[Federal Register Volume 83, Number 139 (Thursday, July 19, 2018)]
[Notices]
[Pages 34179-34182]
From the Federal Register Online via the Government Publishing Office [www.gpo.gov]
[FR Doc No: 2018-15381]
-----------------------------------------------------------------------
SECURITIES AND EXCHANGE COMMISSION
Proposed Collection; Comment Request
Upon Written Request, Copies Available From: Securities and Exchange
Commission, Office of FOIA Services, 100 F Street NE, Washington, DC
20549-2736.
Extension:
Regulation SCI, Form SCI; SEC File No. 270-653, OMB Control No.
3235-0703.
Notice is hereby given that pursuant to the Paperwork Reduction Act
of 1995 (``PRA'') (44 U.S.C. 3501 et seq.), the Securities and Exchange
Commission
[[Page 34180]]
(``Commission'') is soliciting comments on the collection of
information provided for in Regulation Systems Compliance and Integrity
(``Regulation SCI'') (17 CFR 242.1000-1007) and Form SCI (17 CFR
249.1900) under the Securities Exchange Act of 1934 (``Exchange Act'')
(15 U.S.C. 78a et seq.). The Commission plans to submit this existing
collection of information to the Office of Management and Budget
(``OMB'') for extension and approval.
Regulation SCI requires certain key market participants to, among
other things: (1) Have comprehensive policies and procedures in place
to help ensure the robustness and resiliency of their technological
systems, and also that their technological systems operate in
compliance with the federal securities laws and with their own rules;
and (2) provide certain notices and reports to the Commission to
improve Commission oversight of securities market infrastructure.
Regulation SCI advances the goals of the national market system by
enhancing the capacity, integrity, resiliency, availability, and
security of the automated systems of entities important to the
functioning of the U.S. securities markets, as well as reinforcing the
requirement that such systems operate in compliance with the Exchange
Act and rules and regulations thereunder, thus strengthening the
infrastructure of the U.S. securities markets and improving its
resilience when technological issues arise. In this respect, Regulation
SCI establishes an updated and formalized regulatory framework, thereby
helping to ensure more effective Commission oversight of such systems.
Respondents consist of national securities exchanges and
associations, registered clearing agencies, exempt clearing agencies,
plan processors, and alternative trading systems. There are currently
42 respondents, and the Commission staff estimates that, on average, 2
new respondents may become SCI entities each year, 1 of which would be
a self-regulatory organization. Accordingly, Commission staff estimates
that over the next three years there will be an average of 44
respondents per year.
Rule 1001(a) requires each SCI entity to establish, maintain, and
enforce written policies and procedures reasonably designed to ensure
that its SCI systems and, for purposes of security standards, indirect
SCI systems, have levels of capacity, integrity, resiliency,
availability, and security, adequate to maintain the SCI entity's
operational capability and promote the maintenance of fair and orderly
markets. The Commission staff estimates that the total annual initial
recordkeeping burden for 2 new respondents will be 1,388 hours (694
hours per respondent x 2 respondents), and the annual ongoing
recordkeeping burden for all respondents will be, on average, 10,208
hours (232 hours per respondent x 44 respondents). The Commission staff
estimates that the 2 new respondents would incur, on average, an annual
initial internal cost of compliance of $465,656 ($232,828 per
respondent x 2 respondents), as well as outside legal or consulting
costs of $94,000 ($47,000 per respondent x 2 respondents). In addition,
all respondents will incur, on average, an estimated ongoing annual
internal cost of compliance of $3,426,632 ($77,878 per respondent x 44
respondents).
Rule 1001(b) requires each SCI entity to establish, maintain, and
enforce written policies and procedures reasonably designed to ensure
that its SCI systems operate in a manner that complies with the
Exchange Act and the rules and regulations thereunder and the entity's
rules and governing documents, as applicable. The Commission staff
estimates that the total annual initial recordkeeping burden for 2 new
respondents will be 540 hours (270 hours per respondent x 2
respondents), and the annual ongoing recordkeeping burden for all
respondents will be, on average, 6,820 hours (175 hours per SRO
respondent x 33 respondents + 95 hours per non-SRO respondent x 11 non-
SRO respondents). The Commission staff estimates that the 2 new
respondents would incur an initial internal cost of compliance of
$203,160 ($101,580 per respondent x 2 respondents), as well as outside
legal or consulting costs of $54,000 ($27,000 per respondent x 2
respondents). In addition, all respondents will incur, on average, an
estimated ongoing annual internal cost of compliance of $2,155,780
($86,230 per respondent x 44 respondents).
