In view of the increasing interconnectedness of financial systems and the risk to financial stability if financial infrastructures are disrupted, the U.S. Securities and Exchange Commission (SEC) has published another press release announcing an upcoming consultation on planned revisions to Regulation SCI (Systems Compliance and Integrity; 17 CFR Part 242, §242.1000 ff.). Regulation SCI was adopted in 2014 in response to the growing dependence of the securities markets on technology and automated systems. It requires covered entities ("SCI entities") to establish, maintain, enforce and test written IT policies and procedures so that their systems have adequate capacity, integrity, resiliency, availability and security. It also requires corrective action and notification of the SEC when a "system event" as defined in the regulation (e.g. a disruption, compliance issue or intrusion) occurs, and stipulates notification requirements for material changes to covered IT systems.
The SEC is now proposing to revise Regulation SCI to
(1) expand the scope of application to include "registered security-based swap data repositories; all clearing agencies that are exempt from registration; and certain large broker-dealers, in particular, those that exceed a total assets threshold or a transaction activity threshold in national market system stocks, exchange-listed options contracts". For broker-dealers, the total assets threshold would be met at 5% or more of the reported total assets of all security brokers and dealers in at least two of the four preceding calendar quarters, and the transaction activity threshold at 10% or more of the average daily reported securities transactions in at least two of the four preceding calendar quarters.
(2) expand the current requirements so that the policies and procedures must also address:
– an "inventory, classification, and lifecycle management program for SCI systems and indirect SCI systems;
– a program to manage and oversee third party providers, including cloud service providers, that provide or support SCI or indirect SCI systems;
– business continuity and disaster recovery (BC/DR) plans that address the unavailability of any third party provider without which there would be a material impact on critical SCI systems;
– a program to prevent unauthorized access to SCI systems and information therein; and
– the identification of current SCI industry standards with which each such policy and procedure is consistent, if any".
(3) broaden the definition of "system intrusion" to include "any cybersecurity attack that disrupts, or significantly degrades, the normal operation of an SCI system". In addition, the proposed definition would cover significant attempted intrusions, i.e. attacks that are unsuccessful from the attacker's point of view, provided they meet a set of reasonable written criteria that each covered entity would have to establish; such events would then trigger the regulation's corrective-action and SEC-notification duties.
(4) require penetration testing of SCI systems at least annually, conducted by "objective" personnel, as well as risk control procedures with respect to third party service providers.
————
As these are only the key requirements of the proposed revision, please refer to the original proposing release for more detailed and comprehensive information.