A. EXECUTIVE SUMMARY

On March 7, 2013, the Securities and Exchange Commission ("Commission" or "SEC") voted unanimously to propose Regulation Systems Compliance and Integrity ("Reg SCI") under the Securities Exchange Act of 1934 ("Exchange Act").1 The Commission believes that the dependence of today's trading markets on sophisticated automated systems, the lessons of recent market events,2 and the limitations of the SEC's current approach to the oversight of automated systems important to the national market system highlight the need to consider an updated and formalized regulatory framework for such systems. Therefore, the SEC has proposed replacing the voluntary requirements of the existing Automation Review Policy3 ("ARP Program") and the requirements of Rule 301(b)(6) of Regulation ATS4 with mandatory uniform requirements relating to the automated systems of "SCI entities." The term "SCI entities," as currently defined, would include:

  • self-regulatory organizations ("SROs");
  • alternative trading systems ("ATSs");
  • plan processors; and
  • exempt clearing agencies subject to the ARP Program.

The SEC has asked, however, whether Reg SCI also should apply to other types or categories of broker-dealers, such as OTC market makers, exchange market makers, order entry firms, clearing broker-dealers and/or large multi-service broker-dealers.

Reg SCI would specify the obligations SCI entities would have with respect to covered systems and events, including the following:

  • establish, maintain, and enforce written policies and procedures reasonably designed to ensure that their systems have appropriate levels of capacity, integrity, resiliency, availability and security, and that they operate in the manner intended;
  • with regard to certain systems-related events, provide notices and reports to the Commission, take corrective action regarding such events, and disseminate to members or participants information related thereto;
  • mandate that members or participants participate in testing of business continuity and disaster recovery plans and coordinate testing on an industry- or sector-wide basis;
  • conduct an objective annual review of their systems; and
  • make, keep and preserve certain books and records related to matters covered by Reg SCI.

The Commission believes that Reg SCI "would further the goals of the national market system and reinforce the Exchange Act obligations to require entities important to the functioning of the U.S. securities markets to carefully design, develop, test, maintain, and surveil systems integral to their operations."5 The Commission has requested comments on the proposal by May 24, 2013.

A more detailed review of Reg SCI is set forth below.

B. APPLICABILITY OF REG SCI

Proposed Rule 1000(a) sets forth a series of definitions designed to establish the scope of Reg SCI. Particularly, proposed Rule 1000(a) describes the entities, the systems of those entities, and events involving those systems that are subject to Reg SCI.

1. SCI Entities

Proposed Rule 1000(a) would define "SCI entity" as a "SCI self-regulatory organization, SCI alternative trading system, plan processor, or exempt clearing agency subject to ARP." Proposed Rule 1000(a) also would define each of these terms in turn.

a. SCI SRO

Proposed Rule 1000(a) would define the term "SCI self-regulatory organization" or "SCI SRO" consistent with the definition of SRO as set forth in Section 3(a)(26) of the Exchange Act, and would therefore cover all national securities exchanges registered under Section 6(b) of the Exchange Act,6 registered securities associations,7 registered clearing agencies,8 and the Municipal Securities Rulemaking Board ("MSRB"). The definition would, however, exclude an exchange that lists or trades security futures products that is notice-registered with the Commission as a national securities exchange pursuant to Section 6(g) of the Exchange Act as well as any limited purpose national securities association registered with the Commission pursuant to Section 15A(k) under the Exchange Act.9

b. SCI Alternative Trading System

Proposed Rule 1000(a) would define the term "SCI alternative trading system" or "SCI ATS" as an ATS, as defined in Rule 300(a) of Regulation ATS, which during at least four of the preceding six calendar months, had: (1) with respect to NMS stocks (i) five percent or more in any single NMS stock, and 0.25 percent or more in all NMS stocks, of the average daily dollar volume reported by an effective transaction reporting plan, or (ii) one percent or more, in all NMS stocks, of the average daily dollar volume reported by an effective transaction reporting plan; (2) with respect to equity securities that are not NMS stocks and for which transactions are reported to a self-regulatory organization, five percent or more of the average daily dollar volume as calculated by the self-regulatory organization to which such transactions are reported; or (3) with respect to municipal securities or corporate debt securities, five percent or more of either (i) the average daily dollar volume traded in the United States, or (ii) the average daily transaction volume traded in the United States. The proposed definition would modify the thresholds for complying with the capacity, integrity and security requirements currently in Rule 301(b)(6) of Regulation ATS that apply to significant-volume ATSs, and move the proposed thresholds to Rule 1000(a) of Reg SCI.

Specifically, with respect to NMS stocks, the Commission proposes to change the volume threshold from the current Regulation ATS requirement of 20 percent of average daily volume in any NMS stock such that an ATS that trades NMS stocks that meets either of the following two alternative tests would be subject to the requirements of proposed Reg SCI: (i) five percent or more in any NMS stock, and 0.25 percent or more in all NMS stocks, of the average daily dollar volume reported by an effective transaction reporting plan; or (ii) one percent or more, in all NMS stocks, of the average daily dollar volume reported by an effective transaction reporting plan. The Commission designed this change to ensure that Reg SCI is applied to an ATS that could have a significant impact on the NMS stock market as a whole, as well as an ATS that could have a significant impact on a single NMS stock and some impact on the NMS stock market as a whole at the same time. The Commission estimates that approximately 10 ATSs trading NMS stocks currently would exceed the proposed thresholds and fall within the definition of SCI entity, accounting for approximately 87 percent of the dollar volume market share of all ATSs trading NMS stocks. Moreover, the Commission believes that the proposed thresholds would appropriately include ATSs that have NMS stock dollar volume comparable to the NMS stock dollar volume of the equity exchanges that are SCI SROs and therefore covered by Reg SCI.

With respect to non-NMS stocks for which transactions are reported to a self-regulatory organization, the Commission proposes to lower the threshold from 20 percent to five percent. In addition, the SEC would use an average daily dollar volume threshold, instead of an average daily share volume threshold. The Commission estimates that two ATSs currently would exceed this threshold and fall within the definition of SCI entity.

With respect to municipal and corporate debt securities, the Commission proposes to lower the threshold from 20 percent to five percent. In addition, instead of relying on an average daily share volume threshold, the SEC would use an alternative average daily dollar and transaction volume-based test. The Commission believes that this two-pronged threshold is important in identifying ATSs that play a significant role in the debt markets for executing both retail- and institutional-sized trades. The Commission believes that three ATSs executing transactions in municipal securities currently would likely exceed the proposed average daily transaction threshold. The Commission also believes that currently no ATSs executing transactions in corporate debt would exceed the proposed average daily dollar volumes threshold. However, the Commission believes that three ATSs executing transactions in corporate debt would likely exceed the proposed average daily transaction volume threshold.10

c. Plan Processor

Under proposed Rule 1000(a), the term "plan processor" would have the meaning set forth in Rule 600(b)(55) of Regulation NMS, which defines a "plan processor" as "any self-regulatory organization or securities information processor acting as an exclusive processor in connection with the development, implementation and/or operation of any facility contemplated by an effective national market system plan."

