[Federal Register Volume 79, Number 234 (Friday, December 5, 2014)]
[Rules and Regulations]
[Pages 72251-72447]
From the Federal Register Online via the Government Publishing Office [www.gpo.gov]
[FR Doc No: 2014-27767]



Part II

Securities and Exchange Commission

-----------------------------------------------------------------------

17 CFR Parts 240, 242, and 249

Regulation Systems Compliance and Integrity; Final Rule



-----------------------------------------------------------------------

SECURITIES AND EXCHANGE COMMISSION

17 CFR Parts 240, 242, and 249

[Release No. 34-73639; File No. S7-01-13]
RIN 3235-AL43


Regulation Systems Compliance and Integrity

AGENCY: Securities and Exchange Commission.

ACTION: Final rule and form; final rule amendment; technical amendment.

-----------------------------------------------------------------------

SUMMARY: The Securities and Exchange Commission (``Commission'') is 
adopting new Regulation Systems Compliance and Integrity (``Regulation 
SCI'') under the Securities Exchange Act of 1934 (``Exchange Act'') and 
conforming amendments to Regulation ATS under the Exchange Act. 
Regulation SCI will apply to certain self-regulatory organizations 
(including registered clearing agencies), alternative trading systems 
(``ATSs''), plan processors, and exempt clearing agencies 
(collectively, ``SCI entities''), and will require these SCI entities 
to comply with requirements with respect to the automated systems 
central to the performance of their regulated activities.

DATES: Effective date: February 3, 2015.
    Compliance date: The applicable compliance dates are discussed in 
Section IV.F of this release.

FOR FURTHER INFORMATION CONTACT: David Liu, Senior Special Counsel, 
Office of Market Supervision, at (312) 353-6265, Heidi Pilpel, Senior 
Special Counsel, Office of Market Supervision, at (202) 551-5666, Sara 
Hawkins, Special Counsel, Office of Market Supervision, at (202) 
551-5523, Yue Ding, Special Counsel, Office of Market Supervision, at (202) 
551-5842, David Garcia, Special Counsel, Office of Market Supervision, 
at (202) 551-5681, and Elizabeth C. Badawy, Senior Accountant, Office 
of Market Supervision, at (202) 551-5612, Division of Trading and 
Markets, Securities and Exchange Commission, 100 F Street NE., 
Washington, DC 20549-7010.

SUPPLEMENTARY INFORMATION: Regulation SCI will, with regard to SCI 
entities, supersede and replace the Commission's current Automation 
Review Policy (``ARP''), established by the Commission's two policy 
statements, each titled ``Automated Systems of Self-Regulatory 
Organizations,'' issued in 1989 and 1991.\1\ Regulation SCI also will 
supersede and replace aspects of those policy statements codified in 
Rule 301(b)(6) under the Exchange Act, applicable to significant-volume 
ATSs that trade NMS stocks and non-NMS stocks.\2\ Regulation SCI will 
require SCI entities to establish written policies and procedures 
reasonably designed to ensure that their systems have levels of 
capacity, integrity, resiliency, availability, and security adequate to 
maintain their operational capability and promote the maintenance of 
fair and orderly markets, and that they operate in a manner that 
complies with the Exchange Act. It will also require SCI entities to 
mandate participation by designated members or participants in 
scheduled testing of the operation of their business continuity and 
disaster recovery plans, including backup systems, and to coordinate 
such testing on an industry- or sector-wide basis with other SCI 
entities. In addition, Regulation SCI will require SCI entities to take 
corrective action with respect to SCI events (defined to include 
systems disruptions, systems compliance issues, and systems 
intrusions), and notify the Commission of such events. Regulation SCI 
will further require SCI entities to disseminate information about 
certain SCI events to affected members or participants and, for certain 
major SCI events, to all members or participants of the SCI entity. In 
addition, Regulation SCI will require SCI entities to conduct a review 
of their systems by objective, qualified personnel at least annually, 
submit quarterly reports regarding completed, ongoing, and planned 
material changes to their SCI systems to the Commission, and maintain 
certain books and records. Finally, the Commission also is adopting 
modifications to the volume thresholds in Regulation ATS \3\ for 
significant-volume ATSs that trade NMS stocks and non-NMS stocks, 
applying them to SCI ATSs (as defined below), and moving this standard 
from Regulation ATS to adopted Regulation SCI for these asset classes.
---------------------------------------------------------------------------

    \1\ See Securities Exchange Act Release Nos. 27445 (November 16, 
1989), 54 FR 48703 (November 24, 1989) (``ARP I Release'' or ``ARP 
I'') and 29185 (May 9, 1991), 56 FR 22490 (May 15, 1991) (``ARP II 
Release'' or ``ARP II'' and, together with ARP I, the ``ARP Policy 
Statements'').
    \2\ See 17 CFR 242.301(b)(6). See also Securities Exchange Act 
Release No. 40760 (December 8, 1998), 63 FR 70844 (December 22, 
1998) (``ATS Release'').
    \3\ 17 CFR 242.300-303 (``Regulation ATS'').
---------------------------------------------------------------------------

Table of Contents

I. Introduction
II. Background
    A. Automation Review Policy Inspection Program
    B. Recent Events
III. Overview
IV. Description of Adopted Regulation SCI and Form SCI
    A. Definitions Establishing the Scope of Regulation SCI--Rule 
1000
    1. SCI Entities
    a. SCI Self-Regulatory Organization or SCI SRO
    b. SCI Alternative Trading System
    c. Plan Processor
    d. Exempt Clearing Agency Subject to ARP
    2. SCI Systems, Critical SCI Systems, and Indirect SCI Systems
    a. Overview
    b. SCI Systems
    c. Critical SCI Systems
    d. Indirect SCI Systems (Proposed as ``SCI Security Systems'')
    3. SCI Events
    a. Systems Disruption
    b. Systems Compliance Issue
    c. Systems Intrusion
    B. Obligations of SCI Entities--Rules 1001-1004
    1. Policies and Procedures to Achieve Capacity, Integrity, 
Resiliency, Availability and Security--Rule 1001(a)
    2. Policies and Procedures to Achieve Systems Compliance--Rule 
1001(b)
    3. SCI Events: Corrective Action; Commission Notification; 
Dissemination of Information--Rule 1002
    a. Triggering Standard
    b. Corrective Action--Rule 1002(a)
    c. Commission Notification--Rule 1002(b)
    d. Dissemination of Information--Rule 1002(c)
    4. Notification of Systems Changes--Rule 1003(a)
    5. SCI Review--Rule 1003(b)
    6. SCI Entity Business Continuity and Disaster Recovery Plans 
Testing Requirements for Members or Participants--Rule 1004
    C. Recordkeeping, Electronic Filing on Form SCI, and Access--
Rules 1005-1007
    1. Recordkeeping--Rules 1005-1007
    2. Electronic Filing and Submission of Reports, Notifications, 
and Other Communications--Rule 1006
    3. Access to the Systems of an SCI Entity
    D. Form SCI
    E. Other Comments Received
    F. Effective Date and Compliance Dates
V. Paperwork Reduction Act
VI. Economic Analysis
VII. Regulatory Flexibility Act Certification
VIII. Statutory Authority and Text of Amendments

I. Introduction

    The U.S. securities markets attract a wide variety of issuers and 
broad investor participation, and are essential for capital formation, 
job creation, and economic growth, both domestically and across the 
globe. The U.S. securities markets have been transformed by regulatory 
and related technological developments in recent years. They have, 
among other things, substantially enhanced the speed, capacity, 
efficiency, and sophistication of the trading functions that are 
available to
market participants.\4\ At the same time, these technological advances 
have generated an increasing risk of operational problems with 
automated systems, including failures, disruptions, delays, and 
intrusions. Given the speed and interconnected nature of the U.S. 
securities markets, a seemingly minor systems problem at a single 
entity can quickly create losses and liability for market participants, 
and spread rapidly across the national market system, potentially 
creating widespread damage and harm to market participants, including 
investors.
---------------------------------------------------------------------------

    \4\ See Securities Exchange Act Release No. 61358 (January 14, 
2010), 75 FR 3594, 3598 (January 21, 2010) (Concept Release on 
Equity Market Structure).
---------------------------------------------------------------------------

    This transformation of the U.S. securities markets has occurred in 
the absence of a formal regulatory structure governing the automated 
systems of key market participants. Instead, for over two decades, 
Commission oversight of the technology of the U.S. securities markets 
has been conducted primarily pursuant to a voluntary set of principles 
articulated in the Commission's ARP Policy Statements,\5\ applied 
through the Commission's Automation Review Policy inspection program 
(``ARP Inspection Program'').\6\
---------------------------------------------------------------------------

    \5\ While participation in the ARP Inspection Program is 
voluntary, the underpinnings of ARP I and ARP II are rooted in 
Exchange Act requirements. See infra notes 7-12 and accompanying 
text.
    \6\ See infra Section II.A (discussing the ARP Inspection 
Program). See also supra note 1. The ARP Inspection Program has 
historically been administered by the Commission's Division of 
Trading and Markets. In February 2014, to consolidate the inspection 
function of the group with the Commission's Office of Compliance 
Inspections and Examinations (``OCIE''), the ARP Inspection Program 
was transitioned to OCIE and has been renamed the Technology 
Controls Program (``TCP''). However, for ease of reference to the 
historical ARP Inspection Program, relevant portions of the SCI 
Proposal, and references in comment letters, this Release will 
continue to use the terms ARP, ARP Inspection Program, and ARP 
staff, unless the context otherwise requires.
---------------------------------------------------------------------------

    Section 11A(a)(2) of the Exchange Act,\7\ enacted as part of the 
Securities Acts Amendments of 1975 (``1975 Amendments''),\8\ directs 
the Commission, having due regard for the public interest, the 
protection of investors, and the maintenance of fair and orderly 
markets, to use its authority under the Exchange Act to facilitate the 
establishment of a national market system for securities in accordance 
with the Congressional findings and objectives set forth in Section 
11A(a)(1) of the Exchange Act.\9\ Among the findings and objectives in 
Section 11A(a)(1) is that ``[n]ew data processing and communications 
techniques create the opportunity for more efficient and effective 
market operations'' \10\ and ``[i]t is in the public interest and 
appropriate for the protection of investors and the maintenance of fair 
and orderly markets to assure . . . the economically efficient 
execution of securities transactions.'' \11\ In addition, Sections 
6(b), 15A, and 17A(b)(3) of the Exchange Act impose obligations on 
national securities exchanges, national securities associations, and 
clearing agencies, respectively, to be ``so organized'' and ``[have] 
the capacity to . . . carry out the purposes of [the Exchange Act].'' 
\12\
---------------------------------------------------------------------------

    \7\ 15 U.S.C. 78k-1(a)(2).
    \8\ Pub. L. 94-29, 89 Stat. 97 (1975).
    \9\ 15 U.S.C. 78k-1(a)(1).
    \10\ Section 11A(a)(1)(B) of the Exchange Act, 15 U.S.C. 
78k-1(a)(1)(B).
    \11\ Section 11A(a)(1)(C)(i) of the Exchange Act, 15 U.S.C. 
78k-1(a)(1)(C)(i).
    \12\ See Sections 6(b)(1), 15A(b)(2), and 17A(b)(3) of the 
Exchange Act, 15 U.S.C. 78f(b)(1), 78o-3(b)(2), 78q-1(b)(3), 
respectively. See also Section 2 of the Exchange Act, 15 U.S.C. 78b, 
and Section 19 of the Exchange Act, 15 U.S.C. 78s.
---------------------------------------------------------------------------

    In March 2013, the Commission proposed Regulation Systems 
Compliance and Integrity (``Regulation SCI'') \13\ to require certain 
key market participants to, among other things: (1) Have comprehensive 
policies and procedures in place to help ensure the robustness and 
resiliency of their technological systems, and also that their 
technological systems operate in compliance with the federal securities 
laws and with their own rules; and (2) provide certain notices and 
reports to the Commission to improve Commission oversight of securities 
market infrastructure. As discussed in further detail below and in the 
SCI Proposal, Regulation SCI was proposed to update, formalize, and 
expand the Commission's ARP Inspection Program, and, with respect to 
SCI entities, to supersede and replace the Commission's ARP Policy 
Statements and rules regarding systems capacity, integrity and security 
in Rule 301(b)(6) of Regulation ATS.\14\
---------------------------------------------------------------------------

    \13\ Securities Exchange Act Release No. 69077 (March 8, 2013), 
78 FR 18083 (March 25, 2013) (``Proposing Release'' or ``SCI 
Proposal'').
    \14\ See 17 CFR 242.301(b)(6) and ATS Release, supra note 2.
---------------------------------------------------------------------------

    A confluence of factors contributed to the Commission's proposal of 
Regulation SCI and to the Commission's current determination that it is 
necessary and appropriate at this time to address the technological 
vulnerabilities, and improve Commission oversight, of the core 
technology of key U.S. securities markets entities, including national 
securities exchanges and associations, significant alternative trading 
systems, clearing agencies, and plan processors. These considerations 
include: the evolution of the markets to become significantly more 
dependent upon sophisticated, complex and interconnected technology; 
the current successes and limitations of the ARP Inspection Program; a 
significant number of, and lessons learned from, recent systems issues 
at exchanges and other trading venues; \15\ increased concerns over 
``single points of failure'' in the securities markets; \16\ and the 
views of a wide variety of commenters received in response to the SCI 
Proposal.
---------------------------------------------------------------------------

    \15\ See Proposing Release, supra note 13, at 18085-91 for a 
further discussion of these developments and infra Section II.B 
(discussing recent events related to technology issues). In 
addition, prior to issuing the Proposing Release, in October 2012 
the Commission convened a roundtable entitled ``Technology and 
Trading: Promoting Stability in Today's Markets'' (``Technology 
Roundtable''). The Technology Roundtable examined the relationship 
between the operational stability and integrity of the securities 
market and the ways in which market participants design, implement, 
and manage complex and interconnected trading technologies. See 
Securities Exchange Act Release No. 67802 (September 7, 2012), 77 FR 
56697 (September 13, 2012) (File No. 4-652) and Technology 
Roundtable Transcript, available at: http://www.sec.gov/news/otherwebcasts/2012/ttr100212-transcript.pdf. A webcast of the 
Roundtable is available at: www.sec.gov/news/otherwebcasts/2012/ttr100212.shtml. As noted in the Proposing Release, the Commission 
believes that the information presented at the Technology Roundtable 
further highlighted that quality standards, testing, and improved 
response mechanisms are among the issues needing very thoughtful and 
focused attention in today's securities markets. See Proposing 
Release, supra note 13, at 18090-91 for further discussion of the 
Technology Roundtable.
    \16\ See infra Section IV.A.2.c (discussing single points of 
failure in the securities markets in conjunction with the adopted 
term ``critical SCI system'').
---------------------------------------------------------------------------

    The Commission received 60 comment letters on the proposal from 
national securities exchanges, registered securities associations, 
registered clearing agencies, ATSs, broker-dealers, institutional and 
individual investors, industry trade groups, software and technology 
vendors, and academics.\17\ Commenters generally supported the goals of 
the proposal, but as further discussed below, some expressed concern 
about various specific elements of the proposal, and recommended 
certain modifications or clarifications.
---------------------------------------------------------------------------

    \17\ Comments received on the proposal are available on the 
Commission's Web site, available at: http://www.sec.gov/comments/s7-01-13/s70113.shtml. See Exhibit A for a citation key to the comment 
letters cited in this release.
     Upon request from some commenters, the Commission extended the 
comment period for an additional 45 days in order to give the public 
additional time to comment on the matters addressed by the SCI 
Proposal. See Securities Exchange Act Release No. 69606 (May 20, 
2013), 78 FR 30803 (May 23, 2013).
---------------------------------------------------------------------------

    After careful review and consideration of the comment letters,
the Commission is adopting Regulation SCI (``Rule'') and Form SCI 
(``Form'') with certain modifications from the SCI Proposal, as 
discussed below, to respond to concerns expressed by commenters and 
upon further consideration by the Commission of the more appropriate 
approach to further the goals of the national market system by 
strengthening the technology infrastructure of the U.S. securities 
markets.

II. Background

A. Automation Review Policy Inspection Program

    For over two decades, the Commission's ARP Inspection Program has 
helped the Commission oversee the technology infrastructure of the U.S. 
securities markets. This voluntary information technology review 
program was developed by staff of the Commission to implement the 
Commission's ARP Policy Statements issued in 1989 and 1991.\18\ Through 
these Policy Statements, the Commission articulated its views on the 
steps that SROs should take with regard to their automated systems, set 
forth recommendations for how SROs should conduct independent reviews, 
and provided that SROs should notify the Commission of material systems 
changes and significant systems problems.\19\ In 1998, the Commission 
adopted Regulation ATS which, among other things, imposed by rule 
certain aspects of the ARP Policy Statements on significant-volume 
ATSs.\20\ Further, Commission staff subsequently provided additional 
guidance regarding various aspects of the ARP Inspection Program 
through letters to ARP entities, including recommendations regarding 
reporting planned systems changes and systems issues to the 
Commission.\21\
---------------------------------------------------------------------------

    \18\ See ARP Policy Statements, supra note 1. For a detailed 
discussion of the ARP Policy Statements, see Proposing Release, 
supra note 13, at 18085-86.
    \19\ See ARP Policy Statements, supra note 1.
    \20\ See 17 CFR 242.301(b)(6) and ATS Release, supra note 2.
    \21\ In June 2001, staff from the Division of Market Regulation 
sent a letter to the SROs and other participants in the ARP 
Inspection Program regarding Guidance for Systems Outage and System 
Change Notifications (``2001 Staff ARP Interpretive Letter''). See 
Proposing Release, supra note 13, at 18087, n. 35. The 2001 Staff 
ARP Interpretive Letter is available at: http://www.sec.gov/divisions/marketreg/sroautomation.shtml.
---------------------------------------------------------------------------

    Under the ARP Inspection Program, Commission staff (``ARP staff'') 
conducts inspections of the trading and related systems of national 
securities exchanges and associations, certain ATSs, clearing agencies, 
and plan processors (collectively ``ARP entities''), attends periodic 
technology briefings by ARP entities, monitors planned significant 
system changes, and responds to reports of system failures, 
disruptions, and other systems problems of ARP entities. The goal of 
the ARP inspections is to evaluate whether an ARP entity's controls 
over its information technology resources in nine general areas, or 
information technology ``domains,'' \22\ are consistent with ARP and 
industry guidelines. Such guidelines are identified by ARP staff from a 
variety of information technology publications that ARP staff believes 
reflect industry standards for securities market participants.\23\ At 
the conclusion of an ARP inspection, ARP staff typically issues a 
report to the ARP entity with an assessment of the ARP entity's 
information technology program for its key systems, including any 
recommendations for improvement.\24\
---------------------------------------------------------------------------

    \22\ These information technology ``domains'' include: 
application controls; capacity planning; computer operations and 
production environment controls; contingency planning; information 
security and networking; audit; outsourcing; physical security; and 
systems development methodology. Each domain itself contains 
subcategories. For example, ``contingency planning'' includes 
business continuity, disaster recovery, and pandemic planning, among 
other things. See id. at 18086.
    \23\ See id. at 18086-87.
    \24\ In addition, Commission staff conducts inspections of SROs, 
as part of the Commission's oversight of them. Unlike ARP 
inspections, however, which focus on information technology 
controls, such Commission staff primarily conducts risk-based 
examinations of securities exchanges, FINRA, and other SROs to 
evaluate whether they and their member firms are complying with the 
Exchange Act, the rules thereunder, and SRO rules, as applicable. As 
part of the Commission's oversight of the SROs, Commission staff 
also reviews systems compliance issues reported to Commission staff. 
The information gained from the Commission staff review of reported 
systems compliance issues helps to inform its examination 
risk-assessments for SROs. See id. at 18087.
---------------------------------------------------------------------------

    Because the ARP Inspection Program was established pursuant to 
Commission policy statements rather than Commission rules, 
participation in and compliance with the ARP Inspection Program by ARP 
entities is voluntary. As such, despite its general success in working 
with SROs to improve their automated systems, there are certain 
limitations with the ARP Inspection Program. In particular, because of 
the voluntary nature of the ARP Inspection Program, the Commission is 
constrained in its ability to assure compliance with ARP standards. The 
Government Accountability Office (``GAO'') has identified the voluntary 
nature of the ARP Inspection Program as a limitation and recommended 
that the Commission make compliance with ARP guidelines mandatory.\25\ 
In addition, as more fully discussed in the SCI Proposal, the evolution 
of the U.S. securities markets in recent years to become almost 
entirely electronic and highly dependent on sophisticated trading and 
other technology, including complex and interconnected routing, market 
data, regulatory, surveillance and other systems, has posed challenges 
for the ARP Inspection Program.\26\
---------------------------------------------------------------------------

    \25\ See GAO, Financial Market Preparedness: Improvements Made, 
but More Action Needed to Prepare for Wide-Scale Disasters, Report 
No. GAO-04-984 (September 27, 2004). GAO cited instances in which 
the GAO believed that entities participating in the ARP Inspection 
Program failed to adequately address or implement ARP staff 
recommendations as the reasoning behind its recommendation to make 
compliance with ARP guidelines mandatory.
    \26\ See Proposing Release, supra note 13, at 18087-89.
---------------------------------------------------------------------------

