- Sullivan & Cromwell

January 9, 2015
Regulation SCI: Final Rules Relating to the
Technology Infrastructure of U.S. Securities
Markets
New, Mandatory Regulatory Framework for the Technological
Systems of Exchanges, Certain Alternative Trading Systems, Plan
Processors and Exempt Clearing Agencies
SUMMARY
On November 19, 2014, the SEC adopted new rules to improve the technological infrastructure of
securities markets. Regulation Systems Compliance and Integrity (“Regulation SCI”) will apply to a range
of market participants, including certain self-regulatory organizations and alternative trading systems. The
final rules create a comprehensive compliance framework that requires an entity subject to
Regulation SCI (an “SCI entity”) to:

establish, maintain and enforce written policies and procedures reasonably designed to ensure that
certain systems of the entity have levels of capacity, integrity, resiliency, availability and security
adequate to maintain the SCI entity’s operational capability and promote the maintenance of fair and
orderly markets;

establish, maintain and enforce written policies and procedures reasonably designed to achieve
compliance with the Securities Exchange Act of 1934, the rules and regulations thereunder and the
SCI entity’s rules and governing documents;

take appropriate corrective actions when responsible SCI personnel (as defined in Section II.D below)
have a reasonable basis to conclude that an SCI event (as defined in Section II.C below) has
occurred; such corrective action would include, at a minimum, mitigating potential harm to investors
and market integrity and devoting adequate resources to remedy the SCI event as soon as
reasonably practicable;

notify the Securities and Exchange Commission within 24 hours of SCI events (other than the de
minimis events which are subject to quarterly reporting), with follow-up notifications culminating in a
final report upon resolution of the event;

disseminate information promptly to market members and participants upon any responsible SCI
personnel having a reasonable basis to conclude that a systems disruption or systems compliance
issue has occurred;

prepare quarterly and supplemental reports regarding material systems changes;

conduct a review of the SCI entity’s compliance with Regulation SCI not less than once each calendar
year;

test business continuity and disaster recovery plans not less than once each calendar year;

comply with recordkeeping requirements; and

make electronic filings on the new Form SCI.
Regulation SCI will become effective on February 3, 2015, and the compliance date for most of its
requirements will be nine months thereafter.
I. BACKGROUND AND SIGNIFICANT REQUIREMENTS
In March 2013, the Securities and Exchange Commission (the “Commission”) published proposed rules
for Regulation SCI. The proposed rules were intended to update, formalize and expand the
Commission’s existing voluntary Automation Review Policy Inspection Program (“ARP Inspection
Program”) and, with respect to a defined group of SCI entities (defined below), to replace the
Commission’s ARP Policy Statements and rules concerning systems capacity, integrity and security in
Rule 301(b)(6) of Regulation ATS. In November 2014, the Commission adopted final rules to implement
Regulation SCI.
The Commission’s rulemaking was motivated by a variety of factors:

the fact that markets have evolved to be more dependent upon complex and interconnected
technologies;

its experience with strengths and weaknesses of the voluntary ARP Inspection Program;

recent events involving systems issues at exchanges and other trading venues;

the risks posed by single points of failure in securities markets; and

comments received during the Regulation SCI rulemaking process.
Regulation SCI is significant in that it represents a shift to a system of mandatory requirements, including
immediate and quarterly reporting, in a field where the Commission previously encouraged voluntary
review of technology infrastructure.
The effective date of Regulation SCI is February 3, 2015 (the “Effective Date”). The compliance date for
Regulation SCI will then occur nine months after the Effective Date, except with respect to: ATSs newly
meeting the volume thresholds that result in designation as an SCI ATS (defined below) and the industry- or sector-wide coordinated business continuity and disaster recovery testing requirements. ATSs newly
meeting the volume thresholds will be provided an additional six months from the time they first meet the
applicable threshold to comply, while SCI entities will have 21 months from the Effective Date to
coordinate industry- and sector-wide testing.
II. KEY DEFINITIONS AND CONCEPTS
The definition of the four categories of SCI entities establishes the universe of organizations that must
comply with the new rules. Other definitions also define the scope of the regulations and the type of
events that trigger the reporting and disclosure requirements.
A. SCI ENTITY
The requirements of Regulation SCI apply to an “SCI entity,” defined to include:

an SCI self-regulatory organization;

an SCI alternative trading system;

a plan processor; or

an exempt clearing agency subject to ARP.
1. SCI Self-Regulatory Organization
An SCI self-regulatory organization (“SCI SRO”) is any national securities exchange registered under
Section 6(b) of the Securities Exchange Act of 1934 (the “Exchange Act”), registered securities
association, registered clearing agency, and the Municipal Securities Rulemaking Board.
The Commission notes that there are 18 registered national securities exchanges, 1 registered national
securities association, and 7 registered clearing agencies.
2. SCI Alternative Trading System
An SCI alternative trading system (“SCI ATS”) is an alternative trading system, as defined in Rule 300(a)
of Regulation ATS, which during at least four of the preceding six calendar months:

Had with respect to NMS stocks:

Five percent or more in any single NMS stock, and one-quarter percent or more in all NMS
stocks, of the average daily dollar volume reported by applicable reporting plans; or

One percent or more in all NMS stocks of the average daily dollar volume reported by applicable
transaction reporting plans; or