Since a plan processor is not required to be an SRO, and the systems of such entities deal with key market data, the Commission believes that such entities should be independently subject to the requirements of Reg SCI. Currently, this definition would cover the Securities Industry Automation Corporation ("SIAC"), as the processor for the CTA, CQS Plan and OPRA Plans, and Nasdaq, as the processor for the Nasdaq UTP Plan.11

d. Exempt Clearing Agency Subject to ARP

Proposed Rule 1000(a) would define the term "exempt clearing agency subject to ARP" as "an entity that has received from the Commission an exemption from registration as a clearing agency under Section 17A of the [Exchange] Act, and whose exemption contains conditions that relate to the Commission's Automation Review Policies, or any Commission regulation that supersedes or replaces such policies." This proposed definition presently would apply to one entity, Global Joint Venture Matching Services—US, LLC ("Omgeo").

e. Comment Requested Regarding Other Potential SCI Entities

The Commission has requested comment on whether to expand Reg SCI to apply to other types or categories of market participants. In particular, the Commission has asked whether it should apply the requirements of Reg SCI, in whole or in part, to security-based swap data repositories ("SB SDRs") and security-based swap execution facilities ("SB SEFs"). Recently, the SEC proposed Rules 13n-6 and 822 under the Exchange Act, which would set forth the requirements for these entities with regard to their automated systems' capacity, resiliency and security.12 These requirements are comparable to those in the ARP Program. Therefore, if the SEC were to extend Reg SCI to SB SDRs and SB SEFs, the requirements would go beyond those set forth in proposed Rules 13n-6 and 822.

In addition, the Commission solicited comment on whether it would be appropriate to extend all or some of the safeguards of Reg SCI to other types or categories of broker-dealers in addition to SCI ATSs. Such broker-dealers could include, for example, OTC market makers (either all or those that execute a significant volume of orders), exchange market makers (either all or those that trade a significant volume on exchanges), order entry firms that handle and route order flow for execution (either all or those that handle a significant volume of investor orders), clearing broker-dealers (either all or those that engage in a significant amount of clearing activities), and large multi-service broker-dealers that engage in a variety of order handling, trading, and clearing activities. The Commission noted that systems issues at these broker-dealers could pose a significant risk to the market.

2. Relevant Systems: SCI Systems and SCI Security Systems

Reg SCI would apply to "SCI systems" and a subset of Reg SCI—the provisions of Reg SCI relating to security standards and systems intrusions—would apply to "SCI security systems," each as defined below. The proposed definitions of SCI systems and SCI security systems together are intended to reach all of the systems that would be reasonably likely to impact a SCI entity's operational capability and the maintenance of fair and orderly markets.

a. SCI Systems

Proposed Rule 1000(a) would define the term "SCI systems" to mean "all computer, networks, electronic, technical, automated, or similar systems of, or operated by or on behalf of, an SCI entity, whether in production, development, or testing, that directly support trading, clearance and settlement, order routing, market data, regulation, or surveillance." Therefore, the definition is intended to capture not only core systems for the functioning of the US securities markets (e.g., trading, clearance and settlement, order routing, market data, regulation and surveillance systems), but also systems of exchange-affiliated routing brokers that are facilities of national securities exchanges or such systems operated on behalf of national securities exchanges, as well as regulatory systems (e.g., systems for the regulation of the over-the-counter market, systems used to carry out regulatory services agreements, and similar future systems, including the consolidated audit trail repository). Moreover, the definition would not be limited to SCI entity-owned systems, but also would include those systems meeting the definition that are operated on behalf of the SCI entity by a third party.

b. SCI Security Systems

Because some SCI systems may be highly interconnected with other systems, the Commission is concerned that a security issue or systems intrusion with respect to these other systems would be reasonably likely to cause an issue with respect to SCI systems. Therefore, the Commission has proposed applying the provisions of Reg SCI relating to security standards and systems intrusions to these other systems, named in Reg SCI as "SCI security systems." Proposed Rule 1000(a) would define the term "SCI security systems" to mean "any systems that share network resources with SCI systems that, if breached, would be reasonably likely to pose a security threat to SCI systems." Depending on the relevant facts, examples of SCI security systems may include (1) systems pertaining to corporate operations (e.g., systems that support web-based services, administrative services, electronic filing, email capability and intranet sites, as well as financial and accounting systems) that are typically accessed by an array of users (e.g., employees or executives of the SCI entity) authorized to view non-public information; and (2) systems by which an SCI entity provides a service to issuers, participants, or clients (e.g., transaction services, infrastructure services, and data services) that may be accessed by employees or other representatives of the issuer, participant, or client organization.

3. SCI Events

Rule 1000(a) would define the term "SCI event" as "an event at an SCI entity that constitutes: (1) a systems disruption; (2) a systems compliance issue; or (3) a systems intrusion." Rule 1000(a), in turn, would define each of these three terms.

a. Systems Disruption

The Commission would define the term "systems disruption" to mean an event in an SCI entity's SCI systems that results in one or more of the following seven issues or elements:13

  • The first proposed issue is "a failure to maintain service level agreements or constraints." This would include, for example, a failure or inability of the SCI entity to honor its contractual obligations to provide a specified level or speed of service to users of its SCI systems.
  • The second proposed element is "a disruption of normal operations, including switchover to back-up equipment with near-term recovery of primary hardware unlikely." The Commission intends "a disruption of normal operations" to capture problems with SCI systems such as programming errors, testing errors, systems failures, or if a system release is backed out after it is implemented in production.
  • The third proposed element, "a loss of use of any such system," would cover situations in which an SCI system is broken, offline, or otherwise out of commission. For example, the Commission intends that a failure of primary trading or clearance and settlement systems, even if immediately replaced by backup systems without any disruption to normal operations, would be covered under this third proposed element.
  • The fourth proposed element is "a loss of transaction or clearance and settlement data."
  • The fifth and sixth proposed elements are "significant back-ups or delays in processing" or a "significant diminution of ability to disseminate timely and accurate market data," respectively. These proposed elements are intended to include, for example, (1) circumstances in which a problem with an SCI system results in a slowdown or disruption of operations that would adversely affect customers, impair quotation or price transparency, or impair accurate and timely regulatory reporting; (2) instances in which message traffic is throttled (i.e., slowed) by an SCI entity for any market participant, other than pursuant to an SCI entity's rules, user agreements, or governing documents, as applicable; (3) instances in which customers or systems users have complained or inquired about a slowdown or disruption of operations, including, for example, a slowdown or disruption in their receipt of market data; and (4) the entry, processing, or transmission of erroneous or inaccurate orders, trades, price-reports, other information in the securities markets or clearance and settlement systems, or any other significant deterioration in the transmission of market data in an accurate, timely, and efficient manner.
  • Finally, the seventh proposed issue is "a queuing of data between system components or queuing of messages to or from customers of such duration that normal service delivery is affected." The Commission believes that such queuing is often a warning signal of significant disruption of normal system operations.14