B. Recent Events

    A series of high-profile recent events involving systems-related 
issues further highlights the need for market participants to bolster 
the operational integrity of their automated systems in this area. In 
the SCI Proposal, the Commission identified several systems problems 
experienced by SROs and ATSs that garnered significant public attention 
and illustrated the types and risks of systems issues affecting today's 
markets.\27\ Since Regulation SCI's proposal in March 2013, additional 
systems problems among market participants have occurred, further 
underscoring the importance of bolstering the robustness of U.S. market 
infrastructure to help ensure its stability, integrity, and resiliency.
---------------------------------------------------------------------------

    \27\ See id. at 18089-90. The Proposing Release also discussed 
the effects of Superstorm Sandy on the U.S. securities exchanges, 
noting certain weaknesses in business continuity and disaster 
recovery planning that were highlighted by the event. See id. at 
18091.
---------------------------------------------------------------------------

    In particular, since Regulation SCI's proposal, disruptions have 
continued to occur across a variety of market participants. For 
example, with respect to the options markets, some exchanges have 
delayed the opening of trading,\28\
halted trading,\29\ or experienced other errors as a result of systems 
issues,\30\ and trading in options was halted due to a systems issue 
with the securities information processor for options market 
information.\31\ Systems issues have also impacted consolidated market 
data in the equities markets, including one incident that led to a 
trading halt in all securities listed on a particular exchange.\32\ 
Systems issues have also affected trading off of national securities 
exchanges, including an incident where FINRA halted trading in all OTC 
equity securities due to a lack of availability of quotation 
information resulting from a connectivity issue experienced by an 
ATS.\33\ Systems issues during this time have not been limited to 
systems disruptions, but have also included allegations of systems 
compliance issues.\34\
---------------------------------------------------------------------------

    \28\ On April 25, 2013, the Chicago Board Options Exchange, Inc. 
(``CBOE'') delayed the opening of trading on its exchange for over 
three hours due to what CBOE described as an internal ``software 
bug.'' See CBOE Information Circular IC13-036, April 29, 2013, 
available at: http://www.cboe.com/publish/InfoCir/IC13-036.pdf. 
During this time, while trading in many products was able to 
continue on the other options exchanges, trading was completely 
halted for those products that are singly-listed on CBOE, including 
options on the S&P 500 Index and the CBOE Volatility Index 
(``VIX''). Trading was able to resume by approximately 1:00 p.m. ET, 
though some residual systems problems continued. Specifically, 
certain auction mechanisms were unavailable for the remainder of the 
day and some of the trade data from April 25 was erroneously 
re-transmitted to OCC on April 26. See id. and CBOE System Status 
notifications for April 25, 2013, available at: http://www.cboe.com/aboutcboe/systemstatus/search.aspx. CBOE subsequently reported that 
preliminary staging work related to a planned reconfiguration of 
CBOE's systems in preparation for extended trading hours on the CBOE 
Futures Exchange and CBOE options exchange ``exposed and triggered a 
design flaw in the existing messaging infrastructure 
configuration.'' See CBOE Information Circular IC13-036, April 29, 
2013, available at: http://www.cboe.com/publish/InfoCir/IC13-036.pdf.
    \29\ On November 1, 2013, Nasdaq halted trading on the Nasdaq 
Options Market (``NOM'') for more than five hours through the close 
of the trading day. Nasdaq stated that the halt was a result of ``a 
significant increase in order entries which inhibited the system's 
ability to accept orders and disseminate quotes on a subset of 
symbols.'' As Nasdaq stated, Nasdaq determined that it was in the 
best interest of market participants and investors to cancel all 
orders on the NOM book and continue the market halt through the 
close. See Nasdaq Market System Status Updates for November 1, 2013, 
available at: https://www.nasdaqtrader.com/Trader.aspx?id=MarketSystemStatusSearch.
    \30\ On April 29, 2014, NYSE Arca and NYSE Amex Options 
experienced a systems issue that resulted in numerous complex orders 
booking at incorrect prices. In some cases, this resulted in 
erroneous fill reports, all of which were subsequently nullified. 
See Trader Update to All NYSE Amex Options and NYSE Arca Options 
Participants, ``Erroneous Complex Order Executions,'' dated April 
29, 2014, available at: http://www1.nyse.com/pdfs/2014_04_29_NYSE_Amex_and_Arca_Options_Erroneous_Complex_Order_Executions.pdf.
    \31\ On September 16, 2013, options market trading was halted 
for approximately 20 minutes due to a systems issue with the Options 
Price Reporting Authority (``OPRA''), the securities information 
processor for options market information that disseminates option 
quotation and last sale information to market data vendors. OPRA 
reported that it experienced problems processing quotes as a result 
of a software issue originating from a limited rollout of certain 
software upgrades. See Notice to All OPRA Market Data Recipients 
from OPRA, LLC, dated September 18, 2013, available at: http://www.opradata.com/specs/16-sept-2013-opra-outage.pdf.
    \32\ On August 22, 2013, the NASDAQ Stock Market LLC 
(``Nasdaq'') halted trading in all Nasdaq-listed securities for more 
than three hours after the Nasdaq UTP Securities Information 
Processor (``SIP''), the single source of consolidated market data 
for Nasdaq-listed securities, was unable to process quotes from 
exchanges for dissemination to the public. According to Nasdaq, a 
sequence of events created a spike in message traffic volume into 
the SIP exceeding the SIP's capacity and causing the system to fail. 
Nasdaq cited ``more than 20 connect and disconnect sequences from 
NYSE Arca'' and a ``stream of quotes for inaccurate symbols from 
NYSE Arca'' as events contributing to the systems problem. Nasdaq 
noted that the stream of messages, which was 26 times greater than 
usual activity, degraded the system and exceeded its capacity, 
ultimately resulting in the failure. Nasdaq stated that these events 
exposed a flaw in the SIP's software code which prevented a 
successful failover to the backup system. See ``NASDAQ OMX Provides 
Updates on Events of August 22, 2013,'' by NASDAQ OMX (August 29, 
2013), available at: http://www.nasdaqomx.com/newsroom/pressreleases/pressrelease?messageId=1204807&displayLanguage=en; and 
Nasdaq Market System Status notifications for August 22, 2013, 
available at: https://www.nasdaqtrader.com/Trader.aspx?id=MarketSystemStatusSearch.
    Nasdaq experienced another outage related to the SIP on 
September 4, 2013. This incident lasted only several minutes and 
affected only a subset of Nasdaq-listed securities. See ``NASDAQ OMX 
Issues Statement on the Securities Information Processor,'' by 
NASDAQ OMX (September 4, 2013), available at: http://ir.nasdaqomx.com/releasedetail.cfm?ReleaseID=788700.
    The SIP consolidates quotation information and transaction 
reports from market centers and disseminates such consolidated 
information to market participants pursuant to the Commission-
approved Joint Self-Regulatory Organization Plan Governing the 
Collection, Consolidation and Dissemination of Quotation and 
Transaction Information for Nasdaq-Listed Securities Traded on 
Exchanges on an Unlisted Trading Privilege Basis, available at: 
http://www.utpplan.com/. See generally Rule 608 of Regulation NMS, 
17 CFR 242.608 (``Filing and amendment of national market system 
plans'').
     More recently, on October 30, 2014, according to the NYSE, a 
network hardware failure impacted the Consolidated Tape System, 
Consolidated Quote System, and Options Price Reporting Authority 
data feeds at the primary data center. Exchanges experienced issues 
publishing and receiving trades and quotes as a result. After 
investigation of the issue, the Securities Industry Automation 
Corporation (``SIAC'') (the processor for the affected data feeds) 
switched over to the secondary data center for these data feeds and 
normal processing subsequently resumed. The exchanges then connected 
to the secondary data center as provided for in SIAC's business 
continuity plan. See ``Service Advisory--CTA Update,'' by NYSE 
(October 30, 2014), available at: https://markets.nyx.com/nyse/market-status/view/13467 and ``NMS SIP market wide issue,'' by NYSE 
(October 30, 2014), available at: https://markets.nyx.com/nyse/market-status/view/13465.
    \33\ On November 7, 2013, FINRA halted trading for over 3 1/2 
hours in all OTC equity securities due to a lack of availability of 
quotation information resulting from a connectivity issue 
experienced by OTC Markets Group Inc.'s OTC Link ATS. See ``Market-
Wide Quotation and Trading Halt for all OTC Equity Securities,'' 
FINRA Uniform Practice Advisory, UPC #47-13, November 7, 2013, 
available at: http://www.finra.org/web/groups/industry/@ip/@comp/@mt/documents/upcnotices/p381590.pdf; ``Quotation and Trading Halt 
for OTC Equity Securities,'' FINRA Uniform Practice Advisory, UPC 
#48-13, November 7, 2013, available at: http://www.finra.org/web/groups/industry/@ip/@comp/@mt/documents/upcnotices/p381593.pdf; 
``OTC Markets Group Issues Statement on OTC Link® ATS Trading 
on November 7, 2013,'' OTC Disclosure & News Service, November 7, 
2013, available at: http://www.otcmarkets.com/stock/OTCM/news/OTC-Markets-Group-Issues-Statement-on-OTC-Linkreg-ATS-Trading-on-November-7-2013?id=71144. OTC Markets Group subsequently reported 
that a network outage at one of its core network providers caused 
the lack of connectivity to its primary data center in New Jersey. 
See ``OTC Markets Group Issues Statement on OTC Link® ATS 
Trading on November 7, 2013,'' OTC Disclosure & News Service, 
November 7, 2013, available at: http://www.otcmarkets.com/stock/OTCM/news/OTC-Markets-Group-Issues-Statement-on-OTC-Linkreg-ATS-Trading-on-November-7-2013?id=71144.
    \34\ For example, in June 2013, the Commission charged CBOE and 
its affiliate (C2 Options Exchange, Incorporated (``C2'')) for 
various systemic breakdowns in their regulatory and compliance 
responsibilities as self-regulatory organizations, including failure 
to enforce the federal securities laws and Commission rules. See 
Securities Exchange Act Release No. 69726, In the Matter of Chicago 
Board Options Exchange, Incorporated and C2 Options Exchange, 
Incorporated (settled action: June 11, 2013), available at: http://www.sec.gov/litigation/admin/2013/34-69726.pdf (``CBOE Order''). 
CBOE and C2 consented to an Order Instituting Administrative and 
Cease-and-Desist Proceedings Pursuant to Sections 19(h) and 21C of 
the Securities Exchange Act of 1934, Making Findings, and Imposing 
Sanctions and a Cease-and-Desist Order. In the CBOE Order, among 
other charges, the Commission stated that ``CBOE's automated 
surveillance programs for manually handled trades were ineffective'' 
and that ``CBOE failed to maintain a reliable or accurate audit 
trail of orders'' on its trading facility. See id. at 11, 13.
    In addition, in May 2014, the Commission sanctioned the New York 
Stock Exchange LLC (``NYSE'') and two of its affiliated exchanges 
(NYSE Arca, Inc. (``NYSE Arca''), NYSE MKT LLC (``NYSE MKT'')) for 
alleged failure to comply with their responsibilities as self-
regulatory organizations to conduct their business operations in 
accordance with Commission-approved exchange rules and the federal 
securities laws. See Securities Exchange Act Release No. 72065, In 
the Matter of New York Stock Exchange LLC, NYSE Arca, Inc., NYSE MKT 
LLC, and Archipelago Securities, L.L.C. (settled action: May 1, 
2014), available at: http://www.sec.gov/litigation/admin/2014/34-72065.pdf (``NYSE Order''). NYSE, NYSE Arca, NYSE MKT, and 
Archipelago Securities consented to an Order Instituting 
Administrative and Cease-and-Desist Proceedings Pursuant to Sections 
19(h) and 21C of the Securities Exchange Act of 1934, Making 
Findings, and Imposing Sanctions and a Cease-and-Desist Order. In 
the NYSE Order, the Commission cited various instances of NYSE 
systems not operating in compliance with their effective rules, such 
as NYSE's block trading facility not functioning in accordance with 
applicable rules; NYSE distributing an automated feed of closing 
order imbalance information to its floor brokers at an earlier time 
than specified in NYSE rules; and NYSE failing to execute certain 
orders in locked markets contrary to exchange rules. See id. In the 
NYSE Order, the Commission stated that the exchanges ``lacked 
comprehensive and consistently-applied policies and procedures for 
. . . evaluating whether business operations were being conducted 
fully in accordance with existing exchange rules and the federal 
securities laws.'' Id. at 3.
---------------------------------------------------------------------------

    Systems issues are not unique to the U.S. securities markets, with 
similar incidents occurring in the U.S. commodities markets as well as 
foreign markets.\35\ However, the Commission

[[Page 72256]]

believes that it is critical that key U.S. securities market 
participants bolster their operational integrity to prevent, to the 
extent reasonably possible, these types of events, which can not only 
lead to tangible monetary losses,\36\ but which commenters believe to 
have the potential to reduce investor confidence in the U.S. 
markets.\37\
---------------------------------------------------------------------------

    \35\ See, e.g., Jacob Bunge, Bradley Hope, and Leslie Josephs, 
``Technical Glitch Hits CME Trading,'' Wall St. J., April 8, 2014; 
Jeremy Grant, ``Glitch Delays Singapore Derivative Trade,'' Fin. 
Times, April 9, 2013; Tamsyn Parker, ``NZX Trading Resumes After 
Technical Glitch,'' The New Zealand Herald, July 1, 2013; Matt 
Clinch, ``Flash Crash: Israel Stocks Hit by Typo,'' CNBC.com, 
available at: http://www.cnbc.com/id/100986999; and Ksenia 
Galouchko, ``Moscow Exchange Halts Derivatives Trading for Almost an 
Hour,'' Bloomberg, November 13, 2013.
    \36\ See, e.g., Proposing Release, supra note 13 (discussing 
systems issues affecting the initial public offerings (``IPO'') of 
BATS Global Markets, Inc. and Facebook, Inc.). In a rule change 
approved by the Commission in March 2013, Nasdaq implemented a $62 
million accommodation program to compensate certain members for 
their losses in connection with the Facebook IPO. Securities 
Exchange Act Release No. 69216 (March 22, 2013), 78 FR 19040 (March 
28, 2013). In its quarterly earnings announcement for the second 
quarter of 2013, UBS reported a $356 million loss tied to Facebook's 
IPO, while The Knight Capital Group and Citadel Investment Group 
claimed losses of $30 million to $35 million and Citigroup cited 
losses close to $20 million. See Michael J. De La Merced, ``Behind 
the Huge Facebook Loss at UBS,'' N.Y. Times, July 21, 2012. See also 
Angel Letter at 15 (stating that catastrophic failures in exchange 
systems are extremely costly in terms of direct losses to 
participants and result in reduced investor confidence in markets); 
and Better Markets Letter at 2 (citing to the systems related 
problems at Knight Capital, Direct Edge, BATS, and during the 
Facebook IPO that resulted in investor or company losses).
    \37\ See, e.g., Angel2 Letter at 2; Sungard Letter at 2; Better 
Markets Letter at 2; Leuchtkafer Letter at 3; FSI Letter at 3; and 
Angel Letter at 10, 15.
---------------------------------------------------------------------------

    The SCI Proposal also noted that the risks associated with 
cybersecurity, and how to protect against systems intrusions, are 
increasingly of concern to all types of entities.\38\ On March 27, 
2014, the Commission conducted a Cybersecurity Roundtable 
(``Cybersecurity Roundtable'').\39\ The Cybersecurity Roundtable 
addressed the cybersecurity landscape and cybersecurity issues faced by 
participants in the financial markets today, including exchanges, 
broker-dealers, investment advisers, transfer agents and public 
companies.\40\ Panelists discussed, among other topics, the scope and 
nature of cybersecurity threats to the financial industry; how market 
participants can effectively manage cybersecurity threats, including 
public and private sector coordination efforts and information sharing; 
the role that government should play to promote cybersecurity in the 
financial markets and market infrastructure; cybersecurity disclosure 
issues faced by public companies; and the identification of appropriate 
best practices and standards with regard to cybersecurity. Although the 
views of panelists varied, many emphasized the significant risk that 
cybersecurity attacks pose to the financial markets and market 
infrastructure today and the need to effectively manage that risk 
through measures such as testing, risk assessments, adoption of 
consistent best practices and standards, and information sharing.
---------------------------------------------------------------------------

    \38\ See Proposing Release, supra note 13, at 18089-90.
    \39\ See Securities Exchange Act Release No. 71742 (March 19, 
2014), 79 FR 16071 (March 24, 2014) (File No. 4-673). A webcast of 
the Cybersecurity Roundtable is available at: http://www.sec.gov/news/otherwebcasts/2014/cybersecurity-roundtable-032614.shtml.
    \40\ The first panel discussed the cybersecurity landscape, and 
panelists included: Cyrus Amir-Mokri, Assistant Secretary for 
Financial Institutions, Department of the Treasury; Mary E. 
Galligan, Director, Cyber Risk Services, Deloitte and Touche LLP; 
Craig Mundie, Member, President's Council of Advisors on Science and 
Technology; Senior Advisor to the Chief Executive Officer, Microsoft 
Corporation; Javier Ortiz, Vice President, Strategy and Global Head 
of Government Affairs, TaaSera, Inc.; Andy Roth, Partner and Co-
Chair, Global Privacy and Security Group, Dentons US LLP; Ari 
Schwartz, Acting Senior Director for Cybersecurity Programs, 
National Security Council, The White House; Adam Sedgewick, Senior 
Information Technology Policy Advisor, National Institute of 
Standards and Technology; and Larry Zelvin, Director, National 
Cybersecurity and Communications Integration Center, U.S. Department 
of Homeland Security.
     The second panel discussed public company disclosure of 
cybersecurity risks and incidents, and panelists included: Peter 
Beshar, Executive Vice President and General Counsel, Marsh & 
McLennan Companies, Inc.; David Burg, Global and U.S. Advisor Cyber 
Security Leader, PricewaterhouseCoopers LLP; Roberta Karmel, 
Centennial Professor of Law, Brooklyn Law School; Jonas Kron, Senior 
Vice President, Director of Shareholder Advocacy, Trillium Asset 
Management LLC; Douglas Meal, Partner, Ropes & Gray LLP; and Leslie 
T. Thornton, Vice President and General Counsel, WGL Holdings, Inc. 
and Washington Gas Light Company.
     The third panel addressed cybersecurity issues faced by the 
securities markets, and panelists included: Mark G. Clancy, Managing 
Director and Corporate Information Security Officer, The Depository 
Trust and Clearing Corporation; Mark Graff, Chief Information 
Security Officer, Nasdaq OMX; Todd Furney, Vice President, Systems 
Security, Chicago Board Options Exchange; Katheryn Rosen, Deputy 
Assistant Secretary, Office of Financial Institutions Policy, 
Department of the Treasury; Thomas Sinnott, Managing Director, 
Global Information Security, CME Group; and Aaron Weissenfluh, Chief 
Information Security Officer, BATS Global Markets, Inc.
     The final panel discussed how broker-dealers, investment 
advisers, and transfer agents address cybersecurity issues, and 
panelists included: John Denning, Senior Vice President, Operational 
Policy Integration, Development and Strategy, Bank of America/
Merrill Lynch; Jimmie H. Lenz, Senior Vice President, Chief Risk and 
Credit Officer, Wells Fargo Advisors LLC; Mark R. Manley, Senior 
Vice President, Deputy General Counsel and Chief Compliance Officer, 
AllianceBernstein L.P.; Marcus Prendergast, Director and Corporate 
Information Security Officer, ITG; Karl Schimmeck, Managing 
Director, Financial Services Operations, Securities Industry and 
Financial Markets Association; Daniel M. Sibears, Executive Vice 
President, Regulatory Operations/Shared Services, FINRA; John Reed 
Stark, Managing Director, Stroz Friedberg; Craig Thomas, Chief 
Information Security Officer, Computershare; and David G. 
Tittsworth, Executive Director and Executive Vice President, 
Investment Adviser Association.
---------------------------------------------------------------------------

III. Overview

    The Commission acknowledges that the nature of technology and the 
level of sophistication and automation of current market systems 
prevent any measure, regulatory or otherwise, from completely 
eliminating all systems disruptions, intrusions, or other systems 
issues.\41\ However, given the issues outlined above, the Commission 
believes that the adoption of, and compliance by SCI entities with 
Regulation SCI, with the modifications from the SCI Proposal as 
discussed below, will advance the goals of the national market system 
by enhancing the capacity, integrity, resiliency, availability, and 
security of the automated systems of entities important to the 
functioning of the U.S. securities markets, as well as reinforce the 
requirement that such systems operate in compliance with the Exchange 
Act and rules and regulations thereunder, thus strengthening the 
infrastructure of the U.S. securities markets and improving its 
resilience when technological issues arise. In this respect, Regulation 
SCI establishes an updated and formalized regulatory framework, thereby 
helping to ensure more effective Commission oversight of such systems.
---------------------------------------------------------------------------

    \41\ See, e.g., October 2, 2012 remarks by Dr. Nancy Leveson, 
Professor of Aeronautics and Astronautics and Professor of 
Engineering Systems, MIT, Technology Roundtable (stating, for 
example, that ``it is impossible to build totally secure software 
systems'' and ``we've learned that we cannot build an unsinkable 
ship and cannot build unfailable software''), available at: http://www.sec.gov/news/otherwebcasts/2012/ttr100212-transcript.pdf.
---------------------------------------------------------------------------