Had with respect to equity securities that are not NMS stocks and for which transactions are reported
to a self-regulatory organization, five percent or more of the average daily dollar volume as calculated
by the self-regulatory organization to which such transactions are reported.
The adopted definition of SCI ATS is similar to the proposed definition except in two notable respects.
First, in response to comments, the definition excludes ATSs that trade only municipal securities or
corporate debt securities. Second, the definition allows an ATS that meets a volume threshold for the first
time six months to comply with Regulation SCI.
The Commission states that volume thresholds identify those ATSs that could, in the case of an SCI
event, have a significant impact on the overall market or a significant impact on a single NMS stock (and
some impact on the overall market as a whole at the same time). Depending on its structure, it may be
possible for an ATS to limit trading so as not to reach the volume thresholds and thereby not be subject to
Regulation SCI.
With respect to volume thresholds for NMS stock, the two-prong disjunctive definition seeks to capture
two types of ATSs. The first prong of the definition pairs a single NMS stock threshold and an all-NMS
stock threshold so that Regulation SCI will not apply to an ATS that has a large volume only in a single
NMS stock and little volume in other NMS stocks. The second prong then captures ATSs that have
significant trading volume in all NMS stocks. The volume threshold for equity securities that are not NMS
stock is higher because the Commission believes that a systems issue at an SCI entity relating to non-NMS stock would not be as likely to have widespread impact.
3. Plan Processor
Regulation SCI defines “plan processor” as having the meaning set forth in Rule 600(b)(55) of Regulation
NMS, which, in turn, defines plan processor as any self-regulatory organization or securities information
processor acting as an exclusive processor in connection with the development, implementation and/or
operation of any facility contemplated by an effective national market systems plan. In the adopting
release for Regulation SCI (“Adopting Release”), the Commission underscored the requirement of
exclusivity in this definition.
4. Exempt Clearing Agency Subject to ARP
The term “exempt clearing agency subject to ARP” means an entity that has received from the Commission an
exemption from registration as a clearing agency under Section 17A of the Act, and whose exemption
contains conditions that relate to the Commission’s Automation Review Policies (“ARP”). Only one entity
currently falls within this category: Omgeo Matching Services – US, LLC.
B. SYSTEMS TO WHICH REGULATION SCI APPLIES
1. SCI Systems
The term “SCI systems” means all computer, network, electronic, technical, automated or similar systems
of, or operated by or on behalf of, an SCI entity that, with respect to securities, directly support trading,
clearance and settlement, order routing, market data, market regulation or market surveillance. The
Commission views the six functions covered by the definition of SCI systems as central to the functioning
of the U.S. securities markets and states in the Adopting Release that the term encompasses systems
operated on behalf of an SCI entity by a third party that directly supports one of the six functions. These
systems are subject to almost all the rules of Regulation SCI, except those imposed only on critical SCI
systems (defined below).
As observed by some commenters, the definition is relatively broad. However, the concept of “directly
support” does limit its scope somewhat. For instance, the Commission indicates that this differentiates
between those systems that connect to markets and those systems used to “run a business”. The clause
“with respect to securities” was added in response to a comment which suggested that without such
qualification the definition would apply to systems that have practically “no relevance or relation to SEC
markets” and would potentially apply to systems not subject to the Commission’s jurisdiction.
2. Critical SCI Systems
The term “critical SCI systems” means any SCI systems of, or operated by or on behalf of, an SCI entity
that:

Directly support functionality relating to:

Clearance and settlement systems of clearing agencies;

Openings, reopenings and closings on the primary listing market;

Trading halts;

Initial public offerings;

The provision of consolidated market data; or

Exclusively-listed securities; or

Provide functionality to the securities markets for which the availability of alternatives is significantly
limited or nonexistent and without which there would be a material impact on fair and orderly markets.
The Commission believes that it is appropriate to hold systems that pose the greatest risk to markets if
they malfunction to higher standards and the more stringent requirements of Regulation SCI.
Although the first prong lists six central functions, the second prong is open-ended. The Commission
clarified that it is not currently aware of any SCI systems that would fall within this category. Rather, this
language is intended to account for future technological evolution that would create new systems that
should be considered critical SCI systems.
3. Indirect SCI Systems
The term “indirect SCI systems” means any systems of, or operated by or on behalf of, an SCI entity that,
if breached, would be reasonably likely to pose a security threat to SCI systems.
This definition replaces the concept of “SCI security systems” in the proposed rules. The Commission
states that it believes that this modification “reflects that [the term] is intended to cover non-SCI systems
only if they are not appropriately secured and segregated from SCI systems, and therefore could
indirectly pose risk to SCI systems.” In other words, the Commission explained that “[s]ystems that are
adequately physically or logically separated (i.e., isolated from SCI systems, such that they do not provide
vulnerable points of entry into SCI systems) will not fall within the definition of indirect SCI systems.”
Indirect SCI systems will be subject to a more limited set of requirements when compared to SCI systems
generally.
C. SCI EVENTS
The occurrence of an SCI event triggers requirements relating to corrective action, reporting to the
Commission and disseminating information to members and participants. The requirements that are
triggered by an SCI event are discussed below in Section III.B. “SCI events” is defined to include three
types of occurrences:

systems disruptions;

