Regulation SCI and Cybersecurity
Posted by Laura Anthony, Esq. on December 27, 2017
The SEC adopted Regulation Systems Compliance and Integrity (Regulation SCI) in November 2014, with compliance required beginning November 3, 2015, to improve regulatory standards and processes related to the technology used in the securities business, including by financial services firms. Regulation SCI was originally proposed in March 2013.
Technology has transformed the securities industry over recent years, both in the area of regulatory oversight (for example, algorithms that spot trading anomalies which could indicate manipulation or insider trading) and for market participants, through enhanced speed, capacity, efficiency and sophistication of trading. As I have been reviewing in this Lawcast series, enhanced technology carries the corresponding risk of failures, disruptions and, of course, hacking and intrusions.
Because U.S. securities market systems are interconnected, an issue with one entity or system can have widespread consequences for all market participants.
Regulation SCI was proposed and adopted to require key market participants to maintain comprehensive written policies and procedures reasonably designed to ensure the capacity, integrity, resiliency, availability and security of their technological systems; to ensure those systems operate in compliance with the federal securities laws; to provide for review and testing of such systems; and to provide for notices and reports to the SEC. Key market participants generally include national securities exchanges and associations, significant alternative trading systems (such as OTC Markets, which has confirmed that it is in compliance with the Regulation), clearing agencies, and plan processors.
Prior to the adoption of Regulation SCI, there was no formal regulatory oversight of the technological systems of the U.S. securities markets. Rather, oversight was historically conducted through the voluntary Automation Review Policy (“ARP”). Under the ARP, the SEC created an ARP Inspection Program and issued policy statements and ongoing guidance. Compliance with ARP policies has been incorporated into rules over the years, including Regulation ATS for high-volume automated trading systems. Although most major market participants, including SROs and the national exchanges, participated in the ARP program, it remained voluntary and the SEC had no power to compel compliance or enforce its standards.
In recent years technology has outpaced the ARP program’s reach. Today the U.S. securities markets are almost entirely electronic and highly dependent on sophisticated trading and other technology, including complex and interconnected routing, market data, regulatory, surveillance and other systems. The need for a codified regulatory regime has been amplified by real-world events, for example the effects of Hurricane Sandy in New York on DTC and the markets in general; the multiple occasions on which trading on exchanges was halted or delayed because of systems issues; the highly publicized NYSE breakdown that resulted in orders being booked at incorrect prices; and multiple well-known security breaches, including the EDGAR hacking.