December 3, 2014

SEC Makes Cybersecurity Mandatory for Securities Exchanges

Arnold & Porter Advisory

In recent years, malfunctioning technology has affected the trading of securities on a number of occasions. As just one better-known example, the firm Knight Capital, a trading company, lost almost $460 million on August 1, 2012, due to a computer glitch, and required a cash infusion of $400 million to remain solvent.1 In an attempt to minimize or prevent similar disruptions in the future, on November 19, 2014, the Securities and Exchange Commission (SEC or Commission) adopted Regulation Systems Compliance and Integrity (Regulation or Regulation SCI).

Regulation SCI is an effort to fill a regulatory gap by providing for "Commission oversight of the technology of the U.S. securities markets[,]" which to date has been conducted "pursuant to a voluntary set of principles" that are over two decades old.2 In the words of Mary Jo White, the Chair of the SEC, the previous regulations were enacted "before many Americans even owned a computer."3

The SEC found it "necessary and appropriate to address the technological vulnerabilities" at this time for several reasons, including:

the evolution of the markets to become significantly more dependent upon sophisticated, complex and interconnected technology; the current successes and limitations of the [prior] Inspection Program; a significant number of, and lessons learned from, recent systems issues at exchanges and other trading venues, increased concerns over "single points of failure" in the securities markets . . . .4

Ensuring adequate protection against intrusion—i.e., cyber attacks—was an additional factor the Commission noted as motivating the adoption of Regulation SCI.5

As with all regulations, the enactment of Regulation SCI raises important questions regarding its implementation.

Who Does Regulation SCI Cover?

Regulation SCI applies to all "SCI entities," which the Regulation defines as "an SCI self-regulatory organization, SCI alternative trading system, plan processor, or exempt clearing agency subject to ARP [Automation Review Policy]."6 There are currently 44 entities that fit this definition.7

  • SCI Self-Regulatory Organization (SCI SRO): This includes "any national securities exchange, registered securities association, or registered clearing agency, or the Municipal Securities Rulemaking Board . . . ."8 The SEC has identified a total of 27 organizations that qualify as SCI SROs, including, by way of example: the Chicago Stock Exchange, Inc.; NASDAQ OMX BX, Inc.; NASDAQ OMX PHLX LLC; Nasdaq; NYSE; NYSE MKT; and NYSE Arca.9
  • SCI alternative trading system (SCI ATS): This consists of an organization or person that "[c]onstitutes, maintains, or provides a market place . . . for bringing together purchasers and sellers of securities or for otherwise performing with respect to securities the functions commonly performed by a stock exchange . . . ."10 Dark pools, the private venues on which securities are traded away from public exchanges, are common examples of such systems. Regulation SCI includes minimum trading volume thresholds that limit the number of alternative trading systems that will have to comply with the Regulation.11
  • Plan processor: "[A]ny self-regulatory organization or securities information processor acting as an exclusive processor in connection with the development, implementation and/or operation of any facility contemplated by an effective national market plan."12 According to the SEC, there are currently two plan processors: SIAC and Nasdaq.13
  • Exempt clearing agency subject to ARP: At this moment, only Omgeo Matching Services - US, LLC fits this definition.

Regulation SCI does not govern brokers, but the possibility exists that the Commission will subject brokers to similar regulations in the future.14

What Systems Are Regulated by Regulation SCI?

The requirements under the Regulation sometimes differ depending on which of the following systems is at issue:

  • SCI Systems: This category consists of "all computer, network, electronic, technical, automated, or similar systems of, or operated by or on behalf of, an SCI entity that, with respect to securities, directly support trading, clearance and settlement, order routing, market data, market regulation, or market surveillance."15
  • Critical SCI Systems: This consists of systems that "Directly support functionality relating to: (1) Clearance and settlement systems of clearing agencies; (2) Openings, reopenings, and closings on the primary listing markets; (3) Trading halts; (4) Initial public offerings; (5) The provision of consolidated market data; or (6) Exclusively-listed securities . . . ."16 It also includes those systems that "[p]rovide functionality to the securities markets for which the availability of alternatives is significantly limited or nonexistent and without which there would be a material impact on fair and orderly markets."17
  • Indirect SCI Systems: This consists of "any systems of, or operated by or on behalf of, an SCI entity that, if breached, would be reasonably likely to pose a security threat to SCI systems."18

What Are the Requirements under Regulation SCI?