b. Systems Compliance Issue

The Commission proposes to define the term "systems compliance issue" as "an event at an SCI entity that has caused any SCI system of such entity to operate in a manner that does not comply with the federal securities laws and rules and regulations thereunder or the entity's rules or governing documents, as applicable." For example, a systems compliance issue could arise if a system's operation fails to comply with federal securities laws because there has been a miscommunication between an SCI SRO's information technology staff and its legal or regulatory staff regarding a SCI system's design or requisite regulatory approvals, or because of an error by the information technology staff. The phrase "operate in a manner that does not comply with . . . the entity's rules or governing documents" would mean, for example, that an SCI entity is operating in a manner that does not comply with its rules (for SCI SROs), the applicable effective national market system plan (for plan processors), documents such as subscriber agreements and any rules provided to subscribers and users (for ATSs and exempt clearing agencies subject to ARP), or Form ATS (for ATSs).

c. Systems Intrusion

The Commission proposes that "systems intrusion" be defined as "any unauthorized entry into the SCI systems or SCI security systems of an SCI entity." The proposed definition is intended to cover all unauthorized entry into SCI systems or SCI security systems by outsiders, employees, or agents of the SCI entity, regardless of whether the intrusions were part of a cyber attack, potential criminal activity, or other unauthorized attempt to retrieve, manipulate or destroy data, or access or disrupt systems of SCI entities. In addition, the proposed definition is intended to cover unauthorized access, whether intentional or inadvertent, by employees or agents of the SCI entity that result from weaknesses in the SCI entity's access controls and/or procedures. The proposed definition would not, however, cover unsuccessful attempts at unauthorized entry.

C. OBLIGATIONS OF SCI ENTITIES

Paragraphs (b) through (f) of proposed Rule 1000 set forth various requirements that would apply to SCI entities. As discussed in detail below, these requirements include: written policies and procedures regarding systems capacity, integrity, resiliency, availability and security; obligations with regard to corrective actions; reporting of SCI events to the Commission; dissemination of information relating to certain SCI events to members or participants; reporting of material systems changes; SCI review of compliance with Reg SCI; the participation of designated members or participants of SCI entities in testing business continuity and disaster recovery plans; recordkeeping; electronic submission of reports, notifications and other communications on Form SCI; and access to systems of SCI entities.

1. Written Policies and Procedures to Safeguard Capacity, Integrity, Resiliency, Availability and Security

Proposed Rule 1000(b)(1) would require each SCI entity to establish, maintain, and enforce written policies and procedures reasonably designed to ensure that its SCI systems and, for purposes of security standards, SCI security systems, have levels of capacity, integrity, resiliency, availability, and security adequate to maintain the SCI entity's operational capability and promote the maintenance of fair and orderly markets. Proposed Rule 1000(b)(1)(i) would further provide that such policies and procedures include, at a minimum, the following:

  • The establishment of reasonable current and future capacity planning estimates.15
  • Periodic capacity stress tests of such systems to determine their ability to process transactions in an accurate, timely, and efficient manner.16 The Commission believes that this and the prior requirement would help an SCI entity determine its systems' ability to process transactions in an accurate, timely, and efficient manner.
  • A program to review and keep current systems development and testing methodology for such systems.17 The Commission believes that this would help ensure that the SCI entity continues to monitor and maintain systems capacity and availability. This and the prior two bullets are substantively the same as the requirements of Rule 301(b)(6)(ii)(A)-(C) of Regulation ATS, applicable to significant-volume ATSs, and trace their origin to the ARP I release.
  • Regular reviews and testing of such systems, including backup systems, to identify vulnerabilities pertaining to internal and external threats, physical hazards, and natural and manmade disasters.18 Unlike Rule 301(b)(6)(ii)(D) of Regulation ATS, this item includes "manmade disasters," such as acts of terrorism and sabotage, in the list of vulnerabilities an SCI entity would be required to consider and protect against. The Commission believes that this requirement would assist an SCI entity in ascertaining whether its systems are and remain sufficiently secure and resilient.
  • Business continuity and disaster recovery plans that include maintaining backup and recovery capabilities sufficiently resilient and geographically diverse to ensure next-business-day resumption of trading and two-hour resumption of clearance and settlement services following a wide-scale disruption.19 This provision is substantially similar to a requirement in Rule 301(b)(6)(ii) of Regulation ATS and ARP I. However, this item would impose definitive time limits for resuming trading and clearance and settlement services after a wide-scale disruption.
  • Standards that result in the design, development, testing, maintenance, operation, and surveillance of such systems in a manner that facilitates the successful collection, processing, and dissemination of market data.20 This is a new requirement that has no precedent in either Rule 301(b)(6) of Regulation ATS or the ARP policy statements. The Commission believes that this requirement would assist an SCI entity in ensuring that its market data systems are designed to maintain market integrity.

Proposed Rule 1000(b)(1)(ii) would deem an SCI entity's policies and procedures required by proposed Rule 1000(b)(1) to be reasonably designed if they are consistent with SCI industry standards. The Commission would require that any SCI industry standards be: (1) comprised of information technology practices that are widely available for free to information technology professionals in the financial sector; and (2) issued by an authoritative body that is a US governmental entity or agency, an association of US governmental entities or agencies, or a widely recognized organization.21 Table A in the Proposing Release lists the publication(s) that the Commission has preliminarily identified as SCI industry standards.22 The Commission emphasizes, however, that compliance with the identified SCI industry standards would not be the exclusive means to comply with the requirements of proposed Rule 1000(b)(1). By drafting proposed Rule 1000(b)(1)(ii) in this manner, the Commission intends to provide SCI entities sufficient flexibility, based on the nature, size, technology, business model, and other aspects of their business, to identify appropriate policies and procedures to comply with proposed Rule 1000(b)(1).

2. Systems Compliance

Proposed Rule 1000(b)(2)(i) would require each SCI entity to establish, maintain, and enforce written policies and procedures reasonably designed to ensure that its SCI systems operate in the manner intended, including in a manner that complies with the federal securities laws and rules and regulations thereunder and the entity's rules and governing documents, as applicable.23 Because of the complexity of SCI systems and the breadth of the federal securities laws and rules and regulations thereunder and the SCI entities' rules and governing documents, the Commission believes that it would be appropriate to provide an explicit safe harbor for SCI entities and their employees in the event that a system compliance issue develops. Therefore, the Commission is proposing Rules 1000(b)(2)(ii) and (iii), which would provide a safe harbor from liability under proposed Rule 1000(b)(2)(i) for SCI entities and persons employed by SCI entities, respectively.