    As proposed, Regulation SCI would have applied to ``SCI entities'' 
(estimated in the SCI Proposal to be 44 entities), a term which would 
have included all self-regulatory organizations (excluding security 
futures exchanges), ATSs that exceed specified volume thresholds, plan 
processors for market data NMS plans, and certain exempt clearing 
agencies. The most significant elements of the SCI Proposal \42\ would 
have required each SCI entity to:
---------------------------------------------------------------------------

    \42\ Each provision of the SCI Proposal is described in further 
detail below in Section IV. See also Proposing Release, supra note 
13, at Section III.
---------------------------------------------------------------------------

     Implement policies and procedures reasonably designed to 
ensure that its ``SCI systems'' and ``SCI security systems'' have 
levels of capacity, integrity, resiliency, availability, and security, 
adequate to maintain the SCI entity's operational capability and

[[Page 72257]]

promote the maintenance of fair and orderly markets, with deemed 
compliance for policies and procedures that are consistent with current 
SCI industry standards, including identified information technology 
publications listed on proposed Table A;
     Implement policies and procedures reasonably designed to 
ensure that its systems operate in the manner intended, including in 
compliance with the federal securities laws and rules, and the entity's 
rules and governing documents, with safe harbors from liability for SCI 
entities and individuals;
     Upon any ``responsible SCI personnel'' becoming aware of 
the occurrence of an ``SCI event'' (defined to include systems 
disruptions, systems compliance issues, and systems intrusions), begin 
to take appropriate corrective action, including mitigating potential 
harm to investors and market integrity and devoting adequate resources 
to remedy the SCI event as soon as practicable;
     Report to the Commission the occurrence of any SCI event; 
and notify its members or participants of certain types of SCI events;
     Notify the Commission 30 days in advance of ``material 
systems changes'' (subject to an exception for exigent circumstances) 
and provide semi-annual summary progress reports on such material 
systems changes;
     Conduct an annual review, to be performed by objective, 
qualified personnel, of its compliance with Regulation SCI and submit a 
report of such annual review to its senior management and to the 
Commission;
     Designate those of its members or participants that would 
be required to participate in the testing (to occur at least annually) 
of its business continuity and disaster recovery plans, and coordinate 
such testing with other SCI entities on an industry- or sector-wide 
basis; and
     Meet certain other requirements, including maintaining 
records related to compliance with Regulation SCI and providing 
Commission representatives reasonable access to its systems to assess 
compliance with the rule.
    The Commission received substantial comment on the SCI Proposal 
from a wide range of entities. Commenters generally expressed support 
for the goals of the rule, but many suggested that the SCI Proposal's 
scope was unnecessarily broad and could be more tailored to lower 
compliance costs and still achieve the goal of reducing significant 
technology risk in the markets. Broadly speaking, the areas of concern 
garnering the greatest comment included the: (i) Breadth of certain key 
proposed definitions; (ii) costs associated with the scope of the 
proposed rule, including its reporting obligations; (iii) publications 
designated on Table A as proposed examples of ``current SCI industry 
standards;'' (iv) proposed entity safe harbor for systems compliance 
policies and procedures; (v) breadth of the proposed mandatory testing 
requirements; and (vi) proposed access provision.\43\
---------------------------------------------------------------------------

    \43\ A more detailed discussion of commenters' views can be 
found below in Section IV.
---------------------------------------------------------------------------

    The Commission has carefully considered the views of commenters in 
crafting Regulation SCI to meet its goals to strengthen the technology 
infrastructure of the securities markets and improve its resilience 
when technology falls short. Many of these modifications are intended 
to further focus the scope of the requirements from the proposal and to 
lessen the costs and burdens on SCI entities, while still allowing the 
Commission to achieve its goals. While Section IV below provides a 
detailed discussion of the changes the Commission has made to the SCI 
Proposal in adopting Regulation SCI today,\44\ broadly speaking, the 
key changes include:
---------------------------------------------------------------------------

    \44\ The Economic Analysis, infra Section VI, discusses the 
economic effects, including the costs and benefits, of the 
provisions of Regulation SCI, as adopted.
---------------------------------------------------------------------------

     Refining the scope of the proposal by, among other things, 
revising certain key definitions (including the definition of SCI 
systems and the definition of SCI ATS to exclude ATSs that trade only 
municipal securities or corporate debt securities (together, ``fixed-
income ATSs'')), refining the reporting framework for SCI events, and 
replacing the proposed 30-day advanced reporting requirement for 
material systems changes with a quarterly reporting requirement;
     Modifying the proposal to differentiate certain 
obligations and requirements, including tailoring certain obligations 
based on the criticality of a system (by, for example, adopting a new 
defined term ``critical SCI system'' for which heightened requirements 
will apply), and based on the significance of an event (such as 
adopting a new defined term ``major SCI event'' for purposes of the 
dissemination requirements, and establishing differing reporting 
obligations for SCI events that have had no or a de minimis impact on 
the SCI entity's operations or on market participants);
     Modifying the proposed policies and procedures 
requirements relating to both operational capability and the 
maintenance of fair and orderly markets, as well as systems compliance;
     Refining the scope of SCI entity members and participants 
that would be required to participate in mandatory business continuity/
disaster recovery plan testing; and
     Eliminating the proposed requirement that SCI entities 
provide Commission representatives reasonable access to their systems 
because the Commission can adequately assess an SCI entity's compliance 
with Regulation SCI through existing recordkeeping requirements and 
examination authority, as well as through the new recordkeeping 
requirement in Rule 1005 of Regulation SCI.
    In addition, the Commission notes that proposed Regulation SCI 
consisted of a single rule (Rule 1000) that included subparagraphs ((a) 
through (f)) addressing the various obligations of the rule. However, 
for clarity and simplification, adopted Regulation SCI is renumbered as 
Rules 1000 through 1007, as follows:
     Adopted Rule 1000 (which corresponds to proposed Rule 
1000(a)) contains definitions for terms used in Regulation SCI;
     Adopted Rule 1001 (proposed Rules 1000(b)(1)-(2)) contains 
the policies and procedures requirements for SCI entities relating to 
both operational capability and the maintenance of fair and orderly 
markets, as well as systems compliance;
     Adopted Rule 1002 (proposed Rules 1000(b)(3)-(5)) contains 
the obligations of SCI entities with respect to SCI events, which 
include corrective action, Commission notification, and information 
dissemination;
     Adopted Rule 1003 (proposed Rules 1000(b)(6)-(8)) contains 
requirements relating to material systems changes and SCI reviews;
     Adopted Rule 1004 (proposed Rule 1000(b)(9)) contains 
requirements relating to business continuity and disaster recovery 
testing;
     Adopted Rule 1005 (proposed Rule 1000(c)) contains 
requirements relating to recordkeeping;
     Adopted Rule 1006 (proposed Rule 1000(d)) contains 
requirements relating to electronic filing and submission;
     Adopted Rule 1007 (proposed Rule 1000(e)) contains 
requirements for service bureaus.

IV. Description of Adopted Regulation SCI and Form SCI

A. Definitions Establishing the Scope of Regulation SCI--Rule 1000

    A series of definitions set forth in Rule 1000 relate to the scope 
of Regulation SCI. These include the definitions for ``SCI entity'' (as 
well as the types of entities that are SCI entities,

[[Page 72258]]

namely ``SCI SRO,'' ``SCI ATS,'' ``plan processor,'' and ``exempt 
clearing agency subject to ARP''), ``SCI systems'' (and related 
definitions for ``indirect SCI systems'' and ``critical SCI systems''), 
and ``SCI event'' (as well as the types of events that constitute SCI 
events, namely ``systems disruption,'' ``systems compliance issue,'' 
and ``systems intrusion'').\45\
---------------------------------------------------------------------------

    \45\ Rule 1000 contains additional defined terms that are 
discussed in subsequent sections below. See infra Section IV.B.3 
(discussing the definition of ``responsible SCI personnel''), 
Section IV.B.3.d (discussing ``major SCI event'' and deletion of the 
proposed definition of ``dissemination SCI event''), Section IV.B.4 
(discussing deletion of the proposed definition for ``material 
systems change''), Section IV.B.5 (discussing ``SCI review'' and 
``senior management''), and Section IV.C.2 (discussing ``electronic 
signature'').
---------------------------------------------------------------------------

1. SCI Entities
    Regulation SCI imposes requirements on entities meeting the 
definition of ``SCI entity'' under the rule. Proposed Rule 1000(a) 
defined ``SCI entity'' as an ``SCI self-regulatory organization, SCI 
alternative trading system, plan processor, or exempt clearing agency 
subject to ARP.'' \46\ The Commission is adopting the definition of 
``SCI entity'' in Rule 1000 as proposed.\47\
---------------------------------------------------------------------------

    \46\ See proposed Rule 1000(a) and Proposing Release supra note 
13, at Section III.B.1.
    \47\ Proposed Rule 1000(a) also defined each of the terms within 
the definition of SCI entity for the purpose of designating 
specifically the entities that would be subject to Regulation SCI. 
As described in Sections IV.A.1.a-d below, the Commission is 
also adopting these terms as proposed and without modification, with 
the exception of the definition of ``SCI ATS,'' which is being 
revised to exclude ATSs that trade only municipal securities or 
corporate debt securities.
---------------------------------------------------------------------------

    Some commenters discussed the definition of SCI entity generally 
and advocated for an expansion of the proposed definition, asserting 
that additional categories of market participants may have the 
potential to impact the market in the event of a systems issue.\48\ For 
example, one commenter suggested that the definition of ``SCI entity'' 
be extended to include the ATS and broker-dealer entities covered by 
the Regulation NMS definition of a ``trading center.'' \49\ Another 
commenter stated that the Commission should potentially expand the 
definition of SCI entity to also include dark pools if they met the 
volume thresholds of ATSs.\50\
---------------------------------------------------------------------------

    \48\ See, e.g., NYSE Letter at 8-9 and Liquidnet Letter at 2-3. 
See also BlackRock Letter at 4 (stating, among other things, that 
Regulation SCI should extend to any trading platforms that transact 
significant volume because these venues have a meaningful role and 
impact on the equity market). See also infra Section IV.E 
(discussing comments regarding the potential inclusion of other 
types of entities, such as broker-dealers generally, within the 
scope of Regulation SCI).
    \49\ Specifically, Section 600(b)(78) of Regulation NMS includes 
within the definition of a ``trading center'' ``an ATS, an exchange 
market maker, an OTC market maker, or any other broker or dealer 
that executes orders internally by trading as principal or crossing 
orders as agent.'' 17 CFR 242.600(b)(68). See NYSE Letter at 8-9.
    \50\ See CoreOne Letter at 7-9. CoreOne recommended that the 
Commission require dark pools to publicly disclose their aggregate 
volume in a manner similar to disclosures made by exchanges and 
ATSs. CoreOne stated that, once dark pools publicly disclose their 
volumes, it would be easier to evaluate whether dark pools should be 
included as SCI entities. Id.
---------------------------------------------------------------------------

    Other commenters believed that the scope of the definition should 
be more limited.\51\ For example, one commenter suggested that the 
definition should only include those entities that are systemically 
important to the functioning of the U.S. securities markets and should 
utilize volume thresholds for exchanges and ATSs to make this 
determination.\52\
---------------------------------------------------------------------------

    \51\ See, e.g., KCG Letter at 6-8; ITG Letter at 2-4; and CME 
Letter at 2-5.
    \52\ See ITG Letter at 2-4, 7. This commenter argued that, 
alternatively, the Commission could impose a lower set of 
obligations on ``lesser'' SCI entities. See id., at 9-11. See also 
infra notes 81-82 (discussing this commenter's suggested thresholds 
for exchanges) and note 131 (discussing this commenter's recommended 
thresholds for ATSs). See discussion in Sections IV.A.1.a and 
IV.A.1.b (relating to SCI SROs and SCI ATSs, respectively).
---------------------------------------------------------------------------

    Several commenters advocated the adoption of a ``risk-based'' 
approach, which would entail categorizing market participants based on 
the criticality of the functions performed rather than applying 
Regulation SCI to all ``SCI entities'' equally.\53\ Some commenters 
suggested replacing the term ``SCI entity'' with categories of 
participants based on potential market impact or including in the 
definition only those participants that are essential to continuous 
market-wide operation or that are the sole providers of a service in 
the securities markets.\54\ Other commenters agreed with the proposed 
scope of the term ``SCI entity,'' but believed that the various 
requirements under the rule should be tiered based on risk 
profiles.\55\ Several commenters identified various factors that should 
be considered in conducting a risk-assessment such as whether an entity 
is a primary listing market, is the sole market where the security is 
traded, or performs a monopoly or utility type role where there is no 
redundancy built into the marketplace, among others.\56\ Some 
commenters identified specific functions that they believed to be 
highly critical to the functioning of the securities markets and thus 
pose the greatest risk to the markets in the event of a systems issue, 
including securities information processing, clearance and settlement 
systems, and trading of exclusively listed securities, among 
others.\57\
---------------------------------------------------------------------------

    \53\ See, e.g., BIDS Letter at 5-6; SIFMA Letter at 4-5; KCG 
Letter at 2-3, 6-8; Fidelity Letter at 2-4; UBS Letter at 2-4; and 
LiquidPoint Letter at 2-3.
    \54\ See, e.g., BIDS Letter at 3-6; Direct Edge Letter at 1-2; 
and KCG Letter at 2-3, 6-8. Specifically, Direct Edge stated that 
SCI entities should include Commission-registered exchanges, 
securities information processors under approved NMS plans for 
market data, and clearance and settlement systems.
    \55\ See, e.g., SIFMA Letter at 4 and Fidelity Letter at 3-4.
    \56\ See, e.g., SIFMA Letter at 4 and Fidelity Letter at 3-4.
    \57\ See, e.g., SIFMA Letter at 4; Direct Edge Letter at 1-2; 
and KCG Letter at 2-3.
---------------------------------------------------------------------------

    After careful consideration of the comments, the Commission has 
determined to adopt the overall scope of entities covered by Regulation 
SCI as proposed.\58\ As discussed below, the Commission continues to 
believe that it is appropriate and would further the goals of the 
national market system to subject all SROs (excluding securities 
futures exchanges), ATSs meeting certain volume thresholds with respect 
to NMS stocks and non-NMS stocks (discussed further below), plan 
processors, and certain exempt clearing agencies to the requirements of 
Regulation SCI. The Commission believes that this definition 
appropriately includes those entities that play a significant role in 
the U.S. securities markets and/or have the potential to impact 
investors, the overall market, or the trading of individual 
securities.\59\
---------------------------------------------------------------------------

    \58\ But see infra Section IV.A.1.b (discussing revisions to the 
definition of ``SCI ATS'').
    \59\ See infra Sections IV.A.1.a-d (discussing more specifically 
each category of entity included within the definition of ``SCI 
entity'').
---------------------------------------------------------------------------

    While some commenters supported expanding the definition of SCI 
entity to encompass various other types of entities, the Commission has 
determined not to expand the scope of entities subject to Regulation 
SCI at this time. As noted in the SCI Proposal, Regulation SCI is 
based, in part, on the ARP Inspection Program, which has included the 
voluntary participation of all active registered clearing agencies, all 
registered national securities exchanges, the only registered national 
securities association--Financial Industry Regulatory Authority 
(``FINRA''), one exempt clearing agency, and one ATS.\60\ The ARP 
Inspection Program has also included the systems of entities that 
process and disseminate quotation and transaction data on behalf of the 
Consolidated Tape Association System (``CTA Plan''), Consolidated 
Quotation System (``CQS Plan''), Joint Self-Regulatory Organization 
Plan

[[Page 72259]]

Governing the Collection, Consolidation, and Dissemination of Quotation 
and Transaction Information for Nasdaq-Listed Securities Traded on 
Exchanges on an Unlisted Trading Privileges Basis (``Nasdaq UTP 
Plan''), and Options Price Reporting Authority (``OPRA Plan'').\61\ 
Significant-volume ATSs have also been subject to certain aspects of 
the ARP Policy Statements pursuant to Regulation ATS.\62\ In addition, 
one entity that has been granted an exemption from registration as a 
clearing agency has been subject to the ARP Inspection Program pursuant 
to the conditions of the exemption order issued by the Commission.\63\ 
The scope of the definition of SCI entity is intended to largely 
reflect the historical reach of the ARP Inspection Program and existing 
Rule 301 of Regulation ATS, while also expanding the coverage to 
certain additional entities that the Commission believes play a 
significant role in the U.S. securities markets and/or have the 
potential to impact investors, the overall market, or the trading of 
individual securities. The Commission acknowledged in the SCI Proposal 
that there may be other categories of entities not included within the 
definition of SCI entity that, given their increasing size and 
importance, could pose risks to the market should an SCI event 
occur.\64\ However, as discussed in further detail below,\65\ the 
Commission believes that, at this time, the entities included within 
the definition of SCI entity, because of their current role in the U.S. 
securities markets and/or their level of trading activity, have the 
potential to pose the most significant risk in the event of a systems 
issue. Although some commenters suggested that Regulation SCI should 
cover a greater range of market participants,\66\ the Commission 
believes that it is important to move forward now on rules that will 
meaningfully enhance the technology standards and oversight of key 
markets and market infrastructure. Further, the Commission believes 
that a measured approach that takes an incremental expansion from the 
entities covered under the ARP Inspection Program is an appropriate 
method for imposing the mandatory requirements of Regulation SCI at 
this time given the potential costs of compliance. This approach will 
enable the Commission to monitor and evaluate the implementation of 
Regulation SCI, the risks posed by the systems of other market 
participants, and the continued evolution of the securities markets, 
such that it may consider, in the future, extending the types of 
requirements in Regulation SCI to additional categories of market 
participants, such as non-ATS broker-dealers, security-based swap 
dealers, investment advisers, investment companies, transfer agents, 
and other key market participants. As noted in the SCI Proposal, should 
the Commission decide to propose to apply some or all of the 
requirements of Regulation SCI to additional types of entities, the 
Commission will issue a separate release discussing such a proposal and 
seeking public comment.\67\
---------------------------------------------------------------------------

    \60\ See Proposing Release, supra note 13, at 18086.
    \61\ See infra note 196 and accompanying text.
    \62\ See Rule 301(b)(6) of Regulation ATS, 17 CFR 242.301(b)(6).
    \63\ See Proposing Release, supra note 13, at 18096-97. See also 
infra Section IV.A.1.d (discussing the inclusion in Regulation SCI 
of exempt clearing agencies subject to ARP).
    \64\ See Proposing Release, supra note 13, at 18138-39.
    \65\ See infra Sections IV.A.1.a-d (discussing more specifically 
each category of entity included within the definition of ``SCI 
entity'').
    \66\ See supra notes 48-50 and accompanying text.
    \67\ See Proposing Release, supra note 13, at 18138.
---------------------------------------------------------------------------

    With respect to another commenter's recommendation regarding dark 
pools, to the extent that this commenter intended its comment to refer 
to ATSs, ATSs would be included within the scope of Regulation SCI if 
they met the applicable volume thresholds discussed below.\68\ To the 
extent that this commenter intended its comment to refer to other types 
of non-ATS dark venues where broker-dealers internalize order flow, the 
Commission notes that it has determined not to extend the scope of 
Regulation SCI to other types of broker-dealers at this time for the 
reasons discussed below.\69\
---------------------------------------------------------------------------

    \68\ See infra Section IV.A.1.b (discussing definition of ``SCI 
ATS''). This commenter also recommended that the Commission require 
dark pools to publicly disclose their aggregate volume to make it 
easier to evaluate whether dark pools should be included as SCI 
entities, and supported FINRA's plans to require such trading volume 
disclosures. The Commission notes that FINRA recently adopted new 
Rule 4552, which requires each ATS to report to FINRA weekly volume 
information regarding transactions in NMS stocks and OTC equity 
securities, and FINRA makes such information publicly available on 
its Web site. See Securities Exchange Act Release No. 71341 (January 
17, 2014), 79 FR 4213 (January 24, 2014) (approving FINRA Rule 4552 
requiring each ATS to report to FINRA weekly volume information and 
number of securities transactions). The Commission also notes that 
all ATSs (including dark pool ATSs) are required under Regulation 
ATS to provide the Commission with quarterly trading volume 
information. See Rule 301(b)(9) of Regulation ATS, 17 CFR 
242.301(b)(9).
    \69\ See infra text accompanying notes 121-125.
---------------------------------------------------------------------------