Rule 1001(c) requires each SCI entity to establish, maintain, and
enforce reasonably designed written policies and procedures that
include the criteria for identifying responsible SCI personnel, the
designation and documentation of responsible SCI personnel, and
escalation procedures to quickly inform responsible SCI personnel of
potential SCI events. The Commission staff estimates that the total
annual initial recordkeeping burden for 2 new respondents will be 228
hours (114 hours per respondent x 2 respondents), and the annual
ongoing recordkeeping burden for all respondents will be, on average,
1,716 hours (39 hours per respondent x 44 respondents). The Commission
staff estimates that the 2 new respondents would incur an initial
internal cost of compliance of $85,056 ($42,528 per respondent x 2
respondents), and all respondents will incur, on average, an estimated
ongoing annual internal cost of compliance of $684,112 ($15,548 per
respondent x 44 respondents).
Rule 1004 requires each SCI entity to establish standards for the
designation of certain members or participants for BC/DR plan testing,
to designate members or participants in accordance with these
standards, to require participation by designated members or
participants in such testing at least annually, and to coordinate such
testing on an industry- or sector-wide basis with other SCI entities.
The Commission staff estimates that the total annual initial
recordkeeping burden for 2 new respondents will be 720 hours (360 hours
per respondent x 2 respondents), and the annual ongoing recordkeeping
burden for all respondents that are not plan processors will be, on
average, 5,670 hours (135 hours per respondent x 42 respondents). The
Commission staff estimates that the 2 new respondents would incur an
initial internal cost of compliance of $214,596 ($107,298 per
respondent x 2 respondents). In addition, all respondents that are not
plan processors will incur, on average, an estimated ongoing annual
internal cost of compliance of $1,508,850 ($35,925 per respondent x 42
respondents). In addition, the Commission staff estimates that the 2
plan processor respondents will incur an estimated ongoing annual cost
of $108,000 for outside legal services ($54,000 per plan processor
respondent x 2 respondents).
Rule 1002(b)(1) requires each SCI entity, upon any responsible SCI
personnel having a reasonable basis to conclude that an SCI event has
occurred, to notify the Commission immediately. The Commission staff
estimates that the total annual ongoing burden for all respondents will
be, on average, 352 hours (8 hours per respondent x 44 respondents).
The Commission staff estimates that respondents will incur, on average,
an estimated ongoing annual internal cost of compliance of $108,394
($2,463.25 per respondent x 44 respondents).
Rule 1002(b)(2) requires each SCI entity, within 24 hours of any
responsible SCI personnel having a reasonable basis to conclude that
the SCI event has occurred, to submit a written notification to the
Commission pertaining to the SCI event on a good faith, best efforts
basis. These
[[Page 34181]]
notifications are required to be submitted on Form SCI. The Commission
staff estimates that the total annual ongoing burden for all
respondents will be, on average, 5,280 hours (120 hours per respondent
x 44 respondents). The Commission staff estimates that respondents will
incur, on average, an estimated ongoing annual internal cost of
compliance of $1,739,540 ($39,535 per respondent x 44 respondents).
Rule 1002(b)(3) requires each SCI entity to provide updates to the
Commission pertaining to an SCI event on a regular basis, or at such
frequency as reasonably requested by a representative of the
Commission, until the SCI event is resolved and the SCI entity's
investigation of the SCI event is closed. The Commission staff
estimates that the total annual ongoing burden for all respondents will
be, on average, 462 hours (10.5 hours per respondent x 44 respondents).
The Commission staff estimates that all respondents will incur, on
average, an estimated ongoing annual internal cost of compliance of
$144,309 ($3,279.75 per respondent x 44 respondents).
Rule 1002(b)(4) requires each SCI entity to submit written interim
reports, as necessary, and a written final report regarding an SCI
event to the Commission. These reports are required to be submitted on
Form SCI. The Commission staff estimates that the total annual ongoing
burden for all respondents will be, on average, 7,700 hours (175 hours
per respondent x 44 respondents). The Commission staff estimates that
all respondents will incur, on average, an estimated ongoing annual
internal cost of compliance of $2,686,860 ($61,065 per respondent x 44
respondents).
Rule 1002(b)(5) requires each SCI entity to submit to the
Commission quarterly reports containing a summary description of any
systems disruption or systems intrusion that has had, or the SCI entity
reasonably estimates would have, no or a de minimis impact on the SCI
entity's operations or on market participants. These reports are
required to be submitted on Form SCI. The Commission staff estimates
that the total annual ongoing burden for all respondents will be, on
average, 7,040 hours (160 hours per respondent x 44 respondents). The
Commission staff estimates that respondents will incur, on average, an
estimated ongoing annual internal cost of compliance of $2,378,728
($54,062 per respondent x 44 respondents).
In addition, the Commission staff estimates that respondents will
incur, on average, annual costs of $255,200 ($5,800 x 44 respondents)
for outside legal advice in preparation of certain notifications
required by Rule 1002(b).