systems compliance issues; and

systems intrusions.
The definitions of SCI event and its component categories do not contain a materiality qualifier. Instead,
the Commission adopted a risk-based approach with respect to the obligations of an SCI entity with
respect to an SCI event (for example, the limited notification requirements for de minimis SCI events).
Moreover, SCI events that qualify as major SCI events will trigger additional obligations for the SCI entity.
1. Systems Disruption
A “systems disruption” is an event in an SCI entity’s SCI systems that disrupts, or significantly degrades,
the normal operation of an SCI system. The adopted definition represents a shift from the prescriptive
proposed definition which specified seven specific types of malfunctions as systems disruptions.
The Commission views the final definition as a more flexible standards-based approach that gives SCI
entities greater flexibility and discretion in determining when a systems disruption has occurred. The
Commission encourages SCI entities to establish parameters that define what constitutes normal
operations of each SCI system and when such normal operations have been disrupted or significantly
degraded.
2. Systems Compliance Issues
A “systems compliance issue” is an event at an SCI entity that has caused any SCI system of such entity
to operate in a manner that does not comply with the Exchange Act and the rules and regulations
thereunder, or the entity’s rules or governing documents, as applicable. According to the Commission, a
systems compliance issue could occur, for example, when a change to an SCI system is made by
information technology staff, without the knowledge or input of regulatory staff, that results in a system
operating in contravention of the Exchange Act and the rules thereunder or the SCI entity’s rules or
governing documents.
3. Systems Intrusion
A “systems intrusion” is any unauthorized entry into the SCI systems or indirect SCI systems of an SCI entity.
The Commission emphasizes that the definition covers any unauthorized entry “regardless of the identity
of the person committing the intrusion (whether they are outsiders, employees, or agents of the SCI
entity),” and “whether or not the intrusion was part of a cyber attack, potential criminal activity, or other
unauthorized attempt to retrieve, manipulate, or destroy data, or access or disrupt systems of SCI
entities.” However, the Commission indicates in the Adopting Release that the definition does not include
unsuccessful attempts at unauthorized entry.
4. Major SCI Events
The term “major SCI event” means an SCI event that has had, or the SCI entity reasonably estimates
would have, any impact on a critical SCI system, or a significant impact on the SCI entity’s operations or
on market participants. The occurrence of major SCI events triggers heightened information
dissemination requirements.
D. RESPONSIBLE SCI PERSONNEL
Regulation SCI defines “responsible SCI personnel” to mean, for a particular SCI system or indirect SCI
system impacted by an SCI event, senior managers of the SCI entity having responsibility for the system,
and their designees.
An SCI entity’s policies and procedures will need to include criteria for identifying responsible SCI
personnel. As explained further in Section III.B below, identification of responsible SCI personnel is
significant because their having a reasonable basis to conclude that an SCI event has occurred will
trigger certain obligations for the SCI entity, including taking corrective action and disseminating
information to participants and members. The Commission states that an SCI entity’s policies and
procedures must also provide for escalation procedures to “quickly inform” SCI personnel of potential SCI
events.
III. OBLIGATIONS OF SCI ENTITIES
A. POLICIES AND PROCEDURES
Rule 1001 specifies written policies and procedures that the SCI entity must establish, maintain and
enforce. These policies and procedures can be divided into two categories. The first concerns the
robustness of an SCI entity’s systems, while the second concerns the operational compliance of an SCI
entity’s SCI systems with the Exchange Act and the rules and regulations thereunder and the entity’s
rules and governing documents, as applicable.
1. Policies and Procedures to Achieve Capacity, Integrity, Resiliency, Availability and
Security
Rule 1001(a) provides that each SCI entity shall establish, maintain, and enforce written policies and
procedures reasonably designed to ensure that its SCI systems and, for purposes of security standards,
indirect SCI systems, have levels of capacity, integrity, resiliency, availability, and security adequate to
maintain the SCI entity’s operational capability and promote the maintenance of fair and orderly markets.
Rule 1000(a)(4) provides that policies and procedures will be considered reasonably designed if they “are
consistent with current SCI industry standards.” Industry standards are, in turn, to be based on
“information technology practices that are widely available to information technology professionals in the
financial sector and issued by an authoritative body that is a U.S. governmental entity or agency,
association of U.S. governmental entities or agencies, or widely recognized organization.”
Concurrent with the publication of the Adopting Release, the Commission issued staff guidance on
current SCI industry standards. The guidance lists particular publications that the Commission believes
best represent SCI industry standards at this time. The Commission views the list as providing
transparency initially on how the staff will prepare for and conduct its inspections pursuant to Regulation
SCI.
In developing its written policies and procedures, an SCI entity must include the following seven minimum
elements:

the establishment of reasonable current and future technological infrastructure capacity planning
estimates;

periodic capacity stress tests of such systems to determine their ability to process transactions in an
accurate, timely, and efficient manner;

a program to review and keep current systems development and testing methodology for such
systems;

regular reviews and testing, as applicable, of such systems, including backup systems, to identify
vulnerabilities pertaining to internal and external threats, physical hazards, and natural or man-made
disasters;

business continuity and disaster recovery plans that are resilient and geographically diverse and that
are reasonably designed to achieve next-business day resumption of trading and two-hour
resumption of critical SCI systems following a wide-scale disruption;

standards that result in such systems being designed, developed, tested, maintained, operated and
surveilled in a manner that facilitates the successful collection, processing, and dissemination of
market data; and

monitoring of such systems to identify potential SCI events.
The final rules also require the SCI entity to periodically review the effectiveness of the policies and
procedures, and take prompt action to remedy deficiencies.
2. Policies and Procedures to Achieve Systems Compliance
Rule 1001(b) requires each SCI entity to establish, maintain, and enforce written policies and procedures
reasonably designed to ensure that its SCI systems operate in a manner that complies with the Exchange
Act and the rules and regulations thereunder and the entity’s rules and governing documents, as
applicable.
As with Rule 1001(a), the policies and procedures must include at least the following four features:

testing of all SCI systems and any changes to SCI systems prior to implementation;

a system of internal controls over changes to SCI systems;

