SEC Proposes Major New Cybersecurity Rules for Market Participants
March 29, 2023
On March 15, 2023, the U.S. Securities and Exchange Commission (“SEC”) proposed three new cybersecurity rulemakings that, if adopted, would affect a wide range of market participants, including SEC-registered broker-dealers.
The first of the proposed rulemakings centers around a new proposed rule under the Exchange Act (“Proposed Rule 10”) which would impose new cybersecurity-related requirements on a wide range of market participants, including among others, broker-dealers, the Municipal Securities Rulemaking Board (the “MSRB”), the Financial Industry Regulatory Authority (“FINRA”), clearing agencies, national securities exchanges, and transfer agents.
The second of the proposed rulemakings is a series of amendments to Regulation Systems Compliance and Integrity under the Securities Exchange Act of 1934 (the “Exchange Act”) (“Reg SCI”), which applies to most self-regulatory organizations, ATSs meeting certain volume thresholds in NMS stocks and non-NMS stocks, plan processors, certain competing disseminators of consolidated market data, and certain exempt clearing agencies. The proposed amendment (“Proposed SCI Amendment”) (collectively with Proposed Rule 10, the “Proposals”) would expand the applicability of Reg SCI to include registered security-based swap data repositories (“SBSDRs”), certain “SCI broker-dealers” meeting either total asset thresholds or transaction activity thresholds in certain types of securities, and additional exempted clearing agencies. The Proposed SCI Amendment would also amend several specific requirements under Reg SCI, including imposing additional requirements related to systems classification, third-party/vendor management, cybersecurity, and other provisions.
The third proposed rulemaking involves amendments to the rules under the Exchange Act, the Investment Company Act of 1940 (the “40 Act”), and the Investment Advisers Act of 1940 (the “Advisers Act”), which require that certain institutions safeguard customer information and properly dispose of consumer report information. The proposed amendments (“Proposed S-P Amendment”) would broaden the existing safeguard and disposal rules and further require the adoption of an “incident response program.” We discuss the Proposed S-P Amendment further in a separate alert memorandum.
Key Takeaways from the Proposals
All Registered Broker-Dealers Would Be Required to Establish, Maintain, and Enforce Written Policies and Procedures Reasonably Designed to Address Their Cybersecurity Risks. Proposed Rule 10 would obligate all broker-dealers to have written policies and procedures to address their cybersecurity risks and, at least annually, review and assess the design and effectiveness of those policies and procedures. The scope of “cybersecurity risks” is broad and encompasses financial, operational, legal, reputational and other adverse consequences that could stem from cybersecurity incidents, cybersecurity threats, and cybersecurity vulnerabilities (all defined terms in Proposed Rule 10).
SEC Notifications Required for Significant Cybersecurity Incidents in Real Time. Proposed Rule 10 would require all Market Entities (a term that includes all registered broker-dealers) to notify the SEC “immediately” if they have a reasonable basis to conclude that a significant cybersecurity incident has occurred or is occurring. Covered Entities (a term—described below—that includes only certain broker-dealers) would also be required to file Part I of the Proposed Form SCIR to the SEC within 48 hours of establishing such reasonable basis, and would be required to continue filing amended Part I filings throughout the event. These Part I filings would not be made public.
Public Disclosures About Significant Cybersecurity Incidents Also Required. Proposed Rule 10 would require all Covered Entities to file Part II of the Proposed Form SCIR which requires, among other things, a summary description of each significant cybersecurity incident the entity experienced during the current or previous calendar year. Part II of the form would need to be updated “promptly” as events unfold with significant cybersecurity incidents. Part II would be disclosed publicly on EDGAR and would be required to be displayed on Covered Entities’ business websites.
Reg SCI’s Requirements Would Cover More Market Participants and Would Be Expanded Significantly. The Proposed SCI Amendment would expand the scope of market participants subject to the requirements of Reg SCI, including registered SBSDRs, certain “SCI broker‑dealers” meeting either total asset thresholds or transaction activity thresholds in certain types of securities, and additional exempted clearing agencies. SCI entities would be required to enhance their policies and procedures related to, among other things, SCI systems inventory, classification and lifecycle management, maintenance and security of SCI systems, as well as oversight of certain third-party service providers to covered systems. Reporting requirements for SCI events, as well as record keeping and annual review requirements, would also be increased. Each of these measures would carry significant initial and ongoing costs for affected entities.
Cybersecurity Requirements Overlap. The SEC has noted that the Proposed SCI Amendment overlaps with the Proposed Rule 10 and Reg S-P and, in many instances, compliance with the current and proposed cybersecurity requirements of Reg SCI.
Proposed Rule 10
Applicability
Proposed Rule 10 would impose sweeping cybersecurity-related requirements on a wide range of market participants, including every registered broker-dealer. Under the proposed rule, the broadest range of requirements would apply to “Covered Entities,” defined to include FINRA; the MSRB; national securities exchanges; certain SEC-registered broker-dealers; clearing agencies; SBSDRs; security-based swap dealers registered pursuant to Section 15F(b) of the Exchange Act (“SBS Entities”); and transfer agents.
Proposed Rule 10 would also apply, in more limited respects, to all “Market Entities,” defined to include both Covered Entities as well as SEC-registered broker-dealers that are not Covered Entities.
The Covered Entities definition would include the following categories of broker-dealers:
- Broker-dealers that maintain custody of cash and securities for customers or other broker‑dealers and are not exempt from the requirements of Exchange Act Rule 15c3-3 (the “Customer Protection Rule”);
- Broker-dealers that introduce their customers’ accounts to a carrying broker-dealer on a fully disclosed basis (i.e., introducing broker-dealers);
- Broker-dealers with regulatory capital equal to or exceeding $50 million;
- Broker-dealers with total assets equal to or exceeding $1 billion;
- Broker-dealers that operate as market makers; and
- Broker-dealers that operate an Alternative Trading System (“ATS”).
For certain of these broker-dealers that also meet the thresholds discussed below under the Proposed SCI Amendment, the Proposed Rule 10 requirements would apply in addition to any requirements under Reg SCI.
Requirements for Covered Entities
Policies and Procedures. Covered Entities would be required to establish, maintain, and enforce written policies and procedures that include the following elements:
- Periodic assessments of cybersecurity risks associated with the Covered Entity’s information systems and written documentation of the risk assessments;
- Controls designed to minimize user-related risks and prevent unauthorized access to the Covered Entity’s information systems;
- Measures designed to monitor the Covered Entity’s information systems and protect the Covered Entity’s information from unauthorized access or use, and oversee service providers that receive, maintain, or process information, or are otherwise permitted to access the Covered Entity’s information systems;
- Measures to detect, mitigate, and remediate any cybersecurity threats and vulnerabilities with respect to the Covered Entity’s information systems; and
- Measures to detect, respond to, and recover from a cybersecurity incident and written documentation of any cybersecurity incident and the response to and recovery from the incident.
For these purposes, Proposed Rule 10 defines an “information system” to mean “the information resources owned or used by the market entity, including, for example, physical or virtual infrastructure controlled by the information resources, or components thereof, organized for the collection, processing, maintenance, use, sharing, dissemination, or disposition of the covered entity’s information to maintain or support the covered entity’s operations.”
Annual Review. Covered Entities would be required, at least annually, to review and assess the design and effectiveness of the required cybersecurity policies and procedures, including whether the policies and procedures reflect changes in cybersecurity risk over the time period covered by the review, and then to prepare a written report that describes the review, the assessment, and any control tests performed. The written report would also need to explain the results of any tests performed, document any cybersecurity incident that occurred since the date of the last report, and discuss any material changes to the policies and procedures since the date of the last report.
If Proposed Rule 10 is adopted as proposed, Covered Entities would need to be careful in crafting such written reports. While the SEC explained that the requirement is “designed to impose a discipline on Covered Entities to be vigilant in assessing whether their cybersecurity risk management policies and procedures continue to be reasonably designed to address this risk,” we expect that, in examinations and enforcement actions, the SEC Staff would be quick to request these reports and use them to make determinations about whether the Covered Entities have complied with the policies and procedures requirements under Proposed Rule 10.
SEC Notification and Form SCIR Part I. Proposed Rule 10 would require certain notifications by Covered Entities relating to any “significant cybersecurity incident.” The term “cybersecurity incident” would be defined to mean an “unauthorized occurrence on or conducted through a Market Entity’s information systems that jeopardizes the confidentiality, integrity, or availability of the information systems or any information residing on those systems.” The term “significant cybersecurity incident” would be defined to include any cybersecurity incident (or group of related incidents) that (1) significantly disrupts or degrades the ability of the Market Entity to maintain critical operations, or (2) leads to the unauthorized access or use of the information or information systems of the Market Entity, where the unauthorized access or use of the information or information systems results in or is reasonably likely to result in substantial harm to the Market Entity, or substantial harm to a customer, counterparty, member, registrant, or other user of the Market Entity, or to any other person that interacts with the Market Entity. Conceptually, then, Proposed Rule 10 would define a significant cybersecurity incident to be one that either significantly impacts the Market Entity, or one that significantly impacts those who interact with the Market Entity. While there is no “materiality” threshold for either of these standards, each one is limited to incidents that qualify as “significant cybersecurity incidents.”
Covered Entities would be required to provide “immediate written electronic notice” if they have a reasonable basis to conclude that a significant cybersecurity incident has occurred or is occurring. The notice would need to be made to the SEC, and if the Covered Entity is (i) a broker-dealer, to the broker-dealer’s examining authority, and (ii) a transfer agent, to its appropriate regulatory authority. The SEC does not provide exact details on what constitutes “immediate” notice, particularly given that the entity must draw a conclusion formed upon a reasonable basis that an incident is “significant”—something that might not be immediately apparent to the team conducting a review or seeking to mitigate an incident. The SEC explains that the notification requirement is “designed to alert the Commission on a confidential basis to the existence of a significant cybersecurity incident impacting a Covered Entity so the Commission staff can begin to assess the event,” and that it is “not intended as a means to report written information about the significant cybersecurity incident.”
Proposed Rule 10 would include a separate requirement for Covered Entities designed to provide detailed information about the incident—Part I of the proposed Form SCIR, which would be filed via the SEC’s EDGAR system. Covered Entities would have to file this form with the SEC within 48 hours of having a reasonable basis to conclude that a significant cybersecurity incident has occurred or is occurring. Furthermore, Covered Entities would be required to file an amended Part I of the proposed form within 48 hours of certain developments relating to the significant cybersecurity incident:
- Any information previously reported to the SEC on Part I of Form SCIR pertaining to a significant cybersecurity incident becoming materially inaccurate;
- Any new material information pertaining to a significant cybersecurity incident previously reported to the SEC on Part I of Form SCIR being discovered;
- A significant cybersecurity incident being resolved; or
- An internal investigation pertaining to a significant cybersecurity incident being closed.
Similarly to the notice requirement, Covered Entities that are broker-dealers would be required to provide a copy of such a form to their examining authorities, and transfer agents would be required to provide a copy to their appropriate regulatory authorities. These Part I filings would not be made available to the public to the extent permitted by law.
In her dissent to the proposal, Commissioner Peirce highlighted several challenges relating to the notification and Form SCIR Part I filings that entities are likely to face if Proposed Rule 10 is adopted as written. She noted that firms experiencing significant cybersecurity incidents, which are likely to be hard at work containing the breach and fixing the problems in their systems, may need to, within the first 48 hours of discovery, divert resources from those efforts to fill out a detailed government form, which provides for potential individual liability on the person signing the form. She also noted that the requirement that firms report the conclusion of any internal investigation into the issue is tantamount to asking a firm to report information about policies and procedures failures, and fails to consider that this requirement might dissuade firms from performing such internal investigations. Her dissent queries whether the proposal takes the view that firms that undergo significant cybersecurity incidents are foremost potential federal securities law violators rather than victims of a cyberattack.
Public Disclosures. In addition to the notification obligations to regulators, Covered Entities would be required to publicly disclose certain information on Part II of Form SCIR, which would also be filed through the SEC’s EDGAR system. Specifically, a Covered Entity would be required to disclose (i) summary descriptions of its cybersecurity risks that could materially affect the entity’s business and operations, and (ii) a summary description of each significant cybersecurity incident (as defined above) the entity experienced during the current or previous calendar year, including the persons affected; whether any data was stolen, altered, or accessed; the effect of the incident on the entity’s operations; and whether the entity has remediated (or is currently remediating) the incident. Covered Entities that are carrying or introducing broker-dealers would also need to provide Part II of Form SCIR to customers at account opening, when information on the form is updated, and annually (using the same means that the customer elects to receive account statements), and all Covered Entities would be required to post a copy of Part II of Form SCIR on their business websites.
Covered Entities would also be required to promptly provide updated disclosures on Part II of Form SCIR if the information required to be disclosed about cybersecurity risk or significant cybersecurity incidents “materially changes,” including “after the occurrence of a new significant cybersecurity incident or when information about a previously disclosed significant cybersecurity incident materially changes.” Each method of the disclosure—the EDGAR filing, the posting on the website, and if the entity is a carrying or introducing broker-dealer, the delivery of copies to customers—would need to be updated if such information “materially changes.”
Regulatory requirements to make public disclosures about cybersecurity incidents are not risk-free propositions. As the SEC itself explained, “[r]evealing too much information could assist future attackers as well as lead to loss of customers, reputational harm, litigation, or regulatory scrutiny.” The SEC explained its intent to balance the need to disclose this information publicly so customers and investors can be aware of potential issues with the need to avoid these potential pitfalls, and that the requirement is “designed to produce high-level disclosures about the Covered Entity’s cybersecurity risks and significant cybersecurity incidents that can be easily reviewed by interested parties in order to give them a general understanding of the Covered Entity’s risk profile.”
Recordkeeping. Proposed Rule 10 would require a Covered Entity to make several different types of records. While the proposed rule itself would not specify how long these records would need to be preserved, the SEC also proposes to amend the recordkeeping rules for broker-dealers, transfer agents, and SBS Entities to include these Proposed Rule 10 records among the records that would need to be preserved and maintained under those existing requirements, typically for three years.
Requirements for Non-Covered Entity Broker-Dealers
Market Entities that are not Covered Entities (i.e., the broker-dealers that would not fall within any of the Covered Entity categories (“Non-Covered Broker-Dealers”)) would be required to comply with a more limited set of requirements than Covered Entities.
Like Covered Entities, Non-Covered Broker-Dealers would be required to establish, maintain, and enforce written policies and procedures reasonably designed to address their cybersecurity risks. Unlike for Covered Entities, Proposed Rule 10 would not specify the minimum elements that would need to be included in the policies and procedures—though the SEC notes that “a Non-Covered Broker-Dealer may want to consider whether any of those required elements would be appropriate components of it[s] policies and procedures for addressing cybersecurity risk.”
Non-Covered Broker-Dealers would also be required to annually review and assess the design and effectiveness of their cybersecurity policies and procedures, including whether the policies and procedures reflect changes in cybersecurity risk over the time period covered by the review, and to make a “written record” that documents the steps taken in performing the annual review and the conclusions. Unlike for Covered Entities, Proposed Rule 10 would not require a Non‑Covered Broker-Dealer to create a “written report” of the annual review. The SEC explained that a “report is a means to communicate information within an organization” and that a record “among other things, is a means to document that an activity took place, for example, to demonstrate compliance with a requirement.”
Non-Covered Broker-Dealers would be required to provide immediate written notice to the SEC upon having a reasonable basis to conclude that a significant cybersecurity incident has occurred or is occurring. Unlike for Covered Entities, Proposed Rule 10 would not require Non-Covered Broker-Dealers to file Form SCIR—either Part I (for detailed information on significant cybersecurity incident updates within 48 hours) or Part II (for publicly disclosed summary information).
Other Notable Points
Substituted Compliance for Non-US SBS Entities. The SEC is also proposing to amend Rule 3a71-6 to permit certain SBS Entities that are not U.S. persons to seek an SEC determination that the requirements under a foreign financial regulatory system satisfy the corresponding requirements of Proposed Rule 10, meaning that the non-U.S. SBS Entity would not need to comply with the proposed rule.
Crypto Assets. While Proposed Rule 10 does not set forth any special requirements for Covered Entities or Market Entities that maintain information systems involving crypto assets, the SEC noted that crypto assets are “exposed to cybersecurity risks” and are “attractive targets for threat actors,” and, therefore, “information systems that involve crypto assets may be subject to heightened cybersecurity risks.” The SEC also noted that Market Entities and Covered Entities engaged in “business activities involving crypto assets . . . could be exposed to these heightened cybersecurity risks.” While not a strict requirement, then, it appears that the SEC will expect Market Entities and Covered Entities to pay particular attention to information systems involving crypto assets as they design and review their policies and procedures under Proposed Rule 10.
Proposed Reg SCI Amendment
Introduction
The Proposed SCI Amendment would significantly expand the scope of market participants subject to the requirements of Reg SCI, and would add additional requirements designed to conform Reg SCI to technological and other changes the SEC has observed since the adoption of Reg SCI in 2014. Reliance on new and evolving technology has been driven, in part, by the growing prevalence of remote work and the increased utilization of third-party service providers. The SEC points to technological advancements as evidence of both greater sophistication and interconnection of the markets, and of heightened risk of exposure to cybersecurity and operational vulnerabilities for key market participants.
The SEC describes the proposed amendments to Reg SCI as “[c]onsistent with the goals of addressing technological vulnerabilities and improving oversight of the core technology of key U.S. securities market entities.” The SEC noted its prior statements in Reg SCI’s original adopting release that the SEC was endeavoring to take a “measured approach” to the entities subject to Reg SCI, and was only making an “incremental expansion” from the entities covered under the prior ARP Inspection Program. By contrast, this proposal would result in far more than an “incremental expansion” of the entities currently covered by Reg SCI.
Reg SCI
Applicability. Reg SCI imposes requirements on “SCI entities.” Today, entities that qualify as SCI entities include self-regulatory organizations (such as national securities exchanges, covered clearing agencies, FINRA and the MSRB), ATSs meeting certain volume thresholds in NMS stocks and non-NMS stocks, plan processors (exclusive disseminators of consolidated market data), certain competing disseminators of consolidated market data, and certain exempt clearing agencies. SCI entities are subject to Reg SCI’s obligations with respect to “SCI systems,” “critical SCI systems,” and “indirect SCI systems.”
The term “SCI system” is defined to include “all computer, network, electronic, technical, automated, or similar systems of, or operated by or on behalf of, an SCI entity that, with respect to securities, directly support trading, clearance and settlement, order routing, market data, market regulation, or market surveillance.” Because this definition includes any “securities,” the SCI systems of an SCI entity may pertain to any type of securities, including NMS stocks, listed options, security-based swaps, digital asset securities, or others.
A “critical SCI system” is defined to include a subset of SCI systems which lack or have limited substitutes and represent potential single points of failure. These include SCI systems that directly support functionality relating to clearance and settlement systems of clearing agencies, trading halts, initial public offerings, and others that “[p]rovide functionality to the securities markets for which the availability of alternatives is significantly limited or nonexistent and without which there would be a material impact on fair and orderly markets.”
Indirect SCI systems are defined to include systems of an SCI entity which, “if breached, would be reasonably likely to pose a security threat to SCI systems.”
Systems Requirements. Reg SCI currently requires SCI entities to establish, maintain, and enforce policies and procedures “reasonably designed to ensure that its SCI systems and, for purposes of security standards, indirect SCI systems, have levels of capacity, integrity, resiliency, availability, and security, adequate to maintain the SCI entity’s operational capability and promote the maintenance of fair and orderly markets.” Reg SCI requires that such policies and procedures include, at a minimum, (i) current and future capacity planning; (ii) periodic stress testing; (iii) systems development and testing methodology; (iv) reviews and testing to identify vulnerabilities; (v) business continuity and disaster recovery planning (inclusive of backup systems that are geographically diverse and designed to meet specified recovery time objectives); (vi) standards for market data collection, processing, and dissemination; and (vii) monitoring to identify potential SCI events. SCI entities must also periodically review the effectiveness of those policies and procedures and take prompt corrective action to remedy deficiencies. Reg SCI provides that policies and procedures may satisfy these requirements to the extent they are consistent with “current SCI industry standards,” which is in turn defined to include information technology practices that are “widely available to information technology professionals in the financial sector and issued by an authoritative body that is a U.S. governmental entity or agency, association of U.S. governmental entities or agencies, or widely recognized organization.”
Compliance Requirements. Under Reg SCI, each SCI entity must maintain and enforce policies and procedures to ensure its SCI systems operate in a manner that complies with the Exchange Act and Exchange Act rules, and the SCI entity’s rules and governing documents. Reg SCI provides that these policies and procedures must include, at minimum, (i) testing of all SCI systems and any changes to SCI systems prior to implementation; (ii) a system of internal controls over changes to SCI systems; (iii) a plan for assessments of the functionality of SCI systems designed to detect systems compliance issues, including by “responsible SCI personnel” and by personnel familiar with applicable provisions of the Exchange Act and the rules and regulations thereunder and the SCI entity’s rules and governing documents; and (iv) a plan of coordination and communication between regulatory and other personnel of the SCI entity, including by responsible SCI personnel, regarding SCI systems design, changes, testing, and controls designed to detect and prevent systems compliance issues. Reg SCI defines “responsible SCI personnel” to include “for a particular SCI system or indirect SCI system impacted by an SCI event, such senior manager(s) of the SCI entity having responsibility for such system, and their designee(s).” As with the policies and procedures related to SCI systems, SCI entities are required to periodically review the effectiveness of those policies and procedures and take prompt corrective action to remedy deficiencies.
SCI entities must also maintain and enforce policies and procedures that include (i) the criteria for identifying responsible SCI personnel; (ii) the designation and documentation of responsible SCI personnel; and (iii) escalation procedures to quickly inform responsible SCI personnel of potential SCI events.
SCI Events. Reg SCI currently imposes obligations upon SCI entities regarding three different types of “SCI events,” which include (i) systems disruptions (events in an SCI entity’s SCI systems that disrupt, or significantly degrade, the normal operation of an SCI system); (ii) systems compliance issues (events at an SCI entity that cause any SCI system to operate in a manner that is out of compliance with the Exchange Act or the SCI entity’s rules or governing documents); and (iii) systems intrusions (any unauthorized entry into the SCI systems or indirect SCI systems of an SCI entity). Reg SCI requires SCI entities to take the necessary corrective action to mitigate harm to investors and market integrity, and prescribes a framework for notifying the SEC under Rule 1002(b). Reg SCI also requires SCI entities to disseminate information to their members or participants regarding certain SCI events, to generate quarterly reports to the SEC regarding material changes to SCI systems, and to comply with business continuity and disaster recovery testing requirements and recordkeeping requirements.
Proposed Amendments to the Definition of SCI Entities
Definition of SCI Entities. The SEC is proposing to expand the definition of SCI entity to include, and therefore subject to Reg SCI’s requirements, additional market participants, including registered SBSDRs, certain “SCI broker-dealers” meeting either total asset thresholds or transaction activity thresholds in certain types of securities, and additional exempted clearing agencies.
SBSDRs. The Proposed SCI Amendment would expand the definition of SCI entities to include SBSDRs, due to their key role in the SBS market. Because SBSDRs rely on automated systems and work to limit systemic risk and promote stability of SBS markets, the SEC would include SBSDRs in the definition of SCI entities to ensure SBSDR systems are “robust, resilient, and secure.” The SEC’s concern is that vulnerabilities of SBSDRs could lead to significant failures which could “disrupt price transparency and oversight of the SBS market.”
SCI Broker-Dealers. The Proposed SCI Amendment would expand the definition of SCI entities to include registered broker-dealers that exceed one of two size thresholds. The SEC expects the thresholds would capture only the largest broker-dealers, and estimates that 17 entities would currently satisfy one or more of the proposed thresholds. The SEC’s purpose for including this limited number of registered broker-dealers is the concern that the unreliability or unavailability of broker-dealers with significant total assets or transaction activity, either measured across multiple markets or “predominately in a single market,” risks disruption to orderly market functioning. While Reg SCI currently applies to national securities exchanges and to certain ATSs that meet trading volume thresholds, the SEC is concerned that the growth of electronic trading has caused certain broker-dealers to become “similarly dependent on sophisticated and interconnected automated systems.”
- Total assets threshold. The first size threshold would be based on a broker-dealer’s size as measured by total assets. This would include a registered broker-dealer which, in at least two of the four preceding calendar quarters, had total assets equal to five percent or more of the total assets of all security brokers and dealers. The assets of each broker-dealer would be based on the total assets reported to the SEC on the broker-dealer’s FOCUS Reports in Part II, Item 940. The denominator in this case would be the total assets of all security brokers and dealers as calculated by the Federal Reserve Board and published quarterly on the Federal Reserve Economic Data website. Based on recent data, a registered broker-dealer with total assets of approximately $250 billion in two of the preceding four calendar quarters would meet the proposed threshold. Should a broker-dealer exceed the threshold in two of the four preceding calendar quarters, it would become subject to Reg SCI beginning six months after the end of the second such quarter, and would continue to be an SCI entity for as long as it continues to satisfy one or more of the thresholds.
- Transaction activity threshold. The second threshold would be based on the size of a broker-dealer’s transaction activity in several specified asset classes. The SEC has observed that, “[i]n several asset classes, the transaction activity of each of a relatively small number of broker-dealers constitutes a share of trading that could, if affected by a systems issue, negatively impact fair and orderly markets.” These asset classes include NMS stocks, exchange-listed options contracts, U.S. Treasury Securities, and Agency securities. The Proposed SCI Amendment is designed to capture those broker-dealers that, by themselves, make up a sizable portion of the trading activity in one or more of these asset classes.
In contrast to the total assets threshold, which is measured on a quarterly basis, the transaction activity threshold would be measured over a period of “at least four of the preceding six calendar months.” To monitor whether it meets the proposed threshold, the release notes, a broker-dealer would need to determine its average daily dollar volume in the specified asset class for each calendar month and divide that figure by the total reported average daily dollar volume for the same month. The denominator may be obtained, for NMS stocks, from the plan processors of the CTA/CQ Plans and the Nasdaq UTP Plan; for listed options, from the plan processor of the OPRA Plan; and for U.S. Treasury Securities and Agency Securities, from FINRA.
- NMS stocks. The NMS stocks threshold is tied to a broker-dealer’s activity “on or as a trading center.” A broker-dealer would be an SCI entity if its average daily dollar volume in NMS stocks equaled 10% or more of the reported average daily dollar volume. Transactions the broker-dealer trades on a national securities exchange, and transactions it executes off of a national securities exchange or an ATS, would be included. Notably, the calculation would not include transactions for which the broker-dealer is a non-executing counterparty in an off-exchange, non-ATS transaction. If, however, a broker-dealer operator of an ATS trades as a participant on its own ATS, or acts as a counterparty to every trade on its own ATS, that volume would be counted as trading activity of the broker-dealer.
- Exchange-listed options. The proposed threshold with regard to exchange-listed options contracts is a transacted average daily dollar volume equal to 10% or more of the average daily dollar volume reported by an applicable effective national market system plan.
- U.S. Treasury Securities and Agency Securities. The proposed threshold with regard to both U.S. Treasury Securities and Agency Securities is a transacted average daily dollar volume equal to 10% or more of the “total average daily dollar volume made available by the self-regulatory organizations to which such transactions are reported.” A “U.S. Treasury Security” would be defined to include securities issued by the U.S. Department of the Treasury. An “Agency Security” would be defined to include debt securities issued or guaranteed by a U.S. executive agency or a government-sponsored enterprise.
- SCI Broker-Dealers and Crypto Asset Securities. To the extent a broker-dealer satisfies the total assets threshold, that broker-dealer would need to assess whether any systems pertaining to its activity in crypto asset securities meet the definition of an SCI system or an indirect SCI system. In determining whether a broker-dealer meets a transaction activity threshold, the broker-dealer must first determine whether any crypto asset securities are NMS stocks, exchange-listed options, U.S. Treasury Securities, or Agency Securities, and if so, include those crypto asset securities in the tally for that class of assets. No crypto asset securities currently fit into these categories, though it is possible the market will develop such that these crypto asset securities come into existence.
Further, any SCI systems or indirect SCI systems supporting activity in crypto asset securities that fall within one of the enumerated asset classes would be subject to the requirements of Reg SCI. While the SEC acknowledged that no special purpose broker-dealers specifically authorized to maintain custody of crypto asset securities—which are the only broker-dealers authorized to maintain such custody—currently exist, it reiterated that SCI entities trading in crypto asset securities will need to apply Reg SCI as appropriate to that activity. We expect that, at least in the short term, this requirement would have more impact on broker-dealers than the requirement to count crypto asset securities toward the thresholds. If an SCI entity uses systems that otherwise meet the definition of an SCI system for activities in crypto asset securities, the SCI requirements would apply in full to those activities.
For broker-dealers that meet the definition of an SCI entity solely because of the transaction activity threshold, the SEC has proposed that SCI systems would include “only those systems with respect to the type of securities for which an SCI broker-dealer satisfies the requirements [of the definition of SCI entity].” Thus, if a broker-dealer exceeds the 10% trading activity threshold only in NMS stocks, for example, only those systems meeting the definition of “SCI system” and involving NMS stocks would be in scope.
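As an added illustration, not drawn from the proposal or from this memorandum, the following Python sketch applies the two size tests described above to constructed sample figures. The dollar amounts, the assumed $5 trillion industry total, the reported ADDV figures, and the reading of “six months after the end of the second such quarter” as the same calendar day six months later are all assumptions of the example; the 5% and 10% shares, the “two of four quarters” and “four of six months” windows, and the narrowing of “SCI systems” to the qualifying asset classes are taken from the text.

```python
import calendar
from datetime import date

# Proposed size thresholds described in the memo; everything else here is an assumption.
TOTAL_ASSETS_SHARE = (1, 20)   # 5% of total assets of all security brokers and dealers
TRANSACTION_SHARE = (1, 10)    # 10% of reported average daily dollar volume (ADDV)


def meets_share(numerator, denominator, share):
    """Integer test of numerator/denominator >= share, avoiding float rounding at the boundary."""
    num, den = share
    return numerator * den >= denominator * num


def quarter_end(year, quarter):
    month = 3 * quarter
    return date(year, month, calendar.monthrange(year, month)[1])


def add_months(d, n):
    """Same calendar day n months later, clamped to the end of the target month (assumption)."""
    m = d.month - 1 + n
    year, month = d.year + m // 12, m % 12 + 1
    return date(year, month, min(d.day, calendar.monthrange(year, month)[1]))


def total_assets_status(quarters):
    """quarters: the four preceding calendar quarters, oldest first, as
    (year, quarter, bd_total_assets, all_bd_total_assets) in dollars.
    Returns (met, effective_date): met if the 5% share was reached in at least two of
    the four quarters; effective_date is six months after the end of the second
    qualifying quarter in chronological order (the day-of-month arithmetic is assumed)."""
    if len(quarters) != 4:
        raise ValueError("expected the four preceding calendar quarters")
    hits = [(y, q) for y, q, bd, total in quarters
            if meets_share(bd, total, TOTAL_ASSETS_SHARE)]
    if len(hits) < 2:
        return False, None
    year, quarter = hits[1]
    return True, add_months(quarter_end(year, quarter), 6)


def transaction_activity_status(monthly_addv):
    """monthly_addv: {asset_class: [(bd_addv, reported_total_addv), ...]} covering the six
    preceding calendar months, oldest first, for each asset class.
    Returns the asset classes in which the broker-dealer's ADDV was >= 10% of the
    reported ADDV in at least four of the six months."""
    in_scope = set()
    for asset_class, months in monthly_addv.items():
        if len(months) != 6:
            raise ValueError(f"{asset_class}: expected the six preceding calendar months")
        hits = sum(1 for bd, total in months if meets_share(bd, total, TRANSACTION_SHARE))
        if hits >= 4:
            in_scope.add(asset_class)
    return in_scope


def sci_broker_dealer_assessment(quarters, monthly_addv):
    """Combine both tests and state the resulting scope of 'SCI systems'."""
    assets_met, effective = total_assets_status(quarters)
    classes = sorted(transaction_activity_status(monthly_addv))
    if assets_met:
        scope = "all systems meeting the SCI system definition"
    elif classes:
        scope = "only systems with respect to: " + ", ".join(classes)
    else:
        scope = None
    return {
        "sci_entity": assets_met or bool(classes),
        "total_assets_threshold": assets_met,
        "total_assets_effective_date": effective,
        "transaction_threshold_classes": classes,
        "systems_scope": scope,
    }


# Constructed sample figures (not real data): four quarters of 2022 for one broker-dealer
# against an assumed $5 trillion industry total, and six months of ADDV in two asset classes.
B = 10**9
SAMPLE_QUARTERS = [
    (2022, 1, 240 * B, 5000 * B),   # 4.8%  below
    (2022, 2, 260 * B, 5000 * B),   # 5.2%  hit
    (2022, 3, 245 * B, 5000 * B),   # 4.9%  below
    (2022, 4, 255 * B, 5000 * B),   # 5.1%  second hit -> in scope six months after 2022-12-31
]
SAMPLE_MONTHLY_ADDV = {
    "NMS stocks": [(60 * B, 500 * B), (45 * B, 500 * B), (55 * B, 500 * B),
                   (50 * B, 500 * B), (65 * B, 500 * B), (40 * B, 500 * B)],   # 4 of 6 months >= 10%
    "exchange-listed options": [(4 * B, 50 * B), (5 * B, 50 * B), (3 * B, 50 * B),
                                (4 * B, 50 * B), (6 * B, 50 * B), (3 * B, 50 * B)],  # 2 of 6
}

if __name__ == "__main__":
    for key, value in sci_broker_dealer_assessment(SAMPLE_QUARTERS, SAMPLE_MONTHLY_ADDV).items():
        print(f"{key}: {value}")
```

The share comparisons are done in integer arithmetic so that a month sitting exactly at 10% (as the fourth NMS stocks month does here) is counted consistently rather than depending on floating-point rounding; a real monitoring job would replace the constructed figures with the FOCUS Report line and the plan processor or FINRA totals the text identifies.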
Exempt Clearing Agencies. The Proposed SCI Amendment would expand the definition of SCI entities to include all “exempt clearing agencies.”[1] In the SEC’s view, the similarities in function and importance among exempt clearing agencies support treating all of them alike for purposes of Reg SCI. The SEC points to the rapid innovation and interconnectedness of the technology supporting such clearing agencies’ systems for margin obligations, netting and payment, movement of funds and securities, and end-of-day settlement procedures. In the SEC’s view, the “increasing reliance on new technologies” necessitates attention “on the potential for such services to introduce operational risk or introduce single points of failure into the national system for clearance and settlement.”
Proposed Amendments to Obligations of SCI Entities
In addition to expanding the group of entities subject to Reg SCI, the Proposed SCI Amendment would significantly update a number of the obligations applicable to those SCI entities, potentially adding considerable time and cost to compliance.
Systems Classification and Lifecycle Management. The Proposed SCI Amendment would add requirements to the policies and procedures of SCI entities with respect to their SCI systems (including SCI systems, indirect SCI systems, and critical SCI systems, as discussed above). First, SCI entities would be required to develop and maintain a written inventory of their systems and a classification of those systems, which codifies current practice. An SCI entity’s policies and procedures would also be required to include a program for the life cycle management of these systems, including “the acquisition, integration, support, refresh, and disposal of such systems.” In particular, the SEC would expect a properly refreshed and updated system to run up-to-date software with current security patches applied.
Third-Party Provider Management. SCI entities are required to manage their relationships with third-party providers through due diligence, contract terms, and monitoring. In particular, SCI entities are responsible for having processes and requirements that ensure SCI systems that are operated by a third party are able to satisfy the requirements of Reg SCI. The Proposed SCI Amendment would update the requirements applicable to SCI entities regarding third-party provider management in several important respects:
- SCI entities would be required, in their policies and procedures, to include programs to manage and oversee third-party providers that “provide functionality, support or service, directly or indirectly, for [their] SCI systems and, for purposes of security standards, indirect SCI systems.” These programs would be required to include a number of specific elements, including (i) initial and periodic third-party provider contract review; and (ii) risk-based assessments of each third-party provider’s “criticality to the SCI entity.” The contract reviews would need to identify contract terms that may be inconsistent with Reg SCI requirements, and the risk-based assessment would need to consider third-party provider concentration, among other things.
- With respect to third-party providers that provide functionality, support, or service related to those SCI systems that are “critical SCI systems,” the Proposed SCI Amendment would include a requirement that SCI entities have business continuity and disaster recovery plans designed to address the unavailability of those third-party providers.
- SCI entities would be required to designate third-party providers necessary for maintenance of fair and orderly markets in the event of activation of that SCI entity’s business continuity or disaster recovery plans, and to require those third-party providers to participate in scheduled functional and performance testing of those plans.
The SEC’s release also focuses specifically on the increased use of cloud service providers (“CSPs”). The proposal describes a number of specific applications of an SCI entity’s responsibilities in the context of CSP relationships. In particular, it instructs SCI entities that they should not view their relationship with a CSP as “turn[ing] over its Regulation SCI-related responsibilities to the CSP.” Further, the proposal reminds SCI entities that, when considering CSP relationships, they should keep in mind Reg SCI’s requirement that policies and procedures include business continuity and disaster recovery plans “reasonably designed to achieve next business day resumption of trading and two-hour resumption of critical SCI systems following a wide-scale disruption.” The proposal also notes that, in the context of CSPs, SCI entities should be cognizant of Reg SCI’s notice and dissemination requirements, and of its data security and recordkeeping obligations.
Security Systems. In light of the evolving nature of cybersecurity events since Reg SCI’s adoption, the Proposed SCI Amendment would “enhance” the cybersecurity provisions of Reg SCI to significantly increase the potential scope of testing and reporting obligations. In particular:
- Policies and procedures of SCI entities would be required to include programs to prevent the unauthorized access to SCI systems and the information residing in them, including specific access controls.
- Penetration testing would be required at least annually (rather than the current requirement of once every three years).
- The definition of a “systems intrusion” (triggering resolution and notice requirements) would be expanded to include both “any cybersecurity event that disrupts, or significantly degrades, the normal operation of an SCI system,” and “any significant attempted unauthorized entry into the SCI systems or indirect SCI systems of an SCI entity, as determined by the SCI entity pursuant to established reasonable written criteria.” Notably, this expansion would sweep in attempted but unsuccessful unauthorized entry into an SCI entity’s SCI systems or indirect SCI systems.
- The de minimis exception to the current reporting requirements for systems intrusions would be eliminated, thereby requiring that all systems intrusions, regardless of impact, be reported pursuant to Reg SCI.
SCI Reviews. The Proposed SCI Amendment would update the substantive and procedural requirements for an SCI entity’s reviews of its SCI systems and indirect SCI systems. Currently, Reg SCI requires SCI entities to maintain policies and procedures for annual reviews of SCI systems by objective personnel, and to report the results of those reviews to the board of directors (or equivalent) of the SCI entity and to the SEC. The Proposed SCI Amendment would require, in particular, three assessments to be performed by objective personnel: (i) an assessment of risks related to capacity, integrity, resiliency, availability, and security; (ii) an assessment of internal control design and operating effectiveness (including specifics such as logical and physical security controls, development processes, systems capacity and availability, and others); and (iii) an assessment of third-party provider management risks and controls. Each of these reviews, particularly that of third-party providers, would potentially require considerable expenditure of resources and attention by SCI entity personnel, as well as by management and boards. Comments on both proposals are due 60 days after publication in the Federal Register.
[1] To date, the SEC has granted exemptions from clearing agency registration to three matching entities: DTCC ITP Matching US, LLC; Bloomberg STP LLC; and SS&C Technologies Inc. The SEC has also granted exemptions to certain non-U.S. clearing agencies for limited clearing activities: Euroclear Bank SA/NV and Clearstream Banking, S.A.