Rule 1002(c)(1)(i) requires each SCI entity, promptly after any
responsible SCI personnel has a reasonable basis to conclude that an
SCI event (other than a systems intrusion) has occurred, to disseminate
certain information to its members or participants. The Commission
staff estimates that the total annual ongoing burden for all
respondents will be, on average, 924 hours (21 hours per respondent x
44 respondents). The Commission staff estimates that all respondents
will incur, on average, an estimated ongoing annual internal cost of
compliance of $604,230 ($13,732.50 per respondent x 44 respondents).
Rule 1002(c)(1)(ii) requires each SCI entity, when known, to
promptly disseminate additional information about an SCI event (other
than a systems intrusion) to its members or participants. Rule
1002(c)(1)(iii) requires each SCI entity to provide to its members or
participants regular updates of any information required to be
disseminated under Rules 1002(c)(1)(i) and (ii) until the SCI event is
resolved. The Commission staff estimates that the total annual ongoing
burden for all respondents will be, on average, 5,148 hours (117 hours
per respondent x 44 respondents). The Commission staff estimates that
all respondents will incur, on average, an estimated ongoing annual
internal cost of compliance of $2,033,856 ($46,224 per respondent x 44
respondents).
Rule 1002(c)(2) requires each SCI entity to disseminate certain
information regarding a systems intrusion to its members or
participants, and provides an exception when the SCI entity determines
that dissemination of such information would likely compromise the
security of its SCI systems or indirect SCI systems, or an
investigation of the systems intrusion, and documents the reasons for
such determination. The Commission staff estimates that the total
annual ongoing burden for all respondents will be, on average, 440
hours (10 hours per respondent x 44 respondents). The Commission staff
estimates that all respondents will incur, on average, an estimated
ongoing annual internal cost of compliance of $173,415 ($3,941.25 per
respondent x 44 respondents).
In addition, the Commission staff estimates that all respondents
will incur, on average, annual costs of $146,080 ($3,320 x 44
respondents) for outside legal advice in preparation of certain
notifications required by Rule 1002(c).
Rule 1003(a)(1) requires each SCI entity to submit to the
Commission quarterly reports describing completed, ongoing, and planned
material changes to its SCI systems and security of indirect SCI
systems during the prior, current, and subsequent calendar quarters.
These reports are required to be submitted on Form SCI. The Commission
staff estimates that the total annual ongoing burden for all
respondents will be, on average, 22,000 hours (500 hours per respondent
x 44 respondents). The Commission staff estimates that all respondents
will incur, on average, an estimated ongoing annual internal cost of
compliance of $6,570,520 ($149,330 per respondent x 44 respondents).
Rule 1003(a)(2) requires each SCI entity to promptly submit a
supplemental report notifying the Commission of a material error in or
material omission from a report previously submitted under Rule
1003(a)(1). These reports are required to be submitted on Form SCI. The
Commission staff estimates that the total annual ongoing burden for all
respondents will be, on average, 660 hours (15 hours per respondent x
44 respondents). The Commission staff estimates that all respondents
will incur, on average, an estimated ongoing annual internal cost of
compliance of $209,176 ($4,754 per respondent x 44 respondents).
Rule 1003(b)(1) requires each SCI entity to conduct an SCI review
of its compliance with Regulation SCI not less than once each calendar
year, with an exception for penetration test reviews, which are
required to be conducted not less than once every three years. Rule
1003(b)(1) also provides an exception for assessments of SCI systems
directly supporting market regulation or market surveillance, which are
required to be conducted at a frequency based on the risk assessment
conducted as part of the SCI review, but in no case less than once
every three years. Rule 1003(b)(2) requires each SCI entity to submit a
report of the SCI review to senior management no more than 30 calendar
days after completion of the review. The Commission staff estimates
that the total annual ongoing burden for all respondents will be, on
average, 30,360 hours (690 hours per respondent x 44 respondents). The
Commission staff estimates that all respondents will incur, on average,
an estimated ongoing annual internal cost of compliance of $9,724,660
($221,015 per respondent x 44 respondents).
Rule 1003(b)(3) requires each SCI entity to submit the report of
the SCI review to the Commission and to its
[[Page 34182]]
board of directors or the equivalent of such board, together with any
response by senior management, within 60 calendar days after its
submission to senior management. These reports are required to be
submitted on Form SCI. The Commission staff estimates that the total
annual ongoing burden for all respondents will be, on average, 44 hours
(1 hour per respondent x 44 respondents). The Commission staff
estimates that all respondents will incur, on average, an estimated
ongoing annual internal cost of compliance of $18,128 ($412 per
respondent x 44 respondents).
In addition, the Commission staff estimates that all respondents
will incur, on average, annual costs of $2,200,000 ($50,000 x 44
respondents) for outside legal advice in preparation of certain
notifications required by Rule 1003(b).