Specifically, proposed Rule 1000(b)(2)(ii) provides that an SCI entity would be deemed not to have violated proposed Rule 1000(b)(2)(i) if:

  • the SCI entity has established and maintained policies and procedures reasonably designed to provide for: (1) testing of all SCI systems and any changes to such systems prior to implementation; (2) periodic testing of all such systems and any changes to such systems after their implementation; (3) a system of internal controls over changes to such systems; (4) ongoing monitoring of the functionality of such systems to detect whether they are operating in the manner intended; (5) assessments of SCI systems compliance performed by personnel familiar with applicable federal securities laws and rules and regulations thereunder and the SCI entity's rules and governing documents, as applicable; and (6) review by regulatory personnel of SCI systems design, changes, testing, and controls to prevent, detect, and address actions that do not comply with applicable federal securities laws and rules and regulations thereunder and the SCI entity's rules and governing documents, as applicable;24
  • the SCI entity has established and maintained a system for applying such policies and procedures which would reasonably be expected to prevent and detect, insofar as practicable, any violations of such policies and procedures by the SCI entity or any person employed by the SCI entity;25 and
  • the SCI entity: (1) has reasonably discharged the duties and obligations incumbent upon the SCI entity by such policies and procedures, and (2) was without reasonable cause to believe that such policies and procedures were not being complied with in any material respect.26

In addition, proposed Rule 1000(b)(2)(iii) would provide a safe harbor from liability for individuals, as opposed to SCI entities. Specifically, proposed Rule 1000(b)(2)(iii) would provide that a person employed by an SCI entity shall be deemed not to have aided, abetted, counseled, commanded, caused, induced, or procured the violation by any other person of proposed Rule 1000(b)(2)(i) if the person employed by the SCI entity has reasonably discharged the duties and obligations incumbent upon such person by such policies and procedures, and was without reasonable cause to believe that such policies and procedures were not being complied with in any material respect.

3. Corrective Action

Proposed Rule 1000(b)(3) would require an SCI entity, upon any responsible SCI personnel becoming aware of an SCI event, to begin to take appropriate corrective action including, at a minimum, mitigating potential harm to investors and market integrity resulting from the SCI event and devoting adequate resources to remedy the SCI event as soon as reasonably practicable.

Proposed Rule 1000(a) would define "responsible SCI personnel" to mean, for a particular SCI system or SCI security system impacted by an SCI event, any personnel, whether an employee or agent, of an SCI entity having responsibility for such system. This definition is intended to include, for example, (1) any technology, business or operations staff of an SCI entity with responsibility for SCI systems or SCI security systems; (2) with respect to systems compliance issues, regulatory, legal and compliance personnel with legal or compliance responsibility for such systems; (3) both senior level and junior level personnel of the SCI entity with relevant responsibilities; and (4) agents of the SCI entity with responsibility for SCI systems and SCI security systems, such as personnel of an external firm hired by the SCI entity to monitor the operation of such systems. The Commission, however, does not intend to include all personnel of an SCI entity in the proposed definition. For example, personnel of the SCI entity who have no responsibility for any SCI system or SCI security system of an SCI entity are not intended to be included in the proposed definition.

4. Commission Notification

Proposed Rule 1000(b)(4) would address the obligation of an SCI entity to notify the SEC upon any responsible SCI personnel becoming aware of an SCI event. The Commission believes that the comprehensive reporting of all SCI events under this proposed rule would facilitate the Commission's regulatory oversight of the national securities markets. These reporting requirements should provide the SEC with an aggregate and comprehensive set of data on SCI events, which would be a significant improvement over the current state of administration, whereby SCI entities report events through multiple methods and with varying consistency.27

Proposed Rule 1000(b)(4)(i) would require an SCI entity to notify the Commission, orally (e.g., by telephone) or in writing (e.g., by email), upon any responsible SCI personnel becoming aware of an "immediate notification SCI event"—that is, a systems disruption that the SCI entity reasonably estimates would have a material impact on its operations or on market participants, any systems compliance issue, or any systems intrusion. The Commission believes that, by not prescribing the precise method of communication for this initial notification, the SCI entities would have the needed flexibility to determine the most appropriate method.28 Further, if the responsible SCI personnel became aware of such an SCI event outside of normal business hours, the SCI entity would still be required to notify the Commission at that time rather than, for example, the start of the next business day.

Proposed Rule 1000(b)(4)(ii) would require an SCI entity to submit a written notification pertaining to any SCI event to the Commission within 24 hours of any responsible SCI personnel becoming aware of the SCI event. Proposed Rule 1000(b)(4)(iii) would require an SCI entity to submit to the Commission continuing written updates on a regular basis, or at such frequency as reasonably requested by a representative of the Commission, until such time as the SCI event is resolved.

Proposed Rule 1000(b)(4)(iv) would require that any written notification to the SEC made pursuant to Rule 1000(b)(4)(ii) or (iii) be made on new proposed Form SCI, and include all information as prescribed in Form SCI and the instructions thereto. Proposed Rule 1000(b)(4)(iv)(A)(1) would provide that a written notification under Rule 1000(b)(4)(ii) must include all pertinent information known about an SCI event, including: (1) a detailed description of the SCI event; (2) the SCI entity's current assessment of the types and number of market participants potentially affected by the SCI event; (3) the potential impact of the SCI event on the market; and (4) the SCI entity's current assessment of the SCI event, including a discussion of the SCI entity's determination regarding whether the SCI event is a dissemination SCI event or not. In addition, as set forth in proposed Rule 1000(b)(iv)(A)(2), to the extent available as of the time of the initial notification under Rule 1000(b)(4)(ii), the notification must include (1) a description of the steps the SCI entity is taking, or plans to take, with respect to the SCI event; (2) the time the SCI event was resolved or timeframe within which the SCI event is expected to be resolved; (3) a description of the SCI entity's rule(s) and/or governing documents, as applicable, that relate to the SCI event; and (4) an analysis of the parties that may have experienced a loss, whether monetary or otherwise, due to the SCI event, the number of such parties, and an estimate of the aggregate amount of such loss.

For a notification made pursuant to paragraph (b)(4)(iii), proposed Rule 1000(b)(4)(iv)(B) would require an SCI entity to update any of the pertinent information contained in previous written notifications, including any information required by proposed Rule 1000(b)(4)(iv)(A)(2) that was not available at the time of initial submission. Subsequent notifications would be required to update any of the pertinent information previously provided until the SCI event is resolved.

In addition, proposed Rule 1000(b)(4)(iv)(C) would further require an SCI entity to provide a copy of any information disseminated to date regarding the SCI event to its members or participants or on the SCI entity's publicly available website.