    The Commission has also determined not to further limit the scope 
of entities subject to Regulation SCI as suggested by some commenters. 
As discussed in more detail below, the Commission continues to believe 
that each of the identified categories of entities plays a significant 
role in the U.S. securities markets and/or has the potential to impact 
investors, the overall market, or the trading of individual securities, 
and thus should be subject to the requirements of Regulation SCI. 
Accordingly, the Commission does not agree that it should adopt a 
``risk-based'' approach to further limit the categories of market 
participants subject to Regulation SCI. The Commission believes that 
limiting the applicability of Regulation SCI to only the most 
systemically important entities posing the highest risk to the markets 
is too limited a category of market participants, as it would 
exclude certain entities that, in the Commission's view, have the 
potential to pose significant risks to the securities markets should an 
SCI event occur. However, the Commission believes it is appropriate to 
incorporate risk-based considerations in various other aspects of 
Regulation SCI. Consistent with the views of some commenters advocating 
that the requirements of Regulation SCI should be tailored to the 
specific risk-profile of a particular entity or particular system,\70\ 
the Commission notes that Regulation SCI, as proposed, was intended to 
incorporate a consideration of risk within its requirements and 
believes it is appropriate to more explicitly incorporate risk 
considerations in various provisions of adopted Regulation SCI. For 
example, as discussed in further detail below, the requirement to have 
reasonably designed policies and procedures relating to operational 
capability was designed to permit SCI entities to take a risk-based 
approach in developing their policies and procedures based on the 
criticality of a particular system.\71\ In addition, the Commission 
believes that it is appropriate to further incorporate a risk-based 
approach into other aspects of the regulation, and thus, as discussed 
below, is adopting a new term--``critical SCI systems''--to identify 
systems that the Commission believes should be subject to heightened 
requirements in certain areas.\72\ Further, the Commission has 
determined that certain other definitions (such as the definition of 
``SCI systems''), and certain requirements of the rule (such as 
Commission notification for SCI events and material systems changes), 
should be scaled back and refined consistent with a risk-based 
approach, as discussed

[[Page 72260]]

below. The Commission believes that these modifications, further 
incorporating risk-based considerations in the requirements and scaling 
back certain requirements, provide the proper balance between requiring 
that the appropriate entities are subject to baseline standards for 
systems capacity, integrity, resiliency, availability, security, and 
compliance, while reducing the overall burden of the rule for all SCI 
entities, which is consistent with, and responsive to, the views of 
those commenters that the Commission take a more risk-based approach to 
SCI entities.
---------------------------------------------------------------------------

    \70\ See supra note 55 and accompanying text.
    \71\ See infra Section IV.B.1 (discussing the policies and 
procedures requirement under adopted Rule 1001(a)).
    \72\ See infra Section IV.A.2.c (discussing the definition of 
``critical SCI systems'').
---------------------------------------------------------------------------

a. SCI Self-Regulatory Organization or SCI SRO
    Proposed Rule 1000(a) defined ``SCI self-regulatory organization,'' 
or ``SCI SRO,'' to be consistent with the definition of ``self-
regulatory organization'' set forth in Section 3(a)(26) of the Exchange 
Act.\73\ This definition covered all national securities exchanges 
registered under Section 6(b) of the Exchange Act,\74\ registered 
securities associations,\75\ registered clearing agencies,\76\ and the 
Municipal Securities Rulemaking Board (``MSRB'').\77\ The definition, 
however, excluded an exchange that lists or trades security futures 
products that is notice-registered with the Commission as a national 
securities exchange pursuant to Section 6(g) of the Exchange Act, as 
well as any limited purpose national securities association registered 
with the Commission pursuant to Exchange Act Section 15A(k).\78\ 
Accordingly, the proposed definition of SCI SRO in Rule 1000(a) 
included all national securities exchanges registered under Section 
6(b) of the Exchange Act, all registered securities associations, all 
registered clearing agencies, and the MSRB.\79\ The definition of ``SCI 
self-regulatory organization'' or ``SCI SRO'' is being adopted in Rule 
1000 as proposed.\80\
---------------------------------------------------------------------------

    \73\ See 15 U.S.C. 78c(a)(26): ``The term `self-regulatory 
organization' means any national securities exchange, registered 
securities association, or registered clearing agency, or (solely 
for purposes of sections 19(b), 19(c), and 23(b) of this title) the 
Municipal Securities Rulemaking Board established by section 15B of 
this title.''
    \74\ Currently, these registered national securities exchanges 
are: (1) BATS Exchange, Inc. (``BATS''); (2) BATS Y-Exchange, Inc. 
(``BATS-Y''); (3) Boston Options Exchange LLC (``BOX''); (4) CBOE; 
(5) C2; (6) Chicago Stock Exchange, Inc. (``CHX''); (7) EDGA 
Exchange, Inc. (``EDGA''); (8) EDGX Exchange, Inc. (``EDGX''); (9) 
International Securities Exchange, LLC (``ISE''); (10) Miami 
International Securities Exchange, LLC (``MIAX''); (11) NASDAQ OMX 
BX, Inc. (``Nasdaq OMX BX''); (12) NASDAQ OMX PHLX LLC (``Nasdaq OMX 
Phlx''); (13) Nasdaq; (14) National Stock Exchange, Inc. (``NSX''); 
(15) NYSE; (16) NYSE MKT; (17) NYSE Arca; and (18) ISE Gemini, LLC 
(``ISE Gemini'').
    \75\ FINRA is the only registered national securities 
association.
    \76\ Currently, there are seven clearing agencies (Depository 
Trust Company (``DTC''); Fixed Income Clearing Corporation 
(``FICC''); National Securities Clearing Corporation (``NSCC''); 
Options Clearing Corporation (``OCC''); ICE Clear Credit; ICE Clear 
Europe; and CME) with active operations that are registered with the 
Commission. The Commission notes that in 2012 it adopted Rule 17Ad-
22, which requires registered clearing agencies to have effective 
risk management policies and procedures in place. See Securities 
Exchange Act Release No. 68080 (October 22, 2012), 77 FR 66220 
(November 2, 2012) (``Clearing Agency Standards Release''). The 
Commission believes that Regulation SCI, to the extent it addresses 
areas of risk management similar to those addressed by Rule 17Ad-
22(d)(4), complements Rule 17Ad-22(d)(4).
     Additionally, on March 12, 2014, the Commission proposed rules 
that would apply to SEC-registered clearing agencies that have been 
designated as systemically important by the Financial Stability 
Oversight Council or that are involved in activities with a more 
complex risk profile, such as clearing security-based swaps. See 
Securities Exchange Act Release No. 71699 (Mar. 12, 2014), 79 FR 
16865 (March 26, 2014) (``Covered Clearing Agencies Proposal''). 
Regulation SCI and proposed Rule 17Ad-22(e)(17) are intended to be 
consistent and complementary. See also Covered Clearing Agencies 
Proposal, 79 FR at 16866, n.1 and accompanying text (discussing the 
Commission's consideration of the relevant international standards).
    \77\ 15 U.S.C. 78c(a)(26). As noted in the Proposing Release, 
historically, the ARP Inspection Program did not include the MSRB, 
but instead focused on entities having trading, quotation and 
transaction reporting, and clearance and settlement systems more 
closely connected to the equities and options markets. The 
Commission believes that it is appropriate to apply Regulation SCI 
to the MSRB, particularly given the fact that the MSRB is the only 
SRO relating to municipal securities and is a key provider of 
consolidated market data for the municipal securities market. 
Accordingly, as proposed, the term ``SCI SRO'' included the MSRB. In 
2008, the Commission amended Rule 15c2-12 to designate the MSRB as 
the single centralized disclosure repository for continuing 
municipal securities disclosure. In 2009, the MSRB established the 
Electronic Municipal Market Access system (``EMMA''). EMMA now 
serves as the official repository of municipal securities 
disclosure, providing the public with free access to relevant 
municipal securities data, and is the central database for 
information about municipal securities offerings, issuers, and 
obligors. Additionally, the MSRB's Real-Time Transaction Reporting 
System (``RTRS''), with limited exceptions, requires municipal bond 
dealers to submit transaction data to the MSRB within 15 minutes of 
trade execution, and such near real-time post-trade transaction data 
can be accessed through the MSRB's EMMA Web site. While pre-trade 
price information is not as readily available in the municipal 
securities market, the Commission's Report on the Municipal 
Securities Market also recommended that the Commission and MSRB 
explore the feasibility of enhancing EMMA to collect best bids and 
offers from material ATSs and make them publicly available on fair 
and reasonable terms. See Report on the Municipal Securities Market 
(July 31, 2012), available at: http://www.sec.gov/news/studies/2012/munireport073112.pdf. The Commission believes that the MSRB's SCI 
systems currently are limited to those operated by or on behalf of 
the MSRB that directly support market data (i.e., currently limited 
to the EMMA, RTRS, and SHORT systems). As discussed more fully 
below, the EMMA, RTRS, and SHORT systems referenced by the MSRB in 
its comment letter would be market data systems within the 
definition of SCI systems because they provide or directly support 
price transparency. See infra note 253 and accompanying text.
    \78\ See 15 U.S.C. 78f(g); 15 U.S.C. 78o-3(k). These entities 
are security futures exchanges and the National Futures Association, 
for which the CFTC serves as their primary regulator. See generally 
CFTC Concept Release on Risk Controls and System Safeguards for 
Automated Trading Environments, 78 FR 56542 (September 12, 2013) 
(``CFTC Concept Release'') (describing the CFTC's regulatory scheme 
for addressing risk controls relating to automated systems).
    \79\ For any SCI SRO that is a national securities exchange, any 
facility of such national securities exchange, as defined in Section 
3(a)(2) of the Exchange Act, 15 U.S.C. 78c(a)(2), also is covered 
because such facilities are included within the definition of 
``exchange'' in Section 3(a)(1) of the Exchange Act, 15 U.S.C. 
78c(a)(1).
    \80\ The Commission notes that NSX ceased trading as of the 
close of business on May 30, 2014. See Securities Exchange Act 
Release No. 72107 (May 2, 2014), 79 FR 27017 (May 12, 2014) (Notice 
of Filing and Immediate Effectiveness of Proposed Rule Change To 
Cease Trading on Its Trading System) (``NSX Trading Cessation 
Notice''). In the NSX Trading Cessation Notice, NSX stated: ``[T]he 
Exchange will continue to be registered as a national securities 
exchange and will continue to retain its status as a self-regulatory 
organization[;]'' and further, that it ``shall file a proposed rule 
change pursuant to Rule 19b-4 of the Exchange Act prior to any 
resumption of trading on the Exchange pursuant to Chapter XI 
(Trading Rules).'' Because NSX remains a national securities 
exchange registered under Section 6(b) of the Exchange Act, it 
continues to meet the definition of SCI entity, and is counted as an 
SCI entity for purposes of this release.
---------------------------------------------------------------------------

    One commenter suggested that the rule should include volume 
thresholds for exchanges.\81\ Specifically, this commenter recommended 
that, with regard to exchanges, the definition should include only 
those exchanges that have five percent or more of average daily dollar 
volume in at least five NMS stocks for four of the previous six 
months.\82\ Another commenter asked the Commission to adopt certain 
specific exceptions to the definition of SCI SRO and SCI entity for 
entities that are dually registered with the CFTC and Commission where 
the CFTC is the entity's ``primary regulator'' and for any entity that 
does not play a ``significant role'' in the markets subject to the 
Commission's jurisdiction and that cannot have a ``significant impact'' 
on the markets subject to the Commission's jurisdiction.\83\
---------------------------------------------------------------------------

    \81\ See ITG Letter at 10. This commenter also suggested similar 
revised thresholds for SCI ATSs. See also infra note 131 and 
accompanying text. Although only one commenter specifically 
commented on the proposed inclusion of SCI SROs within the scope of 
Regulation SCI, as discussed above, some commenters believed that 
Regulation SCI should generally take a more risk-based or tiered 
approach which, in some cases, would affect which entities 
(including SCI SROs) would be subject to Regulation SCI. See supra 
notes 53-56 and accompanying text.
    \82\ See ITG Letter at 10.
    \83\ See CME Letter at 2.
---------------------------------------------------------------------------

    The Commission does not believe that a trading volume threshold is

[[Page 72261]]

appropriate for SCI SROs that are exchanges, but instead believes that 
Regulation SCI should apply to all SCI SROs. The threshold suggested by 
the commenter would exclude from Regulation SCI those exchanges with 
volumes below the suggested threshold; however, the Commission believes 
that all exchanges play a significant role in our securities markets. 
For example, all stock exchanges are subject to a variety of specific 
public obligations under the Exchange Act, including the requirements 
of Regulation NMS which, among other things, designates the best bid or 
offer of such exchanges to be protected quotations.\84\ Accordingly, 
every exchange may have a protected quotation that can obligate market 
participants to send orders to that exchange. Among other reasons, 
given that market participants may be required to send orders to any 
one of the exchanges at any given time if such exchange is displaying 
the best bid or offer, the Commission believes that it is important 
that the safeguards of Regulation SCI apply equally to all exchanges 
irrespective of trading volume.
---------------------------------------------------------------------------

    \84\ See generally 17 CFR 242.600-612. In addition, as the 
commenter's suggested thresholds would apply only with respect to 
exchanges that trade NMS stocks, national securities exchanges that 
do not trade NMS stocks (i.e., options exchanges) would also be 
excluded from Regulation SCI under the commenter's suggestion. The 
Commission believes that it would be inappropriate to exclude 
options exchanges from the requirements of Regulation SCI, because 
technology risks are equally applicable to such exchanges, as 
evidenced by recent significant technology incidents affecting the 
options markets. See supra notes 28-31 and accompanying text. As 
such, systems issues at options exchanges can pose significant risks 
to the markets, and the Commission believes that the inclusion of 
options exchanges within the scope of Regulation SCI is necessary to 
achieve the goals of Regulation SCI.
---------------------------------------------------------------------------

    With regard to one commenter's suggestion to except from the 
definition of SCI SRO those entities dually registered with the CFTC 
and Commission where the CFTC is the entity's ``primary 
regulator,''\85\ the Commission disagrees that such entities should be 
relieved from the requirements of Regulation SCI solely because they 
are dually registered.\86\ While the CFTC is responsible for overseeing 
such an entity with regard to its futures activities, it does not have 
oversight responsibility for the entity's securities-related activities 
and systems. While the commenter stated that it (as a dual registrant) 
is already subject to similar requirements to adopt controls and 
procedures with regard to operational risk and reliability, security, 
and capacity of its systems pursuant to CFTC regulations, the 
Commission again notes that such requirements do not apply to such an 
entity's securities-related systems as such systems are outside of the 
CFTC's jurisdiction and, as such, such systems would not be subject to 
inspection and examination by the CFTC for compliance with such 
requirements.\87\ Further, Regulation SCI imposes a notification 
framework to inform the Commission of SCI events and material systems 
changes, as well as other requirements unique to Regulation SCI. 
Accordingly, the Commission believes that such entities should be 
subject to the requirements of Regulation SCI. In addition, as noted 
above, this commenter also asked the Commission to create an exception 
for any entity that does not play a ``significant role'' in the markets 
subject to the Commission's jurisdiction and that cannot have a 
``significant impact'' on the markets subject to the Commission's 
jurisdiction.\88\ While the Commission disagrees with excluding SROs 
from coverage as discussed above, the Commission notes that it is 
revising the proposed definition of SCI systems to clarify that the 
term SCI systems encompasses only those systems that, with respect to 
securities, directly support trading, clearance and settlement, order 
routing, market data, market regulation, or market surveillance, as 
discussed below.\89\ Accordingly, the Commission believes this change 
should address the commenter's concerns about the requirements applying 
to entities whose systems cannot affect the markets subject to the 
Commission's jurisdiction, i.e., the U.S. securities markets.
---------------------------------------------------------------------------

    \85\ See supra note 83 and accompanying text.
    \86\ The commenter notes that the Commission has proposed to 
exclude from the definition of SCI SRO those exchanges that list or 
trade security futures products that are notice-registered with the 
Commission pursuant to Section 6(g), as well as limited purpose 
national securities associations registered with the Commission 
pursuant to Exchange Act Section 15A(k). See Proposing Release, 
supra note 13, at 18093, n. 97 and accompanying text. The Commission 
notes that such entities are subject to the joint jurisdiction of 
the Commission and the CFTC. To avoid duplicative regulation, 
however, the CFMA established a system of notice registration under 
which trading facilities and intermediaries that are already 
registered with either the Commission or the CFTC may register with 
the other agency on an expedited basis for the limited purpose of 
trading security futures products. A ``notice registrant'' is then 
subject to primary oversight by one agency, and is exempted under 
the CFMA from all but certain specified provisions of the laws 
administered by the other agency. See Section 6(g)(4) and Section 
15A(k)(3)-(4) (enumerating the provisions of the Exchange Act from 
which a notice-registered exchange and limited purpose national 
securities association, respectively, are exempted). Given this, the 
Commission believes that it is appropriate to defer to the CFTC 
regarding the systems integrity of these entities. See also 
generally CFTC Concept Release, supra note 78. This regulatory 
scheme does not apply outside of the specific contexts of security 
futures exchanges and associations. In contrast, entities that are 
registered with both the Commission and the CFTC in other 
capacities, such as clearing agencies, are subject to a full set of 
regulations by each regulator. The Exchange Act and Commodity 
Exchange Act do not exempt these entities, due to any dual 
regulatory scheme, from any provisions of the laws administered by 
the Commission and, as discussed further below, the Commission 
believes they should not be afforded an exclusion from Regulation 
SCI.
    \87\ The Commission notes that, to the extent that such an 
entity's systems for its functions that fall in the purview of the 
Commission (relating to securities and securities-based swaps) and 
that fall in the purview of the CFTC (relating to futures and swaps) 
are integrated, it believes that the focus of the CFTC's exams and 
inspections of such systems would be on such systems' functionality 
related to non-securities-related activities, such as swaps or 
futures, and not those related to securities activities. Thus, the 
Commission believes that the potential examination and inspection of 
such integrated systems by both the CFTC and SEC does not support 
the exclusion of the SCI entities operating such systems, or the 
systems themselves, from the scope of Regulation SCI.
    \88\ See supra note 83 and accompanying text.
    \89\ See adopted Rule 1000 (emphasis added). See also infra 
Section IV.A.2.b (discussing the definition of ``SCI systems'').
---------------------------------------------------------------------------

b. SCI Alternative Trading System
    Proposed Rule 1000(a) defined the term ``SCI alternative trading 
system,'' or ``SCI ATS,'' as an alternative trading system, as defined 
in Sec.  242.300(a), which during at least four of the preceding six 
calendar months, had: (1) With respect to NMS stocks--(i) five percent 
or more in any single NMS stock, and 0.25 percent or more in all NMS 
stocks, of the average daily dollar volume reported by an effective 
transaction reporting plan, or (ii) one percent or more, in all NMS 
stocks, of the average daily dollar volume reported by an effective 
transaction reporting plan; (2) with respect to equity securities that 
are not NMS stocks and for which transactions are reported to a self-
regulatory organization, five percent or more of the average daily 
dollar volume as calculated by the self-regulatory organization to 
which such transactions are reported; or (3) with respect to municipal 
securities or corporate debt securities, five percent or more of 
either--(i) the average daily dollar volume traded in the United 
States, or (ii) the average daily transaction volume traded in the 
United States.\90\
---------------------------------------------------------------------------

    \90\ See proposed Rule 1000(a) and Proposing Release, supra note 
13, at Section III.B.1.
---------------------------------------------------------------------------

    The proposed definition would have modified the thresholds 
currently appearing in Rule 301(b)(6) of Regulation ATS that apply to 
significant-volume ATSs.\91\ Specifically,

[[Page 72262]]

the proposed definition would have: Used average daily dollar volume 
thresholds, instead of an average daily share volume threshold, for 
ATSs that trade NMS stocks or equity securities that are not NMS stocks 
(``non-NMS stocks''); used alternative average daily dollar and 
transaction volume-based tests for ATSs that trade municipal securities 
or corporate debt securities; lowered the volume thresholds applicable 
to ATSs for each category of asset class; and moved the proposed 
thresholds to Regulation SCI. In particular, with respect to NMS 
stocks, the Commission proposed to change the volume threshold from 20 
percent of average daily volume in any NMS stock such that an ATS that 
traded NMS stocks that met either of the following two alternative 
threshold tests would be subject to the requirements of proposed 
Regulation SCI: (i) Five percent or more in any NMS stock, and 0.25 
percent or more in all NMS stocks, of the average daily dollar volume 
reported by an effective transaction reporting plan; or (ii) one 
percent or more, in all NMS stocks, of the average daily dollar volume 
reported by an effective transaction reporting plan. With respect to 
non-NMS stocks, municipal securities, and corporate debt securities, 
the Commission proposed to reduce the standard from 20 percent to five 
percent for these types of securities,\92\ the same percentage 
threshold for such types of securities that triggers the fair access 
provisions of Rule 301(b)(5) of Regulation ATS.\93\
---------------------------------------------------------------------------

    \91\ 17 CFR 242.301(b)(6).
    \92\ See proposed Rule 1000(a).
    \93\ See Rule 301(b)(5) of Regulation ATS under the Exchange 
Act. 17 CFR 242.301(b)(5). In addition, as noted above, the proposed 
rule used alternative average daily dollar and transaction volume-
based tests for ATSs that trade municipal securities or corporate 
debt securities.
---------------------------------------------------------------------------

    The proposed definition of ``SCI ATS'' is being adopted 
substantially as proposed with regard to ATSs trading NMS stocks and 
ATSs trading non-NMS stocks, with the addition of a six-month 
compliance period for entities satisfying the thresholds in the 
definition for the first time, as discussed in more detail below. 
However, for the reasons discussed below, the Commission has determined 
to exclude from the definition of ``SCI ATS'' ATSs that trade only 
municipal securities or corporate debt securities and accordingly, such 
ATSs will not be subject to the requirements of Regulation SCI.
Inclusion of ATSs Generally
    Many commenters provided comment on the inclusion of ATSs within 
the scope of Regulation SCI. Some commenters believed that more ATSs 
should be covered by Regulation SCI.\94\ For example, some commenters 
suggested that the term ``SCI ATS'' should include all ATSs, because 
these commenters believed that they have the potential to negatively 
impact the market in the event of a systems issue.\95\ Moreover, one 
commenter stated that the Commission should not distinguish between 
ATSs based on calculated thresholds because an ATS might limit trading 
on its system so as to avoid being subject to the requirements of 
Regulation SCI.\96\
---------------------------------------------------------------------------

