Rule

Regulation Systems Compliance and Integrity

This document has been published in the Federal Register.

AGENCY:

Securities and Exchange Commission.

ACTION:

Final rule and form; final rule amendment; technical amendment.

SUMMARY:

The Securities and Exchange Commission (“Commission”) is adopting new Regulation Systems Compliance and Integrity (“Regulation SCI”) under the Securities Exchange Act of 1934 (“Exchange Act”) and conforming amendments to Regulation ATS under the Exchange Act. Regulation SCI will apply to certain self-regulatory organizations (including registered clearing agencies), alternative trading systems (“ATSs”), plan processors, and exempt clearing agencies (collectively, “SCI entities”), and will require these SCI entities to comply with requirements with respect to the automated systems central to the performance of their regulated activities.

DATES:

Effective date: February 3, 2015.

Compliance date: The applicable compliance dates are discussed in Section IV.F of this release.

FOR FURTHER INFORMATION CONTACT:

David Liu, Senior Special Counsel, Office of Market Supervision, at (312) 353-6265, Heidi Pilpel, Senior Special Counsel, Office of Market Supervision, at (202) 551-5666, Sara Hawkins, Special Counsel, Office of Market Supervision, at (202) 551-5523, Yue Ding, Special Counsel, Office of Market Supervision, at (202) 551-5842, David Garcia, Special Counsel, Office of Market Supervision, at (202) 551-5681, and Elizabeth C. Badawy, Senior Accountant, Office of Market Supervision, at (202) 551-5612, Division of Trading and Markets, Securities and Exchange Commission, 100 F Street NE., Washington, DC 20549-7010.

SUPPLEMENTARY INFORMATION:

Regulation SCI will, with regard to SCI entities, supersede and replace the Commission's current Automation Review Policy (“ARP”), established by the Commission's two policy statements, each titled “Automated Systems of Self-Regulatory Organizations,” issued in 1989 and 1991.[1] Regulation SCI also will supersede and replace aspects of those policy statements codified in Rule 301(b)(6) under the Exchange Act, applicable to significant-volume ATSs that trade NMS stocks and non-NMS stocks.[2] Regulation SCI will require SCI entities to establish written policies and procedures reasonably designed to ensure that their systems have levels of capacity, integrity, resiliency, availability, and security adequate to maintain their operational capability and promote the maintenance of fair and orderly markets, and that they operate in a manner that complies with the Exchange Act. It will also require SCI entities to mandate participation by designated members or participants in scheduled testing of the operation of their business continuity and disaster recovery plans, including backup systems, and to coordinate such testing on an industry- or sector-wide basis with other SCI entities. In addition, Regulation SCI will require SCI entities to take corrective action with respect to SCI events (defined to include systems disruptions, systems compliance issues, and systems intrusions), and notify the Commission of such events. Regulation SCI will further require SCI entities to disseminate information about certain SCI events to affected members or participants and, for certain major SCI events, to all members or participants of the SCI entity. In addition, Regulation SCI will require SCI entities to conduct a review of their systems by objective, qualified personnel at least annually, submit quarterly reports regarding completed, ongoing, and planned material changes to their SCI systems to the Commission, and maintain certain books and records. 
Finally, the Commission also is adopting modifications to the volume thresholds in Regulation ATS [3] for significant-volume ATSs that trade NMS stocks and non-NMS stocks, applying them to SCI ATSs (as defined below), and moving this standard from Regulation ATS to adopted Regulation SCI for these asset classes.

Table of Contents

I. Introduction

II. Background

A. Automation Review Policy Inspection Program

B. Recent Events

III. Overview

IV. Description of Adopted Regulation SCI and Form SCI

A. Definitions Establishing the Scope of Regulation SCI—Rule 1000

1. SCI Entities

a. SCI Self-Regulatory Organization or SCI SRO

b. SCI Alternative Trading System

c. Plan Processor

d. Exempt Clearing Agency Subject to ARP

2. SCI Systems, Critical SCI Systems, and Indirect SCI Systems

a. Overview

b. SCI Systems

c. Critical SCI Systems

d. Indirect SCI Systems (Proposed as “SCI Security Systems”)

3. SCI Events

a. Systems Disruption

b. Systems Compliance Issue

c. Systems Intrusion

B. Obligations of SCI Entities—Rules 1001-1004

1. Policies and Procedures to Achieve Capacity, Integrity, Resiliency, Availability and Security—Rule 1001(a)

2. Policies and Procedures to Achieve Systems Compliance—Rule 1001(b)

3. SCI Events: Corrective Action; Commission Notification; Dissemination of Information—Rule 1002

a. Triggering Standard

b. Corrective Action—Rule 1002(a)

c. Commission Notification—Rule 1002(b)

d. Dissemination of Information—Rule 1002(c)

4. Notification of Systems Changes—Rule 1003(a)

5. SCI Review—Rule 1003(b)

6. SCI Entity Business Continuity and Disaster Recovery Plans Testing Requirements for Members or Participants—Rule 1004

C. Recordkeeping, Electronic Filing on Form SCI, and Access—Rules 1005-1007

1. Recordkeeping—Rules 1005-1007

2. Electronic Filing and Submission of Reports, Notifications, and Other Communications—Rule 1006

3. Access to the Systems of an SCI Entity

D. Form SCI

E. Other Comments Received

F. Effective Date and Compliance Dates

V. Paperwork Reduction Act

VI. Economic Analysis

VII. Regulatory Flexibility Act Certification

VIII. Statutory Authority and Text of Amendments

I. Introduction

The U.S. securities markets attract a wide variety of issuers and broad investor participation, and are essential for capital formation, job creation, and economic growth, both domestically and across the globe. The U.S. securities markets have been transformed by regulatory and related technological developments in recent years. They have, among other things, substantially enhanced the speed, capacity, efficiency, and sophistication of the trading functions that are available to market participants.[4] At the same time, these technological advances have generated an increasing risk of operational problems with automated systems, including failures, disruptions, delays, and intrusions. Given the speed and interconnected nature of the U.S. securities markets, a seemingly minor systems problem at a single entity can quickly create losses and liability for market participants, and spread rapidly across the national market system, potentially creating widespread damage and harm to market participants, including investors.

This transformation of the U.S. securities markets has occurred in the absence of a formal regulatory structure governing the automated systems of key market participants. Instead, for over two decades, Commission oversight of the technology of the U.S. securities markets has been conducted primarily pursuant to a voluntary set of principles articulated in the Commission's ARP Policy Statements,[5] applied through the Commission's Automation Review Policy inspection program (“ARP Inspection Program”).[6]

Section 11A(a)(2) of the Exchange Act,[7] enacted as part of the Securities Acts Amendments of 1975 (“1975 Amendments”),[8] directs the Commission, having due regard for the public interest, the protection of investors, and the maintenance of fair and orderly markets, to use its authority under the Exchange Act to facilitate the establishment of a national market system for securities in accordance with the Congressional findings and objectives set forth in Section 11A(a)(1) of the Exchange Act.[9] Among the findings and objectives in Section 11A(a)(1) is that “[n]ew data processing and communications techniques create the opportunity for more efficient and effective market operations” [10] and “[i]t is in the public interest and appropriate for the protection of investors and the maintenance of fair and orderly markets to assure . . . the economically efficient execution of securities transactions.” [11] In addition, Sections 6(b), 15A, and 17A(b)(3) of the Exchange Act impose obligations on national securities exchanges, national securities associations, and clearing agencies, respectively, to be “so organized” and “[have] the capacity to . . . carry out the purposes of [the Exchange Act].” [12]

In March 2013, the Commission proposed Regulation Systems Compliance and Integrity (“Regulation SCI”) [13] to require certain key market participants to, among other things: (1) Have comprehensive policies and procedures in place to help ensure the robustness and resiliency of their technological systems, and also that their technological systems operate in compliance with the federal securities laws and with their own rules; and (2) provide certain notices and reports to the Commission to improve Commission oversight of securities market infrastructure. As discussed in further detail below and in the SCI Proposal, Regulation SCI was proposed to update, formalize, and expand the Commission's ARP Inspection Program, and, with respect to SCI entities, to supersede and replace the Commission's ARP Policy Statements and rules regarding systems capacity, integrity and security in Rule 301(b)(6) of Regulation ATS.[14]

A confluence of factors contributed to the Commission's proposal of Regulation SCI and to the Commission's current determination that it is necessary and appropriate at this time to address the technological vulnerabilities, and improve Commission oversight, of the core technology of key U.S. securities markets entities, including national securities exchanges and associations, significant alternative trading systems, clearing agencies, and plan processors. These considerations include: the evolution of the markets to become significantly more dependent upon sophisticated, complex and interconnected technology; the current successes and limitations of the ARP Inspection Program; a significant number of, and lessons learned from, recent systems issues at exchanges and other trading venues,[15] increased concerns over “single points of failure” in the securities markets; [16] and the views of a wide variety of commenters received in response to the SCI Proposal.

The Commission received 60 comment letters on the proposal from national securities exchanges, registered securities associations, registered clearing agencies, ATSs, broker-dealers, institutional and individual investors, industry trade groups, software and technology vendors, and academics.[17] Commenters generally supported the goals of the proposal, but as further discussed below, some expressed concern about various specific elements of the proposal, and recommended certain modifications or clarifications.

After careful review and consideration of the comment letters, the Commission is adopting Regulation SCI (“Rule”) and Form SCI (“Form”) with certain modifications from the SCI Proposal, as discussed below, to respond to concerns expressed by commenters and upon further consideration by the Commission of the more appropriate approach to further the goals of the national market system by strengthening the technology infrastructure of the U.S. securities markets.

II. Background

A. Automation Review Policy Inspection Program

For over two decades, the Commission's ARP Inspection Program has helped the Commission oversee the technology infrastructure of the U.S. securities markets. This voluntary information technology review program was developed by staff of the Commission to implement the Commission's ARP Policy Statements issued in 1989 and 1991.[18] Through these Policy Statements, the Commission articulated its views on the steps that SROs should take with regard to their automated systems, set forth recommendations for how SROs should conduct independent reviews, and provided that SROs should notify the Commission of material systems changes and significant systems problems.[19] In 1998, the Commission adopted Regulation ATS which, among other things, imposed by rule certain aspects of the ARP Policy Statements on significant-volume ATSs.[20] Further, Commission staff subsequently provided additional guidance regarding various aspects of the ARP Inspection Program through letters to ARP entities, including recommendations regarding reporting planned systems changes and systems issues to the Commission.[21]

Under the ARP Inspection Program, Commission staff (“ARP staff”) conducts inspections of the trading and related systems of national securities exchanges and associations, certain ATSs, clearing agencies, and plan processors (collectively “ARP entities”), attends periodic technology briefings by ARP entities, monitors planned significant system changes, and responds to reports of system failures, disruptions, and other systems problems of ARP entities. The goal of the ARP inspections is to evaluate whether an ARP entity's controls over its information technology resources in nine general areas, or information technology “domains,” [22] are consistent with ARP and industry guidelines. Such guidelines are identified by ARP staff from a variety of information technology publications that ARP staff believes reflect industry standards for securities market participants.[23] At the conclusion of an ARP inspection, ARP staff typically issues a report to the ARP entity with an assessment of the ARP entity's information technology program for its key systems, including any recommendations for improvement.[24]

Because the ARP Inspection Program was established pursuant to Commission policy statements rather than Commission rules, participation in and compliance with the ARP Inspection Program by ARP entities is voluntary. As such, despite its general success in working with SROs to improve their automated systems, there are certain limitations with the ARP Inspection Program. In particular, because of the voluntary nature of the ARP Inspection Program, the Commission is constrained in its ability to assure compliance with ARP standards. The Government Accountability Office (“GAO”) has identified the voluntary nature of the ARP Inspection Program as a limitation and recommended that the Commission make compliance with ARP guidelines mandatory.[25] In addition, as more fully discussed in the SCI Proposal, the evolution of the U.S. securities markets in recent years to become almost entirely electronic and highly dependent on sophisticated trading and other technology, including complex and interconnected routing, market data, regulatory, surveillance and other systems, has posed challenges for the ARP Inspection Program.[26]

B. Recent Events

A series of high-profile recent events involving systems-related issues further highlights the need for market participants to bolster the operational integrity of their automated systems in this area. In the SCI Proposal, the Commission identified several systems problems experienced by SROs and ATSs that garnered significant public attention and illustrated the types and risks of systems issues affecting today's markets.[27] Since Regulation SCI's proposal in March 2013, additional systems problems among market participants have occurred, further underscoring the importance of bolstering the robustness of U.S. market infrastructure to help ensure its stability, integrity, and resiliency.

In particular, since Regulation SCI's proposal, disruptions have continued to occur across a variety of market participants. For example, with respect to the options markets, some exchanges have delayed the opening of trading,[28] halted trading,[29] or experienced other errors as a result of systems issues,[30] and trading in options was halted due to a systems issue with the securities information processor for options market information.[31] Systems issues have also impacted consolidated market data in the equities markets, including one incident that led to a trading halt in all securities listed on a particular exchange.[32] Systems issues have also affected trading off of national securities exchanges, including an incident where FINRA halted trading in all OTC equity securities due to a lack of availability of quotation information resulting from a connectivity issue experienced by an ATS.[33] Systems issues during this time have not been limited to systems disruptions, but have also included allegations of systems compliance issues.[34]

Systems issues are not unique to the U.S. securities markets, with similar incidents occurring in the U.S. commodities markets as well as foreign markets.[35] However, the Commission believes that it is critical that key U.S. securities market participants bolster their operational integrity to prevent, to the extent reasonably possible, these types of events, which can not only lead to tangible monetary losses,[36] but which commenters believe to have the potential to reduce investor confidence in the U.S. markets.[37]

The SCI Proposal also noted that the risks associated with cybersecurity, and how to protect against systems intrusions, are increasingly of concern to all types of entities.[38] On March 27, 2014, the Commission conducted a Cybersecurity Roundtable (“Cybersecurity Roundtable”).[39] The Cybersecurity Roundtable addressed the cybersecurity landscape and cybersecurity issues faced by participants in the financial markets today, including exchanges, broker-dealers, investment advisers, transfer agents and public companies.[40] Panelists discussed, among other topics, the scope and nature of cybersecurity threats to the financial industry; how market participants can effectively manage cybersecurity threats, including public and private sector coordination efforts and information sharing; the role that government should play to promote cybersecurity in the financial markets and market infrastructure; cybersecurity disclosure issues faced by public companies; and the identification of appropriate best practices and standards with regard to cybersecurity. Although the views of panelists varied, many emphasized the significant risk that cybersecurity attacks pose to the financial markets and market infrastructure today and the need to effectively manage that risk through measures such as testing, risk assessments, adoption of consistent best practices and standards, and information sharing.

III. Overview

The Commission acknowledges that the nature of technology and the level of sophistication and automation of current market systems prevent any measure, regulatory or otherwise, from completely eliminating all systems disruptions, intrusions, or other systems issues.[41] However, given the issues outlined above, the Commission believes that the adoption of, and compliance by SCI entities with Regulation SCI, with the modifications from the SCI Proposal as discussed below, will advance the goals of the national market system by enhancing the capacity, integrity, resiliency, availability, and security of the automated systems of entities important to the functioning of the U.S. securities markets, as well as reinforce the requirement that such systems operate in compliance with the Exchange Act and rules and regulations thereunder, thus strengthening the infrastructure of the U.S. securities markets and improving its resilience when technological issues arise. In this respect, Regulation SCI establishes an updated and formalized regulatory framework, thereby helping to ensure more effective Commission oversight of such systems.

As proposed, Regulation SCI would have applied to “SCI entities” (estimated in the SCI Proposal to be 44 entities), a term which would have included all self-regulatory organizations (excluding security futures exchanges), ATSs that exceed specified volume thresholds, plan processors for market data NMS plans, and certain exempt clearing agencies. The most significant elements of the SCI Proposal [42] would have required each SCI entity to:

  • Implement policies and procedures reasonably designed to ensure that its “SCI systems” and “SCI security systems” have levels of capacity, integrity, resiliency, availability, and security, adequate to maintain the SCI entity's operational capability and promote the maintenance of fair and orderly markets, with deemed compliance for policies and procedures that are consistent with current SCI industry standards, including identified information technology publications listed on proposed Table A;
  • Implement policies and procedures reasonably designed to ensure that its systems operate in the manner intended, including in compliance with the federal securities laws and rules, and the entity's rules and governing documents, with safe harbors from liability for SCI entities and individuals;
  • Upon any “responsible SCI personnel” becoming aware of the occurrence of an “SCI event” (defined to include systems disruptions, systems compliance issues, and systems intrusions), begin to take appropriate corrective action, including mitigating potential harm to investors and market integrity and devoting adequate resources to remedy the SCI event as soon as practicable;
  • Report to the Commission the occurrence of any SCI event; and notify its members or participants of certain types of SCI events;
  • Notify the Commission 30 days in advance of “material systems changes” (subject to an exception for exigent circumstances) and provide semi-annual summary progress reports on such material systems changes;
  • Conduct an annual review, to be performed by objective, qualified personnel, of its compliance with Regulation SCI and submit a report of such annual review to its senior management and to the Commission;
  • Designate those of its members or participants that would be required to participate in the testing (to occur at least annually) of its business continuity and disaster recovery plans, and coordinate such testing with other SCI entities on an industry- or sector-wide basis; and
  • Meet certain other requirements, including maintaining records related to compliance with Regulation SCI and providing Commission representatives reasonable access to its systems to assess compliance with the rule.

The Commission received substantial comment on the SCI Proposal from a wide range of entities. Commenters generally expressed support for the goals of the rule, but many suggested that the SCI Proposal's scope was unnecessarily broad and could be more tailored to lower compliance costs and still achieve the goal of reducing significant technology risk in the markets. Broadly speaking, the areas of concern garnering the greatest comment included the: (i) Breadth of certain key proposed definitions; (ii) costs associated with the scope of the proposed rule, including its reporting obligations; (iii) publications designated on Table A as proposed examples of “current SCI industry standards;” (iv) proposed entity safe harbor for systems compliance policies and procedures; (v) breadth of the proposed mandatory testing requirements; and (vi) proposed access provision.[43]

The Commission has carefully considered the views of commenters in crafting Regulation SCI to meet its goals to strengthen the technology infrastructure of the securities markets and improve its resilience when technology falls short. Many of these modifications are intended to further focus the scope of the requirements from the proposal and to lessen the costs and burdens on SCI entities, while still allowing the Commission to achieve its goals. While Section IV below provides a detailed discussion of the changes the Commission has made to the SCI Proposal in adopting Regulation SCI today,[44] broadly speaking, the key changes include:

  • Refining the scope of the proposal by, among other things, revising certain key definitions (including the definition of SCI systems and the definition of SCI ATS to exclude ATSs that trade only municipal securities or corporate debt securities (together, “fixed-income ATSs”)), refining the reporting framework for SCI events, and replacing the proposed 30-day advanced reporting requirement for material systems changes with a quarterly reporting requirement;
  • Modifying the proposal to differentiate certain obligations and requirements, including tailoring certain obligations based on the criticality of a system (by, for example, adopting a new defined term “critical SCI system” for which heightened requirements will apply), and based on the significance of an event (such as adopting a new defined term “major SCI event” for purposes of the dissemination requirements, and establishing differing reporting obligations for SCI events that have had no or a de minimis impact on the SCI entity's operations or on market participants);
  • Modifying the proposed policies and procedures requirements relating to both operational capability and the maintenance of fair and orderly markets, as well as systems compliance;
  • Refining the scope of SCI entity members and participants that would be required to participate in mandatory business continuity/disaster recovery plan testing; and
  • Eliminating the proposed requirement that SCI entities provide Commission representatives reasonable access to their systems because the Commission can adequately assess an SCI entity's compliance with Regulation SCI through existing recordkeeping requirements and examination authority, as well as through the new recordkeeping requirement in Rule 1005 of Regulation SCI.

In addition, the Commission notes that proposed Regulation SCI consisted of a single rule (Rule 1000) that included subparagraphs ((a) through (f)) addressing the various obligations of the rule. However, for clarity and simplification, adopted Regulation SCI is renumbered as Rules 1000 through 1007, as follows:

  • Adopted Rule 1000 (which corresponds to proposed Rule 1000(a)) contains definitions for terms used in Regulation SCI;
  • Adopted Rule 1001 (proposed Rules 1000(b)(1)-(2)) contains the policies and procedures requirements for SCI entities relating to both operational capability and the maintenance of fair and orderly markets, as well as systems compliance;
  • Adopted Rule 1002 (proposed Rules 1000(b)(3)-(5)) contains the obligations of SCI entities with respect to SCI events, which include corrective action, Commission notification, and information dissemination;
  • Adopted Rule 1003 (proposed Rules 1000(b)(6)-(8)) contains requirements relating to material systems changes and SCI reviews;
  • Adopted Rule 1004 (proposed Rule 1000(b)(9)) contains requirements relating to business continuity and disaster recovery testing;
  • Adopted Rule 1005 (proposed Rule 1000(c)) contains requirements relating to recordkeeping;
  • Adopted Rule 1006 (proposed Rule 1000(d)) contains requirements relating to electronic filing and submission;
  • Adopted Rule 1007 (proposed Rule 1000(e)) contains requirements for service bureaus.

IV. Description of Adopted Regulation SCI and Form SCI

A. Definitions Establishing the Scope of Regulation SCI—Rule 1000

A series of definitions set forth in Rule 1000 relate to the scope of Regulation SCI. These include the definitions for “SCI entity” (as well as the types of entities that are SCI entities, namely “SCI SRO,” “SCI ATS,” “plan processor,” and “exempt clearing agency subject to ARP”), “SCI systems” (and related definitions for “indirect SCI systems” and “critical SCI systems”), and “SCI event” (as well as the types of events that constitute SCI events, namely “systems disruption,” “systems compliance issue,” and “systems intrusion”).[45]

1. SCI Entities

Regulation SCI imposes requirements on entities meeting the definition of “SCI entity” under the rule. Proposed Rule 1000(a) defined “SCI entity” as an “SCI self-regulatory organization, SCI alternative trading system, plan processor, or exempt clearing agency subject to ARP.” [46] The Commission is adopting the definition of “SCI entity” in Rule 1000 as proposed.[47]

Some commenters discussed the definition of SCI entity generally and advocated for an expansion of the proposed definition, asserting that additional categories of market participants may have the potential to impact the market in the event of a systems issue.[48] For example, one commenter suggested that the definition of “SCI entity” be extended to include the ATS and broker-dealer entities covered by the Regulation NMS definition of a “trading center.” [49] Another commenter stated that the Commission should potentially expand the definition of SCI entity to also include dark pools if they met the volume thresholds of ATSs.[50]

Other commenters believed that the scope of the definition should be more limited.[51] For example, one commenter suggested that the definition should only include those entities that are systemically important to the functioning of the U.S. securities markets and should utilize volume thresholds for exchanges and ATSs to make this determination.[52]

Several commenters advocated the adoption of a “risk-based” approach, which would entail categorizing market participants based on the criticality of the functions performed rather than applying Regulation SCI to all “SCI entities” equally.[53] Some commenters suggested replacing the term “SCI entity” with categories of participants based on potential market impact or including in the definition only those participants that are essential to continuous market-wide operation or that are the sole providers of a service in the securities markets.[54] Other commenters agreed with the proposed scope of the term “SCI entity,” but believed that the various requirements under the rule should be tiered based on risk profiles.[55] Several commenters identified various factors that should be considered in conducting a risk-assessment such as whether an entity is a primary listing market, is the sole market where the security is traded, or performs a monopoly or utility type role where there is no redundancy built into the marketplace, among others.[56] Some commenters identified specific functions that they believed to be highly critical to the functioning of the securities markets and thus pose the greatest risk to the markets in the event of a systems issue, including securities information processing, clearance and settlement systems, and trading of exclusively listed securities, among others.[57]

After careful consideration of the comments, the Commission has determined to adopt the overall scope of entities covered by Regulation SCI as proposed.[58] As discussed below, the Commission continues to believe that it is appropriate and would further the goals of the national market system to subject all SROs (excluding securities futures exchanges), ATSs meeting certain volume thresholds with respect to NMS stocks and non-NMS stocks (discussed further below), plan processors, and certain exempt clearing agencies to the requirements of Regulation SCI. The Commission believes that this definition appropriately includes those entities that play a significant role in the U.S. securities markets and/or have the potential to impact investors, the overall market, or the trading of individual securities.[59]

While some commenters supported expanding the definition of SCI entity to encompass various other types of entities, the Commission has determined not to expand the scope of entities subject to Regulation SCI at this time. As noted in the SCI Proposal, Regulation SCI is based, in part, on the ARP Inspection Program, which has included the voluntary participation of all active registered clearing agencies, all registered national securities exchanges, the only registered national securities association—Financial Industry Regulatory Authority (“FINRA”), one exempt clearing agency, and one ATS.[60] The ARP Inspection Program has also included the systems of entities that process and disseminate quotation and transaction data on behalf of the Consolidated Tape Association System (“CTA Plan”), Consolidated Quotation System (“CQS Plan”), Joint Self-Regulatory Organization Plan Governing the Collection, Consolidation, and Dissemination of Quotation and Transaction Information for Nasdaq-Listed Securities Traded on Exchanges on an Unlisted Trading Privileges Basis (“Nasdaq UTP Plan”), and Options Price Reporting Authority (“OPRA Plan”).[61] Significant-volume ATSs have also been subject to certain aspects of the ARP Policy Statements pursuant to Regulation ATS.[62] In addition, one entity that has been granted an exemption from registration as a clearing agency has been subject to the ARP Inspection Program pursuant to the conditions of the exemption order issued by the Commission.[63] The scope of the definition of SCI entity is intended to largely reflect the historical reach of the ARP Inspection Program and existing Rule 301 of Regulation ATS, while also expanding the coverage to certain additional entities that the Commission believes play a significant role in the U.S. securities markets and/or have the potential to impact investors, the overall market, or the trading of individual securities.
The Commission acknowledged in the SCI Proposal that there may be other categories of entities not included within the definition of SCI entity that, given their increasing size and importance, could pose risks to the market should an SCI event occur.[64] However, as discussed in further detail below,[65] the Commission believes that, at this time, the entities included within the definition of SCI entity, because of their current role in the U.S. securities markets and/or their level of trading activity, have the potential to pose the most significant risk in the event of a systems issue. Although some commenters suggested that Regulation SCI should cover a greater range of market participants,[66] the Commission believes that it is important to move forward now on rules that will meaningfully enhance the technology standards and oversight of key markets and market infrastructure. Further, the Commission believes that a measured approach that takes an incremental expansion from the entities covered under the ARP Inspection Program is an appropriate method for imposing the mandatory requirements of Regulation SCI at this time given the potential costs of compliance. This approach will enable the Commission to monitor and evaluate the implementation of Regulation SCI, the risks posed by the systems of other market participants, and the continued evolution of the securities markets, such that it may consider, in the future, extending the types of requirements in Regulation SCI to additional categories of market participants, such as non-ATS broker-dealers, security-based swap dealers, investment advisers, investment companies, transfer agents, and other key market participants. As noted in the SCI Proposal, should the Commission decide to propose to apply some or all of the requirements of Regulation SCI to additional types of entities, the Commission will issue a separate release discussing such a proposal and seeking public comment.[67]

With respect to another commenter's recommendation regarding dark pools, to the extent that this commenter intended its comment to refer to ATSs, ATSs would be included within the scope of Regulation SCI if they met the applicable volume thresholds discussed below.[68] To the extent that this commenter intended its comment to refer to other types of non-ATS dark venues where broker-dealers internalize order flow, the Commission notes that it has determined not to extend the scope of Regulation SCI to other types of broker-dealers at this time for the reasons discussed below.[69]

The Commission has also determined not to further limit the scope of entities subject to Regulation SCI as suggested by some commenters. As discussed in more detail below, the Commission continues to believe that each of the identified categories of entities plays a significant role in the U.S. securities markets and/or has the potential to impact investors, the overall market, or the trading of individual securities, and thus should be subject to the requirements of Regulation SCI. Accordingly, the Commission does not agree that it should adopt a “risk-based” approach to further limit the categories of market participants subject to Regulation SCI. The Commission believes that limiting the applicability of Regulation SCI to only the most systemically important entities posing the highest risk to the markets is too limited of a category of market participants, as it would exclude certain entities that, in the Commission's view, have the potential to pose significant risks to the securities markets should an SCI event occur. However, the Commission believes it is appropriate to incorporate risk-based considerations in various other aspects of Regulation SCI. Consistent with the views of some commenters advocating that the requirements of Regulation SCI should be tailored to the specific risk-profile of a particular entity or particular system,[70] the Commission notes that Regulation SCI, as proposed, was intended to incorporate a consideration of risk within its requirements and believes it is appropriate to more explicitly incorporate risk considerations in various provisions of adopted Regulation SCI. For example, as discussed in further detail below, the requirement to have reasonably designed policies and procedures relating to operational capability was designed to permit SCI entities to take a risk-based approach in developing their policies and procedures based on the criticality of a particular system.[71] In addition, the Commission believes that it is appropriate to further incorporate a risk-based approach into other aspects of the regulation, and thus, as discussed below, is adopting a new term—“critical SCI systems”—to identify systems that the Commission believes should be subject to heightened requirements in certain areas.[72] Further, the Commission has determined that certain other definitions (such as the definition of “SCI systems”), and certain requirements of the rule (such as Commission notification for SCI events and material systems changes), should be scaled back and refined consistent with a risk-based approach, as discussed below. The Commission believes that these modifications, further incorporating risk-based considerations in the requirements and scaling back certain requirements, provide the proper balance between requiring that the appropriate entities are subject to baseline standards for systems capacity, integrity, resiliency, availability, security, and compliance, while reducing the overall burden of the rule for all SCI entities, which is consistent with, and responsive to, the views of those commenters that the Commission take a more risk-based approach to SCI entities.

a. SCI Self-Regulatory Organization or SCI SRO

Proposed Rule 1000(a) defined “SCI self-regulatory organization,” or “SCI SRO,” to be consistent with the definition of “self-regulatory organization” set forth in Section 3(a)(26) of the Exchange Act.[73] This definition covered all national securities exchanges registered under Section 6(b) of the Exchange Act,[74] registered securities associations,[75] registered clearing agencies,[76] and the Municipal Securities Rulemaking Board (“MSRB”).[77] The definition, however, excluded an exchange that lists or trades security futures products that is notice-registered with the Commission as a national securities exchange pursuant to Section 6(g) of the Exchange Act, as well as any limited purpose national securities association registered with the Commission pursuant to Exchange Act Section 15A(k).[78] Accordingly, the proposed definition of SCI SRO in Rule 1000(a) included all national securities exchanges registered under Section 6(b) of the Exchange Act, all registered securities associations, all registered clearing agencies, and the MSRB.[79] The definition of “SCI self-regulatory organization” or “SCI SRO” is being adopted in Rule 1000 as proposed.[80]

One commenter suggested that the rule should include volume thresholds for exchanges.[81] Specifically, this commenter recommended that, with regard to exchanges, the definition should include only those exchanges that have five percent or more of average daily dollar volume in at least five NMS stocks for four of the previous six months.[82] Another commenter asked the Commission to adopt certain specific exceptions to the definition of SCI SRO and SCI entity for entities that are dually registered with the CFTC and Commission where the CFTC is the entity's “primary regulator” and for any entity that does not play a “significant role” in the markets subject to the Commission's jurisdiction and that cannot have a “significant impact” on the markets subject to the Commission's jurisdiction.[83]

The Commission does not believe that a trading volume threshold is appropriate for SCI SROs that are exchanges, but instead believes that Regulation SCI should apply to all SCI SROs. The threshold suggested by the commenter would exclude from Regulation SCI those exchanges with volumes below the suggested threshold; however, the Commission believes that all exchanges play a significant role in our securities markets. For example, all stock exchanges are subject to a variety of specific public obligations under the Exchange Act, including the requirements of Regulation NMS which, among other things, designates the best bid or offer of such exchanges to be protected quotations.[84] Accordingly, every exchange may have a protected quotation that can obligate market participants to send orders to that exchange. Among other reasons, given that market participants may be required to send orders to any one of the exchanges at any given time if such exchange is displaying the best bid or offer, the Commission believes that it is important that the safeguards of Regulation SCI apply equally to all exchanges irrespective of trading volume.

With regard to one commenter's suggestion to except from the definition of SCI SRO those entities dually registered with the CFTC and Commission where the CFTC is the entity's “primary regulator,”[85] the Commission disagrees that such entities should be relieved from the requirements of Regulation SCI solely because they are dually registered.[86] While the CFTC is responsible for overseeing such an entity with regard to its futures activities, it does not have oversight responsibility for the entity's securities-related activities and systems. While the commenter stated that it (as a dual registrant) is already subject to similar requirements to adopt controls and procedures with regard to operational risk and reliability, security, and capacity of its systems pursuant to CFTC regulations, the Commission again notes that such requirements do not apply to such an entity's securities-related systems as such systems are outside of the CFTC's jurisdiction and, as such, such systems would not be subject to inspection and examination by the CFTC for compliance with such requirements.[87] Further, Regulation SCI imposes a notification framework to inform the Commission of SCI events and material systems changes, as well as other requirements unique to Regulation SCI. Accordingly, the Commission believes that such entities should be subject to the requirements of Regulation SCI. In addition, as noted above, this commenter also asked the Commission to create an exception for any entity that does not play a “significant role” in the markets subject to the Commission's jurisdiction and that cannot have a “significant impact” on the markets subject to the Commission's jurisdiction.[88] While the Commission disagrees with excluding SROs from coverage as discussed above, the Commission notes that it is revising the proposed definition of SCI systems to clarify that the term SCI systems encompasses only those systems that, with respect to securities, directly support trading, clearance and settlement, order routing, market data, market regulation, or market surveillance, as discussed below.[89] Accordingly, the Commission believes this change should address the commenter's concerns about the requirements applying to entities whose systems cannot affect the markets subject to the Commission's jurisdiction, i.e., the U.S. securities markets.

b. SCI Alternative Trading System

Proposed Rule 1000(a) defined the term “SCI alternative trading system,” or “SCI ATS,” as an alternative trading system, as defined in § 242.300(a), which during at least four of the preceding six calendar months, had: (1) With respect to NMS stocks—(i) five percent or more in any single NMS stock, and 0.25 percent or more in all NMS stocks, of the average daily dollar volume reported by an effective transaction reporting plan, or (ii) one percent or more, in all NMS stocks, of the average daily dollar volume reported by an effective transaction reporting plan; (2) with respect to equity securities that are not NMS stocks and for which transactions are reported to a self-regulatory organization, five percent or more of the average daily dollar volume as calculated by the self-regulatory organization to which such transactions are reported; or (3) with respect to municipal securities or corporate debt securities, five percent or more of either—(i) the average daily dollar volume traded in the United States, or (ii) the average daily transaction volume traded in the United States.[90]

The proposed definition would have modified the thresholds currently appearing in Rule 301(b)(6) of Regulation ATS that apply to significant-volume ATSs.[91] Specifically, the proposed definition would have: Used average daily dollar volume thresholds, instead of an average daily share volume threshold, for ATSs that trade NMS stocks or equity securities that are not NMS stocks (“non-NMS stocks”); used alternative average daily dollar and transaction volume-based tests for ATSs that trade municipal securities or corporate debt securities; lowered the volume thresholds applicable to ATSs for each category of asset class; and moved the proposed thresholds to Regulation SCI. In particular, with respect to NMS stocks, the Commission proposed to change the volume threshold from 20 percent of average daily volume in any NMS stock such that an ATS that traded NMS stocks that met either of the following two alternative threshold tests would be subject to the requirements of proposed Regulation SCI: (i) Five percent or more in any NMS stock, and 0.25 percent or more in all NMS stocks, of the average daily dollar volume reported by an effective transaction reporting plan; or (ii) one percent or more, in all NMS stocks, of the average daily dollar volume reported by an effective transaction reporting plan. With respect to non-NMS stocks, municipal securities, and corporate debt securities, the Commission proposed to reduce the standard from 20 percent to five percent for these types of securities,[92] the same percentage threshold for such types of securities that triggers the fair access provisions of Rule 301(b)(5) of Regulation ATS.[93]

The proposed definition of “SCI ATS” is being adopted substantially as proposed with regard to ATSs trading NMS stocks and ATSs trading non-NMS stocks, with the addition of a six-month compliance period for entities satisfying the thresholds in the definition for the first time, as discussed in more detail below. However, for the reasons discussed below, the Commission has determined to exclude from the definition of “SCI ATS” ATSs that trade only municipal securities or corporate debt securities and accordingly, such ATSs will not be subject to the requirements of Regulation SCI.

Inclusion of ATSs Generally

Many commenters provided comment on the inclusion of ATSs within the scope of Regulation SCI. Some commenters believed that more ATSs should be covered by Regulation SCI.[94] For example, some commenters suggested that the term “SCI ATS” should include all ATSs, because these commenters believed that they have the potential to negatively impact the market in the event of a systems issue.[95] Moreover, one commenter stated that the Commission should not distinguish between ATSs based on calculated thresholds because an ATS might limit trading on its system so as to avoid being subject to the requirements of Regulation SCI.[96]

Conversely, other commenters stated that fewer, or even no, ATSs should be covered.[97] Such commenters generally argued that there are key differences between ATSs and exchanges, and thus, ATSs should be regulated differently from exchanges and not be included in Regulation SCI with exchanges.[98] The differences identified by commenters included: ATSs' relative market shares and sizes; the fact that ATSs are already subject to various regulations as broker-dealers (including Rule 15c3-5 under the Exchange Act, various FINRA rules, and Regulation ATS); and certain fundamental economic differences between the two types of entities (including that exchanges can gain revenue from listing and market data, have self-clearing, and have a protected quote).[99] One commenter argued that, if the Commission were to include ATSs in Regulation SCI, it should treat ATSs and SROs equally by allowing ATSs to have the same benefits of SROs, including allowing ATSs to derive an income stream from contributions to the SIP, have access to clearing, and have immunity from lawsuits.[100] Other commenters also noted that, although ATSs have an increasingly large, collective market share, ATSs have not contributed to any of the recent major systems issues that have impacted the market.[101]

Another commenter stated that the SCI Proposal unfairly discriminated against ATSs by including them within the definition of SCI entity.[102] Specifically, although this commenter did not believe that Regulation SCI should be expanded to include more entities, it stated that the SCI Proposal's failure to capture certain entities (such as clearing firms, market makers, block positioners, and order routing firms) that it believed could have a greater impact on market stability in the event of a systems issue, while including ATSs, demonstrates that the proposal is arbitrary, capricious, and unfairly discriminatory in nature.[103]

After careful consideration of the comment letters, the Commission continues to believe that the inclusion of ATSs that trade NMS stocks and non-NMS stocks in Regulation SCI is appropriate.[104] The Commission believes that certain of those ATSs play an important role in today's securities markets, and thus should be subject to the safeguards and obligations of Regulation SCI. As noted in the SCI Proposal, the equity markets have evolved significantly over recent years, resulting in an increase in the number of trading centers and a reduction in the concentration of trading activity.[105] As such, even smaller trading centers, such as certain higher-volume ATSs, now collectively represent a significant source of liquidity for NMS stocks and some ATSs have similar and, in some cases, greater trading volume than some national securities exchanges, with no single national securities exchange executing more than approximately 19 percent of volume in NMS stocks in today's securities markets.[106] Accordingly, the Commission believes that ATSs meeting certain volume thresholds can play a significant role in the securities markets and, given their heavy reliance on automated systems, have the potential to significantly impact investors, the overall market, and the trading of individual securities should an SCI event occur.

Commenters identified certain differences between exchanges and ATSs, which commenters argued justified different treatment under Regulation SCI for ATSs or exclusion of ATSs from the regulation completely.[107] While the Commission recognizes that there are some fundamental differences between ATSs and exchanges, including certain of those identified by commenters, the Commission does not agree that all ATSs should be excluded from Regulation SCI because, as discussed above, it believes that there are certain significant-volume ATSs that have the potential to significantly impact investors, the overall market, or the trading of individual securities should an SCI event occur. At the same time, the risk-based considerations permitted in adopted Regulation SCI may result in the systems of those ATSs that are subject to Regulation SCI (i.e., SCI ATSs) being subject to less stringent requirements than the systems of SROs or other SCI entities in certain areas. For example, as discussed in further detail below, the Commission is adopting a definition of “critical SCI systems,” which are a subset of SCI systems that are subject to certain heightened requirements under Regulation SCI. This definition is intended to capture those systems that are core to the functioning of the securities markets or that represent “single points of failure” and thus, pose the greatest risk to the markets. The Commission believes that, as currently constituted, relative to the systems of SCI SROs, the systems of SCI ATSs generally would not fall within this category of critical SCI systems, and thus such SCI ATSs would not be subject to the more stringent requirements that would be applicable to the critical SCI systems of other SCI entities. The Commission also notes that other requirements under Regulation SCI are designed to be consistent with a risk-based approach. The Commission believes that this approach recognizes the different roles played by different SCI systems at various SCI entities and, where permitted, allows each SCI entity, including SCI ATSs, to tailor the applicable requirements accordingly.

While some commenters noted that ATSs have not contributed to any of the recent high-profile systems issues,[108] the Commission does not believe that the relative lack of high-profile systems issues at ATSs to date is an indication that ATSs do not have the potential to have a significant impact on the market in the event of a future systems issue.[109]

Other commenters noted the competitive environment of ATSs and argued that, if one ATS experiences a systems issue and becomes temporarily unavailable, trading can be easily rerouted to other venues.[110] The Commission acknowledges that a temporary outage at an ATS (or at a SCI SRO, for that matter) may not lead to a widespread systemic disruption. However, the Commission notes that Regulation SCI is not designed to solely address system issues that cause widespread systemic disruption, but also to address more limited systems malfunctions and other issues that can harm market participants or create compliance issues.[111]

Some commenters also stated that inclusion of ATSs is not necessary because ATSs are already subject to sufficient regulations as broker-dealers, citing Rule 15c3-5 under the Exchange Act, various FINRA rules, and Regulation ATS.[112] While the Commission acknowledges that these rules similarly impose requirements related to the capacity, integrity and/or security of a broker-dealer's systems and are designed to address some of the same concerns that Regulation SCI is intended to address, the Commission notes that these rules generally take a different approach than Regulation SCI. For example, the obligations of an ATS under Rule 15c3-5 address vulnerabilities in the national market system that relate specifically to market access,[113] whereas Regulation SCI is designed to further the goals of the national market system more broadly by helping to ensure the capacity, integrity, resiliency, availability, and security of the automated systems of entities important to the functioning of the U.S. securities markets.[114] Thus, the Commission has determined to include ATSs within the scope of Regulation SCI because of their role as markets and a potential significant source of liquidity. With regard to the FINRA rules identified by commenters, the Commission does not believe that these rules, even when considered in combination with Rule 15c3-5, are an appropriate substitute for the comprehensive approach in Regulation SCI for ATSs in their role as markets.[115] Finally, as noted above, Rule 301(b)(6) of Regulation ATS imposed by rule certain aspects of the ARP Policy Statements on significant-volume ATSs. As described in detail herein, Regulation SCI seeks to expand upon, update, and modernize the requirements of the ARP Policy Statements and Rule 301(b)(6), by, for example, expanding the requirements to a broader set of systems, imposing new requirements for information dissemination regarding SCI events, and requiring Commission notification for additional types of events, among others. Accordingly, the Commission believes that, for SCI ATSs, the existing broker-dealer rules and regulations identified by commenters are complemented by the requirements of Regulation SCI (other than Rule 301(b)(6), which will no longer apply to ATSs that trade NMS stocks and non-NMS stocks), and do not serve as substitutes for the regulatory framework being adopted today.

The Commission also believes that, unlike with respect to exchanges, it is appropriate that Regulation SCI not apply to all ATSs. Exchanges, as self-regulatory organizations, play a special role in the U.S. securities markets, and as such, are subject to certain requirements under the Exchange Act and are able to enjoy certain unique benefits.[116] Accordingly, as discussed above, the Commission believes it is appropriate to subject all national securities exchanges to the requirements of Regulation SCI regardless of trading volume.[117] In contrast, in recognition of the more limited role that certain ATSs may play in the securities markets and the costs that will result from compliance with the requirements of the regulation, the Commission believes that it is appropriate to adopt volume thresholds, as discussed below, to identify those ATSs that have the potential to significantly impact the market should an SCI event occur, therefore warranting inclusion within the scope of the regulation. One commenter, in advocating for the application of the regulation to all ATSs, stated that the Commission should not adopt volume thresholds because ATSs may limit trading so as to avoid being subject to the requirements of Regulation SCI.[118] The Commission does not believe that the possibility of some ATSs structuring their business to fall below the thresholds of the rule is a sufficient justification for applying the rule to all ATSs. The Commission notes that, to the extent that an ATS limits its trading so as not to reach the volume thresholds for SCI ATSs, it would have less potential to impact investors and the market and may appropriately not be subject to the requirements of the rules. As discussed further below, the Commission believes that the dual dollar volume threshold for NMS stocks being adopted today is appropriately designed to ensure that ATSs that have either the potential to significantly impact the market as a whole or the potential to significantly impact the market for a single NMS stock (and have some impact on the market as a whole at the same time) will be subject to the requirements of Regulation SCI. Thus, only those ATSs that limit their trading so as to fall below both the single NMS stock threshold and the broad NMS stocks threshold will not be subject to the requirements of Regulation SCI.

As noted above, one commenter asserted that, if ATSs are subject to the same requirements of Regulation SCI as exchanges, they similarly should be entitled to the benefits afforded to SROs.[119] The Commission notes that, as discussed above, SROs are subject to a variety of obligations as self-regulatory organizations under the Exchange Act—including filing proposed rules with the Commission and enforcing those rules and the federal securities laws with respect to their members—that do not apply to other market participants, including ATSs.[120] Although SRO and non-SRO markets are subject to different regulatory regimes, with a different mix of benefits and obligations, the Commission believes it is appropriate to subject them to comparable requirements for purposes of Regulation SCI given the importance of assuring that the technology of key trading centers, regardless of regulatory status, is reliable, secure, and functions in compliance with the law.[121] At the same time, while questions have been raised as to whether the broader regulatory regimes for exchanges and ATSs should be harmonized, the Commission does not believe it appropriate to delay implementing Regulation SCI or necessary to resolve these issues before proceeding with Regulation SCI. The Commission notes that ATSs have the ability to apply for registration as a SRO should they so wish and, if such application were to be approved by the Commission, such entities could assume the additional responsibilities that are imposed on SROs, as well as avail themselves of the same benefits.

As noted above, one commenter objected to the regulation's inclusion of ATSs while excluding certain other entities that the commenter believed similarly had the potential to impact the market, concluding that the proposal was therefore arbitrary, capricious, and unfairly discriminatory in nature.[122] At the same time, this commenter stated that it did not recommend that additional entities be included within the scope of the regulation.[123] First, as noted above, the Commission has determined to include ATSs meeting the adopted volume thresholds within the scope of Regulation SCI because of their unique role as markets rather than because of their role as traditional broker-dealers. All broker-dealers are subject to Rule 15c3-5 and other FINRA rules as noted by some commenters, which impose certain requirements related to the capacity, integrity and/or security of a broker-dealer's systems appropriately tailored to their role as broker-dealers. Further, as noted above, the scope of Regulation SCI is rooted in the historical reach of the ARP Inspection Program and Rule 301 of Regulation ATS (which applies to significant-volume ATSs).[124] The Commission acknowledged in the SCI Proposal that there may be other categories of broker-dealers not included within the definition of SCI entity that, given their increasing size and importance, could pose a significant risk to the market should an SCI event occur.[125] The Commission solicited comment on whether there are additional categories of market participants that should be subject to all or some of the requirements of Regulation SCI and noted that, were the Commission to decide to apply the requirements of Regulation SCI to such additional entities, it would issue a separate release outlining such a proposal and the rationale therefor.[126] As discussed above, the Commission believes that, at this time, the entities included within the scope of Regulation SCI, because of their current role in the U.S. securities markets and/or their level of trading activity, have the potential to pose the most significant risk in the event of a systems issue. Further, the Commission believes that a measured approach that takes an incremental expansion from the entities covered under the ARP Inspection Program is an appropriate method for imposing the mandatory requirements of Regulation SCI at this time. As such, while the Commission believes that the types of entities subject to Regulation SCI as adopted are appropriate, the Commission may consider extending the types of requirements in Regulation SCI to additional market participants in the future.

SCI ATS Thresholds

Several commenters discussed the specific proposed volume thresholds for SCI ATSs, and many offered what they believed to be more appropriate alternative methods for including ATSs within Regulation SCI.[127] For example, some commenters urged the Commission to retain the existing 20 percent threshold under Regulation ATS for purposes of Regulation SCI or asked the Commission to provide further explanation as to why the current threshold under Regulation ATS should be altered.[128] One commenter agreed with the Commission that the 20 percent threshold currently in Regulation ATS might be too high, and suggested using a threshold for ATSs trading NMS stocks of five percent or more of the volume in all NMS stocks during a 12-month period, to be determined once a year in the same given month.[129] Another commenter suggested that the Commission apply its ATS threshold for NMS stocks to only the 500 most active securities.[130] An additional recommendation by one commenter with regard to NMS stocks was to include only those ATSs with five percent or more of at least five NMS stocks with an aggregate average daily share volume greater than 500,000 shares and 0.25 percent or more of all NMS stocks for four of the previous six months, or those ATSs that have three percent or more of all NMS stocks in four of the previous six months.[131] Another commenter suggested retaining Rule 301(b)(6) as part of Regulation ATS, but amending the rule by lowering the average daily volume threshold to 2.5 percent.[132]

One commenter requested clarification on the phrase “0.25 percent or more in all NMS stocks, of the average daily dollar volume reported by an effective transaction reporting plan.” [133] Because there is more than one transaction reporting plan, this commenter asked whether the proposed volume thresholds would be calculated per plan or calculated based on all NMS volume.[134]

Some commenters provided suggestions with regard to the proposed measurement methodology for the thresholds.[135] A few commenters argued that the proposed time period measurement of “at least four of the preceding six calendar months” is cumbersome to apply in practice and believed that the time period should be over a longer term.[136] For example, two commenters stated that the rule should utilize a 12-month measurement period.[137] Conversely, another commenter generally opposed the thresholds stating that all ATSs should be subject to the rule, but noted that if the rule includes a trading volume metric, the measurement period should be much shorter (such as two to four weeks).[138] In addition, one commenter stated that the measurement should be based on number of shares traded rather than dollar value.[139]

Two commenters also suggested that ATSs should be given six months after meeting the given threshold in the definition of SCI ATS to come into compliance with Regulation SCI.[140]

The Commission is adopting the thresholds for ATSs that trade NMS stocks and non-NMS stocks as proposed. In setting the thresholds for Regulation SCI, the Commission believes it is establishing an appropriate and reasonable scope for the application of the regulation. Although commenters provided various suggestions for different thresholds, nothing persuaded the Commission that these suggestions would better accomplish the goals of Regulation SCI than the thresholds the Commission is adopting. As discussed below, the Commission has analyzed the number of entities it believes are likely to be covered by the thresholds it is establishing. The Commission recognizes that these thresholds ultimately represent a matter of judgment by the Commission as it takes the step of promulgating Regulation SCI, and the Commission intends to monitor these thresholds to determine whether they continue to be appropriate.

With regard to the threshold for ATSs trading NMS stocks, the Commission has determined to adopt this threshold as proposed. After careful consideration of the comments, the Commission continues to believe that this threshold is an appropriate measure of when a market is of sufficient significance so as to warrant the protections and requirements of Regulation SCI.[141] The Commission is, however, making one technical modification in response to a commenter to clarify that the threshold will be calculated based on all NMS volume, rather than on a per plan basis.[142] The Commission agrees with the commenter that the proposed language should be clarified and, as such, the threshold language within the definition of “SCI ATS” in Rule 1000 is being revised to refer to “applicable effective transaction reporting plans,” rather than “an effective transaction reporting plan.” [143]

Under the adopted definition of SCI ATS, with regard to NMS stocks, an ATS will be subject to Regulation SCI if, during at least four of the preceding six calendar months, it had: (i) Five percent or more in any single NMS stock, and 0.25 percent or more in all NMS stocks, of the average daily dollar volume reported by applicable effective transaction reporting plans, or (ii) one percent or more, in all NMS stocks, of the average daily dollar volume reported by applicable effective transaction reporting plans.[144] The Commission continues to believe that this threshold will identify those ATSs that could have a significant impact on the overall market or that could have a significant impact on a single NMS stock and some impact on the market as a whole at the same time.[145]

While some commenters advocated for thresholds higher than those proposed and/or retaining the 20 percent threshold in Regulation ATS,[146] as the Commission discussed in the SCI Proposal, the securities markets have significantly evolved since the time of the adoption of Regulation ATS, resulting in trading activity in stocks being more dispersed among a variety of trading centers. For example, in today's markets, national securities exchanges, once the predominant type of venue for trading stocks, each account for no more than approximately 19 percent of volume in NMS stocks.[147] By way of contrast, based on data collected from ATSs pursuant to FINRA Rule 4552 for 18 weeks of trading in 2014, the trading volume of ATSs accounted for approximately 18 percent of the total dollar volume in NMS stocks, with no individual ATS executing more than five percent.[148] Given this dispersal of trading volume among an increasing number of trading venues, the increasingly interconnected nature of the markets, and the increasing reliance on a variety of automated systems, the Commission believes that there is a heightened potential for systems issues originating from a number of sources to significantly affect the market. Due to these developments, the Commission believes that the 20 percent threshold as adopted in Regulation ATS is no longer an appropriate measure for determining those entities that can have a significant impact on the market and thus should be subject to the protections of Regulation SCI. Rather, the Commission believes that lower volume thresholds are appropriate, and as noted in the SCI Proposal, the Commission believes that the adopted thresholds would include ATSs having NMS stock dollar volume comparable to or in excess of the NMS stock dollar volume of certain national securities exchanges subject to Regulation SCI.[149]

Based on data collected from ATSs pursuant to FINRA Rule 4552 for 18 weeks of trading in 2014,[150] the Commission believes that approximately 12 ATSs trading NMS stocks would exceed the adopted thresholds and fall within the definition of SCI entity, accounting for approximately 66 percent of the dollar volume market share of all ATSs trading NMS stocks.[151] The Commission acknowledges that its analysis of the FINRA ATS data did not reveal an obvious threshold level above which a particular subset of ATSs may be considered to have a significant impact on individual NMS stocks or the overall market, as compared to another subset of ATSs. However, for the following reasons, the Commission continues to believe that the adopted thresholds for ATSs trading NMS stock are an appropriate measure to identify those ATSs that should be subject to the requirements of Regulation SCI. First, by imposing both a single NMS stock threshold and an all NMS stocks threshold in the first prong of the definition, the thresholds will help to ensure that Regulation SCI will not apply to an ATS that has a large volume in a small NMS stock and little volume in all other NMS stocks. At the same time, the Commission believes that inclusion of the dual-prong dollar volume thresholds is appropriate. Specifically, it will require not only that ATSs that have significant trading volume in all NMS stocks are subject to the requirements of Regulation SCI, but also that ATSs that have large trading volume in a single NMS stock and could significantly affect the market for that stock are also covered by the safeguards of Regulation SCI provided they have levels of trading in all NMS stocks that could allow such ATSs to also have some impact on the market as a whole.
The Commission also believes that, as discussed further below, the adopted thresholds will also appropriately capture not only ATSs that have significant trading volume in active stocks, but also those that have significant trading volume in less active stocks. The Commission believes that a systems issue at an ATS that is a significant market for the trading of a less actively traded stock could similarly impose significant risks to the market for such securities, because a systems outage at such a venue could significantly impede the ability to trade such securities, thereby having a significant impact on the market for such less-actively traded securities. In addition, the Commission continues to believe that thresholds that account for 66 percent of the dollar volume market share of all ATSs trading NMS stocks is a reasonable level that would not exclude new entrants to the ATS market.[152] Further, as noted above, the thresholds would include ATSs having NMS stock dollar value comparable to the NMS stock dollar volume of the equity exchanges subject to Regulation SCI. Finally, the Commission believes that the adopted thresholds are appropriate to help ensure that entities that have determined to participate (in more than a limited manner) in the national market system as markets that bring buyers and sellers together, are subject to the requirements of Regulation SCI.

As noted above, several commenters provided specific suggestions for alternative standards for determining which ATSs should be included within the scope of Regulation SCI.[153] While the Commission recognizes that some of the suggested alternatives could have certain benefits, it also believes that each recommended standard also has corresponding limitations, and thus believes that the adopted thresholds are an appropriate measure for identifying those ATSs that should be subject to Regulation SCI. First, as described above, the Commission believes that adopting a two-prong standard is necessary to identify those ATSs that, in the event of a systems issue, could have a significant impact on the overall market or that could have a significant impact on a single NMS stock and some impact on the market as a whole at the same time. The Commission notes that several of the thresholds suggested by commenters lacked such a dual-prong standard (and, in particular, the prong relating to individual NMS stocks) and thus do not provide the advantages associated with the adopted threshold in protecting the trading venues for a single NMS stock. With regard to one commenter's suggestion that the first prong of the threshold should, among other things, consider five NMS stocks, rather than a single stock, the Commission does not believe the commenter has provided any clear rationale for this standard.[154] As discussed, the purpose of the first prong is to identify significant trading venues (or markets) for a single security where a systems disruption could have a significant effect on the market for that security, and setting the threshold to consider five NMS securities could potentially exclude trading venues that host large trading activity for a single NMS security. 
Additionally, the Commission notes that the suggested alternative approach would be unlikely to have any significant practical effect when used in conjunction with the second prong of the threshold, which looks at trading across all NMS stocks, because the second prong would likely capture an ATS with five percent or more volume in five NMS stocks. With regard to one commenter's suggestion to apply the threshold to only the 500 most active NMS stocks [155] and another commenter's suggestion to include only stocks with an aggregate average daily share volume greater than 500,000,[156] the Commission disagrees that the threshold should be structured to capture only ATSs that have significant trading volume in active stocks. Rather, the first prong of the adopted threshold is designed to capture any ATS that has five percent or more of the trading volume of any NMS stock, irrespective of how actively traded it is, so that Regulation SCI can effectively address risks relating to the trading of all NMS stocks, and not only the most active of NMS stocks. If the Commission were to apply the threshold only to the 500 most active NMS stocks or stocks only with average daily share volumes greater than 500,000, an ATS that, for example, served as the primary venue for the trading of less actively traded NMS stocks, but had negligible market share for more actively traded NMS stocks, would not be subject to Regulation SCI. However, an SCI event that resulted in an outage of such an ATS could have a significant impact on the market for such less actively traded NMS stocks. As such, failure to include such an ATS within the scope of Regulation SCI would be contrary to the goals of the regulation. 
Finally, with regard to one commenter's suggestion to retain Rule 301(b)(6) as part of Regulation ATS and amend the threshold to 2.5 percent,[157] as discussed throughout this release, Regulation SCI is intended to expand upon the requirements of Rule 301(b)(6) and to supersede and replace such requirements for ATSs that trade NMS stocks.[158] For the reasons noted above, the Commission believes it is appropriate to include ATSs meeting the adopted volume thresholds within the scope of Regulation SCI, and the Commission does not believe it is appropriate to retain Rule 301(b)(6) as part of Regulation ATS, thereby subjecting ATSs to a separate and differing set of regulatory requirements than other SCI entities with regard to systems capacity, integrity, resiliency, availability, security, and compliance.[159] For all of the reasons discussed above, the Commission does not believe that any of the alternative standards suggested by commenters would better capture those entities that have the potential to pose significant risk to the market.

One commenter urged the Commission to utilize number of shares traded rather than dollar value, stating that while most of the world uses value traded, available data for the U.S. equity markets is share-based.[160] The Commission disagrees with this commenter and notes that daily dollar volume is readily available from a number of sources, including the SIPs.[161]

The time measurement period for ATSs that trade NMS stocks and non-NMS stocks is also being adopted as proposed. Thus, ATSs will be subject to Regulation SCI only if they meet the numerical thresholds for at least four of the preceding six months.[162] The Commission notes that the adopted time measurement period is consistent with the current standard in Rule 301(b)(6) of Regulation ATS.[163] The Commission believes that this time measurement period is an appropriate time period over which to evaluate the trading volume of an ATS and should help to ensure that it does not capture ATSs with relatively low trading volume that may have had an anomalous increase in trading on a given day or few days. Contrary to concerns raised by some commenters,[164] under this time measurement methodology, an ATS would not qualify as an SCI entity simply by trading a single large block of an illiquid security during one month (or even two or three months). While one commenter suggested that the time measurement period be shorter and recommended a period of two to four weeks,[165] the Commission believes that this could cause ATSs to fall within the scope of the definition solely as a result of an atypical, short-term increase in trading or a small number of large block trades that is not reflective of ATSs' general level of trading. Specifically, with such a short period of measurement, a short-term spike in trading volume uncharacteristic of an ATS's overall trading volume history could (and if large enough, likely would) skew the overall trading volume for that time period, causing an ATS to meet the volume thresholds and thus become subject to Regulation SCI even though the overall risk posed by the ATS does not warrant it. 
Further, the Commission believes that such a shorter time measurement period could provide more barriers to entry for ATSs, because new ATSs would not have as long of a time period to develop their business prior to having to incur the costs of compliance associated with being subject to the requirements of Regulation SCI.[166] This potential to incur such costs almost immediately after the initial start of operations could act as a barrier to entry for some new ATSs.

Other commenters recommended a longer measurement period, such as 12 months.[167] The Commission does not believe, however, that a longer time period is necessary or more appropriate to identify those entities that play a significant role in the market for a particular asset class and/or that have the potential to significantly impact investors or the market, warranting inclusion in the scope of Regulation SCI. The Commission believes that the adopted time measurement period provides sufficient trading history data so as to indicate an ATS's significance to the market, and that the structure of the test (i.e., requiring an ATS to meet the threshold for four out of six months) ensures sustainability of such trading levels. In addition, modifying the time measurement period to 12 months (and thus eliminating the four out of six month measurement period) would make such a measure more susceptible to capturing ATSs that have a major but isolated spike in trading during a single month. Specifically, as noted above, a single anomalous large increase in trading volume during one month (or such a spike in two or three months) could never result in an ATS becoming subject to Regulation SCI solely as a result of such a spike in trading, because the ATS would meet the threshold only for one month, rather than the four months required by the rule. On the other hand, a threshold based on an average over 12 months could be skewed by the occurrence of one large spike in trading that results in the overall average for the 12-month period being increased to such a level that it meets the volume threshold levels. Thus, contrary to one commenter's suggestion that a 12-month period would require “a sustained trading level at the threshold,” [168] the Commission believes that the structure of the adopted measurement period test (i.e., four out of six months) may be a better indicator of actual sustained trading levels at the threshold warranting the protections of the rule. 
Further, the Commission believes that 12 months is a less appropriate time measurement period than the period adopted because, for example, an ATS could have significant trading volume early on during such a time period such that it may pose significant risk to the markets in the event of a systems issue at such an ATS without being subject to Regulation SCI for a significant period of time. The Commission believes that the adopted time period strikes an appropriate balance between being a long enough period so as to not be triggered by atypical periods of increased trading or a few occurrences of very large trades, while also not causing unnecessary delay in requiring that ATSs playing an important role in the market are subject to Regulation SCI.
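The adopted NMS-stock test from the definition of SCI ATS above, and the four-of-six versus 12-month comparison made in this section, worked through in Python as an added illustration (this is not code from the Commission's release). The consolidated market and ATS dollar volumes are constructed, and the 12-month alternative is modelled as an aggregate share over the window, which is an assumption about the form commenters had in mind.

```python
"""Worked example of the SCI ATS volume test for NMS stocks (added illustration).

Not part of the Commission's release. Implements the adopted definition:
an ATS is an SCI ATS if, in at least four of the preceding six calendar
months, it had (i) 5% or more of the average daily dollar volume in any
single NMS stock AND 0.25% or more in all NMS stocks, or (ii) 1% or more in
all NMS stocks. The 12-month aggregate-share test below is included only to
show the spike sensitivity the release describes; its exact form is an
assumption. All dollar figures are constructed.
"""
from dataclasses import dataclass

# Adopted thresholds, as fractions of average daily dollar volume.
SINGLE_STOCK_SHARE = 0.05           # prong (i): any single NMS stock
ALL_STOCKS_SHARE_PRONG_I = 0.0025   # prong (i): all NMS stocks
ALL_STOCKS_SHARE_PRONG_II = 0.01    # prong (ii): all NMS stocks
MONTHS_REQUIRED = 4
MONTHS_WINDOW = 6

# Constructed consolidated market: average daily dollar volume per NMS stock.
# AAA is an active stock, CCC a thinly traded one.
MARKET = {"AAA": 1_000_000_000.0, "BBB": 100_000_000.0, "CCC": 1_000_000.0}


@dataclass(frozen=True)
class MonthlyVolume:
    """Average daily dollar volume for one calendar month."""
    ats: dict      # symbol -> ATS volume in that stock
    market: dict   # symbol -> consolidated volume across all reporting plans


def month_from_shares(shares: dict, market: dict = MARKET) -> MonthlyVolume:
    """Build a month in which the ATS holds the given share of each stock."""
    return MonthlyVolume(
        ats={sym: shares.get(sym, 0.0) * vol for sym, vol in market.items()},
        market=dict(market),
    )


def meets_threshold_for_month(m: MonthlyVolume) -> bool:
    """Apply prong (i) or prong (ii) of the adopted definition to one month."""
    market_total = sum(m.market.values())
    if market_total <= 0:
        return False
    ats_total = sum(m.ats.get(sym, 0.0) for sym in m.market)
    all_share = ats_total / market_total
    if all_share >= ALL_STOCKS_SHARE_PRONG_II:
        return True                      # prong (ii)
    if all_share < ALL_STOCKS_SHARE_PRONG_I:
        return False                     # neither prong can be met
    # prong (i): a large share in at least one stock plus some overall presence
    return any(
        m.ats.get(sym, 0.0) / vol >= SINGLE_STOCK_SHARE
        for sym, vol in m.market.items() if vol > 0
    )


def is_sci_ats(history: list) -> bool:
    """Adopted test: threshold met in at least 4 of the preceding 6 months."""
    window = history[-MONTHS_WINDOW:]
    return sum(meets_threshold_for_month(m) for m in window) >= MONTHS_REQUIRED


def twelve_month_aggregate_test(history: list) -> bool:
    """Commenter-style alternative (assumed form): share of dollar volume
    aggregated over the last 12 months, compared with the 1% all-stocks level."""
    window = history[-12:]
    ats_total = sum(sum(m.ats.values()) for m in window)
    market_total = sum(sum(m.market.values()) for m in window)
    return market_total > 0 and ats_total / market_total >= ALL_STOCKS_SHARE_PRONG_II


# --- Constructed 12-month histories, oldest month first ----------------------
# 1.2% of every stock every month: captured by prong (ii).
STEADY = [month_from_shares({"AAA": 0.012, "BBB": 0.012, "CCC": 0.012})] * 12

# 6% of the thin stock CCC plus 0.3% of the others: captured by prong (i).
NICHE_WITH_PRESENCE = [month_from_shares({"AAA": 0.003, "BBB": 0.003, "CCC": 0.06})] * 12

# 6% of CCC and nothing else: a large share of one small stock and little
# elsewhere, so the all-stocks leg of prong (i) keeps it out of scope.
NICHE_ONLY = [month_from_shares({"CCC": 0.06})] * 12

# 0.2% everywhere except one anomalous month at 15%, three months ago.
SPIKE = [month_from_shares({"AAA": 0.002, "BBB": 0.002, "CCC": 0.002})] * 12
SPIKE[9] = month_from_shares({"AAA": 0.15, "BBB": 0.15, "CCC": 0.15})


if __name__ == "__main__":
    for name, hist in [("steady", STEADY), ("niche+presence", NICHE_WITH_PRESENCE),
                       ("niche only", NICHE_ONLY), ("one-month spike", SPIKE)]:
        print(f"{name:16s} four-of-six: {is_sci_ats(hist)!s:5s}  "
              f"12-month aggregate: {twelve_month_aggregate_test(hist)}")
```

The spike history is the release's point in numbers: one month at 15% meets the threshold in only one of the six months, so the adopted test leaves the ATS out, while the same month lifts the 12-month aggregate share above 1%.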

Finally, as discussed further in Section IV.F, the Commission agrees with commenters that it is appropriate to provide ATSs meeting the volume thresholds in the definition of SCI ATS for the first time a period of time before they are required to comply with Regulation SCI.[169] Thus, consistent with the recommendation of these commenters, the Commission is revising the definition of SCI ATS to provide that an SCI ATS will not be required to comply with the requirements of Regulation SCI until six months after satisfying any of the applicable thresholds in the definition of SCI ATS for the first time.[170]

ATSs Trading Non-NMS Stocks

Some commenters addressed whether Regulation SCI should apply to ATSs trading non-NMS stocks.[171] Specifically, one commenter stated that the rules should apply only to trading in NMS securities because non-NMS stock trading—which is dispersed among broker-dealers—does not have a single point of failure and is therefore less susceptible to rapid, widespread issues that occur as a result of a high degree of linkage or inter-dependency.[172] Another commenter stated that, with respect to non-NMS stocks (as well as municipal securities and corporate debt securities), the proposed five percent threshold was too low and would unnecessarily include ATSs for these product types that are “not systemic to maintaining fair, orderly, and efficient markets” and asked the Commission to further study the appropriate threshold for these ATSs.[173]

With regard to equity securities that are not NMS stocks and for which transactions are reported to a self-regulatory organization, the adopted thresholds remain unchanged from the SCI Proposal. Thus, for such securities, an ATS will be subject to the requirements of Regulation SCI if, during four of the preceding six calendar months, it had five percent or more of the average daily dollar volume as calculated by the self-regulatory organization to which such transactions are reported.[174] The Commission continues to believe that this threshold will appropriately identify ATSs that play a significant role in the market for those securities and, thus, should be subject to the requirements of Regulation SCI.

Using data from the second quarter of 2014, an ATS executing transactions in non-NMS stocks at a level exceeding five percent of the average daily dollar volume traded in the United States would be executing trades at a level exceeding $45.2 million daily.[175] Based on data collected from Form ATS-R for the second quarter of 2014, the Commission estimates that two ATSs would exceed this threshold and fall within the definition of SCI entity, accounting for approximately 99 percent of the dollar volume market share of all ATSs trading non-NMS stocks.[176] These thresholds reflect an assessment by the Commission, based on qualitative and quantitative analysis, of the likely consequences of the specific quantitative thresholds included in the definition. From this analysis and in conjunction with considering the views of commenters, the Commission has derived what it believes to be an appropriate threshold to identify those ATSs that should be subject to the requirements of Regulation SCI.

As discussed above, one commenter objected to the inclusion of ATSs trading non-NMS stocks within the scope of Regulation SCI.[177] This commenter argued that non-NMS trading is not susceptible to the issues that Regulation SCI is designed to address because such trading is dispersed among broker-dealers and does not create the types of single points of failure that pose widespread systemic risk.[178] First, as noted above, while the Commission is particularly concerned with systems issues that pose the greatest risk to our markets and have the potential to cause the most widespread effects and damage (such as those that are single points of failure), Regulation SCI is intended to address a broader set of risks of systems issues. Accordingly, the adopted threshold for non-NMS stock ATSs is designed to identify those ATSs that play a significant role in the market for such securities. Further, the Commission disagrees with the commenter's assertion that trading in non-NMS stocks cannot result in widespread disruptions.[179]

While one commenter stated that the five percent threshold was too low, this commenter did not provide an alternative threshold but rather asked the Commission to further study this issue.[180] As noted above, based on qualitative and quantitative analysis, the Commission believes the five percent threshold to be an appropriate measure to determine which ATSs are of sufficient significance in the current market for non-NMS stocks to warrant their inclusion within the scope of Regulation SCI. The Commission notes that it intends to monitor the level of this threshold, and other thresholds being adopted today, to ensure that they continue to be appropriate.

The Commission notes that adoption of a higher threshold for non-NMS stocks than for NMS stocks reflects the Commission's acknowledgement of certain differences between the two markets. In particular, as noted in the SCI Proposal, while the Commission believes that similar concerns about the trading of NMS stocks on ATSs apply to the trading of non-NMS stocks, the Commission also believes that certain characteristics of the market for non-NMS stocks, such as the lower degree of automation, electronic trading, and interconnectedness, generally result in an overall lower risk to the market in the event of a systems issue.[181] In particular, the Commission believes that a systems issue at an SCI entity that trades non-NMS stocks would not be as likely to have as significant or widespread an impact as readily as a systems issue at an SCI entity that trades NMS stocks. Therefore, the Commission believes that there is less risk of market impact in the markets for those securities at this time. As such, the Commission has determined not to adopt the same, more stringent, thresholds that would trigger the requirements of Regulation SCI that the Commission is adopting for ATSs trading NMS stocks. The Commission also believes that imposition of a threshold that is set too low in markets that lack automation could have the unintended effects of discouraging automation in these markets and discouraging new entrants into these markets. Specifically, it could increase the cost of automation in relation to other methods of executing trades, and thus market participants might make a determination that the costs associated with becoming subject to Regulation SCI preclude a shift to automated trading or the development of a new automated trading system, particularly given the expected lower trading volume when beginning operations. 
Further, the Commission notes that it has traditionally provided special safeguards with regard to NMS stocks in its rulemaking efforts relating to market structure.[182] For these reasons, the Commission believes that it is appropriate at this time to apply a different threshold to ATSs trading NMS stocks than those ATSs trading non-NMS stocks.

ATSs Trading Fixed-Income Securities

Several commenters specifically addressed the inclusion of municipal security and corporate debt security ATSs within the scope of Regulation SCI, stating that these ATSs should not be subject to Regulation SCI or that the proposed thresholds should be modified.[183] These commenters identified differences in the nature of fixed-income trading as compared to the markets for NMS securities and concluded that the thresholds were inappropriate and would be detrimental to the market for these types of securities.[184] In particular, commenters stated that inclusion of fixed-income ATSs and/or the adoption of the proposed thresholds would impose unduly high costs on these entities given their size, scope of operations, lack of automation, low speed, and resulting low potential to pose risk to systems.[185] Further, one commenter noted that the cost of compliance for these types of entities would discourage the shift from manual fixed-income trading in the OTC markets to more transparent and efficient automated trading venues.[186]

In addition, one commenter stated that if retail fixed-income ATSs are included in the final rule, a better measurement would be to look at par amount traded rather than volume.[187] Finally, one commenter requested that the Commission clarify that ATSs relating to listed-options are not subject to the obligations of proposed Regulation SCI.[188]

While the adopted definition of SCI ATS remains unchanged from the proposal for NMS stocks and non-NMS stocks, the Commission, after considering the views of commenters, has determined to exclude ATSs that trade only municipal securities or corporate debt securities from the definition of SCI ATS at this time.[189] Accordingly, such fixed-income ATSs will not be subject to the requirements of Regulation SCI. Rather, fixed-income ATSs will continue to be subject to the existing requirements in Rule 301(b)(6) of Regulation ATS regarding systems capacity, integrity and security if they meet the twenty percent threshold for municipal securities or corporate debt securities provided by that rule.[190] The Commission believes that this change is warranted given the unique nature of the current fixed-income markets, as noted by several commenters. In particular, fixed-income markets currently rely much less on automation and electronic trading than markets that trade NMS stocks or non-NMS stocks.[191] In addition, the municipal and corporate fixed-income markets tend to be less liquid than the equity markets, with slower execution times and less complex routing strategies.[192] As such, the Commission believes that a systems issue at a fixed-income ATS would not have as significant or widespread an impact as in other markets. Thus, while ensuring the capacity, integrity and security of the systems of fixed-income ATSs is important, the benefits of lowering the threshold applicable to fixed-income ATSs from the current twenty percent threshold in Regulation ATS and subjecting such ATSs to the safeguards of Regulation SCI would not be as great as for ATSs that trade NMS stock or non-NMS stock. As commenters pointed out, the cost of the requirements of Regulation SCI could be significant for fixed-income ATSs relative to their size, scope of operations, and more limited potential for systems risk. 
The Commission is cognizant that lowering the current threshold applicable to fixed-income ATSs in Regulation ATS and subjecting such ATSs to the requirements of Regulation SCI could have the unintended effect of discouraging automation in these markets and discouraging the entry of new fixed-income ATSs into the market, which could impede the evolving transparency and efficiency of these markets and negatively impact liquidity in these markets.

For these reasons, the Commission believes that it is appropriate to continue to apply the requirements in Rule 301(b)(6) of Regulation ATS to fixed-income ATSs that meet the volume thresholds of that rule and to exclude ATSs that trade only municipal securities or corporate debt securities from the scope of Regulation SCI at this time.

c. Plan Processor

Under Proposed Rule 1000(a), the term “plan processor” had the meaning set forth in Rule 600(b)(55) of Regulation NMS, which defines “plan processor” as “any self-regulatory organization or securities information processor acting as an exclusive processor in connection with the development, implementation and/or operation of any facility contemplated by an effective national market system plan.” [193] The Commission is adopting the definition of “plan processor” as proposed.[194]

The Commission received no comments on the proposed definition of “plan processor.” [195] As noted in the SCI Proposal, the ARP Inspection Program included the systems of the plan processors of four national market system plans—the CTA Plan, CQS Plan, Nasdaq UTP Plan, and OPRA Plan.[196] Although an entity selected as the processor of an SCI Plan acts on behalf of a committee of SROs, such entity is not required to be an SRO, nor is it required to be owned or operated by an SRO.[197] The Commission believes, however, that the systems of such entities, because they deal with key market data, are central features of the national market system [198] and should be subject to the same systems standards as SCI SROs. The inclusion of plan processors in the definition of SCI entity is designed to ensure that the processor for an SCI Plan, regardless of its identity, is independently subject to the requirements of Regulation SCI. The Commission believes that it is important for such plan processors to be subject to the requirements of Regulation SCI because of the important role they serve in the national market system: Operating and maintaining computer and communications facilities for the receipt, processing, validation, and dissemination of quotation and/or last sale price information generated by the members of the plan.

Recent SIP incidents further highlighted the importance of plan processors to the U.S. securities markets and the necessity of including such processors within the scope of Regulation SCI.[199] As evidenced by the incidents, the availability of consolidated market data is central to the functioning of the securities markets. The unavailability of a system, such as a plan processor, that is a single point of failure with no backups or alternatives can result in a significant impact on the entire national market system. Accordingly, the Commission believes that it is essential to ensure that the automated systems of the entities responsible for the consolidation and processing of important market data, namely, plan processors, have adequate levels of capacity, integrity, resiliency, availability, and security.[200]

Further, pursuant to its terms, each SCI Plan is required to periodically review its selection of its processor, and may in the future select a different processor for the SCI Plan than its current processor.[201] Thus, the definition of “plan processor” covers any entity selected as the processor for a current or future SCI Plan.[202]

d. Exempt Clearing Agency Subject to ARP

Proposed Rule 1000(a) defined the term “exempt clearing agency subject to ARP” to mean “an entity that has received from the Commission an exemption from registration as a clearing agency under Section 17A of the Act, and whose exemption contains conditions that relate to the Commission's Automation Review Policies, or any Commission regulation that supersedes or replaces such policies.” This definition is being adopted as proposed.

As noted in the SCI Proposal, this definition of “exempt clearing agency subject to ARP” currently covers one entity, Omgeo Matching Services—US, LLC (“Omgeo”).[203] In its comment letter, Omgeo stated that it believed its inclusion as an SCI entity was reasonable because clearing agencies that provide matching services, such as Omgeo, perform a critical role in the infrastructure of the U.S. financial markets in handling large amounts of highly confidential proprietary trade data.[204] Omgeo requested, however, that the Commission clarify that other similarly situated clearing agencies would also be subject to the requirements of Regulation SCI, and further requested that the Commission expand the definition of SCI entity, as applied to clearing agencies, to include, without limitation, any entity providing either matching services or confirmation/affirmation services for depository eligible securities that settle in the United States, as contemplated by FINRA Rule 11860.[205]

The Commission notes that the adopted definition of “exempt clearing agency subject to ARP” does provide that any entity that receives from the Commission an exemption from registration as a clearing agency under Section 17A of the Act, and whose exemption contains conditions that relate to the Automation Review Policies or any Commission regulation that supersedes or replaces the Commission's Automation Review Policies (such as Regulation SCI) would be included within the scope of Regulation SCI. Therefore, clearing agencies that are similarly situated to Omgeo (i.e., those that are subject to an exemption that contains the relevant conditions) will be subject to Regulation SCI.[206] The Commission does not believe, therefore, that an expansion of the definition as suggested by Omgeo is necessary to further clarify that similarly situated entities will be subject to the requirements of Regulation SCI.

Among the operational conditions required by the Commission in the Omgeo Exemption Order were several that directly related to the ARP policy statements.[207] For the same reasons that it required Omgeo to abide by the conditions relating to the ARP policy statements set forth in the Omgeo Exemption Order, the Commission believes it is appropriate that Omgeo (or any similarly situated exempt clearing agency) should be subject to the requirements of Regulation SCI, and thus is including any “exempt clearing agency subject to ARP” within the definition of SCI entity.

2. SCI Systems, Critical SCI Systems, and Indirect SCI Systems

a. Overview

Regulation SCI, as adopted, distinguishes three categories of systems of an SCI entity: “SCI systems,” “critical SCI systems,” and “indirect SCI systems.” The SCI Proposal broadly defined SCI systems to mean “all computer, network, electronic, technical, automated, or similar systems of, or operated by or on behalf of, an SCI entity, whether in production, development, or testing, that directly support trading, clearance and settlement, order routing, market data, regulation, or surveillance.” The SCI Proposal also defined the term SCI security systems (to which only the provisions of Regulation SCI relating to security and intrusions would apply) as: “any systems that share network resources with SCI systems that, if breached, would be reasonably likely to pose a security threat to SCI systems.” [208]

Many commenters stated that the proposed definitions of SCI systems and SCI security systems were too broad and urged the Commission to target systems that pose the greatest risk to the market if they malfunction.[209] After careful consideration of the comments, and as discussed more fully below, the Commission agrees that certain types of systems included in the proposed definition of SCI systems may be appropriately excluded from the adopted definition. However, because U.S. securities market infrastructure is highly interconnected and a seemingly minor systems problem at a single entity can spread rapidly across the national market system, the Commission does not believe it is appropriate to apply Regulation SCI only to the most critical SCI systems, as some commenters suggested. Instead, the adopted regulation applies to a broader set of systems than urged by some commenters, but a more targeted set of systems than proposed. In addition, the adopted approach recognizes that some systems pose greater risk than others to the maintenance of fair and orderly markets if they malfunction. To this end, adopted Regulation SCI identifies three broad categories of systems of SCI entities that are subject to the regulation: “SCI systems,” “critical SCI systems,” and “indirect SCI systems,” with each category subject to differing requirements under Regulation SCI.

As discussed more fully below, the adopted definition of “SCI systems” includes those systems that directly support six areas that have traditionally been considered to be central to the functioning of the U.S. securities markets, namely trading, clearance and settlement, order routing, market data, market regulation, and market surveillance. SCI systems are subject to all provisions of Regulation SCI, except for certain requirements applicable only to critical SCI systems.

In addition, the Commission is adopting a definition of “critical SCI systems,” a subset of SCI systems that are subject to certain heightened resilience and information dissemination provisions of Regulation SCI. Guided significantly by commenters' views on those systems that are most critical, the Commission is defining the term “critical SCI systems” as SCI systems that: (1) Directly support functionality relating to: (i) Clearance and settlement systems of clearing agencies; (ii) openings, reopenings, and closings on primary trading markets; (iii) trading halts; (iv) initial public offerings; (v) the provision of consolidated market data (i.e., SIPs); or (vi) exclusively-listed securities; or (2) provide functionality to the securities markets for which the availability of alternatives is significantly limited or nonexistent and without which there would be a material impact on fair and orderly markets.[210] As more fully discussed below, systems in this category are those that, if they were to experience systems issues, the Commission believes would be most likely to have a widespread and significant impact on the securities markets.

In addition, the Commission is adopting a definition of “indirect SCI systems,” in place of the proposed definition of “SCI security systems.” “Indirect SCI systems” are subject only to the provisions of Regulation SCI relating to security and intrusions. The term “indirect SCI systems” is defined to mean “any systems of, or operated by or on behalf of, an SCI entity that, if breached, would be reasonably likely to pose a security threat to SCI systems” and, if an SCI entity puts in place appropriate security measures, is intended to refer to few, if any, systems of the SCI entity.

b. SCI Systems

SCI Systems Generally

Proposed Rule 1000(a) defined the term “SCI systems” to mean “all computer, network, electronic, technical, automated, or similar systems of, or operated by or on behalf of, an SCI entity, whether in production, development, or testing, that directly support trading, clearance and settlement, order routing, market data, regulation, or surveillance.” [211] After careful consideration of the comments, the Commission is refining the scope of the systems covered by the definition of “SCI systems.” As adopted, the term “SCI systems” in Rule 1000 means “all computer, network, electronic, technical, automated, or similar systems of, or operated by or on behalf of, an SCI entity that, with respect to securities, directly support trading, clearance and settlement, order routing, market data, market regulation, or market surveillance.”

One commenter generally supported the proposed definition of SCI systems, and stated that the definition should be expanded to include any technology system that has direct market access.[212] In response to this comment, the Commission believes that many systems with direct market access are captured by the adopted definition. However, as discussed above, the Commission has determined not to propose to expand the scope of Regulation SCI to include other broker-dealer entities and their systems at this time.[213]

Contrary to the commenter who urged expansion of the proposed definition, many commenters believed the term to be too broad and recommended that it be revised in various ways.[214] These commenters argued that the definition was over-inclusive, with some believing that it could potentially apply to all systems of an SCI entity.

Specifically, several commenters recommended that the definition of SCI systems be revised to include a more limited set of systems than proposed.[215] Commenters advocating this general approach provided various suggestions for the specific standard that they believed should apply. For example, among commenters' recommendations were suggestions that the definition of SCI systems should include only those systems: whose failure or degradation would reasonably be expected to have an adverse material impact on the sound operation of financial markets; [216] that are highly critical to functioning as an SCI entity; [217] that have the potential to impact the protection of securities investors and the maintenance of fair and orderly markets; [218] that directly support trading, clearance and settlement, order routing, market data, regulation, or surveillance in real-time; [219] that support the SCI entity's “core functions . . . which the SCI entity performs pursuant to applicable Commission regulations;” [220] that are reasonably likely to pose a plausible risk to the markets (namely, systems that route or execute orders, clear and settle trades, or transmit required market data); [221] or that impact the core functions of the overall market, which, according to the commenter, would include exclusive SIPs that transmit market data and systems responsible for primary NMS auction markets that set daily opening and closing prices.[222] In addition, one commenter suggested that the term should be defined as a production system that connects to and is part of the electronic network that comprises the market.[223] This commenter also noted that the definition should distinguish between systems that connect to the markets and those that are used to run a business.[224] Another commenter suggested that, if Regulation SCI were to apply only to exchanges and ATSs, the term should be limited to exchange and ATS systems operated by the entity and should not include, for example, brokerage systems.[225]

The Commission is further focusing the scope of the definition of SCI systems in response to these comments.[226] The Commission is replacing the proposed language referring to “systems . . . whether in production, development, or testing that directly support trading, clearance and settlement, order routing, market data, regulation, or surveillance” with the following language: “systems, with respect to securities, that directly support trading, clearance and settlement, order routing, market data, market regulation, or market surveillance.” As such, the adopted definition has been limited to apply to production systems that relate to securities market functions, and in particular to those six functions—trading, clearance and settlement, order routing, market data, market regulation, or market surveillance—that traditionally have been considered to be central to the functioning of the U.S. securities markets, as urged by several commenters.[227] The Commission believes that systems providing these six functions may pose a significant risk to the maintenance of fair and orderly markets if their capacity, integrity, reliability, availability or security is compromised, and therefore that they should be covered by the definition of “SCI systems.”

Although some commenters pointed to the phrase “directly support” in the proposed rule as vague and overbroad,[228] the Commission has retained this phrase in the adopted definition. The term “directly support” is retained to acknowledge that systems of SCI entities are complex and highly interconnected and that the definition of SCI systems should not exclude functionality or supporting systems on which the six identified categories of systems rely to remain operational.[229] In response to comment that the definition of SCI systems should distinguish between systems that connect to the markets and those that are used to run a business,[230] the Commission notes that the adopted definition would not include systems “used to run a business” if they are not within the six identified categories of market-related production systems and not necessary to their continued functioning. Further, the adopted definition clarifies that SCI systems encompass only those systems that, with respect to securities, directly support trading, clearance and settlement, order routing, market data, market regulation, or market surveillance. The Commission believes that this change appropriately responds to one commenter's concern that the proposed definition would capture systems operated by an SCI entity that have “practically no relevance or relation to SEC markets” and its suggestion that the definition should be revised to include only those systems that would directly impact a market that was subject to the Commission's jurisdiction.[231] As a result of this modification, if an SCI SRO does not use its systems to conduct business with respect to securities, its systems would not fall within the definition of “SCI systems.” Further, if an SCI entity operates systems for the trading of both futures and securities, only its trading systems for securities would be subject to the requirements of Regulation SCI.[232]

In addition, one commenter urged that the Commission should initially limit the scope of SCI systems to those systems covered by the ARP Policy Statements (trading, clearance and settlement, and order routing) and phase in other types of systems later.[233] The Commission believes that the adopted definition of SCI systems obviates the need for such an approach, as many systems for which the commenter urged a delay in compliance will not be covered by the regulation, as adopted.

SCI Systems: Inclusions and Exclusions

Various commenters objected to specific categories proposed to be included in the definition of SCI systems. First, many commenters opposed the proposed inclusion of development and testing systems in the definition, noting that issues in development and testing systems would have little or no impact on the operations of SCI entities and that such systems are designed to identify and address problems before they are introduced into production systems.[234] Some commenters argued that inclusion of development and testing systems in the definition of SCI systems would subject such systems to more requirements under Regulation SCI than was necessary and noted that certain other provisions of Regulation SCI would necessarily include reporting information to the Commission on such systems, even without their inclusion in the definition of SCI systems.[235] For example, one commenter stated that application of most provisions of Regulation SCI to testing and development systems would provide little benefit, and noted that updates regarding systems in development and material new features of existing systems could instead be done through the semi-annual reports to the Commission under proposed Rule 1000(b)(8).[236] Similarly, one commenter noted that information regarding the status of systems that are in development and testing would be captured in the notices regarding material systems changes under proposed Rule 1000(b)(6) and in the updates under proposed Rule 1000(b)(8).[237] Alternatively, this commenter suggested that the Commission could require that any testing errors be corrected (and such corrections be retested) prior to implementation of those changes in production.[238]

The Commission believes that certain modifications to the elements of the proposed definition of SCI systems are appropriate. First, in response to comments, the reference to development and testing systems in the proposed definition of SCI systems has been deleted.[239] As commenters pointed out, development and testing systems are generally designed to identify and address problems before new systems or systems changes are introduced into production systems and, by their nature, can often experience issues, both intentional and unplanned, during the testing process. The Commission believes that systems issues that occur with respect to such systems are less likely to have a significant impact on the operations of an SCI entity or on the securities markets as a whole than issues occurring with respect to production systems. Further, subjecting these systems to the Commission notification requirements in adopted Rule 1002(b) could have the unintended effect of deterring SCI entities from fully utilizing the testing and development processes to test new systems and systems changes and develop solutions to issues prior to implementation of such systems or changes in production. At the same time, the Commission notes that, in order to have policies and procedures reasonably designed to achieve capacity, integrity, resiliency, availability, and security for SCI systems in accordance with adopted Rule 1001(a), an SCI entity will be required to have policies and procedures that include a program to review and keep current systems development and testing methodology for SCI systems.[240] Accordingly, review of programs relating to systems development and testing for SCI systems is within the scope of Regulation SCI, and an SCI entity should reasonably expect Commission staff to review such processes and systems during the course of its exams and inspections. In addition, the Commission notes that the definition of SCI review in adopted Rule 1000 and corresponding requirements for an annual SCI review in adopted Rule 1003(b) require an assessment of internal control design and effectiveness, which includes development processes.[241] Further, if development and testing systems are not appropriately walled off from production systems, such systems could be captured under the definition of indirect SCI systems as discussed below and be subject to the requirements of Regulation SCI. If an SCI entity's development and testing systems are not walled off from production systems, the SCI entity should consider whether its policies and procedures should specify safeguards to ensure that its personnel can clearly distinguish the development and testing systems from the production systems, in order to avoid inadvertent errors that may result in an SCI event.

Some commenters also opposed the proposed inclusion of regulatory and surveillance systems within the definition of SCI systems or suggested that the Commission refine or clarify the scope of such systems.[242] Some of these commenters argued that inclusion of such systems was not necessary because these systems do not operate on a real-time basis or have a real-time impact on trading.[243] Further, one commenter suggested that periodic reporting of material outages or delays in the operation of regulatory and surveillance systems, pursuant to appropriate policies and procedures, would support the goals of Regulation SCI without imposing undue burdens on SCI entities or raising the risk that market participants would purposefully direct order flow to SCI entities experiencing regulatory or surveillance systems issues.[244] Another commenter advocated for replacing the terms “regulation” and “surveillance” with “market regulation” and “market surveillance,” respectively, and asked the Commission to clarify the difference between “regulatory” and “surveillance” systems.[245]

In consideration of these comments, the Commission has determined to limit SCI systems to those systems relating to market regulation and market surveillance rather than including all regulation and surveillance systems. As proposed, the definition contained no such limitations and could potentially be interpreted to cover systems used for member regulation and member surveillance. The Commission does not believe that inclusion of member regulation or member surveillance systems such as those, for example, relating to member registration, capital requirements, or dispute resolution, would advance the goals of Regulation SCI. Issues relating to such systems are unlikely to have the same level of impact on the maintenance of fair and orderly markets or an SCI entity's operational capability as those systems identified in the definition of SCI systems. The Commission believes that this change will more appropriately capture only those regulatory and surveillance systems that are related to core market functions, such as trading, clearance and settlement, order routing, and market data.[246]

Another element of the proposed definition of “SCI systems” that some commenters addressed was the inclusion of market data systems. Specifically, one commenter believed that the inclusion of all market data systems was too broad, and argued that only “systems that directly support `the transmission of market data as required by the Exchange Act'” should be included, thus limiting the types of market data systems to those relating to consolidated data and excluding those that transmit proprietary market data.[247] Although the term “market data” is not defined in Regulation SCI, that term generally refers to price information for securities, both pre-trade and post-trade, such as quotations and transaction reports.[248] In response to the commenter urging that only market data systems relating to consolidated data be included, the term “market data” does not refer exclusively to consolidated market data, but includes proprietary market data generated by SCI entities as well. The Commission notes that both consolidated and proprietary market data systems are widely used and relied upon by a broad array of market participants, including institutional investors, to make trading decisions, and that if a consolidated or a proprietary market data feed became unavailable or otherwise unreliable, it could have a significant impact on the trading of the securities to which it pertains, and could interfere with the maintenance of fair and orderly markets. Therefore, systems of an SCI entity directly supporting proprietary market data or consolidated market data are both within the scope of the definition of SCI systems and subject to Regulation SCI. However, the Commission has repeatedly emphasized the importance of consolidated market data to the national market system and the protection of investors [249] and the severe impact of its unavailability was evidenced by the SIP outage in August 2013.[250] Thus, as discussed below, systems directly supporting functionality related to the provision of consolidated market data are distinguished by their inclusion in the definition of “critical SCI systems.” [251]

Further, one commenter questioned whether the phrase “market data systems” was intended to be limited to data-driven systems devoted to price transparency or whether the Commission also intended to include document-based systems devoted to public disclosure.[252] In response to this comment, the Commission notes that systems providing or directly supporting price transparency are within the scope of SCI systems.[253] However, systems solely providing or directly supporting other types of data, such as systems used by market participants to submit disclosure documents, or systems used by SCI entities to make disclosure documents publicly available, are not within the scope of SCI systems, so long as they do not also directly support price transparency.

Several commenters also argued that the term SCI systems should not include systems operated on behalf of an SCI entity by a third party.[254] Some of these commenters pointed to potential difficulties with meeting the requirements of Regulation SCI with regard to third party systems.[255] One commenter specifically suggested that the proposal should be limited to those systems under the control of the SCI entity.[256] Another commenter noted that the SCI entity should instead be responsible for managing these relationships through due diligence, contract terms, and monitoring of third party performance.[257] One commenter also requested that the Commission clarify how SCI entities should comply with the oversight of vendor systems as part of Regulation SCI.[258]

Although several commenters argued that the term SCI systems should not include third-party systems, the Commission continues to believe that, if a system is operated on behalf of an SCI entity and directly supports one of the six key functions listed within the definition of SCI system, it should be included as an SCI system subject to the requirements of Regulation SCI. The Commission believes that any system that directly supports one of the six functions enumerated in the definition of SCI system is important to the functioning of the U.S. securities markets, regardless of whether it is operated by the SCI entity directly or by a third party. The Commission believes that permitting such systems to be excluded from the requirements of Regulation SCI would significantly reduce the effectiveness of the regulation in promoting the national market system by ensuring the capacity, integrity, resiliency, availability, and security of those systems important to the functioning of the U.S. securities markets. Further, if the definition did not include systems operated on behalf of an SCI entity, the Commission is concerned that some SCI entities might be inclined to outsource certain of their systems solely to avoid the requirements of Regulation SCI, which would further undermine the goals of Regulation SCI. The Commission agrees with the comment that an SCI entity should be responsible for managing its relationship with third parties operating systems on behalf of the SCI entity through due diligence, contract terms, and monitoring of third party performance. However, the Commission believes that these methods may not be sufficient in all cases to ensure that the requirements of Regulation SCI are met for SCI systems operated by third parties. The fact that they might be sufficient some of the time is therefore not a basis for excluding these systems from the definition of SCI systems. Instead, if an SCI entity determines to utilize a third party for an applicable system, it is responsible for having in place processes and requirements to ensure that it is able to satisfy the requirements of Regulation SCI for systems operated on behalf of the SCI entity by a third party. The Commission believes that it would be appropriate for an SCI entity to evaluate the challenges associated with oversight of third-party vendors that provide or support its applicable systems subject to Regulation SCI. If an SCI entity is uncertain of its ability to manage a third-party relationship (whether through due diligence, contract terms, monitoring, or other methods) to satisfy the requirements of Regulation SCI,[259] then it would need to reassess its decision to outsource the applicable system to such third party.[260] For example, if a third-party vendor is unwilling to disclose to an SCI entity information regarding the vendor's intellectual property or proprietary system that the SCI entity believes it needs to satisfy the requirements of Regulation SCI, as some commenters suggested might be the case, an SCI entity will need to reassess its relationship with that vendor, because the vendor's unwillingness to provide necessary information or other assurances would not exclude the outsourced system from the definition of SCI systems. Accordingly, the definition of SCI system, as adopted in Rule 1000, retains the reference to systems operated “on behalf of” SCI entities.

Finally, some commenters asked for clarification on miscellaneous aspects of the definition. For example, one commenter requested that the Commission clarify that the definition of SCI system for purposes of Regulation SCI is separate and distinct from the definition of a facility set forth in Section 3(a)(2) of the Exchange Act.[261] The Commission notes that the term “SCI system” under Regulation SCI is distinct from the term “facility” in Section 3(a)(2) of the Exchange Act.[262] Because a facility of an exchange would only fall within the definition of “SCI systems” if it is a system that directly supports any one of the six functions provided in the definition of “SCI systems,” not all systems that are facilities of an exchange will be SCI systems. For example, as noted in the SCI Proposal, the definition of SCI systems would apply to systems of exchange-affiliated routing brokers that are facilities of national securities exchanges.[263] But a system used for member regulation that may meet the definition of a facility under the Exchange Act, would not be within the scope of the definition of “SCI systems.”

Another commenter requested confirmation that internal systems are excluded from the definition of SCI system.[264] The Commission notes that the definition of “SCI system” does not differentiate between “internal systems” and those systems accessed by market participants or other outside parties.[265] The Commission notes that, while some internal systems of an SCI entity may not meet the definition of SCI system, it does not believe that all internal systems (as described by this commenter) would be outside of the scope of the definition of SCI system.[266]

Other commenters advocated that SCI entities should be permitted to conduct their own risk-based assessment to determine which of their systems should be considered SCI systems.[267] One commenter noted that SCI entities should be required to develop and maintain an established methodology for identifying which systems qualify as SCI systems,[268] while other commenters advocated for coordination with the Commission in establishing criteria to be used in conducting such risk-based assessments or review by the Commission of an SCI entity's own risk-based assessment.[269] The Commission has carefully considered these comments and generally agrees that certain systems pose greater risk to the markets in the event of a systems issue and are of paramount importance to the functioning of the U.S. securities markets. Rather than include only those in the definition of SCI systems, the Commission believes that it is more prudent to instead identify these systems as “critical SCI systems” subject to certain heightened obligations. Further, adopted Rule 1001(a) requiring SCI entities to have policies and procedures reasonably designed to ensure that their systems have adequate levels of capacity, integrity, resiliency, availability, and security is consistent with a risk-based approach.[270] Specifically, as discussed in further detail below, an SCI entity may tailor its policies and procedures based on the relative criticality of a given SCI system to the SCI entity and to the securities markets generally.[271]

c. Critical SCI Systems

As discussed above, in response to comments, the Commission is incorporating a risk-based approach in certain aspects of Regulation SCI.[272] To that end, the Commission is adopting a definition of “critical SCI systems” to designate SCI systems that the Commission believes should be subject to the highest level of requirements. As a subset of “SCI systems,” “critical SCI systems” are subject to the same provisions as “SCI systems,” except that critical SCI systems are subject to certain heightened resilience and information dissemination provisions of Regulation SCI. In these respects, critical SCI systems are subject to an increased level of obligation as compared to other SCI systems.[273]

Rule 1000 defines “critical SCI systems” as “any SCI systems of, or operated by or on behalf of, an SCI entity that: (1) Directly support functionality relating to: (i) Clearance and settlement systems of clearing agencies; [274] (ii) openings, reopenings, and closings on the primary listing market; (iii) trading halts; (iv) initial public offerings; (v) the provision of consolidated market data; or (vi) exclusively-listed securities; or (2) provide functionality to the securities markets for which the availability of alternatives is significantly limited or nonexistent and without which there would be a material impact on fair and orderly markets.”

As noted above, many commenters advocated for a risk-based approach to Regulation SCI and either suggested that only the entities or systems that pose the greatest risk to the markets should be within the scope of the regulation or, alternatively, that the requirements of Regulation SCI be tailored to the specific risk-profile of a particular entity or particular system.[275] While the Commission disagrees with commenters who suggested that Regulation SCI should apply only to “critical systems,” as it believes that these are not the only systems that could pose a significant risk to the securities markets, the Commission believes that it is appropriate to hold systems that pose the greatest risk to the markets if they malfunction to higher standards and more stringent requirements under Regulation SCI. Recent events have also demonstrated the importance of certain critical systems functionality, including those that represent “single points of failure” to the securities markets, and the need for more robust market infrastructure, particularly with regard to critical market systems.[276]

The Commission believes that the adoption of the definition of “critical SCI systems” and heightened requirements for such systems recognizes that some systems are critical to the continuous and orderly functioning of the securities markets more broadly and, as such, ensuring their capacity, integrity, resiliency, availability, and security is of the utmost importance. Therefore, as discussed further below, the Commission believes that it is appropriate for such critical SCI systems to be held to heightened requirements (as compared to those for SCI systems) related to capacity, integrity, resiliency, availability, and security generally; rapid recovery following wide-scale disruptions; and disclosure of SCI events. The Commission believes that the definition of critical SCI systems is appropriately designed to identify those SCI systems whose functions are critical to the operation of the markets, including those systems that represent potential single points of failure in the securities markets. Systems in this category are those that, if they were to experience systems issues, the Commission believes would be most likely to have a widespread and significant impact on the securities markets.

The first prong of the definition identifies six specific categories of systems that the Commission believes are the most critical to the securities markets, and the most likely to have widespread and significant market impact should a systems issue occur. These are: clearance and settlement systems of clearing agencies; openings, reopenings, and closings on the primary listing market; trading halts; initial public offerings; the provision of consolidated market data (i.e., SIPs); and exclusively-listed securities.

In the context of suggesting the adoption of a risk-based approach for Regulation SCI, some commenters identified those functions that they believed were most critical to the functioning of the markets. Among those identified were clearance and settlement, opening and closing auctions, IPO auctions, the provision of consolidated market data by the SIPs; and trading of exclusively-listed securities.[277] The Commission agrees with commenters who characterized these categories of systems as critical. In addition, as discussed below, the Commission believes that systems that directly support functionality relating to trading halts should be included in the definition of critical SCI systems.

With respect to “clearance and settlement systems of clearing agencies,” the clearance and settlement of securities is fundamental to securities market activity.[278] Clearing agencies perform a variety of services that help ensure that trades settle on time and at the agreed-upon terms. For example, clearing agencies compare transaction information (or report to members the results of exchange comparison operations), calculate settlement obligations (including net settlement), collect margin (such as initial and variation margin), and serve as a depository to hold securities as certificates or in dematerialized form to facilitate automated settlement. Because of their role, clearing agencies are critical central points in the financial system. A significant portion of securities activity flows through one or more clearing agencies. Clearing agencies have direct links to participants and indirect links to the customers of participants. Clearing agencies are also linked to each other through common participants and, in some cases, by operational processes. Safe and reliable clearing agencies are essential not only to the stability of the securities markets they serve but often also to payment systems, which may be used by a clearing agency or may themselves use a clearing agency to transfer collateral.[279] The safety of securities settlement arrangements and post-trade custody arrangements is also critical to the goal of protecting the assets of investors from claims by creditors of intermediaries and other entities that perform various functions in the operation of the clearing agency.[280] Investors are more likely to participate in markets when they have confidence in the safety and reliability of clearing agencies as well as settlement systems.[281] Accordingly, the Commission believes “clearance and settlement systems of clearing agencies” are appropriate for inclusion in the definition of critical SCI systems.[282]

Similarly, reliable openings, reopenings, and closings on primary listing markets are key to the establishment and maintenance of fair and orderly markets. NYSE and Nasdaq, for example, each have an opening cross for their listed securities that solicits trading interest and generates a single auction price that attracts widespread participation and is relied upon as a benchmark by other markets and market participants.[283] Similar processes are used, and heavy levels of participation typically are generated, at the primary listing markets in the reopening cross that follows a trading halt.[284] Closing auctions at the primary listing markets also attract widespread participation, and the closing prices they establish are commonly used as benchmarks, such as to value derivative contracts and generate mutual fund net asset values. As such, during these critical trading periods, market participants rely on the processes of the primary listing markets to effect transactions, and establish benchmark prices that are used in a wide variety of contexts so that the unavailability or disruption of systems directly supporting the opening, reopening and closing processes on the primary listing markets could have widespread detrimental effects.[285]

In addition, the Commission believes that systems directly supporting functionality relating to trading halts [286] are essential to the orderly functioning of the securities markets, and therefore should be included in the definition of critical SCI systems. In the event a trading halt is necessary, it is essential that the systems responsible for communicating the trading halt—typically maintained by the primary listing market—are robust and reliable so that the trading halt is effective across the U.S. securities markets. For example, when there is material “news pending” with respect to an issuer, it is the responsibility of the primary listing market to call a regulatory halt by generating a halt message which, when received by other trading centers, requires them to cease trading the security.[287] Similar responsibilities are placed on the primary listing market with respect to calling trading halts under the National Market System Plan to Address Extraordinary Market Volatility, as well as on plan processors to disseminate this information to the public.[288] Thus, systems which communicate information regarding trading halts provide an essential service in the U.S. markets and, should a systems issue occur affecting the ability of an SCI entity to provide such notifications, the fair and orderly functioning of the securities markets may be significantly impacted.

Companies offer shares of capital stock to the general public for the first time through the IPO process, in which the primary listing market initiates public trading in a company's shares. The IPO is conducted exclusively on that exchange, and secondary market trading cannot commence on any other exchange until the opening trade is printed on the primary listing market.[289] As such, the Commission believes that an exchange's systems that directly support the IPO process and the initiation of secondary market trading are a critical element of the capital formation process and the effective functioning of the securities markets. The Commission believes that these systems, which are the sole responsibility of the primary listing market, can adversely affect not only the IPO of a particular issuer, but may also result in significant monetary losses and harm to investors if they fail.[290] As noted in the SCI Proposal, systems issues affecting the two recent high-profile IPOs highlighted how disruptions in IPO systems can have a significant impact on the market.[291]

Systems directly supporting the provision of consolidated market data are also critical to the functioning of U.S. securities markets and represent potential single points of failure in the delivery of important market information. When Congress mandated a national market system in 1975, it emphasized that the systems for collecting and distributing consolidated market data would be central features of the national market system.[292] Further, one of the findings of the recent report by the staffs of the Commission and the CFTC on the market events of May 6, 2010 was that “fair and orderly markets require that the standards for robust, accessible, and timely market data be set quite high.” [293] Accurate, timely, and efficient collection, processing, and dissemination of consolidated market data provides the public with ready access to a comprehensive and reliable source of information for the prices and volume of any NMS stock at any time during the trading day.[294] This information helps to ensure that the public is aware of the best displayed prices for a stock, no matter where they may arise in the national market system.[295] It also enables investors to monitor the prices at which their orders are executed and serves as a data point that helps them to assess whether their orders received best execution.[296]

Finally, systems directly supporting functionality relating to exclusively-listed securities represent single points of failure in the securities markets, because exclusively-listed securities, by definition, are listed and traded solely on one exchange.[297] As such, a trading disruption on the exclusive listing market necessarily will disrupt trading by all market participants in those securities.[298]

The second prong of the definition is a broader catch-all provision intended to capture any SCI systems, beyond those specifically identified within the first prong of the definition, that provide functionality to the securities markets for which the availability of alternatives is significantly limited or nonexistent and without which there would be a material impact on fair and orderly markets. The Commission is not aware of any SCI systems that would fall under this prong of the critical SCI systems definition at this time, and notes that this prong of the definition is intended to account for further technology advancements and the continual evolution of the securities markets, in recognition that such developments could result in additional or new types of systems that would, similar to the enumerated categories of systems in the first prong of the definition, become so critical to the continuous and orderly functioning of the securities markets such that they should be subject to the requirements of Regulation SCI imposed on those systems specifically enumerated in the first prong of the definition.

The Commission also notes that the definition applies to those systems “of, or operated by or on behalf of, an SCI entity.” This language mirrors the language in the definitions of SCI system and indirect SCI system, and as discussed above, is intended to cover systems that are third-party systems operated on behalf of SCI entities.[299]

d. Indirect SCI Systems (Proposed as “SCI Security Systems”)

Proposed Rule 1000 defined the term “SCI security systems” to mean “any systems that share network resources with SCI systems that, if breached, would be reasonably likely to pose a security threat to SCI systems.” [300] As adopted, Regulation SCI includes the new term “indirect SCI systems,” in place of the proposed term “SCI security systems.” The term “indirect SCI systems” is defined to mean “any systems of, or operated by or on behalf of, an SCI entity that, if breached, would be reasonably likely to pose a security threat to SCI systems.”

As an initial matter, the Commission has determined to replace the proposed term “SCI security systems” with the adopted term “indirect SCI systems” because it believes that the latter term, in using the word “indirect,” better reflects that it is intended to cover non-SCI systems only if they are not appropriately secured and segregated from SCI systems, and therefore could indirectly pose risk to SCI systems.[301] The adopted definition of indirect SCI systems includes systems “of, or operated by or on behalf of” an SCI entity that, “if breached, would be reasonably likely to pose a security threat to SCI systems.” As discussed below, in response to comment that the proposed term would cover too many systems unrelated to SCI systems, the adopted term excludes the phrase “share network resources.”

One commenter expressly supported the definition of SCI security systems and urged that it be expanded to include any technology system that has direct market access.[302] In response to this comment, the Commission notes that the adopted definition includes any technology system of, or operated by or on behalf of an SCI entity, that has direct market access if that system meets the definition's test: whether a breach of that system would be reasonably likely to pose a security threat to SCI systems.

This commenter also suggested that the Commission additionally require SCI entities to have independent security audits performed and allow the auditor to have the ability to define which systems should be included and which can be safely excluded.[303] The Commission is not requiring “independent security audits” to determine which systems would fall within the definition of indirect SCI system as suggested by this commenter,[304] because the Commission believes its adopted rule requiring an annual SCI review addresses the commenter's request. The Commission notes that the adopted annual SCI review requirement provides that such review must be performed by objective, qualified personnel, and that it must include an assessment of logical and physical security controls for SCI systems and indirect SCI systems. The Commission believes that an SCI entity is generally in the best position to assess in the first instance which of its systems may fall within the definition of indirect SCI systems, and that having an independent third-party audit make that determination should be optional rather than required at this time.

Contrary to the commenter urging expansion of the proposed definition of SCI security systems, many commenters argued that the proposed definition was overbroad,[305] with several of these same commenters suggesting that the term be deleted from the rule entirely.[306] The Commission believes that Regulation SCI warrants inclusion of a definition of indirect SCI systems because an issue or systems intrusion with respect to a non-SCI system still could cause or increase the likelihood of an SCI event with respect to an SCI entity's SCI systems.[307] In particular, because systems that are not adequately walled off from SCI systems may present potential entry points to an SCI entity's network and thus represent potential vulnerabilities to SCI systems, the Commission believes that it is important that the provisions of Regulation SCI relating to security standards and systems intrusions apply to such systems (i.e., indirect SCI systems).

Many commenters objecting to the proposed definition as too broad addressed particular elements of the proposed definition of SCI security systems or provided specific recommendations for modifications or limitations to the definition.[308] For example, some commenters criticized the use of the phrase “share network resources,” noting that it was vague and too broad, potentially encompassing almost any system of an SCI entity.[309] Similarly, one commenter stated that the definition of SCI security system should include only systems that “directly” share network resources with an SCI system.[310] One commenter argued that the definition should only include those systems that are materially and directly connected to the trading operations of an SCI entity.[311] Several commenters recommended that systems that are logically and/or physically separated from SCI systems should be excluded from the definition.[312] Some commenters qualified this position by stating that such systems should be excluded, for example, as long as SCI entities monitor those systems for security breaches and have the ability to shut the system off if they detect a security breach; [313] or provided that the separation is routinely monitored and has appropriate risk controls in place and the system is “air gapped” (i.e., has no point of entry) from the public internet.[314] One commenter believed that the definition should exclude any system with “compensatory controls in place,” which it stated would protect and secure SCI systems from vulnerabilities that could arise from shared network links.[315] Another commenter asked for greater clarity on the extent to which SCI security systems that are isolated from production, such as email and intranet sites, raise security issues that are within the scope of the proposal.[316]

After careful consideration of these comments, the Commission believes that inclusion of the phrase “share network resources” in the proposed definition could be interpreted in a manner that would include almost any system that is part of an SCI entity's network. In response to commenters who expressed concern about the breadth of the proposed definition, the Commission has determined to eliminate the phrase “share network resources” from the definition, so that the adopted result-oriented test depends on whether a system “if breached, would be reasonably likely to pose a security threat to SCI systems.” As a result, the inquiry into whether any system is an indirect SCI system will depend on whether it is effectively physically or logically separated from SCI systems. Systems that are adequately physically or logically separated (i.e., isolated from SCI systems, such that they do not provide vulnerable points of entry into SCI systems) will not fall within the definition of indirect SCI systems.

The Commission believes that having adequate separation and security controls should protect SCI systems from vulnerabilities caused by other systems. To the extent that non-SCI systems are sufficiently walled off from SCI systems using appropriate security measures, and thus are not reasonably likely to pose a security threat to SCI systems if breached, they would not be included in the definition of indirect SCI systems, and thus would be outside of the scope of Regulation SCI.

The Commission notes that the definition of indirect SCI systems will not include any systems of an SCI entity for which the SCI entity establishes reasonably designed and effective controls that result in SCI systems being logically or physically separated from such non-SCI systems. Thus, the universe of an SCI entity's indirect SCI systems is in the control of each SCI entity, and SCI entities should reasonably expect Commission staff to assess their security controls around SCI systems in connection with an inspection or examination for compliance with Regulation SCI. If these controls are not present or are not reasonably designed, the applicable non-SCI systems would be within the scope of the definition of indirect SCI systems and subject to the security standards and systems intrusions provisions of Regulation SCI.

Some commenters recommended that, rather than including SCI security systems in the scope of the regulation, the Commission should instead require SCI entities to establish policies and procedures designed to ensure the security of their systems.[317] According to these commenters, such an approach would require an evaluation of the risks posed to SCI systems by non-SCI systems. As noted, the Commission believes that the adopted definition of “indirect SCI systems” will effectively require SCI entities to evaluate the risks posed to SCI systems by non-SCI systems. However, the Commission believes that the adopted approach will incentivize SCI entities to seek to have in place strong security controls around SCI systems. As noted, if an SCI entity designs and implements security controls so that none of its non-SCI systems would be reasonably likely to pose a security threat to SCI systems, then it will have no indirect SCI systems. If, however, an SCI entity does have indirect SCI systems, then certain provisions of Regulation SCI will apply to those indirect SCI systems.[318] The Commission believes this approach to indirect SCI systems is more appropriate than the policies and procedures approach suggested by some commenters because the Commission believes that its approach is more comprehensive as it includes, for example, the requirements to take corrective action, provide notifications to the Commission, and disseminate information for certain SCI events relating to indirect SCI systems which, by definition, if breached, would be reasonably likely to pose a security threat to SCI systems.

Another commenter stated that a more precise definition of SCI security systems is important and that it would be valuable for the Commission to work with representatives within the securities industry to collectively craft the most appropriate definition that will ensure that critical security systems are captured.[319] In crafting the definition, the Commission has taken into account comments received, with such commenters representing a wide variety of types of participants in the securities markets, and believes the adopted definition of indirect SCI systems, along with the definition of SCI systems, is responsive to a broad range of commenters' concerns.[320]

Another commenter suggested that the definition be limited to systems “of, or operated by or on behalf of, an SCI entity,” noting that the definition of SCI security systems should have parallel construction to the definition of “SCI systems” and without this phrase, SCI entities would be tasked inappropriately with controlling for systems outside of their effective control.[321] As noted, the adopted definition of “indirect SCI systems” applies to those systems “of, or operated by or on behalf of, an SCI entity.” As a result, the adopted definition of indirect SCI systems provides (as is the case for SCI systems) that systems “of, or operated by or on behalf of” an SCI entity, are included in the definition of indirect SCI systems if their breach would be reasonably likely to pose a security threat to SCI systems.[322] The Commission believes that the addition of this language is warranted to make clear that security of SCI systems is not limited solely to threats from systems operated directly by the SCI entity. If it were, outsourced systems of SCI entities would not be subject to the requirements of Regulation SCI, which would undermine the goals of Regulation SCI.

As discussed in further detail below, unlike SCI systems, those systems meeting the definition of “indirect SCI systems” will only be subject to certain provisions of Regulation SCI. Specifically, references to “indirect SCI systems” are included in the definitions of “responsible SCI personnel,” “SCI review,” and “systems intrusion” in adopted Rule 1000.[323] Rule 1001(a), requiring reasonably designed policies and procedures to ensure operational capability, will apply to indirect SCI systems only for purposes of security standards.[324] In addition, Rule 1002, which relates to an SCI entity's obligations with regard to SCI events, will apply to indirect SCI systems only with respect to systems intrusions.[325] Further, pursuant to Rule 1003(a), the obligations related to systems changes will apply to material changes to the security of indirect SCI systems.[326] In addition, the requirements regarding an SCI review will apply to indirect SCI systems.[327] Finally, Rules 1005 through 1007, relating to recordkeeping and electronic filing and submission of Form SCI, respectively, will also apply to indirect SCI systems.[328] The Commission believes that it is appropriate to subject indirect SCI systems to only these specified provisions because the Commission believes that the primary risk posed by indirect SCI systems is that they may serve as vulnerable entry points to SCI systems. The Commission's objective with respect to indirect SCI systems is to guard against a non-SCI system being breached in a manner that threatens the security of any SCI system. The Commission believes that its approach to defining indirect SCI systems, and requiring SCI entities to consider, address, and report on security changes and intrusions into systems where vulnerabilities have been identified, is tailored to meet this objective.

3. SCI Events

Regulation SCI specifies the types of events—i.e., SCI events—that give rise to certain obligations under the rule, including taking corrective action, reporting to the Commission, and disseminating information about such SCI events.[329] Proposed Rule 1000(a) defined the term “SCI event” as “an event at an SCI entity that constitutes: (1) A systems disruption; (2) a systems compliance issue; or (3) a systems intrusion.” [330] The Commission is adopting the definition of “SCI event” as proposed.

Many commenters believed that the proposed definition of “SCI event” was vague [331] or overly broad because it was not limited to capturing material SCI events [332] or events that the commenters believed are truly disruptive and pose a risk to the market.[333] Specifically, several commenters recommended that the definition of SCI event include a materiality threshold, so that only events determined by the SCI entity to be material would trigger certain obligations under the rule.[334] One commenter stated that the definition of SCI event could be interpreted to include trivial events, and therefore believed that the definition needed clarity.[335] Finally, one commenter suggested that SCI event be defined as outlined in Rule 301(b)(6)(ii)(G) under Regulation ATS,[336] which requires a qualifying ATS to notify the Commission of material systems outages and significant systems changes.[337]

After careful consideration of the views of commenters, although the Commission is adopting the definition of “SCI event” as proposed, the requirements of Regulation SCI are tiered in a manner that the Commission believes is responsive to the concerns of commenters about the breadth of the definition.[338] Specifically, and as explained in further detail below, the Commission is incorporating a risk-based approach to the obligations of SCI entities with respect to SCI events.[339]

The Commission is not incorporating a materiality threshold as requested by some commenters,[340] including by limiting the definition of SCI event to only those events that are considered by SCI entities to be truly disruptive to the market.[341] Rather, the Commission believes that the adopted Commission notification and information dissemination requirements for SCI events will help to focus the Commission's and SCI entities' resources on the more significant SCI events by providing appropriate exceptions from reporting and dissemination for events that have no or de minimis impacts on an SCI entity's operations or market participants. In addition, the Commission believes that SCI event should not be defined as outlined in Rule 301(b)(6)(ii)(G) under Regulation ATS as suggested by one commenter,[342] because Rule 301(b)(6)(ii)(G) requires Commission notification of “material systems outages.” [343] Such an approach would exclude any systems compliance issues or systems intrusions, two types of events that the Commission believes should be included as SCI events. This approach would also create a materiality threshold for systems disruptions, which the Commission believes would not be appropriate, as discussed below.

In addition, by not including a materiality threshold within the definition, SCI entities will be required to assess, take corrective action, and keep records of all such events, some of which may initially seem insignificant to an SCI entity, but which may later prove to be the cause of significant systems issues at the SCI entity. An SCI entity's records of de minimis SCI events may also be useful to the Commission in that they may, for example, aid the Commission in identifying patterns of de minimis SCI events that together might result in a more impactful SCI event, either at an SCI entity or across a group of SCI entities, or circumstances in which an SCI event causes de minimis systems issues for one particular SCI entity but results in significant issues for another SCI entity. The Commission also believes that the ability to view such events in the aggregate and across multiple SCI entities is important to allow the Commission and its staff to be able to gather information about trends related to SCI events that could not otherwise be properly discerned. Information about trends will assist the Commission in fulfilling its oversight role by keeping Commission staff informed about the nature and frequency of the types of de minimis SCI events that SCI entities encounter. Moreover, information about trends and notifications of de minimis SCI events generally can also inform the Commission of areas of potential weaknesses, or persistent or recurring problems, across SCI entities and also should help the Commission better focus on common types of SCI events or issues with certain types of SCI systems across SCI entities. This information also will permit the Commission and its staff to issue industry alerts or guidance if appropriate. In addition, this information would allow the Commission and its staff to review SCI entities' classification of SCI events as de minimis SCI events.

In addition, although the definition of SCI event is unchanged, to address commenters' concerns, the Commission has determined to modify the various components of that definition (i.e., the definition of systems disruption, systems compliance issue, and systems intrusion), in certain respects, as discussed below.

a. Systems Disruption

Proposed Rule 1000(a) would have defined “systems disruption” as “an event in an SCI entity's SCI systems that results in: (1) A failure to maintain service level agreements or constraints; (2) a disruption of normal operations, including a switchover to back up equipment with near-term recovery of primary hardware unlikely; (3) a loss of use of any SCI system; (4) a loss of transaction or clearance and settlement data; (5) significant backups or delays in processing; (6) a significant diminution of ability to disseminate timely and accurate market data; or (7) a queuing of data between systems components or queuing of messages to or from customers of such duration that normal service delivery is affected.” [344] As discussed below, in response to comments, the Commission is substantially modifying the proposed definition of systems disruption in adopted Rule 1000.

One commenter stated that the proposed definition of systems disruption was reasonable, but recommended that it be expanded to encompass disruptions originating from a third party.[345] However, many other commenters believed that the definition of systems disruption was too broad and would include minor events that they believed should be excluded from the definition.[346] Several commenters suggested ways to limit the scope of the defined term. For example, some commenters suggested limiting the definition to material disruptions.[347] One of these commenters added that systems disruptions should exclude any regularly planned outages occurring during the normal course of business.[348] Another commenter recommended that development and testing environments should be excluded from the definition of systems disruption.[349] One commenter suggested modifying the definition to include only two elements: (1) Disruptions of either the SCI systems or of the operations of the SCI entity that have the effect of disrupting the delivery of the SCI service provided by those systems; and (2) degradations of SCI systems processing creating backups or delays of such a degree and duration that the delivery of service is effectively disrupted or unusable by the market participants who use the systems.[350]

Two commenters believed that the proposed definition of systems disruption was too rigid and should provide for more flexibility and discretion.[351] Both commenters were skeptical that an event should be reportable solely because it matched the description of one of the seven elements of the definition.[352] One of these commenters noted that the Commission's proposed definition seeks to codify as a formal definition language used by the ARP Inspection Program that was meant to provide flexibility and latitude in determining what constitutes a systems disruption.[353] The other commenter thought that the seven prongs of the proposed definition of “systems disruption” were appropriate considerations in determining whether a systems disruption had occurred, but that an SCI entity should be afforded more discretion and flexibility in determining whether a particular issue meets the definition.[354]

Service Level Agreements

Two commenters believed that the first element of the definition regarding service level agreements should be eliminated.[355] One of these commenters stated that an SCI entity's regulatory requirements should not depend upon the negotiated language of an agreement between business partners, while the other commenter noted that, in some cases, a private contract might have more stringent requirements than required by regulation, which would, in effect, transform such agreements into new regulatory obligations.[356] Other commenters stated this element should be revised to capture only the most significant disruptions to a service level agreement.[357] In addition, one commenter expressed concern that SCI entities may forgo negotiating detailed and stringent service level agreements if the first element were to be adopted as proposed.[358]

Disruptions of Normal Operations

Two commenters stated that the second element of the definition needs clarification because the phrase “disruption of normal operations” is vague and overbroad and therefore could potentially include minor events.[359] Two commenters stated that, if a switchover is utilized and there is no material impact on the core services, then there should not be a requirement to notify the Commission of a systems disruption.[360] One of these commenters added that programming errors that occur prior to production and regularly scheduled maintenance should not be considered disruptions.[361] Several commenters also recommended that testing errors should not be included in the definition,[362] and one commenter stated that testing errors should only be included if they result in a material impact on an SCI entity's operations.[363]

Loss of Use of Any System

One commenter stated that the term “loss of use of any SCI system” is unclear and expressed concern that the lack of clarity may lead to interpretive differences and inconsistencies in application among SCI entities.[364] Three commenters discussed failovers to backup systems, with one commenter stating the Commission should clarify whether this constitutes a loss of use of a system,[365] another commenter stating that it should not be considered a systems disruption,[366] and the third commenter stating that it should only be considered a systems disruption if there is an impact on normal operations.[367]

Loss of Data

Several commenters stated that losses of transaction or clearance and settlement data that are immediately retrieved, promptly corrected, or, for clearance and settlement data, resolved prior to the close of the trading day should not be systems disruptions.[368] One commenter suggested that the rule be revised to include as a systems disruption data that is altered or corrupted in some way.[369] Another commenter stated that this prong of the definition should include a materiality qualifier.[370]

Backups or Delays and Market Data Dissemination

With respect to the fifth and sixth elements of the definition regarding significant backups or delays in processing and a significant diminution of ability to disseminate timely and accurate market data, one commenter expressed support for the inclusion of such performance degradations in the definition of systems disruptions but stated that it believed that the Commission's interpretation of the term “significant” in the SCI Proposal was overly broad because it would encompass delays that are small and, in fact, insignificant.[371]

Data Queuing

With respect to the seventh element, one commenter stated that queuing of data is a very good indicator of a problem, but also noted that it is not necessarily being properly monitored by most firms and suggested that the Commission require SCI entities to monitor queue depth.[372] However, several other commenters stated that queuing of data is normal and necessary.[373] Some commenters suggested that the Commission should only require reporting of such queuing if it materially affects the delivery of core services to customers.[374] One commenter asked for additional clarification on this element because all systems have queues to some extent with normal functionality and only certain queues should trigger recovery actions.[375] One commenter expressed concern that language in the SCI Proposal stating that “queuing of data is a warning signal of significant disruption” [376] would make events that are precursors to system disruptions themselves become system disruptions.[377]

Customer Complaints

Several commenters objected to the Commission's discussion in the SCI Proposal regarding customer complaints,[378] stating that the Commission should not consider each instance in which a customer or systems user complains or inquires about a slowdown or disruption of operations as an indicator of a systems disruption.[379] For example, one commenter noted that customer complaints are often ultimately determined to be the result of system errors or discrepancies on the customer's end, and stated that requiring an SCI entity to treat these complaints as significant systems disruptions simply because they are made would impose an unnecessary burden on the SCI entity.[380]

Definition of “Systems Disruption” as Adopted

After careful consideration of the views of commenters, the Commission is removing the seven specific types of systems malfunctions that were proposed to define systems disruption. As adopted, “systems disruption” is defined in Rule 1000 to mean “an event in an SCI entity's SCI systems that disrupts, or significantly degrades, the normal operation of an SCI system.” The Commission has considered commenters' suggestions and feedback with respect to the proposed definition, including the criticisms of various aspects of the seven specific types of systems malfunctions delineated in the SCI Proposal and believes that the adopted definition, which largely follows the definition suggested by a commenter, is appropriate.[381] Specifically, this commenter recommended that the definition of systems disruption be revised to have two elements: (1) Disruptions of either the SCI systems or of the operations of the SCI entity that have the effect of disrupting the delivery of the SCI service provided by those systems; and (2) degradations of SCI systems processing creating backups or delays of such a degree and duration that the delivery of service is effectively disrupted or unusable by the market participants who use the systems.[382]

The Commission agrees with commenters that the proposed definition of systems disruption had the potential to be both over-inclusive and under-inclusive. The Commission believes that the adopted definition appropriately represents a change in focus of the definition from the prescriptive seven prongs in the SCI Proposal's definition that represented the effects caused by a disruption of an SCI entity's systems to, instead, whether a system is halted or degraded in a manner that is outside of its normal operation. The Commission believes the revised definition sets forth a standard that SCI entities can apply in a wide variety of circumstances to determine in their discretion whether a systems issue should be appropriately categorized as a systems disruption. Further, because the adopted definition of systems disruption takes into account whether a systems problem is outside of normal operations, the Commission also believes that partly addresses the concerns of the commenters suggesting that the definition of systems disruption include a materiality qualifier.[383]

Because the Commission agrees with commenters regarding the difficulties of the proposed definition of “systems disruption,” it is not including any of the specific types of systems malfunctions in the adopted definition of “systems disruption.” Thus, the Commission believes SCI entities would likely find it helpful to establish parameters that can aid them and their staff in determining what constitutes the “normal operation” [384] of each of its SCI systems, and when such “normal operation” has been disrupted or significantly degraded because those parameters have been exceeded. The Commission agrees with commenters who noted that, given its voluntary nature, entities that participate in the ARP Inspection Program are afforded a certain degree of flexibility and discretion in reporting systems outages, and agrees that, given its proposed application to a mandatory rule, the proposed definition limited the flexibility and discretion of SCI entities in a manner that was overly rigid.[385] Although the specific types of systems malfunctions have been removed from the adopted definition of systems disruption, the Commission nonetheless continues to believe, as suggested by one commenter,[386] that the types of systems malfunctions that comprised the proposed definition may be useful to SCI entities to consider as indicia of a systems disruption.

As discussed in the SCI Proposal [387] and by certain commenters,[388] the seven categories of malfunctions in the proposed definition of “systems disruption” have their origin in ARP staff guidance regarding when ARP participants should notify the Commission of system outages and represent practical examples that SCI entities should consider to be systems disruptions in many circumstances. The Commission notes that the revised definition is intended to address some commenters' concerns with the particular elements of the definition of systems disruption as originally proposed. For example, under the modified definition, if an SCI system experiences an unplanned outage but fails over smoothly to its backup system such that there is no disruption or significant degradation of the normal operation of the system, the outage of the primary system would not constitute a systems disruption. On the other hand, an SCI entity may determine that, even when a primary system fails over smoothly to its backup system such that users are not impacted by the failover, operating from the backup system without additional redundancy would not constitute normal operation. In this case, the outage of the primary system would fall within the definition of systems disruption. Further, the Commission believes it would be appropriate for an SCI entity to take into account regularly scheduled outages or scheduled maintenance as part of “normal operations.” [389] In particular, a planned disruption to an SCI system that is a part of regularly scheduled outages or scheduled maintenance would not constitute a systems disruption or be subject to the requirements of Regulation SCI, if such regularly scheduled outages or scheduled maintenance are part of the SCI entity's normal operations. 
With regard to data queuing, to the extent that such queuing is part of the normal functionality of a system and does not cause a disruption or significant degradation of normal operations, it would not be captured by the rule, which is limited to events occurring to an SCI system that are outside its normal operations.[390] Additionally, by eliminating the seven types of malfunctions from the definition as proposed, the Commission has responded to commenters who expressed concern that events that are precursors to system disruptions, such as the queuing of data, would themselves be systems disruptions.[391] Similarly, by eliminating the seven types of malfunctions, the Commission has addressed comments that called for the elimination of specific elements of the proposed definition, such as service level agreements.[392]

Further, the Commission agrees with commenters that customer complaints may be indicia of a systems issue,[393] but that a customer complaint alone would not be determinative of whether a system problem has occurred that meets the definition of systems disruption under Regulation SCI.[394] With respect to the commenters who stated that losses of transaction or clearance and settlement data that are immediately retrieved, promptly corrected, or, for clearance and settlement data, resolved prior to the close of the trading day should not be systems disruptions, the adopted definition would exclude these events if they do not disrupt or significantly degrade the normal operations of an SCI system.[395] However, if loss of transaction or clearance and settlement data disrupts or significantly degrades the normal operation of an SCI system, it would constitute a systems disruption and be subject to the requirements of Regulation SCI (e.g., immediate or quarterly Commission notification, depending on the impact of the disruption).

Several commenters also suggested that testing errors or other disruptions in development and testing environments should be excluded from the definition of systems disruption.[396] The Commission notes that, as discussed above, development and testing systems have been excluded from the definition of SCI systems, and thus such disruptions would not be subject to the requirements of Regulation SCI.[397]

The Commission is not incorporating a materiality threshold into the definition of systems disruption as requested by some commenters.[398] Rather, as discussed below, the requirements of Regulation SCI are tiered in a manner that the Commission believes is responsive to commenters' concerns regarding the breadth of the definition of systems disruption (while stopping short of including a materiality standard).[399] In particular, the Commission believes that the adopted Commission notification and information dissemination requirements for SCI events (i.e., quarterly Commission reporting of de minimis systems disruptions, and an exception for de minimis systems disruptions from the information dissemination requirement) will help to focus the Commission's and SCI entities' resources on the more significant systems disruptions. In addition, by not including a materiality threshold within the definition, SCI entities will be required to assess, take corrective action, and keep records of all systems disruptions, some of which may initially seem insignificant to an SCI entity, but which may later prove to be the cause of significant systems disruptions at the SCI entity. An SCI entity's records of de minimis systems disruptions may also be useful to the Commission in that they may, for example, aid the Commission in identifying patterns of de minimis systems disruptions that together might result in a more impactful SCI event, either at an SCI entity or across a group of SCI entities, or circumstances in which a systems disruption causes de minimis systems issues for one particular SCI entity but results in significant issues for another SCI entity. 
The Commission also believes that the ability to view de minimis SCI events in the aggregate and across multiple SCI entities is important to the Commission and its staff to be able to gather information about trends related to such systems disruptions that could not otherwise be properly discerned. Information about trends will assist the Commission in fulfilling its oversight role by keeping Commission staff informed about the nature and frequency of the types of de minimis systems disruptions that SCI entities encounter. Moreover, information about trends can also inform the Commission of areas of potential weaknesses, or persistent or recurring problems, across SCI entities and also should help the Commission better focus on common types of systems disruptions with certain types of SCI systems across SCI entities. This information also would permit the Commission and its staff to issue industry alerts or guidance if appropriate. In addition, this information would allow the Commission and its staff to review SCI entities' classification of events as de minimis systems disruptions. Moreover, the Commission believes that, even without adopting a materiality threshold, the adopted definition of SCI systems further focuses the scope of the definition of systems disruption.[400]

The Commission also believes that it is unnecessary to modify the definition of systems disruption specifically to encompass disruptions originating from a third party, as one commenter suggested.[401] The definition of systems disruption does not limit such events with respect to the source of the disruption, whether an internal source at the SCI entity or an external third party source.

b. Systems Compliance Issue

Proposed Rule 1000(a) would have defined the term “systems compliance issue” as “an event at an SCI entity that has caused any SCI system of such entity to operate in a manner that does not comply with the federal securities laws and rules and regulations thereunder or the entity's rules or governing documents, as applicable.” [402] The Commission is adopting the definition of systems compliance issue substantially as proposed, with modifications to refine its scope.

Two commenters stated that the term “systems compliance issue” should be deleted from the definition of SCI event entirely.[403] One of these commenters stated that the inclusion of systems compliance issue as an SCI event would be a departure from the ARP Inspection Program and ARP Policy Statements.[404] The other commenter argued that any report regarding a systems compliance issue is an admission that the SCI entity has violated a law, rule, or one of its governing documents, creating a risk of an enforcement action or other liability for the SCI entity.[405]

Other commenters stated that the proposed definition is too broad and should be refined to include only those issues that are material or significant.[406] Commenters' specific recommendations included limiting the definition to those systems compliance issues that: have a material and significant effect on members; [407] can be reasonably expected to result in significant harm or loss to market participants or impact the operation of a fair and orderly market; [408] or have a materially negative impact on the SCI entity's ability to perform its core functions.[409] One commenter also noted that the term should be specifically defined to take account of an SCI entity's function, such as clearing agencies' ability to comply with Section 17A.[410]

After considering the view of commenters that the proposed definition of systems compliance issue is too broad,[411] the Commission is revising the definition to mean an event that has caused an SCI system to operate “in a manner that does not comply with the Act” and the rules and regulations thereunder and the entity's rules and governing documents, as applicable.[412] The Commission believes the refinement from “federal securities laws” to “the Act” (i.e., the Securities Exchange Act of 1934) will appropriately focus the definition on Exchange Act compliance rather than other areas of the federal securities laws. Although the Commission did not receive specific comment suggesting that it amend the definition of systems compliance issue by using the term “the Act” instead of the broader “federal securities laws,” commenters did suggest that the Commission limit the scope of the definition to only apply to those sections of the Act that are applicable to a particular SCI entity [413] or the SCI entity's rules.[414] The Commission agrees with these commenters insofar as they advocated for focusing the scope to a more specific set of securities laws and for reducing the burden on SCI entities, and further believes this refinement does not compromise the objective of the definition, which is to capture systems compliance issues with respect to SCI entities' obligations under the Exchange Act. The Commission believes that the refinement provides additional clarity to SCI entities that, for purposes of Regulation SCI, their obligations are with respect to compliance with the Exchange Act and the rules and regulations thereunder and the entity's rules and governing documents.[415]

The Commission disagrees with commenters who suggested removing systems compliance issues from the definition of SCI event altogether.[416] Although systems compliance issues have not been within the scope of the ARP Inspection Program,[417] the Commission believes that inclusion of systems compliance issues in the definition of SCI event and the resulting applicability of the Commission reporting, information dissemination, and recordkeeping requirements to systems compliance issues is important to help ensure that SCI systems are operated by SCI entities in compliance with the Exchange Act, rules thereunder, and their own rules and governing documents.

In addition, the Commission is not adopting a materiality qualifier [418] or other limiting threshold [419] in the definition of systems compliance issue as suggested by some commenters. Instead, the requirements of Regulation SCI are tiered in a manner that the Commission believes is responsive to commenters' concerns regarding the breadth of the definition of systems compliance issue.[420] In particular, the Commission believes that the adopted Commission notification requirement and the information dissemination requirement (each of which provides an exception for systems compliance issues that have no or de minimis impacts on an SCI entity's operations or market participants) will help to focus the Commission's and SCI entities' resources on those systems compliance issues with more significant impacts. In addition, by not including a materiality threshold within the definition, SCI entities will be required to assess, take corrective action, and keep records of all systems compliance issues, some of which may initially seem to have little or no impact, but which may later prove to be the cause of significant systems compliance issues at the SCI entity. The Commission notes that all SCI entities are required to comply with the Exchange Act, the rules and regulations thereunder, and their own rules, as applicable. Therefore, even if an SCI entity determines that a systems compliance issue has no or a de minimis impact, the Commission believes that it is important that it have ready access to records regarding such de minimis systems compliance issues to allow it to more effectively oversee SCI entities' compliance with the Exchange Act and relevant rules. An SCI entity's records of de minimis systems compliance issues may also be useful to the Commission in that they may, for example, aid the Commission in identifying areas of potential weaknesses, or persistent or recurring problems, at an SCI entity or across multiple SCI entities. 
This information also would permit the Commission and its staff to issue industry alerts or guidance if appropriate. In addition, this information would allow the Commission and its staff to review SCI entities' classification of events as de minimis systems compliance issues.

Finally, the Commission believes that, even without adopting a materiality threshold, the adopted definition of SCI systems, as described in Section IV.A.2 above, further focuses the scope of the definition of systems compliance issue.

With respect to a commenter's concern that any report regarding a systems compliance issue would be an admission of a violation and thus create a risk of enforcement action or other liability,[421] the Commission notes that the Commission notification requirement is not triggered until a responsible SCI personnel has a reasonable basis to conclude that a systems compliance issue has occurred.[422] The Commission acknowledges that it could consider the information provided to the Commission in determining whether to initiate an enforcement action. However, the Commission notes that the occurrence of a systems compliance issue also does not necessarily mean that the SCI entity will be subject to an enforcement action. Rather, the Commission will exercise its discretion to initiate an enforcement action if the Commission determines that action is warranted, based on the particular facts and circumstances of an individual situation.[423] With respect to the potential for other types of liability as suggested by this commenter, many entities that fall within the definition of SCI entity already currently disclose to the Commission and their members or participants certain information regarding systems issues, including issues that may potentially give rise to liability.[424] Moreover, the Commission recognizes that compliance with Regulation SCI will increase the amount of information about SCI events available to the Commission and SCI entities' members and participants, and that the greater availability of this information has some potential to increase litigation risks for SCI entities, including the risk of private civil litigation. The Commission believes that the value of disclosure to the Commission, market participants and investors justifies the potential increase in litigation risk. Moreover, the Commission notes that, to the extent members and participants or the public suffer damages when SCI events occur, SCI entities are already subject to litigation risk.

As adopted, Rule 1000 defines “systems compliance issue” as “an event at an SCI entity that has caused any SCI system of such entity to operate in a manner that does not comply with the Act and the rules and regulations thereunder or the entity's rules or governing documents, as applicable.” As noted in the SCI Proposal, a systems compliance issue could, for example, occur when a change to an SCI system is made by information technology staff, without the knowledge or input of regulatory staff, that results in the system operating in a manner that does not comply with the Act and rules thereunder or the entity's rules and other governing documents.[425] For an SCI SRO, systems compliance issues would include SCI systems operating in a manner that does not comply with the SCI SRO's rules as defined in the Act and the rules thereunder.[426] For a plan processor, systems compliance issue would include SCI systems operating in a manner that does not comply with an applicable effective national market system plan. For an SCI ATS or exempt clearing agency subject to ARP, a systems compliance issue would include SCI systems operating in a manner that does not comply with documents such as subscriber agreements and any rules provided to subscribers and users and, for an ATS, described in its Form ATS filings with the Commission.[427]

c. Systems Intrusion

Proposed Rule 1000(a) defined “systems intrusion” as “any unauthorized entry into the SCI systems or SCI security systems of an SCI entity.” [428] The proposed definition is being adopted as proposed, with one technical modification to replace the term “SCI security systems” with “indirect SCI systems.” [429]

While one commenter noted its general support for the inclusion of systems intrusions within the scope of Regulation SCI,[430] this commenter and others stated that the proposed definition was too broad or vague.[431] Several commenters asserted that the proposed definition would capture too many insignificant and minor incidents.[432] Some commenters recommended limiting the definition to material systems intrusions, and offered various suggestions for how to do so.[433]

One commenter stated that the proposed definition was overbroad because it would include both intentional and unintentional conduct, as well as events that have no adverse impact.[434] Another commenter also stated that the definition should be modified to make clear that an intrusion that is inadvertent would not qualify as a systems intrusion.[435] This commenter further stated that a systems intrusion should be limited to unauthorized access to confidential information or to the SCI systems of an SCI entity that materially disrupts the operations of such systems.[436] Another commenter suggested that the definition focus on the unauthorized control of the confidentiality, integrity, or availability of an SCI system and/or its data.[437]

Some commenters noted that the proposed definition of systems intrusion did not take into account the multi-layered nature of today's technology systems. Two commenters stated that the multi-layered protections of systems architecture are designed to anticipate intrusions into the outer layer without material risk or impact, thus intrusions into such a peripheral system should not constitute a systems intrusion under the rule.[438]

Several commenters stated that only successful systems intrusions should be covered in the definition.[439] One commenter suggested that this concept be made explicit in the rule text by adding the term “successful” to the definition.[440] Two commenters, while supporting the inclusion of only successful systems intrusions in the definition, pointed out the value of sharing information regarding unsuccessful systems intrusions, stating that this practice already occurs today among SCI entities, their regulators, and appropriate law enforcement agencies.[441]

As adopted, Rule 1000 defines “systems intrusion” to mean “any unauthorized entry into the SCI systems or indirect SCI systems of an SCI entity.” This definition is intended to cover any unauthorized entry into SCI systems or indirect SCI systems, regardless of the identity of the person committing the intrusion (whether they are outsiders, employees, or agents of the SCI entity), and regardless of whether or not the intrusion was part of a cyber attack, potential criminal activity, or other unauthorized attempt to retrieve, manipulate, or destroy data, or access or disrupt systems of SCI entities. Thus, for example, this definition is intended to cover the introduction of malware or other attempts to disrupt SCI systems or indirect SCI systems provided that such systems were actually breached. In addition, the definition is intended to cover unauthorized access, whether intentional or inadvertent, by employees or agents of the SCI entity that resulted from weaknesses in the SCI entity's access controls and/or procedures. In response to comments, the Commission emphasizes that the definition of systems intrusion does not include unsuccessful attempts at unauthorized entry because an unsuccessful systems intrusion is much less likely to disrupt the systems of an SCI entity than a successful intrusion. The Commission believes that it is unnecessary and redundant to specifically state in the definition of systems intrusion that unauthorized entries must be “successful” because the term “entry” incorporates the concept of successfully gaining access to an SCI system or indirect SCI system.

Further, the Commission is not incorporating a materiality threshold for the definition of systems intrusion or otherwise limiting the definition of systems intrusion to only those systems intrusions that are major or significant as requested by some commenters. The Commission believes that, even without adopting a materiality threshold, the adopted definitions of SCI systems and indirect SCI systems further focus the scope of the definition of systems intrusion. Further, because any unauthorized entry into an SCI system or indirect SCI system is a security breach of which the Commission, having responsibility for oversight of the U.S. securities markets, should be notified, the Commission is not including a materiality threshold. In addition, as discussed below, the requirements of Regulation SCI are tiered in a manner that the Commission believes is responsive to commenters' concerns regarding the breadth of the definition of systems intrusion.[442] By not including a materiality threshold within the definition, SCI entities will be required to assess, take corrective action, and keep records of all systems intrusions, some of which may initially seem insignificant to an SCI entity, but which may later prove to be the cause of significant systems issues at the SCI entity. An SCI entity's records of de minimis systems intrusions may also be useful to the Commission in that they may, for example, aid the Commission in identifying patterns of de minimis systems intrusions that together might result in a more impactful SCI event, either at an SCI entity or across a group of SCI entities, or circumstances in which a systems intrusion causes de minimis systems issues for one particular SCI entity but results in significant issues for another SCI entity. 
The Commission also believes that the ability to view de minimis systems intrusions in the aggregate and across multiple SCI entities is important to allow the Commission and its staff to be able to gather information about trends related to such systems intrusions that could not otherwise be properly discerned. Information about trends will assist the Commission in fulfilling its oversight role by keeping Commission staff informed about the nature and frequency of the types of de minimis systems intrusions that SCI entities encounter. Moreover, information about trends and notifications of de minimis systems intrusions generally can also inform the Commission of areas of potential weaknesses, or persistent or recurring problems, across SCI entities and also should help the Commission better focus on common types of systems intrusions or issues with certain types of SCI systems across SCI entities. This information also would permit the Commission and its staff to issue industry alerts or guidance if appropriate. In addition, this information would allow the Commission and its staff to review SCI entities' classification of events as de minimis systems intrusions.

The Commission also is not distinguishing between intentional and unintentional systems intrusions, as suggested by some commenters.[443] The Commission acknowledges that intentional systems intrusions may result in more severe disruptions to the systems of an SCI entity than unintentional or inadvertent intrusions. On the other hand, the Commission believes that it should be notified of successful unintentional or inadvertent systems intrusions because they can still indicate weaknesses in a system's security controls. To the extent that these systems intrusions have no or a de minimis impact on the SCI entity's operations or on market participants, they will only be subject to a quarterly reporting requirement and will be excepted from the information dissemination requirement.[444]

Additionally, the Commission does not agree that the definition of systems intrusion should be limited to unauthorized access to confidential information [445] or should be focused on the unauthorized control of the confidentiality, integrity, or availability of an SCI system and/or its data [446] because the Commission believes that these modifications would create a definition that would limit the Commission's ability to be aware of events that fall outside the limited definition that commenters suggested but that could, for example, have industry-wide implications. Similarly, with respect to the comment that intrusions into a peripheral system should not constitute a systems intrusion because the multi-layered protections of systems architecture are designed to anticipate intrusions into the outer layer and help prevent material risk or impact,[447] the Commission believes that its discussion of indirect SCI systems in Section IV.A.2.d above responds to commenters' concerns by explaining that systems intrusions into an indirect SCI system could cause or increase the likelihood of an SCI event with respect to an SCI system. And to the extent a system intrusion occurs with respect to an SCI system or indirect SCI system but the SCI entity's multi-layered systems architecture helps prevent material risk or impact, the Commission notes that de minimis systems intrusions (if such a system intrusion was determined to be de minimis) would be subject to less frequent Commission reporting requirements and would not be subject to the information dissemination requirements.

B. Obligations of SCI Entities—Rules 1001-1004

Proposed Rules 1000(b)(1)-(9) are renumbered as adopted Rules 1001-1004. Adopted Rule 1001 corresponds to proposed Rules 1000(b)(1)-(2) and contains the policies and procedures requirements for SCI entities with respect to operational capability and the maintenance of fair and orderly markets (Rule 1001(a)), systems compliance (Rule 1001(b)), and identification and designation of responsible SCI personnel and escalation procedures (Rule 1001(c)).[448] Adopted Rule 1002 corresponds to proposed Rules 1000(b)(3)-(5) and contains the obligations of SCI entities with respect to SCI events, which include corrective action, Commission notification, and information dissemination. Adopted Rule 1003 corresponds to proposed Rules 1000(b)(6)-(8) and contains requirements relating to material systems changes and SCI reviews. Finally, adopted Rule 1004 corresponds to proposed Rule 1000(b)(9) and contains requirements relating to business continuity and disaster recovery plan testing, including requiring participation of designated members or participants of SCI entities in such testing.

1. Policies and Procedures To Achieve Capacity, Integrity, Resiliency, Availability and Security—Rule 1001(a)

a. Proposed Rule 1000(b)(1)

Proposed Rule 1000(b)(1) would have required an SCI entity to: (1) Establish, maintain, and enforce written policies and procedures reasonably designed to ensure that its SCI systems and, for purposes of security standards, SCI security systems, have levels of capacity, integrity, resiliency, availability, and security, adequate to maintain the SCI entity's operational capability and promote the maintenance of fair and orderly markets; and (2) include certain required elements in such policies and procedures. As proposed, these policies and procedures were required to provide for: (A) The establishment of reasonable current and future capacity planning estimates; (B) periodic capacity stress tests of systems to determine their ability to process transactions in an accurate, timely, and efficient manner; (C) a program to review and keep current systems development and testing methodology; (D) regular reviews and testing of systems, including backup systems, to identify vulnerabilities pertaining to internal and external threats, physical hazards, and natural or manmade disasters; (E) business continuity and disaster recovery plans that include maintaining backup and recovery capabilities sufficiently resilient and geographically diverse to ensure next business day resumption of trading and two-hour resumption of clearance and settlement services following a wide-scale disruption; and (F) standards that result in systems being designed, developed, tested, maintained, operated, and surveilled in a manner that facilitates the successful collection, processing, and dissemination of market data.

Proposed Rule 1000(b)(1)(i) also provided that an SCI entity's applicable policies and procedures would be deemed to be reasonably designed if they were consistent with “current SCI industry standards.” Proposed Rule 1000(b)(1)(ii) provided that “current SCI industry standards” were to be comprised of “information technology practices that are widely available for free to information technology professionals in the financial sector . . . and issued by an authoritative body that is a U.S. governmental entity or agency, association of U.S. governmental entities or agencies, or widely recognized organization.” [449] The SCI Proposal also included, on “Table A,” a list of publications that the Commission had preliminarily identified as examples of current SCI industry standards in each of nine information security domains.[450] The SCI Proposal stated that an SCI entity, taking into account its nature, size, technology, business model, and other aspects of its business, could, but would not be required to, use the publications listed on Table A to establish, maintain, and enforce reasonably designed policies and procedures that satisfy the requirements of proposed Rule 1000(b)(1).[451] The SCI Proposal also stated that “current SCI industry standards” were not limited to those identified in the publications on Table A and could include other publications meeting the proposed criteria for “current SCI industry standards.” [452] In addition, proposed Rule 1000(b)(1)(ii) stated that compliance with “current SCI industry standards” would not be the exclusive means to comply with the requirements of proposed Rule 1000(b)(1).[453]

b. Comments Received on Proposed Rule 1000(b)(1) and Commission Response

i. Policies and Procedures Generally—Rules 1001(a)(1) and (3)

The Commission received a wide range of comments on proposed Rule 1000(b)(1). With respect to policies and procedures generally, some commenters believed the proposal was too prescriptive.[454] Several characterized it as a “one-size-fits-all” approach that did not adequately take into account differences between SCI entities and SCI entity systems.[455] Several commenters objecting to the rule as too prescriptive urged that the adopted rule incorporate a risk-based framework, so that SCI entities and/or systems of greater criticality would be required to adhere to a stricter set of policies and procedures than SCI entities and/or systems of lesser criticality.[456] These commenters maintained that each SCI entity should have discretion to calibrate its policies and procedures based on its own assessment of the criticality of the SCI entity and its systems to market stability, or that the Commission should “tier” the obligations of SCI entities or SCI entity systems based on their market function.[457]

In contrast, some commenters stated that the Commission's proposed approach was too vague or insufficient.[458] For example, one commenter characterized the minimum elements of policies and procedures in proposed Rule 1000(b)(1)(A)-(F) as “so vague that they will fail to provide any meaningful improvement in technological systems.” [459] Another commenter stated that the proposed scope of required policies and procedures was appropriate, but that further elaboration on the details was warranted.[460] One commenter stated that the proposed rule lacked adequate discussion of what it means for policies and procedures to be reasonably designed “to maintain . . . operational capability and promote the maintenance of fair and orderly markets.” [461]

The Commission has carefully considered the views of commenters on its proposed policies and procedures approach to ensuring adequate capacity, integrity, resiliency, availability, and security of SCI systems (and security for indirect SCI systems). The Commission agrees with commenters who stated that requiring SCI entities to have policies and procedures relating to the capacity, integrity, resiliency, availability, and security of SCI systems (and security for indirect SCI systems) should not be a “one-size-fits-all” approach and, as discussed in detail below, is therefore clarifying that the adopted rule is consistent with a risk-based approach, as it allows an SCI entity's policies and procedures to be tailored to a particular system's criticality and risk. As noted above, while some commenters characterized the proposed rule as too vague and sought further specificity, others found the rule to be too prescriptive. The Commission believes that the adopted rule provides an appropriate balance between these two opposing concerns by providing a framework that identifies the minimum areas that are required to be addressed by an SCI entity's policies and procedures without prescribing the specific policies and procedures that an SCI entity must follow, or detailing how each element in Rule 1001(a)(2) should be addressed. Given the various types of systems at SCI entities, each of which represent a different level of criticality and risk to each SCI entity and to the securities markets more broadly, the adopted rule seeks to provide flexibility to SCI entities to design their policies and procedures consistent with a risk-based approach, as discussed in further detail below. At the same time, because the Commission believes that additional guidance on how an SCI entity may comply with the rule is warranted in certain areas, the Commission is providing further guidance below. 
In response to comment, the Commission is adopting Rule 1001(a) with modifications that it believes will better provide SCI entities with sufficient flexibility to develop their policies and procedures to achieve robust systems, while also providing guidance on how an SCI entity may comply with the final rule. Specifically, adopted Rule 1001(a) is modified to: (i) Clarify that the rule is consistent with a risk-based approach that requires more robust policies and procedures for higher-risk systems and provides an SCI entity with flexibility to tailor its policies and procedures to the nature of its business, technology, and the relative criticality of each of its SCI systems; (ii) make clear that an SCI entity's reasonable policies and procedures remain subject to ongoing self-assessment; (iii) provide increased flexibility in the manner in which an SCI entity may satisfy the minimum elements of required policies and procedures; and (iv) revise the criteria for “current SCI industry standards.” In addition, proposed Table A is recharacterized and will be issued as staff guidance that will evolve over time.

Response to Commenters Advocating a Risk-Based Approach

Adopted Rule 1001(a)(1) requires each SCI entity to establish, maintain, and enforce written policies and procedures reasonably designed to ensure that its SCI systems and, for purposes of security standards, indirect SCI systems, have levels of capacity, integrity, resiliency, availability, and security, adequate to maintain the SCI entity's operational capability and promote the maintenance of fair and orderly markets. The text of this part of the rule is largely unchanged from the proposal. Although several commenters expressed concern that the proposed rule would have imposed a “one-size-fits-all” approach, requiring all SCI entities to hold all of their SCI systems to the same standards,[462] this was not the intent of proposed Rule 1000(b)(1), nor is it what adopted Rule 1001(a)(1) requires. By requiring an SCI entity to have policies and procedures “reasonably designed” and “adequate” to maintain operational capability and promote the maintenance of fair and orderly markets, the adopted rule provides an SCI entity with flexibility to determine how to tailor its policies and procedures to the nature of its business, technology, and the relative criticality of each of its SCI systems.[463] Although the adopted rule does not assign differing obligations to an SCI entity based on its registration status, or its general market function, as some commenters urged, by allowing each SCI entity to tailor its policies and procedures accordingly, the adopted approach recognizes that there are differences between, and varying roles played by, different systems at various SCI entities.
In tandem with the refined definition of “SCI systems,” the modified definition of “SCI security systems” (adopted as “indirect SCI systems”), and the new definition of “critical SCI systems,”[464] adopted Rule 1001(a)(1) explicitly recognizes that policies and procedures that are “reasonably designed” and “adequate” to maintain operational capability and promote the maintenance of fair and orderly markets for critical SCI systems may differ from those that are “reasonably designed” and “adequate” to maintain operational capability and promote the maintenance of fair and orderly markets for other SCI systems, or indirect SCI systems. As such, the Commission believes that its adopted approach in Regulation SCI is consistent with a risk-based approach, and that adopted Regulation SCI may result in the systems of certain SCI entities (for example, those that have few or no critical SCI systems) generally being subject to less stringent policies and procedures than the systems of other SCI entities. Thus, a risk assessment is appropriate for an SCI entity to determine how to tailor its policies and procedures for its SCI systems and indirect SCI systems.

The Commission also believes that requiring an SCI entity to tailor its policies and procedures so that they are reasonably designed and adequate will entail that an SCI entity assess the relative criticality and risk of each of its SCI systems and indirect SCI systems. Evaluation of the risk posed by any particular SCI system to the SCI entity's operational capability and the maintenance of fair and orderly markets will be the responsibility of the SCI entity in the first instance. The Commission believes this approach will achieve the goal of improving Commission review and oversight of U.S. securities market infrastructure, but will do so within a more focused framework than as proposed. By being subject to requirements for a more targeted set of SCI systems, and guided by consideration of the relative risk of each of its SCI systems, SCI entities may more easily determine how to allocate their resources to achieve compliance with the regulation than they would have under the proposed regulation.

As noted above, one commenter urged the Commission to discuss what it means for policies and procedures to be reasonably designed “to maintain . . . operational capability and promote the maintenance of fair and orderly markets.” [465] This commenter characterized the proposed standard of “maintaining operational capability” as an “introspective standard relevant to the applicable SCI entity,” and the proposed standard of “promoting the maintenance of fair and orderly markets” as implying “some incremental responsibility to the collective market.” [466] The Commission agrees with this commenter's characterization and believes that it is appropriate for SCI entities to assess the risk of their systems taking into consideration both objectives, which are related and complementary.[467] Specifically, the Commission believes that it is important that an SCI entity's policies and procedures are reasonably designed to ensure its own operational capability, including the ability to maintain effective operations, minimize or eliminate the effect of performance degradations, and have sufficient backup and recovery capabilities. At the same time, an SCI entity's own operational capability can have broader effects and, as entities that play a significant role in the U.S. securities markets and/or have the potential to impact investors, the overall market, or the trading of individual securities,[468] the Commission believes that the policies and procedures should also be reasonably designed to promote the maintenance of fair and orderly markets.

Periodic Review

Some commenters expressed concern that, when an SCI entity's policies and procedures fail to prevent an SCI event, the Commission might use such failure as the basis for an enforcement action, charging that the policies and procedures were not reasonable.[469] One commenter suggested that the Commission's focus should be on an entity's adherence to its own set of policies and procedures, developed based on “experience, annual SCI reviews, and other inputs,” rather than a “set of generic standards.” [470]

In response to these comments, the Commission notes that the reasonably designed policies and procedures approach taken in adopted Rule 1001(a) does not require an entity to guarantee flawless systems. But the Commission believes it should be understood to require diligence in maintaining a reasonable set of policies and procedures that keeps pace with changing technology and circumstances and does not become outdated over time. The Commission is therefore adopting a requirement for periodic review by an SCI entity of the effectiveness of its policies and procedures required by Rule 1001(a), and prompt action by the SCI entity to remedy deficiencies in such policies and procedures.[471] An SCI entity will not be found to be in violation of this maintenance requirement solely because it failed to identify a deficiency in its policies and procedures immediately after the deficiency occurred if the SCI entity takes prompt action to remedy the deficiency once it is discovered, and the SCI entity had otherwise reviewed the effectiveness of its policies and procedures and took prompt action to remedy those deficiencies that were discovered, as required by Rule 1001(a)(3).

Further, the occurrence of a systems disruption or systems intrusion will not necessarily mean that an SCI entity has violated Rule 1001(a), or that it will be subject to an enforcement action for violation of Regulation SCI. The Commission will exercise its discretion to initiate an enforcement action if the Commission determines that such action is warranted, based on the particular facts and circumstances. While a systems problem may be probative as to the reasonableness of an SCI entity's policies and procedures, it is not determinative.

ii. Minimum Elements of Reasonable Policies and Procedures—Rule 1001(a)(2)

Proposed Rule 1000(b)(1)(i) would have required that an SCI entity's policies and procedures provide for, at a minimum: (A) The establishment of reasonable current and future capacity planning estimates; (B) periodic capacity stress tests of systems to determine their ability to process transactions in an accurate, timely, and efficient manner; (C) a program to review and keep current systems development and testing methodology; (D) regular reviews and testing of systems, including backup systems, to identify vulnerabilities pertaining to internal and external threats, physical hazards, and natural or manmade disasters; (E) business continuity and disaster recovery plans that include maintaining backup and recovery capabilities sufficiently resilient and geographically diverse to ensure next business day resumption of trading and two-hour resumption of clearance and settlement services following a wide-scale disruption; and (F) standards that result in systems being designed, developed, tested, maintained, operated, and surveilled in a manner that facilitates the successful collection, processing, and dissemination of market data. References to “systems” in the proposed rule were to the proposed definition of SCI systems, and with respect to security standards only, the proposed definition of SCI security systems.

Adopted Rule 1001(a)(2) includes the items formerly proposed as Rules 1000(b)(1)(i)(A)-(F) as renumbered Rules 1001(a)(2)(i)-(vi) and a new item (vii), relating to monitoring of SCI systems. Proposed items (A), (D), and (E) are revised in certain respects in response to comment. In addition, the Commission discusses below each of the adopted provisions of Rule 1001(a)(2) in the context of the adopted definitions of SCI systems and indirect SCI systems, where relevant.[472]

Capacity Planning

The SCI Proposal stated that policies and procedures for the establishment of reasonable current and future capacity planning (proposed item (A)) would help an SCI entity determine its systems' ability to process transactions in an accurate, timely, and efficient manner, and thereby help ensure market integrity.[473] One commenter expressed support for the requirement in proposed item (A),[474] and another commenter recommended that proposed item (A) be revised to make clear that SCI entity capacity planning estimates apply to “technology infrastructure” capacity, as opposed to capacity with respect to non-technology infrastructure of an SCI entity.[475] Because the Commission intended proposed item (A) to relate to capacity planning for SCI systems, rather than capacity planning more broadly (for example, in relation to an SCI entity's office space), the Commission is including this suggested clarification in adopted Rule 1001(a)(2)(i), and thus requires that an SCI entity's policies and procedures include the establishment of reasonable current and future technology infrastructure capacity planning estimates.

Stress Testing

A few commenters raised concerns about proposed item (B), which required periodic capacity stress tests.[476] Some of these commenters urged that the adopted rule provide an SCI entity with flexibility to determine, using a risk-based assessment, when capacity stress tests are appropriate.[477] Others suggested that capacity stress tests be required in specified circumstances or time frames, such as when new capabilities are released into production,[478] whenever required system capacity increases by 10 percent, on a quarterly basis, or in conjunction with any material systems change.[479] One commenter suggested that SCI entities should supplement dynamic stress and load testing with static analysis, a technique used to help uncover structural weaknesses in software.[480] In proposing item (B), the Commission intended for SCI entities to engage in a careful risk-based assessment (as suggested by some commenters) [481] of their SCI systems to determine when to stress test those systems.[482] Rule 1001(a)(2)(ii), as adopted, affords SCI entities the flexibility to consider the factors suggested by commenters, as appropriate for their specific systems and circumstances.[483] The adopted rule does not prescribe a particular frequency or trigger for stress testing, because the Commission believes that, in light of the variability in SCI systems, an SCI entity's experience with its particular systems and assessment of risk in this area will dictate when capacity stress testing is warranted. The requirement for periodic capacity stress tests of systems to determine their ability to process transactions in an accurate, timely, and efficient manner is therefore adopted as proposed as Rule 1001(a)(2)(ii).

Systems Development and Testing Methodology

In the SCI Proposal, the Commission explained that proposed item (C), which would require SCI entities to have policies and procedures for a “program to review and keep current systems development and testing methodology,” would help an SCI entity monitor and maintain systems capacity and availability.[484] The Commission is adopting the language of this item as proposed as Rule 1001(a)(2)(iii).

Two commenters supported this requirement as proposed.[485] Another commenter argued that sufficient controls were in place with respect to production systems, as proposed, and therefore that separate policies and procedures specifically for the development and testing environment would be unnecessary and duplicative.[486] This commenter added that, if development and testing systems were not excluded from the definition of SCI systems altogether, then the policies and procedures requirements regarding systems development and testing methodology should not apply separately to these environments. The Commission agrees with this comment, and believes it logically follows that policies and procedures requiring a program to review and keep current systems development and testing methodology for SCI systems, and indirect SCI systems, as applicable, are important if development and testing systems are excluded from the definition of SCI systems, as they are under the adopted regulation.[487] An SCI entity's systems development and testing methodology is a core part of the systems development life cycle for any SCI system. Therefore, the Commission believes that if an SCI entity did not have a program to review and keep current systems development and testing methodology for SCI systems, and indirect SCI systems, as applicable, its ability to assess the capacity, integrity, reliability, availability and security of its SCI systems and indirect SCI systems, as applicable, would be undermined. 
In complying with this adopted requirement, an SCI entity may wish to consider how closely its testing environment simulates its production environment; whether it designs, tests, installs, operates, and changes SCI systems through use of appropriate development, acquisition, and testing controls by the SCI entity and/or its third-party service providers, as applicable; whether it identifies and corrects problems detected in the development and testing stages; whether it verifies change implementation in the production stage; whether development and test environments are segregated from SCI systems in production; and whether SCI entity personnel have adequately segregated roles between the development and/or test environment, and the production environment.

Reviews of SCI Systems and Indirect SCI Systems

The SCI Proposal explained that proposed item (D), which would have required an SCI entity to establish, maintain, and enforce policies and procedures to review and test regularly SCI systems (and SCI security systems, as applicable), including backup systems, to identify vulnerabilities pertaining to internal and external threats, physical hazards, and natural or manmade disasters, would assist an SCI entity in ascertaining whether such systems are and remain sufficiently secure and resilient.[488] Proposed item (D) garnered a range of comments. Some commenters addressing this item focused on internal SCI entity testing,[489] whereas others focused more broadly on industry-wide testing and testing of backup systems.[490]

With respect to comments on internal testing, one commenter suggested that the proposed requirement be expanded beyond testing to cover a range of “quality assurance activities” with each release of software into production.[491] Two commenters advocated for requiring an SCI entity to focus on identifying structural deficiencies, which they stated pose much greater risks than functional deficiencies.[492] A few commenters urged that groups independent of the team that designed and developed the systems should be involved in testing to offer a diverse perspective.[493] One of these commenters further suggested that enforcement of the policies governing development and testing activities should be conducted by a “process audit” role that evaluates compliance with policies, provides guidance to development and testing teams on how to comply, and reports on compliance to senior management.[494]

After careful consideration of the comments, the Commission is adopting this provision with modifications as Rule 1001(a)(2)(iv). Specifically, adopted Rule 1001(a)(2)(iv) requires an SCI entity's reasonably designed policies and procedures to include “[r]egular reviews and testing, as applicable, of [its SCI systems and, for purposes of security standards, indirect SCI systems], including backup systems, to identify vulnerabilities pertaining to internal and external threats, physical hazards, and natural or manmade disasters.”

As adopted, this provision will afford an SCI entity greater flexibility, through the addition of the phrase “as applicable,” to determine how to identify vulnerabilities pertaining to internal and external threats, physical hazards, and natural or manmade disasters. Specifically, the adopted rule replaces the proposed rule's requirement that an SCI entity conduct “regular reviews and testing” of relevant systems (including backup systems) with a more flexible requirement that an SCI entity conduct “regular reviews and testing, as applicable” of relevant systems, including backup systems. In response to some commenters' concerns that the proposed requirement focused too much on regular testing and not enough on other methods to assess systems operation,[495] the adopted rule provides an SCI entity the flexibility to determine an assessment methodology that would be most appropriate for a given system, or particular functionality of a system. Thus, consistent with commenters' views, the adopted provision does not specifically require both regular reviews and regular testing in connection with an SCI entity's identification of vulnerabilities. Instead, the provision requires reviews or testing (or both) to occur as applicable, so long as the approach is effective to identify vulnerabilities in SCI systems, and indirect SCI systems, as applicable.

While Rule 1001(a)(2)(iv) specifically identifies reviews and testing as means to identify vulnerabilities pertaining to internal and external threats, physical hazards, and natural or manmade disasters, it does not dictate the precise manner or frequency of reviews and testing, and does not prohibit an SCI entity from determining that there are methods other than reviews and testing that may be effective in identifying vulnerabilities. For example, reviews and testing would each be one of the methods that an SCI entity could employ, and each SCI entity would be able to determine which method(s) are most appropriate for each SCI system (or indirect SCI system, as applicable) or particular functionality of a given system, as well as the frequency with which such method(s) should be employed.[496] In addition, in response to commenters advocating that SCI entities should focus on identifying structural vulnerabilities or weaknesses,[497] an SCI entity may also find it useful to conduct reviews of its software and systems architecture and design to assess whether they have flaws or dependencies that constitute structural risks that could pose a threat to SCI systems' operational capability.[498] Likewise, an inspection by an SCI entity of its physical premises may be a method of assessing some of the vulnerabilities listed in the rule (such as physical hazards).

Business Continuity and Disaster Recovery

Proposed item (E) would have required an SCI entity to have business continuity and disaster recovery plans that include maintaining backup and recovery capabilities sufficiently resilient and geographically diverse to ensure next business day resumption of trading and two-hour resumption of clearance and settlement services following a wide-scale disruption. The Commission received significant comment on this aspect of the proposal, with several commenters questioning or challenging the principle that securities market infrastructure resilience is achieved by requiring both geographic diversity and specific recovery times for the backup and recovery capabilities of all SCI entities.[499] Although several commenters were supportive of the broad goals of the proposed requirement,[500] others maintained that, because the national market system has built-in redundancies, the proposed geographic diversity and resumption requirements need not apply to all SCI entities to ensure securities market resilience.[501] Some of these commenters urged that the specific redundancy requirement implicit in the proposed geographic diversity provision should apply to a more limited set of SCI entities.[502] In addition, some commenters stated that proposed time frames were too inflexible.[503]

The Commission has carefully considered commenters' views and is revising this provision from the proposal to: (i) Specify that the stated recovery timeframes in Regulation SCI are goals, rather than inflexible requirements; [504] and (ii) provide that the stated two-hour recovery goal applies to critical SCI systems generally. In addition, the Commission is adopting the geographic diversity requirement, which does not specify any minimum distance for an SCI entity's backup and recovery facilities, as proposed. As explained below, the Commission continues to believe that geographic diversity of physical facilities is an important component of every SCI entity's BC/DR plan.

Recovery Timeframes as Goals

Several commenters addressing proposed item (E) focused their comments specifically on the proposed recovery timeframes.[505] A few commenters that are clearing agencies specifically expressed concern about the proposed requirement for the two-hour resumption of clearance and settlement services, urging that the two-hour standard be a goal rather than a requirement.[506] One commenter noted that the “Interagency White Paper itself recognizes that `various external factors surrounding a disruption such as time of day, scope of disruption, and status of critical infrastructure—particularly telecommunications can affect actual recovery times,' and concludes that `[r]ecovery-time objectives provide concrete goals to plan for and test against . . . they should not be regarded as hard and fast deadlines that must be met in every emergency situation.' ” [507] Several commenters suggested that SCI entities generally be given more discretion to decide when to resume trading following a wide-scale disruption.[508] Other commenters stated more broadly that the proposed recovery timeframes were too rigid and inconsistent with the Interagency White Paper and the 2003 BCP Policy Statement.[509] Other commenters similarly noted that it might be in the public interest and consistent with the protection of investors and the maintenance of fair and orderly markets for the markets to remain closed following a wide-scale disruption.[510]

In response to comments that the proposed two-hour recovery time frame was too inflexible,[511] the Commission is eliminating the proposed requirement that an SCI entity must “ensure” next business day resumption of trading and two-hour resumption of clearance and settlement services following a wide-scale disruption. The Commission acknowledges that a hard and fast resumption timeframe may not be achievable in each and every case, given the variety of disruptions that potentially could arise and pose challenges even for well-designed business continuity and disaster recovery. For this reason, the Commission is revising the proposed requirement by replacing it with a requirement that an SCI entity have policies and procedures that include “business continuity and disaster recovery plans that include maintaining backup and recovery capabilities sufficiently resilient and geographically diverse and that are reasonably designed to achieve next business day resumption of trading and two-hour resumption of critical SCI systems following a wide-scale disruption.” Replacement of the phrase “to ensure” with the phrase “reasonably designed to achieve” means that Regulation SCI's enumerated recovery timeframes are concrete goals, consistent with the Interagency White Paper and 2003 BCP Policy Statement.[512] As such, the rule's specified recovery timeframes are the standards against which the reasonableness of business continuity and disaster recovery (“BC/DR”) plans will be assessed by the Commission and its inspection staff. Moreover, as recovery goals, rather than hard and fast deadlines, the enumerated time frames in the rule will continue to allow for SCI entities to account for the specific facts and circumstances that arise in a given scenario to determine whether it is appropriate to resume a system's operation following a wide-scale disruption.

Recovery Timeframe Distinctions

In the SCI Proposal, the Commission solicited comment on whether the proposed next business day resumption of trading following a wide-scale disruption and proposed two-hour resumption of clearance and settlement services following a wide-scale disruption were appropriate.[513] The Commission also solicited comment on whether it should consider revising the proposed next business day resumption requirement for trading to a shorter period for certain entities that play a significant role within the securities markets.[514] One commenter stated that it agreed with imposing more stringent requirements for resumption of clearance and settlement services than for trading services following a wide-scale disruption.[515] However, this commenter also urged more broadly that the Commission take into account the criticality of the functions performed by an SCI entity to the maintenance of fair and orderly markets in order to tailor the obligations of the rule more effectively.[516] According to this commenter, “[n]otification and remediation requirements . . . should be tailored to the time sensitivity of each of the functions performed, not applied uniformly across all activities of an SCI entity.” This commenter identified “highly critical functions” as including the primary listing exchanges, trading of securities on an exclusive basis, securities information processors, clearance and settlement agencies, distribution of unique post-trade transparency information, and real-time market surveillance, and urged the Commission to “leverage the best practices of the Interagency White Paper, and expand them to include the [highly] critical functions. . . .” [517] Other commenters also urged the Commission to consider the criticality of SCI systems functionality and tailor requirements accordingly.[518] One commenter noted that the August 2013 Nasdaq SIP outage revealed each of SIAC and Nasdaq (in their roles as plan processors) as a potential “single point of failure” in the national market system, and specifically urged improved backup capabilities for these systems.[519] Another commenter, in the context of questioning the need for all markets to have geographically diverse backups, acknowledged that specific redundancy might be appropriate in certain areas, such as where an instrument is traded only on one exchange or in the case of a primary market during the open and closing periods of the market.[520]

The Commission has carefully considered these comments and believes they support revising the proposed rule to provide that the two-hour recovery goal specified in the adopted rule, as the standard against which BC/DR plans are to be assessed, should apply not only to “clearance and settlement services,” but more generally to the functions performed by critical SCI systems. Given that the securities markets are dependent upon the reliable operation of critical SCI systems, the Commission believes it is reasonable to distinguish the two-hour and next-business day recovery goals in a manner consistent with other provisions of adopted Regulation SCI: Specifically, to have the shorter recovery goal apply to critical SCI systems, and the longer recovery goal apply to resumption of trading by non-critical SCI systems. The Commission also notes that, because the proposed recovery timeframes are being adopted as concrete goals that the policies and procedures must be reasonably designed to achieve, rather than hard and fast requirements, the adopted approach is somewhat more flexible than that proposed. Accordingly, adopted Rule 1001(a)(2)(v) holds BC/DR plans for critical SCI systems (as defined in Rule 1000) to a higher standard than BC/DR plans for resumption of trading operations more generally. Specifically, an SCI entity responsible for a given critical SCI system will be expected to design BC/DR plans that contemplate resumption of critical SCI system functionality to meet a recovery goal of two hours or less. The Commission believes that this approach is consistent with the broader risk-based approach urged by commenters.[521] The Commission also believes that its approach to holding critical SCI systems to stricter resiliency standards than other systems is an appropriate measure that responds not only to comments received, but also to recent events highlighting the effects of malfunctions in critical SCI systems.[522]

Two commenters requested clarification on the expectations for resumption of SCI systems that are not related to trading, clearance, or settlement.[523] In response to this comment, the Commission notes that the adopted definition of SCI systems has been refined from the proposed definition of SCI systems and that all SCI systems could be considered to be “related to” trading. However, systems that directly support market regulation and/or market surveillance will not be held to the resumption goals of Rule 1001(a)(2)(v) (unless they are critical SCI systems) because the Commission believes that the resumption of trading and critical SCI systems could occur following a wide-scale disruption without the immediate availability of market regulation and/or market surveillance systems (unless they are critical SCI systems). However, systems that directly support trading, order routing, and market data would be subject to the next-business day resumption goal, unless they are also critical SCI systems, in which case they would be subject to the two-hour resumption goal.

One commenter questioned what the expectations are with respect to next-day resumption if an SCI entity loses functionality towards the end of the trading day.[524] In response to this comment, the Commission notes that neither the next-business day resumption of trading goal nor the two-hour recovery goal for critical SCI systems is dependent on the time of day that the loss of functionality occurs. Consistent with the Interagency White Paper and 2003 BCP Policy Statement, however, the Commission acknowledges that the time of day of a disruption can affect actual recovery times.[525] The Commission believes it is important, particularly with respect to clearing agencies, that SCI entities endeavor to take all steps necessary to effectuate end of day settlement.

Geographic Diversity To Ensure Resilience

Several commenters addressing proposed item (E) expressed concern about the proposed geographic diversity requirement.[526] Some commenters cited a reluctance on the part of SCI entity members or participants to incur the cost or assume the risk of connecting to a backup site that would only be used infrequently.[527] In addition, some commenters cited concerns, such as challenges to market makers generating quotes, if a backup site did not have the same low latency as the primary site.[528] One of these commenters suggested that allowing other fully operational exchanges to fill in and perform the duties of an exchange experiencing an outage would offer the advantages of continued operation on tested systems and the introduction of fewer variables.[529] Another of these commenters argued that, in many respects, the goal of resilient and redundant markets is already in place due to the existence of multiple competing and interconnected venues, operating as a collective system under Regulation NMS.[530]

One commenter agreed that it is a best business practice for a market to have backup disaster recovery facilities and robust BC/DR plans, but stated that “significant geographic diversity” should not be an absolute requirement, because a wide-scale disruption in New York or Chicago would make next day resumption difficult, even with a geographically diverse backup.[531] This commenter noted that the more remote the backup, the more difficult it would be to staff such a facility, and even more so in a surprise disaster, unless the backup was fully staffed at all times.[532] Several commenters also argued that SCI entities that are ATSs are less critical to market stability, and therefore should be subject to less stringent geographic diversity and recovery requirements.[533] One commenter suggested eliminating the reference to “geographic diversity” in favor of requiring “comprehensive business continuity and disaster recovery plans with recovery time objectives of the next business day for trading and two hours for clearance and settlement,” and emphasizing as guidance that geographic diversity of physical facilities would be an expected component of any such plan.[534]

The Commission has carefully considered commenters' views on the proposed geographic diversity requirement and continues to believe that geographic diversity of physical facilities is an important component of every SCI entity's BC/DR plan.[535] The Commission believes that challenges to recovery are increased when a disruption impacts a broad geographic area, and therefore that an SCI entity's arrangements to assure resilience in the event of a wide-scale disruption cannot reliably be achieved without geographic diversity of its BC/DR resources.[536] The Commission does not agree with commenters who argued that the existence of multiple competing and interconnected venues operating as a collective system under Regulation NMS obviates the need for geographic diversity at the individual SCI entity level.[537] For example, a wide-scale disruption, such as a natural disaster or man-made attack, could affect a large number of SCI entities, and absent individual SCI entity responsibility for maintaining geographic diversity, there could be a greater likelihood that a critical mass of SCI entities would not be operational, so that the continued maintenance of fair and orderly markets could be impacted. The Commission notes that some of the practical difficulties commenters cited as the basis for objecting to a backup site requirement, such as the cost and operational risk of maintaining a redundant connection to an SCI entity backup facility that would be used infrequently, are concerns raised on behalf of SCI entity members and participants.[538] In response to commenters who expressed concern regarding the cost for members or participants to co-locate their systems at backup sites to replicate the speed and efficiency of the primary site, the Commission emphasizes that adopted Rule 1001(a)(2)(v) does not require an SCI entity to require members or participants to use the backup facility in the same way it uses the primary facility. Rather, the assessment of the effectiveness of a BC/DR plan that includes geographically diverse backup facilities is whether it is reasonably designed to achieve next business day resumption of trading and two-hour resumption of critical SCI systems following a wide-scale disruption.

In response to comments that geographic diversity should be encouraged but not required for all SCI entities, the Commission does not believe that it would be appropriate to eliminate the proposed requirement that SCI entities maintain geographically diverse backup and recovery capabilities (which the Commission understands many SCI entities already have) because, as stated, absent individual SCI entity responsibility for maintaining geographic diversity, there could be a greater likelihood that a critical mass of SCI entities would not be operational following a wide-scale disruption. In response to comment that ATSs are less critical to market stability, and therefore should be subject to less stringent geographic diversity and recovery requirements, the Commission notes that ATSs that do not have critical SCI systems will be subject to less stringent geographic diversity and recovery requirements than SCI entities that do.[539] However, because the Commission believes that SCI ATSs have the potential to significantly impact investors, the overall market, and the trading of individual securities as a result of an SCI event, the Commission believes that these entities are appropriate for inclusion in the definition of SCI entity and for the application of the geographic diversity requirement.[540]

Like the proposed rule, the adopted rule does not specify any particular minimum distance or geographic location that would be necessary to achieve geographic diversity.[541] However, as stated in the SCI Proposal, the Commission continues to believe that backup sites should not rely on the same infrastructure components, such as for transportation, telecommunications, water supply, and electric power.[542] The Commission also continues to believe that an SCI entity should have a reasonable degree of flexibility to determine the precise nature and location of its backup site depending on the particular vulnerabilities associated with those sites, and the nature, size, technology, business model, and other aspects of its business.[543] In response to comment that a geographically diverse backup facility is impractical if key personnel do not live sufficiently close to the backup facility, the Commission notes that adopted Regulation SCI does not require an SCI entity to have a geographically diverse backup facility so distant from the primary facility that the SCI entity may not rely primarily on the same labor pool to staff both facilities if it believed it to be appropriate.[544] Given that the Commission did not propose a specified minimum distance to achieve geographic diversity, the Commission believes that the geographic diversity requirement is reasonable and appropriate for all SCI entities. The geographic diversity requirement is therefore adopted as proposed.

In sum, the Commission believes that adopted Rule 1001(a)(2)(v), requiring an SCI entity to have business continuity and disaster recovery plans that include maintaining backup and recovery capabilities sufficiently resilient and geographically diverse and that are reasonably designed to achieve next business day resumption of trading and two-hour resumption of critical SCI systems following a wide-scale disruption, is consistent with, and builds upon, both the Interagency White Paper and the 2003 BCP Policy Statement by applying their principles to SCI entities in today's trading environment, one with a heavy reliance on technological infrastructure. The Commission believes that individual SCI entity resilience is fundamental to achieving the goal of improving U.S. securities market infrastructure resilience.

Robust Standards for Market Data

Proposed item (F), requiring an SCI entity to have standards that result in systems being designed, developed, tested, maintained, operated, and surveilled in a manner that facilitates the successful collection, processing, and dissemination of market data, received little comment. One commenter supported the proposed requirement, subject to further clarification about what constitutes market data.[545] Another commenter believed that this proposed requirement is redundant because SROs and other market participants are already subject to substantial requirements for market data.[546]

While consolidated market data is collected and distributed pursuant to a variety of Exchange Act rules and joint industry plans,[547] the Commission does not believe that existing requirements have the same focus on ensuring the operational capability of the systems for collecting, processing, and disseminating market data. Thus, the Commission believes that this provision, while consistent with existing rules, acts as a complement to such requirements and is not redundant. Further, as explained above, the term “market data” is not intended to include only consolidated market data, but proprietary market data as well and, as such, SCI systems directly supporting proprietary market data or consolidated market data are subject to the requirements of item (F). As stated in the SCI Proposal, the Commission believes that the accurate, timely, and efficient processing of data is important to the proper functioning of the securities markets. The Commission continues to believe that it is important that each SCI entity's market data systems are reasonably designed to maintain market integrity and that the proposed requirement would facilitate that goal.[548] This element, requiring that an SCI entity's policies and procedures include standards that result in systems being designed, developed, tested, maintained, operated, and surveilled in a manner that facilitates the successful collection, processing, and dissemination of market data, is adopted as proposed, as Rule 1001(a)(2)(vi).

Monitoring

The Commission is adopting an additional provision, designated as Rule 1001(a)(2)(vii), that requires an SCI entity's policies and procedures to provide for monitoring of SCI systems, and, for purposes of security standards, indirect SCI systems, to identify potential SCI events. Several commenters argued that Regulation SCI should allow entities to adopt and follow escalation procedures instead of providing that obligations under Regulation SCI are triggered by one employee's awareness of a systems issue.[549] The Commission is modifying Regulation SCI in three respects in response to these comments: revising the definition of responsible SCI personnel to focus on senior managers; requiring that an SCI entity have policies and procedures to identify, designate, and escalate potential SCI events to responsible SCI personnel; and explicitly requiring policies and procedures for monitoring.[550] The requirement that an SCI entity have policies and procedures to provide for monitoring of SCI systems and, for purposes of security standards, indirect SCI systems, is added to make explicit that escalation of a systems problem should occur not only if a systems problem is identified by chance, but rather that an SCI entity should have a monitoring process in place so that systems problems are able to be identified as a matter of standard operations and pursuant to parameters reasonably established by the SCI entity. In addition, the Commission believes that the reliability of escalation of potential SCI events to designated responsible SCI personnel for determination as to whether they are, in fact, SCI events is likely to be more effective when it occurs in connection with established procedures for monitoring of SCI systems and indirect SCI systems and pursuant to a process for the communication of systems problems by those who are not responsible SCI personnel to those who are. The Commission notes that several commenters discussed the role that technology staff play in monitoring and identifying potential systems problems and escalating issues up the chain of command to management as well as legal and/or compliance personnel. Although systems monitoring may already be routine in many SCI entities, there are expected benefits of monitoring and thus it is appropriate to require an SCI entity's policies and procedures to provide for monitoring of SCI systems, and, for purposes of security standards, indirect SCI systems, to identify potential SCI events. The Commission believes that monitoring in tandem with escalation to responsible SCI personnel is an appropriate approach to ensuring SCI compliance. As noted, the requirement that an SCI entity have policies and procedures for monitoring provides an SCI entity with flexibility to establish parameters that define the types of systems problems to which technology personnel should be alert, as well as the frequency and duration of monitoring. The Commission also believes this requirement is consistent with a risk-based approach, and that an SCI entity's policies and procedures for monitoring may be tailored to the relative criticality of SCI systems, with critical SCI systems likely to be subject to relatively more rigorous policies and procedures for monitoring than other SCI systems.

iii. Policies and Procedures Consistent With “Current SCI Industry Standards”—Rule 1001(a)(4)

Proposed Rule 1000(b)(1)(ii) stated that an SCI entity's policies and procedures would be deemed to be reasonably designed if they are consistent with “current SCI industry standards,” such as those listed on proposed Table A. “Current SCI industry standards” were not limited to those listed on proposed Table A, but were proposed to be required to be: (A) Comprised of information technology practices that are widely available for free to information technology professionals in the financial sector; and (B) issued by an authoritative body that is a U.S. governmental entity or agency, association of U.S. governmental entities or agencies, or widely recognized organization. The rule further stated that “compliance with such current SCI industry standards . . . shall not be the exclusive means to comply with the requirements of paragraph (b)(1).”

The goal of proposed Rule 1000(b)(1)(ii) was to provide guidance to SCI entities on policies and procedures that would meet the articulated standard of being “reasonably designed to ensure that their systems have levels of capacity, integrity, resiliency, availability, and security, adequate to maintain their operational capability and promote the maintenance of fair and orderly markets.” The proposal sought to provide this guidance by identifying example information technology publications describing processes, guidelines, frameworks, and/or standards that SCI entities could elect to look to in developing their policies and procedures. Proposed Table A set forth an example of one set of technology publications that the Commission preliminarily believed was an appropriate set of reference documents. The SCI Proposal acknowledged that “current SCI industry standards” would not be limited to the publications identified on proposed Table A. As such, an SCI entity's choice of a current SCI industry standard in a given domain or subcategory thereof could appropriately be different from those contained in the publications identified in proposed Table A.[551] Many commenters, however, objected to the proposed objective criteria for reference publications, and/or one or more of the specific publications listed on proposed Table A. The Commission has carefully considered commenters' views and is adopting Rule 1000(b)(1)(ii), renumbered as Rule 1001(a)(4), with certain modifications as described below.

Criteria for Identifying SCI Industry Standards: Comments Received and Commission Response

Some commenters disagreed with the Commission's proposal to require SCI industry standards to be “comprised of information technology practices that are widely available for free to information technology professionals in the financial sector.” Several commenters argued that there were significant disadvantages to requiring that standards be available free of charge.[552] One of these commenters stated that requiring standards to be available for free “may encourage SCI entities to use standards that may be outdated when more suitable standards may be available and would be more appropriate.” [553] Another of these commenters stated that “the cost or lack thereof of a technology standard or standard framework has no bearing on the quality or appropriateness of such standard or framework and bears no significance to the maintenance of fair and orderly markets.” [554]

Two standard-setting organizations commented regarding the use of consensus standards, citing OMB Circular No. A-119, which directs agencies to use voluntary consensus standards (i.e., standards developed by professional standards organizations), and urged the Commission to eliminate the requirement that SCI industry standards be “available for free.” [555] Another commenter similarly urged that it was important for SCI entities to use publications generated by professional organizations that regularly update their standards and employ open processes for gathering industry input.[556]

The Commission agrees that the cost or lack thereof of a technology standard or standard framework has no bearing on the quality or appropriateness of such standard, and also that SCI entities should be encouraged to use appropriate standards developed by professional organizations that regularly update their standards and employ open processes for gathering industry input. While the Commission did not propose to require that particular standards be used, in response to comment, the Commission is adopting Rule 1001(a)(4) without the criterion in the SCI Proposal that a technology standard be available free of charge. The other criteria are adopted as proposed. Thus, to qualify as an “SCI industry standard,” a publication must be comprised of information technology practices that are widely available to information technology professionals in the financial sector and issued by an authoritative body that is a U.S. governmental entity or agency, association of U.S. governmental entities or agencies, or widely recognized organization. The Commission believes that this criterion is sufficiently flexible to include technology practices issued by professional organizations, including the professional organizations referenced by commenters.[557]

Proposed Table A: Comments Received

The SCI Proposal stated that written policies and procedures that are consistent with the relevant examples of SCI industry standards contained in the publications identified in Table A would be deemed to be “reasonably designed” for purposes of proposed Rule 1000(b)(1).[558] Proposed Table A listed publications covering nine inspection areas, or “domains,” that Commission staff historically has evaluated under the ARP Inspection Program.[559]

Proposed Table A elicited significant and varied comment. Some commenters objected generally to the Table A framework.[560] Others objected more specifically to Table A's proposed content,[561] and some commenters objected to Table A as a premature attempt to establish consensus on SCI industry standards where consensus has not yet emerged.[562]

Table A Framework and Process

One group of commenters suggested that, in lieu of the publications identified in Table A, the Commission should characterize policies and procedures as reasonably designed if they comply with “generally accepted standards.” [563] Another commenter similarly suggested that the Commission replace the proposed rule's reference to “current SCI industry standards” with the phrase “generally accepted technology principles,” and delete Table A and the proposed Table A criteria.[564] These commenters viewed proposed Table A as flawed in concept.[565] Specifically, one of these commenters expressed concern that the standards set forth in Table A might not keep pace with a constantly evolving technological landscape and that, despite this evolution, Commission staff might take a checklist approach to its review of policies and procedures, which would result in unintended consequences.[566]

The other commenter stated that it was more common, and more appropriate in any industry that relies heavily on technology, for an entity to review a variety of different standards for frameworks or best practices, and then adopt a derivative of multiple standards, customizing them for the systems at issue.[567] According to this commenter, SCI entities would be unlikely to comply with all aspects of any particular standard in Table A at any particular time, thereby “obviating its usefulness.” [568]

Other commenters argued that the Table A concept was flawed because Table A would always be on the verge of being outdated. For example, one commenter characterized the proposed Table A publications as “soon-to-be outdated” and stated that it is crucial that SCI entity policies and procedures be “forward-looking” and able to respond to future threats.[569] Another commenter stated that the proposed process for updating Table A [570] would not be sufficiently nimble to assure that SCI entities adhere to the best possible then-current standards, and suggested that the Commission defer to the expertise of the organizations that have established the listed standards and rely on the updates provided by these organizations.[571] Another commenter stated that any “hard coded” solutions are likely to become obsolete very quickly.[572]

After careful consideration of these comments, the Commission acknowledges that the proposed framework for identifying and updating publications on Table A may not be sufficiently nimble to assure that its list of publications does not become obsolete as technology and standards change. The Commission agrees that, in an industry that relies heavily on technologies that are constantly evolving, the prescription of hard-coded solutions that may become quickly outdated is not the better approach. However, because several commenters stated that there is currently a lack of consensus on what constitutes generally accepted standards or principles in the securities industry,[573] the Commission continues to believe that there is value in identifying example publications for SCI entities to consider looking to in establishing policies and procedures that are consistent with “current SCI industry standards.” [574]

After considering the potential disadvantages of “hard-coding” Table A in a Commission release, and the potential benefits of providing further guidance to SCI entities on the meaning of “current SCI industry standards,” the Commission has determined that, rather than the Commission issuing Table A in this release, Commission staff should issue guidance to assist SCI entities in developing policies and procedures consistent with “current SCI industry standards” in a manner that is consistent with the Commission's response to comments received on proposed Table A, as discussed in this Section IV.B.1.b.iii, and periodically update such guidance as appropriate. The Commission believes that guidance issued by the Commission staff will have the advantage of easier updating and allow for emerging consensus on standards more focused on the securities industry. Thus, concurrent with the Commission's adoption of Regulation SCI, Commission staff is issuing guidance to SCI entities on developing policies and procedures consistent with “current SCI industry standards.” [575]

Table A Publications

Many commenters who did not urge elimination of Table A altogether addressed the content of proposed Table A. Those commenters did not express opposition to the identification of certain inspection areas or domains on proposed Table A, but some commenters identified issues with specific publications listed on Table A.[576] Specifically, two commenters stated that the NIST publication listed for the Systems Development Methodology domain was outdated.[577] One of these commenters objected to this publication as reflecting a burdensome staged process to software development that favors the “waterfall methodology” over “agile” software development, which generally uses more “nimble processes” and is more typical in the financial services industry today.[578] Another commenter noted that this publication had both strengths and weaknesses.[579] Two commenters objected to the FFIEC's Operations IT Examination Handbook in the capacity planning domain as too generic.[580] One commenter objected to the inclusion of FFIEC's Audit IT Examination Handbook.[581] Another commenter stated more broadly that the proposed Table A publications focus too heavily on firm-level risks and do not take into account the technological and economic stability of the U.S. market as a whole.[582]

In addition, several commenters suggested specific additions to the proposed list of publications on Table A.[583] For example, more than one commenter suggested the following standards as appropriate for inclusion on Table A: COBIT/ISACA; [584] ISO-27000; [585] ISO 25000; [586] and NFPA-1600.[587] Other standards or publications mentioned by commenters as useful, particularly in the area of software quality or software security, include the CISQ Software Quality Specification,[588] the Capability Maturity Model Integration (CMMI) framework, [589] “SANS 20 Critical Security Controls,” [590] “CWE/SANS Top 25 Most Dangerous Software Errors,” [591] the Open Source Security Testing Methodology Manual (OSSTMM),[592] the BITS Financial Services Roundtable Software Assurance Framework (January 2012),[593] the “Build Security In Maturity Model” (BSIMM),[594] Microsoft's SDL,[595] and resources for defining secure software development practices from organizations such as OWASP, WASC and SAFECode,[596] and publications issued by Scrum Alliance,[597] the Association for Software Testing (AST),[598] the Institute of Electrical and Electronics Engineers (IEEE),[599] and the Association for Computing Machinery (ACM).[600] In addition, one commenter suggested a standard currently being drafted by AT 9000, a working group which focuses on trading safety, regulatory requirements, and achieving efficiency and effectiveness of systems involved in automated trading.[601]

A few commenters opposed referencing standards in Regulation SCI at the outset and instead supported establishing a process that they believed would, after a certain period of time, yield a coherent set of standards.[602] One of these commenters urged that best practices should evolve from the Commission's experience with the annual SCI review process and experience with the ARP program, because such best practices will be specific to the securities industry and reflect the actual practices of SCI entities.[603] Finally, several commenters suggested that the Commission establish a working group to develop SCI industry standards.[604]

The Commission has carefully considered these comments, and continues to believe that there is value in identifying publications for SCI entities to consider looking to in establishing reasonable policies and procedures, because doing so will provide guidance on how an SCI entity may comply with adopted Rule 1001(a). The Commission therefore believes that issuance of staff guidance that does this, as discussed above, will be useful for SCI entities. However, after careful consideration of commenters' views regarding the publications on proposed Table A, the Commission believes it is useful to characterize how such staff guidance should be used by SCI entities. In particular, the Commission understands that some commenters who objected to the proposed Table A concept and/or the proposed Table A content were more broadly taking issue with the characterization of certain of the documents on proposed Table A, such as the NIST 800-53 document, as a “standard,” rather than a “framework” or a “process.” [605] The Commission believes that many commenters implicitly were questioning why certain identified technology frameworks (such as NIST 800-53) were being labeled as, and thereby elevated to, an example of “current SCI industry standards” when many SCI entities were already following ISO 27000, COBIT, or other technology standards that they viewed as more specific, relevant, and/or cost effective than the NIST frameworks identified on proposed Table A.[606] In response to these comments, the Commission believes it is appropriate that the staff's guidance be characterized as listing examples of publications describing processes, guidelines, frameworks, or standards for an SCI entity to consider looking to in developing reasonable policies and procedures, rather than strictly as listing industry standards. Thus, the Commission believes it is appropriate if Commission staff were to list publications that provide guidance to SCI entities on suitable processes for developing, documenting, and implementing policies and procedures for their SCI systems (and indirect SCI systems, as applicable), taking into account the criticality of each such system.

With respect to the publications commenters suggested for inclusion on proposed Table A, the Commission is not disputing the value of such standards, and believes that each, when considered with respect to a particular system at an SCI entity, may contain appropriate standards for the SCI entity to use as, or incorporate within, its policies and procedures.[607] The Commission notes that the guidance is intended to be used as a baseline from which the staff may work with SCI entities and other interested market participants to build consensus on industry-specific standards, as discussed more fully below. Further, the Commission believes that the goal of providing general and flexible guidance to SCI entities does not necessitate providing a lengthy list of all the publications that meet the criteria set forth in Rule 1001(a)(4).[608]

The Commission continues to believe that it may be appropriate for an SCI entity to choose to adhere to a standard or guideline in a given domain or subcategory thereof that is different from those contained in the staff guidance, and emphasizes that nothing that the staff may include in its guidance precludes an SCI entity from adhering to standards such as ISO 27000, COBIT, or others referenced by commenters to the extent they result in policies and procedures that comply with the requirements of Rule 1001(a).[609] Moreover, adopted Rule 1001(a)(4) explicitly provides that compliance with current SCI industry standards (i.e., including those publications identified by the Commission staff) is not the exclusive method of compliance with Rule 1001(a). Accordingly, an SCI entity's determination not to adhere to some or all of the publications included in the staff guidance in developing its policies and procedures does not necessarily mean that its policies and procedures will be deficient or unreasonable for purposes of Rule 1001(a)(1). Importantly, the publications listed by Commission staff should be understood to provide guidance to SCI entities on selecting appropriate controls for applicable systems, as well as suitable processes for developing, documenting, and implementing policies and procedures for their SCI systems (and indirect SCI systems, as applicable), taking into account the criticality of each such system. Thus, for example, the Commission believes it would be reasonable for the most robust controls to be selected and implemented for “critical SCI systems,” as compared to other types of SCI systems, and the Commission believes it would be appropriate that the staff's guidance include publications that require more rigorous controls for higher-risk systems. The staff guidance is not intended to be static, however. As the Commission staff works with SCI entities, as well as members of the securities industry, technology experts, and interested members of the public, and as technology standards continue to evolve, the Commission anticipates that the Commission staff will periodically update the staff guidance as appropriate.

Another way in which the publications identified by Commission staff should provide guidance to SCI entities is by providing transparency on how the staff will, at least initially, prepare for and conduct inspections relating to Regulation SCI. As discussed in the SCI Proposal and above,[610] for over two decades, ARP staff has conducted inspections of ARP entity systems, with a goal of evaluating whether an ARP entity's controls over its information technology resources in each domain are consistent with ARP and industry guidelines,[611] as identified by ARP staff from a variety of information technology publications that ARP staff believed were appropriate for securities market participants.[612] With the adoption of Regulation SCI, and the resultant transition away from the voluntary ARP Inspection Program to an inspection program under Regulation SCI, the Commission believes it is helpful to establish consistency in its approach to examining SCI entities for compliance with Regulation SCI. Importantly, establishing consistency does not mean that the Commission will take a one-size-fits-all or checklist approach. Because the publications identified by Commission staff should be general and flexible enough to be compatible with many widely-recognized technology standards that SCI entities currently use, the Commission believes the publications identified by Commission staff should provide guidance for an SCI entity to self-assess whether its policies and procedures comply with Rules 1001(a)(1)-(2). Moreover, because use of the publications identified by Commission staff is not mandatory, the staff guidance should not be regarded as establishing a checklist, the use of which could result in unintended consequences, but rather a basis for considering how an SCI entity's selected standards relate to the guidance provided by Commission staff and whether they are appropriate standards for use by that particular SCI entity for a given system.

The Commission believes that it would be appropriate that the publications initially identified by Commission staff at a minimum include the nine inspection areas, or “domains,” that the Commission identified on Table A in the SCI Proposal and that are relevant to SCI entities' systems capacity, integrity, resiliency, availability, and security, namely: Application controls; capacity planning; computer operations and production environment controls; contingency planning; information security and networking; audit; outsourcing; physical security; and systems development methodology.

The Commission believes it would be appropriate that each publication identified by Commission staff be identified with specificity and include the particular publication's date, volume number, and/or publication number, as the case may be. Thus, for SCI entities that establish or self-assess their policies and procedures in reliance on the guidance provided by the publications identified by Commission staff, the Commission believes that the publications should be the relevant publications until such time as the list is updated by Commission staff. Of course, SCI entities may elect to use publications describing processes, guidelines, frameworks, and/or standards other than those identified by Commission staff to develop policies and procedures that satisfy the requirements of Rules 1001(a)(1)-(2).

As stated in the SCI Proposal, however, the Commission continues to believe that the development of securities-industry specific standards is a worthy goal. Although some commenters urged the Commission not to adopt Table A at the outset, and instead establish a process to achieve that end,[613] the Commission believes that the better approach is for Commission staff to provide examples of publications through its guidance that form a baseline and remain open to emerging consensus on industry-specific standards. In response to the commenter that suggested that the Commission leverage the annual SCI review process and the SCI inspection process to yield a coherent set of industry-specific standards that could be referenced on Table A, the Commission believes that such an approach could serve as an appropriate input into the future development of such standards.[614] In response to the commenter who stated that the proposed Table A publications do not take into account the technological and economic stability of the U.S. market as a whole,[615] the Commission notes that the technological stability of individual SCI entities, in tandem with a heightened focus on critical SCI systems, are necessary prerequisites to achieving such market-wide goals. Accordingly, the Commission believes that the publications identified by Commission staff today should serve as an appropriate initial set of publications, processes, guidelines, frameworks, and standards for SCI entities to use as guidance to develop their policies and procedures under Rule 1001(a). With this guidance as a starting point, the Commission expects that the Commission staff will seek to work with members of the securities industry, technology experts, and interested members of the public towards developing standards relating to systems capacity, integrity, resiliency, availability, and security appropriately tailored for the securities industry and SCI entities, and periodically issue staff guidance that updates the guidance with such standards.

2. Policies and Procedures To Achieve Systems Compliance—Rule 1001(b)

Proposed Rule 1000(b)(2)(i) would have required each SCI entity to establish, maintain, and enforce written policies and procedures reasonably designed to ensure that its SCI systems operate in the manner intended, including in a manner that complies with the federal securities laws and rules and regulations thereunder and the SCI entity's rules and governing documents, as applicable.

Proposed Rule 1000(b)(2) also would have included safe harbors for an SCI entity and its employees. Specifically, proposed Rule 1000(b)(2)(ii) provided that an SCI entity would be deemed not to have violated proposed Rule 1000(b)(2)(i) if the SCI entity: (1) Established policies and procedures reasonably designed to provide for specified elements; (2) established and maintained a system for applying such policies and procedures which would reasonably be expected to prevent and detect, insofar as practicable, any violations of such policies and procedures by the SCI entity or any person employed by the SCI entity; and (3) reasonably discharged the duties and obligations incumbent upon it by such policies and procedures, and was without reasonable cause to believe that such policies and procedures were not being complied with in any material respect. The safe harbor for SCI entities in proposed Rule 1000(b)(2)(ii) specified that the SCI entity's policies and procedures must be reasonably designed to provide for: (1) Testing of all SCI systems and any changes to such systems prior to implementation; (2) periodic testing of all SCI systems and any changes to such systems after their implementation; (3) a system of internal controls over changes to SCI systems; (4) ongoing monitoring of the functionality of SCI systems to detect whether they are operating in the manner intended; (5) assessments of SCI systems compliance performed by personnel familiar with applicable federal securities laws and rules and regulations thereunder and the SCI entity's rules and governing documents, as applicable; and (6) review by regulatory personnel of SCI systems design, changes, testing, and controls to prevent, detect, and address actions that do not comply with applicable federal securities laws and rules and regulations thereunder and the SCI entity's rules and governing documents, as applicable.

In addition, proposed Rule 1000(b)(2)(iii) set forth a safe harbor for individuals. It provided that a person employed by an SCI entity would be deemed not to have aided, abetted, counseled, commanded, caused, induced, or procured the violation by any other person of proposed Rule 1000(b)(2)(i) if the person employed by the SCI entity has reasonably discharged the duties and obligations incumbent upon such person by the policies and procedures, and was without reasonable cause to believe that such policies and procedures were not being complied with in any material respect.

After careful consideration of the comments, proposed Rule 1000(b)(2) is adopted as Rule 1001(b) with modifications, as discussed below.

a. Reasonable Policies and Procedures To Achieve Systems Compliance

The Commission received significant comment on its proposal to require that SCI entities establish, maintain, and enforce written policies and procedures reasonably designed to ensure systems compliance. Some commenters supported the broad goals of a policies and procedures requirement to help ensure that SCI systems operate as intended.[616] Other commenters questioned whether any set of policies and procedures could guarantee perfect operational compliance.[617] One commenter emphasized that no set of policies and procedures can guarantee 100% operational compliance and that, historically, the Commission has allowed entities to use a reasonableness standard so that policies and procedures are required to be reasonably designed to promote compliance, and the same should be used for the underlying predicate requirement in Regulation SCI.[618] A few commenters expressed concern that, in instances where an SCI entity's policies and procedures failed to prevent SCI events, the Commission might use such failures as the basis for an enforcement action, charging that the policies and procedures were not reasonable.[619] One commenter believed that compliance with Regulation SCI should be measured against a firm's adherence to its own set of policies and procedures that are in keeping with SCI system objectives, and such policies should be reviewed and updated as part of the annual SCI review process.[620] Another commenter requested that the Commission more clearly distinguish between liability under Regulation SCI and liability for SCI events, stating that compliance with Regulation SCI and compliance with other federal securities laws and rules must remain distinct.[621]

Whereas adopted Rule 1001(a) [622] concerns the robustness of the SCI entity's systems, adopted Rule 1001(b) [623] concerns the operational compliance of an SCI entity's SCI systems with the Exchange Act, the rules and regulations thereunder, and the SCI entity's governing documents. The Commission continues to believe, as stated in the SCI Proposal, that a rule requiring SCI entities to establish, maintain, and enforce policies and procedures reasonably designed to ensure operational compliance will help to: ensure that SCI SROs comply with Section 19(b)(1) of the Exchange Act; [624] reinforce existing SRO rule filing processes to assist market participants and the public in understanding how the SCI systems of SCI SROs are intended to operate; and assist SCI SROs in meeting their obligations to file plan amendments to SCI Plans under Rule 608 of Regulation NMS.[625] It will similarly help other SCI entities (i.e., SCI ATSs, plan processors, and exempt clearing agencies subject to ARP) to achieve operational compliance with the Exchange Act, the rules and regulations thereunder, and their governing documents.

The Commission notes that Rule 1001(b) is intended to help prevent the occurrence of systems compliance issues at SCI entities. The Commission discussed in Section IV.A.3.b the rationale for further focusing the definition of systems compliance issue (i.e., replacing the reference to operating “in the manner intended, including in a manner that complies with the federal securities laws” with a reference to operating “in a manner that complies with the Act”). To provide consistency between the definition of systems compliance issue and the requirement for policies and procedures to ensure systems compliance, the Commission is similarly revising Rule 1001(b)(1) to require each SCI entity to establish, maintain, and enforce written policies and procedures reasonably designed to ensure that its SCI systems operate “in a manner that complies with the Act” and the rules and regulations thereunder and the entity's rules and governing documents, as applicable.

As noted above, some commenters expressed concern that an SCI entity would be found to be in violation of Rule 1001(b) if an SCI event occurs.[626] Consistent with the discussion above regarding Rule 1001(a), the Commission emphasizes that the occurrence of a systems compliance issue at an SCI entity does not necessarily mean that the SCI entity has violated Rule 1001(b) of Regulation SCI. As stated in the SCI Proposal, an SCI entity will not be deemed to be in violation of Rule 1001(b) solely because it experienced a systems compliance issue.[627] The Commission also notes that Rule 1001(b) requires systems compliance policies and procedures to be reasonably designed.[628] The Commission acknowledges that reasonable policies and procedures will not ensure the elimination of all systems issues, including systems compliance issues. While a systems compliance issue may be probative as to the reasonableness of an SCI entity's policies and procedures, it is not determinative. Further, the occurrence of a systems compliance issue also does not necessarily mean that the SCI entity will be subject to an enforcement action. Rather, the Commission will exercise its discretion to initiate an enforcement action if the Commission determines that action is warranted, based on the particular facts and circumstances of an individual situation.

In response to one commenter's request that the Commission more clearly distinguish between liability under Regulation SCI and liability for SCI events,[629] the Commission notes that liability under Regulation SCI is separate and distinct from liability for other violations that may arise from the underlying SCI event. In particular, whether an SCI entity violated Regulation SCI does not affect the determination of whether the underlying SCI event also caused the SCI entity to violate other laws or rules, and compliance with Regulation SCI is not a safe harbor or other shield from liability under other laws or rules. Thus, even if the occurrence of an SCI event does not cause an SCI entity to be found to be in violation of Regulation SCI, the SCI entity may still be liable under other Commission rules or regulations, the Exchange Act, or SRO rules for the underlying SCI event.[630]

b. Proposed Safe Harbor for SCI Entities

i. Comments Received

In the SCI Proposal, the Commission solicited comment on the proposed approach to include safe harbor provisions in proposed Rule 1000(b)(2) and specifically asked whether commenters agreed with the proposed inclusion of safe harbors.[631] Many commenters specifically addressed the safe harbors in proposed Rule 1000(b)(2). Two commenters urged elimination of the proposed safe harbors.[632] One of these commenters stated that the safe harbors were framed so generally that they would be easy to invoke.[633] This commenter also stated that inclusion of a safe harbor provision for compliance standards would unnecessarily and severely limit the Commission's ability to deter violations through meaningful enforcement actions.[634] The other commenter stated that, if a safe harbor is adopted, the Commission should be as specific as possible in establishing how to qualify for the safe harbor, and recommended that Commission guidance ensure that SCI entities are actively building and improving upon safety systems and not simply checking boxes and doing the minimal amount necessary to ensure compliance.[635]

In contrast, several commenters supported the inclusion of a safe harbor in proposed Rule 1000(b)(2) in theory, but objected to the proposed approach.[636] Some commenters stated that the proposed safe harbor, with its prescriptive requirements, would evolve into the de facto rule itself as SCI entities decide to adhere to the requirements of the safe harbor rather than risk a potential enforcement action stemming from an SCI event.[637] One of these commenters noted that the safe harbor merely further defined the elements that the policies and procedures must have by providing a list of points that reasonably designed policies and procedures must cover.[638] This commenter believed that including a requirement for reasonably designed policies and procedures and providing a safe harbor when those policies and procedures are reasonably designed is inherently circular, and expressed concern about liability under Regulation SCI whenever there is a systems or technology malfunction or error.[639] This commenter also compared the proposed SCI entity safe harbor to other rules, stating that the other rules requiring policies and procedures recognize the need for those policies and procedures to be reasonably designed in light of the manner in which business is conducted.[640] This commenter further noted that, if the Commission intends that all SCI entities conform to the standards articulated in the safe harbor, the Commission should set them forth as express provisions of the rule, although this commenter believed that such an approach would be misguided because it would create strictures that impose protocols that may not be suitable for certain market participants.[641]

Several other commenters expressed concern that the proposed safe harbors were unclear.[642] One group of commenters noted that the provisions in the proposed safe harbors were vague, subjective, and merely duplicate elements that would result from a logical interpretation of Rule 1000(b)(1),[643] which these commenters believed offered no safe harbor protection at all.[644] Another commenter stated that the use of a reasonableness standard with respect to the design of systems and the discharge of duties under an SCI entity's policies and procedures would mean that an SCI entity and its employees would never know with certainty whether they met the terms of the safe harbor.[645] Another commenter similarly stated that SCI entities cannot know if they have complied with the safe harbor unless more guidance is provided on the concept of “reasonable policies and procedures” and the Commission explains what constitutes adequate testing, monitoring, assessments, and review for each system.[646] One commenter agreed with the need for a safe harbor but stated that the proposed safe harbor is not sufficiently robust because it contains “vague and extensive requirements that are overly subjective” and the Commission therefore would be “likely to review an SCI entity's interpretation of the safe harbor in the event of a systems issue with the benefit of 20/20 hindsight.” [647] This commenter expressed concern that the occurrence of a significant systems event would mean that an exchange did not have reasonable policies and procedures and would be outside the terms of the proposed safe harbor.[648]

A few commenters suggested specific alternatives to the proposed safe harbors.[649] One commenter recommended that the Commission adopt a safe harbor with objective criteria to protect SCI entities from enforcement actions under Regulation SCI except in cases of intentional or reckless non-compliance or patterns of non-compliance with Regulation SCI, or if an SCI entity fails to implement reasonable corrective action in response to a written communication from the Commission regarding Regulation SCI.[650] This commenter urged that, even if the Commission does not include the suggested safe harbor, the adopting release should clearly state that the Commission will not pursue enforcement actions against SCI entities that establish, maintain, and enforce compliance policies and procedures or act in good faith, notwithstanding a violation of Regulation SCI.[651]

One group of commenters similarly recommended that the Commission adopt an objective safe harbor.[652] These commenters noted that minor mistakes and unintentional errors occur in the daily operations of running a business, and a safe harbor should provide protection to SCI entities that follow the policies and procedures as intended, including in the resolution and containment of such mistakes and errors.[653] These commenters believed that it should be sufficient for an SCI entity to qualify for the safe harbor if it adopts policies and procedures reasonably designed to comply with Regulation SCI and does not knowingly violate such policies and procedures.[654] These commenters further requested that the Commission clarify its views on the protections of the safe harbor for inadvertent violations of other laws and rules despite compliance with Regulation SCI and expand the safe harbor to explicitly cover such instances.[655]

One commenter suggested simplifying the safe harbor to require only that an SCI entity adopt reasonable policies and procedures to comply with proposed Regulation SCI, which should include reasonable ongoing responsibilities related to testing and monitoring.[656] Another commenter believed that the safe harbor should grant immunity from enforcement penalties for all problems that are self-reported by SCI entities and individuals.[657] One commenter suggested that Regulation SCI should: (1) Encourage parties to discover and remediate technology errors and malfunctions, and/or deficiencies in their policies and procedures; (2) avoid ipso facto liability under Regulation SCI for failures by technology or systems; and (3) require some form of causation in order for liability to attach.[658] This commenter also recommended that the Commission provide safe harbors from liability under both proposed Rules 1000(b)(1) and (2) where either: (1) The SCI entity or SCI personnel discovers and remediates a problem without regulatory intervention and assuming no underlying material violation; or (2) no technology error or problem has occurred, but the policies and procedures might benefit from improvements.[659] According to this commenter, the remediation safe harbor should also apply to underlying technology problems if the SCI entity had complied with Regulation SCI.[660] One commenter expressed concern that, without a safe harbor and a guarantee of immunity, the disclosures to the Commission required under Regulation SCI would provide a roadmap for litigation against non-SRO entities.[661]

ii. Elimination of Proposed Safe Harbor for SCI Entities and Specification of Minimum Elements

As discussed in greater detail below, after careful consideration of the comments, and in light of the more focused scope of Regulation SCI, the Commission has determined not to adopt the proposed safe harbor for SCI entities.[662] Rather, Rule 1001(b) sets forth non-exhaustive minimum elements that an SCI entity must include in its systems compliance policies and procedures. The Commission recognizes that the precise nature, size, technology, business model, and other aspects of each SCI entity's business vary. Therefore, the minimum elements are intended to be general in order to accommodate these differences, and each SCI entity will need to exercise judgment in developing and maintaining specific policies and procedures that are reasonably designed to achieve systems compliance. The Commission also believes that SCI entities should consider the evolving nature of the securities industry, as well as industry practices and standards, in developing and maintaining such policies and procedures. As such, the elements specified in Rule 1001(b) are non-exhaustive, and each SCI entity should consider on an ongoing basis what steps it needs to take in order to ensure that its policies and procedures are reasonably designed.

In the SCI Proposal, the Commission stated that, “[b]ecause of the complexity of SCI systems and the breadth of the federal securities laws and rules and regulations thereunder and the SCI entities' rules and governing documents, the Commission preliminarily believes that it would be appropriate to provide an explicit safe harbor for SCI entities and their employees in order to provide greater clarity as to how they can ensure that their conduct will comply with [Rule 1000(b)(2)].” [663]

One reason that the Commission is not adopting the proposed safe harbor for SCI entities is that the Commission has focused the scope of Regulation SCI as adopted. For example, adopted Rule 1001(b) requires policies and procedures that are reasonably designed to ensure compliance with “the Act”—rather than operating “in the manner intended, including in a manner that complies with the federal securities laws” as was proposed—and the rules and regulations thereunder, and the SCI entity's rules and governing documents. Therefore, the requirement under adopted Rule 1001(b) is more targeted than the requirement under proposed Rule 1000(b)(2), and alleviates some of the concern regarding the “breadth of the federal securities laws and rules and regulations thereunder” that was expressed in the SCI Proposal. The Commission expects that SCI entities are familiar with their obligations under the Exchange Act, the rules and regulations thereunder, and their own rules and governing documents. In addition, as discussed in Section IV.A.2.b above, the Commission has further focused the scope of SCI systems, which also alleviates some of the concern regarding the “complexity of SCI systems” that was expressed in the SCI Proposal.[664]

Further, as noted above, in the SCI Proposal, the Commission stated its preliminary belief that it would be appropriate to provide an explicit safe harbor for SCI entities in order to provide greater clarity on how they could comply with proposed Rule 1000(b)(2).[665] Rather than achieving this goal, commenters argued that the proposed safe harbor merely further defined the elements that the policies and procedures must have, and did not include sufficient guidance or specificity to SCI entities seeking to rely on it.[666] For example, one commenter noted that the policies and procedures specified in the safe harbor would still need to be “reasonably designed.” [667] Further, the Commission acknowledges some commenters' concern that the proposed safe harbor, “with its prescriptive requirements,” could evolve into the de facto rule itself.[668]

As discussed above, the Commission is not adopting a safe harbor for SCI entities. Rather, adopted Rule 1001(b)(1) requires an SCI entity to have reasonably designed policies and procedures to achieve systems compliance and adopted Rule 1001(b)(2) specifies non-exhaustive, general minimum elements that an SCI entity must include in its systems compliance policies and procedures. These minimum elements are based on the elements contained in the proposed safe harbor for SCI entities, but modified in response to concerns raised by commenters. As adopted, Rules 1001(b)(1) and (b)(2) specify the minimum elements of reasonably designed policies and procedures to achieve systems compliance, and at the same time provide flexibility by permitting an SCI entity to establish policies and procedures that are reasonably designed based on the nature, size, technology, business model, and other aspects of its business. Moreover, the Commission believes that, by specifying non-exhaustive, general minimum elements of systems compliance policies and procedures, the rule will encourage SCI entities to actively build and improve upon the compliance of their systems rather than limit their compliance to bright-line tests or the fixed elements of a safe harbor, and encourage the evolution of sound practices over time. In addition, the Commission notes that there currently are no publicly available written industry standards regarding systems compliance that are applicable to all SCI entities that can serve as the basis for a clear, objective safe harbor, as there is with current SCI industry standards (e.g., the publications listed in staff guidance) relating to operational capability. Even if such standards existed, the Commission believes that the specificity necessary to achieve the goal of a clear, objective safe harbor would disincentivize SCI entities from continuing to improve their systems over time. Finally, the Commission believes that, because the minimum elements specified in Rule 1001(b)(2) are non-exhaustive, Rule 1001(b) can accommodate the possibility that, as technology evolves, additional or updated elements could become appropriate for SCI entities to include in their systems compliance policies and procedures to ensure that such policies and procedures remain reasonably designed on an ongoing basis.

iii. Response to Other Comments on the SCI Entity Safe Harbor

With respect to commenters who requested clarification on the protection of the safe harbor for inadvertent violations of other laws and rules despite compliance with Regulation SCI,[669] as noted above, the Commission clarifies that liability under Regulation SCI is separate and distinct from liability for other violations that may arise from the underlying SCI events under other laws and rules. Specifically, Regulation SCI imposes new requirements on SCI entities and is not intended to alter the standards for determining liability under other laws or rules. Therefore, if an SCI entity is in compliance with Regulation SCI but inadvertently violates another law or rule, whether or not the SCI entity will be liable under the other law or rule depends on the standards for determining liability under such law or rule. Because the new requirements under Regulation SCI are separate and distinct from existing requirements under other laws or rules, Regulation SCI is not a shield from liability under such laws or rules.

The Commission also does not believe that it would be appropriate to provide a safe harbor for all problems that are self-reported by SCI entities and individuals or that are discovered and remediated without regulatory intervention, as suggested by commenters.[670] In particular, Rule 1001(b) is intended to help ensure that SCI entities operate their systems in compliance with the Exchange Act and relevant rules in the first place, and thus is not only focused on helping to ensure that SCI entities appropriately respond to a compliance issue (e.g., by taking corrective action or reporting the issue to the Commission) after it has occurred and impacted the market or market participants. Therefore, the Commission does not believe that the suggested self-report or remediation safe harbors will effectively further this intent of Rule 1001(b). In particular, the Commission notes that reporting and remediation of SCI events are separately required under Rules 1002(b) and (a) of Regulation SCI, respectively. The purposes of Rule 1002(b) include keeping the Commission informed of SCI events after they have occurred. Moreover, Rule 1002(a) is intended to ensure that SCI entities remedy a systems issue and mitigate the resulting harm after the issue has already occurred. The Commission believes that, if an SCI entity is protected from liability under Rule 1001(b) simply because it self-reported systems compliance issues or discovered and remediated systems compliance issues without regulatory intervention, the SCI entity will not be effectively incentivized to have reasonably designed policies and procedures to ensure systems compliance in the first place. As discussed above, the occurrence of an SCI event will not necessarily cause a violation of Regulation SCI. Further, the occurrence of a systems compliance issue also does not necessarily mean that the SCI entity will be subject to an enforcement action. Rather, the Commission will exercise its discretion to initiate an enforcement action if the Commission determines that action is warranted, based on the particular facts and circumstances of an individual situation.

As discussed above, some commenters expressed concern that the occurrence of a significant systems issue would mean that an SCI entity did not have reasonable policies and procedures and therefore suggested “objective” safe harbors.[671] The Commission notes that all SCI entities are required to comply with the Exchange Act, the rules and regulations thereunder, and their own rules and governing documents, as applicable, and the purpose of Rule 1001(b) is to effectively help ensure compliance of the operation of SCI systems with these laws and rules. The Commission does not believe that Rule 1001(b) would further this goal to the same degree if the Commission were to adopt commenters' safe harbor suggestions (i.e., an SCI entity is deemed to be in compliance with Rule 1001(b) so long as: The SCI entity is not knowingly out of compliance; such non-compliance is not intentional, reckless, or in bad faith; or there is no pattern of non-compliance) because, with these suggested “objective” safe harbors, SCI entities may not be effectively incentivized to establish, maintain, and enforce reasonably designed policies and procedures to ensure systems compliance. Moreover, the Commission notes that Rule 1001(b) requires “reasonably designed” policies and procedures, which already provides flexibility to SCI entities in complying with the rule. The Commission also emphasizes again that, while it is eliminating the safe harbor for SCI entities, the occurrence of a systems compliance issue may be probative, but is not determinative, of whether an SCI entity violated Regulation SCI. As noted above, an SCI entity would not be deemed to be in violation of Rule 1001(b)(1) merely because it experienced a systems compliance issue. Further, the occurrence of a systems compliance issue also does not necessarily mean that the SCI entity will be subject to an enforcement action. Rather, the Commission will exercise its discretion to initiate an enforcement action if the Commission determines that action is warranted, based on the particular facts and circumstances of an individual situation.

Further, as noted above, one commenter recommended that the Commission provide a safe harbor where no technology error or problem has occurred, but the policies and procedures might benefit from improvements.[672] The Commission believes that there may be instances where an SCI entity's policies and procedures might benefit from improvement, even though they are reasonably designed. In such instances, the SCI entity is in compliance with Rule 1001(b) and therefore does not need a safe harbor. At the same time, the Commission notes that there may be instances where no technology error or problem has occurred, but an SCI entity's policies and procedures with regard to systems compliance might nonetheless be deficient and not satisfy the requirements of Rule 1001(b). The Commission does not believe that it would be appropriate to provide a safe harbor in these instances. As noted above, Rule 1001(b) is intended to help ensure that SCI entities operate their SCI systems in compliance with the Exchange Act and relevant rules. The Commission does not believe that a safe harbor that effectively insulates deficient policies and procedures will further the intent of this rule. Further, the Commission notes that one requirement of Rule 1001(b)(1) is that an SCI entity “maintain” its policies and procedures. To explicitly set forth an SCI entity's obligation to review and update its policies and procedures, similar to Rule 1001(a), the Commission is adopting a requirement for periodic review by an SCI entity of the effectiveness of its systems compliance policies and procedures, and prompt action by the SCI entity to remedy deficiencies in such policies and procedures.[673] The Commission notes that an SCI entity will not be found to be in violation of this maintenance requirement solely because it failed to identify a deficiency immediately after the deficiency occurred, if the SCI entity takes prompt action to remedy the deficiency once it is discovered, and the SCI entity had otherwise appropriately reviewed the effectiveness of its policies and procedures and took prompt action to remedy those deficiencies that were discovered.

Finally, as noted above, one commenter believed that, without a safe harbor and a guarantee of immunity (such as the regulatory immunity of SROs), information provided to the Commission pursuant to Rule 1000(b)(4)(iv) would provide a roadmap for litigation. As discussed below in Section IV.B.3.c, the Commission acknowledges that, if an SCI entity experiences an SCI event, it could become the subject of litigation (including private civil litigation). At the same time, the Commission notes that the information submitted to the Commission pursuant to Regulation SCI will be treated as confidential, subject to applicable law.[674] On the other hand, the Commission acknowledges that it could consider the information provided to the Commission pursuant to Rule 1002(b) in determining whether to initiate an enforcement action. The Commission notes that all SCI entities are required to comply with the Exchange Act, the rules and regulations thereunder, and their own rules and governing documents, as applicable, and the requirement for Commission notification of systems compliance issues is intended to assist the Commission in its oversight of such compliance. With respect to the regulatory immunity of SROs, the Commission notes that, although courts have found that SROs are entitled to absolute immunity from private claims under certain circumstances,[675] if an SRO fails to comply with the provisions of the Exchange Act, the rules or regulations thereunder, or its own rules, the Commission is still authorized to impose sanctions.[676] As such, like other SCI entities, SROs are not immune from Commission sanctions. Finally, as discussed in detail above, the Commission does not believe that it would be appropriate to provide a safe harbor for all problems that are self-reported to the Commission by SCI entities and individuals.

c. Minimum Elements of Reasonable Policies and Procedures

The safe harbor for SCI entities in proposed Rule 1000(b)(2)(ii) specified that, to qualify for the safe harbor, the SCI entity's policies and procedures must be reasonably designed to provide for: (1) Testing of all SCI systems and any changes to such systems prior to implementation; (2) periodic testing of all SCI systems and any changes to such systems after their implementation; (3) a system of internal controls over changes to SCI systems; (4) ongoing monitoring of the functionality of SCI systems to detect whether they are operating in the manner intended; (5) assessments of SCI systems compliance performed by personnel familiar with applicable federal securities laws and rules and regulations thereunder and the SCI entity's rules and governing documents, as applicable; and (6) review by regulatory personnel of SCI systems design, changes, testing, and controls to prevent, detect, and address actions that do not comply with applicable federal securities laws and rules and regulations thereunder and the SCI entity's rules and governing documents, as applicable. In the SCI Proposal, the Commission asked whether each element of the proposed safe harbor for SCI entities was appropriate.[677] Several commenters addressed one or more of the proposed safe harbor elements.

As discussed above, rather than adopting the proposed safe harbor for SCI entities, the Commission is specifying non-exhaustive, general minimum elements that an SCI entity must include in its systems compliance policies and procedures. The minimum elements are based on the proposed safe harbor. These elements are: (i) Testing of all SCI systems and any changes to SCI systems prior to implementation; (ii) a system of internal controls over changes to SCI systems; (iii) a plan for assessments of the functionality of SCI systems designed to detect systems compliance issues, including by responsible SCI personnel and by personnel familiar with applicable provisions of the Act and the rules and regulations thereunder and the SCI entity's rules and governing documents; and (iv) a plan of coordination and communication between regulatory and other personnel of the SCI entity, including by responsible SCI personnel, regarding SCI systems design, changes, testing, and controls designed to detect and prevent systems compliance issues. Each of these elements is discussed below.

As noted above, some commenters requested more guidance or certainty regarding the safe harbor elements (e.g., by including bright-line tests and minimum standards).[678] As discussed above in Section IV.B.2.b, the Commission is not adopting a safe harbor but is specifying the minimum elements that an SCI entity must include in its systems compliance policies and procedures. By generally requiring policies and procedures to be reasonably designed and specifying non-exhaustive, general minimum elements of systems compliance policies and procedures, the Commission intends to provide specificity on how to comply with Rule 1001(b), and at the same time provide a reasonable degree of flexibility to SCI entities in establishing and maintaining policies and procedures that are appropriately tailored to each SCI entity.

Regarding elements (1) and (2) of the proposed safe harbor, a few commenters opposed the inclusion of a requirement that an SCI entity conduct periodic testing of systems absent systems changes.[679] One commenter stated that it performs testing prior to implementation of trading systems changes in the production environment and conducts regression testing to ensure that the changes did not introduce any undesired side-effects.[680] This commenter explained that the proposed periodic testing requirement would impose additional cost and not provide any benefit.[681] One commenter believed that the pre- and post-implementation testing components of the safe harbor, which would apply to all systems changes, could potentially drive SCI entities to take a narrow view of what constitutes a systems change.[682] Another commenter sought further guidance from the Commission on the scope of periodic testing of all SCI systems and whether, for example, systems testing would be required following a systems change if the SCI entity has already provided notice of the systems change to the Commission.[683] One commenter requested clarification that the testing described in proposed Rules 1000(b)(2)(ii)(A)(1) and (2) refers to testing to ensure that SCI systems operate in the manner intended, and noted that testing should not be required to be periodic, but instead should be based on the relative risks of non-compliance arising from any changes being introduced into production or any changes to the applicable laws or rules.[684] One commenter stated that it believed that the frequency and type of testing under proposed Rules 1000(b)(2)(ii)(A)(1) and (2) are open to interpretation.[685]

After consideration of the views of commenters, the Commission believes that testing of SCI systems and changes to such systems prior to implementation is appropriate for inclusion as a required element of systems compliance policies and procedures. As noted in the SCI Proposal, elements (1) and (2) of the proposed safe harbor were intended to help SCI entities to identify potential problems before such problems have the ability to impact markets and investors.[686] The Commission believes that testing prior to implementation of SCI systems and prior to implementation of any SCI systems changes would likely be an important component for achieving this goal and it is included as a required element of systems compliance policies and procedures.[687] In contrast, the Commission believes that the value of the proposed element for additional testing in the absence of systems changes may be variable, depending on the SCI system or change to an SCI system at issue.[688] At the same time, each SCI entity should consider on an ongoing basis what steps it needs to take in order to ensure that its policies and procedures are reasonably designed, including whether its policies and procedures should provide for testing of certain systems changes after their implementation to ensure that they operate in compliance with the Exchange Act and relevant rules.

With regard to element (3) of the proposed safe harbor, one commenter stated that it is unclear what minimum standards are required for the internal controls under proposed Rule 1000(b)(2)(ii)(A)(3).[689] As discussed above, the Commission believes it is appropriate to set forth minimum elements of systems compliance policies and procedures that are broad enough to provide SCI entities with reasonable flexibility to design their policies and procedures based on the nature, size, technology, business model, and other aspects of their businesses. Therefore, while the Commission believes that a system of internal controls over changes to SCI systems is appropriate for inclusion as a required element of systems compliance policies and procedures, the Commission is not specifying the minimum standard for internal controls. As stated in the SCI Proposal, a system of internal controls and ongoing monitoring of systems functionality are intended to help ensure that an SCI entity adopts a framework that will help it bring newer, faster, and more innovative SCI systems online without compromising due care, and to help prevent SCI systems from becoming noncompliant resulting from, for example, inattention or failure to review compliance with established written policies and procedures. The Commission believes that such internal controls would likely include, for example, protocols that provide for: Communication and cooperation between legal, business, technology, and compliance departments in an SCI entity; appropriate authorization of systems changes by relevant departments of the SCI entity prior to implementation; review of systems changes by legal or compliance departments prior to implementation; and monitoring of systems changes after implementation.

With regard to elements (4)-(6) of the proposed safe harbor, one commenter noted that the proposed requirement related to ongoing monitoring was too broad and should be eliminated or revised to be more flexible.[690] This commenter noted that the proposal for “monitoring of the functionality of [SCI] systems to detect whether they are operating in the manner intended” is potentially quite broad and seems to suggest some form of independent validation.[691] Another commenter asked the Commission to clarify how the testing requirements in proposed Rules 1000(b)(2)(ii)(1) and (2) (testing prior to and after implementation) differ from those in proposed Rule 1000(b)(2)(ii)(A)(5) (assessments of systems compliance by personnel familiar with applicable laws and rules).[692] One commenter noted that the monitoring, assessments, and reviews under proposed Rules 1000(b)(2)(ii)(A)(4), (5), and (6) are unclear.[693] Two commenters sought guidance on how an SCI entity could satisfy the requirements related to reviews and assessments by legal and compliance personnel (i.e., proposed Rules 1000(b)(2)(ii)(A)(5) and (6)).[694] One of these commenters suggested that each SCI entity be given the discretion to determine the level of familiarity necessary to qualify as personnel able to undertake the assessments and which personnel are regulatory personnel, and asked whether these two categories of personnel are different.[695] Another commenter also sought clarification on the meaning of the term “regulatory personnel” and suggested that each SCI entity should have discretion in determining which of its employees constitute regulatory personnel.[696] One commenter expressed concern that review by regulatory personnel of SCI systems would unreasonably expose non-technology persons to potential liability if an SCI entity suffers a malfunction.[697]

After consideration of the views of commenters, the Commission believes that “a plan for assessments of the functionality of SCI systems designed to detect systems compliance issues, including by responsible SCI personnel and by personnel familiar with applicable provisions of the Act and the rules and regulations thereunder and the SCI entity's rules and governing documents” is appropriate for inclusion as a required element of systems compliance policies and procedures. In particular, rather than “ongoing monitoring of the functionality of [SCI] systems to detect whether they are operating in the manner intended” and also “assessments of SCI systems compliance . . . ,” the Commission believes that “a plan for assessments” of SCI systems compliance would be more appropriate.[698] The Commission notes that “a plan for assessments” could include, for example, not only a plan for monitoring, but also a plan for testing or assessments, as appropriate, and at a frequency (e.g., periodic or continuous) that is based on the SCI entity's risk assessment of each of its SCI systems.[699] The Commission is not specifying the manner and frequency of assessments that must be set forth in such plan because the Commission believes that each SCI entity will likely be in the best position to assess and determine the assessment plan that is most appropriate for its SCI systems. The Commission emphasizes that the nature and frequency of the assessments contemplated by an SCI entity's plan will vary based on a range of factors, including the entity's governance structure, business lines, and legal and compliance framework. The plan for assessments does not require the SCI entity to conduct a specific kind of assessment, nor does it require that assessments be performed at a certain frequency. The plan, however, may address the specific reviews required by Rule 1003(b)(1).

In addition, in response to a commenter's concern that the proposed safe harbor element of “monitoring of the functionality of [SCI] systems to detect whether they are operating in the manner intended” is potentially quite broad and seems to suggest some form of independent validation, the Commission notes that it is not requiring SCI entities to include independent validation in their assessment plans.[700] However, if an SCI entity determines that its reasonably designed systems compliance policies and procedures should provide for independent validation in its assessment plan under certain circumstances, then the SCI entity should design its policies and procedures accordingly. In that case, pursuant to Rule 1001(b), which requires an SCI entity to establish, maintain, and enforce its written policies and procedures, the SCI entity would be required to enforce its own policies and procedures, including those related to independent validation.

In addition, the Commission believes that “a plan of coordination and communication between regulatory and other personnel of the SCI entity, including by responsible SCI personnel, regarding SCI systems design, changes, testing, and controls designed to detect and prevent systems compliance issues” is appropriate for inclusion as a required element of systems compliance policies and procedures. As noted in the SCI Proposal, assessments of SCI systems compliance by personnel familiar with applicable laws and rules and regulatory personnel review of SCI systems design, changes, testing, and controls are intended to help foster coordination between the information technology and regulatory staff of an SCI entity so that SCI events and other issues related to SCI systems would be more likely to be addressed by a team of staff in possession of the requisite range of knowledge and skills.[701] They are also intended to help ensure that an SCI entity's business interests do not undermine regulatory, surveillance, and compliance functions and, more broadly, the requirements of the Exchange Act, during the development, testing, implementation, and operation processes for SCI systems.[702] The Commission believes that a plan of coordination and communication between regulatory and other personnel, including by responsible SCI personnel, would further these same goals.

The Commission expects that an SCI entity will determine for itself the responsible SCI personnel and other personnel who have sufficient knowledge of relevant laws and rules to be able to effectively implement systems assessments,[703] such that the SCI entity's policies and procedures are reasonably designed to ensure that SCI systems operate in compliance with the Exchange Act and relevant rules, as required by Rule 1001(b).[704] Similarly, the Commission expects that an SCI entity will determine for itself the regulatory and other personnel, including responsible SCI personnel, who have sufficient knowledge with respect to the legal and technical aspects of systems design, changes, testing, and controls to engage in coordination and communication regarding such operations, such that the SCI entity's policies and procedures are reasonably designed to ensure that its SCI systems operate in compliance with the Exchange Act and relevant rules, as required by Rule 1001(b).[705]

One commenter sought clarity on how an SCI entity would satisfy the requirement that it does “not have reasonable cause to believe the policies and procedures were not being complied with.” [706] Another commenter stated that there is no guidance for SCI entities on how to appropriately follow the procedures that they have developed and stated that as proposed, it would be reasonable to interpret the safe harbor as excluding any SCI entity that suffers a significant systems event.[707] One commenter believed that the Commission should resolve any potential ambiguity between the requirements of proposed Rule 1000(b)(2)(ii)(C)(1) (requiring SCI entities to reasonably discharge the duties and obligations set forth in the policies and procedures) and proposed Rule 1000(b)(2)(ii)(C)(2) (requiring that SCI entities not have reasonable cause to believe such policies and procedures were not being complied with).[708] As discussed throughout this section, the Commission is not adopting the proposed safe harbor for SCI entities. Therefore, as adopted, Rule 1001(b) does not include the provisions of proposed Rules 1000(b)(2)(ii)(B) and (C). Further, the Commission believes that proposed Rules 1000(b)(2)(ii)(B) and (C) reiterated the requirements for SCI entities to establish, maintain, and enforce their systems compliance policies and procedures, and provided an example of how SCI entities could satisfy these requirements. 
For example, the SCI Proposal noted that proposed Rules 1000(b)(2)(ii)(B) and (C) specified that an SCI entity's policies and procedures must be reasonably designed to achieve SCI systems compliance, and that, as part of such policies and procedures, the SCI entity must establish and maintain systems for applying those policies and procedures, and enforce its policies and procedures, in a manner that would reasonably allow it to prevent and detect violations of the policies and procedures.[709] The Commission believes that Rule 1001(b), as adopted, provides flexibility to SCI entities regarding their methods for establishing, maintaining, and enforcing their systems compliance policies and procedures.

d. Individual Safe Harbor

Proposed Rule 1000(b)(2)(iii) set forth a safe harbor for individuals. It provided that a person employed by an SCI entity would be deemed not to have aided, abetted, counseled, commanded, caused, induced, or procured the violation by any other person of proposed Rule 1000(b)(2)(i) if the person employed by the SCI entity has reasonably discharged the duties and obligations incumbent upon such person by the policies and procedures, and was without reasonable cause to believe that such policies and procedures were not being complied with in any material respect.

In the SCI Proposal, the Commission asked whether commenters agreed with the requirements of the proposed safe harbor for employees of SCI entities, and whether a similar safe harbor should be available to individuals other than employees of SCI entities.[710] Some commenters specifically addressed the proposed safe harbor for individuals.[711] Several commenters urged that individuals not be subject to liability under Regulation SCI absent an intentional act of willful misconduct.[712] Two commenters questioned the need for a safe harbor for individuals generally,[713] and one commenter stated that inclusion of a safe harbor would unnecessarily and severely limit the Commission's ability to deter violations through meaningful enforcement actions.[714] Two commenters questioned why the proposed safe harbor for individuals was limited to SCI entity employees.[715] One commenter expressed concern that the proposed safe harbor for individuals could be counterproductive and create an environment of second-guessing and distrust, where employees act in a way to avoid potential liability (i.e., each person would be effectively deputized to police others' actions).[716] A few commenters added that the proposed safe harbor for individuals, and the resulting implication of potential individual liability, may have the unintended consequence of limiting the ability of SCI entities to hire the best available talent in information technology, risk-management, and compliance disciplines.[717] One commenter questioned why the proposed safe harbor for individuals would apply only to actions of aiding any other person and not apply to any actions of the reporting individual.[718]

After careful consideration of these comments, the Commission is adopting the individual safe harbor with certain modifications. With respect to the commenter who expressed concern that a safe harbor would “unnecessarily and severely” limit the Commission's ability to deter violations through meaningful enforcement actions,[719] the Commission notes that Regulation SCI only imposes obligations directly on SCI entities and the Commission is not adopting a safe harbor for SCI entities. Further, personnel of SCI entities qualify for the individual safe harbor under Rule 1001(b) only if they satisfy certain requirements.[720] In particular, in connection with a Commission finding that an SCI entity violated Rule 1001(b), the individual safe harbor will not apply if an SCI entity personnel failed to reasonably discharge his or her duties and obligations under the policies and procedures. In addition, for an SCI entity personnel who is responsible for or has supervisory responsibility over an SCI system, the individual safe harbor also will not apply if he or she had reasonable cause to believe that the policies and procedures related to such an SCI system were not in compliance with Rule 1001(b) in any material respect. Therefore, the Commission does not believe that the individual safe harbor will “unnecessarily and severely” limit the Commission's ability to deter violations.

With respect to commenters who questioned the need for an individual safe harbor because Rule 1001(b) imposes an obligation on SCI entities,[721] the Commission agrees that Regulation SCI imposes direct obligations on SCI entities, and does not impose obligations directly on personnel of SCI entities. At the same time, as with all other violations of the Exchange Act and rules that impose obligations on an entity, there is a potential for secondary liability for an individual who aided and abetted or caused a violation. The Commission is therefore revising the individual safe harbor to clarify that personnel of an SCI entity shall be deemed not to have aided, abetted, counseled, commanded, caused, induced, or procured the violation by “an SCI entity” (rather than “any other person”) of Rule 1001(b) if the elements of the safe harbor are satisfied.

As noted above, one commenter questioned why the proposed safe harbor for individuals would only apply to actions of aiding another and not apply to any direct violative action of the reporting individual.[722] The Commission notes that the individual safe harbor only applies to actions of aiding, abetting, counseling, commanding, causing, inducing, or procuring the violation by an SCI entity because Regulation SCI does not impose any direct obligations on personnel of SCI entities. Therefore, individuals could not be found to be in violation of Regulation SCI, except through aiding, abetting, counseling, commanding, causing, inducing, or procuring the violation by an SCI entity of Regulation SCI.

With respect to commenters who suggested extending the individual safe harbor to contractors, consultants, and other non-employees used by SCI entities in connection with their SCI systems,[723] the Commission agrees with these comments and is extending the safe harbor to all “personnel of an SCI entity,” rather than only persons employed by an SCI entity, as was proposed. Specifically, the Commission believes that contractors, consultants, and other similar non-employees may act in a capacity similar to an SCI entity's employees, and thus should be able to avail themselves of the individual safe harbor if they satisfy its requirements.

To be covered by the individual safe harbor, for which the individual has the burden of proof, personnel of an SCI entity must: (i) Have reasonably discharged the duties and obligations incumbent upon such person by the SCI entity's policies and procedures; and (ii) be without reasonable cause to believe that the policies and procedures relating to an SCI system for which such person was responsible, or had supervisory responsibility, were not established, maintained, or enforced in accordance with Rule 1001(b) in any material respect. Element (i) of the adopted individual safe harbor is substantively unchanged from the proposal. For the reasons discussed below in this section, element (ii) of the adopted individual safe harbor specifies that it applies only to a person who is responsible for or has supervisory responsibility over an SCI system. In addition, rather than requiring an individual to be without reasonable cause to believe that systems compliance policies and procedures “were not being complied with in any material respect” as proposed, element (ii) of the adopted safe harbor requires the applicable personnel to be without reasonable cause to believe that the relevant systems compliance policies and procedures “were not established, maintained, or enforced” in accordance with Rule 1001(b) in any material respect. The Commission notes that element (ii) of the adopted safe harbor tracks the language of the general requirement under Rule 1001(b) that an SCI entity “establish, maintain, and enforce” written policies and procedures reasonably designed to ensure systems compliance, and appropriately reflects the responsibilities of a person who is responsible for or has supervisory responsibility over an SCI system.[724]


The Commission believes that it is appropriate to not provide a safe harbor to a person with responsibility over an SCI system if such person had reasonable cause to believe that the policies and procedures for such system were not established, maintained, or enforced as required by Rule 1001(b) in a material respect. The limited application of this element to such personnel (rather than to any person employed by an SCI entity as proposed) is intended to mitigate commenters' concerns that the proposed safe harbor would create an environment of distrust and limit the ability of SCI entities to hire high quality personnel.[725] In particular, personnel who are not responsible for and do not have supervisory responsibility over SCI systems can qualify for the individual safe harbor, regardless of their belief regarding the reasonableness of the SCI entity's systems compliance policies and procedures. Therefore, such personnel would not be “deputized to police” the actions of other personnel, as a commenter believed they would.[726] Further, with respect to personnel who are responsible for or have supervisory responsibility over an SCI system, such personnel likely already have the responsibility to supervise others' activities related to that SCI system, which would provide such personnel with information to form a reasonable belief regarding the reasonableness of the policies and procedures. Because Rule 1001(b) is intended to help prevent the occurrence of systems compliance issues at SCI entities, the Commission believes that it is appropriate for supervisory personnel to be knowledgeable regarding the entity's policies and procedures regarding systems compliance, which may be accomplished through training provided by the SCI entity. 
Moreover, the Commission believes it is appropriate in the context of the safe harbor that, if a person with responsibility over an SCI system becomes aware of potential material non-compliance of the SCI entity's policies and procedures related to that system, such person should take action to review and address, or direct other personnel to review and address, such material non-compliance. Finally, to further mitigate commenters' concern that potential individual liability may limit the hiring ability of SCI entities,[727] as noted above, personnel of an SCI entity will not be deemed to have aided, abetted, counseled, commanded, caused, induced, or procured the violation by an SCI entity of Regulation SCI merely because the SCI entity experienced a systems compliance issue, whether or not the person was able to take advantage of the individual safe harbor.

As noted above, with respect to a personnel of an SCI entity who is not responsible for and does not have supervisory responsibility over SCI systems, the safe harbor provides that such personnel shall be deemed not to have aided, abetted, counseled, commanded, caused, induced, or procured the violation by an SCI entity of Rule 1001(b) if such person has reasonably discharged the duties and obligations incumbent upon him or her by the systems compliance policies and procedures. Therefore, unlike personnel who are responsible for or have supervisory responsibility over SCI systems, these persons would not be liable even if the SCI entity itself did not have reasonably designed systems compliance policies and procedures or did not enforce its policies and procedures, as long as they discharged their duties and obligations under the policies and procedures in a reasonable manner.[728] The Commission believes this safe harbor is appropriate because the persons who will seek to rely on this safe harbor are those who do not have responsibility for the establishment, maintenance, and enforcement of the policies and procedures, or the actions of other personnel of the SCI entity.

With respect to commenters who argued that individuals should not be subject to liability under Regulation SCI absent an intentional act of willful misconduct,[729] the Commission notes again that Regulation SCI imposes direct obligations only on SCI entities, and not on individuals. However, as with all other violations of provisions of the Exchange Act and rules that impose obligations on an entity, there is a potential for secondary liability for an individual who aided and abetted or caused a violation. As discussed above in the context of SCI entities, all SCI entities are required to comply with the Exchange Act, the rules and regulations thereunder, and their own rules and governing documents, as applicable, and the purpose of Rule 1001(b) is to effectively help ensure compliance of the operation of SCI systems with the Exchange Act, the rules and regulations thereunder, and their own rules and governing documents. The Commission does not believe that the rule would further this goal to the same degree if the Commission adopts commenters' suggestions for the individual safe harbor (i.e., personnel of an SCI entity are permitted to cause an SCI entity to be out of compliance with Rule 1001(b) so long as the personnel did not act intentionally or willfully).

3. SCI Events: Corrective Action; Commission Notification; Dissemination of Information—Rule 1002

Adopted Rule 1002, which corresponds to proposed Rules 1000(b)(3)-(5), requires an SCI entity to take corrective action, notify the Commission, and disseminate information regarding certain SCI events.

a. Triggering Standard

As proposed, the obligation of an SCI entity to take corrective action (proposed Rule 1000(b)(3)), notify the Commission (proposed Rule 1000(b)(4)), and disseminate information (proposed Rule 1000(b)(5)) would have been triggered upon “any responsible SCI personnel becoming aware of” an SCI event.[730] Proposed Rule 1000(a) defined “responsible SCI personnel” to mean, for a particular SCI system or SCI security system impacted by an SCI event, any personnel, whether an employee or agent, of an SCI entity having responsibility for such system.[731] In the SCI Proposal, the Commission noted that this proposed definition was intended to include any personnel of the SCI entity having responsibility for the specific system(s) impacted by a given SCI event.[732] The Commission stated that such personnel would include any technology, business, or operations staff with responsibility for such systems, and with respect to systems compliance issues, any regulatory, legal, or compliance personnel with legal or compliance responsibility for such systems.[733] The Commission also explained that “responsible SCI personnel” would not be limited to managerial or senior-level employees of the SCI entity and could include junior personnel with responsibility for a particular system.[734]

After considering the views of commenters, the Commission is modifying the proposed standard for triggering corrective action, Commission notification, and dissemination of information obligations in adopted Rule 1002, including by amending the definition of responsible SCI personnel, as discussed below.

Responsible SCI Personnel

Many commenters expressed concern that the proposed definition of responsible SCI personnel was too broad.[735] These commenters generally urged the Commission to revise the scope of the definition to cover only those employees in management or supervisory roles that have responsibility over an SCI system, rather than including relatively junior or inexperienced employees.[736] Some of these commenters stated that junior employees and/or technology personnel may not have the training or breadth of knowledge or experience necessary to identify, analyze, and determine whether a systems issue is an SCI event under the rule.[737] Similarly, one commenter advocated limiting responsible SCI personnel to employees with full knowledge and authority over a system.[738] Some commenters also suggested that SCI entities should have the discretion to decide which employees are responsible SCI personnel.[739]

Similarly, several commenters emphasized the importance of escalation policies and procedures, pursuant to which technology staff or junior employees could assess a systems problem and escalate the issue up the chain of command to management as well as legal and/or compliance personnel, who will help determine whether a systems issue was an SCI event and whether the obligations under Regulation SCI are triggered.[740] These commenters argued that the rule should allow entities to adopt and follow such escalation procedures rather than triggering the obligations under Regulation SCI upon one employee's awareness of a systems issue.[741] One commenter also asserted that limiting the definition of responsible SCI personnel would be appropriate if the Commission also required a robust escalation procedure.[742]

Some commenters also expressed concern about the potential liability that responsible SCI personnel could face if the rule were adopted as proposed, given the breadth of the definition of “responsible SCI personnel.” [743] Specifically, commenters asserted that, as a result of including junior and information technology personnel within the definition and the potential liability of such individuals, the proposed provision would make it more difficult for SCI entities to attract and retain high quality information technology employees.[744] Another commenter noted that responsible operations or technical personnel may not be in a position to make legal determinations about when a compliance issue has arisen.[745]

After consideration of the views of commenters, the Commission has revised the term “responsible SCI personnel” to mean, “for a particular SCI system or indirect SCI system impacted by an SCI event, such senior manager(s) of the SCI entity having responsibility for such system, and their designee(s).” [746] The Commission agrees that the proposed definition of responsible SCI personnel was broad and, consistent with the views of some commenters, believes that it is appropriate to instead focus the adopted definition on senior personnel of SCI entities that have responsibility for a particular system.[747] The Commission believes that adopting a more focused definition of responsible SCI personnel to include only senior managers having responsibility for a given system (and their designees) addresses commenters' concerns that the obligations of the rule could have been triggered upon the awareness of junior or inexperienced employees who lack the knowledge or experience to be able to make a determination regarding whether an SCI event had, in fact, occurred.[748] The Commission believes that the revised definition is a better approach than the proposed definition because, consistent with suggestions from some commenters, it will appropriately allow SCI entities to adopt procedures that would require personnel of an SCI entity to escalate a systems issue to senior individuals who are responsible for a particular system and who have the ability and authority to appropriately analyze and assess the issue affecting the SCI system or indirect SCI system, and their designees, as applicable.[749]

The Commission also notes that, consistent with some commenters' recommendations, under the adopted rule, SCI entities will be afforded flexibility to determine which personnel to designate as “responsible SCI personnel.” [750] Specifically, SCI entities will need to affirmatively identify one or more senior managers that have responsibility for each of its SCI systems or indirect SCI systems.[751] In addition, the Commission notes that the definition of responsible SCI personnel affords SCI entities with the flexibility to designate one or more other personnel as designees for a given system.[752] The Commission believes that it is important to include designees within the definition of responsible SCI personnel to provide an SCI entity with the flexibility that it may need, and which the Commission believes is necessary, given the varying sizes, natures, and complexities of each SCI entity. A senior manager may name a designee (or designees) who would also have responsibility for a given system with regard to Regulation SCI, for example, if the senior manager is absent, is occupied with other oversight responsibilities for a period of time, or because of other practical limitations, is otherwise unavailable to assess the SCI entity's obligations under Regulation SCI at a given point in time. The Commission believes it is likely that the designation of a designee and such designee's particular responsibilities with regard to an SCI system or indirect SCI system would be addressed by an SCI entity's policies and procedures, as discussed below.
However, the Commission notes that while the definition of “responsible SCI personnel” does not permit the senior manager having responsibility for an applicable system to disclaim responsibility under the rule by delegating it fully to one or more designees (i.e., the adopted rule reads “and their designees” rather than “or their designees”), it may assist SCI entities in fulfilling their responsibilities under Regulation SCI by allowing them to delegate to personnel other than senior managers such that those designees can also serve in the role of responsible SCI personnel.

The Commission further believes that the modifications to the definition address some commenters' concerns regarding the potential liability of junior SCI personnel, as the obligations of the rule are now triggered only when senior managers, rather than junior employees, having responsibility for a particular system have a reasonable basis to conclude that an SCI event has occurred.[753] Further, the Commission reiterates that Regulation SCI imposes direct obligations on SCI entities and does not impose obligations directly on personnel of SCI entities. For these reasons, the Commission believes that an SCI entity's ability to attract and retain employees should not be negatively affected by the requirements of Regulation SCI, as adopted.[754] The Commission also reiterates that the occurrence of an SCI event may be probative, but is not determinative of whether an SCI entity violated Regulation SCI.[755]

In light of the more focused definition of responsible SCI personnel and consistent with commenters' suggestions,[756] the Commission believes it is appropriate to also adopt a policies and procedures requirement with respect to the designation of responsible SCI personnel and escalation procedures. As discussed above, many commenters highlighted the importance of escalation procedures and advocated for their use as an alternative to the adoption of a broader definition of responsible SCI personnel.[757] Specifically, the Commission is adopting Rule 1001(c), which requires each SCI entity to “[e]stablish, maintain, and enforce reasonably designed written policies and procedures that include the criteria for identifying responsible SCI personnel, the designation and documentation of responsible SCI personnel, and escalation procedures to quickly inform responsible SCI personnel of potential SCI events.” The Commission believes that it is important for an SCI entity's policies and procedures to have a defined set of criteria for identifying responsible SCI personnel so that such personnel are identified in a consistent manner across all of an SCI entity's operations and with regard to all of its SCI systems and indirect SCI systems. The Commission believes that SCI entities are best suited to establish the appropriate criteria for such a designation but notes that such criteria could include, for example, consideration of the level of knowledge, skills, and authority necessary to take the required actions under the rules. 
The Commission also believes it is important for policies and procedures to include the designation and documentation of responsible SCI personnel, so that it is clear to all employees of the SCI entity who the designated responsible SCI personnel are for purposes of the escalation procedures and so that Commission staff can easily identify such responsible SCI personnel in the course of its inspections and examinations and other interactions with SCI entities. The Commission also believes that, given the more focused definition of responsible SCI personnel, escalation procedures to quickly inform responsible SCI personnel of potential SCI events are necessary to help ensure that the appropriate person(s) are provided notice of potential SCI events so that any appropriate actions can be taken in accordance with the requirements of Regulation SCI without unnecessary delay. Such escalation procedures would establish the means by which, and actions required for, escalating information regarding a systems issue that may be an SCI event up the chain of command to the responsible SCI personnel, who will be responsible for determining whether an SCI event has occurred and what resulting obligations may be triggered. The Commission notes that each SCI entity may establish escalation procedures that conform to its needs, organization structure, and size. By requiring that responsible SCI personnel are “quickly inform[ed]” of potential SCI events, the Commission intends to require that escalation procedures emphasize promptness and ensure that responsible SCI personnel are informed of potential SCI events without delay. At the same time, the rule does not prescribe a specific time requirement in order to give flexibility to SCI entities in recognition that immediate notification may not be possible or feasible. 
Further, similar to adopted Rules 1001(a) and 1001(b), Rule 1001(c) requires that an SCI entity periodically review the effectiveness of the policies and procedures related to responsible SCI personnel and take prompt action to remedy deficiencies in such policies and procedures.

Becomes Aware

Several commenters criticized the proposed requirement that certain obligations under Regulation SCI be triggered when a responsible SCI personnel “becomes aware” of an SCI event. Some commenters stated that the standard was vague and lacked clarity regarding when, exactly, responsible SCI personnel would be deemed to become aware of an SCI event.[758] Further, some commenters noted that the “becomes aware” standard emphasized immediate action over methodical escalation, diagnosis, and resolution procedures.[759] As noted above, several commenters emphasized the importance of escalation policies and procedures, and argued that the rule should allow entities to adopt and follow such escalation procedures rather than triggering the obligations under Regulation SCI upon one employee's awareness of a systems issue.[760] Another commenter suggested specific revisions to the triggering standard so that the phrase “responsible SCI personnel becoming aware” would be eliminated entirely and replaced with “SCI entity having a reasonable basis to conclude,” which it believed would allow for escalation through a normal chain of command.[761]

With regard to the Commission notification requirements specifically,[762] one commenter suggested that SCI entities should only be required to notify the Commission “upon confirming the existence of an SCI event,” [763] while another commenter stated that the rule should require notification to the Commission as soon as reasonably practicable after responsible personnel becomes aware of the SCI event.[764] Similarly, one commenter believed that the “becomes aware” standard was problematic because it would require notification before an SCI entity has accurate information upon which to act.[765]

After consideration of the views of commenters, the Commission has determined to revise the triggering standard so that SCI entities will be required to comply with the obligations of adopted Rule 1002 upon responsible SCI personnel having “a reasonable basis to conclude” that an SCI event has occurred, as suggested by a commenter.[766] This standard permits an SCI entity to gather relevant information and perform an initial analysis and assessment as to whether a systems issue may be an SCI event, rather than requiring an SCI entity to take corrective action, notify the Commission, and/or disseminate information about an SCI event immediately upon responsible SCI personnel becoming aware of an SCI event.[767] Thus, the Commission believes that the “reasonable basis to conclude” standard should provide some additional flexibility and time for judgment to determine whether there is a “reasonable basis to conclude” in contrast to the “becomes aware” standard which many commenters noted would be difficult to apply in practice due to the difficulty of determining when an individual, in fact, “becomes aware” of an SCI event.[768] Further, the Commission believes that, consistent with commenters' recommendations, the revised standard, in conjunction with the revised definition of “responsible SCI personnel,” will allow an SCI entity to adopt and follow its internal escalation policies and procedures to inform senior SCI entity personnel of systems issues, and allow meaningful assessment of the issues by such senior management prior to triggering obligations of the rule.[769] At the same time, the Commission believes that the obligations of the rule will continue to be triggered in a timely manner because the Commission is adopting a separate requirement in Rule 1001(c), as noted above, for escalation procedures to quickly inform responsible SCI personnel of potential SCI events.

b. Corrective Action—Rule 1002(a)

Proposed Rule 1000(b)(3) required an SCI entity, upon any responsible SCI personnel becoming aware of an SCI event, to begin to take appropriate corrective action including, at a minimum, mitigating potential harm to investors and market integrity resulting from the SCI event and devoting adequate resources to remedy the SCI event as soon as reasonably practicable.[770] The corrective action requirement is being adopted substantially as proposed, but with the triggering standard modified as discussed above.[771]

Two commenters supported the corrective action provision generally.[772] Several commenters stated that the proposed requirement put too great an emphasis on immediately taking corrective action at the expense of thoroughly analyzing the SCI event and its cause, considering potential remedies, and/or acting in accordance with internal policies and procedures before committing to a plan to take corrective action.[773] One group of commenters suggested that the rule should make clear that “corrective action” should also include a variety of other potential actions, such as communicating with responsible parties, diagnosing the root cause, disclosing to members and the public, and mitigating potential harm by following their policies and procedures.[774] Another commenter stated that, in certain circumstances, it is “aggressive to presume that one individual's knowledge should prompt an immediate response by the SCI [e]ntity at large.” [775] This commenter further stated that a standard requiring an SCI entity to mitigate potential harm to investors is extremely vague.[776]

As adopted, Rule 1002(a) requires an SCI entity, upon any responsible SCI personnel having a reasonable basis to conclude that an SCI event has occurred, to begin to take appropriate corrective action including, at a minimum, mitigating potential harm to investors and market integrity resulting from the SCI event and devoting adequate resources to remedy the SCI event as soon as reasonably practicable. The Commission continues to believe that this provision of Regulation SCI is important to make clear that each SCI entity has the obligation to respond to SCI events with appropriate steps necessary to remedy the problem or problems causing such SCI event and mitigate the negative effects of the SCI event, if any, on market participants and the securities markets more broadly. As discussed below, the specific steps that an SCI entity will need to take to mitigate the harm will be dependent on the particular systems issue, its causes, and the estimated impact of the event, among other factors. To the extent that a systems issue affects not only the particular users of an SCI system, but also has a more widespread impact on the market generally, as may be likely with regard to systems issues affecting critical SCI systems, the SCI entity will need to consider how it might mitigate any potential harm to the overall market to help ensure market integrity. For example, an SCI entity would need to take steps to regain a system's ability to process transactions in an accurate, timely, and efficient manner, or to ensure the accurate, timely, and efficient collection, processing, and dissemination of market data.

As noted above, many of the comments on this requirement are related to the standard for triggering the obligation to take corrective action under this provision, namely “upon any responsible SCI personnel becoming aware of” an SCI event. As discussed above, the Commission has further focused the scope of the term “responsible SCI personnel” in response to commenters' concerns that the term was too broad and could inappropriately capture junior and/or inexperienced employees. Further, as discussed above, the Commission has revised the “becomes aware” standard to instead trigger obligations when responsible personnel have “a reasonable basis to conclude” an SCI event has occurred. As explained above, the Commission believes that these important modifications are responsive to commenters' concerns that the corrective action requirement could be triggered upon the knowledge of only one individual or a junior employee of a systems issue without sufficient time to analyze and assess the systems problem and follow internal escalation procedures. Under the adopted standard, only when (i) suspected systems problems are escalated to senior managers of the SCI entity who have responsibility for the SCI system or indirect SCI system experiencing an SCI event and their designees, and (ii) such personnel have “a reasonable basis to conclude” that an SCI event has occurred are the appropriate corrective actions required by Rule 1002(a) triggered.

Further, in response to commenters who stated that the proposed rule places too large an emphasis on immediate corrective action,[777] in addition to the modifications noted above which are intended to allow for appropriate time for an SCI entity to perform an initial analysis and preliminary investigation into a potential systems issue before the obligations under Rule 1002(a) are triggered, the Commission notes that it does not use the term “immediate” in either the proposed or adopted rules. Rather, the Commission emphasizes that the rule requires that corrective action be taken “as soon as reasonably practicable” once the triggering standard has been met. The Commission believes that, because the facts and circumstances of each specific SCI event will be different, this standard ensures that an SCI entity will take necessary corrective action soon after an SCI event, but not without sufficient time to first consider what is the appropriate action to remedy the SCI event in a particular situation and how such action should be implemented.

Moreover, the Commission has considered the comment that the rule prescribe in more specificity the particular types of corrective action that must be taken by an SCI entity and believes that it is appropriate to adopt, as proposed, a rule that requires more generally that “appropriate” corrective action be taken and requires that, at a minimum, the SCI entity take appropriate steps to mitigate potential harm to investors and market integrity resulting from the SCI event and devote adequate resources to remedy the SCI event. The Commission notes that the rule is designed to afford flexibility to SCI entities in determining how to best respond to a particular SCI event in order to remedy the problem causing the SCI event and mitigate its effects. As a general matter, though, the Commission agrees that such corrective action would likely include a variety of actions, such as those identified by one group of commenters, including determining the scope of the SCI event and its causes, making a determination regarding its known and anticipated impact, following adequate internal diagnosis and resolution policies and procedures, and taking additional action to respond as each SCI entity deems appropriate.[778] The Commission also notes that certain other specific types of corrective action identified by such commenters are already required by other provisions of Regulation SCI, such as communicating and escalating the issue to responsible personnel and making appropriate disclosures to members or participants regarding the SCI event.[779]

c. Commission Notification—Rule 1002(b)

i. Proposed Rule 1000(b)(4)

Proposed Rule 1000(b)(4) addressed the Commission notification obligations of an SCI entity upon any responsible SCI personnel becoming aware of an SCI event.[780] Specifically, proposed Rule 1000(b)(4)(i) required an SCI entity, upon any responsible SCI personnel becoming aware of a systems disruption that the SCI entity reasonably estimated would have a material impact on its operations or on market participants, any systems compliance issue, or any systems intrusion (“immediate notification SCI event”), to notify the Commission of such SCI event, which could be done orally or in writing (e.g., by email). Proposed Rule 1000(b)(4)(ii) required an SCI entity to submit a written notification pertaining to any SCI event to the Commission within 24 hours of any responsible SCI personnel becoming aware of the SCI event. Proposed Rule 1000(b)(4)(iii) required an SCI entity to submit to the Commission continuing written updates on a regular basis, or at such frequency as reasonably requested by a representative of the Commission, until such time as the SCI event was resolved.

Proposed Rule 1000(b)(4)(iv) detailed the types of information that were required for written notifications under proposed Rule 1000(b)(4).[781] In addition, proposed Rule 1000(b)(4)(iv)(C) required an SCI entity to provide a copy of any information disseminated regarding the SCI event to its members or participants or on the SCI entity's publicly available Web site.

As described below, adopted Rule 1002(b) retains the general framework of proposed Rule 1000(b)(4) for Commission notification of SCI events, but makes several modifications in response to comments.

Comments Regarding Commission Notification of SCI Events

One commenter generally supported proposed Rule 1000(b)(4), stating that it would enhance transparency and might allow the Commission to see patterns in small, seemingly non-material SCI events that are worthy of attention.[782] However, many other commenters expressed concerns about proposed Rule 1000(b)(4).[783] Many of these commenters stated that the scope of proposed Rule 1000(b)(4) was too broad, and that the notification requirement would lead to over-reporting to the Commission.[784] Commenters also suggested various ways to revise the reporting requirement. For example, several commenters recommended requiring notification to the Commission only for “material” or “significant” events.[785] One commenter, for instance, recommended reporting most SCI events as part of the annual SCI review process, while focusing Commission notification on material SCI events.[786] Similarly, another commenter suggested that SCI entities should only be required to report information relating to “impactful” systems disruptions in an annual report to the Commission rather than in near real time reports.[787] Another commenter recommended requiring notification only for systems issues that warrant notification to an SCI entity's subscribers or participants.[788] Some commenters recommended a risk-based approach under which each SCI event would be subject to a risk-based assessment, in which the obligation to notify the Commission would be based on the attendant risk, with only material events requiring notification.[789]

Commenters also identified potential problems resulting from a notification requirement that they perceived as too broad. For example, one commenter stated that the notification requirements have the potential to create efficiency issues, delay system remediation, create substantial resource demands, and create instability, which would diminish an SCI entity's ability to be responsive to investors and damage market efficiency.[790] Similarly, several commenters stated that the proposed Commission notification provision would require SCI entities to divert resources to comply with the requirement which, in turn, would risk delaying resolution of the SCI event that is being reported on.[791] Other commenters suggested that the proposed rule would result in large volumes of data and reporting, which would present challenges to, and burdens on, SCI entities as well as Commission staff.[792] One commenter also questioned the extent to which the reported information provided by the notifications would be useful to the Commission.[793]

Some commenters focused their comments on the proposal's requirements for Commission reporting of systems intrusions and offered alternative approaches to reporting systems intrusions. One commenter stated that, in order to limit the number of notifications, SCI entities should be required to investigate and keep a record of all systems intrusions that did not cause a material disruption of service, or that were a malicious (but unsuccessful) attempt to gain unauthorized access to confidential data, and make these records available to the Commission staff if requested.[794] Another commenter recommended that non-material systems intrusions be recorded within the SCI entity's records.[795] Another commenter suggested that systems intrusions in a development or testing environment should only be reportable if there is a likelihood that the same issue or vulnerabilities exist in the current production environment and cannot be verified within a certain period, such as, for example, 24 to 48 hours.[796] In addition, one commenter suggested that, for systems intrusions, rather than impose the Commission notification requirement on SCI entities, the Commission should instead require SCI entities to establish policies and procedures reasonably designed to prevent, detect, and respond to systems intrusions.[797]

One commenter stated that the Commission should support the enhancement of the Financial Services Information Sharing and Analysis Center (“FS-ISAC”) [798] and another commenter suggested that non-material cyber-relevant events be provided to and disseminated through FS-ISAC rather than the Commission.[799] Some commenters further suggested that certain systems intrusions should be reported to FS-ISAC.[800]

Other commenters stated that reporting a systems compliance issue is reporting a legal conclusion, and that requiring an SCI entity to do so would overburden them with extensive technical and legal analysis and potentially expose those entities to Commission sanctions or litigation.[801] Several commenters expressed concerns regarding the confidentiality of the information provided pursuant to proposed Rule 1000(b)(4), and stated that such information should be confidential and protected from public disclosure.[802] One of these commenters requested that the Commission confirm in the final rule that the information will remain confidential.[803]

Commenters also raised other general concerns and made suggestions with regard to proposed Rule 1000(b)(4). One commenter argued that the proposed rules could cause SCI entities to release information before all relevant factors are known, which could be counterproductive and harmful.[804] Another commenter was concerned that SCI entities would be required to provide notification reports multiple times to different Commission staff for the same event.[805] Another commenter suggested that the proposed requirement is onerous and costly and thus, to realize benefits, the Commission, based on notifications received from SCI entities, should provide regular summary-level feedback that communicates the types, frequency, severity, and impact of market incidents across all reporting entities and other related data on the root cause of problems.[806] Another commenter suggested that the Commission provide examples, such as publications and reference blueprints, which could be useful to SCI entities as they attempt to understand the types of SCI events that warrant Commission notification.[807] Finally, some commenters broadly questioned the Commission's legal authority to adopt Regulation SCI as proposed, asserting, among other things, that the Commission's proposed notification requirement was beyond its legal authority.[808]

ii. Rule 1002(b)

After careful consideration of the comments on proposed Rule 1000(b)(4), the Commission is adopting Rule 1002(b), with several modifications in response to comments.[809]

Overview

The Commission notes that, even without the modifications the Commission is making in adopted Rule 1002(b), fewer SCI events would be subject to Commission notification than under the SCI Proposal, as a result of the adopted definitions of SCI systems, indirect SCI systems, systems disruption, and systems compliance issue, and the revised triggering standard discussed above. In addition, the Commission has determined to refine the scope of the adopted Commission notification requirement by incorporating a risk-based approach that requires SCI entities, for purposes of Commission notification, to divide SCI events into two main categories: SCI events that “[have] had, or the SCI entity reasonably estimates would have, no or a de minimis impact on the SCI entity's operations or on market participants” (“de minimis” SCI events); and SCI events that are not de minimis SCI events. De minimis SCI events will not be subject to an immediate Commission notification requirement as proposed. Instead, all de minimis SCI events will be subject to recordkeeping requirements, and de minimis systems disruptions and de minimis systems intrusions will be subject to a quarterly reporting obligation, as set forth in adopted Rule 1002(b)(5). For SCI events that are not de minimis, Commission notification will be governed by adopted Rules 1002(b)(1)-(4), which are substantially similar to proposed Rules 1000(b)(4)(ii)-(iv), but relaxed in certain respects in response to comment, as discussed below.

Effect of Revised Definitions and Revised Triggering Standard on Commission Notification Requirement

The Commission believes that the revisions made to a number of definitions already focus the scope of the Commission notification requirement in adopted Rule 1002(b) from the SCI Proposal. For example, elimination of member regulation and member surveillance systems from the adopted definition of SCI systems will substantially reduce the potential number of SCI events that would be subject to Commission notification under the proposal.[810] Likewise, systems problems that would otherwise meet the definition of SCI event do not meet the definition of an SCI event if they occur in the development or testing environment.[811] In addition, the Commission believes that the revised definition of “systems disruption” and “systems compliance issue” also will result in fewer systems issues being identified as SCI events.[812] In tandem with the revised definitions, the Commission also believes that the revised triggering standard for notification of SCI events, which affords an SCI entity time to evaluate whether a potential SCI event is an actual SCI event, will also result in fewer SCI events being subject to the requirements of Rules 1002(b)(1)-(4).[813] The Commission believes that these changes respond to comments that proposed Rule 1000(b)(4) was overbroad and overly burdensome for SCI entities.[814]

Exclusion of De Minimis SCI Events From Immediate Notification Requirements: Adopted Rule 1002(b)(5)

Adopted Rule 1002(b)(5) states that the requirements of Rules 1002(b)(1)-(4) do not apply to any SCI event that has had, or the SCI entity reasonably estimates would have, no or a de minimis impact on the SCI entity's operations or on market participants. For such de minimis events, Rule 1002(b)(5) requires that an SCI entity: (i) Make, keep, and preserve records relating to all such SCI events; and (ii) submit to the Commission a report, within 30 calendar days after the end of each calendar quarter, containing a summary description of such systems disruptions and systems intrusions, including the SCI systems and, for systems intrusions, indirect SCI systems, affected by such systems disruptions and systems intrusions during the applicable calendar quarter.

The Commission believes that this exception will result in a less burdensome reporting framework for de minimis SCI events than for other SCI events, and therefore responds to comment that the proposed reporting framework was too burdensome. The Commission believes that the quarterly reporting of de minimis systems disruptions and de minimis systems intrusions will reduce the frequency and volume of SCI event notices submitted to the Commission and also will allow both the SCI entity and its personnel, as well as the Commission and its staff, to focus their attention and resources on other, more significant SCI events. Consistent with taking a risk-based approach in other aspects of Regulation SCI, the Commission believes this modification from the SCI Proposal will result in more focused Commission monitoring of SCI events than if this aspect of the SCI Proposal was adopted without modification. Further, by reducing the number of SCI event notices provided to the Commission on an immediate basis as compared to the SCI Proposal, the adopted rule should also impose lower compliance costs and fewer burdens than if this aspect of the SCI Proposal was adopted without modification.

However, the Commission has determined not to incorporate a materiality threshold as requested by some commenters,[815] to limit the Commission reporting requirements to those events that are considered by SCI entities to be truly disruptive to the markets, as suggested by other commenters,[816] or to limit the Commission reporting requirement only to those events that warrant notification to an SCI entity's subscribers or participants, as suggested by still other commenters.[817] The Commission has made this determination because while there may be SCI events with little apparent impact on an SCI entity's operations or on market participants and the burden on an SCI entity to provide immediate notice to the Commission every time such an event occurs may not justify the benefit of providing such notice to the Commission on an immediate basis, the Commission does not believe that such de minimis events are irrelevant or that the Commission should never be made aware of them. To fulfill its oversight role, the Commission believes that the Commission and its staff should regularly be made aware of de minimis systems disruptions and de minimis systems intrusions and should have ready access to records regarding de minimis systems compliance issues that SCI entities are facing and addressing because, as the regulator of the U.S. securities markets, it is important that the Commission and its staff have access to information regarding all SCI events (including de minimis SCI events) and their impact on the technology systems and systems compliance of SCI entities, which may also provide useful insights into learning about indications of more impactful SCI events. 
The Commission has, however, determined to distinguish the timing of its receipt of information regarding SCI events based on their impact: those SCI events that an SCI entity reasonably estimates to have a greater impact are subject to “immediate” notification upon responsible SCI personnel having a reasonable basis to conclude that an SCI event has occurred; and those SCI events that an SCI entity reasonably estimates to have no or a de minimis impact are subject to recordkeeping obligations, and for de minimis systems disruptions and de minimis systems intrusions, a quarterly summary notification. Despite commenters' arguments to the contrary that de minimis SCI events do not warrant the Commission's and its staff's attention, the Commission believes that quarterly reporting of de minimis systems disruptions and de minimis systems intrusions and review of records regarding de minimis systems compliance issues is beneficial to the Commission and its staff in understanding SCI entity systems operations at the level of the individual SCI entity, as well as across the spectrum of SCI entities, and to monitor compliance with the Exchange Act and rules thereunder. The Commission notes that, while it is not requiring that de minimis systems compliance issues be submitted to the Commission in quarterly reports, Commission staff may request records relating to such de minimis systems compliance issues as necessary. The Commission encourages and does not intend to inhibit an evaluation by SCI entities of systems compliance issues, including de minimis systems compliance issues, which may inherently involve legal analysis.

As noted, some commenters focused specifically on systems intrusions, urging the Commission to modify or significantly reduce the instances in which notice of systems intrusions would be required,[818] or provide that non-material systems intrusions not be reported at all, and only be recorded by the SCI entity.[819] The Commission believes that the recordkeeping and quarterly reporting requirement for de minimis systems intrusions described in Rule 1002(b)(5) is partially responsive to these comments, but also believes that notice of intrusions in SCI systems and indirect SCI systems is important to allow the Commission and its staff to detect patterns or understand trends in the types of systems intrusions that may be occurring at multiple SCI entities. However, as compared to what would have been required if the SCI Proposal was adopted without modification, the Commission expects that the exception from the immediate reporting requirement provided for de minimis SCI events under Rule 1002(b)(5) will result in a much lower number of systems intrusions that SCI entities will be required to immediately report to the Commission than commenters believed,[820] and will achieve this result without compromising the Commission's interest in receiving more timely notification of impactful SCI events.

In addition, some commenters suggested that certain types of systems intrusions or non-material SCI events be reported exclusively to FS-ISAC or to both the Commission and FS-ISAC, and some advocated that the Commission support the enhancement of FS-ISAC.[821] The Commission believes that FS-ISAC and other information sharing services play an important role in assisting SCI entities and other entities with respect to security issues. Consistent with views shared by several members of the third panel at the Cybersecurity Roundtable, to the extent SCI entities determine that such information sharing services are useful, the Commission encourages SCI entities to cooperate with and share information relating to information security threats and related issues with such entities to further enhance their utility.[822] At the same time, for the reasons discussed above,[823] the Commission believes that it is important that the Commission directly receive information regarding systems intrusions from SCI entities, through immediate notifications or quarterly reports, as applicable.

In response to comments that recordkeeping of non-material SCI events would be more appropriate than reporting, the Commission believes that quarterly reporting of de minimis systems disruptions and de minimis systems intrusions will better achieve the goal of keeping Commission staff informed regarding the nature and frequency of SCI events that arise but are reasonably estimated by the SCI entity to have a de minimis impact on the entity's operations or on market participants. Importantly, submission and review of regular reports will facilitate Commission staff comparisons among SCI entities and thereby permit the Commission and its staff to have a more holistic view of the types of systems operations challenges that were posed to SCI entities in the aggregate.

With regard to de minimis systems compliance issues, however, the Commission believes the goals of Regulation SCI can be achieved through the SCI entity's obligation to keep, and provide to representatives of the Commission upon request, records of such de minimis systems compliance issues. The Commission believes that systems compliance issues generally are more specific to a particular entity's systems and rules and less likely, as compared to systems disruptions and systems intrusions, to raise market-wide issues that could affect several SCI entities. Accordingly, information on such events is less likely to provide valuable insight into trends and risks across the industry and, therefore, the Commission believes that the benefits of receiving quarterly reports on such de minimis systems compliance issues would be less relative to de minimis systems disruptions and de minimis systems intrusions. Further, the Commission notes that, based on Commission staff's experience with notifications of compliance-related issues at SROs, the Commission believes that SCI entities will experience a relatively small number of systems compliance issues each year, and thus, its regular examinations of SCI entities will provide an adequate mechanism for reviewing and addressing de minimis systems compliance issues affecting SCI entities. As noted above, Commission staff may request records relating to such de minimis systems compliance issues as necessary.

In response to the concerns raised by one commenter that the notification requirements have the potential to create efficiency issues, delay system remediation, create substantial resource demands, and create instability, the Commission believes that these concerns have been mitigated by the numerous changes made from the proposal, such as the adoption of a quarterly reporting framework for de minimis systems disruptions and de minimis systems intrusions and revised definitions of the terms SCI systems, indirect SCI systems, systems disruption, and systems compliance issue, in addition to the reduction in the obligations SCI entities have with respect to reporting requirements.[824] In addition, ARP entities today are able to regularly notify the Commission of systems related issues, such as systems outages, and the Commission therefore believes that the notification requirements will not require a majority of SCI entities to develop policies and procedures that are incongruous with their current practice. Moreover, the Commission believes that providing SCI entities with 30 days after the end of each quarter is adequate time for an SCI entity to prepare its report without unduly diverting SCI entity resources away from focusing on SCI events occurring in real time.[825]

The Commission believes that requiring SCI entities to report de minimis systems disruptions and de minimis systems intrusions quarterly balances the interest of SCI entities in having a limited reporting burden for such types of events with the Commission's interest in oversight of the information technology programs and systems compliance of SCI entities.[826] Similarly, the Commission believes that requiring recordkeeping of de minimis systems compliance issues allows the Commission to adequately monitor compliance with the Exchange Act and rules thereunder, while reducing the burdens on SCI entities with regard to providing information to the Commission on such de minimis systems compliance issues. Accordingly, the Commission has determined to exclude certain SCI events from the immediate Commission reporting requirements, subject to certain recordkeeping and reporting requirements for such events, as applicable.[827]

As described above, the de minimis exception from the immediate Commission notification requirements applies to systems compliance issues as well as systems disruptions and systems intrusions. The Commission believes that this approach strikes a balance that will help focus the Commission's and SCI entities' resources on those systems compliance issues with more significant impacts. Even if an SCI entity determines that the impact of the systems compliance issue is none or negligible, however, the Commission believes that it should have ready access to records regarding such systems compliance issues, and notes that Rule 1002 requires that an SCI entity take corrective action with respect to all SCI events, including de minimis systems compliance issues.[828]

The Commission recognizes that in many cases, the discovery of a potential systems compliance issue may be of a different nature than the discovery of potential systems disruptions or systems intrusions, as the latter types of events often have an immediately apparent and negative impact on the operations of a given system of the SCI entity. In contrast, in many instances, a systems compliance issue may require the involvement of various personnel (potentially including compliance and/or legal personnel) and a period of time may be required to afford such personnel the chance to perform a preliminary legal analysis to determine whether a systems compliance issue had, in fact, occurred. Because Rule 1002(b)(1) only requires notification to the Commission when responsible SCI personnel have a “reasonable basis to conclude” that a non-de minimis SCI event has occurred, the Commission believes it is appropriate for an SCI entity to notify the Commission of a non-de minimis systems compliance issue after it has conducted such a preliminary legal analysis, unless the nature of the issue makes it readily identifiable as a systems compliance issue.[829] Further, if an SCI entity determines that a systems compliance issue is de minimis, such event will not be required to be reported immediately to the Commission, but rather the SCI entity will be required to keep, and provide to representatives of the Commission upon request, records of such de minimis systems compliance issue. Thus, the Commission believes that, as adopted, the requirements with respect to systems compliance issues are reasonable because SCI entities are afforded flexibility to assess and understand potential SCI events and are not required to notify the Commission prior to forming a reasonable basis to conclude that an SCI event has occurred.

The Commission also believes that, as part of its oversight of the securities markets, it should have access to information regarding de minimis systems compliance issues when requested. And, although some commenters expressed concern that a systems compliance issue is a legal conclusion that requires time to analyze and could possibly expose the entity to liability if reported,[830] as discussed above, the Commission believes these concerns will be mitigated by the revised triggering standard for the obligations in Rule 1002.[831] However, while commenters are correct that the occurrence of a systems compliance issue may expose an SCI entity to liability,[832] the occurrence of an SCI event will not necessarily cause a violation of Regulation SCI. Further, the occurrence of a systems compliance issue also does not necessarily mean that the SCI entity will be subject to an enforcement action. Rather, the Commission will exercise its discretion to initiate an enforcement action if the Commission determines that action is warranted, based on the particular facts and circumstances of an individual situation.

Commission Legal Authority

As noted above, some commenters broadly questioned the Commission's legal authority to adopt certain provisions of Regulation SCI as proposed, including those relating to Commission notification of SCI events, as well as Commission notification of material systems changes.[833] Section 11A(a)(2) of the Exchange Act directs the Commission, having due regard for the public interest, the protection of investors, and the maintenance of fair and orderly markets, to use its authority under the Exchange Act to facilitate the establishment of a national market system for securities in accordance with the Congressional findings and objectives set forth in Section 11A(a)(1) of the Exchange Act. Among the findings and objectives in Section 11A(a)(1) is that “[n]ew data processing and communications techniques create the opportunity for more efficient and effective market operations” and “[i]t is in the public interest and appropriate for the protection of investors and the maintenance of fair and orderly markets to assure . . . the economically efficient execution of securities transactions.” In addition, Sections 6(b), 15A, and 17A(b)(3) of the Exchange Act impose obligations on national securities exchanges, national securities associations, and clearing agencies, respectively, to be “so organized” and “[have] the capacity to . . . carry out the purposes of [the Exchange Act].”

Consistent with this statutory authority, the Commission is adopting Regulation SCI to require, among other things, that SCI entities: (1) Provide certain notices and reports to the Commission to improve Commission oversight of securities market infrastructure; and (2) have comprehensive policies and procedures in place to help ensure the robustness and resiliency of their technological systems, and also that their technological systems operate in compliance with the Exchange Act, rules thereunder, and with their own rules and governing documents. These requirements are important to furthering the directives in Section 11A(a)(2) of the Exchange Act that the Commission, having due regard for the public interest, the protection of investors, and the maintenance of fair and orderly markets, facilitate the establishment of a national market system for securities in accordance with the Congressional findings and objectives set forth in Section 11A(a)(1) of the Exchange Act, including the economically efficient execution of securities transactions.

As discussed in Section I, the U.S. securities markets have been transformed in recent years by technological advancements that have enhanced the speed, capacity, efficiency, and sophistication of the trading functions that are available to market participants. Central to these technological advancements have been changes in the automated systems that route and execute orders, disseminate quotes, clear and settle trades, and transmit market data. At the same time, however, these technological advances have generated an increasing risk of operational problems with automated systems, including failures, disruptions, delays, and intrusions. Accordingly, in today's securities markets, properly functioning technology is central to the maintenance of fair and orderly markets, the national market system, and the efficient and effective market operations and the execution of securities transactions. While the Commission's ARP Inspection Program has been active in this area, the Commission has not adopted rules specific to these matters. The Commission believes that the adoption of Regulation SCI, with the modifications from the SCI Proposal as discussed above, and compliance with the regulation by SCI entities, will further the goals of the national market system. It will help to ensure the capacity, integrity, resiliency, availability, and security of the automated systems of entities important to the functioning of the U.S. securities markets, as well as reinforce the requirement that such systems operate in compliance with the Exchange Act and rules and regulations thereunder, thus strengthening the infrastructure of the U.S. securities markets and improving its resilience when technological issues arise.

In addition, Regulation SCI establishes an updated and formalized regulatory framework, thereby helping to ensure more effective Commission oversight of these systems whose proper functioning is central to the maintenance of fair and orderly markets and for the continued operation of the national market system. For these reasons, the Commission disagrees with the comments questioning the Commission's legal authority to adopt Regulation SCI.

More specifically, the Commission disagrees with comments regarding its legal authority under Rule 1002(b) related to Commission notification of SCI events. As discussed above, having immediate notice and continuing updates of non-de minimis SCI events, quarterly reports related to de minimis systems disruptions and de minimis systems intrusions, and recordkeeping requirements for de minimis SCI events, directly enables the Commission to have more effective oversight of the systems whose proper functioning is central to the maintenance of fair and orderly markets and for the continued operation of the national market system. In this respect, Rule 1002(b) is integral to furthering the statutory purposes of Section 11A of the Act under which the Commission is directed to act. Moreover, the Commission underscores that the adopted Commission notification provisions would require immediate Commission notice of fewer SCI events than as proposed because the adopted definitions of SCI systems, indirect SCI systems, systems disruption, and systems compliance issue have been refined from the proposal, and de minimis SCI events are not subject to immediate notice.

Some commenters also questioned the Commission's legal authority to require Commission notification of material systems changes.[834] As discussed in more detail below, the material systems change reports are intended to make the Commission and its staff aware of significant systems changes at SCI entities, and thereby improve Commission oversight of U.S. securities market infrastructure, which directly furthers the findings and objectives set forth in Section 11A(a)(1) of the Exchange Act.[835] The Commission believes that the adopted material systems change notification requirement will allow the Commission to more efficiently and effectively participate in discussions with SCI entities when systems issues occur and will allow Commission staff to effectively prepare for inspections and examinations of SCI entities. Moreover, Rule 1003(a), as adopted, differs significantly from the proposed requirements as it no longer requires 30-day advance notification, but rather requires quarterly reports of material systems changes. As such, the requirement is designed not to result in “close, minute regulation of computer systems and computer security.” [836] Additionally, the Commission notes that Regulation SCI does not provide for a new review or approval process for SCI entities' material systems changes.[837]

Immediate Commission Notification—Proposed Rule 1000(b)(4)(i)

Commenters also specifically discussed proposed Rule 1000(b)(4)(i) regarding reporting to the Commission on immediate notification SCI events. One commenter stated that it generally supported the immediate notification requirement of proposed Rule 1000(b)(4)(i) in the case of material SCI events,[838] but other commenters were critical.[839] For example, some commenters stated that the Commission should adopt a materiality threshold which would only require an SCI entity to immediately report material SCI events.[840] Similarly, one group of commenters suggested a tiered method that would reserve immediate notification to the Commission for truly critical events “where the Commission's input would contribute to an expedient resolution,” while requiring SCI entities to have written policies and procedures that focus the SCI entity's attention primarily on taking corrective measures during an SCI event and maintaining records to provide information to the Commission and members and participants as appropriate.[841] Two commenters suggested that different reporting standards should apply to different types of systems, suggesting, for example, that immediate notification should be required only for higher priority systems.[842]

One commenter questioned the adequacy of the Commission's asserted basis and purpose for requiring notification for the vast majority of SCI events.[843] In this commenter's view, the Commission's asserted rationale for the Commission notification requirement [844] would only support requiring immediate notification for a limited number of SCI events, where the Commission's involvement is necessary.[845] For other SCI events, in which the Commission would only be gathering and analyzing submitted information, the commenter stated that the Commission's rationale for requiring immediate notification is insufficient.[846]

Some commenters addressed the use of the term “immediately” in the proposed rule. One commenter characterized the proposed immediate reporting requirements as rigid, and questioned why reporting could not occur “promptly” with follow-up as reasonably requested by the Commission staff.[847] Another commenter stated that immediate notification is unrealistic and predicted that it could trigger innumerable false alarms.[848]

Other commenters addressed SCI events that occur outside of normal business hours. Two commenters believed that an SCI entity should not be required to notify the Commission of an SCI event outside of normal business hours.[849] Other commenters stated that material events should require immediate notification to the Commission, but all other types of events should be reported by the next business day.[850]

One commenter stated that immediate notification of an SCI event may be difficult where an SCI entity uses a third party to operate its systems, and therefore believed that an SCI entity should not be responsible for reporting an SCI event caused by a third party unless there is a material impact to the market or the SCI entity's ability to meet its service level agreements.[851] This commenter stated that the rule should permit SCI entities flexibility on how to address third party issues and requested further guidance from the Commission in this area.[852]

Immediate Notification of SCI Events: Adopted Rule 1002(b)(1)

Adopted Rule 1002(b)(1) requires each SCI entity to notify the Commission of an SCI event immediately upon any responsible SCI personnel having a reasonable basis to conclude that an SCI event has occurred (unless it is a de minimis SCI event). Such notification may be provided orally (e.g., by telephone) or in writing (e.g., by email or on Form SCI). Although many commenters were critical of the immediate notification provision, Rule 1002(b)(1) substantially retains the requirements of proposed Rule 1000(b)(4)(i), but is modified in certain respects in response to comments.

The Commission has considered the views of commenters who stated that the Commission should require immediate notification only for material SCI events, or when Commission involvement would contribute to an expedient resolution.[853] Given the Commission's oversight responsibilities over SCI entities and the U.S. securities market generally, the notification rule is not intended to be limited to instances in which SCI entities might believe that it would be useful for the Commission to provide input. SCI event notifications also serve the function of providing the Commission and its staff with information about the potential impact of an SCI event on the securities markets and market participants more broadly, which potential impacts may not be readily apparent or important to the SCI entity reporting such an event. Moreover, the Commission believes that there will be instances in which an SCI entity will not know the significance of an SCI event at the time of the occurrence of an event, or whether such event (or, potentially, the aggregated impact of several SCI events occurring, for example, across many SCI entities) will warrant the Commission's input or merit the Commission's awareness, nor does the Commission believe it should be solely within an SCI entity's discretion to make such a determination. And SCI entities retain the flexibility to revise their initial assessments should they subsequently determine that the event in question was incorrectly initially assessed to be a de minimis event (or incorrectly initially assessed to not be a de minimis event). Consequently, the Commission does not agree with commenters who stated that only material SCI events should be reported to the Commission immediately.[854]

The Commission has also considered comments that the term “immediately” as used in proposed Rule 1000(b)(4) is rigid and unrealistic.[855] The Commission, in adopting Rule 1002(b), has retained the requirement that SCI entities must notify the Commission immediately; however, as discussed in detail above,[856] the triggering standard has been modified so that the notification obligations of Rule 1002(b) are triggered only upon any responsible SCI personnel having a reasonable basis to conclude that an SCI event has occurred. The Commission believes this modification responds to commenters' concerns that the “immediate” reporting requirement is too rigid or would pose practical difficulties, as it allows additional time for escalation to senior SCI entity personnel and for the performance of preliminary analysis and assessment regarding whether an SCI event has, in fact, occurred before requiring notification to the Commission. As such, the Commission believes that the immediate notification requirement of Rule 1002(b)(1) will not unduly cause “false alarms,” as one commenter stated.[857] At the same time, the Commission believes that the immediate notification requirement, as adopted, will help ensure that the Commission and its staff are kept apprised of SCI events after they occur, and as their impact unfolds and is mitigated and, ultimately, as the SCI entity engages in corrective action to resolve the SCI events. Additionally, the Commission notes that immediate notifications made pursuant to Rule 1002(b)(1) may be made orally (e.g., by telephone) or in a written form (e.g., by email or on Form SCI).[858] The Commission notes that, by not prescribing the precise method of communication for an immediate notification, SCI entities are afforded the flexibility to determine the most effective and efficient method to communicate with the Commission.

The Commission has also considered comments that immediate notification should not be required outside of normal business hours, or that it should only be required outside of normal business hours in the case of material SCI events.[859] The Commission notes that the adopted rule will afford SCI entities considerable flexibility in how to communicate an immediate notification to the Commission—that is, SCI entities may satisfy the immediate notification requirement simply by communicating with the Commission via telephone or email. In addition, because an SCI entity's obligation to report to the Commission is not triggered until responsible SCI personnel have a reasonable basis to conclude that an SCI event has occurred,[860] the Commission does not believe that timely notification, even outside of normal business hours, is so onerous that it necessitates allowing a full business day to comply. Particularly because it has determined to exclude de minimis SCI events from the immediate notification requirement, the Commission believes that it is reasonable to require that an SCI event (except those specified in Rule 1002(b)(5)) be reported to the Commission orally (e.g., by telephone) or in writing (e.g., by email or on Form SCI) when responsible SCI personnel have a reasonable basis to conclude that an SCI event has occurred, even if such communication may be outside of normal business hours. Because the rule provides flexibility to more easily enable communication—by permitting oral notification—of the fact of an SCI event to the Commission, and because only non-de minimis SCI events are subject to this requirement, the Commission believes notice to the Commission is appropriate sooner rather than later.

In addition, as discussed above, the Commission believes that there may be situations where the severity of an SCI event may not be immediately apparent to an SCI entity experiencing the event, but the Commission, from its unique position, may determine as a result of receiving multiple immediate notifications, each related to an SCI event of a similar nature, that the SCI event is part of a pattern of a larger, more significant occurrence. The Commission is therefore adopting Rule 1002(b) to require that an SCI entity notify the Commission of an SCI event immediately upon any responsible SCI personnel having a reasonable basis to conclude that an SCI event has occurred, without an exception for periods outside of normal business hours.

In addition, as noted above, the information submitted to the Commission pursuant to Regulation SCI will be treated as confidential, subject to applicable law [861] and, as noted in Sections IV.B.1.b.i and IV.B.2.a, the occurrence of an SCI event does not necessarily mean that an SCI entity has violated Regulation SCI.

The Commission disagrees with the commenter who stated that the Commission should not require SCI entities to be responsible for reporting an SCI event caused by a third party because immediate notification would be difficult.[862] An SCI event, whether or not caused by a third party system, by definition relates to an SCI system or indirect SCI system. As explained in Section IV.A.2 above (discussing the definitions of “SCI systems” and “indirect SCI systems”), the Commission has adopted the definition of SCI systems to include, specifically, those systems of SCI entities that would be reasonably likely to impact the protection of investors and the maintenance of fair and orderly markets and an SCI entity's operational capability, and has not excluded third party systems from the definition. As stated above, if an SCI entity is uncertain of its ability to manage a third-party relationship to satisfy the requirements of Regulation SCI, then it would need to reassess its decision to outsource the applicable system to such third party.[863]

In response to comment that SCI entities would be required to provide notification reports multiple times to different Commission staff for the same event,[864] the Commission notes that the rule does not include such a requirement. In addition, the Commission also disagrees with the commenter who stated that, for systems disruptions, notifications should not be required from each separate entity where a disruption impacts multiple SCI entities.[865] Excusing immediate notification where a given event seems to be affecting multiple SCI entities would not be appropriate because the Commission, as the centralized receiver of notifications, will be the entity that will be in a position to determine whether, in fact, SCI entities are concurrently experiencing the same SCI event. Moreover, even if a given event affects multiple SCI entities, it may be the case that the event impacts each SCI entity and the affected systems in a different manner, and thus the Commission believes it is important to receive individual notifications from each affected SCI entity.

Written Commission Notification: Proposed Rule 1000(b)(4)(ii)

Commenters also specifically discussed and suggested alternatives to proposed Rule 1000(b)(4)(ii), which would have required an SCI entity, within 24 hours of any responsible SCI personnel becoming aware of any SCI event, to submit a written notification pertaining to such SCI event to the Commission. Many commenters stated that the proposed 24-hour time frame was too short or burdensome.[866] Several commenters specifically suggested that the Commission extend the time frame to allow SCI entities to attend to the SCI event without also devoting resources to notifying the Commission, suggesting different time frames they believed to be appropriate.[867] One commenter suggested that SCI entities be given until 24 to 48 hours after final resolution of the SCI event to submit a written notification.[868] Another commenter similarly recommended that, where real-time notification is needed, written notification should not be required unless an SCI event remains unresolved after a reasonable period (such as 10 or 15 days).[869]

Some commenters also suggested that, if the Commission retains the 24-hour requirement, it should require provision of less information. For example, one commenter suggested that SCI entities should only be required to provide whatever information is sufficiently reliable at that time.[870] Two other commenters stated that SCI entities should not be required to include an estimate of the markets and participants impacted by an SCI event or to quantify such impact because this requirement may create a risk of civil liability for the SCI entity.[871] Another commenter recommended that the rule require only a brief written summary that is one or two paragraphs, which could be supplemented by oral communications and a longer summary within 15 days after an SCI event has been fully resolved.[872]

With respect to the information provided to the Commission via notification of an SCI event, one commenter suggested that the rule provide a safe harbor for entities and employees for either inadvertent omissions in a submitted report, or when a good faith, documented determination is made that no report is required.[873] One commenter stated that the Commission should expressly provide that initial written submissions are to be made on a best efforts basis and SCI entities will incur no liability or penalty for any unintentional inaccuracies or omissions contained in these submissions.[874] Some commenters stated that entities should not be liable for information that is later found to be incomplete or inaccurate.[875]

Some commenters [876] questioned the purpose of requiring that information disseminated to members and participants (under proposed Rule 1000(b)(5)) be copied and attached to Form SCI as part of notifications to the Commission, and considered it “an overly broad inclusion of communications” that would have “a chilling effect on communications between the SCI entities and their members and participants,” [877] while another commenter argued that, when an exchange is having a technology issue, many members may be reaching out to the exchange's staff with requests for information and status. Therefore, that commenter questioned the feasibility, need, and potential impact of the proposed requirement that SCI entities provide a copy of any information disseminated to date regarding the SCI event to their members or participants.[878]

One commenter stated that, to reduce the cost of compliance, the Commission should accept the same notifications of service interruptions that an ATS already provides to its subscribers.[879]

Commenters also provided suggestions for limiting the circumstances for which 24-hour written notification would be required under proposed Rule 1000(b)(4)(ii). One commenter stated that only SCI events that materially impact an SCI entity's operations or market participants should be subject to the 24-hour written notification requirement, but questioned whether 24 hours was realistic even for those events.[880] One commenter suggested that proposed Rule 1000(b)(4)(ii) only apply to significant SCI events and that other events only be subject to a recordkeeping requirement.[881] In addition, some commenters suggested that if an SCI entity has provided oral notification to the Commission, it should not be required to file written notice within 24 hours after the initial report unless reasonably requested by the Commission.[882]

Written Notification Within 24 Hours: Adopted Rule 1002(b)(2)

Adopted Rule 1002(b)(2) requires an SCI entity, within 24 hours of any responsible SCI personnel having a reasonable basis to conclude that the SCI event has occurred, to submit a written notification pertaining to such SCI event to the Commission. Rule 1002(b)(2) allows for such written notifications to be made on a good faith, best efforts basis and requires that it include: (i) A description of the SCI event, including the system(s) affected; and (ii) to the extent available as of the time of the notification: the SCI entity's current assessment of the types and number of market participants potentially affected by the SCI event; the potential impact of the SCI event on the market; a description of the steps the SCI entity has taken, is taking, or plans to take, with respect to the SCI event; the time the SCI event was resolved or timeframe within which the SCI event is expected to be resolved; and any other pertinent information known by the SCI entity about the SCI event.

The Commission has considered comments stating that 24 hours is too short and burdensome a duration for an SCI entity to submit a compliant written notification.[883] The Commission understands commenters' concerns that SCI entities may still be actively investigating and working to resolve an SCI event and that the information they initially provide to the Commission about an SCI event may not ultimately prove correct.[884] Therefore, in line with commenters' suggestions regarding a good faith and best efforts standard,[885] the Commission has modified the 24-hour written notification requirement in adopted Rule 1002(b) to make clear that the written notification should be provided on a “good faith, best efforts basis.” This modification acknowledges that a written notification provided within 24 hours may provide only a preliminary assessment of the SCI event, that additional information may come to light after the initial 24-hour period, and that the initial assessment may prove in retrospect to be incorrect or incomplete. Consequently, the adopted rule requires that the written notification provided within 24 hours be submitted on a good faith, best efforts basis, and does not require that the written notification be a comprehensive or complete assessment of the SCI event (unless, of course, an SCI entity has completed a full assessment by such time). The Commission believes that a “good faith” standard will help to ensure that SCI entities will not be accountable for unintentional inaccuracies or omissions contained in these submissions, and a “best efforts” standard will help to ensure that SCI entities will make a diligent and timely attempt to provide all the information required by the written notification requirement.

The Commission also notes that an SCI entity will not need to submit a written notification where an SCI entity documents that an SCI event is determined to be a de minimis SCI event, other than including de minimis systems disruptions and de minimis systems intrusions in the quarterly report required by Rule 1002(b)(5). As discussed in further detail below, in the event that new information comes to light or previously reported information is found to be materially incorrect, adopted Rule 1002(b)(3) requires an SCI entity to update the information at that time, and does not require that such updates be written.[886] The Commission believes these modifications will help ensure that SCI entities are able to provide the information required by Rule 1002(b)(2) within 24 hours, and therefore the Commission is not modifying the timeframe to extend beyond 24 hours, as requested by several commenters.[887] Moreover, because the information need only be provided on a good faith, best efforts basis and, pursuant to Rule 1002(b)(3), updates can be provided on a regular basis to correct any materially incorrect information previously provided or when new material information is discovered, the Commission disagrees with commenters that stated that the information required by Rule 1002(b) should be provided only after resolution of the SCI event. The Commission continues to believe that Rule 1002(b)(2)'s requirement to provide information to the Commission within 24 hours is appropriately tailored to help the Commission and its staff quickly assess the nature and the scope of an SCI event and will contribute to more timely and effective Commission oversight of systems whose proper functioning is central to the maintenance of fair and orderly markets, and that this would particularly be the case for SCI events that are not yet resolved.[888]

Adopted Rule 1002(b)(2) is also responsive to comments urging the Commission to require less information in a 24-hour written notification.[889] Specifically, whereas proposed Rule 1000(b)(4) required a detailed description of the SCI event, adopted Rule 1002(b)(2)(i) specifies that an SCI entity must only provide “a description of the SCI event, including the system(s) affected.” Additional information is only required to the extent available as of the time of the notification, which includes an “SCI entity's current assessment of the types and number of market participants potentially affected by the SCI event; the potential impact of the SCI event on the market; a description of the steps the SCI entity has taken, is taking, or plans to take, with respect to the SCI event; the time the SCI event was resolved or timeframe within which the SCI event is expected to be resolved; and any other pertinent information known by the SCI entity about the SCI event.” [890] This information is the type of necessary information that SCI entities are able to provide in a short timeframe and that the Commission has come, over time, to rely upon to properly assess systems issues.

Additionally, the Commission notes that adopted Rule 1002(b) does not require that an SCI entity provide the Commission, at the time of the initial notice to the Commission, with its current assessment of the SCI event, including a discussion of the determination of whether it is subject to a dissemination requirement, as proposed in Rule 1000(b)(4).

The Commission has also determined to further refine the scope of information that needs to be reported in the 24-hour written notification by requiring that the following items instead be included in the final report under Rule 1002(b)(4), rather than in the 24-hour written notification required by Rule 1002(b)(2): A description of the SCI entity's rule(s) and/or governing document(s), as applicable, that relate to the SCI event; and an analysis of parties that may have experienced a loss, whether monetary or otherwise, due to the SCI event, the number of such parties, and an estimate of the aggregate amount of such loss.[891]

In response to commenters who suggested that the Commission limit the events for which 24-hour written notification would be required to material events,[892] the Commission notes that it has partially responded to such comments by providing an exception to the immediate notification requirement for de minimis events in Rule 1002(b)(5). The Commission believes that this exception should reduce the overall number of SCI events subject to the immediate notification requirement, and consequently to the requirement to submit a written notification within 24 hours of an SCI event, as compared with what would have been required had the SCI Proposal been adopted without modification, thereby alleviating some of the burdens about which commenters expressed concerns. Moreover, the Commission believes that a materiality threshold would likely exclude from the 24-hour written notification a large number of SCI events that are not de minimis SCI events but that the Commission, as part of its oversight role, should be updated on so that the Commission and its staff can quickly assess the nature and scope of those SCI events and potentially assist the SCI entity in identifying the appropriate response, including ways to mitigate the impact of SCI events on investors and promote the maintenance of fair and orderly markets. The Commission reemphasizes that the information to be provided under the 24-hour written notification would represent the SCI entity's preliminary assessment, performed on a good faith, best efforts basis, of the SCI event, and only certain key information is required under the 24-hour written notification, with “other pertinent information” required only where “known by the SCI entity” within the 24-hour timeframe. For these reasons, the Commission has determined not to adopt a materiality threshold for the requirement that an SCI entity update the Commission within 24 hours after it has a reasonable basis to conclude that an SCI event has occurred.

Additionally, the Commission disagrees with those commenters who stated that written notification should only be required when reasonably requested by the Commission.[893] The Commission believes that it should be notified of all SCI events and that all SCI events (other than those specified in Rule 1002(b)(5)) should be subject to the 24-hour written notification requirement because, by articulating in a single notification what is currently known about an SCI event and the steps expected to be taken to respond to the SCI event, the Commission will be better able to assess the nature and scope of, and respond to, SCI events and potentially assist SCI entities in identifying the appropriate response, including ways to mitigate the impact of SCI events on investors and promote the maintenance of fair and orderly markets.

In response to the comment that the Commission should accept the same notifications of service interruptions that an ATS provides to its subscribers,[894] the Commission believes that SCI ATSs can use the types of information contained in ATS notices to subscribers when completing Form SCI, but nevertheless believes that it is more useful and efficient for the Commission and its staff to be able to have all SCI event notifications standardized in a single format (i.e., Form SCI).

As discussed above, the information required under the adopted 24-hour written notification requirement has been refined as compared with the requirements in the proposal. Consequently, the Commission believes that SCI entities should be able to provide the Commission with this information in a written format, and does not agree that such information should be provided in an oral format, as requested by some commenters, regardless of the manner in which the immediate notification was provided to the Commission.[895] The Commission emphasizes that regular updates provided under Rule 1002(b)(3) may, however, be provided either orally or in written form.[896]

In response to commenters that stated SCI entities should not be required to include an estimate of the market participants impacted by an SCI event or to quantify such impact because this requirement may create a risk of civil liability for the SCI entity,[897] the Commission notes that the information submitted to the Commission pursuant to Regulation SCI will be treated as confidential, subject to applicable law, including amended Rule 24b-2.[898] Moreover, the requirement to provide a 24-hour written notification does not itself create a risk of civil liability, but the Commission acknowledges that the information provided to it may be subject to FOIA requests.

Regarding the comment that the requirement to include an estimate of the markets and participants impacted by an SCI event or to quantify such impact would be difficult to compute, likely inaccurate, and of little use to the Commission,[899] the Commission disagrees. The rule requires an SCI entity to provide its current assessment of the types and number of market participants potentially affected by the SCI event and the potential impact of the SCI event on the market, to the extent this information is available as of the time of the notification, rather than an exact computation. In addition, the rule does not require that the assessment be submitted only if the SCI entity ensures that it is free of inaccuracies. Further, contrary to the commenter's suggestion, the Commission believes that such estimates will be of significant use to the Commission and its staff in understanding the potential severity of the SCI event. In addition, because the SCI entity is likely to be in the best position to assess an SCI event, the Commission also believes that an assessment of the impact of an SCI event on markets and participants is useful because it affords the Commission the opportunity to learn the SCI entity's perspective on the potential or actual impact of an SCI event.[900]

Written Commission Updates: Proposed Rule 1000(b)(4)(iii)

Commenters also addressed proposed Rule 1000(b)(4)(iii), which required an SCI entity to provide the Commission written updates pertaining to an SCI event on a regular basis, or at such frequency as reasonably requested by a representative of the Commission, until the SCI event was resolved. Some commenters urged the Commission to provide clarity on the definition of “resolved.” [901] For example, one commenter suggested that the Commission should define the resolution of an SCI event to be when the affected SCI systems have been normalized,[902] and another commenter stated that there should be a precise definition of when an SCI event is resolved and that definition should be linked directly to the definition of the SCI event itself.[903] Other commenters expressed concern that the continuing update requirement could divert resources from resolution of the SCI event and suggested that updates be required only to the extent they would not interfere with event resolution.[904] One commenter stated that continual updates should only be necessary if the SCI entity had not resolved the event within a reasonable period, such as 10 to 15 days.[905]

Other commenters addressed the method of providing updates. For example, one commenter stated that only oral communication should be required when an SCI event is ongoing, and that the rule should allow a written supplement to a final or post mortem report if additional information comes to light regarding the SCI event.[906] Another commenter suggested that updates should be permitted to be in writing or provided orally based on the judgment of the SCI entity.[907] Finally, one commenter stated that requests for updates regarding SCI events should only be permitted to come from senior staff at the Commission.[908]

Regular Updates: Adopted Rule 1002(b)(3)

Rule 1002(b)(3) requires that, until such time as an SCI event is resolved and the SCI entity's investigation of the SCI event is closed, an SCI entity provide the Commission with updates pertaining to the SCI event on a regular basis, or at such frequency as reasonably requested by a representative of the Commission. Updates are required to correct any materially incorrect information previously provided, or when new material information is discovered, including but not limited to any of the information listed in Rule 1002(b)(2)(ii).

While the Commission recognizes that providing the Commission with such updates imposes an additional reporting requirement on SCI entities, the Commission also believes that updates are important to allow the Commission to fully monitor the SCI event. In addition, the Commission believes that the update requirement will encourage SCI entities to formalize their processes for gathering information on SCI events, which will help to ensure that responsible SCI personnel receive accurate and updated information on SCI events as they are being resolved, and further, that this process may be helpful to SCI entities when providing information about SCI events to their members or participants. Also, because the Commission has revised the requirements of the 24-hour notification to allow SCI entities to provide information on a good faith, best efforts basis and has limited the scope of information required in that report as discussed above, the Commission believes that updates to the Commission to correct materially incorrect information previously reported or when new material information is discovered, as required by the rule, are important to keep the Commission up to date with accurate information, including the following: The SCI entity's current assessment of the types and number of market participants potentially affected by the SCI event; the potential impact of the SCI event on the market; a description of the steps the SCI entity has taken, is taking, or plans to take, with respect to the SCI event; the time the SCI event was resolved or timeframe within which the SCI event is expected to be resolved; and any other pertinent information known by the SCI entity about the SCI event. Consequently, the Commission does not agree with the commenter who suggested that updates should be only required if an SCI event has not been resolved within a reasonable amount of time, such as 10 to 15 days.[909]

The Commission believes that updates regarding this information are important to enhance the Commission's oversight of the securities markets and its informed and continued understanding of an SCI event. Moreover, the Commission underscores that updates are only required to the extent that they correct any materially incorrect information previously provided or when new material information is discovered, including but not limited to, any of the information listed in Rule 1002(b)(2)(ii), thereby alleviating the burden to SCI entities of providing such updates absent such circumstances.[910] The Commission has also eased the requirements of the proposed update provision by eliminating the proposed requirements that an SCI entity attach a copy of any information disseminated to date regarding the SCI event to its members or participants or on the SCI entity's publicly available Web site; a description of the SCI entity's rule(s) and/or governing document(s), as applicable, that relate to the SCI event; an analysis of parties that may have experienced a loss, whether monetary or otherwise, due to the SCI event, the number of such parties, and an estimate of the aggregate amount of such loss. Instead, these information requirements must only be provided as part of the final report required by Rule 1002(b)(4), and the Commission therefore believes that burdens associated with the continuing update requirement will be streamlined because SCI entities will not need to devote resources to providing written updates while an SCI event is ongoing.

At the same time, the Commission is cognizant of the burdens associated with requiring written updates and therefore has revised the update requirement in adopted Rule 1002(b)(3) to remove the proposed requirement that such updates be provided in written form. Thus, submission of updates may be provided either orally or in written form, and will result in a lighter burden on SCI entities than the proposed requirement, and is responsive to commenters that suggested that SCI entity resources would be better directed to resolving an SCI event.[911]

In response to comment that the Commission provide guidance to clarify when an SCI event has been “resolved” [912] and in line with the particular comment that the concept of resolution should be linked directly to the definition of the SCI event itself,[913] the Commission believes that an SCI event is resolved when the event no longer meets the definitions of a systems disruption, systems intrusion, or systems compliance issue, as defined in Rule 1000, and that an SCI entity's Rule 1002(b) reporting obligations are completed when an SCI entity submits a final report as required by Rule 1002(b)(4). Further, the Commission does not believe that it is necessary to prescribe that requests to SCI entities regarding updates should come solely from senior Commission staff, as suggested by one commenter.[914] The Commission believes that requiring an SCI entity to update the Commission at such frequency as reasonably requested by a representative of the Commission provides appropriate flexibility to the Commission to request additional information as necessary, but does not anticipate that requests will be made by multiple members of the Commission staff because the Commission expects that such requests would be coordinated by a particular group of Commission staff that are assigned to handle specific reports from SCI entities.

Final Report: Adopted Rule 1002(b)(4)

Adopted Rule 1002(b)(4) requires that if an SCI event is resolved and the SCI entity's investigation of the SCI event is closed within 30 days of the occurrence of the SCI event, then within five business days after the resolution of the SCI event and closure of the SCI entity's investigation regarding the SCI event, the SCI entity is to submit a final written notification pertaining to such SCI event to the Commission (“final report”). The final report is required to include: (i) A detailed description of: The SCI entity's assessment of the types and number of market participants affected by the SCI event; the SCI entity's assessment of the impact of the SCI event on the market; the steps the SCI entity has taken, is taking, or plans to take, with respect to the SCI event; the time the SCI event was resolved; the SCI entity's rule(s) and/or governing document(s), as applicable, that relate to the SCI event; and any other pertinent information known by the SCI entity about the SCI event; (ii) a copy of any information disseminated pursuant to Rule 1002(c) by the SCI entity to date regarding the SCI event to any of its members or participants; and (iii) an analysis of parties that may have experienced a loss, whether monetary or otherwise, due to the SCI event, the number of such parties, and an estimate of the aggregate amount of such loss. Rule 1002(b)(4) also specifies that, if an SCI event is not resolved or the SCI entity's investigation of the SCI event is not closed within 30 days of the occurrence of the SCI event, then the SCI entity is required to submit a written notification pertaining to such SCI event to the Commission within 30 days after the occurrence of the SCI event containing the information required in Rules 1002(b)(4)(i)-(iii), to the extent known at the time. Within five business days after the resolution of such SCI event and closure of the investigation regarding such SCI event, the SCI entity is required to submit a final written notification pertaining to such SCI event to the Commission containing the information specified in the rule.

As an initial matter, the Commission notes that several of the items that are specifically required to be described in the final report (as specified in adopted Rule 1002(b)(4)) were proposed to be required to be provided to the Commission under proposed Rule 1000(b)(4)(ii), within a shorter time frame.[915] The Commission believes that the adopted rule, by requiring that this information be submitted to the Commission after resolution of an SCI event and closure of the SCI entity's investigation, will encourage SCI entities to devote resources first to resolving the SCI event, and providing status reports when required, and then to preparing a comprehensive final report. In particular, as some commenters suggested, certain information would be more accurate, and therefore more useful, if provided after an SCI event is resolved.[916] The Commission believes that the information required under Rule 1002(b)(4) will provide the Commission with a comprehensive analysis to more fully understand and assess the impact caused by the SCI event. In addition, the Commission ordinarily would expect an SCI entity to include the root cause of an SCI event as part of “any other pertinent information” known about the SCI event. The Commission also believes that certain of the information requested by Rule 1002(b)(4) is more suitable to be provided after, rather than prior to, resolution of an SCI event. Specifically, much of the information required by Rule 1002(b)(4) (an analysis of parties that may have experienced a loss, whether monetary or otherwise, due to the SCI event, the number of such parties, and an estimate of the aggregate amount of such loss) can only be comprehensively known after the final resolution of an SCI event.[917]

Similarly, the Commission is revising the proposed requirement that SCI entities provide to the Commission a copy of any information disclosed by the SCI entity to date regarding the SCI event to any of its members or participants. First, rather than requiring that SCI entities provide a copy of “any information disclosed by the SCI entity,” the adopted rule requires that SCI entities provide a copy of any information “disseminated pursuant to paragraph (c) of [Rule 1002]” by the SCI entity to date regarding the SCI event to any of its members or participants. The Commission believes that this refined requirement will more appropriately capture only the information needed for the Commission to assess compliance with the dissemination requirements of Rule 1002(c). Further, to limit the burden on, and provide additional flexibility to, SCI entities as they resolve SCI events, the adopted rule does not require this information to be included as part of a Form SCI submission until the final report is to be submitted to the Commission. The Commission believes that it is sufficient to require that this information be included in the final report because it is an important part of the record of an SCI event and the SCI entity's response to such event.[918] As noted above, one commenter questioned the purpose of this requirement and expressed concern that it may negatively impact open communication between an SCI entity and its members and participants,[919] while another commenter questioned the feasibility, need, and potential impact of this requirement in light of the numerous communications that SCI entities will engage in with their members or participants.[920] While the Commission recognizes that it is possible that the requirement could have some chilling effect on such communications, it believes that this information is important for SCI entities to share with the Commission because it is an efficient means for the Commission to assess whether SCI entities are complying with the dissemination requirements of Rule 1002(c). Further, the Commission believes that, by requiring that SCI entities provide a copy only of information disseminated pursuant to Rule 1002(c) (rather than all information disclosed to members or participants regarding the SCI event), it addresses one commenter's concern that it would be difficult, unnecessary, and could impede open communication, to provide the Commission with a copy of all information disclosed to members or participants, which could include hundreds of individual communications via email or telephone for each SCI event.

The Commission also believes that, if an SCI event is not resolved or the SCI entity's investigation of the SCI event is not closed within 30 days of the occurrence of the SCI event, it is reasonable to require that an SCI entity submit, within 30 days after the occurrence of the SCI event, the information required in Rules 1002(b)(4)(i)-(iii), to the extent known at the time, because this timeframe provides SCI entities with flexibility to continue their investigation while also apprising the Commission of relevant information discovered during the course of the SCI entity's investigation. Moreover, the rule takes into account the Commission's recognition that an SCI entity's investigation regarding an SCI event may not yet be complete despite the fact that the SCI event itself has resolved. In such cases, the Commission believes that it is reasonable and necessary that the SCI entity provide it, within five business days after the SCI event has resolved and the investigation regarding the SCI event has closed, with a comprehensive and complete understanding of the SCI event. Consequently, SCI entities are required to submit a final written notification that contains all information required by Rule 1002(b).
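The Commission-notification timeline discussed above has three clocks that an SCI entity's incident-response runbook has to track: the 24-hour written notification under Rule 1002(b)(2), measured from the point at which responsible SCI personnel have a reasonable basis to conclude an SCI event has occurred; the update obligation under Rule 1002(b)(3), which runs until the event is resolved and the investigation is closed; and the Rule 1002(b)(4) reporting logic, under which a final report is due five business days after resolution and closure, with an interim report due at the 30-day mark if the event is not both resolved and closed by then. The following Python deadline calculator is an added example for illustration; it is not part of the SEC release and not any SCI entity's compliance tooling. It assumes that a business day is Monday through Friday with no holiday calendar, that the 30-day window is counted in calendar days from the occurrence of the event, and that timestamps are ISO-8601 strings in a single time zone; the function and field names are the example's own.

```python
"""Deadline calculator for the Commission-notification steps of Rule 1002(b).

Added example for illustration; not part of the SEC release or of any SCI
entity's tooling. Assumptions not stated in the release:
  * "business day" means Monday through Friday, with no holiday calendar;
  * the 30-day window in Rule 1002(b)(4) is counted in calendar days from the
    occurrence of the SCI event;
  * timestamps are ISO-8601 strings in one time zone, e.g. "2015-03-02T09:30:00".
"""
from dataclasses import dataclass
from datetime import datetime, timedelta
from typing import Optional

HOURS_FOR_WRITTEN_NOTIFICATION = 24     # Rule 1002(b)(2): after reasonable basis to conclude
CALENDAR_DAYS_FOR_INTERIM_REPORT = 30   # Rule 1002(b)(4): after occurrence of the event
BUSINESS_DAYS_FOR_FINAL_REPORT = 5      # Rule 1002(b)(4): after resolution and closure


def parse_ts(s: Optional[str]) -> Optional[datetime]:
    """Parse an ISO-8601 timestamp; None/empty means 'not yet known'."""
    return datetime.fromisoformat(s) if s else None


def fmt(d: Optional[datetime]) -> Optional[str]:
    return d.isoformat() if d else None


def add_business_days(start: datetime, n: int) -> datetime:
    """Advance `start` by n business days (Mon-Fri), keeping the time of day.
    Saturdays and Sundays are skipped; the assumed calendar has no holidays."""
    d = start
    while n > 0:
        d += timedelta(days=1)
        if d.weekday() < 5:  # Monday=0 ... Friday=4
            n -= 1
    return d


@dataclass(frozen=True)
class Deadlines:
    written_notification: Optional[str]  # Rule 1002(b)(2): 24-hour written notification
    updates_until: Optional[str]         # Rule 1002(b)(3): updates run until resolved AND closed
    interim_report: Optional[str]        # Rule 1002(b)(4): only if not resolved/closed within 30 days
    final_report: Optional[str]          # Rule 1002(b)(4): 5 business days after resolution and closure


def sci_deadlines(occurred: str, reasonable_basis: str,
                  resolved: Optional[str] = None,
                  investigation_closed: Optional[str] = None,
                  de_minimis: bool = False) -> Deadlines:
    """Compute the Rule 1002(b) reporting deadlines for one SCI event.

    `resolved` and `investigation_closed` may be None while the event is
    ongoing; the deadlines that depend on them are then reported as None."""
    t_occ = parse_ts(occurred)
    t_basis = parse_ts(reasonable_basis)
    t_res = parse_ts(resolved)
    t_closed = parse_ts(investigation_closed)
    if t_basis < t_occ:
        raise ValueError("reasonable basis cannot precede the event's occurrence")
    for t in (t_res, t_closed):
        if t is not None and t < t_occ:
            raise ValueError("resolution/closure cannot precede the event's occurrence")

    # Rule 1002(b)(5): de minimis events are documented and reported in the
    # quarterly report, not through the per-event notifications computed here.
    if de_minimis:
        return Deadlines(None, None, None, None)

    written = t_basis + timedelta(hours=HOURS_FOR_WRITTEN_NOTIFICATION)

    # Both conditions must hold before the update obligation ends and the
    # final-report clock starts, so use the later of the two timestamps.
    done_at = None
    if t_res is not None and t_closed is not None:
        done_at = max(t_res, t_closed)

    thirty_day_mark = t_occ + timedelta(days=CALENDAR_DAYS_FOR_INTERIM_REPORT)
    if done_at is not None and done_at <= thirty_day_mark:
        interim = None  # resolved and closed in time: only the final report is due
    else:
        interim = thirty_day_mark  # due if still unresolved or open at that point

    final = add_business_days(done_at, BUSINESS_DAYS_FOR_FINAL_REPORT) if done_at else None
    return Deadlines(fmt(written), fmt(done_at), fmt(interim), fmt(final))


if __name__ == "__main__":
    # Constructed sample event (not a real incident): occurred Monday 2015-03-02,
    # resolved the next day, investigation closed on Friday 2015-03-06.
    print(sci_deadlines("2015-03-02T09:30:00", "2015-03-02T11:00:00",
                        "2015-03-03T16:00:00", "2015-03-06T17:00:00"))
```

The interim-report deadline is returned whenever the event is not known to be both resolved and closed within the 30-day window, which covers the ongoing case as well as the late-resolution case; a runbook consuming this output should treat that date as binding until both timestamps are recorded and fall inside the window. Because the final-report clock counts business days while the interim clock counts calendar days, the two cannot be derived from one another, and a holiday calendar would need to be added to `add_business_days` before relying on the final-report date in production.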

Goals of Adopted Commission Notification Rule

As discussed in greater detail above, the Commission has carefully considered the views of commenters as well as what it believes is necessary for the Commission and its staff with respect to the timing and content of notifications regarding SCI events, and believes that the adopted rule will be less burdensome for SCI entities than if the proposed rule was adopted without modification, while still resulting in meaningful notice to the Commission and its staff with information about SCI events in a timely manner that permits the Commission to fulfill its oversight role.

With regard to comments on the resource and efficiency demands of the notification requirements,[921] the Commission believes that, while SCI entities will need to devote resources to fulfilling the notification requirements, these resources will not diminish SCI entities' ability to respond to SCI events, because it is the Commission's experience that the staff that engages in corrective action is generally distinct from the staff that has been charged with notifying the Commission of systems issues. Consequently, the Commission does not believe that, due to this requirement, staff that engages in corrective action will be unable to fulfill its responsibilities after implementation of Regulation SCI.

The Commission believes that adopted Rules 1002(b)(1)-(4) are responsive to concerns that the proposed Commission notification requirements would have required SCI entities to notify the Commission of information before all relevant facts are known.[922] As discussed, in tandem with the revised triggering standard, which affords an SCI entity time to assess whether an SCI event has occurred,[923] the adopted rule affords an SCI entity the flexibility to gather information for the 24-hour written notification on a good faith, best efforts basis,[924] and adopted Rule 1002(b)(3) makes clear that an SCI entity is required to update the Commission to correct any materially inaccurate information previously provided, or when pertinent new information is discovered, until such time as the SCI event is resolved, and the SCI entity's investigation of the SCI event is closed. Further, the final report for a given SCI event is only required once, when both the SCI event is resolved and the SCI entity's investigation of the SCI event is closed, with an interim report required only when an SCI event is not resolved or the SCI entity's investigation of the SCI event is not closed within 30 days of the occurrence of the SCI event. Taken together, the Commission believes that Rule 1002(b) does not require reporting before all relevant facts are known, which one commenter suggested would be counterproductive and harmful.[925] Instead, the Commission believes that the rule is designed to provide SCI entities with a process that gives them sufficient time to submit information to the Commission when known. In addition, and in response to comment questioning the usefulness of the notification requirement for the Commission,[926] the Commission believes that adopted Rule 1002(b) will foster a system for comprehensive reporting of SCI events, which should enhance the Commission's review and oversight of U.S. securities market infrastructure and foster cooperation between the Commission and SCI entities in responding to SCI events. The Commission also believes that the aggregated data that will result from the reporting of SCI events will enhance its ability to comprehensively analyze the nature and types of various SCI events and identify more effectively areas of persistent or recurring problems across the systems of all SCI entities. Some commenters suggested that the Commission provide to SCI entities regular summary-level feedback on SCI entities' notifications [927] or provide examples of the types of SCI events that warrant notification.[928] To the extent it believes that guidance or other information, including summary-level feedback, publications, or reference blueprints, would be appropriate to share, the Commission or its staff may do so in the future.

d. Dissemination of Information—Rule 1002(c)

i. Proposed Rule 1000(b)(5)

Proposed Rule 1000(b)(5) would have required an SCI entity to provide specified information relating to “dissemination SCI events” to SCI entity members or participants. The term “dissemination SCI event” was proposed to mean an SCI event that is a: (1) Systems compliance issue; (2) systems intrusion; or (3) systems disruption that results, or the SCI entity reasonably estimates would result, in significant harm or loss to market participants.

Proposed Rule 1000(b)(5)(i)(A) would have required an SCI entity, promptly after any responsible SCI personnel becomes aware of a dissemination SCI event other than a systems intrusion, to disseminate to its members or participants the following information about such SCI event: (1) The systems affected by the SCI event; and (2) a summary description of the SCI event. Proposed Rule 1000(b)(5)(i)(B) would have required an SCI entity to further disseminate to its members or participants, when known: (1) A detailed description of the SCI event; (2) the SCI entity's current assessment of the types and number of market participants potentially affected by the SCI event; and (3) a description of the progress of its corrective action for the SCI event and when the SCI event has been or is expected to be resolved. Proposed Rule 1000(b)(5)(i)(C) would have further required an SCI entity to provide regular updates to members or participants on any of the information required to be disseminated under proposed Rules 1000(b)(5)(i)(A) and (i)(B). In the case of a systems intrusion, the proposed rule permitted a limited delay in dissemination if the dissemination would compromise the security of the SCI entity's systems.[929] Except for the delay in dissemination of information for systems intrusions in specified circumstances, the proposed rule did not distinguish dissemination obligations based on the severity or impact of a dissemination SCI event.

ii. Comments Regarding Information Dissemination

Two commenters generally supported proposed Rule 1000(b)(5).[930] One commenter characterized it as “one of the major benefits of th[e] proposal.” [931] Another commenter suggested broadening the proposal to require an SCI entity to reveal dissemination SCI events to the public at large, and not just to its members or participants.[932] This commenter believed that public dissemination of the facts of an SCI event would help enhance investor confidence by preventing speculation and misinformation, and would provide important learning opportunities for the industry and other SCI entities.[933]

In contrast, many commenters urged the Commission to revise the proposed dissemination requirement.[934] For example, a few commenters expressed concern that the proposal would require dissemination of too much information too soon.[935] One of these commenters stated that the proposed rule would be counterproductive and harmful because it would cause the release of information before all relevant facts are known and suggested dissemination should only be required when the SCI entity has credible information that can be acted upon.[936] Another commenter suggested that dissemination should only be required when the information to be disseminated is certain and clear.[937] Another commenter urged that, if immediate dissemination is required, then the information required to be disseminated should be limited to communication of the basic fact that there is a systems issue and additional information will be provided when known.[938]

Several commenters opposed requiring information dissemination to all members and participants.[939] For example, some commenters urged that an SCI entity be required to provide information only to members or participants actually impacted by an SCI event, or that interact with the SCI system impacted, rather than to all members or participants of an SCI entity.[940] One commenter recommended that an SCI entity be required to disseminate information only to persons reasonably likely to be affected by a significant systems issue.[941] Two commenters stated that SCI entities should have reasonable discretion to determine who among their members and participants should receive notification of an SCI event, as well as the manner and timing for providing notice.[942] A few commenters more broadly expressed concern that the proposed rule would result in over-reporting of information about SCI events and would have limited usefulness.[943] Some of these commenters stated that the proposed approach would result in SCI entity members and participants becoming immunized to the notifications because they would receive too many notifications and therefore would not focus on the truly significant events.[944]

Several commenters suggested that the Commission apply the proposed dissemination requirement to fewer types of SCI events.[945] For example, several commenters stated that information dissemination should only be required for material or significant SCI events.[946] One commenter suggested that, for an SCI event that is “de minimis,” information dissemination to members or participants should not be required at all.[947] This commenter suggested that a de minimis SCI event would be one that is limited in impact, brief in duration, or involves little or no member or participant harm.[948] Another commenter noted that, as proposed, Commission notification would be required for a systems disruption if the systems disruption had a “material impact” on the SCI entity's operations or on market participants, whereas information dissemination to members or participants would be required if an SCI entity reasonably estimated that the systems disruption would result “in significant harm or loss to market participants.” [949] This commenter criticized the differing standards for Commission notification and member/participant notification and suggested that the Commission clarify the standards or adopt a uniform standard for both types of notifications.[950]

Several commenters specifically opposed the proposed dissemination requirement for systems compliance issues. Some commenters urged that an SCI entity be required to disseminate information only for material or significant systems compliance issues.[951] One of these commenters stated that prompt dissemination of information regarding systems compliance issues to members or participants might lead to widespread dissemination of extraneous and potentially inaccurate information.[952]

Regarding systems intrusions, a few commenters stated that dissemination of systems intrusions information could raise significant risks and security concerns.[953] One commenter recommended that a dissemination requirement apply only in the case of members, participants, or clients for whom confidential data was disclosed, processing was impacted, or where such member, participant, or client could take further action to mitigate the risk of such disclosure.[954] This commenter also expressed support for the limited exception for intrusions that would compromise an investigation or resolution of the systems intrusion, noting that once dissemination would no longer compromise an investigation or the resolution of the issue, the entity should notify materially affected members, participants, or clients.

One commenter stated that information should not be disseminated regarding disruptions in regulatory or surveillance systems, nor should information be disseminated about intrusions or compliance issues, arguing that the information could be misused, or if disseminated too soon, could be inaccurate and misleading.[955] Two other commenters also expressed concern that information dissemination should not be required when the information provided might be misused to the detriment of the markets or investors, such as with respect to systems intrusions or issues relating to surveillance systems.[956]

iii. Rule 1002(c)

In the SCI Proposal, the Commission stated that the intended purpose of the proposed rule was twofold: To aid members or participants of SCI entities in determining whether their trading activity has been or might be impacted by the occurrence of an SCI event at an SCI entity so that they could consider that information in making trading decisions, seeking corrective action or pursuing remedies, or taking other responsive action; and to provide an incentive for SCI entities to devote more resources and attention to improving the integrity and compliance of their systems and preventing the occurrence of SCI events.[957] Although commenters generally did not object to the Commission's stated rationale for proposed Rule 1000(b)(5), several commenters suggested that the proposed approach did not adequately consider circumstances in which the proposed information dissemination might not be helpful to the market or market participants, or could be detrimental to the markets or market participants. One commenter, however, urged that public dissemination of information regarding SCI events would help to prevent speculation and misinformation regarding such events.[958]

The Commission has carefully considered the views of commenters with respect to proposed Rule 1000(b)(5), and has determined to adopt it as Rule 1002(c), with several modifications in response to comment. In particular, the Commission has determined to eliminate the definition of “dissemination SCI event” from the final rule and adopt an information dissemination requirement that scales dissemination obligations in accordance with the nature and severity of an SCI event. In response to comment that the proposed rule would result in over-reporting of information about SCI events and have limited usefulness, the Commission has further focused the rule from the proposal by requiring dissemination of information about SCI events that are not major SCI events only to affected SCI entity members and participants, and excepting de minimis SCI events and SCI events regarding market regulation or market surveillance systems from the information dissemination requirement.[959] In the case of a “major SCI event,” the Commission agrees with the commenter who stated that requiring dissemination should help to prevent speculation and misinformation regarding such events.[960] Therefore, in the case of a “major SCI event,” the adopted rule requires an SCI entity to disseminate information to all of its members or participants. At the same time, as with other SCI events, any SCI event that meets the definition of major SCI event that has had, or the SCI entity reasonably estimates would have, no or a de minimis impact on the SCI entity's operations or on market participants is excepted from the information dissemination requirement.[961] The Commission believes the revised approach will better achieve the purpose of maximizing the utility of information disseminated to SCI entity members and participants while simultaneously reducing compliance burdens for SCI entities.

Rule 1002(c)(1): Information Dissemination for Systems Disruptions and Systems Compliance Issues

Adopted Rule 1002(c)(1) generally addresses dissemination requirements for systems disruptions and systems compliance issues. Rule 1002(c)(1)(i) requires an SCI entity, promptly after any responsible SCI personnel has a reasonable basis to conclude that an SCI event that is a systems disruption or systems compliance issue has occurred, to disseminate information about such SCI event, unless an exception applies. When the dissemination obligation is triggered,[962] Rule 1002(c)(1)(i) requires an SCI entity to disseminate to the persons specified in Rule 1002(c)(3) information on the system(s) affected by the SCI event and a summary description of the SCI event. Thereafter, Rule 1002(c)(1)(ii) provides that, when known, an SCI entity shall promptly further disseminate: A detailed description of the SCI event; the SCI entity's current assessment of the types and number of market participants potentially affected by the SCI event; and a description of the progress of its corrective action for the SCI event and when the SCI event has been or is expected to be resolved. Rule 1002(c)(1)(iii) provides that, until resolved, an SCI entity shall provide regular updates of any information required to be disseminated under Rules 1002(c)(1)(i) and (ii). The specified types of information and the update requirements are unchanged from the proposal. 
The Commission continues to believe that, for the dissemination of information to be meaningful, it is necessary for an SCI entity to describe the SCI event in sufficient detail to permit a member or participant to determine whether and how it was affected by the SCI event and make appropriate decisions based on that determination.[963] Adopted Rule 1002(c)(1)(i) requires that the information initially disseminated include the systems affected by the SCI event and a summary description of the SCI event, and only after responsible SCI personnel have a reasonable basis to conclude that a systems disruption or systems compliance issue has occurred. Implicit in this requirement is that the disseminated information be accurate. Without the dissemination of accurate information, the impact on the SCI entity's members or participants or the market may be more pronounced because market participants may not recognize that an SCI event is occurring, or may mistakenly attribute unusual market activity to some other cause.

Adopted Rule 1002(c)(1) also requires that required information be disseminated “promptly.” [964] Although the Commission agrees that SCI entities should not prematurely disseminate information regarding an SCI event, lest it be inaccurate, speculative, misleading, or otherwise unhelpful, as some commenters were concerned about,[965] the Commission does not agree with the commenter who suggested that information dissemination be provided at a time chosen by the SCI entity.[966] The Commission believes that accurate information that is timely is more likely to aid a market participant in determining whether its trading activity has been or might be impacted by the occurrence of an SCI event than accurate information that is delayed. However, as compared to Commission notification, which is required to be provided immediately after an SCI entity has a reasonable basis to conclude that an SCI event has occurred, and which notice may be provided orally, dissemination of information to SCI entity members or participants is required to be provided promptly. The requirement for prompt dissemination, as opposed to immediate dissemination, is designed to provide some limited flexibility to an SCI entity to determine an efficient way to disseminate information to multiple potentially affected members or participants, or all of its members or participants, as the case may be, in a timely manner. Likewise, as new information becomes known, immediate updates are not required, but an SCI entity is obligated to also disseminate updated information “promptly” after it is known. The Commission believes that adopted Rule 1002(c)(1) strikes an appropriate balance by requiring an SCI entity to disseminate specific information about SCI events, but also permits an SCI entity to have time to check relevant facts before disseminating that information.
The Commission therefore believes that adopted Rule 1002(c)(1) is responsive to comment that the proposed rule would have required release of information too soon, before it is determined to be credible, or before relevant facts were known.[967]

Rule 1002(c)(2): Information Dissemination for Systems Intrusions

Adopted Rule 1002(c)(2) requires an SCI entity, promptly after any responsible SCI personnel has a reasonable basis to conclude that an SCI event that is a systems intrusion has occurred, to disseminate a summary description of the systems intrusion, including a description of the corrective action taken by the SCI entity and when the systems intrusion has been or is expected to be resolved, unless the SCI entity determines that dissemination of such information would likely compromise the security of the SCI entity's SCI systems or indirect SCI systems, or an investigation of the systems intrusion, and documents the reasons for such determination. This rule applies to systems intrusions that are not de minimis events. In response to commenters stating that information about a systems intrusion in many cases will be sensitive and raise security concerns, and those urging that the dissemination requirement apply only in limited cases,[968] the Commission notes that, although it does not wholly exclude systems intrusions from the dissemination requirement, the rule permits a delay in dissemination of any information about a systems intrusion if dissemination would compromise the security of the SCI entity's SCI systems or indirect SCI systems, or an investigation of the systems intrusion, and the SCI entity documents the reason for such determination.[969] Adopted Rule 1002(c)(2) also provides that the content of the required disclosure for a systems intrusion is less detailed than required for other types of SCI events. 
These provisions are unchanged from the SCI Proposal.[970] As stated in the SCI Proposal, the Commission continues to believe that there may be circumstances in which the dissemination of information related to a systems intrusion should be delayed to avoid compromising the investigation or resolution of a systems intrusion.[971] Also, as stated in the SCI Proposal, the affirmative documentation required by Rule 1002(c)(2) is important to allow the Commission to ensure that SCI entities are not improperly invoking the limited exception provided by Rule 1002(c)(2).[972] This delayed dissemination provision permits an SCI entity to delay providing information about an intrusion to its members or participants to protect legitimate security concerns. However, under Rule 1002(c)(2), if an SCI entity cannot, or can no longer, determine that information dissemination as required by Rule 1002(c)(2) would likely compromise the security of the SCI entity's SCI systems or indirect SCI systems, or an investigation of the systems intrusion, no delay (or further delay, if applicable) in dissemination is permitted.[973] Pursuant to Rule 1002(c)(2), information about a systems intrusion is required to be disseminated eventually, as the Commission believes that circumstances permitting a delay (i.e., dissemination of information would likely compromise the security of the SCI entity's SCI systems or indirect SCI systems, or an investigation of the systems intrusion), will not continue indefinitely.[974]

Rule 1002(c)(3): To Whom Information Is To Be Disseminated

Adopted Rule 1002(c)(3) provides that the information required to be provided under Rules 1002(c)(1) and (2) promptly after any responsible SCI personnel has a reasonable basis to conclude that an SCI event has occurred, shall be promptly disseminated by the SCI entity to those members or participants of the SCI entity that any responsible SCI personnel has reasonably estimated may have been affected by the SCI event, and promptly disseminated to any additional members or participants that any responsible SCI personnel subsequently reasonably estimates may have been affected by the SCI event. The rule further requires that, for major SCI events, such information shall be disseminated by the SCI entity to all of its members or participants. As noted, several commenters urged that an SCI entity be required to disseminate information relating to an SCI event only to those members or participants affected by the SCI event.[975] Some suggested that an SCI entity have discretion to determine who should receive information regarding SCI events,[976] and one suggested that SCI events warrant public disclosure.[977] Others expressed more general concern that the breadth of the proposed dissemination requirement would result in over-reporting of information about SCI events because they believed that SCI entities would over-report out of an abundance of caution [978] or that SCI entity members and participants would become immunized to reports of SCI events and not focus on significant events.[979]

After careful consideration of the comments, the Commission believes that, to maximize the utility of information dissemination, a more tailored approach to who should receive information about an SCI event is warranted, based on an SCI event's impact. Because information about an SCI event is likely to be of greatest value to those market participants affected by it, who can use such information to evaluate the event's impact on their trading and other activities and develop an appropriate response, adopted Rule 1002(c)(3) requires prompt dissemination to those members or participants of the SCI entity that any responsible SCI personnel has reasonably estimated may have been affected by the SCI event. With respect to more serious SCI events, however, the Commission believes that dissemination to all members or participants of an SCI entity is warranted. Accordingly, under adopted Regulation SCI, certain SCI events will be defined as “major SCI events.”

Adopted Rule 1000 defines “major SCI event” as “an SCI event that has had, or the SCI entity reasonably estimates would have: (1) Any impact on a critical SCI system; or (2) a significant impact on the SCI entity's operations or on market participants.” The Commission believes that dissemination of information regarding a major SCI event to all members or participants of an SCI entity is appropriate because major SCI events are likely to impact a large number of market participants (e.g., with respect to critical SCI systems, a disruption of consolidated market data or the clearance and settlement system, or an event significantly impacting the operations of an exchange).[980] As noted, one commenter suggested broadening the proposed rule to generally require an SCI entity to reveal dissemination SCI events (other than intrusions) to the public at large. This commenter expressed the view that public dissemination of the facts of an SCI event would help “enhance investor confidence by presenting the facts of the SCI event, preventing speculation and misinformation, and informing the public of corrective action being taken” and would “serve as an important collective learning opportunity” that would allow for “SCI [e]ntities and market participants [to] learn from [the event] . . . and build upon their policies and controls as appropriate.” This commenter stated further that such an “industry protocol would help strengthen and enhance the integrity and security of our markets.” [981] The Commission agrees with this commenter that it is appropriate for an SCI entity to present the facts, prevent speculation and misinformation, and provide transparency about corrective action being taken when the impact of an SCI event is most likely to be felt by many market participants (i.e., when it is a major SCI event).
In the context of a major SCI event, the Commission believes these goals can be achieved by requiring an SCI entity to disseminate information to all of its members or participants (as opposed to the “public at large”). Moreover, the Commission believes it is appropriate to require dissemination of information on major SCI events to all of the SCI entity's members or participants because these market participants are the most likely to act on this information. Based on the experience of the Commission and its staff, when an entity disseminates information about a systems issue to all of its members or participants (e.g., on the entity's Web site), and that information has the potential to affect the market and investors more broadly (including market participants that may not be members or participants of the SCI entity reporting the event), such information is routinely picked up by financial or other media outlets, and also may be relayed to market participants for whom such information is relevant (e.g., by members or participants of SCI entities to their own clients). Therefore, the Commission believes that when information about a systems issue with broad potential impact is disseminated to all of an SCI entity's members or participants, such dissemination is tantamount to public dissemination.[982] As such, the Commission believes that it can achieve the purposes of the rule without requiring public dissemination, and believes that any additional gain in benefits from public dissemination would be minimal. Rule 1002(c)(3) does not specify how an SCI entity is to disseminate information to all of its members or participants when required to do so, but the Commission believes that posting the information on a Web site accessible to, at a minimum, all of its members or participants (for example, on a “systems status alerts” page) would meet the rule's requirements.[983]

For an SCI event that is neither a major SCI event nor an event identified in Rule 1002(c)(4), however, the information specified in Rule 1002(c)(1) or (2), as applicable, is required to be disseminated by the SCI entity to those members or participants of the SCI entity that any responsible SCI personnel has reasonably estimated may have been affected by the SCI event.[984] The Commission believes that an SCI entity is generally in the best position to identify those of its members or participants that are, or are reasonably likely to be, affected by such events. Under this approach, as commenters urged, members or participants not reasonably estimated to be affected by such events will not be the recipients of information likely to be irrelevant to them. The Commission believes that SCI entities will be able to analyze which members or participants are, or are reasonably likely to be, impacted, and the rule requires SCI entities to disseminate information to such members or participants. The requirement that information is to be disseminated only to those members or participants that any responsible SCI personnel has reasonably estimated may have been affected by the SCI event (other than a major SCI event or a de minimis SCI event) addresses the concern raised by some commenters that members and participants will become immunized by receiving irrelevant notifications [985] because, under the adopted approach, members or participants should only receive notifications relevant to them.

Whereas the proposed rule would have required dissemination of information about certain SCI events to all SCI entity members and participants, the adopted rule requires dissemination only to those members and participants reasonably estimated to be affected by an SCI event (other than a major SCI event or a de minimis SCI event). Because it is possible that an SCI entity's reasonable estimate of members or participants affected may change as an SCI event unfolds, the adopted rule also requires prompt dissemination of information to newly identified members or participants reasonably estimated to be affected by an SCI event.[986] This provision reflects the view that newly identified affected members or participants should receive prompt dissemination of information about an SCI event, just as those originally identified as affected members or participants. Although compliance with this requirement may result in an SCI entity disseminating information at several different times to different members and participants, consistent with commenters' suggestions, the Commission believes that this requirement is appropriately tailored to result in information dissemination being provided to the relevant members or participants of an SCI entity.[987]

If an SCI event is a de minimis event—i.e., is an SCI event that has had, or the SCI entity reasonably estimates would have, no or a de minimis impact on the SCI entity's operations or on market participants—the adopted rule does not impose any dissemination requirement.[988]

Adopted Rule 1002(c)(4): Exceptions to the General Rules on Information Dissemination

Adopted Rule 1002(c)(4) provides that the requirements of Rules 1002(c)(1)-(3) shall not apply to: (i) SCI events to the extent they relate to market regulation or market surveillance systems; or (ii) any SCI event that has had, or the SCI entity reasonably estimates would have, no or a de minimis impact on the SCI entity's operations or on market participants. The Commission has added the exception in adopted Rule 1002(c)(4)(i) in response to comments that information should not be disseminated regarding disruptions in regulation and surveillance systems, because dissemination of such information to an SCI entity's members or participants or the public at large could encourage prohibited market activity.[989] The Commission notes that the exception for market regulation or market surveillance systems is limited to dissemination of information about SCI events related to market regulation or market surveillance systems. Information about an SCI event that impacts other SCI systems would still be required to be disseminated in accordance with Rule 1002(c) even if that same SCI event also impacts market regulation or market surveillance systems.

The exception in Rule 1002(c)(4)(ii) for de minimis SCI events is consistent with the Commission's approach to excluding de minimis SCI events from the immediate Commission notification requirements in Rule 1002(b), and is therefore responsive to comment that notification and dissemination of systems disruptions were subject to differing standards under the proposal,[990] as well as to the comment that a de minimis SCI event should not be subject to dissemination.[991] With respect to the comment that dissemination should only be required for material or significant SCI events,[992] while the Commission is not limiting the dissemination requirement as suggested by these commenters, the exception for de minimis SCI events is responsive to this comment, to an extent. Moreover, the Commission believes that a materiality threshold would likely exclude from the information dissemination requirement a large number of SCI events that are not de minimis SCI events, but that an SCI entity's members or participants should be made aware of so that they can quickly assess the nature and scope of those SCI events and identify the appropriate response, including ways to mitigate the impact of the SCI events. The Commission also believes that, even without adopting a materiality threshold, the adopted definitions of SCI systems and indirect SCI systems significantly focus the scope of the Commission dissemination requirements from the SCI Proposal.

Consistent with its statements in the SCI Proposal, the Commission notes that the requirements relating to dissemination of information in Regulation SCI relate solely to Regulation SCI.[993] Nothing in adopted Regulation SCI should be construed as superseding, altering, or affecting the reporting obligations of SCI entities or their affiliates under other federal securities laws or regulations. Accordingly, in the case of an SCI event, SCI entities or their affiliates subject to the public company reporting requirements of Section 13 or Section 15(d) of the Exchange Act would need to comply with their disclosure obligations pursuant to those provisions (including, for example, with respect to Regulation S-K and Forms 10-K, 10-Q, and 8-K) in addition to their disclosure and reporting obligations under Regulation SCI.[994] In addition, the Commission also wishes to highlight that the requirements of Rule 1002(c) address to whom and when SCI entities are obligated under Regulation SCI to disseminate information. Subject to any applicable laws or regulations, SCI entities still retain the flexibility to disseminate information—e.g., to their members or participants, the public, or market participants that interact with the affected SCI systems—at any time they determine to be appropriate.

4. Notification of Systems Changes—Rule 1003(a)

a. Proposed Definition of Material Systems Change, Proposed Rules 1000(b)(6) and (b)(8)(ii)

Proposed Rule 1000(a) would have defined the term “material systems change” as a change to one or more: (1) SCI systems of an SCI entity that: (i) Materially affects the existing capacity, integrity, resiliency, availability, or security of such systems; (ii) relies upon materially new or different technology; (iii) provides a new material service or material function; or (iv) otherwise materially affects the operations of the SCI entity; or (2) SCI security systems of an SCI entity that materially affects the existing security of such systems. In the SCI Proposal, the Commission set forth examples that it preliminarily believed could be included within the proposed definition of material systems change.[995]

Proposed Rule 1000(b)(6)(i) would have required an SCI entity, absent exigent circumstances, to notify the Commission in writing at least 30 calendar days before implementation of any planned material systems changes, including a description of the planned material systems changes as well as the expected dates of commencement and completion of implementation of such changes. If exigent circumstances existed, or if the information previously provided to the Commission regarding any planned material systems change had become materially inaccurate, proposed Rule 1000(b)(6)(ii) would have required the SCI entity to notify the Commission, either orally or in writing, with any oral notification to be memorialized within 24 hours after such oral notification by a written notification, as early as reasonably practicable. A written notification to the Commission made pursuant to proposed Rule 1000(b)(6) would have been required to be made electronically on Form SCI and include all information as prescribed in Form SCI and the instructions thereto.

Proposed Rule 1000(b)(8)(ii) would have required each SCI entity to submit to the Commission a report, within 30 calendar days after the end of June and December of each year, containing a summary description of the progress of any material systems change during the six month period ending on June 30 or December 31, as the case may be, and the date, or expected date, of completion of implementation of such changes. A written notification to the Commission made pursuant to proposed Rule 1000(b)(8)(ii) would have been required to be made electronically on Form SCI and include all information as prescribed in Form SCI and the instructions thereto.

b. Quarterly and Supplemental Material Systems Change Reports—Rule 1003(a)

i. Adopted Rule 1003(a)(1): Quarterly Material Systems Change Reports

Many commenters viewed the proposed 30-day advance notification requirement for material systems changes as burdensome.[996] For example, one commenter believed that the Commission significantly underestimated the number of material systems changes, and suggested that the proposal might require reporting of as many as 60 material systems changes per week, rather than that same amount per year, as the Commission estimated in the SCI Proposal.[997] Some commenters stated that many SCI entities implement frequent agile modifications rather than major episodic or “waterfall” changes, and therefore viewed the proposed 30-day advance notification requirement as favoring a model that employs waterfall changes over agile changes.[998] Several commenters stated more broadly that the proposed requirement would mandate constant reporting that would stifle innovation, interfere with an SCI entity's natural planning and development process, and potentially do more harm than good by curtailing an SCI entity's ability to respond to systems issues with appropriate fixes.[999] Several commenters also expressed concern that the burden of reporting would incentivize an SCI entity to change its systems less often instead of making smaller and more frequent iterative systems adjustments, which they believed would be inconsistent with current software best practices, curtail innovation, and expose their systems to increased risk.[1000] One commenter questioned the purpose of the proposed requirement, stating that the Commission has not presented any empirical evidence that major or material technology changes by SCI entities are in fact the leading cause of market disruption, and that non-material systems changes by SCI entities and non-SCI entities have a high likelihood of causing market disruptions, but they are not captured by the proposal.[1001] At the same time, this commenter stated that providing 30-day advance notification of these non-material systems changes would hamstring SCI entities.[1002]

Some commenters also noted that Regulation ATS already requires an ATS to report material changes to the operation of the ATS at least 20 calendar days prior to their implementation.[1003] One of these commenters noted that it is common for an ATS to finalize the systems specifications for a change close to when the ATS wants to go live with the change, but the ATS must wait 20 days before implementation, and occasionally the questions from Commission staff can further delay implementation.[1004] This commenter expressed concern that Regulation SCI would lengthen the notification requirement to 30 calendar days and broaden the requirement to include any significant systems change, not just a material change to the operation of the ATS.[1005]

The Commission continues to believe that it is important to receive notifications of planned and implemented material changes to SCI systems or the security of indirect SCI systems in connection with its oversight of U.S. securities market infrastructure.[1006] However, after considering the views of commenters regarding the 30-day advance notification requirement, the Commission is instead adopting a quarterly reporting requirement, which will permit the Commission and its staff to have up-to-date information regarding an SCI entity's systems development progress and plans, to aid in understanding the operations and functionality of the systems and any material changes thereto, without requiring SCI entities to submit a notification to the Commission for each material systems change.[1007] Specifically, Rule 1003(a)(1) requires an SCI entity, within 30 calendar days after the end of each calendar quarter, to submit to the Commission a report describing completed, ongoing, and planned material systems changes to its SCI systems and security of indirect SCI systems, during the prior, current, and subsequent calendar quarters, including the dates or expected dates of commencement and completion.[1008]

The Commission believes that elimination of the 30-day advance notification requirement for material systems changes is responsive to commenters who were concerned that the proposed approach was unsuited to the agile systems development methodology that some SCI entities use today. In particular, an SCI entity will have the ability to implement material systems changes without having to individually report each material systems change to the Commission 30 days in advance, which commenters noted could lead SCI entities to favor the waterfall methodology of systems changes over the agile methodology.[1009] The Commission also believes that the adopted quarterly reporting requirement provides more flexibility to SCI entities with respect to the timing of implementing material systems changes. In particular, SCI entities will not be required to wait 30 calendar days after notifying the Commission in order to implement a material systems change. Therefore, the adopted rule is responsive to commenters who stated that the proposed rule would stifle innovation, interfere with an entity's planning and development process, and expose SCI entities' systems to risk. Moreover, the Commission believes that elimination of the proposed 30-day advance notification requirement is responsive to commenters' concern that ATSs are already required to report material changes to the operation of the ATSs at least 20 calendar days prior to implementation, and that proposed Regulation SCI would extend the advance notification period to 30 calendar days.[1010]

The Commission also believes that adopting the quarterly reporting requirement instead of the 30-day advance notification requirement lessens SCI entities' burden of compliance as compared to the proposal.[1011] For example, rather than submitting a Form SCI for each material systems change, an SCI entity is now required to submit four reports each year pursuant to Rule 1003(a)(1) and, as applicable, supplemental reports pursuant to Rule 1003(a)(2). To the extent certain material systems changes are related or similar, an SCI entity will not be required to separately notify the Commission of each change. Instead, the SCI entity can describe such related changes within the single quarterly report. The Commission also believes that this quarterly report process will provide the Commission and its staff with a more efficient framework to review material systems changes that are described in the larger context afforded by such periodic reports, rather than parsing every submission that reports a material systems change.[1012]

One commenter expressed concern that the proposed exception for exigent circumstances was too narrow.[1013] Because adopted Rule 1003(a)(1) requires quarterly reports of material systems changes rather than 30-day advance notification of each material systems change, the Commission is not adopting the proposed “exigent circumstances” exception. Specifically, the Commission notes that the purpose of the exception was to accommodate situations where it would not be prudent or desirable for an SCI entity to delay a systems change simply to provide 30-day advance notification of the change. At the same time, the Commission notes that, because Rule 1003(a)(1) requires in part a description of completed, ongoing, and planned material systems changes during the prior and current calendar quarters, an SCI entity's quarterly report will be required to include a description of all material changes to its SCI systems or the security of its indirect SCI systems, including those that have been implemented in response to exigent circumstances during the prior and current calendar quarters.

Several commenters suggested possible alternatives to the proposed requirements related to material systems changes. Some commenters suggested eliminating the proposed advance notification requirement for material systems changes.[1014] One of these commenters explained that information regarding material systems changes would be available to the Commission during an inspection, but stated that, if an advance notification requirement is adopted, it should be folded into the proposed semi-annual reporting requirement.[1015] Another commenter similarly urged that the Commission require only semi-annual reporting of material systems changes, as proposed in Rule 1000(b)(8).[1016] One commenter supported the reporting of material systems changes in the annual SCI review report.[1017] One commenter believed that information related to systems changes should be reported periodically.[1018] Another commenter noted that if the Commission retains the 30-day advance notification requirement, it should be limited to material systems changes of only higher priority SCI systems and that notifications of changes to lower criticality systems could be provided at the time of the change or periodically.[1019]

Some commenters suggested that the Commission provide more flexibility and allow SCI entities more time to report material systems changes.[1020] One commenter supported giving SCI entities discretion to determine the appropriate timing and format for reporting changes to the Commission, and stated that the current practice under ARP to submit quarterly reports that cover changes for the previous and upcoming quarters has proven effective in keeping the Commission staff apprised of planned and completed systems changes.[1021]

One commenter suggested that SCI entities be required to keep records of all systems changes and technical issues, and make that information available to the Commission upon request.[1022] If the Commission decides to retain the notification requirement, this commenter recommended that it be satisfied through periodic (ideally, quarterly) reporting of material systems changes.[1023] One commenter believed the Commission should allow all 30-day advance notifications regarding pending material systems changes to be communicated orally, and only submitted in writing after development and testing is completed and the feature is finalized.[1024]

The Commission believes that the adopted quarterly reporting requirement is responsive to commenters who requested additional flexibility or time for material systems change notifications, as well as to commenters who suggested that such notices be submitted on a periodic or quarterly basis.[1025] The Commission does not agree with the commenters who suggested that the Commission completely eliminate the advance notification requirements. The Commission believes that advance notifications of planned material systems changes will help ensure that the Commission has up-to-date information regarding important future systems changes at an SCI entity, to aid in its understanding of the operations and functionality of the systems post-change.[1026] As adopted, Rule 1003(a)(1) requires an SCI entity to provide the Commission with advance notification of planned material systems changes in the current and subsequent quarters through the quarterly reports. As noted above, after considering the views of commenters, the Commission is not adopting the proposed 30-day advance notification requirement for each material systems change.

The Commission is also not adopting commenters' suggestion that material systems changes be reported semi-annually or annually.[1027] As noted in the SCI Proposal, proposed Rule 1000(b)(8)(ii) required semi-annual reports because the proposal would have separately required information relating to each planned material systems change to be submitted at least 30 calendar days before its implementation.[1028] Thus, in the SCI Proposal, the Commission stated its preliminary view that requiring ongoing summary reports more frequently would not be necessary.[1029] At the same time, the Commission expressed the concern that a longer period of time would permit significant updates and milestones relating to systems changes to occur without notice to the Commission.[1030] Because the Commission is not adopting the 30-day advance notification requirement, the Commission believes that it is appropriate to require more frequent reports of material systems changes than on a semi-annual basis. Further, as noted above, some commenters suggested quarterly reports, which is consistent with the practice of some entities under the ARP Inspection Program.[1031]

The Commission does not agree with the commenter who suggested that Regulation SCI should only require SCI entities to keep records of all systems changes and make that information available to the Commission upon request.[1032] Similarly, the Commission does not agree with commenters who suggested that SCI entities be given discretion to determine the timing of the reports.[1033] The Commission believes that quarterly reporting of material systems changes will help ensure that the Commission has, on an ongoing basis, a comprehensive view and up-to-date information regarding material systems changes at an SCI entity.

With respect to the commenter who suggested that all 30-day advance material systems change notifications should be provided orally, and submitted in writing only after the changes are fully tested and implemented,[1034] the Commission notes that it is not adopting the proposed 30-day advance notification requirement for material systems changes.

With respect to the commenter who suggested giving SCI entities discretion to determine the format for reporting changes to the Commission,[1035] the Commission notes that Rule 1003(a) does not prescribe a specific style that the quarterly reports should take. The Commission intends for the quarterly report to allow the Commission and its staff to gain a sufficient level of understanding of the material systems changes that have been implemented, are on-going, and are planned for the future, which would aid the Commission and its staff in understanding the operations and functionality of the systems of an SCI entity and any changes to such systems. In particular, the Commission notes that Rule 1003(a)(1) only specifically requires the quarterly reports to “describe” the material systems changes and the dates or expected dates of their commencement and completion. Therefore, Rule 1003(a)(1) gives each SCI entity reasonable flexibility in determining precisely how to describe its material systems changes in the report in a manner that best suits the needs of that SCI entity as well as the needs of the Commission and its staff.[1036] In addition, to the extent the Commission seeks additional information about a given change noted in a quarterly report, an SCI entity would be required to provide Commission staff with such information in accordance with Rule 1005 (Recordkeeping Requirements Related to Compliance with Regulation SCI).[1037]

The Commission also notes that the quarterly reports are required to include descriptions of material systems changes during the prior calendar quarter that were completed, ongoing, or planned. Therefore, if a report for the first quarter of a given year discusses the SCI entity's plan to implement a particular series of material changes to an SCI system, Rule 1003(a)(1) requires that, in the report for the second quarter of that year, the SCI entity describe the material systems changes that were completed, ongoing, and planned in the first quarter, including the planned changes discussed in the prior quarter's report, as applicable.

Several commenters expressed concern that the proposed 30-day advance notification requirement would potentially give the Commission new authority to “reject” a Form SCI filing describing material systems changes, similar to the way the Commission may reject an improperly filed proposed rule change pursuant to Rule 19b-4 under the Exchange Act.[1038] Three commenters requested that the Commission clarify how proposed Rule 1000(b)(6) would relate to Rule 19b-4, suggesting that there may be unnecessary redundancy between the two processes.[1039] Another commenter suggested limiting the types of changes that would require 30-day advance notification to those changes that are already required to be filed with the Commission as proposed rule changes for immediate effectiveness under Section 19(b)(3)(A) of the Exchange Act (excluding those filings that would not become operative for 30 days after the date of the filing because those filings would already provide the Commission with 30 days' advance notification of the material systems changes).[1040] This commenter also noted that where a material systems change would be filed for approval under Section 19(b)(2) of the Exchange Act, the Section 19(b)(2) approval process provides the Commission sufficient notification of the systems change.[1041] One commenter stated that proposed Rule 1000(b)(6) was improperly premised on the notion that the Commission should be responsible for a minutely-detailed understanding of the IT infrastructure of SCI entities and for assessing prospective changes in advance of their implementation.[1042]

The Commission disagrees with commenters who believed that material systems change reports are redundant given the rule filing requirements of Rule 19b-4 under the Exchange Act, or that material systems change reports should not be required if the SCI entity submitted certain types of rule filings regarding the same change.[1043] The Commission acknowledges that some systems changes require proposed rule changes under Rule 19b-4, and some Rule 19b-4 proposed rule changes result in systems changes. However, based on Commission staff's experience with the ARP Inspection Program and the rule filing process, the Commission believes that the type of information regarding systems changes included in rule filings is different from the type of information that will be included in reports on material systems changes. In particular, the technical details or specifications of SCI systems and indirect SCI systems are generally not specifically set forth in the rules of an SCI SRO. Therefore, technical information regarding systems changes is usually not set forth in rule filings. In addition, the Commission notes that the rule filing process and the material systems change reports serve different purposes. In particular, the material systems change reports are intended to inform the Commission and its staff of important technical changes to an SCI entity's systems. On the other hand, the rule filing process provides notice of changes to an SCI entity's rules, including, for example, the statutory basis for such changes, and in some cases seeks approval by the Commission of the rule changes. Therefore, if an SCI SRO submits a rule filing regarding a particular systems change and the change is also included in a material systems change report, the information included in the rule filing may not necessarily further the goal of the material systems change reporting requirement, and the information included in the material systems change report may not necessarily assist in the Commission's review of the rule filing. Moreover, commenters' concern regarding the redundancy between the rule filing process and the material systems change reports stemmed from concerns regarding the 30-day advance notification requirement. As discussed above, the Commission is not adopting a 30-day advance notification requirement.

The Commission also reiterates that the material systems change reports are intended to inform the Commission and its staff of such changes and help the Commission in its oversight of U.S. securities market infrastructure. Regulation SCI does not provide for a new approval process for SCI entities' material systems changes. As such, Commission staff will not use material systems change reports to require any approval of prospective systems changes in advance of their implementation pursuant to any provision of Regulation SCI,[1044] or to delay implementation of material systems changes pursuant to any provision of Regulation SCI.[1045]

Three commenters questioned the Commission's legal authority to adopt the proposed material systems change notification requirements, including, in particular, those set forth in proposed Rule 1000(b)(6).[1046] For the reasons discussed above in Section IV.B.3.c, the Commission disagrees with these comments and believes that adopted Rule 1003(a) will assist the Commission in its oversight of U.S. securities market infrastructure consistent with its legal authority under the Exchange Act.

In light of the 30-day advance notification requirement in proposed Rule 1000(b)(6), some commenters suggested eliminating the semi-annual reporting requirement in proposed Rule 1000(b)(8)(ii) because they considered it duplicative and unnecessary.[1047] One commenter believed that the required semi-annual reporting requirement was excessive and should instead be incorporated into the annual reporting obligations in proposed Rule 1000(b)(8)(i).[1048] As discussed above, the Commission is adopting a quarterly reporting requirement under Rule 1003(a)(1) and is not adopting the proposed 30-day advance notification requirement. Therefore, the Commission is not adopting the requirement in proposed Rule 1000(b)(8)(ii) for semi-annual progress reports.

ii. Definition of Material Systems Change

Commenters generally opposed the proposed definition of material systems change. Many commenters stated their belief that the term was too broad and would therefore necessitate an excessive number of notifications of material systems changes.[1049] Some commenters believed that the definition should be revised and offered a variety of suggestions.[1050] Several commenters advocated for creating a risk-based definition whereby, for example, notifications are only required for those material systems changes that pose a risk to critical operations of an entity.[1051] One commenter suggested that the requirement focus on SCI systems only.[1052] One commenter stated that SCI entities should be afforded flexibility to establish reasonable standards for defining material systems changes for their systems.[1053]

Several commenters sought guidance from the Commission on the materiality threshold, which commenters believed was unclear, explaining, for example, that the term “material” appears both in the term “material systems change” and in the definition of that term.[1054] Similarly, several commenters requested that the Commission provide more guidance on the meaning of “material” in the context of systems changes because, although the wording of the proposed definition contained the concept of “materiality,” the commenters believed some of the examples provided in the SCI Proposal to be non-material.[1055] One commenter asked that the Commission clearly define what types of systems changes are not subject to the prior notification requirement in order to avoid receiving notices of all systems changes, material or otherwise.[1056] One commenter asked that the Commission clarify the meaning of “material” and confirm that prior notification would not be required for changes that do not pertain to the production environment.[1057]

Rather than adopting a detailed definition of material systems change as proposed, Rule 1003(a)(1) requires an SCI entity to establish reasonable written criteria for identifying a change to its SCI systems and the security of indirect SCI systems as material and to report to the Commission those changes the SCI entity identified as material in accordance with such criteria. This change is responsive to a commenter's suggestion that SCI entities should be granted flexibility to establish reasonable standards for determining whether a systems change is material. In addition, the Commission does not believe that it is appropriate to adopt a precise definition for the term “material systems change” because SCI entities differ in nature, size, technology, business model, and other aspects of their businesses. The Commission notes that there currently is no industry definition of “material systems change” that is applicable to all SCI entities that can serve as the basis for a precise definition of the term “material systems change” in Regulation SCI, and believes that whether a systems change is material is dependent on the facts and circumstances, such as the reason for the change and how it may impact operations. Moreover, requiring SCI entities to establish their own reasonable criteria for identifying material systems changes reflects the Commission's view that an SCI entity is in the best position to determine, in the first instance, whether a change, or series of changes, is material in the context of its systems. Because adopted Rule 1003(a)(1) allows each SCI entity to identify material systems changes, it is responsive to commenters' concern that the proposed definition was too broad and would result in an excessive number of notifications, and to commenters' suggestion that the definition should be revised.

Further, the Commission's determination to not adopt the proposed definition of material systems change mitigates commenters' concern that the proposed definition was unclear. In particular, by eliminating the proposed definition of material systems change, the Commission seeks to eliminate the confusion caused by the proposed definition of this term, which contained the word “material.” Moreover, some commenters requested additional clarity on the definition of material systems change because they believed that some of the examples the Commission provided in the SCI Proposal were not material systems changes. Because adopted Rule 1003(a)(1) requires SCI entities to establish reasonable written criteria for identifying material systems changes, SCI entities will not be required to identify material systems changes in accordance with the detailed definition and examples from the SCI Proposal. Rather, an SCI entity will have reasonable discretion in establishing the written criteria in order to capture the systems changes that it believes are material. Specifically, the Commission believes that adopted Rule 1003(a) is sufficiently flexible to allow each SCI entity to identify changes that it believes are material, which may include some of the suggestions identified by the commenters if an SCI entity determines such changes to be appropriate to include in its criteria for identifying material systems changes. For example, if an SCI entity reasonably believes that its systems changes are material if they involve significant functional enhancements, major technology infrastructure changes, or changes requiring member/participant notifications, and such criteria are set forth in the SCI entity's reasonable written criteria, the SCI entity may identify material systems changes in accordance with such written criteria. Likewise, if an SCI entity reasonably believes that some of the examples of material systems changes identified in the SCI Proposal can appropriately serve as criteria for identifying material systems changes, and such criteria are set forth in the SCI entity's reasonable written criteria, the SCI entity may identify material systems changes in accordance with such written criteria.

In response to a commenter's suggestion that the Commission clearly define what types of systems changes are not subject to the prior notification requirement in order to avoid notification of all systems changes, material or otherwise, the Commission notes that Rule 1003(a)(1) specifically requires SCI entities to identify material systems changes and report only material systems changes. With respect to a commenter's question regarding whether prior notification would be required for changes that do not pertain to the production environment, the Commission notes that SCI systems do not include development and testing systems, although indirect SCI systems could include development and testing systems if they are not walled-off from SCI systems. Therefore, Rule 1003(a) could apply to material changes to the security of development and testing systems that are not walled-off from SCI systems. Finally, with respect to a commenter's suggestion that Rule 1003(a) focus only on SCI systems, the Commission believes that notifications of material systems changes regarding the security of indirect SCI systems are important to the Commission's oversight of U.S. securities market infrastructure. At the same time, the Commission notes that Rule 1003(a)(1) provides that each SCI entity establish its own reasonable criteria for identifying a change to the security of its indirect SCI systems as material. Therefore, to the extent that an SCI entity determines that certain changes to the security of its indirect SCI systems are not material in accordance with its reasonable written criteria, such changes are not required to be reported to the Commission.

As with an SCI entity's other policies and procedures under Regulation SCI, Commission staff may review an SCI entity's established criteria relating to the materiality of a systems change (e.g., in the course of an examination) to determine whether it agrees with the SCI entity's assessment that such criteria are reasonable and in compliance with the requirements of Rule 1003(a). The Commission believes that, by providing SCI entities flexibility in establishing the criteria and reviewing SCI entities' established criteria, it strikes the proper balance between granting discretion to SCI entities and ensuring that SCI entities carry out their obligations under Regulation SCI.

iii. Adopted Rule 1003(a)(2): Supplemental Material Systems Change Reports

A commenter who advocated for a quarterly reporting requirement noted that quarterly updates would disclose material deviations from plans described in a previous report, including those stemming from inaccuracies in prior reports.[1058] Another commenter similarly noted that periodic reporting of any inaccuracies is sufficient for oversight purposes.[1059] The Commission believes that there may be circumstances in which an SCI entity realizes that information previously provided to the Commission in a quarterly report was materially inaccurate or that the quarterly report omitted material information. The Commission believes that it should, on an ongoing basis, have complete and correct information regarding material systems changes at an SCI entity, rather than waiting until the next quarterly report to receive corrected information, as suggested by these commenters. The Commission is therefore adopting Rule 1003(a)(2), which requires an SCI entity to promptly submit a supplemental report to notify the Commission of a material error in or material omission from a report previously submitted under Rule 1003(a)(1). The Commission notes that the supplemental report requirement applies only if the error or omission in a prior report is material.

5. SCI Review—Rule 1003(b)

Proposed Rule 1000(b)(7) required an SCI entity to conduct an SCI review of the SCI entity's compliance with Regulation SCI not less than once each calendar year, and submit a report of the SCI review to senior management of the SCI entity no more than 30 calendar days after completion of such SCI review.[1060] Further, proposed Rule 1000(b)(8)(i) required an SCI entity to submit to the Commission a report of the SCI review required by paragraph (b)(7), together with any response by senior management, within 60 calendar days after its submission to senior management of the SCI entity.[1061]

Proposed Rule 1000(a) defined the term “SCI review” to mean a review, following established procedures and standards, that is performed by objective personnel having appropriate experience in conducting reviews of SCI systems and SCI security systems, and which review contains: (1) A risk assessment with respect to such systems of the SCI entity; and (2) an assessment of internal control design and effectiveness to include logical and physical security controls, development processes, and information technology governance, consistent with industry standards.[1062] In addition, the proposed definition provided that such review must include penetration test reviews of the SCI entity's network, firewalls, and production systems at a frequency of not less than once every three years.[1063]

The Commission is adopting the provisions relating to SCI reviews with modifications in response to comment. In addition, the Commission is adopting a definition of “senior management” in Rule 1000 for purposes of the SCI review requirement.

Some commenters expressed support for the proposed requirements for SCI reviews,[1064] with a few advocating that the SCI review be conducted by an independent third party, rather than “objective personnel.” [1065] One commenter noted that it agreed that annual SCI reviews and reports can have a meaningful impact on improving technology and business practices.[1066] Another commenter expressed support for proposed Rule 1000(b)(7), but asked for clarification that any review of a processor under an NMS plan be performed independently of reviews of the same entity in other capacities (e.g., as an exchange or other SCI entity).[1067]

With regard to the suggestion that the Commission adopt a requirement that SCI reviews be conducted by an independent third party rather than “objective personnel” as proposed,[1068] the Commission continues to believe that it is appropriate to permit SCI reviews to be performed by personnel of the SCI entity or an external firm, provided that such personnel are, in fact, objective and, as required by rule, have the appropriate experience to conduct reviews of SCI systems and indirect SCI systems. Experienced personnel should have the knowledge and skills necessary to conduct such reviews. In the SCI Proposal, the Commission noted that to satisfy the criterion that an SCI review be conducted by “objective personnel,” it should be performed by persons who have not been involved in the development, testing, or implementation of such systems being reviewed.[1069] The Commission continues to believe that persons who were not involved in the process for development, testing, and implementation of the systems being reviewed would generally be in a better position to identify weaknesses and deficiencies that were not identified in the development, testing, and implementation stages. The Commission believes that, given the requirement that such personnel be “objective,” any personnel with conflicts of interest that have not been adequately mitigated to allow for objectivity should be excluded from serving in this role. In particular, the Commission believes that a person or persons conducting an SCI review should not have a conflict of interest that interferes with their ability to exercise judgment, express opinions, and present recommendations with impartiality. 
While the Commission recognizes that, as one commenter asserted, all personnel of an SCI entity could be viewed as having some level of conflict of interest,[1070] the Commission believes that SCI entities can have appropriate policies and procedures in place to mitigate such conflicts or to help ensure that certain departments and/or specified personnel (such as internal audit departments) are appropriately insulated from such conflicts so as to be able to objectively conduct SCI reviews.[1071]

Accordingly, the Commission believes that the goals of Regulation SCI can be achieved through reviews by either internal objective personnel or external objective personnel. Taking into consideration the advantages and disadvantages associated with each approach, each SCI entity should make its own determination regarding the levels of review or assurance that can be provided by different personnel, the best means to ensure their objectivity, and whether it is appropriate to incur the additional costs of an independent third party review. An SCI entity may, for example, determine that it is appropriate to utilize personnel not employed by the SCI entity (i.e., third parties) to conduct such review each year or only on a less frequent, periodic basis (e.g., every three years), or only with regard to certain of its systems. In addition, with regard to one commenter's suggestion that an SCI review should be performed independently for each capacity in which an SCI entity acts, the Commission notes that the definition of SCI review and provisions of Rule 1003(b) require that an SCI entity perform a review, following established procedures and standards, for compliance with Regulation SCI that includes a risk assessment of the SCI entity's SCI systems and indirect SCI systems and an assessment of internal control design and effectiveness of such systems and does not require an SCI entity that serves in two different capacities with respect to Regulation SCI to conduct two independent SCI reviews. The Commission believes that, as a practical matter, an SCI entity may determine that, to comply with these requirements, it is necessary to conduct separate assessments and analysis for each capacity of the SCI entity, because the standards used, risk assessments, applicable policies and procedures, and assessment of internal control design and effectiveness are different with regard to the distinct and differing functions of the SCI entity in each capacity. 
For example, an entity that meets both the definition of an SCI SRO and a plan processor may determine that it is necessary to conduct separate reviews for each function performed, because, for instance, the findings of a risk assessment determine that certain SCI systems fall into the category of “critical SCI systems” with regard to the functions of the plan processor, but not with regard to the functions of the SRO. At the same time, the Commission notes that, even where separate reviews are conducted, there may be certain overlap in conducting such reviews (for example, the entity may use the same objective reviewer for each function performed), such reviews may be conducted at the same time, and a single SCI review report may contain findings for each capacity.

While other commenters also supported some form of review, many of these commenters stated that the term SCI review is defined too broadly and/or that the SCI review requirements should allow more flexibility.[1072] Some commenters expressed concerns about the need to review all systems on an annual basis, which they argued could be costly, burdensome, and unnecessary.[1073] Several commenters suggested the adoption of a risk-based approach for determining the scope of the review, which would entail conducting a risk assessment to determine which systems should be reviewed and how often.[1074] Under such an approach, the highest risk systems would be reviewed more frequently than other, less critical systems, which could be reviewed less frequently than annually or on a rotational basis. Similarly, one commenter recommended that SCI reviews should be focused only on those core systems capable of having a material impact on members or participants, and “adjacent” systems should not be subject to the review process.[1075]

After considering the views of commenters, the Commission has determined to adopt the provisions relating to SCI reviews with modifications in response to comment.[1076] Thus, adopted Rule 1003(b) requires an SCI entity to conduct an SCI review of the SCI entity's compliance with Regulation SCI not less than once each calendar year.[1077] However, the Commission notes that, because it has revised the scope of the definition of “SCI systems” as described above, fewer systems of each SCI entity will be subject to the SCI review, thereby focusing the overall scope of the SCI review requirement.[1078] Further, to address some commenters' concerns about the burdens and inflexibility of the proposed rule and the recommendation that the proposed rule utilize a more risk-based approach, the adopted rule is being revised to allow assessments of SCI systems directly supporting market regulation or market surveillance to be conducted, based upon a risk-assessment, at least once every three years, rather than annually.[1079] SCI entities would be required to determine the specific frequency with which to conduct assessments of these systems depending on the risk assessment that they conduct as part of the annual SCI review, provided that these systems are assessed at least once every three years. The Commission believes that market regulation and market surveillance systems have the potential to pose less risk to an entity or the market than other SCI systems. While the Commission believes that these systems are essential to investor protection and market integrity and that they can pose a significant risk to the markets in the event of a systems issue, the Commission also believes that certain market regulation and market surveillance systems may not have as immediate or widespread of an impact on the maintenance of fair and orderly markets or an entity's operational capability as the other categories of systems included within the definition of SCI systems. 
While a systems issue affecting a trading system could result in the immediate inability of a market, and thus market participants, to continue trading on such system and potentially impact trading on other markets as well, the Commission believes that the temporary disruption or failure of an SCI entity's market regulation and/or market surveillance systems in the wake of a wide-scale disruption would likely not have as direct an impact on market participants' ability to continue to trade. Thus, after considering commenters' views regarding the costs and burdens of the proposed SCI review requirements, as well as the suggestion that the Commission incorporate more of a risk-based approach in Regulation SCI, the Commission believes that a less frequent review of these systems may be appropriate in cases where the risk assessment conducted as part of the SCI review results in such a determination. The Commission also notes that, as originally proposed, the rule would have required penetration test reviews of the SCI entity's network, firewalls, and development, testing, and production systems at a frequency of not less than once every three years, in recognition of the potentially significant costs that may be associated with the performance of such tests.[1080] However, consistent with modifications to the definition of SCI systems, references to development and test systems have been deleted in adopted Rule 1003(b)(1)(i).[1081] The Commission notes that SCI entities may, however, determine that, based on their risk assessment, it is appropriate and/or necessary to conduct such penetration test reviews more frequently than once every three years.

The Commission is not, however, adopting a broader risk-based approach to determine the required frequency of an SCI review (i.e., for SCI systems other than market regulation and market surveillance systems), as suggested by some commenters.[1082] The Commission believes that a critical element to ensuring the capacity, integrity, resiliency, and availability of SCI systems and indirect SCI systems is conducting an annual objective review to assess the risks of an SCI entity's systems and the effectiveness of its internal information technology controls and procedures. Such reviews will not only assist the Commission in improving its oversight of the technology infrastructure of SCI entities, but also each SCI entity in assessing the effectiveness of its information technology practices, helping to ensure compliance with the safeguards provided by the requirements of Regulation SCI, identifying potential areas of weakness that require additional or modified controls, and determining where to best devote resources. Further, the Commission believes that the competitive environment of today's securities markets drives SCI entities to continually update, modify, and introduce new technology and systems, often in an effort to meet specific business needs and achieve “quick-to-market” results, potentially without adequate focus on ensuring the continuous integrity of their systems. In addition, given today's fast-paced nature of technological advancement, existing controls can quickly become obsolete or ineffective and the relative criticality or risk nature of a system can change over time as well.[1083] Further, as one commenter noted, it is not uncommon for entities to experience repeated unsuccessful attempts to gain access to their systems,[1084] which the Commission believes can expose certain vulnerabilities not identified previously and, if successful, also create new vulnerabilities and risk. 
For these reasons, the Commission believes that it is appropriate to require an SCI entity to conduct an SCI review of its applicable systems not less than once every 12 months.[1085]

Further, the Commission notes that, as described in detail above, Regulation SCI is consistent with a risk-based approach in several areas, and thus, a risk assessment is appropriate in order to determine the standards and requirements applicable to a given SCI system. As such, the Commission believes that it is appropriate to require SCI entities to conduct a risk-based assessment with regard to their SCI systems and indirect SCI systems as part of their SCI review at least annually to help ensure that SCI entities are meeting the requirements of Regulation SCI.[1086]

For the reasons noted above, the Commission believes it is appropriate to require that SCI reviews be conducted at least annually, rather than utilizing a risk-based approach to determine the frequency of the required SCI review.[1087] At the same time, the Commission notes that this provision is consistent with a risk-based approach in that SCI entities may design the scope and rigor of the SCI review for a particular system based on its risk assessment of such system, provided that the review meets the requirements of the rule, such as including an assessment of internal control design and effectiveness to include logical and physical security controls, development processes, and information technology governance, consistent with industry standards [1088] and performing penetration test reviews at least once every three years.[1089]

Some commenters sought clarification on various aspects of the SCI review requirement. One commenter stated that the term SCI review, as proposed, expanded significantly on what is required under ARP and asked for greater specificity as to the objectives and intended scope of the SCI review.[1090] This commenter suggested, as an alternative, that the Commission establish an “agreed upon procedures” approach, which would involve outlining specific SCI review objectives and procedures that would be performed by an objective reviewer.[1091] One commenter also requested that the Commission clarify whether there is a distinction between the existing ARP report and the SCI review and whether the ARP practice of on-site inspections would be eliminated.[1092]

With regard to the comment seeking clarity on the scope of the review as compared to what is done under the current ARP Inspection Program,[1093] as noted in the SCI Proposal, the requirement for an annual SCI review was intended to formalize a practice in place under the current ARP Inspection Program in which SROs conduct annual systems reviews following established audit procedures and standards that result in the presentation of a report to senior SRO management on the recommendations and conclusions of the review.[1094] Specifically, the ARP Policy Statements called for each SRO to have its automated systems reviewed annually by an “independent reviewer” [1095] and stated that independent reviews and analysis should: “(1) Cover significant elements of the operations of the automation process, including the capacity planning and testing process, contingency planning, systems development methodology and vulnerability assessment; (2) be performed on a cyclical basis by competent and independent audit personnel following established audit procedures and standards; and (3) result in the presentation of a report to senior SRO management on the recommendations and conclusions of the independent reviewer, which report should be made available to Commission staff for its review and comment.” [1096] Similar to (1) above, the definition of SCI review requires the review to contain an assessment of internal control design and effectiveness of its SCI systems and indirect SCI systems to include logical and physical security controls, development processes, and information technology governance, consistent with industry standards. Consistent with element (2), an SCI review must be performed by objective personnel having appropriate experience to conduct reviews of SCI systems and indirect SCI systems and must be performed following established procedures and standards. 
Finally, like item (3), Rule 1003(b)(2)-(3) requires SCI entities to submit a report of the SCI review to senior management after completion of the review, and following submission to senior management, to submit a report of the SCI review to the Commission, along with any response by senior management. Senior management, after reviewing the report, should note, in addition to any other response that may be made, any material inaccuracy or omission that, to their knowledge, is in the report. In this regard, the Commission recognizes that senior managers, by virtue of their positions and experience, may have differing levels of knowledge regarding their entity's SCI systems and indirect SCI systems and compliance with Regulation SCI.

While the SCI review requirement in Rule 1003 is based on the ARP review and report, a greater number of automated systems meeting the definition of SCI system or indirect SCI system would be subject to the SCI review requirements because the scope of Regulation SCI expands upon the current ARP Inspection Program. The Commission notes that the SCI review is not a substitute for inspections and examinations conducted by Commission staff, and therefore SCI entities should expect that technology systems inspections and examinations will continue following the adoption of Regulation SCI. Along with notifications of material systems changes under adopted Rule 1003(a) and SCI event notifications pursuant to adopted Rule 1002(b), one purpose of SCI reviews will be to aid the Commission and its staff in understanding the operations and risks associated with the applicable systems of an SCI entity.

In addition, as noted above, one commenter, in seeking further clarity on the scope of the SCI review requirement, suggested that the Commission take an “agreed upon approach” which would outline more specific review objectives and procedures that would be performed by the objective reviewer. The Commission believes that an SCI entity should have the ability to design the specific parameters of an SCI review within the confines of the general framework of the rule, including identifying its own review objectives and procedures, given the SCI entity's in-depth knowledge of, and familiarity with, its own systems and their attendant risks. As such, the adopted rule is designed to provide a general framework for the scope of the SCI review by specifying that the review must include a risk assessment of SCI systems and indirect SCI systems and an assessment of the internal control design and effectiveness of its systems in certain areas.[1097] At the same time, the rule provides flexibility by permitting the review to be conducted “following established procedures and standards,” which would be identified and established by the SCI entity itself.[1098]

Some commenters expressed views on the provisions requiring SCI entities to submit reports of the SCI review to senior management of the SCI entity and to the Commission. Specifically, two commenters supported the proposed requirement that reports of the SCI review be submitted to senior management of the SCI entity no later than 30 days after completion of the SCI review.[1099] One commenter urged that senior management of an SCI entity certify the report before it is submitted to the Commission in order to promote accountability at the highest ranks of the SCI entity.[1100] Another commenter believed that 45 days for submission of such reports to senior management would be more appropriate as a target timeframe given the complexity of the issues addressed in an SCI review, and that should this target fail to be met, the Board of Directors Audit Committee (or similar governing body) should be informed of the reason therefor.[1101] Two commenters recommended that the distribution cycle within proposed Rule 1000(b)(8)(i) be modified so that individual, focused audit reports resulting from rotational reviews could be bundled and distributed to the Commission on a regular basis (semi-annually or quarterly).[1102]

The Commission does not believe that it is necessary to require senior management certification of the report of the SCI review, as suggested by one commenter.[1103] Adopted Rules 1003(b)(2)-(3) require that the SCI entity submit a report of the SCI review to senior management of the SCI entity no more than 30 calendar days after completion of such SCI review, and that the SCI entity submit a report of the SCI review, together with any response by senior management, to the Commission and the board of directors of the SCI entity or the equivalent of such board within 60 calendar days after its submission to senior management. Because reports of SCI reviews and any responses by senior management are required to be filed using Form SCI under the Exchange Act and Regulation SCI, it is unlawful for any person to willfully or knowingly make, or cause to be made, a false or misleading statement with respect to any material fact in such reports or responses.[1104]

The Commission recognizes that senior management certifications are used in other regulatory contexts, including in some Commission rules and regulations.[1105] However, at this time, the Commission believes that, in light of the other requirements for an SCI entity, the goals of Regulation SCI can be achieved without the imposition of an additional requirement on SCI entities for senior management certification. Specifically, the Commission believes that the adopted requirements promote the responsibility and accountability of senior management of an SCI entity by helping to ensure that senior management receives and reviews reports of SCI reviews, is made aware of issues relating to compliance with Regulation SCI, and is encouraged to promptly establish plans for resolving such issues.

The Commission is also adopting a definition of “senior management” in Rule 1000 to make clear which individuals at an SCI entity must receive and review the report of the SCI review. The Commission believes that, in the context of the SCI review requirement, senior management should not be limited to a single individual or officer of an SCI entity. Thus, “senior management,” for purposes of adopted Rule 1003(b) is defined as an SCI entity's Chief Executive Officer, Chief Technology Officer, Chief Information Officer, General Counsel, and Chief Compliance Officer, or the equivalent of such employees or officers of an SCI entity. The Commission believes that, in order to achieve the goals of the rule to promote increased awareness and oversight of the technology infrastructure at an SCI entity by its most senior employees and officers, it is important that the SCI entity's senior management team receive and carefully review reports of SCI reviews. The Commission believes that these employees and officers, or their functional equivalent, represent the executive, technology, legal, and compliance functions that are necessary to effectively review the reports of SCI reviews. The Commission also believes that awareness by an SCI entity's senior management of SCI reviews and issues with Regulation SCI compliance should help to promote a focus by senior management on such reviews and issues, enhance communication and coordination regarding such reviews and issues among business, technology, legal, and compliance personnel, and, in turn, strengthen the capacity, integrity, resiliency, and availability of the systems of SCI entities. 
To help ensure that persons at the highest levels of an SCI entity are made aware of any issues raised in the SCI review, the Commission is also adopting a requirement for each SCI entity to submit to its board of directors or the equivalent of such board a report of the SCI review and any response by senior management within 60 calendar days after the submission of the report to senior management of the SCI entity.

With regard to one commenter's suggestion that SCI entities should be given 45 days rather than 30 days to submit the report of the SCI review to senior management (and that it should be only a target timeframe rather than a requirement),[1106] the Commission notes that the 30-day timeframe is based on the Commission's experience with the current ARP Inspection Program that an ARP entity is able to consider the review and prepare a report for senior management consideration prior to the submission to the Commission.[1107] The Commission acknowledges that a greater number of systems will be subject to the SCI review requirement than the current ARP Inspection Program given the definitions of SCI system and indirect SCI system,[1108] and that the issues addressed in an SCI review may be complex. However, the Commission notes that the adopted timeframe, while based on experience with the current ARP Inspection Program, also takes into account these factors.[1109] Further, the Commission believes that the complexity of the issues presented during an SCI review would more likely affect the timing of conducting and completing the SCI review, rather than the timing for submitting a report of the review to senior management. The Commission, therefore, continues to believe that this requirement is appropriate. 
The Commission also notes that the requirement to submit the annual report to the Commission within 60 calendar days after its submission to senior management is similarly based on the Commission's experience with the ARP Inspection Program that this time period is a sufficient period to enable senior management to consider such review or report before submitting it to the Commission.[1110] Because an SCI entity will already have prepared the report and any response by senior management for filing with the Commission, the Commission believes that an SCI entity will not need significant additional time to submit the same report and response to its board of directors or the equivalent of such board.

Contrary to the suggestion of some commenters, the Commission does not believe it is appropriate to allow an SCI entity to delay the submission of SCI review reports to the Commission in order to bundle several reports together and submit them on a quarterly or semi-annual basis. Rather, the Commission believes that it is important to receive such reports in a timely manner after completion of the SCI review, so that the Commission is made aware of potential areas of weakness in an SCI entity's systems that may pose risk to the entity or the market as a whole, as well as areas of non-compliance with the provisions of Regulation SCI, without undue delay.

With respect to clearing agencies, two commenters noted that the SCI review requirement potentially might overlap with staff guidance for clearing agencies that calls for an annual report on internal controls and recommended that the Commission consider further coordination on potential redundancies.[1111] The Commission notes that the section in the guidance provided in the Announcement for Standards for the Registration of Clearing Agencies referenced by commenters is distinct from the adopted SCI review requirement, as such section in the guidance relates to the review and evaluation of clearing agencies' accounting controls.[1112] In contrast, the SCI review requirement involves a risk assessment and assessment of internal control design and effectiveness of all of an SCI entity's SCI systems and indirect SCI systems.

Finally, it should be noted that the required review and timely reporting to the Commission will enable the Commission and Commission staff to monitor the quality of compliance with Regulation SCI, thoroughness and robustness of SCI reviews, and the responses of senior management to such reviews. Accordingly, the Commission will be in a position to consider enhancing these regulatory requirements in the future, if necessary.

6. SCI Entity Business Continuity and Disaster Recovery Plans Testing Requirements for Members or Participants—Rule 1004

Adopted Rule 1004 addresses testing of SCI entity business continuity and disaster recovery plans, including backup systems, by SCI entity members or participants. Rule 1004 corresponds to proposed Rule 1000(b)(9), and is adopted with certain modifications in response to comment, as discussed below.

a. Proposed Rule 1000(b)(9)

Proposed Rule 1000(b)(9)(i) required each SCI entity, with respect to its BC/DR plans, to require participation by designated members or participants in scheduled functional and performance testing of the operation of such plans, in the manner and frequency specified by the SCI entity, at least once every 12 months. Proposed Rule 1000(b)(9)(ii) further required each SCI entity to coordinate the testing of such plans on an industry- or sector-wide basis with other SCI entities. Proposed Rule 1000(b)(9)(iii) would have additionally required each SCI entity to designate those members or participants it deems necessary, for the maintenance of fair and orderly markets in the event of the activation of its BC/DR plans, to participate in the testing of such plans, and notify the Commission of such designations and its standards for such designation on Form SCI.

b. Comments and Commission Response

The Commission received significant comment on proposed Rule 1000(b)(9) and is adopting it with revisions, as Rule 1004. As more fully discussed below, the adopted rule requires designation of a more limited set of SCI entity members and participants for mandatory participation in BC/DR testing than the proposed rule. Further, the adopted rule does not require an SCI entity to file designation standards or member/participant designations with the Commission on Form SCI, as was proposed, but instead an SCI entity must keep records of its standards and designations. The scope, frequency, and coordination aspects of the proposed rule are adopted as proposed.

i. Mandatory BC/DR Testing Generally

Some commenters expressed general support for the goals of proposed Rule 1000(b)(9).[1113] One commenter in particular stated that “[i]t is vital that as many firms as possible participate in [market-wide] testing with conditions as realistic as possible.” [1114] According to this commenter, broader mandatory participation in testing would be “one of the most valuable parts of Regulation SCI and will do the most to ensure improved market network reliability.”[1115] Another commenter expressed support for broad participation in BC/DR testing, but also expressed concern that the testing requirement would put SCI entities at a competitive disadvantage versus non-SCI entities.[1116]

Several commenters objected to the proposed mandatory testing requirement for SCI ATSs.[1117] For example, two commenters suggested that few ATSs are critical enough to warrant inclusion in the proposed mandatory testing requirement.[1118] One commenter urged that only SCI entities that provide market functions on which other market participants depend be subject to the requirements for separate backup and recovery capabilities.[1119] Another commenter stated that the added benefit of requiring fully redundant backup systems is almost impossible to measure while the cost of implementation is significant, and added further that fully redundant systems and increased testing do not guarantee a flawless backup plan.[1120]

Two commenters stated that the current voluntary coordinated testing organized by SIFMA [1121] already attracts significant participation without any mandate in place.[1122] However, a different commenter noted the difficulties it has encountered in fostering participation in its voluntary disaster recovery exercises, and stated that, despite encouraging users to participate in its disaster recovery exercises, participation levels were only 20 percent of its targeted high volume client base.[1123] One commenter sought clarification on whether the requirements of proposed Rule 1000(b)(9) would apply only to trading and clearance systems, or would extend to other SCI systems as well.[1124] Two commenters asked whether third parties that perform critical market functions for an SCI entity, such as data vendors and service bureaus, would be subject to the proposed requirement.[1125] One commenter stated that testing by an SCI entity of its business continuity capabilities should not be required to be coordinated with members.[1126] According to this commenter, “[t]he entire point of [business continuity plan testing] would be to not coordinate it with customers, and assess whether operations out of [backup] facilities was seamless to members and other market participants.” [1127] One commenter stated that it would be more appropriate for SCI entities' members and participants to be responsible for their own business continuity plans and testing.[1128] The Commission has carefully considered commenters' views on the need for all SCI entities to be subject to the proposed mandatory testing requirement. The Commission continues to believe that adopted Rule 1004 should apply to all SCI entities.

Whereas adopted Rule 1001(a)(2)(v) requires that each SCI entity's policies and procedures include BC/DR plans and specifies recovery goals and geographic diversity requirements for such plans,[1129] adopted Rule 1004 sets forth certain minimum requirements for SCI entity testing of its BC/DR plans. Adopted Rule 1004, like proposed Rule 1000(b)(9), aims to reduce the risks associated with an SCI entity's decision to activate its BC/DR plans and help to ensure that such plans operate as intended, if activated, by requiring that an SCI entity include participation by certain members and participants in testing of the SCI entity's BC/DR plans. Although some commenters, including several ATSs, argued that ATSs should be excluded from requiring members or participants to test because, according to these commenters, ATSs are less critical to the orderly functioning of the markets than other SCI entities,[1130] the Commission believes that eliminating any category of SCI entity—including SCI ATSs—from the testing requirement would undermine the goal of maintaining fair and orderly markets in the wake of a wide-scale disruption, and assuring the smooth and effective implementation of an SCI entity's BC/DR plans.[1131] The Commission continues to believe that a testing participation requirement will help an SCI entity to ensure that its efforts to develop effective BC/DR plans are not undermined by a lack of participation by members or participants that the SCI entity believes are necessary to the successful activation of such plans.[1132] As stated in the SCI Proposal, the Commission believes that a factor in the shutdown of the equities and options markets in the wake of Superstorm Sandy was the exchanges' belief regarding the inability of some market participants to adequately operate from the backup facilities of all market centers.[1133] And, although testing protocols were in place and the chance to participate in such testing was available, the member participation rate was low.[1134] The Commission does not agree with comments that seamless operation of backup facilities should not require coordination of testing, or that the fact that members and participants have their own BC/DR plans and testing means that they should not be required, if designated, to participate in the testing of an SCI entity's BC/DR plans.[1135] The Commission continues to believe that testing of the effectiveness of back-up arrangements in recovering from a wide-scale disruption is a sound principle, and that, without the participation of significant members or participants of SCI entities, the effectiveness of such testing could be undermined. Based on its experience with the ARP Inspection Program, the Commission understands that many SCI entities have already made significant investments in their backup facilities.[1136] The Commission believes that the requirements of Rule 1004 will help to ensure that such facilities will be effective in the event they are needed.[1137]

In response to commenters who questioned the need for mandatory participation by SCI entity members and participants,[1138] the Commission believes that current voluntary industry-led testing has been useful because it annually brings together a wide variety of market participants, including many SCI entities, and involves a range of asset classes.[1139] The current industry-led testing program coordinated by SIFMA therefore could provide a foundation for the development of the testing required by Rule 1004. However, because participation rates by members and participants in voluntary testing generally have been low, the Commission believes that a mandatory participation requirement is the best means to achieve effective and coordinated BC/DR testing with assured participation by the more significant SCI entity members and participants.[1140] In addition, although the Commission generally agrees with the comment that “[i]t is vital that as many firms as possible participate in [market-wide] testing with conditions as realistic as possible,” [1141] because of the burden and costs of requiring participation by all SCI entity members and participants, regardless of their market significance, the Commission believes it is appropriate to adopt a more measured approach to mandatory participation in BC/DR testing.[1142] The Commission is therefore adopting a BC/DR testing designation requirement that applies to all SCI entities, but does not apply to all members and participants of SCI entities, as discussed below.[1143]

ii. SCI Entity Designation of Members or Participants for Participation in BC/DR Testing—Rules 1004(a)-(c)

Several commenters raised concerns about the proposed requirement that SCI entities exercise discretion to designate members or participants for participation in coordinated BC/DR testing under proposed Rule 1000(b)(9).[1144] After careful consideration of the views of commenters, the Commission is adopting the requirement that SCI entities designate certain members or participants to participate in testing BC/DR plans with certain modifications from the proposal. As proposed, the rule would have required each SCI entity to designate those members or participants it “deems necessary, for the maintenance of fair and orderly markets in the event of the activation of its business continuity and disaster recovery plans . . .” The Commission has determined instead to require that each SCI entity designate those members or participants “that the SCI entity reasonably determines are, taken as a whole, the minimum necessary for the maintenance of fair and orderly markets in the event of the activation of such plans.” This change is broadly consistent with the suggestion of one commenter to revise the criteria for designation to those firms “critical to the operation of the SCI entity.” [1145] However, the Commission believes that the adopted standard is more appropriate in that it focuses on the ability of the SCI entity to maintain fair and orderly markets under its BC/DR plan.[1146]

Several commenters suggested eliminating SCI entity discretion and setting forth in the rule clear, objective criteria (such as trading volume) for which members or participants would be required to participate in testing.[1147] One commenter suggested that the Commission require that all members or participants that represent a meaningful percentage of the volume in the marketplace participate in the testing in order to capture the more significant market participants, while recognizing the financial burden such testing may pose for smaller entities.[1148] This commenter believed that giving discretion to SCI entities in this area might lead to regulatory arbitrage and a race to the bottom regarding how many and which members or participants are designated to participate in testing.[1149] On the other hand, another commenter stated that the discretion contemplated by the proposal keeps the rule flexible enough to accommodate SCI entities conducting a diverse range of business activities.[1150] This commenter also suggested that SCI entities should not be required to report to the Commission who they have designated to test, and instead should only be required to keep a record of who they have designated.[1151]

In response to commenters who were concerned about the discretionary aspect of the designation requirement,[1152] the Commission believes the SCI entity is in the best position to determine which of its members or participants collectively represent sufficient liquidity for the SCI entity to maintain fair and orderly markets in a BC/DR scenario following a wide-scale disruption. The Commission believes such determinations require the exercise of reasonable judgment by each SCI entity, and are not well-suited for a “one-size-fits-all” objective measure determined by the Commission. For example, if the Commission were to establish an objective measure (e.g., based on a specified percentage of trading volume), it might represent a meaningful percentage for some SCI entities, but not for others. Thus, the rule requires that each SCI entity establish standards for the designation of those members or participants that the SCI entity “reasonably” determines are, taken as a whole, the minimum necessary for the maintenance of fair and orderly markets in the event of the activation of its BC/DR plans. This adopted provision is in lieu of the proposed requirement, which would have required an SCI entity to designate those members or participants it “deems necessary” for the maintenance of fair and orderly markets in the event of the activation of its BC/DR plans. Because the adopted rule requires an SCI entity's determination to be reasonable, it provides some degree of flexibility to SCI entities but also imposes a check on SCI entity discretion, which the Commission believes should help prevent an SCI entity's designations from being overly limited.
In response to concerns that a discretionary designation requirement would lead to regulatory arbitrage and a race to the bottom regarding how many and which members or participants are designated to participate in testing, the Commission believes that this is unlikely to occur because each SCI entity will be subject to the same requirement and will be required to make a reasonable determination that the designated members or participants are those that are the minimum necessary for it to maintain fair and orderly markets in the event of activation of its BC/DR plans. Further, the Commission believes that broad participation in BC/DR testing will enhance the utility of the testing, and that allowing non-designated members or participants the opportunity to participate in such testing generally will further this goal. Therefore, the Commission encourages SCI entities to permit non-designated members or participants to participate in the testing of the SCI entity's BC/DR plans if they request to do so.

Consistent with the recommendation of one commenter, however, the Commission has determined not to require that each SCI entity notify the Commission of its designations and its standards for designation on Form SCI as proposed. Instead, an SCI entity's standards, designations, and updates, if applicable, would be part of its records and therefore available to the Commission and its staff upon request.[1153] Unlike de minimis systems disruptions and de minimis systems intrusions, which may occur with regularity (and for which a quarterly summary report would aid Commission oversight of systems whose proper functioning is central to the maintenance of fair and orderly markets), the establishment of standards for designation, the designations themselves, and updates to such standards or designations are likely to occur less frequently. Thus, the Commission believes it is sufficient for the Commission to review records relating to such designations when the Commission determines that it is necessary to do so to fulfill its oversight role, such as during its examination of an SCI entity.[1154] More broadly, the Commission believes this revision is generally consistent with modifications that the Commission has made in response to comment that proposed Regulation SCI would have required unnecessary and burdensome notice and reporting submissions.

Some commenters questioned whether many SCI entities, particularly non-SROs and ATSs, have the authority to require their members or participants to participate in such testing.[1155] Another commenter more generally stated that it was unclear how an SCI entity could enforce a requirement that its customers engage in BC/DR testing.[1156] In response to these comments, the Commission believes that SCI SRO rulemaking authority and non-SRO contractual arrangements would enable SCI entities to implement this requirement.[1157] Specifically, SROs have the authority, and legal responsibility, under Section 6 of the Exchange Act, to adopt and enforce rules (including rules to comply with Regulation SCI's requirements relating to BC/DR testing) applicable to their members or participants that are designed to, among other things, foster cooperation and coordination with persons engaged in regulating, clearing, settling, processing information with respect to, and facilitating transactions in securities, to remove impediments to and perfect the mechanism of a free and open market and a national market system, and, in general, to protect investors and the public interest.[1158] Further, SCI entities that are not SROs have the ability to include provisions in their contractual agreements with their participants (such as their subscriber or participant agreements) requiring such parties to engage in BC/DR testing.

Other commenters focused on the potential impact of the rule on the members or participants designated to participate in testing. One commenter pointed out that, without clearly defined industry level coordination, some members or participants may be overburdened by being subject to multiple individual tests with various SCI entities.[1159] Another commenter asked the Commission to clarify what the obligation is for firms that are members or participants at multiple SCI entities.[1160] Several commenters expressed concern that the Commission underestimated the costs and burdens of the proposed testing.[1161] According to some of these commenters, under the proposal, certain firms, such as market makers and other firms performing important market functions, could be required to maintain connections to the backup sites of a number of SCI entities, at significant cost.[1162] A group of commenters requested that the scope be targeted to only cover those instances in which an SCI entity determines to enact its disaster recovery plans.[1163] One commenter agreed that the designation requirement could be relaxed and still achieve the provision's aim, because the bulk of the liquidity at a market center is provided by a small number of firms.[1164] Another commenter asked the Commission to give designated firms the ability to opt-out if they have a good reason.[1165]

The Commission believes that adoption of a more focused designation requirement that requires SCI entities to exercise reasonable discretion to identify those members or participants that, taken as a whole, are the “minimum necessary” for the maintenance of fair and orderly markets in the event of the activation of such plans is likely to result in a smaller number of SCI entity members or participants being designated for participation in testing as compared to the SCI Proposal. Because the Commission believes that SCI entities have an incentive to limit the imposition of the cost and burden associated with testing to the minimum necessary to comply with the rule, it also believes that, given the option, most SCI entities would, in the exercise of reasonable discretion, prefer to designate fewer members or participants to participate in testing, than to designate more. On balance, the Commission believes that the adopted rule will incentivize SCI entities to designate those members and participants that are in fact the minimum necessary for the maintenance of fair and orderly markets in the event of the activation of their BC/DR plans, and that this should reduce the number of designations to which any particular member or participant would be subject, as compared to the SCI Proposal, and would potentially simplify efforts for SCI entities to coordinate BC/DR testing, as required by adopted Rule 1004(d). Despite the modifications from the proposal, it remains possible, as some commenters noted, that firms that are members of multiple SCI entities will be the subject of multiple designations, and that multiple designations could require certain firms to maintain connections to and participate in testing of the backup sites of multiple SCI entities.
The Commission believes this possibility, though real, may be mitigated by the fact that multiple designations are likely to be made to firms that are already connected to one or more SCI entity backup facilities, since they represent significant members or participants of the applicable SCI entities; and that, because some SCI entity backup facilities are located in close proximity to each other, multiple connections to such backup facilities may be less costly than if SCI entity backup facilities were not so located. The Commission recognizes that there will be greater costs to a firm being designated by multiple SCI entities to participate in the testing of their BC/DR plans than to a firm designated by only one SCI entity. However, the Commission believes that these greater costs are warranted for such firms, as they represent significant participants in each of the SCI entities for which they are designated, and their participation in the testing of each such SCI entity's BC/DR plans is necessary to evaluate whether such plans are reliable and effective. The designation of a firm to participate in the BC/DR testing of an SCI entity means that such firm is significant, as the SCI entity has reasonably determined it to be included in the set of its members or participants that is, “taken as a whole, the minimum necessary for the maintenance of fair and orderly markets in the event of the activation of such plans.” Nonetheless, the Commission acknowledges that there may be instances in which an SCI entity has reasonably designated a firm to participate in BC/DR testing, and the firm is unwilling to bear the cost of participation in BC/DR testing with a given SCI entity. In such instances, there may be firms that opt out of such testing by withdrawing as a member or subscriber of one or more SCI entities, but the Commission believes that is unlikely. 
In particular, the Commission believes that it is unlikely that a firm determined to be significant enough to be designated to participate in testing by an SCI entity would choose to withdraw its membership or participation in an SCI entity solely because of the costs and burdens of Regulation SCI's BC/DR testing provisions. The Commission also believes that such firm is likely to be a larger firm with greater resources and a significant level of participation in such SCI entity, and is likely to already be connected to the backup facility of the SCI SRO that is designating it to test.[1166] Moreover, the Commission does not agree with the suggestion made by one commenter that the Commission give designated firms the ability to “opt-out” if they have a good reason,[1167] because the ability to opt-out in this manner would render participation in BC/DR testing voluntary which, as discussed above, is unlikely to result in adequate BC/DR testing.[1168] The Commission continues to believe, as stated in the SCI Proposal, that “unless there is effective participation by certain of its members or participants in the testing of [BC/DR] plans, the objective of ensuring resilient and available markets in general, and the maintenance of fair and orderly markets in particular, would not be achieved.” [1169] Although the Commission recognizes that testing of a BC/DR plan does not guarantee flawless execution of that plan, the Commission believes that a tested plan is likely to be more reliable and effective than an inadequately tested plan.[1170]

iii. Scope, Timing, and Frequency of BC/DR Testing—Rule 1004(b)

The SCI Proposal specified that the type of testing for which designees would be required to participate was “scheduled functional and performance testing of the operation of [BC/DR] plans, in the manner and frequency specified by the SCI entity, at least once every 12 months.” [1171] After careful consideration of the views of commenters, the Commission is adopting the scope, frequency, and timing requirements in the rule as proposed. Specifically, adopted Rule 1004(b) requires that an SCI entity's designees participate in “scheduled functional and performance testing of the operation of [BC/DR] plans, in the manner and frequency specified by the SCI entity, provided that such frequency shall not be less than once every 12 months.”

In the SCI Proposal, the Commission noted that functional testing is commonly understood to examine whether a system operates in accordance with its specifications, whereas performance testing examines whether a system is able to perform under a particular workload.[1172] The Commission added that functional and performance testing should include not only testing of connectivity, but also testing of an SCI entity's systems, such as order entry, execution, clearance and settlement, order routing, and the transmission and/or receipt of market data, as applicable, to determine if they can operate as contemplated by its business continuity and disaster recovery plans.[1173] With regard to the proposed scope of testing, several commenters expressed specific concerns about the requirement for “functional and performance” testing of BC/DR plans.[1174] Specifically, one commenter expressed concern about the logistical challenges of conducting functional and performance testing at the same time.[1175] Two commenters expressed concern that requiring firms to perform industry-wide, end-to-end testing by processing transactions in their disaster recovery systems would introduce risk to the markets because such testing would increase the chance that test transactions could inadvertently be introduced into production systems.[1176] Another commenter stated that a full functional test across all primary and recovery data centers for any significant number of members or participants would require substantial time to conduct and may require market downtime, as would a full performance test.[1177] One group of commenters suggested that the scope of the requirement should be revised to only cover “functional and operational testing” of disaster recovery plans, but requested additional guidance with regard to the scope of testing required to establish the effectiveness of disaster recovery plans.[1178] This group of commenters expressed concern about the “complexity and cost associated with establishing an effective coordinated test script that captures the significant number of possibilities that may occur to each significant market participant or SCI entity” and recommended that the scope of the coordinated functional and operational testing requirements be revised to cover those instances in which an SCI entity determines to enact its disaster recovery plan.[1179] Two commenters believed the tests should be “scenario-based” to recreate as closely as possible the actual conditions that would trigger widespread use of BC/DR plans.[1180]

Adopted Rule 1004(b) provides that the scope of required testing is “functional and performance testing of the operation of BC/DR plans.” As stated in the SCI Proposal, such functional and performance testing should include not only testing of connectivity, but also testing of an SCI entity's systems, such as order entry, execution, clearance and settlement, order routing, and the transmission and/or receipt of market data, as applicable, to determine if they can operate as contemplated by its business continuity and disaster recovery plans.[1181] In response to commenters expressing concern about the breadth of the requirement, the Commission notes that the rule requires functional and performance testing of the “operation of [BC/DR] plans.” While the type of testing required by adopted Rule 1004(b) is more rigorous than some types of testing urged by some commenters, the Commission does not believe that the requirement for “functional and performance testing of the operation of such plans” requires additional testing that is as burdensome as that feared by some of those commenters. Importantly, “functional and performance testing of the operation of [BC/DR] plans” entails testing that goes beyond communication and connectivity testing, and beyond validation testing, which are more limited types of testing urged by some commenters. 
But the requirement to conduct “functional and performance testing of the operation of [BC/DR] plans” does not mean that a full test of the functional and performance characteristics of each backup facility is required to be conducted all at once and in coordination with other SCI entities all at the same time, as some commenters characterized the proposed requirement.[1182] Specifically, the Commission notes that the testing of BC/DR plans, which is required by Rule 1004, is different from testing of the function and performance of backup facilities generally.[1183] What Rule 1004 requires is coordinated testing to evaluate annually whether such backup facilities of SCI entities can function and perform in accordance with the operation of BC/DR plans in the event of wide-scale disruption. In addition, the Commission notes that performance testing, which examines whether a system is able to perform under a particular workload, is not synonymous with “stress testing,” in which capacity limits are tested, and therefore should not require as much time to conduct as one commenter suggested.

In response to commenters concerned that the required testing would necessitate system reconfigurations,[1184] the Commission understands that the requirement to test backup facilities may require technology adjustments to permit testing activity to be processed by BC/DR systems, and believes that such adjustments to permit testing are warranted to achieve the goal, as discussed above, of achieving reliable and effective BC/DR plans at SCI entities. The Commission also believes that such system reconfigurations would be less burdensome than a Commission rule requiring the establishment of a dedicated environment for safe end-to-end testing that accurately simulates the trading environment, which some commenters suggested might be appropriate. One group of commenters noted the “complexity and cost associated with establishing an effective coordinated test script,” and urged that the scope of the coordinated testing be “narrowed to cover those instances in which an SCI entity determines to enact its disaster recovery plan.” The Commission acknowledges that establishment of an effective coordinated test script will involve some costs and complexity, but believes that this is an important first step in establishing robust and effective testing under the rule. The Commission encourages SCI entities to develop one or more test scripts contemplating a wide-scale disruption and the enactment by SCI entities in the region of the wide-scale disruption of their BC/DR plans.

Further, the Commission notes that neither Rule 1001(a) nor Rule 1004 requires that an SCI entity's BC/DR plan specify that its backup site must fully replicate the capacity, speed, and other features of the primary site. Similarly, SCI entity members and participants are not required by Regulation SCI to maintain the same level of connectivity with the backup sites of an SCI entity as they do with the primary sites.[1185] In the event of a wide-scale disruption in the securities markets, the Commission acknowledges that an SCI entity and its members or participants may not be able to provide the same level of liquidity as on a normal trading day. In addition, the Commission recognizes that the concept of “fair and orderly markets” does not require that trading on a day when business continuity and disaster recovery plans are in effect will reflect the same levels of liquidity, depth, volatility, and other characteristics of trading on a normal trading day. Nevertheless, the Commission believes it is critical that SCI entities and their designated members or participants be able to operate with the SCI entities' backup systems in the event of a wide-scale disruption. Therefore, Rule 1004 requires that an SCI entity's BC/DR plan that meets the requirements of Rule 1001(a)(2)(v) be tested for both its functionality and performance as specified by the SCI entity's BC/DR plan.

In addition, several commenters addressed testing more generally.[1186] For example, some commenters urged that comprehensive, industry-wide, end-to-end testing could be enhanced if there were uniform test tickers supported by the testing infrastructure at all SCI entities.[1187] Two commenters urged the establishment of principles for end-to-end, integrated testing.[1188] Specifically, one of these commenters suggested that SCI entities, the Commission, and relevant third parties think about how to establish a dedicated environment where end-to-end testing could be done safely, and where it could accurately simulate the trading environment.[1189] This commenter also suggested that testing plans concentrate on high volume periods, stress test common order types, and focus on securities that generally experience low liquidity.[1190] This commenter believed that industry-wide testing should include derivatives and cross-asset scenarios, and possibly include some involvement by foreign regulators and markets as well.[1191] While the suggestions of these commenters are not inconsistent with the rule's requirement for functional and performance testing of BC/DR plans, the Commission has determined not to require them because the Commission does not believe, at this time, that these suggestions are necessary in every instance to achieve reliable and effective BC/DR plans at SCI entities. However, to the extent an SCI entity believes them to be appropriate for its systems, these suggestions could be utilized in its BC/DR plans testing.

Importantly, the adopted rule does not prescribe how SCI entities are to develop plans for functional and performance testing of order entry, execution, clearance and settlement, order routing, and the transmission and/or receipt of market data, as applicable, to determine if these functions can operate as contemplated by SCI entity BC/DR plans. Thus, as with the proposed requirement, the adopted rule provides an SCI entity with discretion to determine the precise manner and content of the BC/DR testing required pursuant to Rule 1004, and SCI entities have discretion to determine, for example, the duration of the testing, the sample size of transactions tested, the scenarios tested, and the scope of the test. Therefore, while comments urging the creation of uniform test tickers, establishment of principles for end-to-end testing, mandatory types of test scripts, and cross-asset and cross-jurisdictional coordination are matters that SCI entities may wish to consider in implementing the testing required by the rule, the Commission does not believe it is appropriate to mandate such details in Regulation SCI. To do so would be more prescriptive than the Commission believes is appropriate, as this requirement is designed to provide SCI entities flexibility and discretion in determining how to meet it. The Commission believes that the adopted testing requirement will help to improve securities market infrastructure resilience by helping to ensure not only that an SCI entity can operate following an event that triggers its BC/DR plans, but also that it can do so with a greater level of confidence that its core members or participants are also ready based on experience during testing. The Commission is adopting Rule 1004(b) substantively as proposed because it gives SCI entities discretion to develop a test that meets the requirements of the rule.

One commenter recommended requiring that each entity be run entirely under its backup plan at least one day a year for a full trading day, and that the entire market run off of the backup sites at least once a year.[1192] While adopted Rule 1004 would not preclude this approach, the Commission notes that other commenters disagreed with the wisdom of it.[1193] Specifically, one group of commenters stated that the risks of testing in a “live production environment on a periodic basis” outweigh the benefits.[1194] Another commenter stated that requiring SCI entities to operate using their backup facilities would increase the risk of erroneous quotes and orders entering the marketplace.[1195]

After careful consideration of these comments, the Commission has determined not to prescribe the time of day or week during which testing shall occur. In addition, the adopted rule neither requires an SCI entity to test its BC/DR plan in live production nor prohibits it from doing so, if the SCI entity determines such a method of testing to be appropriate. The Commission continues to believe that SCI entities are in the best position to structure the details of the test in a way that would maximize its utility.

With respect to testing frequency, one commenter agreed with the proposal that an SCI entity's BC/DR plans, including its backup systems, be tested “at least once every 12 months.” [1196] One commenter stated that the rule should explicitly set forth the required frequency of testing.[1197] One commenter believed that two coordinated industry tests per year would be more appropriate.[1198] One commenter believed that testing once per year is arbitrary, and suggested that a risk-based approach might justify testing certain systems with more or less frequency.[1199]

The Commission is adopting as proposed the requirement that testing occur not less than once every 12 months. Although commenters offered differing views on the appropriate frequency for the required testing,[1200] the Commission continues to believe that a testing frequency of once every 12 months is an appropriate minimum frequency that encourages regular and focused attention on the establishment of meaningful and effective testing. In the context of coordinated BC/DR testing, the Commission believes the key is for testing to occur regularly enough to offer practical utility in the event of a wide-scale disruption without imposing undue cost, and that a minimum frequency of one year achieves this balance. This requirement does not prevent SCI entities from testing more frequently, but rather is intended to give SCI entities the flexibility to test their BC/DR plans, including their backup systems, at more frequent intervals if they find it appropriate to do so.

iv. Industry- or Sector-Wide Coordination—Rule 1004(d)

Proposed Rule 1000(b)(9)(a)(ii) specified that an SCI entity would be required to coordinate the testing of BC/DR plans on an industry- or sector-wide basis with other SCI entities. The Commission received significant comment on this aspect of the proposal.

Two commenters supported the coordinated testing requirement.[1201] Specifically, one of these commenters stated that a coordination requirement targets an area where technology risks have left the markets more vulnerable, namely, the complex ways that firms interact.[1202] This commenter favored market-wide testing as a way to better manage that risk.[1203] This commenter also stated that coordination is vital because the more SCI entities and member firms that participate in testing, the more realistic that testing will be.[1204] Another commenter noted that one of the most important steps in validating and maintaining systems integrity is an effective BC/DR model and urged the Commission to promptly advance a program to introduce a new and more comprehensive BC/DR testing paradigm.[1205]

In contrast, some commenters opposed the proposed comprehensive, coordinated testing structure.[1206] Some commenters stated that coordinating testing presents significant technological and logistical challenges that need to be weighed carefully.[1207] One commenter stated that coordinated testing is a good aspirational goal, but expressed concern that too much is outside of the control of an individual SCI entity, and therefore the rule should, at most, require SCI entities to attempt to coordinate such testing.[1208] Another commenter stated that the fixed-income market is so fragmented that coordinated testing is difficult to conduct and much less imperative.[1209]

Some commenters offered suggestions on how to improve the proposed coordination requirement. One commenter urged that coordination only be required among providers of singular services in the market (i.e., exchanges that list securities, exclusive processors under NMS plans, and clearing and settlement agencies).[1210] Some commenters believed that coordination would work best if it was organized by an entity with regulatory authority over SCI entities, or by an organization designated by the Commission to fulfill that role.[1211] One such commenter supported coordinating testing through a Commission-approved plan, provided SCI entities have the right to maintain the confidentiality of certain critical information.[1212] Another commenter recommended that the Commission work with the CFTC to adopt a coordinated approach to dealing with technology issues across financial markets, including through participation by derivatives exchanges in testing alongside their equity markets counterparts.[1213]

After careful consideration of the comments, the Commission has determined to adopt the coordination requirement as proposed. Specifically, Rule 1004(d) requires that an SCI entity “coordinate the testing of [BC/DR] plans on an industry- or sector-wide basis with other SCI entities.” The Commission recognizes that coordinating industry- or sector-wide testing among SCI entities and their designated members or participants may present logistical challenges. Because of these challenges, the Commission does not believe that a more prescriptive approach is warranted. Instead, the coordination requirement provides discretion to SCI entities to determine how to meet it.

The Commission does not agree with commenters suggesting that the Commission should assume leadership on the organization of coordinated testing, designate an organization to fulfill that role, or require a “Commission-approved plan” for testing, because it believes at this time that SCI entities can achieve coordination more quickly and efficiently without the imposition of a formal procedural framework that these suggestions would entail.[1214] In response to comment suggesting that coordination should be aspirational rather than required, the Commission believes that, because trading in the U.S. securities markets today is dispersed among a wide variety of exchanges, ATSs, and other trading venues, and is often conducted through sophisticated trading strategies that access many trading platforms simultaneously, requiring SCI entities to coordinate testing would result in testing under more realistic market conditions.[1215] The Commission also continues to believe that it would be more cost-effective for SCI entity members and participants to participate in testing of SCI entity BC/DR plans on an industry- or sector-wide basis than to test with each SCI entity on an individual basis because such coordination would likely reduce duplicative testing efforts.[1216] In addition, if SCI entities that are “providers of singular services” in the markets (i.e., which the Commission believes would be synonymous with SCI entities that are providers of “critical SCI systems”) lead coordination efforts on behalf of all SCI entities, such an approach would not be impermissible under Rule 1004(d), provided all SCI entities agreed to such an approach.

In response to commenters who more generally expressed concern about the rule subjecting SCI entity members and participants to multiple duplicative and costly testing requirements,[1217] the Commission notes that the flexibility provided in the adopted coordination requirement, in tandem with the more focused adopted mandatory designation requirement, should mitigate these concerns. As discussed above, adoption of a more focused designation requirement that requires SCI entities to exercise reasonable discretion is likely to reduce the extent to which SCI entity member or participant designations overlap and possibly result in a smaller number of SCI entity members or participants being designated for participation in testing than contemplated by the SCI Proposal, and fewer members or participants designated to participate in testing should simplify efforts to coordinate testing. However, as some commenters noted, it remains possible that, despite coordination, some firms that are members of multiple SCI entities may be designated to participate in testing with multiple SCI entities at greater cost than if they had been designated by only one SCI entity, and may be required to test more than once annually, as this may be necessary for each SCI entity to meet its obligations under the rule. Though the Commission recognizes that the possibility of being designated by multiple SCI entities to participate in the testing of their BC/DR plans may be costly, the Commission ultimately believes that such a cost is appropriate to help ensure that the BC/DR plan of each SCI entity is useful and effective. If, for example, a firm is designated for mandatory testing by multiple SCI entities, it would be so designated because each such SCI entity determines that such firm is necessary to the successful activation of its BC/DR plan. The Commission recognizes that it is conceivable that a firm that is required to participate in testing with multiple SCI entities assesses the costs and burdens of participating in every such test to be too great, and makes its own business decision to withdraw its membership or participation in one or more such SCI entities so as to avoid the costs and burdens of such testing, but believes such a scenario to be unlikely. Specifically, the Commission believes that it is unlikely that a firm determined to be significant enough to be designated to participate in testing by an SCI entity (even a smaller SCI entity) would choose to withdraw its membership or participation in an SCI entity solely because of the costs and burdens of Regulation SCI's BC/DR testing provisions. The Commission also believes that such a firm is likely to be a larger firm with greater resources and a significant level of participation in such SCI entity, and is likely to already be connected to the backup facility of the SCI SRO that is designating it to test. The Commission continues to believe that SCI entities are best suited to find the most efficient and effective manner in which to test their BC/DR plans.[1218]

Furthermore, the Commission is also adopting a longer compliance period with regard to the industry- or sector-wide coordinated testing requirement in adopted Rule 1004(d).[1219] Specifically, SCI entities will have 21 months from the Effective Date to coordinate the testing of an SCI entity's business continuity and disaster recovery plans on an industry- or sector-wide basis with other SCI entities pursuant to adopted Rule 1004(d). In sum, the Commission believes that Rule 1004, as adopted, will enhance the resilience of the infrastructure of the U.S. securities markets.

C. Recordkeeping, Electronic Filing on Form SCI, and Access—Rules 1005-1007

Adopted Rules 1005 through 1007 specify several additional requirements of Regulation SCI relating to recordkeeping and electronic filing and submission. As discussed below, the Commission has determined not to adopt the proposed provision regarding Commission access to the systems of an SCI entity because the Commission can adequately assess an SCI entity's compliance with Regulation SCI through existing recordkeeping requirements and examination authority, as well as through the new recordkeeping requirement in Rule 1005 of Regulation SCI.

1. Recordkeeping—Rules 1005-1007

a. Recordkeeping Related to Compliance With Regulation SCI—Rule 1005

Proposed Rule 1000(c) required SCI SROs to make, keep, and preserve all documents relating to their compliance with Regulation SCI, as prescribed in Rule 17a-1 under the Exchange Act. Proposed Rule 1000(c) required SCI entities other than SCI SROs to: Make, keep, and preserve at least one copy of all documents relating to their compliance with Regulation SCI; keep these documents for not less than five years, the first two years in a place that is readily accessible to the Commission or its representatives for inspection and examination; and promptly furnish to Commission representatives [1220] copies of any of these documents upon request. Further, proposed Rule 1000(c) provided that, upon or immediately prior to ceasing to do business or ceasing to be registered under the Exchange Act, an SCI entity must ensure that the required records are accessible to the Commission and its representatives in a manner required by Rule 1000(c) for the remainder of the period required by Rule 1000(c).

The Commission received one comment letter supporting proposed Rule 1000(c).[1221] The Commission is adopting Rule 1000(c) as proposed, but re-designated as Rule 1005.[1222]

As noted in the SCI Proposal, SCI entities are already subject to recordkeeping requirements,[1223] but records relating to Regulation SCI may not be specifically addressed in certain current recordkeeping rules.[1224] As adopted, Rule 1005 specifically addresses recordkeeping requirements for SCI entities with respect to records relating to Regulation SCI compliance.

With respect to SCI SROs, Rule 17a-1(a) under the Exchange Act requires every national securities exchange, national securities association, registered clearing agency, and the MSRB to keep and preserve at least one copy of all documents, including all correspondence, memoranda, papers, books, notices, accounts, and other such records as shall be made and received by it in the course of its business as such and in the conduct of its self-regulatory activity.[1225] In addition, Rule 17a-1(b) requires these entities to keep all such documents for a period of not less than five years, the first two years in an easily accessible place, subject to the destruction and disposition provisions of Rule 17a-6.[1226] Rule 17a-1(c) requires these entities, upon request of any representative of the Commission, to promptly furnish to the possession of Commission representatives copies of any documents required to be kept and preserved by it pursuant to Rules 17a-1(a) and (b).[1227] Therefore, as noted in the SCI Proposal, the breadth of Rule 17a-1 under the Exchange Act is such that it would require SCI SROs to make, keep, and preserve records relating to their compliance with Regulation SCI.[1228] The Commission continues to believe that it is appropriate to cross-reference Rule 17a-1 in Rule 1005 to be clear that all SCI entities are subject to the same recordkeeping requirements regarding compliance with Regulation SCI. The Commission also continues to believe that it is appropriate to adopt recordkeeping requirements for SCI entities other than SCI SROs that are consistent with the recordkeeping requirements applicable to SROs under Rule 17a-1 under the Exchange Act. The Commission believes it is important to require such records be kept at both SCI SROs and SCI entities other than SCI SROs because such records are essential to understanding whether an SCI entity is meeting its obligations under Regulation SCI, to assess whether an SCI entity has appropriate policies and procedures with respect to its technology systems, to help identify the causes and consequences of an SCI event, and to understand the types of material systems changes occurring at an SCI entity.[1229]

Further, as noted above, the definitions of SCI system and indirect SCI system include systems operated “on behalf of” an SCI entity by third parties. An SCI entity retains legal responsibility for systems operated on its behalf and, as such, is responsible for producing to Commission representatives records required to be made, kept, and preserved under Regulation SCI, even if those records are maintained by third parties, and the SCI entity is responsible for ensuring that such third parties produce those requested documents, upon examination or other request. Accordingly, the Commission believes that an SCI entity should have processes and requirements in place, such as contractual provisions with a third party, to ensure that it is able to satisfy the requirements of Regulation SCI for systems operated on its behalf by a third party, including the recordkeeping requirements in Rule 1005.[1230] The Commission believes that if an SCI entity is unable to ensure compliance with Regulation SCI with regard to third party systems or recordkeeping, it should reassess its decision to outsource its systems or recordkeeping.

The Commission believes that Rule 1005 will facilitate its inspections and examinations of SCI entities and assist it in evaluating an SCI entity's compliance with Regulation SCI. In particular, Rule 1005 should facilitate Commission examination of SCI entities by helping to reduce delays in obtaining relevant records during an examination. Conversely, as noted in the SCI Proposal, the Commission's ability to examine for, and enforce compliance with, Regulation SCI could be hampered if an SCI entity were not required to keep its records adequately accessible for the full proposed retention period.

Further, while many SCI events may occur, be discovered, and be resolved in a short time frame, there may be other SCI events that may not be discovered until months or years after their occurrences, or may take significant periods of time to fully resolve. In such cases, having an SCI entity's records available even after it has ceased to do business or be registered under the Exchange Act would be beneficial. Because SCI events have the potential to negatively impact trade execution, price discovery, liquidity, and investor participation, the Commission believes that its ability to oversee the securities markets could be undermined if it is unable to review records to determine the causes and consequences of one or more SCI events experienced by an SCI entity that deregisters or ceases to do business. This information should provide an additional tool to help the Commission reconstruct important market events and better understand how such events impacted trade execution, price discovery, liquidity, and investor participation.

b. Service Bureau—Rule 1007

Proposed Rule 1000(e) required that, if the records required to be filed or kept by an SCI entity under Regulation SCI were prepared or maintained by a service bureau or other recordkeeping service on behalf of the SCI entity, the SCI entity ensure that the records are available for review by the Commission and its representatives by submitting a written undertaking, in a form acceptable to the Commission, by such service bureau or other recordkeeping service and signed by a duly authorized person at such service bureau or other recordkeeping service. Further, the written undertaking was required to include an agreement by the service bureau designed to permit the Commission and its representatives to examine such records at any time or from time to time during business hours, and to promptly furnish to the Commission and its representatives true, correct, and current electronic files in a form acceptable to the Commission or its representatives or hard copies of any, all, or any part of such records, upon request, periodically, or continuously and, in any case, within the same time periods as would apply to the SCI entity for such records. Proposed Rule 1000(e) also provided that the preparation or maintenance of records by a service bureau or other recordkeeping service would not relieve an SCI entity from its obligation to prepare, maintain, and provide the Commission and its representatives with access to such records.

The Commission did not receive any comments on proposed Rule 1000(e) and is adopting Rule 1000(e) as proposed, but re-designated as Rule 1007. As noted in the SCI Proposal, Rule 1007 is substantively the same as the requirement applicable to broker-dealers under Rule 17a-4(i) under the Exchange Act.[1231] The Commission continues to believe that this requirement will help ensure the Commission's ability to obtain required records that are held by a third party who may not otherwise have an obligation to make such records available to the Commission. In addition, the Commission continues to believe that the requirement that SCI entities obtain from such third parties a written undertaking will also help ensure that such service bureau or other recordkeeping service is aware of its obligation with respect to records relating to Regulation SCI. The Commission believes that this requirement will help ensure that the Commission has prompt and efficient access to all required records, including those housed at a service bureau or any other recordkeeping service.[1232]

2. Electronic Filing and Submission of Reports, Notifications, and Other Communications—Rule 1006

Proposed Rule 1000(d) required that, except with respect to notifications to the Commission made pursuant to proposed Rule 1000(b)(4)(i) (Commission notification of certain SCI events) or oral notifications to the Commission made pursuant to proposed Rule 1000(b)(6)(ii) (Commission notification of certain material systems changes), any notification, review, description, analysis, or report to the Commission required under Regulation SCI be submitted electronically on Form SCI and include an electronic signature. Proposed Rule 1000(d) also required that the signatory to an electronically submitted Form SCI manually sign a signature page or document, in the manner prescribed by Form SCI, authenticating, acknowledging, or otherwise adopting his or her signature that appears in typed form within the electronic filing. This document would be required to be executed before or at the time Form SCI is electronically submitted and would be required to be retained by the SCI entity in accordance with the recordkeeping requirements of Regulation SCI. The Commission is adopting Rule 1000(d) substantially as proposed, as discussed below, but re-designated as Rule 1006.

One commenter supported the electronic submission of Form SCI.[1233] One commenter suggested that the Commission should make clear that Regulation SCI filings do not need to be made in a tagged data format such as XBRL, which could be costly.[1234] Another commenter stated that the electronic signature requirement was appropriate only if the final rule included a safe harbor for good faith reporting of SCI events.[1235] According to this commenter, the requirement that there be an electronic signature and a manual signature could put SCI entity personnel at risk if it is later determined that there were factual errors, omissions, or other flaws in the initial filing.[1236]

After consideration of the comments, the Commission is adopting Rule 1000(d) substantially as proposed, and with updated internal cross references to reflect revisions to other aspects of Regulation SCI, as adopted. Specifically, Rule 1006 provides that notifications made pursuant to Rule 1002(b)(1) (immediate Commission notification of SCI events) and updates made pursuant to Rule 1002(b)(3) (updates regarding SCI events) are not required to be filed on Form SCI.[1237] As noted in the SCI Proposal, Rule 1006 is intended to provide a uniform manner in which the Commission would receive—and SCI entities would provide—written notifications, reviews, descriptions, analyses, or reports made pursuant to Regulation SCI.[1238] Rule 1006 should therefore allow SCI entities to efficiently draft and submit the required reports, and allow the Commission to efficiently review, analyze, and respond to the information provided.[1239] In addition, the Commission believes that filing Form SCI in an electronic format would be less burdensome and more efficient for SCI entities and the Commission than mailing and filing paper forms.[1240] Further, after considering comments regarding the burden of submitting Form SCI in a tagged data format such as XBRL, the Commission is not requiring the use of XBRL formatting for Form SCI. Rather, certain fields in Sections I-III of Form SCI will require information to be provided by SCI entities in a format that will allow the Commission to gather information in a structured manner (e.g., the submission type and SCI event type in Section I), whereas the exhibits to Form SCI will allow SCI entities to provide narrative responses, such as through a text format. The Commission also is specifying that documents filed through the EFFS system must be in a text-searchable format without the use of optical character recognition. If, however, a portion of a Form SCI submission (e.g., an image or diagram) cannot be made available in a text-searchable format, such portion may be submitted in a non-text-searchable format.[1241] The Commission believes that requiring documents to be submitted in a text-searchable format (with the limited exception noted) is necessary to allow Commission staff to efficiently review and analyze information provided by SCI entities. In particular, a text-searchable format allows Commission staff to better gather, analyze, and use data submitted as exhibits, whereas a non-text-searchable submission would require significantly more steps and labor to review and analyze. The Commission notes that word processing and spreadsheet applications that are widely used by many businesses, including SCI entities, generate documents in this format.

As noted above, one commenter stated that the electronic signature requirement was appropriate only if the final rule included a safe harbor for good faith reporting of SCI events. The Commission is adopting the electronic signature requirement as proposed. The Commission notes that, as discussed above in Section IV.B.3.c, immediate Commission notification following an SCI event and updates regarding the SCI event may be given orally; the 24-hour Commission notification is required to be made on a good faith, best efforts basis; and the final Commission notification is not required until the resolution of the SCI event and the completion of the SCI entity's investigation of the SCI event. The Commission also notes that the purpose of the electronic signature requirement on Form SCI is to ensure that the person submitting the form to the Commission has been properly authorized by the SCI entity to submit the form on its behalf.[1242] Therefore, the electronic signature requirement would not put SCI entity personnel at risk if the SCI entity later determines that there were factual errors, omissions, or other flaws in the initial filing. As such, the Commission does not agree with the comment that the electronic signature requirement was appropriate only if the final rule included a safe harbor for good faith reporting of SCI events.[1243]

Amendment To Facilitate Electronic Filing Requirements

In addition, to permit implementation of Rule 1006,[1244] the Commission is adopting an amendment to Rule 24b-2 under the Exchange Act.[1245] Rule 24b-2 currently provides that confidential treatment requests and the confidential portion of an electronic filing may be submitted in paper format only.[1246] The Commission is amending Rule 24b-2 by amending the rule's preliminary note, and paragraph (b) of the rule, to clarify that under Rule 24b-2, confidential treatment requests and the confidential portion of an electronic filing may be submitted in paper format only, unless Rule 24b-2 provides otherwise. The Commission also is adding a new paragraph (g) to Rule 24b-2 to provide an electronic means by which an SCI entity may request confidential treatment of its filings on Form SCI. New paragraph (g) will provide that an SCI entity's electronic filings on Form SCI pursuant to Regulation SCI must include any information with respect to which confidential treatment is requested (“confidential portion”), and provide that, in lieu of the procedures described in Rule 24b-2(b), an SCI entity may request confidential treatment of all information submitted on Form SCI by completing Section IV of Form SCI. The Commission's amendment provides an exception from Rule 24b-2's paper-only request for confidential treatment for all Form SCI filings, and specifically permits an SCI entity to electronically request confidential treatment of all information filed on Form SCI in accordance with Regulation SCI. The Commission believes that allowing for electronic submission of confidential treatment requests will reduce the burden on SCI entities by not requiring a separate paper submission and, provided the confidential treatment request is properly made, will expedite Commission review of the requests for confidential treatment, as all information submitted on Form SCI will be deemed to be the subject of the request for confidential treatment.

If such a confidential treatment request is properly made, the Commission will keep the information collected pursuant to Form SCI confidential to the extent permitted by law.[