Proposed Rule 1000(b)(4) would require that any written notification as described above be made electronically on new proposed Form SCI, and include all information as prescribed in Form SCI and the instructions thereto. Specifically, for a written notification to the Commission of an SCI event under proposed Rule 1000(b)(4)(ii), new proposed Form SCI would require that an SCI entity indicate that the filing is being made pursuant to proposed Rule 1000(b)(4)(ii) and provide the following information in a short, standardized format: (1) whether the filing is a Rule 1000(b)(4)(ii) notification or Rule 1000(b)(4)(iii) update of an SCI event; (2) the SCI event type(s) (i.e., systems compliance issue, systems intrusion, and/or systems disruption); (3) whether the event is a systems disruption that the SCI entity reasonably estimates would have a material impact on its operations or on market participants; (4) if so, whether the Commission has been notified of the SCI event; (5) whether the SCI event has been resolved; (6) the date/time the SCI event started; (7) the duration of the SCI event; (8) the date and time when responsible SCI personnel became aware of the SCI event; (9) the estimated number of market participants impacted by the SCI event; (10) the type(s) of systems impacted; and (11) if applicable, the type of systems disruption.

In addition, proposed Form SCI would require attachment of Exhibit 1, providing a narrative description of the SCI event, including: (1) a detailed description of the SCI event; (2) the SCI entity's current assessment of the types and number of market participants potentially affected by the SCI event; (3) the potential impact of the SCI event on the market; and (4) the SCI entity's current assessment of the SCI event, including a discussion of the SCI entity's determination regarding whether the SCI event is a dissemination SCI event (as defined below) or not. In addition, to the extent available as of the time of the initial notification, Exhibit 1 would require inclusion of the following information: (1) a description of the steps the SCI entity is taking, or plans to take, with respect to the SCI event; (2) the time the SCI event was resolved or timeframe within which the SCI event is expected to be resolved; (3) a description of the SCI entity's rule(s) and/or governing documents, as applicable, that relate to the SCI event; and (4) an analysis of the parties that may have experienced a loss, whether monetary or otherwise, due to the SCI event, the number of such parties, and an estimate of the aggregate amount of such loss.

With regard to an update regarding an SCI event, Form SCI would require that an SCI entity indicate that it is providing any such update pursuant to Rule 1000(b)(4)(iii) and attach such update as Exhibit 2 to Form SCI. Moreover, if any of the foregoing information is not available for inclusion on Exhibit 1 as of the date of the initial notification, the SCI entity would be required to provide such information on Exhibit 2 when it becomes available. The information proposed to be required in narrative format in Exhibit 1, and if applicable, Exhibit 2, is intended to elicit a fuller description of the SCI event, and would require an SCI entity to provide detail and context not easily conveyed in short-form responses.

Proposed Form SCI would further require attachment of Exhibit 3, providing a copy in pdf or html format of any information disseminated to date regarding the SCI event to its members or participants or on the SCI entity's publicly available website.

5. Dissemination of Information to Members or Participants

Proposed Rule 1000(b)(5) would require information relating to "dissemination SCI events" to be disseminated to members or participants, and would specify the nature and timing of such disseminations, with a limited delay permitted for certain systems intrusions, as discussed further below.29 The Commission proposes to define the term "dissemination SCI event" as "an SCI event that is a: (1) systems compliance issue; (2) systems intrusion; or (3) systems disruption that results, or the SCI entity reasonably estimates would result, in significant harm or loss to market participants." This requirement is intended to aid members or participants of SCI entities in determining whether their trading activity has been or might be impacted by the occurrence of an SCI event at an SCI entity, so that they could consider that information in making trading decisions, seeking corrective action or pursuing remedies, or taking other responsive action. Further, this requirement could provide an incentive for SCI entities to devote more resources and attention to improving the integrity and compliance of their systems and preventing the occurrence of SCI events.

Proposed Rule 1000(b)(5)(i)(A) would require that an SCI entity, promptly after any responsible SCI personnel (as defined above) become aware of a dissemination SCI event other than a systems intrusion, disseminate to its members or participants the following information about such SCI event: (1) the systems affected by the SCI event; and (2) a summary description of the SCI event. In addition, proposed Rule 1000(b)(5)(i)(B) would require an SCI entity to further disseminate to its members or participants, when known: (1) a detailed description of the SCI event; (2) the SCI entity's current assessment of the types and number of market participants potentially affected by the SCI event; and (3) a description of the progress of its corrective action for the SCI event and when the SCI event has been or is expected to be resolved. Proposed Rule 1000(b)(5)(i)(C) would further require an SCI entity to provide regular updates to members or participants on any of the information required to be disseminated under proposed Rules 1000(b)(5)(i)(A) and (i)(B).

Proposed Rule 1000(b)(5)(ii) would provide a limited exception to the requirement of prompt dissemination of information to members or participants for certain systems intrusions. Proposed Rule 1000(b)(5)(ii) would require an SCI entity, promptly after any responsible SCI personnel become aware of a systems intrusion, to disseminate to its members or participants a summary description of the systems intrusion, including a description of the corrective action taken by the SCI entity and when the systems intrusion was resolved or an estimate of when the systems intrusion is expected to be resolved. The prompt dissemination of such information, however, would not be required if the SCI entity determines that dissemination of such information would likely compromise the security of the SCI entity's SCI systems or SCI security systems, or an investigation of the systems intrusion, and the SCI entity documents the reasons for such determination. The Commission believes that there may be circumstances in which the dissemination of information relating to a systems intrusion should be delayed, for example, to avoid compromising the investigation or resolution of a systems intrusion. If an SCI entity determines to delay the dissemination of information to members or participants relating to a systems intrusion, it would be required to make an affirmative determination and document the reasons for such determination that such dissemination would likely compromise the security of its SCI systems or SCI security systems, or an investigation of the systems intrusion. If it cannot make such a determination, or at whatever point in time such a determination no longer applies, the SCI entity must disseminate the information relating to the systems intrusion to the SCI entity's members or participants.

The information required to be disseminated to members or participants for systems intrusions by proposed Rule 1000(b)(5)(ii) is not as extensive as that required to be disseminated to members or participants for other types of dissemination SCI events. The Commission is sensitive to the fact that dissemination of too much detailed information regarding a systems intrusion may provide hackers or others seeking unauthorized entry into the systems of an SCI entity with insights into the potential vulnerabilities of the SCI entity's systems. At the same time, the occurrence of a systems intrusion may reveal a weakness in the SCI systems or SCI security systems of the SCI entity that warrants dissemination of information about such event to the SCI entity's members or participants. Proposed Rule 1000(b)(5)(ii) is therefore intended to strike an appropriate balance by requiring dissemination to members or participants, which may be delayed when necessary, of key summary information about a given systems intrusion.