    \94\ See, e.g., NYSE Letter at 9-10; Lauer Letter at 4; and 
CoreOne Letter at 7-8.
    \95\ See, e.g., NYSE Letter at 9-10; and Lauer Letter at 4.
    \96\ See, e.g., NYSE Letter at 9-10.
---------------------------------------------------------------------------

    Conversely, other commenters stated that fewer, or even no, ATSs 
should be covered.\97\ Such commenters generally argued that there are 
key differences between ATSs and exchanges, and thus, ATSs should be 
regulated differently from exchanges and not be included in Regulation 
SCI with exchanges.\98\ The differences identified by commenters 
included: ATSs' relative market shares and sizes; the fact that ATSs 
are already subject to various regulations as broker-dealers (including 
Rule 15c3-5 under the Exchange Act, various FINRA rules, and Regulation 
ATS); and certain fundamental economic differences between the two 
types of entities (including that exchanges can gain revenue from 
listing and market data, have self-clearing, and have a protected 
quote).\99\ One commenter argued that, if the Commission were to 
include ATSs in Regulation SCI, it should treat ATSs and SROs equally 
by allowing ATSs to have the same benefits of SROs, including allowing 
ATSs to derive an income stream from contributions to the SIP, have 
access to clearing, and have immunity from lawsuits.\100\ Other 
commenters also noted that, although ATSs have an increasingly large, 
collective market share, ATSs have not contributed to any of the recent 
major systems issues that have impacted the market.\101\
---------------------------------------------------------------------------

    \97\ See, e.g., BIDS Letter at 3; ITG Letter at 3; KCG Letter at 
8; and OTC Markets Letter at 9.
    \98\ See, e.g., BIDS Letter at 3; ITG Letter at 3; KCG Letter at 
9, 14-17; TMC Letter at 2; and OTC Markets Letter at 9.
    \99\ Id.
    \100\ See OTC Markets Letter at 9.
    \101\ See ITG Letter at 4; and BIDS Letter at 3.
---------------------------------------------------------------------------

    Another commenter stated that the SCI Proposal unfairly 
discriminated against ATSs by including them within the definition of 
SCI entity.\102\ Specifically, although this commenter did not believe 
that Regulation SCI should be expanded to include more entities, it 
stated that the SCI Proposal's failure to capture certain entities 
(such as clearing firms, market makers, block positioners, and order 
routing firms) that it believed could have a greater impact on market 
stability in the event of a systems issue, while including ATSs, 
demonstrates that the proposal is arbitrary, capricious, and unfairly 
discriminatory in nature.\103\
---------------------------------------------------------------------------

    \102\ See ITG Letter at 9.
    \103\ See id.
---------------------------------------------------------------------------

    After careful consideration of the comment letters, the Commission 
continues to believe that the inclusion of ATSs that trade NMS stocks 
and non-NMS stocks in Regulation SCI is appropriate.\104\ The 
Commission believes that certain of those ATSs play an important role 
in today's securities markets, and thus should be subject to the 
safeguards and obligations of Regulation SCI. As noted in the SCI 
Proposal, the equity markets have evolved significantly over recent 
years, resulting in an increase in the number of trading centers and a 
reduction in the concentration of trading activity.\105\ As such, even 
smaller trading centers, such as certain higher-volume ATSs, now 
collectively represent a significant source of liquidity for NMS stocks 
and some ATSs have similar and, in some cases, greater trading volume 
than some national securities exchanges, with no single national 
securities exchange executing more than approximately 19 percent of 
volume in NMS stocks in today's securities markets.\106\ Accordingly, 
the Commission believes that ATSs meeting certain volume thresholds can 
play a significant role in the securities markets and, given their 
heavy reliance on automated systems, have the potential to 
significantly impact investors, the overall market,

[[Page 72263]]

and the trading of individual securities should an SCI event occur.
---------------------------------------------------------------------------

    \104\ Given the inclusion of ATSs that trade NMS stocks and non-
NMS stocks within the scope of Regulation SCI, Regulation ATS is 
also being amended to remove paragraphs (b)(6)(i)(A) and 
(b)(6)(i)(B) of Rule 301 so that Rule 301(b)(6) will no longer apply 
to ATSs trading NMS stocks and non-NMS stocks. However, as described 
below, the Commission has determined to exclude ATSs that trade only 
municipal securities or corporate debt securities from the scope of 
Regulation SCI, and such ATSs will remain subject to the 
requirements of Rule 301(b)(6) if they meet the volume thresholds 
therein. 17 CFR 242.301(b)(6). See supra notes 14 and 20 and 
accompanying text.
    \105\ See Proposing Release, supra note 13, at 18094.
    \106\ See market volume statistics reported by BATS, available 
at: http://www.batstrading.com/market_summary/ (no single stock 
exchange executed more than approximately 19 percent during the 
second quarter of 2014, with Nasdaq having the highest market share 
of 18.6 percent). In comparison, according to data from Form ATS-R 
for the second quarter of 2014, approximately 18 percent of 
consolidated NMS stocks dollar volume took place on ATSs.
---------------------------------------------------------------------------

    Commenters identified certain differences between exchanges and 
ATSs, which commenters argued justified different treatment under 
Regulation SCI for ATSs or exclusion of ATSs from the regulation 
completely.\107\ While the Commission recognizes that there are some 
fundamental differences between ATSs and exchanges, including certain 
of those identified by commenters, the Commission does not agree that 
all ATSs should be excluded from Regulation SCI because, as discussed 
above, it believes that there are certain significant-volume ATSs that 
have the potential to significantly impact investors, the overall 
market, or the trading of individual securities should an SCI event 
occur. At the same time, the risk-based considerations permitted in 
adopted Regulation SCI may result in the systems of those ATSs that are 
subject to Regulation SCI (i.e., SCI ATSs) being subject to less 
stringent requirements than the systems of SROs or other SCI entities 
in certain areas. For example, as discussed in further detail below, 
the Commission is adopting a definition of ``critical SCI systems,'' 
which are a subset of SCI systems that are subject to certain 
heightened requirements under Regulation SCI. This definition is 
intended to capture those systems that are core to the functioning of 
the securities markets or that represent ``single points of failure'' 
and thus, pose the greatest risk to the markets. The Commission 
believes that, as currently constituted, relative to the systems of SCI 
SROs, the systems of SCI ATSs generally would not fall within this 
category of critical SCI systems, and thus such SCI ATSs would not be 
subject to the more stringent requirements that would be applicable to 
the critical SCI systems of other SCI entities. The Commission also 
notes that other requirements under Regulation SCI are designed to be 
consistent with a risk-based approach. The Commission believes that 
this approach recognizes the different roles played by different SCI 
systems at various SCI entities and, where permitted, allows each SCI 
entity, including SCI ATSs, to tailor the applicable requirements 
accordingly.
---------------------------------------------------------------------------

    \107\ See supra notes 98-99 and accompanying text.
---------------------------------------------------------------------------

    While some commenters noted that ATSs have not contributed to any 
of the recent high-profile systems issues,\108\ the Commission does not 
believe that the relative lack of high-profile systems issues at ATSs 
to date is an indication that ATSs do not have the potential to have a 
significant impact on the market in the event of a future systems 
issue.\109\
---------------------------------------------------------------------------

    \108\ See supra note 101 and accompanying text.
    \109\ The Commission also notes that, as discussed above, in 
November 2013, a systems issue at OTC Link ATS led FINRA to halt 
trading in all OTC securities for over three hours. See supra note 
33 and accompanying text.
---------------------------------------------------------------------------

    Other commenters noted the competitive environment of ATSs and 
argued that, if one ATS experiences a systems issue and becomes 
temporarily unavailable, trading can be easily rerouted to other 
venues.\110\ The Commission acknowledges that a temporary outage at an 
ATS (or at a SCI SRO, for that matter) may not lead to a widespread 
systemic disruption. However, the Commission notes that Regulation SCI 
is not designed to solely address system issues that cause widespread 
systemic disruption, but also to address more limited systems 
malfunctions and other issues that can harm market participants or 
create compliance issues.\111\
---------------------------------------------------------------------------

    \110\ See ITG Letter at 3; and KCG Letter at 9.
    \111\ The Commission notes that each ATS provides different 
services in terms of, among other things, pricing, latency, and 
order fills to meet investors' specific needs. Thus, for example, an 
ATS outage could interfere with the supply of certain services that 
investors demand and, thus, could impose costs on investors.
---------------------------------------------------------------------------

    Some commenters also stated that inclusion of ATSs is not necessary 
because ATSs are already subject to sufficient regulations as broker-
dealers, citing Rule 15c3-5 under the Exchange Act, various FINRA 
rules, and Regulation ATS.\112\ While the Commission acknowledges that 
these rules similarly impose requirements related to the capacity, 
integrity and/or security of a broker-dealer's systems and are designed 
to address some of the same concerns that Regulation SCI is intended to 
address, the Commission notes that these rules generally take a 
different approach than Regulation SCI. For example, the obligations of 
an ATS under Rule 15c3-5 address vulnerability in the national market 
system that relate specifically to market access,\113\ whereas 
Regulation SCI is designed to further the goals of the national market 
system more broadly by helping to ensure the capacity, integrity, 
resiliency, availability, and security of the automated systems of 
entities important to the functioning of the U.S. securities 
markets.\114\ Thus, the Commission has determined to include ATSs 
within the scope of Regulation SCI because of their role as markets and 
a potential significant source of liquidity. With regard to the FINRA 
rules identified by commenters, the Commission does not believe that 
these rules, even when considered in combination with Rule 15c3-5, are 
an appropriate substitute for the comprehensive approach in Regulation 
SCI for ATSs in their role as markets.\115\ Finally, as noted above,

[[Page 72264]]

Rule 301(b)(6) of Regulation ATS imposed by rule certain aspects of the 
ARP Policy Statements on significant-volume ATSs. As described in 
detail herein, Regulation SCI seeks to expand upon, update, and 
modernize the requirements of the ARP Policy Statements and Rule 
301(b)(6), by, for example, expanding the requirements to a broader set 
of systems, imposing new requirements for information dissemination 
regarding SCI events, and requiring Commission notification for 
additional types of events, among others. Accordingly, the Commission 
believes that, for SCI ATSs, the existing broker-dealer rules and 
regulations identified by commenters are complemented by the 
requirements of Regulation SCI (other than Rule 301(b)(6), which will 
no longer apply to ATSs that trade NMS stocks and non-NMS stocks), and 
do not serve as substitutes for the regulatory framework being adopted 
today.
---------------------------------------------------------------------------

    \112\ See supra notes 98-99 and accompanying text.
    \113\ See Securities Exchange Act Release No. 63241 (November 3, 
2010), 75 FR 69792 (November 15, 2010) (``Market Access Release'').
    \114\ The Commission notes that Rule 15c3-5 focuses on 
addressing the particular risks that arise when broker-dealers 
provide electronic access to exchanges or ATSs and therefore does 
not address the same range of technology-related issues as 
Regulation SCI is designed to address. Both Rule 15c3-5 and 
Regulation SCI are policies and procedures-based rules that are 
designed to address the risks presented by the pervasive use of 
technology in today's markets. The policies and procedures required 
by Regulation SCI apply broadly to technology that supports trading, 
clearance and settlement, order routing, market data, market 
regulation, and market surveillance and, among other things, address 
their overall capacity, integrity, resilience, availability, and 
security. Rule 15c3-5, by contrast, is more narrowly focused on 
those technology and other errors that can create some of the more 
significant risks to broker-dealers and the markets, namely those 
that arise when a broker-dealer enters orders into an exchange or 
ATS, including when it provides sponsored or direct market access to 
customers or other persons, where the consequences of such an error 
can rapidly magnify and spread throughout the markets. See also 
infra note 115 (discussing FINRA rules applicable to broker-
dealers). The Commission will continue to monitor and evaluate the 
risks posed by broker-dealer systems to the market and the 
implementation of the Market Access Rule, and may consider extending 
the types of requirements in Regulation SCI to additional market 
participants in the future.
    \115\ For example, NASD Rule 3010(b)(1) requires a member to 
establish, maintain, and enforce written procedures to supervise the 
types of business in which it engages and to supervise the 
activities of registered representatives, registered principals, and 
other associated persons that are reasonably designed to achieve 
compliance with applicable securities laws and regulations. This 
rule relates to policies and procedures to achieve compliance with 
applicable securities laws and regulations, and thus the Commission 
believes that this requirement is broadly related to adopted Rule 
1001(b) regarding policies and procedures to ensure systems 
compliance. However, the Commission notes that, unlike adopted Rule 
1001(b), which focuses on ensuring that an entity's systems operate 
in compliance with the Exchange Act, the rules and regulations 
thereunder and the entity's rules and governing documents, this NASD 
rule does not specifically address compliance of the systems of 
FINRA members. Further, the Commission does not believe this 
provision covers more broadly policies and procedures akin to those 
in adopted Rule 1001(a) that are designed to ensure that SCI systems 
have levels of capacity, integrity, resiliency, availability, and 
security adequate to maintain the SCI entity's operational capability 
and promote fair and orderly markets. Similarly, while FINRA Rule 
3130 relates to adopted Rule 1001(b) regarding policies and 
procedures to ensure systems compliance in that it requires a 
member's chief compliance officer to certify that the member has in 
place written policies and procedures reasonably designed to achieve 
compliance with applicable FINRA rules, MSRB rules, and federal 
securities laws and regulations, it does not specifically address 
compliance of the systems of FINRA members, and does not require 
similar policies and procedures to those in adopted Rule 1001(a) 
regarding operational capability of SCI entities. Further, while 
FINRA Rule 4530 imposes a reporting regime for, among other things, 
compliance issues and other events where a member has concluded or 
should have reasonably concluded that a violation of securities or 
other enumerated law, rule, or regulation of any domestic or foreign 
regulatory body or SRO has occurred, the Commission notes that these 
reporting requirements are different in several respects from the 
Commission notification requirements relating to systems compliance 
issues (e.g., scope, timing, content, the recipient of the reports) 
and, importantly, would not cover reporting of systems disruptions 
or systems intrusions that did not also involve a violation of a 
securities law, rule, or regulation. In addition, FINRA Rule 4370 
generally requires that a member maintain a written continuity plan 
identifying procedures relating to an emergency or significant 
business disruption, which is akin to adopted Rule 1001(a)(2)(v) 
requiring policies and procedures for business continuity and 
disaster recovery plans. Unlike Regulation SCI, however, the FINRA 
rule does not include the requirement that the business continuity 
and disaster recovery plans be reasonably designed to achieve next 
business day resumption of trading and two-hour resumption of 
critical SCI systems following a wide-scale disruption, nor does it 
require the functional and performance testing and coordination of 
industry or sector-testing of such plans, which the Commission 
believes to be instrumental in achieving the goals of Regulation SCI 
with respect to SCI entities.
---------------------------------------------------------------------------

    The Commission also believes that, unlike with respect to 
exchanges, it is appropriate that Regulation SCI not apply to all ATSs. 
Exchanges, as self-regulatory organizations, play a special role in the 
U.S. securities markets, and as such, are subject to certain 
requirements under the Exchange Act and are able to enjoy certain 
unique benefits.\116\ Accordingly, as discussed above, the Commission 
believes it is appropriate to subject all national securities exchanges 
to the requirements of Regulation SCI regardless of trading 
volume.\117\ In contrast, in recognition of the more limited role that 
certain ATSs may play in the securities markets and the costs that will 
result from compliance with the requirements of the regulation, the 
Commission believes that it is appropriate to adopt volume thresholds, 
as discussed below, to identify those ATSs that have the potential to 
significantly impact the market should an SCI event occur, therefore 
warranting inclusion within the scope of the regulation. One commenter, 
in advocating for the application of the regulation to all ATSs, stated 
that the Commission should not adopt volume thresholds because ATSs may 
limit trading so as to avoid being subject to the requirements of 
Regulation SCI.\118\ The Commission does not believe that the 
possibility of some ATSs structuring their business to fall below the 
thresholds of the rule is a sufficient justification for applying the 
rule to all ATSs. The Commission notes that, to the extent that an ATS 
limits its trading so as not to reach the volume thresholds for SCI 
ATSs, it would have less potential to impact investors and the market 
and may appropriately not be subject to the requirements of the rules. 
As discussed further below, the Commission believes that the dual 
dollar volume threshold for NMS stocks being adopted today is 
appropriately designed to ensure that ATSs that have either the 
potential to significantly impact the market as a whole or the 
potential to significantly impact the market for a single NMS stock 
(and have some impact on the market as a whole at the same time) will 
be subject to the requirements of Regulation SCI. Thus, only those ATSs 
that limit their trading so as to fall below both the single NMS stock 
threshold and the broad NMS stocks threshold will not be subject to the 
requirements of Regulation SCI.
---------------------------------------------------------------------------

    \116\ See supra Section IV.A.1.a (discussing the definition of 
``SCI SRO'') and infra notes 120-121 and accompanying text. As 
identified by one commenter, benefits afforded to SROs include, 
among others, the ability to receive market data revenue and 
immunity from private liability for regulatory activities. See supra 
note 100. See also ATS Release, supra note 2, at 70902-03 
(discussing generally some of the obligations and benefits to be 
considered when determining whether to register as a national 
securities exchange or as a broker-dealer acting as an ATS).
    \117\ See supra notes 81-83 and accompanying text.
    \118\ See supra notes 95-96 and accompanying text.
---------------------------------------------------------------------------

    As noted above, one commenter asserted that, if ATSs are subject to 
the same requirements of Regulation SCI as exchanges, they similarly 
should be entitled to the benefits afforded to SROs.\119\ The 
Commission notes that, as discussed above, SROs are subject to a 
variety of obligations as self-regulatory organizations under the 
Exchange Act--including filing proposed rules with the Commission and 
enforcing those rules and the federal securities laws with respect to 
their members--that do not apply to other market participants, 
including ATSs.\120\ Although SRO and non-SRO markets are subject to 
different regulatory regimes, with a different mix of benefits and 
obligations, the Commission believes it is appropriate to subject them 
to comparable requirements for purposes of Regulation SCI given the 
importance of assuring that the technology of key trading centers, 
regardless of regulatory status, is reliable, secure, and functions in 
compliance with the law.\121\ At the same time, while questions have 
been raised as to whether the broader regulatory regimes for exchanges 
and ATSs should be harmonized, the Commission does not believe it 
appropriate to delay implementing Regulation SCI or necessary to 
resolve these issues before proceeding with Regulation SCI. The 
Commission notes that ATSs have the ability to apply for registration 
as a SRO should they so wish and, if such application were to be 
approved by the Commission, such entities could assume the additional 
responsibilities that are imposed on SROs, as well as avail themselves 
of the same benefits.
---------------------------------------------------------------------------

    \119\ See supra note 100 and accompanying text.
    \120\ See supra Section IV.A.1.a (discussing the definition of 
``SCI SRO''); see also Section 19(b) of the Exchange Act, 15 U.S.C. 
78s(b)(1), and Section 6(b) of the Exchange Act, 15 U.S.C. 78f(b). 
Because these important regulatory responsibilities are imposed upon 
SROs, SROs also are afforded certain unique benefits, such as 
immunity from private liability with respect to their regulatory 
functions and the ability to receive market data revenue. See supra 
note 116 and accompanying text.
    \121\ But see discussion supra regarding potentially different 
requirements for ATSs and exchanges, including those relating to SCI 
ATSs and critical SCI systems.
---------------------------------------------------------------------------

    As noted above, one commenter objected to the regulation's 
inclusion of ATSs while excluding certain other entities that the 
commenter believed similarly had the potential to impact the market, 
concluding that the proposal was therefore arbitrary, capricious, and 
unfairly discriminatory in nature.\122\ At the same time, this 
commenter stated that it did not recommend that additional entities be 
included within the scope of the regulation.\123\ First, as noted 
above, the Commission has determined to include ATSs meeting the 
adopted volume thresholds within the scope of Regulation SCI because of 
their unique role as markets rather than because of their role as 
traditional broker-dealers. All broker-dealers are subject to Rule 
15c3-5 and other FINRA rules as noted by some commenters, which impose 
certain requirements

[[Page 72265]]

related to the capacity, integrity and/or security of a broker-dealer's 
systems appropriately tailored to their role as broker-dealers. 
Further, as noted above, the scope of Regulation SCI is rooted in the 
historical reach of the ARP Inspection Program and Rule 301 of 
Regulation ATS (which applies to significant-volume ATSs).\124\ The 
Commission acknowledged in the SCI Proposal that there may be other 
categories of broker-dealers not included within the definition of SCI 
entity that, given their increasing size and importance, could pose a 
significant risk to the market should an SCI event occur.\125\ The 
Commission solicited comment on whether there are additional categories 
of market participants that should be subject to all or some of the 
requirements of Regulation SCI and noted that, were the Commission to 
decide to apply the requirements of Regulation SCI to such additional 
entities, it would issue a separate release outlining such a proposal 
and the rationale therefor.\126\ As discussed above, the Commission 
believes that, at this time, the entities included within the scope of 
Regulation SCI, because of their current role in the U.S. securities 
markets and/or their level of trading activity, have the potential to 
pose the most significant risk in the event of a systems issue. 
Further, the Commission believes that a measured approach that takes an 
incremental expansion from the entities covered under the ARP 
Inspection Program is an appropriate method for imposing the mandatory 
requirements of Regulation SCI at this time. As such, while the 
Commission believes that the types of entities subject to Regulation 
SCI as adopted are appropriate, the Commission may consider extending 
the types of requirements in Regulation SCI to additional market 
participants in the future.
---------------------------------------------------------------------------