a plan for assessments of the functionality of SCI systems designed to detect systems compliance
issues, including by responsible SCI personnel and by personnel familiar with applicable provisions of
the Exchange Act and the rules and regulations thereunder, and the SCI entity’s rules and governing
documents; and

a plan of coordination and communication between regulatory and other personnel of the SCI entity,
including by responsible SCI personnel, regarding SCI systems design, changes, testing and controls
designed to detect and prevent systems compliance issues.
In response to concerns raised by commentators, the Commission emphasizes in the Adopting Release
that the mere occurrence of an SCI event will not necessarily result in a violation of Rule 1001(b).
According to the Commission, while the occurrence of a systems compliance issue may be probative of
the reasonableness of an SCI entity’s policies and procedures, it is not determinative.
The topic of a safe harbor from liability for SCI entities and their personnel received significant comment.
After considering the comments, the Commission determined not to adopt a safe harbor from liability for
SCI entities because, among other reasons, Rule 1001(b) requires policies and procedures “reasonably
designed” to ensure compliance with the Exchange Act (rather than policies and procedures that operate
in a manner that complies with the Exchange Act as proposed).
The proposed safe harbor for individuals, however, was retained with certain modifications. The individual
safe harbor, as adopted, provides that personnel of an SCI entity will be deemed not to have aided,
abetted, counseled, commanded, caused, induced, or procured the violation by an SCI entity of
Rule 1001(b) if the person:

has reasonably discharged the duties and obligations incumbent upon such person by the SCI
entity’s policies and procedures; and

was without reasonable cause to believe that the policies and procedures relating to an SCI system
for which such person was responsible, or had supervisory responsibility, were not established,
maintained, or enforced in accordance with Rule 1001(b) in any material respect.
Because Regulation SCI imposes obligations only on SCI entities, the Commission has designed the
individual safe harbor to cover so-called “secondary liability” – for example, aiding and abetting. The safe
harbor extends to all personnel of an SCI entity and, according to the Commission, this would encompass
not only employees, but also contractors, consultants and similar non-employees that act in a capacity
similar to an SCI entity’s employees. In adopting the safe harbor, the Commission explicitly rejected a
proposal by commentators to limit liability of SCI personnel to willful or intentional misconduct.
B. OBLIGATIONS TRIGGERED BY SCI EVENTS
If any responsible SCI personnel have a reasonable basis to conclude that an SCI event has taken place, the
SCI entity then must begin to take corrective action, notify the Commission, and disseminate information
to participants and members.
The proposed rule suggested that an SCI entity’s obligations would be triggered when its SCI personnel
“become aware” of an SCI event. In response to comments, the Commission modified the standard to a
“reasonable basis to conclude” because such an approach allows an SCI entity to perform an initial
analysis and assessment as to whether an SCI event has occurred, rather than taking immediate action
upon responsible SCI personnel becoming aware of an SCI event.
1. Corrective Action
Appropriate corrective action includes, at a minimum, mitigating harm to investors and market integrity
resulting from the SCI event and devoting adequate resources to remedy the SCI event as soon as
reasonably practicable. Unlike certain other requirements in Regulation SCI, this provision does not
specify in detail the specific actions that must be taken. Rather, it imposes a duty to act on the SCI entity
coupled with flexibility to determine the specific steps necessary to mitigate the harm of the SCI event.
2. Commission Notification
An SCI entity generally will be obligated to give the Commission immediate notice when any responsible
SCI personnel has a reasonable basis to conclude that an SCI event has occurred and share information
on a regular basis until the SCI event has been resolved. However, for SCI events that have had, or the
SCI entity reasonably estimates would have, no or a de minimis impact on the SCI entity’s operations or
on market participants, Commission notifications are more limited and are based on a quarterly reporting
paradigm.
a. SCI Events
Initial steps that must be taken upon any responsible SCI personnel having a reasonable basis to
conclude that an SCI event has occurred include immediate notification to the Commission. The
immediacy of the requirement is tempered by the threshold trigger that gives SCI personnel some time to
form a reasonable basis to conclude that an SCI event has taken place. However, once that reasonable
basis exists, the Commission must be notified immediately even if the situation occurs outside normal
business hours. The Commission recognizes that this immediate notice may be informal and specifically
clarifies in the Adopting Release that the requirement can be satisfied via telephone or e-mail. The
immediate notification must, however, be followed up with a written notification within 24 hours of any
responsible SCI personnel having a reasonable basis to conclude that the SCI event has occurred. The
written notification is subject to a good faith, best efforts standard and must include a description of the
SCI event, including the system(s) affected and, to the extent available as of the time of the notification:

the SCI entity’s current assessment of the types and numbers of market participants potentially
affected by the SCI event;

the potential impact of the SCI event on the market;

a description of the steps the SCI entity has taken, is taking, or plans to take, with respect to the SCI
event;

the time the SCI event was resolved or time frame within which the SCI event is expected to be
resolved; and