6. Notification of Material Systems Changes

To help ensure the Commission has information about important systems changes at an SCI entity, proposed Rule 1000(b)(6) would require an SCI entity, absent exigent circumstances, to notify the Commission in writing at least 30 calendar days before implementation of any planned material systems changes, including a description of the planned material systems changes as well as the expected dates of commencement and completion of implementation of such changes.

Rule 1000(a) of Reg SCI would define "material systems change" as change to one or more: (1) SCI systems of an SCI entity that: (i) materially affects the existing capacity, integrity, resiliency, availability, or security of such systems; (ii) relies upon materially new or different technology; (iii) provides a new material service or material function; or (iv) otherwise materially affects the operations of the SCI entity; or (2) SCI security systems of an SCI entity that materially affects the existing security of such systems. Examples of changes that could be included within this proposed definition are: major systems architecture changes; reconfigurations of systems that would cause a variance greater than five percent in throughput or storage; the introduction of new business functions or services; changes to external interfaces; changes that could increase susceptibility to major outages; changes that could increase risks to data security; changes that were, or would be, reported to or referred to the entity's board of directors, a body performing a function similar to the board of directors, or senior management; and changes that could require allocation or use of significant resources. In addition, the Commission believes that any systems change occurring as a result of the discovery of an actual or potential systems compliance issue would be material.

If exigent circumstances existed, or if the information previously provided to the Commission regarding any planned material systems change has become materially inaccurate, the SCI entity would be required to notify the Commission, either orally or in writing, as early as reasonably practicable. The SCI entity must memorialize an oral notification in writing within 24 hours. The existence of exigent circumstances would be determined by the SCI entity and might exist where, for example, (1) a systems compliance issue or systems intrusion were discovered that requires immediate corrective action to ensure compliance with the Exchange Act and the rules and regulations thereunder, and/or the SCI entity's own rules and procedures; (2) the information previously provided to the Commission regarding a material systems change has become materially inaccurate (e.g., a material systems change's expected implementation completion date were to be substantially delayed because of an inability to procure systems components, or due to difficulties in systems programming); or (3) an SCI entity decided to significantly alter the scope of its planned material systems change.30

A written notification to the Commission made pursuant to paragraph (b)(6) would be required to be made electronically on Form SCI and include all information as prescribed in Form SCI and the instructions thereto. Specifically, Form SCI would require an SCI entity to indicate on Form SCI that it is filing a planned material systems change notification; provide the date of the planned material systems change; indicate whether exigent circumstances exist or if the information previously provided to the Commission regarding any planned material systems change has become materially inaccurate, and, if so, whether the Commission has been notified orally; and attach as Exhibit 4 a description of the planned material systems change as well as the expected dates of commencement and completion of implementation of such changes, or, if applicable, a material systems change that has already been made due to exigent circumstances.

7. Review of Systems

Similar to the practice in place under the current ARP Program, proposed Rule 1000(b)(7) would require an SCI entity to conduct an SCI review of the SCI entity's compliance with Reg SCI not less than once each calendar year, and submit a report of the SCI review to senior management of the SCI entity no more than 30 calendar days after completion of such SCI review. Proposed Rule 1000(a) would define the term "SCI review" to mean a review, following established procedures and standards, that is performed by objective personnel having appropriate experience in conducting reviews of SCI systems and SCI security systems, and which review contains: (1) a risk assessment with respect to such systems of the SCI entity; and (2) an assessment of internal control design and effectiveness to include logical and physical security controls, development processes, and information technology governance, consistent with industry standards. In addition, such review would be required to include penetration test reviews of the SCI entity's network, firewalls, development, testing and production systems at a frequency of not less than once every three years. These requirements are intended to help an SCI entity assess the effectiveness of its information technology practices and determine where to best devote resources, and to evaluate its system's security and resiliency in the face of attempted and successful systems intrusions.

To satisfy the criterion that an SCI review be conducted by "objective personnel," the review should be performed by persons who have not been involved in the development, testing, or implementation of the systems being reviewed. Accordingly, the SCI review could be performed by personnel of the SCI entity (e.g., an SCI entity's internal audit department) or an external firm with objective personnel.

8. Periodic Reports

Proposed Rule 1000(b)(8)(i) would require an SCI entity to submit to the Commission a report of the SCI review required by paragraph (b)(7), together with any response by senior management, within 60 calendar days after its submission to senior management of the SCI entity. In addition, proposed Rule 1000(b)(8)(ii) would require each SCI entity to submit a report within 30 calendar days after the end of June and December of each year containing a summary description of the progress of any material systems change during the six-month period ending on June 30 or December 31, as the case may be, and the date, or expected date, of completion of implementation of such changes.31

Pursuant to proposed Rule 1000(b)(8)(iii), the reports required to be submitted to the Commission by proposed Rule 1000(b)(8) would be required to be submitted electronically as prescribed in Form SCI and the instructions thereto. Specifically, for filings of the reports of SCI reviews, proposed Form SCI would require an SCI entity to indicate on Form SCI that it is filing a report of SCI review, indicate the date of completion of the SCI review, and indicate the date of submission of the SCI review to the SCI entity's senior management. The report of the SCI review required by proposed Rule 1000(b)(7), together with any response by senior management, would be required to be submitted as Exhibit 5 to proposed Form SCI. For filings of the semi-annual reports of material systems changes, proposed Form SCI would require an SCI entity to indicate on Form SCI that it is filing a semi-annual report of material systems changes, and attach the semi-annual report as Exhibit 6 to proposed Form SCI.

9. SCI Entity Business Continuity and Disaster Recovery Plans Testing Requirements for Members or Participants

Proposed Rule 1000(b)(9) would require the testing of business continuity and disaster recovery plans by SCI entity members or participants. The Commission believes that the viability of an SCI entity's business continuity and disaster recovery plans, and the usefulness of its backup systems, depend upon the ability of such members or participants to be ready, able, and willing to use such systems during an actual disaster or disruption.

Specifically, proposed Rule 1000(b)(9)(i) would require an SCI entity, with respect to its business continuity and disaster recovery plans, including its backup systems, to require participation by designated members or participants in scheduled functional and performance testing of the operation of such plans, in the manner and frequency as specified by the SCI entity, at least once every 12 months. Such functional and performance testing should include not only testing of connectivity, but also testing of an SCI entity's systems, such as order entry, execution, clearance and settlement, order routing, and the transmission and/or receipt of market data, as applicable, to determine if they can operate as contemplated by its business continuity and disaster recovery plans. Because the Commission believes that SCI entities are in the best position to structure the details of the test to maximize its usefulness, proposed Rule 1000(b)(9)(i) would provide an SCI entity with discretion to determine the precise manner and content of the testing, including, for example, the duration of the testing, the sample size of transactions tested, the scenarios tested, and the scope of the test.