    \122\ See supra note 103 and accompanying text.
    \123\ See supra note 103 and accompanying text.
    \124\ See supra notes 60-67 and accompanying text.
    \125\ See Proposing Release, supra note 13, at 18138-39.
    \126\ See id.
---------------------------------------------------------------------------

SCI ATS Thresholds
    Several commenters discussed the specific proposed volume 
thresholds for SCI ATSs, and many offered what they believed to be more 
appropriate alternative methods for including ATSs within Regulation 
SCI.\127\ For example, some commenters urged the Commission to retain 
the existing 20 percent threshold under Regulation ATS for purposes of 
Regulation SCI or asked the Commission to provide further explanation 
as to why the current threshold under Regulation ATS should be 
altered.\128\ One commenter agreed with the Commission that the 20 
percent threshold currently in Regulation ATS might be too high, and 
suggested using a threshold for ATSs trading NMS stocks of five percent 
or more of the volume in all NMS stocks during a 12-month period, to be 
determined once a year in the same given month.\129\ Another commenter 
suggested that the Commission apply its ATS threshold for NMS stocks to 
only the 500 most active securities.\130\ An additional recommendation 
by one commenter with regard to NMS stocks was to include only those 
ATSs with five percent or more of at least five NMS stocks with an 
aggregate average daily share volume greater than 500,000 shares and 
0.25 percent or more of all NMS stocks for four of the previous six 
months, or those ATSs that have three percent or more of all NMS stocks 
in four of the previous six months.\131\ Another commenter suggested 
retaining Rule 301(b)(6) as part of Regulation ATS, but amending the 
rule by lowering the average daily volume threshold to 2.5 
percent.\132\
---------------------------------------------------------------------------

    \127\ See, e.g., Direct Edge Letter at 2; SIFMA Letter at 6-7; 
BIDS Letter at 6; ITG Letter at 10; and OTC Markets Letter at 11. 
But see BlackRock Letter at 4 (agreeing with the Commission's 
approach in the SCI Proposal of lowering the thresholds for SCI ATSs 
from the thresholds in Rule 301(b)(6) of Regulation ATS).
    \128\ See, e.g., Direct Edge Letter at 2; and KCG Letter at 10-
11.
    \129\ See SIFMA Letter at 6.
    \130\ See BIDS Letter at 6.
    \131\ See ITG Letter at 10.
    \132\ See OTC Markets Letter at 11. This commenter also 
suggested leaving in place the existing five percent average daily 
share volume threshold for the display requirement of Rule 301(b)(3) 
under Regulation ATS.
---------------------------------------------------------------------------

    One commenter requested clarification on the phrase ``0.25 percent 
or more in all NMS stocks, of the average daily dollar volume reported 
by an effective transaction reporting plan.'' \133\ Because there is 
more than one transaction reporting plan, this commenter asked whether 
the proposed volume thresholds would be calculated per plan or 
calculated based on all NMS volume.\134\
---------------------------------------------------------------------------

    \133\ See SIFMA Letter at 6-7.
    \134\ See SIFMA Letter at 6-7.
---------------------------------------------------------------------------

    Some commenters provided suggestions with regard to the proposed 
measurement methodology for the thresholds.\135\ A few commenters 
argued that the proposed time period measurement of ``at least four of 
the preceding six calendar months'' is cumbersome to apply in practice 
and believed that the time period should be over a longer term.\136\ 
For example, two commenters stated that the rule should utilize a 12-
month measurement period.\137\ Conversely, another commenter generally 
opposed the thresholds stating that all ATSs should be subject to the 
rule, but noted that if the rule includes a trading volume metric, the 
measurement period should be much shorter (such as two to four 
weeks).\138\ In addition, one commenter stated that the measurement 
should be based on number of shares traded rather than dollar 
value.\139\
---------------------------------------------------------------------------

    \135\ See, e.g., BIDS Letter at 6; KCG Letter at 19; SIFMA 
Letter at 7; and Lauer Letter at 4-5.
    \136\ See, e.g., BIDS Letter at 6; and KCG Letter at 19.
    \137\ See BIDS Letter at 6; and KCG Letter at 19.
    \138\ See Lauer Letter at 4-5.
    \139\ See BIDS Letter at 6.
---------------------------------------------------------------------------

    Two commenters also suggested that ATSs should be given six months 
after meeting the given threshold in the definition of SCI ATS to come 
into compliance with Regulation SCI.\140\
---------------------------------------------------------------------------

    \140\ See KCG Letter at 19; and SIFMA Letter at 7.
---------------------------------------------------------------------------

    The Commission is adopting the thresholds for ATSs that trade NMS 
stocks and non-NMS stocks as proposed. In setting the thresholds for 
Regulation SCI, the Commission believes it is establishing an 
appropriate and reasonable scope for the application of the regulation. 
Although commenters provided various suggestions for different 
thresholds, nothing persuaded the Commission that these suggestions 
would better accomplish the goals of Regulation SCI than the thresholds 
the Commission is adopting. As discussed below, the Commission has 
analyzed the number of entities it believes are likely to be covered by 
the thresholds it is establishing. The Commission recognizes that these 
thresholds ultimately represent a matter of judgment by the Commission 
as it takes the step of promulgating Regulation SCI, and the Commission 
intends to monitor these thresholds to determine whether they continue 
to be appropriate.
    With regard to the threshold for ATSs trading NMS stocks, the 
Commission has determined to adopt this threshold as proposed. After 
careful consideration of the comments, the Commission continues to 
believe that this threshold is an appropriate measure of when a market 
is of sufficient significance so as to warrant the protections and 
requirements of Regulation SCI.\141\ The

[[Page 72266]]

Commission is, however, making one technical modification in response 
to a commenter to clarify that the threshold will be calculated based 
on all NMS volume, rather than on a per plan basis.\142\ The Commission 
agrees with the commenter that the proposed language should be 
clarified and, as such, the threshold language within the definition of 
``SCI ATS'' in Rule 1000 is being revised to refer to ``applicable 
effective transaction reporting plans,'' rather than ``an effective 
transaction reporting plan.'' \143\
---------------------------------------------------------------------------

    \141\ The numerical thresholds in the definition of SCI ATS 
reflect an informed assessment by the Commission, based on 
qualitative and quantitative analysis, of the likely economic 
consequences of the specific numerical thresholds included in the 
definition. In making such assessment and, in turn, selecting the 
numerical thresholds, in addition to considering the views of 
commenters, the Commission has reviewed relevant data. See infra 
notes 150 and 175 and accompanying text.
    \142\ See supra note 134 and accompanying text. As noted above, 
this commenter asked the Commission for clarification on this aspect 
of the rule.
    \143\ Because the threshold has two prongs, one of which is 
based on all NMS volume, it is necessary to specify that there is 
more than one transaction reporting plan that would be applicable in 
calculating all NMS stock trading volume. At the same time, since 
the other prong of the threshold is based on the trading volume of 
single NMS stocks, it is necessary to also add the term 
``applicable'' before the term ``transaction reporting plans'' as 
only one transaction reporting plan would be applicable per 
security. The definitions of ``eligible securities'' in each of the 
transaction reporting plans are mutually exclusive, ensuring that 
each security is subject to only one transaction reporting plan. See 
CTA Plan, available at: http://www.nyxdata.com/cta; and Nasdaq UTP 
Plan, available at: http://www.utpplan.com.
---------------------------------------------------------------------------

    Under the adopted definition of SCI ATS, with regard to NMS stocks, 
an ATS will be subject to Regulation SCI if, during at least four of 
the preceding six calendar months, it had: (i) Five percent or more in 
any single NMS stock, and 0.25 percent or more in all NMS stocks, of 
the average daily dollar volume reported by applicable effective 
transaction reporting plans, or (ii) one percent or more, in all NMS 
stocks, of the average daily dollar volume reported by applicable 
effective transaction reporting plans.\144\ The Commission continues to 
believe that this threshold will identify those ATSs that could have a 
significant impact on the overall market or that could have a 
significant impact on a single NMS stock and some impact on the market 
as a whole at the same time.\145\
---------------------------------------------------------------------------

    \144\ But see infra notes 169-170 and accompanying text 
(discussing a six-month compliance period for SCI entities 
satisfying the thresholds for the first time).
    \145\ Under the adopted thresholds, because of the requirement 
to meet the threshold for at least four of the preceding six 
calendar months, inactive and newly operating ATSs would not be 
included in the definition of SCI ATS. See infra note 152.
---------------------------------------------------------------------------

    While some commenters advocated for thresholds higher than those 
proposed and/or retaining the 20 percent threshold in Regulation 
ATS,\146\ as the Commission discussed in the SCI Proposal, the 
securities markets have significantly evolved since the time of the 
adoption of Regulation ATS, resulting in trading activity in stocks 
being more dispersed among a variety of trading centers. For example, 
in today's markets, national securities exchanges, once the predominant 
type of venue for trading stocks, each account for no more than 
approximately 19 percent of volume in NMS stocks.\147\ By way of 
contrast, based on data collected from ATSs pursuant to FINRA Rule 4552 
for 18 weeks of trading in 2014, the trading volume of ATSs accounted 
for approximately 18 percent of the total dollar volume in NMS stocks, 
with no individual ATS executing more than five percent.\148\ Given 
this dispersal of trading volume among an increasing number of trading 
venues, the increasingly interconnected nature of the markets, and the 
increasing reliance on a variety of automated systems, the Commission 
believes that there is a heightened potential for systems issues 
originating from a number of sources to significantly affect the 
market. Due to these developments, the Commission believes that the 20 
percent threshold as adopted in Regulation ATS is no longer an 
appropriate measure for determining those entities that can have a 
significant impact on the market and thus should be subject to the 
protections of Regulation SCI. Rather, the Commission believes that 
lower volume thresholds are appropriate, and as noted in the SCI 
Proposal, the Commission believes that the adopted thresholds would 
include ATSs having NMS stock dollar volume comparable to or in excess 
of the NMS stock dollar volume of certain national securities exchanges 
subject to Regulation SCI.\149\
---------------------------------------------------------------------------

    \146\ See supra note 128 and accompanying text.
    \147\ See supra note 106.
    \148\ See infra note 150.
    \149\ See Proposing Release, supra note 13, at 18094.
---------------------------------------------------------------------------

    Based on data collected from ATSs pursuant to FINRA Rule 4552 for 
18 weeks of trading in 2014,\150\ the Commission believes that 
approximately 12 ATSs trading NMS stocks would exceed the adopted 
thresholds and fall within the definition of SCI entity, accounting for 
approximately 66 percent of the dollar volume market share of all ATSs 
trading NMS stocks.\151\ The Commission acknowledges that its analysis 
of the FINRA ATS data did not reveal an obvious threshold level above 
which a particular subset of ATSs may be considered to have a 
significant impact on individual NMS stocks or the overall market, as 
compared to another subset of ATSs. However, for the following reasons, 
the Commission continues to believe that the adopted thresholds for 
ATSs trading NMS stock are an appropriate measure to identify those 
ATSs that should be subject to the requirements of Regulation SCI. 
First, by imposing both a single NMS stock threshold and an all NMS 
stocks threshold in the first prong of the definition, the thresholds 
will help to ensure that Regulation SCI will not apply to an ATS that 
has a large volume in a small NMS stock and little volume in all other 
NMS stocks. At the same time, the Commission believes that inclusion of 
the dual-prong dollar volume thresholds is appropriate. Specifically, 
it will require not only that ATSs that have significant trading volume 
in all NMS stocks are subject to the requirements of Regulation SCI, 
but also that ATSs that have large trading volume in a single NMS stock 
and could significantly affect the market for that stock are also 
covered by the safeguards of Regulation SCI provided they have levels 
of trading in all NMS stocks that could allow such ATSs to also have 
some impact on the market as a whole. The Commission also believes 
that, as discussed further below, the adopted thresholds will also 
appropriately capture not only ATSs that have significant trading 
volume in active stocks, but also those that have significant trading 
volume in less active stocks. The Commission believes that a systems 
issue at an ATS that is a significant market for the trading of a less 
actively traded stock could similarly impose significant risks to the 
market for such securities, because a systems outage at such a venue 
could significantly impede the ability to trade

[[Page 72267]]

such securities, thereby having a significant impact on the market for 
such less-actively traded securities. In addition, the Commission 
continues to believe that thresholds that account for 66 percent of the 
dollar volume market share of all ATSs trading NMS stocks is a 
reasonable level that would not exclude new entrants to the ATS 
market.\152\ Further, as noted above, the thresholds would include ATSs 
having NMS stock dollar value comparable to the NMS stock dollar volume 
of the equity exchanges subject to Regulation SCI. Finally, the 
Commission believes that the adopted thresholds are appropriate to help 
ensure that entities that have determined to participate (in more than 
a limited manner) in the national market system as markets that bring 
buyers and sellers together, are subject to the requirements of 
Regulation SCI.
---------------------------------------------------------------------------

    \150\ See Securities Exchange Act Release No. 71341 (January 17, 
2014), 79 FR 4213 (January 24, 2014) (approving FINRA Rule 4552 
requiring each ATS to report to FINRA weekly volume information and 
number of securities transactions). Commission staff analyzed FINRA 
ATS data for the period of May 19, 2014 through September 19, 2014. 
The recently available FINRA ATS data is consistent with the OATS 
data used in the SCI Proposal. In addition, the analysis of FINRA 
ATS data examines a threshold of trading volume over four out of six 
time periods, each period defined as a period of three consecutive 
weeks as a rough approximation of the threshold test on four out of 
the preceding six calendar months as prescribed in the definition of 
SCI ATS. The Commission noted in the SCI Proposal that the staff 
analysis of OATS data may overestimate the number of ATSs that may 
meet the proposed thresholds. While the calculation based on FINRA 
ATS data may not overestimate the number of ATSs as much as the data 
analysis in the proposal, it could still overestimate the number of 
ATSs that would meet the thresholds. Nevertheless, the Commission 
believes the analysis of FINRA ATS data offers useful insights. See 
Proposing Release, supra note 13, at 18094.
    \151\ According to the FINRA ATS data, during this time period, 
a total of 44 ATSs traded NMS stocks. The Commission notes that the 
number of ATSs exceeding the adopted thresholds, and the percentage 
of volume of trading in NMS stocks that they represent, may change 
over time in response to market and competitive forces.
    \152\ Consistent with the Commission's statement in the SCI 
Proposal, the Commission has considered barriers to entry and the 
promotion of competition in setting the threshold such that new ATSs 
trading NMS stocks would be able to commence operations without, at 
least initially, being required to comply with--and thereby not 
incurring the costs associated with--Regulation SCI. See Proposing 
Release, supra note 13, at n. 102. In particular, a new ATS could 
engage in limited trading in any one NMS stock or all NMS stocks, 
until it reached an average daily dollar volume of five percent or 
more in any one NMS stock and 0.25 percent or more in all NMS 
stocks, or one percent in all NMS stocks, over four of the preceding 
six months. Because a new ATS could begin trading in NMS stocks for 
at least three months (i.e., less than four of the preceding six 
months), and conduct such trading at any dollar volume level without 
being subject to Regulation SCI, and would have to exceed the 
specified volume levels for the requisite period to become so 
subject, the Commission believes that these thresholds should not 
prevent a new ATS entrant from having the opportunity to initiate 
and develop its business. Further, the Commission notes that, as 
discussed below, it is adopting an additional six-month compliance 
period (in addition to the general nine-month compliance period from 
the Effective Date of Regulation SCI afforded to all SCI entities) 
for ATSs newly meeting the thresholds, so that once an ATS meets the 
threshold, it will have six months from that time to become fully 
compliant with Regulation SCI. See infra Section IV.F (discussing 
effective dates and compliance periods). The Commission believes 
that, for ATSs that have newly entered the market, this additional 
compliance period will give such ATSs additional opportunity to 
develop and grow their business without incurring the costs of 
compliance with Regulation SCI during this time. This additional 
compliance period should also provide such ATSs with time to plan on 
how they would meet the requirements of Regulation SCI, and could 
also potentially allow SCI ATSs to become more equipped to bear the 
cost of Regulation SCI once compliance is required, and thus not 
significantly discourage new ATSs from entering the market and 
growing. See infra Section VI.C.1.c (discussing further barriers to 
entry and the potential effects on competition of the adopted 
thresholds).
---------------------------------------------------------------------------

    As noted above, several commenters provided specific suggestions 
for alternative standards for determining which ATSs should be included 
within the scope of Regulation SCI.\153\ While the Commission 
recognizes that some of the suggested alternatives could have certain 
benefits, it also believes that each recommended standard also has 
corresponding limitations, and thus believes that the adopted 
thresholds are an appropriate measure for identifying those ATSs that 
should be subject to Regulation SCI. First, as described above, the 
Commission believes that adopting a two-prong standard is necessary to 
identify those ATSs that, in the event of a systems issue, could have a 
significant impact on the overall market or that could have a 
significant impact on a single NMS stock and some impact on the market 
as a whole at the same time. The Commission notes that several of the 
thresholds suggested by commenters lacked such a dual-prong standard 
(and, in particular, the prong relating to individual NMS stocks) and 
thus do not provide the advantages associated with the adopted 
threshold in protecting the trading venues for a single NMS stock. With 
regard to one commenter's suggestion that the first prong of the 
threshold should, among other things, consider five NMS stocks, rather 
than a single stock, the Commission does not believe the commenter has 
provided any clear rationale for this standard.\154\ As discussed, the 
purpose of the first prong is to identify significant trading venues 
(or markets) for a single security where a systems disruption could 
have a significant effect on the market for that security, and setting 
the threshold to consider five NMS securities could potentially exclude 
trading venues that host large trading activity for a single NMS 
security. Additionally, the Commission notes that the suggested 
alternative approach would be unlikely to have any significant 
practical effect when used in conjunction with the second prong of the 
threshold, which looks at trading across all NMS stocks, because the 
second prong would likely capture an ATS with five percent or more 
volume in five NMS stocks. With regard to one commenter's suggestion to 
apply the threshold to only the 500 most active NMS stocks \155\ and 
another commenter's suggestion to include only stocks with an aggregate 
average daily share volume greater than 500,000,\156\ the Commission 
disagrees that the threshold should be structured to capture only ATSs 
that have significant trading volume in active stocks. Rather, the 
first prong of the adopted threshold is designed to capture any ATS 
that has five percent or more of the trading volume of any NMS stock, 
irrespective of how actively traded it is, so that Regulation SCI can 
effectively address risks relating to the trading of all NMS stocks, 
and not only the most active of NMS stocks. If the Commission were to 
apply the threshold only to the 500 most active NMS stocks or stocks 
only with average daily share volumes greater than 500,000, an ATS 
that, for example, served as the primary venue for the trading of less 
actively traded NMS stocks, but had negligible market share for more 
actively traded NMS stocks, would not be subject to Regulation SCI. 
However, an SCI event that resulted in an outage of such an ATS could 
have a significant impact on the market for such less actively traded 
NMS stocks. As such, failure to include such an ATS within the scope of 
Regulation SCI would be contrary to the goals of the regulation. 
Finally, with regard to one commenter's suggestion to retain Rule 
301(b)(6) as part of Regulation ATS and amend the threshold to 2.5 
percent,\157\ as discussed throughout this release, Regulation SCI is 
intended to expand upon the requirements of Rule 301(b)(6) and to 
supersede and replace such requirements for ATSs that trade NMS 
stocks.\158\ For the reasons noted above, the Commission believes it is 
appropriate to include ATSs meeting the adopted volume thresholds 
within the scope of Regulation SCI, and the Commission does not believe 
it is appropriate to retain Rule 301(b)(6) as part of Regulation ATS, 
thereby subjecting ATSs to a separate and differing set of regulatory 
requirements than other SCI entities with regard to systems capacity, 
integrity, resiliency, availability, security, and compliance.\159\ For 
all of the reasons discussed above, the Commission does not believe 
that any of the alternative standards suggested by commenters would 
better capture those entities that

[[Page 72268]]

have the potential to pose significant risk to the market.
---------------------------------------------------------------------------

    \153\ See supra notes 127-132 and accompanying text.
    \154\ See supra note 131 and accompanying text. This commenter 
argued generally that the thresholds should be revised so as to only 
include those entities that would have an ``immediate and 
substantial impairment of a functioning marketplace.'' However, the 
commenter did not explain why it advocated the use of five NMS 
stocks, rather than a single NMS stock. See ITG Letter at 9.
    \155\ See supra note 130 and accompanying text.
    \156\ See supra note 131 and accompanying text.
    \157\ See supra note 132 and accompanying text.
    \158\ But see infra notes 189-192 and accompanying text 
(discussing the Commission's determination to retain the 
applicability of Rule 301(b)(6) to fixed-income ATSs).
    \159\ The Commission notes that, with regard to the specific 
threshold level suggested by this commenter (2.5%), the Commission 
believes the adopted thresholds to be an appropriate measure to 
identify those ATSs that should be subject to the requirements of 
Regulation SCI for the reasons discussed above. See supra note 141.
---------------------------------------------------------------------------

