SEC Adopts Rule Creating New Regulatory Framework to Strengthen Technological Infrastructure of U.S. Securities Markets

November 25, 2014

Twenty months after proposing regulations to minimize incidents of disruptive trading and potentially catastrophic trading malfunctions, the SEC, on November 19, 2014, adopted Regulation Systems Compliance and Integrity ("Regulation SCI") to enhance confidence in U.S. securities markets.  As Commission Chair Mary Jo White explained in expressing her support for adoption of the regulation, "the critical infrastructure of the American securities markets must be built on the best, most robust technology feasible.  Failures must be minimized and, when they occur, they must be remediated as quickly as possible and promptly reported to the Commission.  Investors should expect no less of the world’s premier securities market — indeed, investor confidence depends on it."[1]

The 742-page adopting release secured the unanimous support of the Commissioners, who noted that many changes and improvements had been made to the proposal before adoption.  Although Regulation SCI applies to a narrow group of entities, Chair White has directed staff to recommend whether an SCI-like framework should apply to other market participants, including broker-dealers, other alternative trading systems, and transfer agents.  Regulation SCI imposes a new mandatory regulatory framework that requires certain entities to (1) adopt written policies and procedures to ensure operational capabilities of technological systems, (2) take prompt remedial action and notify the Commission and those affected if a system incident does occur, (3) conduct an objective annual review of their compliance with Regulation SCI and submit a report to management, and (4) submit the annual report and management’s response to the company’s board and the SEC, which has indicated that it will closely review these documents.[2]  Regulation SCI is broader and has more teeth than the SEC’s voluntary Automation Review Policy ("ARP"), pursuant to which the SEC conducts inspections and issues recommendations for improvements to self-regulatory organizations.[3]  Regulation SCI supersedes and replaces ARP with respect to the entities subject to Regulation SCI.[4]  The new rules become effective 60 days after publication in the Federal Register and entities subject to Regulation SCI generally must comply with the new rules within nine months after the effective date.[5]

Regulation SCI Applies to a Narrow Group of Entities

Regulation SCI’s new mandatory regulatory framework applies to approximately forty-four entities, including FINRA, MSRB, eighteen securities exchanges, fourteen alternative trading systems that meet certain trading volume thresholds, eight clearing agencies, and two securities information processors.[6]  Significantly, "the final rules do not apply to market participants, like broker-dealers, that operate proprietary trading platforms."[7]  Because the new rules do not cover broker-dealers, "virtually all retail investor orders . . . will not be executed on the venues that will be subject to Regulation SCI."[8]  Regulation SCI also does not apply to platforms that trade only fixed income securities because "fixed income markets rely much less on automation and electronic trading, and exhibit considerably less liquidity."[9]

Chair White stated that she had "directed the staff to prepare recommendations for the Commission’s consideration as to whether an SCI-like framework should be developed for other key market participants," which could include over 4,400 broker-dealers, 32 alternative trading venues trading equities, 43 alternative trading venues trading fixed income and other non-equity securities, broker-dealer trading centers, and other alternative trading venues.[10]  It will therefore be important for counsel and compliance professionals at broker-dealers and other market participants not covered by the new rules to closely monitor developments at the SEC relating to any proposed extensions of the Regulation SCI framework to their firms.  Regardless of whether the Regulation SCI framework is formally extended to their firms, counsel and compliance professionals should also monitor how Regulation SCI is interpreted and enforced because of the risk that Regulation SCI could become a de facto standard of care, potentially leading to the imposition of liability.

Written Policies, Notification Requirements, Annual Reports, and SEC Oversight

Regulation SCI has four major categories of requirements:  (1) written policies and procedures; (2) remedial action and notification to the SEC and those affected when systems problems occur; (3) annual review and report relating to compliance with Regulation SCI; and (4) board and SEC oversight through their review of the annual report and management’s response to the annual report.

First, SCI entities must "establish written policies and procedures reasonably designed to ensure that their [technology] systems have levels of capacity, integrity, resiliency, availability, and security adequate to maintain their operational capability and promote the maintenance of fair and orderly markets."[11]  Regulation SCI sets forth certain minimum standards for these policies and procedures.[12]  These minimum standards include, among other things, policies and procedures relating to capacity planning, capacity stress tests, systems testing to identify vulnerabilities, business continuity and disaster recovery plans (which include recovery timeframe and geographical diversity requirements), and monitoring of systems to identify potential systems errors.[13]While many covered entities will have written policies in place, the SEC issued detailed guidance, in conjunction with adopting Regulation SCI, regarding current industry and government standards to assist the development of compliant policies and procedures.[14]  Chair White noted that these standards "potentially could lay the foundation for the development of a uniform set of SCI standards" in the future.[15]  Moreover, broader efforts to develop risk management and technology-related frameworks (including the cybersecurity NIST[16] and ISO frameworks) could also contribute to the establishment of a uniform standard of care that would be applicable to market participants not currently subject to Regulation SCI.