In addition, proposed Rule 1000(b)(9)(ii) would require an SCI entity to coordinate such testing on an industry- or sector-wide basis with other SCI entities. Again, recognizing that the SCI entities are best suited to finding the most efficient and effective way to test, the Commission would provide SCI entities with discretion to determine how best to meet this requirement.

Proposed Rule 1000(b)(9)(iii) would require each SCI entity to designate those members or participants it deems necessary, for the maintenance of fair and orderly markets in the event of the activation of its business continuity and disaster recovery plans, to participate in the testing of such plans pursuant to paragraph (i) discussed above. In addition, each SCI entity would be required to notify the Commission of such designations as well as its standards for designation, and promptly update such notification after any changes to its designations or standards. Rule 1000(b)(9)(iii) requires each SCI entity to make any written notification electronically on Form SCI. Form SCI would require such information to be submitted as Exhibit 7 to Form SCI. Thus, with regard to an SCI entity's standards, an SCI SRO would be required to attach any relevant provisions of its rules, an SCI ATS or exempt clearing agency subject to ARP would be required to attach its relevant internal processes or other documents, and a plan processor would be required to attach the relevant provisions of its SCI plan. Further, proposed Rule 1000(b)(9)(iii) would require each SCI entity to provide to the Commission on Form SCI the list of designated members or participants and promptly update such notification following any changes to the designations.

10. Recordkeeping Requirements

Proposed Rule 1000(c) would set forth the recordkeeping requirements for SCI entities with respect to records relating to Reg SCI compliance. Under proposed Rule 1000(c)(1), SCI SROs would be required to make, keep, and preserve all documents relating to their compliance with Reg SCI, as prescribed by Rule 17a-1 under the Exchange Act. Consistent with the recordkeeping requirements applicable to SCI SROs, proposed Rule 1000(c)(2) would require each SCI entity that is not an SCI SRO (i.e., SCI ATSs, plan processors, and exempt clearing agencies subject to ARP) to make, keep, and preserve at least one copy of all documents, including correspondence, memoranda, papers, books, notices, accounts, and other such records, relating to its compliance with Reg SCI, including, but not limited to, records relating to any changes to its SCI systems and SCI security systems, for a period of not less than five years, the first two years in a place that is readily accessible to the Commission or its representatives for inspection and examination. Upon request of any representative of the Commission, such SCI entities would be required to promptly furnish such representative copies of any documents required to be kept and preserved by it under proposed Rule 1000(c)(2).

Proposed Rule 1000(c)(3), applicable to all SCI entities, would require each SCI entity, upon or immediately prior to ceasing to do business or ceasing to be registered under the Exchange Act, to take all necessary action to ensure that records required to be made, kept, and preserved by proposed Rule 1000(c) would be accessible to the Commission or its representatives for the remainder of the period required by proposed Rule 1000(c). For example, an SCI entity could fulfill its obligations under proposed Rule 1000(c)(3) by delivering such records, immediately prior to deregistration, to a repository or other similar entity and by making all necessary arrangements for such records to be readily accessible to the Commission or its representative for inspection and examination for the duration of the requirement under proposed Rule 1000(c)(3).

Proposed Rule 1000(e) would provide that, if the records required to be made or kept by an SCI entity under proposed Reg SCI were prepared or maintained by a service bureau or other recordkeeping service on behalf of the SCI entity, the SCI entity would be required to ensure that the records are available for review by the Commission and its representatives by submitting a written undertaking, in a form acceptable to the Commission, by such service bureau or other recordkeeping service, signed by a duly authorized person at such service bureau or other recordkeeping service. The written undertaking would be required to include an agreement by the service bureau designed to permit the Commission and its representatives to examine such records at any time or from time to time during business hours, and to promptly furnish to the Commission and its representatives true, correct, and current electronic files in a form acceptable to the Commission or its representatives or hard copies of any, all, or any part of such records, upon request, periodically, or continuously and, in any case, within the same time periods as would apply to the SCI entity for such records. The preparation or maintenance of records by a service bureau or other recordkeeping service would not relieve an SCI entity from its obligation to prepare, maintain, and provide the Commission and its representatives with access to such records.32

11. Electronic Submission of Reports, Notifications, and Other Communications on Form SCI

Proposed Rule 1000(d) provides that, except with respect to notifications to the Commission under proposed Rule 1000(b)(4)(i) (Commission notification of certain SCI events), and oral notifications to the Commission under proposed Rule 1000(b)(6)(ii) (Commission notification of certain material systems changes), any notification, review, description, analysis or report required to be submitted to the Commission under proposed Reg SCI must be submitted electronically on Form SCI and contain an electronic signature. The Commission's proposal contemplates the use of an online filing system, similar to the electronic form filing system currently used by SCI SROs to submit Form 19b-4 filings.

12. Access to the Systems of an SCI Entity

Proposed Rule 1000(f) would require SCI entities to provide Commission representatives reasonable access to their SCI systems and SCI security systems in order to assess the SCI entity's compliance with Rule 1000. Thus, the proposed rule would facilitate the access of representatives of the Commission to such systems of an SCI entity either remotely or on site.

D. NEW PROPOSED FORM SCI

The Commission is proposing that the notices, reports, and other information required to be provided to the Commission pursuant to proposed Rules 1000(b)(4), (6), (8), and (10) of Reg SCI be submitted electronically on new proposed Form SCI. Proposed Form SCI would solicit information through a series of questions designed to elicit short-form answers and also would require SCI entities to provide information and/or reports in narrative form by attaching specified exhibits. All filings on proposed Form SCI would require that an SCI entity identify itself and indicate the basis for submitting Form SCI, whether a: (1) notification or update notification regarding an SCI event pursuant to proposed Rule 1000(b)(4); (2) notice of a planned material systems change pursuant to proposed Rule 1000(b)(6); (3) submission of a required report pursuant to proposed Rule 1000(b)(8); (4) or notification of an SCI entity's standards for designation of members or participants to participate in required testing and the identity of such designated members or participants pursuant to proposed Rule 1000(b)(9). A filing on Form SCI required by proposed Rules 1000(b)(4), (6), (8), or (9) would require that an SCI entity provide additional information on attached exhibits, as discussed above.33

Footnotes

1 Securities Exchange Act Release No. 69077 (March 8, 2013), 78 Fed. Reg. 18084 (March 25, 2013) ("Proposing Release").

2 The SEC noted such recent events as the "flash crash" of May 6, 2010, the systems issues that affected the initial public offerings of BATS Global Markets, Inc. and Facebook, Inc., the hacking of the systems of NASDAQ OMX Group, and the two-day market closure due to Superstorm Sandy.