The following summarizes the key aspects of many of the Regulation's requirements:

  • Policies and Procedures: SCI entities must implement policies meant to ensure systems "have levels of capacity, integrity, resiliency, availability, and security, adequate to maintain the SCI entity's operation capability and promote the maintenance of fair and orderly markets."19 This includes conducting periodic tests, establishing "[b]usiness continuity and disaster recovery plans[,]" monitoring, and periodic review and updating of procedures.20 The business continuity plan must be "reasonably designed to achieve next business day resumption of trading and two-hour resumption of critical SCI systems following a wide-scale disruption . . . ."21 SCI entities also must establish procedures for identifying responsible SCI personnel.22 Individual SCI personnel who "reasonably discharged" their duties or "[w]ere without reasonable cause to believe" the system was not in compliance are protected by a safe harbor provision.23 No safe harbor exists for SCI entities themselves.24
  • Obligations Related to SCI Events: The Regulation imposes requirements in response to an "SCI event," which is defined as any of the following:
    • Systems Disruption: This consists of any event "that disrupts, or significantly degrades, the normal operation of an SCI system."25 This does not include planned disruptions for maintenance.26
    • Systems Compliance Issues: This consists of "an event . . . that has caused any SCI system . . . to operate in a manner that does not comply with the [Securities Exchange] Act [of 1934] and the rules and regulations thereunder or the entity's rules or governing documents, as applicable."27 The definition does not include a materiality qualifier.28
    • Systems Intrusion: This consists of "any unauthorized entry into the SCI systems or indirect SCI systems of an SCI entity." This includes the introduction of malware, inadvertent intrusion by employees, and everything in between.29 This definition also lacks a materiality qualifier.30

When an SCI event occurs, SCI entities must take "appropriate corrective action" to "mitigat[e] potential harm to investors and market integrity" and "devot[e] adequate resources to remedy the SCI event as soon as reasonably practicable."31 SCI entities must immediately notify the SEC, provide written notification within 24 hours, and provide periodic updates on the status of the investigation into and resolution of the SCI event. The SCI entity must submit, among other things, an assessment of whom the SCI event affected and how. Many of the reporting requirements do not apply, or are relaxed, for de minimis SCI events.32

Entities also have requirements to disseminate information about the SCI event and corrective steps to those likely affected.33

  • Systems Change: SCI entities must submit a quarterly "report describing completed, ongoing, and planned material changes to its SCI systems and the security of indirect systems . . . ."34
  • System Review: SCI entities must conduct an "SCI review."35 The review includes a risk assessment and "assessment of internal control design and effectiveness of its SCI systems and indirect SCI systems to include logical and physical security controls, development processes, and information technology governance . . . ."36

SCI reviews must occur once a year, but a penetration test of "network, firewalls, and production systems" may occur every three years. An assessment of "SCI systems directly supporting market regulation or market surveillance" may also, based on the results of the risk assessment, occur once every three years.37

SCI entities must submit to the SEC and the entity's board of directors a report of the SCI review and senior management's response within 60 days after senior management receives the report.38

  • Disaster Recovery Plan Testing: SCI entities must establish standards to determine who would be "the minimum necessary for the maintenance of fair and orderly markets" if it proves necessary to implement a business continuity and disaster recovery plan.39 Those designated by SCI entities shall participate in testing of the plan at least once a year. They also will coordinate the testing of their plan "on an industry- or sector-wide basis with other SCI entities."40
  • Recordkeeping: The Regulation imposes a requirement to "make, keep, and preserve" certain documents demonstrating compliance, and to provide them to the SEC upon request.41
  • Electronic Filing: Many of the filings required by Regulation SCI must be submitted electronically using a specific form accompanying the Regulation.