any other pertinent information known by the SCI entity about the SCI event.
The addition of a “good faith, best efforts” standard is a modification from the proposed rules. This
acknowledges that written notification provided within 24 hours may prove in retrospect to be incomplete
or inaccurate. The Commission states that SCI entities should not be penalized for “unintentional
inaccuracies or omissions” in the initial notifications. However, the Commission indicates that the “best
efforts” standard will help ensure an SCI entity will make a diligent and timely attempt to provide all the
information required by the written notification requirement.
The notification requirements also include an obligation to provide updates relating to such SCI events on
a regular basis, or at such frequency as reasonably requested by a representative of the Commission to
correct any materially incorrect information previously provided, or when new material information is
discovered, including, but not limited to, any of the information that should have been provided at the time
of the 24-hour written notification.
As discussed in Section IV below, an SCI entity may request confidential treatment of information
included in a Form SCI. An SCI entity is not required to (but may) submit the initial communication to the
Commission on the occurrence of an SCI event and the related updates on Form SCI. To the extent an
SCI entity does not utilize Form SCI for those communications, the Commission in the Adopting Release
indicates that it will keep such communications confidential to the extent permitted by law. Accordingly,
SCI entities providing these communications other than on Form SCI should expressly request
confidentiality in accordance with the Commission’s rules and regulations.
Ultimately, a report must be submitted when the SCI event is resolved and the SCI entity’s investigation
of the SCI event is closed. The notification in this report must include:

a detailed description of:

the SCI entity’s assessment of the types and number of market participants affected by the SCI
event;

the SCI entity’s assessment of the impact of the SCI event on the market;

the steps the SCI entity has taken, is taking, or plans to take, with respect to the SCI event;

the time the SCI event was resolved;

the SCI entity’s rule(s) and/or governing document(s), as applicable, that relate to the SCI event;
and

any other pertinent information known by the SCI entity about the SCI event;

a copy of any information disseminated pursuant to Rule 1002(c) of Regulation SCI by the SCI entity
to date regarding the SCI event to any of its members or participants; and

an analysis of parties that may have experienced a loss, whether monetary or otherwise, due to the
SCI event, the number of such parties, and an estimate of the aggregate amount of such loss.
There are specific timing requirements relating to the final report. If an SCI event is not resolved or the
SCI entity’s investigation of the SCI event is not closed within 30 calendar days of the occurrence of the
SCI event, then the SCI entity must submit an interim written notification relating to such SCI event to the
Commission within 30 calendar days after the occurrence of the SCI event. The interim written notification
must include the information required in the final report to the extent known at that time. Upon the ultimate
resolution of the SCI event and the closure of the investigation, a final written notification must be
provided within five business days.
b. SCI Events that have no or a de minimis impact on an SCI entity’s operations or on market participants
Notification requirements do not apply to any SCI event that has had, or the SCI entity reasonably
estimates would have, no or a de minimis impact on the SCI entity’s operations or on market participants.
For such events, the SCI entity is required to make, keep and preserve records relating to all such SCI
events and to submit to the Commission a report, within 30 calendar days after the end of each calendar
quarter, containing a summary description of such systems disruptions and systems intrusions, including
the SCI systems and, for systems intrusions, indirect SCI systems, affected by such systems disruptions
and systems intrusions during the applicable calendar quarter. The Commission notes that whether an
SCI event is within the de minimis exception will depend on all the facts and circumstances, and that
relevant factors could include:

whether critical SCI systems are impacted;

the duration of the SCI event;

whether there is loss in redundancy;

whether an alternative trading system is available following a systems disruption;

the size of the affected market trading volume;

whether the processes for trade completion or clearance or settlement are adversely impacted;

whether settlement is completed on time;

whether an event is resolved before the market opens;

whether a post-trade event is resolved before the market closes;

whether a failover, despite being successful, results in a system operating without a back-up; and

the number of securities symbols adversely affected.
The Commission stresses in the Adopting Release that the notifications are not subject to a “materiality”
qualifier and that a materiality threshold would likely exclude from notification “a large number of SCI
events that are not de minimis.”
3. Dissemination of Information
Subject to certain exceptions, an SCI entity is required to disseminate certain information to its members
or participants upon any responsible SCI personnel having a reasonable basis to conclude that an SCI
event has occurred. The information that must be disclosed differs depending on the type of SCI event,
with one set of rules applying to systems disruptions and systems compliance issues and another
qualified requirement applying to systems intrusions.
Regardless of the type of SCI event, the information that must be disseminated must be sent to those
members or participants of the SCI entity that any responsible SCI personnel has reasonably estimated
may have been affected by the SCI event. Further, prompt disclosure is required to any additional
members or participants that any SCI responsible officer subsequently reasonably estimates may have
been affected by the SCI event.
However, for major SCI events, the information must be promptly disseminated by the SCI entity to all its
members or participants. The Commission indicates that posting information on a website accessible to,
at a minimum, all of an SCI entity’s members or participants, will meet the requirement for major SCI
events.
a. Systems Disruptions and Systems Compliance Issues
Promptly after any responsible SCI personnel has a reasonable basis to conclude that an SCI event that
is a systems disruption or systems compliance issue has occurred, the SCI entity must disseminate
information about the systems affected by the SCI event and a summary description of the SCI event.
The Commission indicates in the Adopting Release that the “requirement for prompt dissemination, as
opposed to immediate dissemination, is designed to provide some limited flexibility to an SCI entity to
determine an efficient way to disseminate information to multiple potentially affected persons or
participants, as the case may be, in a timely manner.”
When known, the SCI entity must promptly further disseminate a detailed description of the SCI event,
the SCI entity’s current assessment of the types and numbers of market participants potentially affected
by the SCI event and a description of the progress of its corrective action for the SCI event, and when the
SCI event has been or is expected to be resolved. Until the SCI event is resolved, the SCI entity will have
an obligation to provide regular updates of any information that it must disseminate.
b. Systems Intrusions
Promptly after any responsible SCI personnel has a reasonable basis to conclude that an SCI event that
is a systems intrusion has occurred, the SCI entity must disseminate a summary description of the
systems intrusion, including a description of the corrective action taken by the SCI entity and when the
system intrusion has been or is expected to be resolved. However, if the SCI entity determines that
dissemination of such information would likely compromise the security of the SCI entity’s SCI systems or
indirect SCI systems, or an investigation of the systems intrusion, then the SCI entity need not promptly
disseminate such information. In order to qualify for this exception, an SCI entity must document the
reasons for its determination that it should not disseminate information promptly.
The Commission states in the Adopting Release that it views the permitted delay for disclosing systems
intrusions as only allowing a delay in dissemination of information and not completely relieving the SCI
entity of its obligation to ever disseminate information. The Commission emphasizes that only a delay is
possible since the circumstances allowing for such an exception would not continue indefinitely.
c. Reporting Exceptions
The requirement to provide the reports to members or participants does not apply to:

SCI events that relate to market regulation or market surveillance; or

any SCI event that the SCI entity reasonably determines will have no or a de minimis impact on the
SCI entity’s operations or market participants.
C. NOTIFICATIONS OF SYSTEMS CHANGES
Rule 1003(a) establishes a system of quarterly notification to the Commission about completed, ongoing
or planned material systems changes. This feature of the final rules represents a notable shift from the
proposed rules based on the comments that the Commission received. As proposed, the rule would have
required the SCI entity, absent exigent circumstances, to notify the Commission in writing at least 30
calendar days before implementing any planned material systems changes. The pre-notification
requirements in the proposed rules were to be coupled with two reports per year on systems changes.
The final rules do not include any pre-notification requirements. Consistent with the elimination of a
pre-notification requirement, the Commission indicates that the Commission staff will not use the reports to
require approvals of prospective system changes or delay the implementation of systems changes.
1. Criteria to identify a material systems change
Regulation SCI does not include a specified definition for what constitutes a material systems change, as
initially proposed. Instead, final rules provide SCI entities a degree of flexibility in determining what
constitutes a material systems change. The final rules require an SCI entity to establish reasonable
written criteria for identifying a change to its SCI systems and the security of indirect SCI systems as
material. Reports relating to such changes must be in accordance with these established, written criteria.
These criteria (as with other policies and procedures of the SCI entity) will be subject to review by the
Commission staff.
2. Quarterly and Supplemental Reports
Within 30 calendar days after the end of each calendar quarter, each SCI entity must submit to the
Commission a report describing completed, ongoing and planned material changes to its SCI systems,
and the security of indirect systems during the prior, current and subsequent calendar quarters, including
the dates or expected dates of commencement and completion. Additionally, an SCI entity must promptly
submit a supplemental report notifying the Commission of a material error in or material omission in its
previously submitted quarterly report.
The Commission emphasizes in the Adopting Release that the quarterly reports need only to “describe”
the material systems changes and the dates or expected dates of their commencement and completion.
This, according to the Commission, gives “each SCI entity reasonable flexibility in determining precisely
how to describe its material systems changes in the report in a manner that best suits the needs of that
SCI entity as well as the needs of the Commission and its staff.”
D. SCI REVIEWS
An SCI entity must conduct an SCI review of its compliance with Regulation SCI not less than once each
calendar year subject to two limited exceptions discussed below. An SCI review is defined as a review,
following established procedures and standards, that is performed by objective personnel having
appropriate experience to conduct reviews of SCI systems and indirect SCI systems, and which contains
the following:

a risk assessment with respect to such systems of an SCI entity; and

an assessment of internal control design and effectiveness of its SCI systems and indirect SCI
systems to include logical and physical security controls, development processes, and information
technology governance, consistent with industry standards.
According to the Commission, the “established procedures and standards” will be identified and
established by the SCI entity itself.
The Commission has clarified that “objective personnel” does not necessarily require review by an
independent third party. According to the Commission, this provision does, however, require that the
review be performed by “persons who have not been involved in the development, testing, or
implementation of such systems being reviewed” because such objectivity would put a person in a better
position to identify weaknesses and deficiencies. The Commission states that any personnel with a
conflict of interest that has not been adequately mitigated to allow for objectivity should be excluded from
the independent review. In this regard, the Commission indicates that SCI entities can have policies and
procedures in place to mitigate conflicts of interest or to help ensure departments or specified personnel
(such as internal audit) are appropriately insulated from such conflicts.
A report on the SCI review must be submitted to senior management of the SCI entity no more than 30
calendar days after completion of the review. Senior management is defined in this context to include an
SCI entity’s Chief Executive Officer, Chief Technology Officer, Chief Information Officer, General Counsel
and Chief Compliance Officer (or their equivalents).
Within 60 calendar days after submission of such report to senior management of the SCI entity, the
report, along with any response by senior management to the report, must be submitted to the
Commission and to the board of directors (or equivalent) of the SCI entity. The final rules do not require
certification of the report, but the Adopting Release includes a warning that “it is unlawful for any person
to willfully or knowingly make, or cause to be made, a false or misleading statement with respect to any
material fact in such reports or responses.”
Two aspects of an SCI Review are subject to a longer cycle. First, penetration test reviews of the network,
firewalls and production systems of the SCI entity must be conducted at a frequency of not less than once every
three years. Second, assessments of SCI systems directly supporting market regulation or market
surveillance must be conducted at a frequency based upon the risk assessment conducted as part of the
SCI review, but in no case less than once every three years.
E. BUSINESS CONTINUITY AND DISASTER RECOVERY PLANS TESTING REQUIREMENTS FOR MEMBERS OR PARTICIPANTS
Regulation SCI requires SCI entities to engage in business continuity and disaster recovery planning and
to work with others to ensure the effectiveness of such efforts.
Notably, SCI entities must cause the participation of certain of their members or participants in such
testing. Rule 1004 requires the SCI entity to establish standards for the designation of those members or
participants that the SCI entity reasonably determines are, taken as a whole, the minimum necessary for
the maintenance of fair and orderly markets in the event of the activation of such plans. The SCI entity
must then designate members or participants pursuant to such standards and require participation by
such designated members or participants in scheduled functional and performance testing of the
operations of such plans, in the manner and frequency specified by the SCI entity (but not less than every
twelve months). The Commission indicates, consistent with the proposing release, that functional and
performance testing would include testing not only connectivity, but also testing of an SCI entity’s
systems, such as order entry, execution, clearance and settlement, order routing, and transmission and
receipt of market data. However, the Commission also indicates that this testing would not require a full
test of the functional and performance characteristics of each back-up facility to be conducted all at once
and in coordination with other SCI entities at the same time. Rather, according to the Commission, the
final rule requires coordinated, annual testing of whether the back-up facilities of SCI entities can function
and perform in the event of widespread disruption. The Commission also notes that performance testing
is not synonymous with “stress testing.”
The Commission indicated in the Adopting Release the manner in which SCI entities can mandate the
participation of members or participants. According to the Commission, SCI SROs may use their
rulemaking authority, while all SCI entities should be able to implement this requirement through their
contractual arrangements with participants or members. Commentators raised numerous concerns over
the impact of the rule on members and participants that may be required to participate in the testing,
including that some members may be overburdened by multiple testing requests and that some entities
may withdraw as members or participants due to the cost. The Commission rejected these comments
noting, among other things, SCI entities will have an incentive to limit the scope of testing to the minimum
number of participants or members to comply with the rule and that it is “unlikely” a firm that meets the
testing standard would withdraw from testing.
Rule 1004 also requires an SCI entity to coordinate the testing of its business continuity and disaster
recovery plans on an industry- or sector-wide basis with other SCI entities. As described in Section I, the
compliance date for this particular requirement is 21 months from the Effective Date given the anticipated
logistical difficulties of pursuing coordinated efforts.
F. RECORDKEEPING AND ACCESS
An SCI SRO must make, keep and preserve all documents relating to its compliance with Regulation SCI
as prescribed in Rule 17a-1 under the Exchange Act. The Commission views the existing recordkeeping
obligations of SCI SROs pursuant to this rule as sufficient for purposes of Regulation SCI.
An SCI entity that is not an SCI SRO must:

make, keep and preserve at least one copy of all documents, including any correspondences,
memoranda, papers, books, notices, accounts and other such records relating to its compliance with
Regulation SCI, including, but not limited to, records relating to any changes to its SCI systems and
indirect SCI systems;

keep all such documents for a period of not less than five years, the first two years in a place that is
readily accessible to the Commission or its representatives for inspection and examination; and

upon request of any representative of the Commission, promptly furnish to the possession of such
representative copies of any documents required to be kept and preserved by it pursuant to these
recordkeeping requirements.
As part of its recordkeeping obligations, an SCI entity is responsible for ensuring that third parties that
operate an SCI system or indirect SCI system on its behalf provide the records required to be made, kept
and preserved under Regulation SCI to representatives of the Commission. The Commission indicates
that to fulfill this obligation, an SCI entity would need to have contractual provisions to require the third
party to maintain the required records and provide the required documents to representatives of the
Commission. Similarly, the final rules require that if required records are prepared or maintained by a
service bureau or recordkeeping service on behalf of an SCI entity, the SCI entity must cause the service
bureau or other recordkeeping service to submit a written undertaking, in a form acceptable to the
Commission, signed by a duly authorized person of such service bureau or recordkeeping service, to
permit the Commission and its representatives to examine such records during normal business hours
and to promptly furnish to the Commission and its representatives true, correct and current electronic files
(in a form acceptable to the Commission or its representatives) or hard copies of the records. The final
rules also provide that the preservation and maintenance of the records by a service bureau or
recordkeeping service does not relieve an SCI entity from its recordkeeping obligations under Regulation
SCI.
Provisions of the proposed rules that would have required an SCI entity to provide Commission
representatives reasonable access to its SCI systems and SCI security systems to assess compliance
with Regulation SCI were not adopted in the final rules. This shift was in response to comments that
noted such access was antithetical to one of the purposes of Regulation SCI—maintaining the security of
such systems. The Commission concluded that such access was not required in the final rules since the
Commission could sufficiently achieve the objectives of such access through its examination authority
and through the recordkeeping requirements of the final rules.
IV. ELECTRONIC FILINGS AND FORM SCI
Except with respect to the requirements for immediate notice to the Commission of SCI events and
updates to the Commission regarding SCI events, any notification, review, description, analysis or report
to the Commission required to be submitted under Regulation SCI must be filed electronically on Form
SCI, include all information prescribed in Form SCI and the instructions thereto, and contain an electronic
signature. The Form SCI does not need to have tagged data like XBRL, but must be in a text-searchable
format.
There is one Form SCI that is meant to accommodate the various sorts of filings that may be required
under Regulation SCI. Accordingly, the form includes short questions that identify the sort of filing that is
being made. The sort of filing that is being made also determines which questions must be answered in
the form.
In addition to the short questions, Form SCI contemplates the inclusion of exhibits for certain types of
filings. There are six types of exhibits:

Exhibit 1: Rule 1002(b)(2) Notification of SCI Event.