3 The ARP Program, established by the Commission's two policy statements, each entitled "Automated Systems of Self-Regulatory Organizations," issued in 1989 and 1991, is a voluntary technology review program ("ARP I" and "ARP II," respectively). ARP I stated that SROs should establish comprehensive planning and assessment programs to test systems capacity and vulnerability, including annual reviews by an independent reviewer. In ARP II, the SEC further articulated its views on how SROs should conduct independent reviews. ARP II also addressed how SROs should notify the SEC of material systems changes and significant systems problems, and suggested the development of standards for meeting the ARP policy statements. The ARP Inspection Program was developed by the SEC to implement the ARP policy statements. All active registered clearing agencies, national securities exchanges, FINRA, one exempt clearing agency and one ATS participate in the program. See Securities Exchange Act Release Nos. 27445 (Nov. 16, 1989), 54 Fed. Reg. 48703 (Nov. 24, 1989) ("ARP I") and 29185 (May 1, 1991), 56 Fed. Reg. 22490 (May 15, 1991) ("ARP II").

4 Rule 301(b)(6) of Regulation ATS requires certain significant volume ATSs to establish reasonable current and future capacity estimates; conduct periodic capacity stress tests of critical systems to determine their ability to accurately, timely and efficiently process transactions; develop and implement reasonable procedures to review and keep current system development and testing methodology; review system and data center vulnerability to threats; establish adequate contingency and disaster recovery plans; perform annual independent reviews of systems to ensure compliance with the above-listed requirements and perform review by senior management of reports containing the recommendations and conclusions of the independent review; and promptly notify the SEC of materials systems outages and significant systems changes. Currently, no ATSs meet the significant-volume thresholds specified in Rule 301(b)(6).

5 Proposing Release at 18091.

6 This currently would include BATS, BATS-Y, BOX, CBOE, C2, CHX, EDGA, EDGX, ISE, MIAX, Nasdaq OMX BX, Nasdaq OMX Phlx, Nasdaq, NSX, NYSE, NYSE MKT and NYSE Arca. Note that this definition would also cover facilities of a national securities exchange, as defined in Section 3(a)(2) of the Exchange Act.

7 Currently, the only registered securities association is FINRA.

8 There are seven registered clearing agencies with active operations: DTC, FICC, NSCC, OCC, ICE Clear Credit, ICE Clear Europe and CME.

9 These entities are security futures exchanges and the National Futures Association, for which the CFTC serves as their primary regulator.

10 The five percent standard for non-NMS stocks, municipal securities and corporate debt securities is the same percentage threshold that triggers the fair access provisions of Rule 301(b)(5) of Regulation ATS.

11 The proposed definition would also cover any entity selected and acting as the exclusive processor for any future NMS plan, including the plan contemplated by the rules to create a consolidated audit trail.

12 See Securities Exchange Act Release Nos. 63347 (Nov. 19, 2010), 75 Fed. Reg. 77306 (Dec. 10, 2010) and 63825 (Feb. 2, 2011), 76 Fed. Reg. 10948 (Feb. 28, 2011).

13 These elements are based on, but not identical to, those listed in the 2001 letter sent by the staff of the SEC's Division of Market Regulation to the SROs and other participants in the ARP Inspection Program regarding Guidance for Systems Outage and System Change Notifications ("2001 Staff ARP Interpretive Letter").

14 Although listed in the 2001 Staff ARP Interpretive Letter, the Commission is not proposing to include the following in the definition of systems disruption: (1) "a report or referral of an event to the entity's board of directors or senior management"; (2) "an outage situation communicated to other external entities"; or (3) "a serious threat to systems operations even though systems operations are not disrupted."

15 Proposed Rule 1000(b)(1)(i)(A).

16 Proposed Rule 1000(b)(1)(i)(B).

17 Proposed Rule 1000(b)(1)(i)(C).

18 Proposed Rule 1000(b)(1)(i)(D).

19 Proposed Rule 1000(b)(1)(i)(E). The Commission preliminarily believes that backup sites should not rely on the same infrastructure components (e.g., transportation, telecommunications, water supply, and electric power) used by the primary site.

20 Proposed Rule 1000(b)(1)(i)(F).

21 Standards issues by the Commission itself would meet the proposed criteria.

22 The publications listed in Table A set forth industry standards that the SEC understands are currently used by information technology and audit professionals in the financial and government sectors. These standards have been issued primarily by NIST, an agency within the US Department of Commerce, and FFIEC, a US intergovernmental body that prescribes uniform principles and practices for the examination of certain financial institutions by US regulators, although some of the standards are issued by financial regulatory agencies, the Institute of Internal Auditors and the Security Benchmarks division of the Center for Internet Security.

23 The SEC believes that diligent discharge of this obligation would establish the organizational framework for an SCI entity to meet its other obligations under Reg SCI. For example, compliance with proposed Rule 1000(b)(2)(i) should help to ensure that SCI SROs comply with Section 19(b)(1) of the Exchange Act, which requires each SRO to file with the Commission copies of any proposed rule or any proposed change in, addition to, or deletion from the rules of the SRO.

24 Proposed Rule 1000(b)(2)(ii)(A).

25 Proposed Rule 1000(b)(2)(ii)(B).

26 Proposed Rule 1000(b)(2)(ii)(C). The language of proposed Rules 1000(b)(2)(ii)(B) and (C) is drawn in significant part from language in Section 15(b)(4)(E) of the Exchange Act, which generally provides a safe harbor from liability for failure to supervise, with a view to preventing violations of the securities laws, another person who is subject to his or her supervision and who commits such a violation.

27 Currently, there is no Commission rule specifically requiring SCI entities to notify the Commission of systems problems in writing or in a specific format.

28 The Commission expects that it would establish a telephone hotline, designated email accounts or similar arrangements to enable receipt of notifications of immediate notification SCI events.

29 The requirements relating to dissemination of information relating to dissemination SCI events to members or participants proposed to be included in Reg SCI relate solely to Reg SCI. Nothing in proposed Reg SCI should be construed as superseding, altering, or affecting the reporting obligations of SCI entities under other federal securities laws or regulations.

30 The Commission notes further that, in such cases, an SCI entity might separately be obligated to notify the Commission or its members or participants pursuant to proposed Rules 1000(b)(4) and (5), as discussed above.

31 This proposed requirement would formalize a practice in place under the current ARP Program in which senior information technology, audit, and compliance staff of certain SROs prepare such reports in advance of meeting with Commission staff periodically throughout the year to present and discuss recently completed systems projects and proposed systems projects.

32 Proposed Rule 1000(e) is substantively the same as the requirements applicable to broker-dealers under Rule 17a-4(i) under the Exchange Act.

33 To the extent that the Commission receives confidential information pursuant to these reports and submissions, such information would be kept confidential, subject to the provisions of applicable law.

The content of this article is intended to provide a general guide to the subject matter. Specialist advice should be sought about your specific circumstances.