Second, Regulation SCI recognizes that, although adequate policies and procedures will mitigate the risk of technological issues, computers and software are going to fail, cyber-attacks are going to occur, and human error cannot be prevented.  Therefore, "the occurrence of an SCI event does not necessarily mean that an SCI entity has violated Regulation SCI."[17]When "SCI events," which are defined to include systems disruptions, systems intrusions, or systems compliance issues, do occur, Regulation SCI requires covered entities to take corrective actions, notify the SEC, and disseminate information about the issues to those affected.[18]  A systems disruption is a systems event "that disrupts, or significantly degrades, the normal operation of an SCI system."[19]  A systems intrusion constitutes "any unauthorized entry into the SCI systems or indirect SCI systems of an SCI entity."[20]  Finally, a systems compliance issue is defined as an event that has caused the SCI system "to operate in a manner that does not comply with the [Exchange] Act and the rules and regulations thereunder or the entity’s rules or governing documents."[21]

The notification requirement is triggered when a senior manager of the SCI entity or her designee, responsible for the particular system at issue, has a reasonable basis to conclude that an SCI event occurred.[22]  Although there is no formal "materiality" threshold for reporting the SCI event, the Commission required only quarterly reporting, rather than immediate SEC notification, for systems disruptions or intrusions that had, or that the entity reasonably estimates would have, no or only a de minimis impact on the entity’s operations or on market participants.[23]  De minimis systems compliance issues would only be subject to record-keeping requirements.[24]

Third, Regulation SCI creates a new annual review and management oversight requirement.  SCI entities are required to conduct an annual review, performed by "objective, qualified personnel," of compliance with Regulation SCI.[25]  Chair White stated that "[t]he requirement of objectivity means that a covered entity must have in place mechanisms to identify and mitigate all conflicts of interest that a reviewer may have, whether that reviewer is internal or external."[26]  A report of the annual review must be submitted to the covered entity’s "Senior Management"–the CEO, CTO, CIO, General Counsel, and CCO, or their functional equivalents–for their review and response.[27]

Fourth, the annual report, together with any response from Senior Management, must be submitted to the company’s board of directors and filed with the SEC.[28]  The SEC stated that it would keep these reports and responses "confidential to the extent permitted by law," including the  Freedom of Information Act, and noted that "the Commission does not generally publish or make available information contained in any reports . . . arising out of, in anticipation of, or in connection with an examination or inspection of the books and records of any person or any other investigation."[29]  Although Regulation SCI does not require Senior Management to certify the annual reports,[30] the reports and management responses "are required to be filed using Form SCI under the Exchange Act and Regulation SCI, [such that] it is unlawful for any person to willfully or knowingly make, or cause to be made, a false or misleading statement with respect to any material fact in such reports or responses."[31]  Moreover, the Commission emphasized the importance of Senior Management’s role in ensuring that an adequate technological infrastructure is developed.  Indeed, Chair White cautioned that "[w]e will look closely at the annual reviews and senior management responses, and I am confident that our focus will result in these reports and responses being accorded the appropriate level of attention by the entities submitting them."[32]  In addition, SCI entities must submit quarterly reports to the SEC regarding any "completed, ongoing, and planned material changes to their SCI systems."[33]

While SCI entities may be subject to SEC fines or other sanctions for violating Regulation SCI, individuals may only be found liable for aiding, abetting, or causing an SCI entity’s violation of Regulation SCI, but not for any direct violations, "because Regulation SCI does not impose any direct obligations on personnel of SCI entities."[34]Although the original proposed rule would have included a safe harbor both for covered entities and individuals employed by these covered entities, the final rule only included a safe harbor for individuals.  Specifically, an individual employed by an SCI entity will not be liable for aiding, abetting, or causing an entity’s violation of Regulation SCI if the individual (1) reasonably discharged his duties and obligations pursuant to the entity’s policies and procedures and (2) did not have reasonable cause to believe that the policies and procedures relating to the systems that he supervised or for which he was responsible violated Regulation SCI in any material respect.[35]  Importantly, the individual has the burden of proving the applicability of the safe harbor.[36]