Rule 1006 requires each SCI entity, with a few exceptions, to file
any notification, review, description, analysis, or report to the
Commission required under Regulation SCI electronically on Form SCI
through the EFFS. An SCI entity will submit to the Commission an EAUF
to register each individual at the SCI entity who will access the EFFS
system on behalf of the SCI entity. The Commission staff estimates that
the total annual initial burden for 2 new respondents will be 0.6 hours
(0.3 hours per respondent x 2 respondents), and the annual ongoing
burden for all respondents will be, on average, 6.6 hours (0.15 hours
per respondent x 44 respondents). The Commission staff estimates that
the 2 new respondents would incur an initial internal cost of
compliance of $248 ($124 per respondent x 2 respondents), as well as
outside costs to obtain a digital ID of $100 ($50 per respondent x 2
respondents). In addition, all respondents will incur, on average, an
estimated ongoing annual internal cost of compliance of $2,728 ($62 per
respondent x 44 respondents), as well as outside costs to obtain a
digital ID of $2,200 ($50 per respondent x 44 respondents).
Rule 1002(a) requires each SCI entity, upon any responsible SCI
personnel having a reasonable basis to conclude that an SCI event has
occurred, to begin to take appropriate corrective action. The
Commission staff estimates that the total annual initial recordkeeping
burden for 2 new respondents will be 228 hours (114 hours per
respondent x 2 respondents), and the annual ongoing recordkeeping
burden for all respondents will be, on average, 1,716 hours (39 hours
per respondent x 44 respondents). The Commission staff estimates that
the 2 new respondents would incur an initial internal cost of
compliance of $85,056 ($42,528 per respondent x 2 respondents). In
addition, all respondents will incur, on average, an estimated ongoing
annual internal cost of compliance of $677,468 ($15,397 per respondent
x 44 respondents).
Rule 1003(a)(1) requires each SCI entity to establish reasonable
written criteria for identifying a change to its SCI systems and the
security of indirect SCI systems as material. The Commission staff
estimates that the total annual initial recordkeeping burden for 2 new
respondents will be 228 hours (114 hours per respondent x 2
respondents), and the annual ongoing recordkeeping burden for all
respondents will be, on average, 1,188 hours (27 hours per respondent x
44 respondents). The Commission staff estimates that the 2 new
respondents would incur an initial internal cost of compliance of
$85,056 ($42,528 per respondent x 2 respondents). In addition, all
respondents will incur, on average, an estimated ongoing annual
internal cost of compliance of $507,584 ($11,536 per respondent x 44
respondents).
Regulation SCI also requires SCI entities to identify certain types
of events and systems. The Commission staff estimates that the total
annual initial recordkeeping burden for 2 new respondents will be 396
hours (198 hours per respondent x 2 respondents), and the annual
ongoing recordkeeping burden for all respondents will be, on average,
1,716 hours (39 hours per respondent x 44 respondents). The Commission
staff estimates that the 2 new respondents would incur an initial
internal cost of compliance of $139,412 ($69,706 per respondent x 2
respondents). In addition, all respondents will incur, on average, an
estimated ongoing annual internal cost of compliance of $677,468
($15,397 per respondent x 44 respondents).
Rules 1005 and 1007 establish recordkeeping requirements for SCI
entities other than SROs. The Commission staff estimates that for a new
respondent that is not an SRO the average annual initial burden would
be 170 hours (170 hours x 1 respondent), and the annual ongoing burden
for all respondents will be, on average, 275 hours (25 hours x 11
respondents). The Commission staff estimates that a new respondent
would incur an estimated internal initial internal cost of compliance
of $11,370, as well as a one-time cost of $900 to modify existing
recordkeeping systems. In addition, all respondents will incur, on
average, an estimated ongoing internal cost of compliance of $18,975
($1,725 x 11 respondents).
Written comments are invited on: (a) Whether the proposed
collection of information is necessary for the proper performance of
the functions of the Commission, including whether the information
shall have practical utility; (b) the accuracy of the Commission's
estimates of the burden of the proposed collection of information; (c)
ways to enhance the quality, utility, and clarity of the information to
be collected; and (d) ways to minimize the burden of the collection of
information on respondents, including through the use of automated
collection techniques or other forms of information technology.
Consideration will be given to comments and suggestions submitted in
writing within 60 days of this publication.
An agency may not conduct or sponsor, and a person is not required
to respond to, a collection of information under the PRA unless it
displays a currently valid OMB control number.
Please direct your written comments to: Pamela Dyson, Director/
Chief Information Officer, Securities and Exchange Commission, c/o
Candace Kenner, 100 F Street NE, Washington, DC 20549, or send an email
to: [email protected].
Dated: July 13, 2018.
Eduardo A. Aleman,
Assistant Secretary.
[FR Doc. 2018-15381 Filed 7-18-18; 8:45 am]
BILLING CODE 8011-01-P