Regulation SCI (Systems Compliance and Integrity) was adopted by the SEC in 2014 to strengthen the technology infrastructure of the U.S. securities markets. It requires SCI entities to have policies and procedures reasonably designed to ensure that their systems have levels of capacity, integrity, resiliency, availability, and security adequate to maintain their operational capability and promote the maintenance of fair and orderly markets, and it requires measures that facilitate the SEC's oversight. Currently, Regulation SCI applies to SCI entities, which comprise the self-regulatory organizations (excluding securities futures exchanges), ATSs meeting certain volume thresholds with respect to NMS stocks and non-NMS stocks, plan processors, certain competing consolidators that disseminate consolidated market data, and certain exempt clearing agencies.
Regulation SCI applies to SCI entities with respect to their SCI systems, meaning systems that directly support one or more of six key securities market functions (trading, clearance and settlement, order routing, market data, market regulation, or market surveillance), as well as other systems (indirect SCI systems) that, if breached, would be reasonably likely to pose a security threat to SCI systems. Whether a given technology system falls within scope is therefore determined by whether it is operated "by or on behalf of" the SCI entity and whether it directly supports any of the six market functions enumerated above, or, if it does not, whether a breach of it would be reasonably likely to threaten the security of systems that do.
The foundational principles and components of Regulation SCI include:
system integrity: establishing, maintaining and enforcing written policies and procedures reasonably designed to ensure that an SCI entity's SCI systems and, for purposes of security standards, indirect SCI systems, have levels of capacity, integrity, resiliency, availability, and security adequate to maintain their operational capability and promote the maintenance of fair and orderly markets. Such policies and procedures must meet certain minimum requirements set forth in Rule 1001(a)(2) of Regulation SCI;
system compliance: establishing, maintaining and enforcing written policies and procedures reasonably designed to ensure SCI systems operate in a manner that complies with the Exchange Act and the rules and regulations thereunder and the entity's rules and governing documents;
periodic review of Regulation SCI policies and procedures for effectiveness and prompt actions to remedy deficiencies;
incident response and escalation: establishing, maintaining and enforcing written policies and procedures that include criteria for identifying responsible SCI personnel, the designation and documentation of responsible SCI personnel, and escalation procedures to quickly inform responsible SCI personnel of potential SCI events;
incident (SCI event) notification to the SEC and dissemination of SCI event information to affected members or participants;
reports of material systems changes, and an SCI review of SCI systems and indirect SCI systems performed by objective personnel not less than once each calendar year, which must contain a risk assessment and an assessment of the design and effectiveness of internal controls over those systems, including security controls, development processes and information technology governance;
business continuity and disaster recovery testing with members or participants; and
recordkeeping relating to compliance with Regulation SCI.
Regulation SCI imposes some of the most extensive compliance burdens of any rule applicable to securities market registrants. In March 2023, the SEC proposed rules to expand the application of Regulation SCI by amending the definition of "SCI entity" to include registered security-based swap data repositories, registered broker-dealers exceeding certain size thresholds, and additional exempt clearing agencies.
We can help SCI entities design Regulation SCI policies and procedures and conduct reviews of such policies and procedures for compliance. In addition, we can help those firms that may become subject to Regulation SCI prepare for compliance.