Exhibit 2: Rule 1002(b)(4) Final or Interim Report of SCI Event.

Exhibit 3: Rule 1002(b)(5)(ii) Quarterly Report of De minimis SCI Events.

Exhibit 4: Rule 1003(a) Quarterly Report of Systems Changes.

Exhibit 5: Rule 1003(b)(3) Report of SCI Review.

Exhibit 6: Optional Attachments.
The Form SCI must include an electronic signature of a duly authorized individual of the SCI entity. The
SCI entity is required to maintain a manually executed version of the signature page, which must be
executed before the Form SCI is filed and must be retained as required by the record retention rules of
Regulation SCI. The Commission indicates in the Adopting Release that the signature is not intended as
a verification of the accuracy and completeness of the information in the Form SCI; rather, the electronic
signature requirement is intended to ensure that the person executing the Form SCI has been properly
authorized to submit Form SCI filings on behalf of the SCI entity.
Finally, in connection with the electronic filing requirements of Regulation SCI, the Commission adopted
certain amendments to Rule 24b-2 of the Exchange Act to allow information submitted by Form SCI to be
treated as confidential by the Commission and not to require a paper submission of a confidential
treatment request. An SCI entity may request confidential treatment of information submitted on Form SCI
by completing Section IV of Form SCI. Such requests will lead the Commission to treat the information
confidentially to the extent it is permitted to do so by law.
V. POTENTIAL FOR ADDITIONAL RULEMAKING CONCERNING BROKER-DEALERS, SECURITY-BASED SWAP DATA REPOSITORIES AND SECURITY-BASED SWAP EXECUTION FACILITIES
In the proposing release, the Commission sought comment on applying Regulation SCI to security-based
swap data repositories, security-based swap execution facilities and broker-dealers (other than SCI
ATSs). The Commission received extensive comment on whether these entities should be subject to
Regulation SCI. The Commission indicates that it would proceed with separate rule makings if it
determines that any of those categories of entities should be subject to Regulation SCI.
* * *
Copyright © Sullivan & Cromwell LLP 2015
ENDNOTES
1. Securities Exchange Act Release No. 69077 (March 8, 2013), 78 FR 18083, available at
http://www.sec.gov/rules/proposed/2013/34-69077.pdf.
2. Securities Exchange Act Release Nos. 27445 (November 16, 1989), 54 FR 48703 (November 24,
1989), 54 FR 29185 (May 9, 1991) and 56 FR 22490 (May 15, 1991) (together, “ARP Policy
Statements”).
3. An exchange that is notice registered with the Commission or a limited-purpose national
securities association is excluded.
4. These are: BATS Exchange, Inc., BATS Y-Exchange, Inc., Boston Options Exchange LLC, the
Chicago Board Options Exchange, Inc., C2 Options Exchange, Incorporated, Chicago Stock
Exchange, Inc., EDGA Exchange, Inc., EDGX Exchange, Inc., International Securities Exchange,
LLC, Miami International Securities Exchange, LLC, NASDAQ OMX BX, Inc., NASDAQ OMX
PHLX LLC, NASDAQ Stock Market LLC, National Stock Exchange, Inc., the New York Stock
Exchange LLC, NYSE MKT LLC, NYSE Arca, Inc. and ISE Gemini, LLC.
5. The Financial Industry Regulatory Authority.
6. These are: Depository Trust Company, Fixed Income Clearing Corporation, National Securities
Clearing Corporation, Options Clearing Corporation, ICE Clear Credit, ICE Clear Europe and
Chicago Mercantile Exchange.
7. NMS stock is any security (other than an option) for which transaction reports are collected,
processed and made available pursuant to an effective transaction reporting plan.
8. Securities Exchange Act Release No. 73639 (November 19, 2014), 79 FR 72252-01, available at
http://www.sec.gov/rules/final/2014/34-73639.pdf.
9. Staff Guidance on Current SCI Industry Standards (November 19, 2014), available at
http://www.sec.gov/rules/final/2014/staff-guidance-current-sci-industry-standards.pdf.
10. See, for example, Rule 83 of the Commission’s Rules of Practice and Procedure.
ABOUT SULLIVAN & CROMWELL LLP
Sullivan & Cromwell LLP is a global law firm that advises on major domestic and cross-border M&A,
finance, corporate and real estate transactions, significant litigation and corporate investigations, and
complex restructuring, regulatory, tax and estate planning matters. Founded in 1879, Sullivan &
Cromwell LLP has more than 800 lawyers on four continents, with four offices in the United States,
including its headquarters in New York, three offices in Europe, two in Australia and three in Asia.
CONTACTING SULLIVAN & CROMWELL LLP
This publication is provided by Sullivan & Cromwell LLP as a service to clients and colleagues. The
information contained in this publication should not be construed as legal advice. Questions regarding
the matters discussed in this publication may be directed to any of our lawyers listed below, or to any
other Sullivan & Cromwell LLP lawyer with whom you have consulted in the past on similar matters. If
you have not received this publication directly from us, you may obtain a copy of any past or future
related publications from Nathalie-Claire Chiavaroli ([email protected], +1-212-558-3976) in our
New York office.
CONTACTS
New York
David J. Gilberg, 212-558-4680, [email protected]
David B. Harms, 212-558-3882, [email protected]
Erik D. Lindauer, 212-558-3548, [email protected]
Kenneth M. Raisler, 212-558-4675, [email protected]
Robert W. Reeder III, 212-558-3755, [email protected]
Rebecca J. Simmons, 212-558-3175, [email protected]
Frederick Wertheim, 212-558-4974, [email protected]