How Long Do SCI Entities Have To Comply?

Regulation SCI becomes effective 60 days after publication in the Federal Register. SCI entities will then have nine months after publication to become compliant.42 The policies and procedures contemplated by the regulations "shall be deemed to be reasonably designed if they are consistent with current SCI industry standards, which shall be comprised of information technology practices that are widely available to information technology professionals in the financial sector and issued by an authoritative body that is a U.S. governmental entity or agency, association of U.S. governmental entities or agencies, or widely recognized organization."43

Conclusion

Only time will tell if Regulation SCI serves its purpose of limiting disruptions to the market due to technological malfunctions, natural disasters, and cyber attacks. What is certain, though, is that SCI entities, including all national securities exchanges, will shortly begin the process of complying with the Regulation and reporting to the SEC. In order to best prepare, SCI entities should familiarize themselves with the Regulation, review the technology and procedures they currently rely upon, and determine how to meet the SEC's new requirements.

  1. Whitney Kisling, Knight Capital Reports Net Loss After Software Error, Bloomberg, Oct. 17, 2012, available here (Subscription Required).

  2. Regulation Systems Compliance and Integrity at 5, Securities Act Release No. 34-73639 (Nov. 19, 2014) (Hereinafter Regulation SCI Release).

  3. Jenna Greene, SEC Adopts Rules Addressing Stock Market Vulnerabilities, The Nat. L.J., Nov. 19, 2014, available here.

  4. Regulation SCI Release at 7-8.

  5. Regulation SCI Release at 16-18.

  6. Regulation SCI Release at 710.

  7. Regulation SCI Release at 465-66.

  8. Regulation SCI Release at 711.

  9. Regulation SCI Release at 31-32 and nn. 74-77.

  10. 17 C.F.R. § 242.300(a)(1).

  11. Regulation SCI Release at 710.

  12. 17 C.F.R. § 242.600(b)(55).

  13. Regulation SCI Release at 75 n.202.

  14. Alice Ross and Gina Chon, Fresh SEC Crackdown on 'flash crashes', Fin. Times, Nov. 19, 2014, available here.

  15. Regulation SCI Release at 711.

  16. Regulation SCI Release at 709.

  17. Regulation SCI Release at 709.

  18. Regulation SCI Release at 709.

  19. Regulation SCI Release at 712.

  20. Regulation SCI Release at 712-15.

  21. Regulation SCI Release at 712-13.

  22. Regulation SCI Release at 714-15.

  23. Regulation SCI Release at 714.

  24. Regulation SCI Release at 209.

  25. Regulation SCI Release at 712.

  26. Regulation SCI Release at 128.

  27. Regulation SCI Release at 711.

  28. Regulation SCI Release at 135.

  29. Regulation SCI Release at 140-41.

  30. Regulation SCI Release at 141.

  31. Regulation SCI Release at 715.

  32. Regulation SCI Release at 717.

  33. Regulation SCI Release at 718-19.

  34. Regulation SCI Release at 719.

  35. "The term SCI review means a review, following established procedures and standards, that is performed by objective personnel having appropriate experience to conduct reviews of SCI systems and indirect SCI systems, and which review contains: (a) A risk assessment with respect to such systems of an SCI entity; and (b) An assessment of internal control design and effectiveness of its SCI systems and indirect SCI systems to include logical and physical security controls, development processes, and information technology governance, consistent with industry standards." Regulation SCI Release at 711.

  36. Regulation SCI Release at 711.

  37. Regulation SCI Release at 720.

  38. Regulation SCI Release at 720.

  39. Regulation SCI Release at 720.

  40. Regulation SCI Release at 721.

  41. Regulation SCI Release at 721.

  42. Regulation SCI Release at 444, 447. SCI entities have 21 months to "coordinate the testing of an SCI entity's business continuity and disaster recovery plans on an industry- or sector-wide basis with other SCI entities . . . ." Regulation SCI Release at 448.

  43. Regulation SCI Release at 713.