    One commenter urged the Commission to utilize number of shares 
traded rather than dollar value, stating that while most of the world 
uses value traded, available data for the U.S. equity markets is share-
based.\160\ The Commission disagrees with this commenter and notes that 
daily dollar volume is readily available from a number of sources, 
including the SIPs.\161\
---------------------------------------------------------------------------

    \160\ See supra note 139 and accompanying text.
    \161\ See also Proposing Release, supra note 13, at 18094 
(stating that the use of dollar thresholds may better reflect the 
economic impact of trading activity).
---------------------------------------------------------------------------

    The time measurement period for ATSs that trade NMS stocks and non-
NMS stocks is also being adopted as proposed. Thus, ATSs will be 
subject to Regulation SCI only if they meet the numerical thresholds 
for at least four of the preceding six months.\162\ The Commission 
notes that the adopted time measurement period is consistent with the 
current standard in Rule 301(b)(6) of Regulation ATS.\163\ The 
Commission believes that this time measurement period is an appropriate 
time period over which to evaluate the trading volume of an ATS and 
should help to ensure that it does not capture ATSs with relatively low 
trading volume that may have had an anomalous increase in trading on a 
given day or few days. Contrary to concerns raised by some 
commenters,\164\ under this time measurement methodology, an ATS would 
not qualify as an SCI entity simply by trading a single large block of 
an illiquid security during one month (or even two or three months). 
While one commenter suggested that the time measurement period be 
shorter and recommended a period of two to four weeks,\165\ the 
Commission believes that this could cause ATSs to fall within the scope 
of the definition solely as a result of an atypical, short-term 
increase in trading or a small number of large block trades that is not 
reflective of ATSs' general level of trading. Specifically, with such a 
short period of measurement, a short-term spike in trading volume 
uncharacteristic of an ATS's overall trading volume history could (and 
if large enough, likely would) skew the overall trading volume for that 
time period, causing an ATS to meet the volume thresholds and thus 
become subject to Regulation SCI even though the overall risk posed by 
the ATS does not warrant it. Further, the Commission believes that such 
a shorter time measurement period could provide more barriers to entry 
for ATSs, because new ATSs would not have as long of a time period to 
develop their business prior to having to incur the costs of compliance 
associated with being subject to the requirements of Regulation 
SCI.\166\ This potential to incur such costs almost immediately after 
the initial start of operations could act as a barrier to entry for 
some new ATSs.
---------------------------------------------------------------------------

    \162\ See adopted Rule 1000 (definition of ``SCI ATS''). The 
Commission notes that if an ATS that was not previously subject to 
Regulation SCI meets the SCI ATS volume threshold for four 
consecutive months, it would become subject to Regulation SCI at the 
end of that four-month period. However, as discussed further below, 
such an ATS would have an additional six months from that time to 
comply with the requirements of Regulation SCI. See infra text 
accompanying notes 169-170.
    \163\ 17 CFR 242.301(b)(6).
    \164\ See, e.g., BIDS Letter at 6.
    \165\ See supra note 138 and accompanying text.
    \166\ See supra note 152 and accompanying text. See also infra 
Section VI.C.1.c (discussing barriers to entry and the effects on 
competition of the adopted thresholds and time measurement period 
for SCI ATSs).
---------------------------------------------------------------------------

    Other commenters recommended a longer measurement period, such as 
12 months.\167\ The Commission does not believe, however, that a longer 
time period is necessary or more appropriate to identify those entities 
that play a significant role in the market for a particular asset class 
and/or that have the potential to significantly impact investors or the 
market, warranting inclusion in the scope of Regulation SCI. The 
Commission believes that the adopted time measurement period provides 
sufficient trading history data so as to indicate an ATS's significance 
to the market, and that the structure of the test (i.e., requiring an 
ATS to meet the threshold for four out of six months) ensures 
sustainability of such trading levels. In addition, modifying the time 
measurement period to 12 months (and thus eliminating the four out of 
six month measurement period) would make such a measure more 
susceptible to capturing ATSs that have a major but isolated spike in 
trading during a single month. Specifically, as noted above, a single 
anomalous large increase in trading volume during one month (or such a 
spike in two or three months) could never result in an ATS becoming 
subject to Regulation SCI solely as a result of such a spike in 
trading, because the ATS would meet the threshold only for one month, 
rather than the four months required by the rule. On the other hand, a 
threshold based on an average over 12 months could be skewed by the 
occurrence of one large spike in trading that results in the overall 
average for the 12-month period being increased to such a level that it 
meets the volume threshold levels. Thus, contrary to one commenter's 
suggestion that a 12-month period would require ``a sustained trading 
level at the threshold,'' \168\ the Commission believes that the 
structure of the adopted measurement period test (i.e., four out of six 
months) may be a better indicator of actual sustained trading levels at 
the threshold warranting the protections of the rule. Further, the 
Commission believes that 12 months is a less appropriate time 
measurement period than the period adopted because, for example, an ATS 
could have significant trading volume early on during such a time 
period such that it may pose significant risk to the markets in the 
event of a systems issue at such an ATS without being subject to 
Regulation SCI for a significant period of time. The Commission 
believes that the adopted time period strikes an appropriate balance 
between being a long enough period so as to not be triggered by 
atypical periods of increased trading or a few occurrences of very 
large trades, while also not causing unnecessary delay in requiring 
that ATSs playing an important role in the market are subject to 
Regulation SCI.
---------------------------------------------------------------------------

    \167\ See supra notes 136-137 and accompanying text. One of 
these commenters noted that the ``four out of the preceding six 
months'' measurement is cumbersome to apply in practice. See KCG 
Letter at 19. The Commission does not believe this measurement 
period to be overly cumbersome to apply in practice, as it would 
require only that an ATS undertake an assessment once at the end of 
each month as to whether the ATS had exceeded the volume thresholds 
set forth in the rule and then make a determination at the end of a 
six month period whether the ATS met this threshold for four out of 
the six preceding months.
    \168\ See KCG Letter at 19. See also supra notes 136-137 and 
accompanying text.
---------------------------------------------------------------------------

    Finally, as discussed further in Section IV.F, the Commission 
agrees with commenters that it is appropriate to provide ATSs meeting 
the volume thresholds in the definition of SCI ATS for the first time a 
period of time before they are required to comply with Regulation 
SCI.\169\ Thus, consistent with the recommendation of these commenters, 
the Commission is revising the definition of SCI ATS to provide that an 
SCI ATS will not be required to comply with the requirements of 
Regulation SCI until six months after satisfying any of the applicable 
thresholds in the definition of SCI ATS for the first time.\170\
---------------------------------------------------------------------------

    \169\ See supra note 140 and accompanying text.
    \170\ See Rule 1000 (definition of SCI ATS).
---------------------------------------------------------------------------

ATSs Trading Non-NMS Stocks
    Some commenters addressed whether Regulation SCI should apply to 
ATSs trading non-NMS stocks.\171\ Specifically,

[[Page 72269]]

one commenter stated that the rules should apply only to trading in NMS 
securities because non-NMS stock trading--which is dispersed among 
broker-dealers--does not have a single point of failure and is 
therefore less susceptible to rapid, widespread issues that occur as a 
result of a high degree of linkage or inter-dependency.\172\ Another 
commenter stated that, with respect to non-NMS stocks (as well as 
municipal securities and corporate debt securities), the proposed five 
percent threshold was too low and would unnecessarily include ATSs for 
these product types that are ``not systemic to maintaining fair, 
orderly, and efficient markets'' and asked the Commission to further 
study the appropriate threshold for these ATSs.\173\
---------------------------------------------------------------------------

    \171\ See, e.g., OTC Markets Letter at 7; SIFMA Letter at 7; TMC 
Letter at 1-3 (asserting that retail fixed-income ATSs should not be 
subject to Regulation SCI); and KCG Letter at 3, 10-11.
    \172\ See OTC Markets Letter at 7.
    \173\ See SIFMA Letter at 7.
---------------------------------------------------------------------------

    With regard to equity securities that are not NMS stocks and for 
which transactions are reported to a self-regulatory organization, the 
adopted thresholds remain unchanged from the SCI Proposal. Thus, for 
such securities, an ATS will be subject to the requirements of 
Regulation SCI if, during four of the preceding six calendar months, it 
had five percent or more of the average daily dollar volume as 
calculated by the self-regulatory organization to which such 
transactions are reported.\174\ The Commission continues to believe 
that this threshold will appropriately identify ATSs that play a 
significant role in the market for those securities and, thus, should 
be subject to the requirements of Regulation SCI.
---------------------------------------------------------------------------

    \174\ However, as noted above, an ATS meeting the definition of 
SCI ATS for the first time will be afforded a six-month compliance 
period. See supra notes 169-170 and accompanying text.
---------------------------------------------------------------------------

    Using data from the second quarter of 2014, an ATS executing 
transactions in non-NMS stocks at a level exceeding five percent of the 
average daily dollar volume traded in the United States would be 
executing trades at a level exceeding $45.2 million daily.\175\ Based 
on data collected from Form ATS-R for the second quarter of 2014, the 
Commission estimates that two ATSs would exceed this threshold and fall 
within the definition of SCI entity, accounting for approximately 99 
percent of the dollar volume market share of all ATSs trading non-NMS 
stocks.\176\ These thresholds reflect an assessment by the Commission, 
based on qualitative and quantitative analysis, of the likely 
consequences of the specific quantitative thresholds included in the 
definition. From this analysis and in conjunction with considering the 
views of commenters, the Commission has derived what it believes to be 
an appropriate threshold to identify those ATSs that should be subject 
to the requirements of Regulation SCI.
---------------------------------------------------------------------------

    \175\ In the Proposing Release, the Commission used data from 
the first six months of 2012 to estimate that an ATS executing 
transactions in non-NMS stocks at a level exceeding five percent of 
the average daily volume traded in the United States would be 
executing trades at a level exceeding $31 million daily. See 
Proposing Release, supra note 13, at n.111 and accompanying text. 
The Commission has updated this estimate using over-the-counter 
reporting facility data available from FINRA.
    \176\ The Commission notes that the number of ATSs exceeding the 
adopted threshold, and the percentage of volume of trading in non-
NMS stocks that they represent, may change over time in response to 
market and competitive forces.
---------------------------------------------------------------------------

    As discussed above, one commenter objected to the inclusion of ATSs 
trading non-NMS stocks within the scope of Regulation SCI.\177\ This 
commenter argued that non-NMS trading is not susceptible to the issues 
that Regulation SCI is designed to address because such trading is 
dispersed among broker-dealers and does not create the types of single 
points of failure that pose widespread systemic risk.\178\ First, as 
noted above, while the Commission is particularly concerned with 
systems issues that pose the greatest risk to our markets and have the 
potential to cause the most widespread effects and damage (such as 
those that are single points of failure), Regulation SCI is intended to 
address a broader set of risks of systems issues. Accordingly, the 
adopted threshold for non-NMS stock ATSs is designed to identify those 
ATSs that play a significant role in the market for such securities. 
Further, the Commission disagrees with the commenter's assertion that 
trading in non-NMS stocks cannot result in widespread disruptions.\179\
---------------------------------------------------------------------------

    \177\ See supra note 172 and accompanying text.
    \178\ See id.
    \179\ See supra note 33 and accompanying text.
---------------------------------------------------------------------------

    While one commenter stated that the five percent threshold was too 
low, this commenter did not provide an alternative threshold but rather 
asked the Commission to further study this issue.\180\ As noted above, 
based on qualitative and quantitative analysis, the Commission believes 
the five percent threshold to be an appropriate measure to determine 
which ATSs are of sufficient significance in the current market for 
non-NMS stocks to warrant their inclusion within the scope of 
Regulation SCI. The Commission notes that it intends to monitor the 
level of this threshold, and other thresholds being adopted today, to 
ensure that they continue to be appropriate.
---------------------------------------------------------------------------

    \180\ See supra note 173.
---------------------------------------------------------------------------

    The Commission notes that adoption of a higher threshold for non-
NMS stocks than for NMS stocks reflects the Commission's 
acknowledgement of certain differences between the two markets. In 
particular, as noted in the SCI Proposal, while the Commission believes 
that similar concerns about the trading of NMS stocks on ATSs apply to 
the trading of non-NMS stocks, the Commission also believes that 
certain characteristics of the market for non-NMS stocks, such as the 
lower degree of automation, electronic trading, and interconnectedness, 
generally result in an overall lower risk to the market in the event of 
a systems issue.\181\ In particular, the Commission believes that a 
systems issue at an SCI entity that trades non-NMS stocks would not be 
as likely to have as significant or widespread an impact as readily as 
a systems issue at an SCI entity that trades NMS stocks. Therefore, the 
Commission believes that there is less risk of market impact in the 
markets for those securities at this time. As such, the Commission has 
determined not to adopt the same, more stringent, thresholds that would 
trigger the requirements of Regulation SCI that the Commission is 
adopting for ATSs trading NMS stocks. The Commission also believes that 
imposition of a threshold that is set too low in markets that lack 
automation could have the unintended effects of discouraging automation 
in these markets and discouraging new entrants into these markets. 
Specifically, it could increase the cost of automation in relation to 
other methods of executing trades, and thus market participants might 
make a determination that the costs associated with becoming subject to 
Regulation SCI preclude a shift to automated trading or the development 
of a new automated trading system, particularly given the expected 
lower trading volume when beginning operations. Further, the Commission 
notes that it has traditionally provided special safeguards with regard 
to NMS stocks in its rulemaking efforts relating to market 
structure.\182\ For these reasons, the Commission believes that it is 
appropriate at this time to apply a different threshold to ATSs trading 
NMS stocks than those ATSs trading non-NMS stocks.
---------------------------------------------------------------------------

    \181\ See Proposing Release, supra note 13, at 18096.
    \182\ See, e.g., Regulation NMS, 17 CFR 242.600-612; Securities 
Exchange Act Release No. 51808 (June 9, 2005), 70 FR 27496 (June 29, 
2005) (Regulation NMS Adopting Release).

---------------------------------------------------------------------------


ATSs Trading Fixed-Income Securities
    Several commenters specifically addressed the inclusion of 
municipal security and corporate debt security ATSs within the scope of 
Regulation SCI, stating that these ATSs should not be subject to 
Regulation SCI or that the proposed thresholds should be modified.\183\ 
These commenters identified differences in the nature of fixed-income 
trading as compared to the markets for NMS securities and concluded 
that the thresholds were inappropriate and would be detrimental to the 
market for these types of securities.\184\ In particular, commenters 
stated that inclusion of fixed-income ATSs and/or the adoption of the 
proposed thresholds would impose unduly high costs on these entities 
given their size, scope of operations, lack of automation, low speed, 
and resulting low potential to pose risk to systems.\185\ Further, one 
commenter noted that the cost of compliance for these types of entities 
would discourage the shift from manual fixed-income trading in the OTC 
markets to more transparent and efficient automated trading 
venues.\186\
---------------------------------------------------------------------------

    \183\ See, e.g., SIFMA Letter at 7; TMC Letter at 1-3; and KCG 
Letter at 2-3, 10-11.
    \184\ See, e.g., SIFMA Letter at 7; TMC Letter at 1-3; and KCG 
Letter at 2-3, 10-11.
    \185\ See, e.g., SIFMA Letter at 7; TMC Letter at 1-3; and KCG 
Letter at 2-3, 10-11.
    \186\ See KCG Letter at 3, 10-11 (noting that the vast majority 
of fixed-income trades are done in the OTC markets and only a few 
ATSs for the fixed-income market have emerged in recent years).
---------------------------------------------------------------------------

    In addition, one commenter stated that if retail fixed-income ATSs 
are included in the final rule, a better measurement would be to look 
at par amount traded rather than volume.\187\ Finally, one commenter 
requested that the Commission clarify that ATSs relating to listed-
options are not subject to the obligations of proposed Regulation 
SCI.\188\
---------------------------------------------------------------------------

    \187\ See TMC Letter at 1-3.
    \188\ See LiquidPoint Letter at 2-3.
---------------------------------------------------------------------------

    While the adopted definition of SCI ATS remains unchanged from the 
proposal for NMS stocks and non-NMS stocks, the Commission, after 
considering the views of commenters, has determined to exclude ATSs 
that trade only municipal securities or corporate debt securities from 
the definition of SCI ATS at this time.\189\ Accordingly, such fixed-
income ATSs will not be subject to the requirements of Regulation SCI. 
Rather, fixed-income ATSs will continue to be subject to the existing 
requirements in Rule 301(b)(6) of Regulation ATS regarding systems 
capacity, integrity and security if they meet the twenty percent 
threshold for municipal securities or corporate debt securities 
provided by that rule.\190\ The Commission believes that this change is 
warranted given the unique nature of the current fixed-income markets, 
as noted by several commenters. In particular, fixed-income markets 
currently rely much less on automation and electronic trading than 
markets that trade NMS stocks or non-NMS stocks.\191\ In addition, the 
municipal and corporate fixed-income markets tend to be less liquid 
than the equity markets, with slower execution times and less complex 
routing strategies.\192\ As such, the Commission believes that a 
systems issue at a fixed-income ATS would not have as significant or 
widespread an impact as in other markets. Thus, while ensuring the 
capacity, integrity and security of the systems of fixed-income ATSs is 
important, the benefits of lowering the threshold applicable to fixed-
income ATSs from the current twenty percent threshold in Regulation ATS 
and subjecting such ATSs to the safeguards of Regulation SCI would not 
be as great as for ATSs that trade NMS stock or non-NMS stock. As 
commenters pointed out, the cost of the requirements of Regulation SCI 
could be significant for fixed-income ATSs relative to their size, 
scope of operations, and more limited potential for systems risk. The 
Commission is cognizant that lowering the current threshold applicable 
to fixed-income ATSs in Regulation ATS and subjecting such ATSs to the 
requirements of Regulation SCI could have the unintended effect of 
discouraging automation in these markets and discouraging the entry of 
new fixed-income ATSs into the market, which could impede the evolving 
transparency and efficiency of these markets and negatively impact 
liquidity in these markets.
---------------------------------------------------------------------------

    \189\ See supra notes 183-186.
    \190\ See 17 CFR 242.301(b)(6).
    \191\ See, e.g., supra notes 183-186 and accompanying text 
(discussing the unique nature of fixed-income trading). See also 
Tracy Alloway and Michael Mackenzie, ``Goldman Retreats from Bond 
Platform,'' Fin. Times, February 17, 2014 (noting that, despite 
efforts to make the market for bond trades more electronic, large 
bond trading continues to occur overwhelmingly by `voice-brokered' 
transactions); and Lisa Abramowicz, ``Humans Beat Machines as 
Electronic Trading Slows: Credit Markets,'' Bloomberg, February 19, 
2014 (stating that a shift in corporate bond transactions to 
electronic systems is failing to keep up with total volume).
    \192\ See, e.g., TMC Bonds Letter at 1 (stating that fixed-
income markets have significantly lower volumes and slower execution 
times than equity markets and have no meaningful connectivity 
between fixed-income ATS participants).
---------------------------------------------------------------------------

    For these reasons, the Commission believes that it is appropriate 
to continue to apply the requirements in Rule 301(b)(6) of Regulation 
ATS to fixed-income ATSs that meet the volume thresholds of that rule 
and to exclude ATSs that trade only municipal securities or corporate 
debt securities from the scope of Regulation SCI at this time.
c. Plan Processor
    Under Proposed Rule 1000(a), the term ``plan processor'' had the 
meaning set forth in Rule 600(b)(55) of Regulation NMS, which defines 
``plan processor'' as ``any self-regulatory organization or securities 
information processor acting as an exclusive processor in connection 
with the development, implementation and/or operation of any facility 
contemplated by an effective national market system plan.'' \193\ The 
Commission is adopting the definition of ``plan processor'' as 
proposed.\194\
---------------------------------------------------------------------------

    \193\ See 17 CFR 242.600(b)(55).
    \194\ See proposed Rule 1000(a) and Proposing Release supra note 
13, at Section III.B.1.
---------------------------------------------------------------------------

    The Commission received no comments on the proposed definition of 
``plan processor.'' \195\ As noted in the SCI Proposal, the ARP 
Inspection Program included the systems of the plan processors of four 
national market system plans--the CTA Plan, CQS Plan, Nasdaq UTP Plan, 
and OPRA Plan.\196\ 
Although an entity selected as the processor of an SCI Plan acts on 
behalf of a committee of SROs, such entity is not required to be an 
SRO, nor is it required to be owned or operated by an SRO.\197\ The 
Commission believes, however, that the systems of such entities, 
because they deal with key market data, are central features of the 
national market system \198\ and should be subject to the same systems 
standards as SCI SROs. The inclusion of plan processors in the 
definition of SCI entity is designed to ensure that the processor for 
an SCI Plan, regardless of its identity, is independently subject to 
the requirements of Regulation SCI. The Commission believes that it is 
important for such plan processors to be subject to the requirements of 
Regulation SCI because of the important role they serve in the national 
market system: Operating and maintaining computer and communications 
facilities for the receipt, processing, validating, and dissemination 
of quotation and/or last sale price information generated by the 
members of the plan.
---------------------------------------------------------------------------

