities] markets would comprise the majority of [the] additional covered entities;" and (ii) a focus on third-party providers of Reg SCI-related services. He noted that since the adoption of Reg SCI in 2014 there has been a "significant growth in reliance" on third-party service providers, and that the proposed amendments would better ensure compliance "regardless of whether the technology and systems they use are internal or come from a third-party service provider." Mr. Gensler also emphasized that the proposal's enhanced requirements for the annual Reg SCI review "could help maintain [key market participants'] technological resiliency."
Commissioner Jaime Lizárraga also supported the proposed amendments, saying they will help "bolster overall resiliency of the U.S. securities markets’ technology infrastructure."
Commissioner Caroline A. Crenshaw called Reg SCI the "mostly-unsung hero" of some potential market disruptions that did not occur. Ms. Crenshaw supported the amendments, saying they would strengthen requirements as to SCI entities’ "policies and procedures, the oversight of third-party service providers, annual reviews, and penetration testing," which she asserted would help ensure the systems used by key market entities remain "robust, resilient, and secure."
In dissent, Commissioner Mark T. Uyeda argued that the entities covered under the proposed amendments "are very different businesses" from the entities currently covered under Reg SCI. He noted that each of the entities covered under the expanded scope is also subject to different, existing regulatory regimes that "cover[] much of the same ground as Reg SCI." He argued that "[a]dding a new layer of regulation, without tailoring to the different business models and their existing regulatory frameworks, is almost certain to result in unnecessary costs." Mr. Uyeda said that (i) SBSDRs are already subject to Exchange Act Rule 13n-6 and the CFTC's SDR System Safeguards Rule and (ii) large broker-dealers are subject to Exchange Act Rule 15c3-5. Mr. Uyeda challenged the SEC's posture as "the most knowledgeable and best positioned to directly oversee registrants' technology." He recommended that the SEC explore improvements on existing rules "as opposed to simply layering on Reg SCI."