Regulation SCI builds upon previous steps that the SEC has taken in recent years, including working with "equity exchanges to put in place new ‘kill switches’ that market participants can use to better control their risks."[37]  In particular, after a September 2013 meeting that Chair White held with exchanges and other key parties following the August 22, 2013 NASDAQ trading interruption, the parties agreed to take various steps to improve technological infrastructure and reduce the risks and consequences of technological failures.[38]  These steps included developing comprehensive action plans for and providing assessments of critical infrastructure systems; issuing new rules as necessary relating to regulatory halts, trade breaks, and reopen of trading following trading halts; and implementing kill switches "that would allow exchanges to shut down trading in the event of technological failures."[39]  In the wake of this meeting, for example, NASDAQ, in March 2014, began offering an optional, free-of-charge kill switch tool that would allow participants to establish a risk exposure limit and would prevent orders from being executed that exceeded this limit.[40]  Although the SEC has encouraged the adoption of these kill switch risk mitigation mechanisms, Regulation SCI did not require their use or include specific rules for how they should function.

Conclusion

The adoption of Regulation SCI, and the focus that Chair White has promised to confirm that covered entities are complying with it, represent the most significant steps that the SEC has taken in more than two decades to ensure the proper functioning of the technological backbone of U.S. securities markets.  Given the SEC’s stated intent to examine whether to extend an SCI-like regulatory framework to other market participants, as well as the expected continued high pace of technological change in the securities industry, Regulation SCI will likely mark only the beginning of regulations designed to minimize trading disruptions and address the immediate and collateral consequences of weaknesses in the technological infrastructure underpinning U.S. securities markets.

^[1] Statement at Open Meeting on Regulation SCI of Chair Mary Jo White, available at http://www.sec.gov/News/PublicStmt/Detail/PublicStmt/1370543489640 (Nov. 19, 2014) ("White Statement").

^[2] See Release No. 34-73639, available at http://www.sec.gov/rules/final/2014/34-73639.pdf.

^[3] See id. at 9-11.

^[4] See id. at 2.

^[5] See id. at 444.

^[6] See Statement at Open Meeting on Regulation SCI of Commissioner Kara M. Stein, available at http://www.sec.gov/News/PublicStmt/Detail/PublicStmt/1370543493597 (Nov. 19, 2014) ("Stein Statement").

^[7] See Statement at Open Meeting on Regulation SCI of Commissioner Luis A. Aguilar, available at http://www.sec.gov/News/PublicStmt/Detail/PublicStmt/1370543491121 (Nov. 19, 2014) ("Aguilar Statement").

^[8] Id.

^[9] White Statement.

^[10] Id.; Stein Statement.  Of note, two of the Commissioners would have supported expanding Regulation SCI to cover other entities, including broker-dealers that operate proprietary trading platforms and algorithms.  See Stein Statement; Aguilar Statement.

^[11] See Release No. 34-73639, at 2.

^[12] See id. at 154-55.

^[13] See id. at 154-80.

^[14] See Staff Guidance on Current SCI Industry Standards, available at http://www.sec.gov/rules/final/2014/staff-guidance-current-sci-industry-standards.pdf (Nov. 19, 2014).

^[15] White Statement.

^[16] See Alexander Southwell and Stephenie Gosnell Handler, NIST DEBUTS CYBERSECURITY FRAMEWORK, Law Technology News, February 20, 2014, available at http://www.gibsondunn.com/wp-content/uploads/documents/publications/SouthwellHandlerNIST.pdf.

^[17] See Release No. 34-73639, at 281.

^[18] See id. at 2-3, 115.

^[19] Id. at 125.

^[20] Id. at 140.

^[21] Id. at 137.

^[22] See id. at 237-245.

^[23] See id. at 261.

^[24] See id. at 263.

^[25] Id. at 20.

^[26] White Statement.

^[27] See Release No. 34-73639, at 348, 363.

^[28] See id. at 362.

^[29] Id. at 734; see also id. at 408-409, 555.

^[30] See id. at 362-63.

^[31] Id. at 363.

^[32] White Statement.

^[33] Release No. 34-73639, at 3.

^[34] Id. at 233.

^[35] Id. at 233-234.

^[36] See id.

^[37]White Statement.

^[38] See SEC Chair White Statement on Meeting with Leaders of Exchanges, available at http://www.sec.gov/News/PressRelease/Detail/PressRelease/1370539804861 (Sept. 12, 2013).

^[39] Id.

^[40] See NASDAQ Stock Market Equity Rule 6130, available at http://nasdaq.cchwallstreet.com/NASDAQ/.