    \195\ However, some commenters did support the overall scope of 
the term ``SCI entity'' or agreed specifically that plan processors 
should be included within the definition of that term. See, e.g., 
Lauer Letter at 3 (urging the Commission to expand the scope of 
entities covered) and KCG Letter at 5-6 (recommending that 
Regulation SCI be targeted to services offered by only one or a few 
entities, such as plan processors). In addition, one commenter, 
although commenting specifically on the definition of ``SCI 
system,'' stated that Regulation SCI should be tailored to focus 
only on systems impacting the core functions of the overall market, 
which should include the exclusive SIPs that transmit market data. 
See OTC Markets Letter at 12-13.
    \196\ See ARP I Release, supra note 1, at n. 8 and n. 17. Each 
of the CTA Plan, CQS Plan, Nasdaq UTP Plan, and OPRA Plan, is a 
``national market system plan'' (``NMS Plan'') as defined under Rule 
600(a)(43) of Regulation NMS under the Exchange Act, 17 CFR 
242.600(a)(43). Rule 600(a)(55) of Regulation NMS under the Exchange 
Act, 17 CFR 242.600(a)(55), defines a ``plan processor'' as ``any 
self-regulatory organization or securities information processor 
acting as an exclusive processor in connection with the development, 
implementation and/or operation of any facility contemplated by an 
effective national market system plan.'' Section 3(a)(22)(B) of the 
Exchange Act, 15 U.S.C. 78c(22)(B), defines ``exclusive processor'' 
to mean ``any securities information processor or self-regulatory 
organization which, directly or indirectly, engages on an exclusive 
basis on behalf of any national securities exchange or registered 
securities association, or any national securities exchange or 
registered securities association which engages on an exclusive 
basis on its own behalf, in collecting, processing, or preparing for 
distribution or publication any information with respect to (i) 
transactions or quotations on or effected or made by means of any 
facility of such exchange or (ii) quotations distributed or 
published by means of any electronic system operated or controlled 
by such association.''
    As a processor involved in collecting, processing, and preparing 
for distribution transaction and quotation information, the 
processor of each of the CTA Plan, CQS Plan, Nasdaq UTP Plan, and 
OPRA Plan meets the definition of ``exclusive processor;'' and 
because each acts as an exclusive processor in connection with an 
NMS Plan, each also meets the definition of ``plan processor'' under 
Rule 600(a)(55) of Regulation NMS, as well as Rule 1000(a) of 
Regulation SCI. For ease of reference, an NMS Plan having a current 
or future ``plan processor'' is referred to herein as an ``SCI 
Plan.'' The Commission notes that not every processor of an NMS Plan 
would be a ``plan processor'' under Rule 1000, and therefore not 
every processor of an NMS Plan would be an SCI entity subject to the 
requirements of Regulation SCI. For example, the processor of the 
Symbol Reservation System associated with the National Market System 
Plan for the Selection and Reservation of Securities Symbols (File 
No. 4-533) would not be a ``plan processor'' subject to Regulation 
SCI because it does not meet the ``exclusive processor'' statutory 
definition, as it is not involved in collecting, processing, and 
preparing for distribution transaction and quotation information.
    \197\ Pursuant to Section 11A of the Exchange Act (15 U.S.C. 
78k-1), and Rule 609 of Regulation NMS thereunder (17 CFR 242.609), 
such entities, as ``exclusive processors,'' are required to register 
with the Commission as securities information processors on Form 
SIP. See 17 CFR 249.1001 (Form SIP, application for registration as 
a securities information processor or to amend such an application 
or registration).
    \198\ See Concept Release on Equity Market Structure, supra note 
4, at 3594-95.
---------------------------------------------------------------------------

    Recent SIP incidents further highlighted the importance of plan 
processors to the U.S. securities markets and the necessity of 
including such processors within the scope of Regulation SCI.\199\ As 
evidenced by the incidents, the availability of consolidated market 
data is central to the functioning of the securities markets. The 
unavailability of a system, such as a plan processor, that is a single 
point of failure with no backups or alternatives can result in a 
significant impact on the entire national market system. Accordingly, 
the Commission believes that it is essential to ensure that the 
automated systems of the entities responsible for the consolidation and 
processing of important market data, namely, plan processors, have 
adequate levels of capacity, integrity, resiliency, availability, and 
security.\200\
---------------------------------------------------------------------------

    \199\ As noted above, a disruption of the Nasdaq SIP on August 
22, 2013 resulted in a three hour halt in trading in all Nasdaq-
listed securities because of the SIP's inability to process quotes. 
See supra note 32 and accompanying text. Also as noted above, on 
October 30, 2014, according to the NYSE, a network hardware failure 
impacted the Consolidated Tape System, Consolidated Quote System, 
and Options Price Reporting Authority data feeds at the primary data 
center, and SIAC switched over to the secondary data center for 
these data feeds. See id.
    \200\ Systems directly supporting functionality relating to the 
provision of consolidated market data are included within the 
definition of ``critical SCI systems,'' for which heightened 
obligations under Regulation SCI will apply. See adopted Rule 1000. 
See also supra Section IV.A.2.c (discussing the definition of 
``critical SCI systems'').
---------------------------------------------------------------------------

    Further, pursuant to its terms, each SCI Plan is required to 
periodically review its selection of its processor, and may in the 
future select a different processor for the SCI Plan than its current 
processor.\201\ Thus, the definition of ``plan processor'' covers any 
entity selected as the processor for a current or future SCI Plan.\202\
---------------------------------------------------------------------------

    \201\ See CTA Plan Section V(d) and CQS Plan Section V(d), 
available at: http://www.nyxdata.com/cta; OPRA Plan Section V, 
available at: http://www.opradata.com/pdf/opra_plan.pdf; and Nasdaq 
UTP Plan Section V, available at: http://www.utpplan.com.
    \202\ Currently, SIAC is the processor for the CTA Plan, CQS 
Plan, and OPRA Plan, and Nasdaq is the processor for the Nasdaq UTP 
Plan. SIAC is wholly owned by NYSE Euronext. Both SIAC and Nasdaq 
are registered with the Commission as securities information 
processors, as required by Section 11A(b)(1) of the Exchange Act, 15 
U.S.C. 78k-1(b)(1), and in accordance with Rule 609 of Regulation 
NMS, 17 CFR 242.609.
---------------------------------------------------------------------------

d. Exempt Clearing Agency Subject to ARP
    Proposed Rule 1000(a) defined the term ``exempt clearing agency 
subject to ARP'' to mean ``an entity that has received from the 
Commission an exemption from registration as a clearing agency under 
Section 17A of the Act, and whose exemption contains conditions that 
relate to the Commission's Automation Review Policies, or any 
Commission regulation that supersedes or replaces such policies.'' This 
definition is being adopted as proposed.
    As noted in the SCI Proposal, this definition of ``exempt clearing 
agency subject to ARP'' currently covers one entity, Omgeo Matching 
Services--US, LLC (``Omgeo'').\203\ In its comment letter, Omgeo stated 
that it believed its inclusion as an SCI entity was reasonable because 
clearing agencies that provide matching services, such as Omgeo, 
perform a critical role in the infrastructure of the U.S. financial 
markets in handling large amounts of highly confidential proprietary 
trade data.\204\ Omgeo requested, however, that the Commission clarify 
that other similarly situated clearing agencies would also be subject 
to the requirements of Regulation SCI, and further requested that the 
Commission expand the definition of SCI entity, as applied to clearing 
agencies, to include, without limitation, any entity providing either 
matching services or confirmation/affirmation services for depository 
eligible securities that settle in the United States, as contemplated 
by FINRA Rule 11860.\205\
---------------------------------------------------------------------------

    \203\ On April 17, 2001, the Commission issued an order granting 
Omgeo an exemption from registration as a clearing agency subject to 
certain conditions and limitations in order that Omgeo might offer 
electronic trade confirmation and central matching services. See 
Global Joint Venture Matching Services--US, LLC; Order Granting 
Exemption from Registration as a Clearing Agency, Securities 
Exchange Act Release No. 44188 (April 17, 2001), 66 FR 20494 (April 
23, 2001) (File No. 600-32) (``Omgeo Exemption Order''). Because the 
Commission granted it an exemption from clearing agency 
registration, Omgeo is not a self-regulatory organization.
    \204\ See Omgeo Letter at 2-3.
    \205\ See id.
---------------------------------------------------------------------------

    The Commission notes that the adopted definition of ``exempt 
clearing agency subject to ARP'' does provide that any entity that 
receives from the Commission an exemption from registration as a 
clearing agency under Section 17A of the Act, and whose exemption 
contains conditions that relate to the Automation Review Policies or 
any Commission regulation that supersedes or replaces the Commission's 
Automation Review Policies (such as Regulation SCI) would be included 
within the scope of Regulation SCI. Therefore, clearing agencies that 
are similarly situated as Omgeo (i.e., those that are subject to an 
exemption that contains the relevant conditions) will be subject to 
Regulation SCI.\206\ The Commission does not believe, therefore, that 
an expansion of the definition as suggested by Omgeo is necessary to 
further clarify that 
similarly situated entities will be subject to the requirements of 
Regulation SCI.
---------------------------------------------------------------------------

    \206\ Any entity seeking an exemption from registration as a 
clearing agency is responsible for requesting and obtaining such an 
exemption from the Commission.
---------------------------------------------------------------------------

    Among the operational conditions required by the Commission in the 
Omgeo Exemption Order were several that directly related to the ARP 
policy statements.\207\ For the same reasons that it required Omgeo to 
abide by the conditions relating to the ARP policy statements set forth 
in the Omgeo Exemption Order, the Commission believes it is appropriate 
that Omgeo (or any similarly situated exempt clearing agency) should be 
subject to the requirements of Regulation SCI, and thus is including 
any ``exempt clearing agency subject to ARP'' within the definition of 
SCI entity.
---------------------------------------------------------------------------

    \207\ These conditions require Omgeo to, among other things: 
Provide the Commission with an audit report addressing all areas 
discussed in the Commission ARP policy statements; provide annual 
reports prepared by competent, independent audit personnel in 
accordance with the annual risk assessment of the areas set forth in 
the ARP policy statements; report all significant systems outages to 
the Commission; provide advance notice of any material changes made 
to its electronic trade confirmation and central matching services; 
and respond and require its service providers to respond to requests 
from the Commission for additional information relating to its 
electronic trade confirmation and central matching services, and 
provide access to the Commission to conduct inspections of its 
facilities, records and personnel related to such services. See 
supra note 203.
---------------------------------------------------------------------------

2. SCI Systems, Critical SCI Systems, and Indirect SCI Systems
a. Overview
    Regulation SCI, as adopted, distinguishes three categories of 
systems of an SCI entity: ``SCI systems,'' ``critical SCI systems,'' 
and ``indirect SCI systems.'' The SCI Proposal broadly defined SCI 
systems to mean ``all computer, network, electronic, technical, 
automated, or similar systems of, or operated by or on behalf of, an 
SCI entity, whether in production, development, or testing, that 
directly support trading, clearance and settlement, order routing, 
market data, regulation, or surveillance.'' The SCI Proposal also 
defined the term SCI security systems (to which only the provisions of 
Regulation SCI relating to security and intrusions would apply) as: 
``any systems that share network resources with SCI systems that, if 
breached, would be reasonably likely to pose a security threat to SCI 
systems.'' \208\
---------------------------------------------------------------------------

    \208\ See proposed Rule 1000(a) and Proposing Release, supra 
note 13, at Section III.B.2.
---------------------------------------------------------------------------

    Many commenters stated that the proposed definitions of SCI systems 
and SCI security systems were too broad and urged the Commission to 
target systems that pose the greatest risk to the market if they 
malfunction.\209\ After careful consideration of the comments, and as 
discussed more fully below, the Commission agrees that certain types of 
systems included in the proposed definition of SCI systems may be 
appropriately excluded from the adopted definition. However, because 
U.S. securities market infrastructure is highly interconnected and 
a seemingly minor systems problem at a single entity can spread rapidly 
across the national market system, the Commission does not believe it 
is appropriate to apply Regulation SCI only to the most critical SCI 
systems, as some commenters suggested. Instead, the adopted regulation 
applies to a broader set of systems than urged by some commenters, but 
a more targeted set of systems than proposed. In addition, the adopted 
approach recognizes that some systems pose greater risk than others to 
the maintenance of fair and orderly markets if they malfunction. To 
this end, adopted Regulation SCI identifies three broad categories of 
systems of SCI entities that are subject to the regulation: ``SCI 
systems,'' ``critical SCI systems,'' and ``indirect SCI systems,'' with 
each category subject to differing requirements under Regulation SCI.
---------------------------------------------------------------------------

    \209\ See, e.g., NYSE Letter at 10; Joint SROs Letter at 5; 
Omgeo Letter at 4; KCG Letter at 3; DTCC Letter at 4; FIF Letter at 
3; Liquidnet Letter at 3; and OTC Markets Letter at 12-13.
---------------------------------------------------------------------------

    As discussed more fully below, the adopted definition of ``SCI 
systems'' includes those systems that directly support six areas that 
have traditionally been considered to be central to the functioning of 
the U.S. securities markets, namely trading, clearance and settlement, 
order routing, market data, market regulation, and market surveillance. 
SCI systems are subject to all provisions of Regulation SCI, except for 
certain requirements applicable only to critical SCI systems.
    In addition, the Commission is adopting a definition of ``critical 
SCI systems,'' a subset of SCI systems that are subject to certain 
heightened resilience and information dissemination provisions of 
Regulation SCI. Guided significantly by commenters' views on those 
systems that are most critical, the Commission is defining the term 
``critical SCI systems'' as SCI systems that: (1) Directly support 
functionality relating to: (i) Clearance and settlement systems of 
clearing agencies; (ii) openings, reopenings, and closings on primary 
trading markets; (iii) trading halts; (iv) initial public offerings; 
(v) the provision of consolidated market data (i.e., SIPs); or (vi) 
exclusively-listed securities; or (2) provide functionality to the 
securities markets for which the availability of alternatives is 
significantly limited or nonexistent and without which there would be a 
material impact on fair and orderly markets.\210\ As more fully 
discussed below, systems in this category are those that, if they were 
to experience systems issues, the Commission believes would be most 
likely to have a widespread and significant impact on the securities 
markets.
---------------------------------------------------------------------------

    \210\ See Rule 1000.
---------------------------------------------------------------------------

    In addition, the Commission is adopting a definition of ``indirect 
SCI systems,'' in place of the proposed definition of ``SCI security 
systems.'' ``Indirect SCI systems'' are subject only to the provisions 
of Regulation SCI relating to security and intrusions. The term 
``indirect SCI systems'' is defined to mean ``any systems of, or 
operated by or on behalf of, an SCI entity that, if breached, would be 
reasonably likely to pose a security threat to SCI systems'' and, if an 
SCI entity puts in place appropriate security measures, is intended to 
refer to few, if any, systems of the SCI entity.
b. SCI Systems
SCI Systems Generally
    Proposed Rule 1000(a) defined the term ``SCI systems'' to mean 
``all computer, network, electronic, technical, automated, or similar 
systems of, or operated by or on behalf of, an SCI entity, whether in 
production, development, or testing, that directly support trading, 
clearance and settlement, order routing, market data, regulation, or 
surveillance.'' \211\ After careful consideration of the comments, the 
Commission is refining the scope of the systems covered by the 
definition of ``SCI systems.'' As adopted, the term ``SCI systems'' in 
Rule 1000 means ``all computer, network, electronic, technical, 
automated, or similar systems of, or operated by or on behalf of, an 
SCI entity that, with respect to securities, directly support trading, 
clearance and settlement, order routing, market data, market 
regulation, or market surveillance.''
---------------------------------------------------------------------------

    \211\ See proposed Rule 1000(a) and Proposing Release, supra 
note 13, at Section III.B.2.
---------------------------------------------------------------------------

    One commenter generally supported the proposed definition of SCI 
systems, and stated that the definition should be expanded to include 
any technology system that has direct market access.\212\ In response 
to this comment, the Commission believes that many systems with direct 
market access are captured by the adopted definition. However, as

[[Page 72273]]

discussed above, the Commission has determined not to propose to expand 
the scope of Regulation SCI to include other broker-dealer entities and 
their systems at this time.\213\
---------------------------------------------------------------------------

    \212\ See Lauer Letter at 5.
    \213\ See supra Section IV.A.1 (discussing scope of SCI entities 
covered by Regulation SCI) and infra Section IV.E (discussing 
comments on the inclusion of broker-dealers generally within the 
scope of Regulation SCI).
---------------------------------------------------------------------------

    Contrary to the commenter who urged expansion of the proposed 
definition, many commenters believed the term to be too broad and 
recommended that it be revised in various ways.\214\ These commenters 
argued that the definition was over-inclusive, with some believing that 
it could potentially apply to all systems of an SCI entity.
---------------------------------------------------------------------------

    \214\ See, e.g., NYSE Letter at 10-11; Omgeo Letter at 3-6; MSRB 
Letter at 7-9; FIF Letter at 3; ICI Letter at 4; BIDS Letter at 15-
16; ITG Letter at 5; Liquidnet Letter at 3; CME Letter at 5; DTCC 
Letter at 3-5; OCC Letter at 3-4; Joint SROs Letter at 5; FINRA 
Letter at 5-10; SIFMA Letter at 8; Oppenheimer Letter at 3; OTC 
Markets Letter at 12; and Direct Edge Letter at 2.
---------------------------------------------------------------------------

    Specifically, several commenters recommended that the definition of 
SCI systems be revised to include a more limited set of systems than 
proposed.\215\ Commenters advocating this general approach provided 
various suggestions for the specific standard that they believed should 
apply. For example, among commenters' recommendations were suggestions 
that the definition of SCI systems should include only those systems: 
whose failure or degradation would reasonably be expected to have an 
adverse material impact on the sound operation of financial markets; 
\216\ that are highly critical to functioning as an SCI entity; \217\ 
that have the potential to impact the protection of securities 
investors and the maintenance of fair and orderly markets; \218\ that 
directly support trading, clearance and settlement, order routing, 
market data, regulation, or surveillance in real-time; \219\ that 
support the SCI entity's ``core functions . . . which the SCI entity 
performs pursuant to applicable Commission regulations;'' \220\ that 
are reasonably likely to pose a plausible risk to the markets (namely, 
systems that route or execute orders, clear and settle trades, or 
transmit required market data); \221\ or that impact the core functions 
of the overall market, which, according to the commenter, would include 
exclusive SIPs that transmit market data and systems responsible for 
primary NMS auction markets that set daily opening and closing 
prices.\222\ In addition, one commenter suggested that the term should 
be defined as a production system that connects to and is part of the 
electronic network that comprises the market.\223\ This commenter also 
noted that the definition should distinguish between systems that 
connect to the markets and those that are used to run a business.\224\ 
Another commenter suggested that, if Regulation SCI were to apply only 
to exchanges and ATSs, the term should be limited to exchange and ATS 
systems operated by the entity and should not include, for example, 
brokerage systems.\225\
---------------------------------------------------------------------------

    \215\ See, e.g., NYSE Letter at 10; Joint SROs Letter at 5; 
Omgeo Letter at 4; KCG Letter at 3; DTCC Letter at 4; FIF Letter at 
3; Liquidnet Letter at 3; and OTC Markets Letter at 12-13. See infra 
text accompanying notes 216-225.
    \216\ See Omgeo Letter at 4.
    \217\ See KCG Letter at 3. See also ICI Letter at 3 and 
Oppenheimer Letter at 3 (stating generally that the proposed 
definitions should be revised to more specifically focus on system 
events that are truly disruptive to the markets and the systems 
themselves that are likely to pose a risk to the fair and orderly 
operation of the markets or participants in the markets).
    \218\ See CME Letter at 5.
    \219\ See Joint SROs Letter at 5. This group of commenters 
further stated that non-real-time systems should not be included, as 
they do not warrant the level of oversight and added costs that the 
regulation imposes.
    \220\ See DTCC Letter at 4.
    \221\ See NYSE Letter at 3, 10. In addition, this commenter 
added that the key to whether a proposed ``supporting'' function 
should be included is whether or not it is critical to the proper 
operation of a core functionality.
    \222\ See OTC Markets Letter at 13.
    \223\ See BIDS Letter at 15-16. Thus, this commenter argued 
that, for a venue that does not route orders, the reporting of trade 
executions to the tape should not be enough to qualify such a system 
as an ``SCI system.''
    \224\ See id.
    \225\ See Liquidnet Letter at 3.
---------------------------------------------------------------------------

    The Commission is further focusing the scope of the definition of 
SCI systems in response to these comments.\226\ The Commission is 
replacing the proposed language referring to ``systems . . . whether in 
production, development, or testing that directly support trading, 
clearance and settlement, order routing, market data, regulation, or 
surveillance'' with the following language: ``systems, with respect to 
securities, that directly support trading, clearance and settlement, 
order routing, market data, market regulation, or market 
surveillance.'' As such, the adopted definition has been limited to 
apply to production systems that relate to securities market functions, 
and in particular to those six functions--trading, clearance and 
settlement, order routing, market data, market regulation, or market 
surveillance--that traditionally have been considered to be central to 
the functioning of the U.S. securities markets, as urged by several 
commenters.\227\ The Commission believes that systems providing these 
six functions may pose a significant risk to the maintenance of fair 
and orderly markets if their capacity, integrity, reliability, 
availability or security is compromised, and therefore that they should 
be covered by the definition of ``SCI systems.''
---------------------------------------------------------------------------

    \226\ See supra notes 215-218, 220-222, and 224-225, and 
accompanying text. The definition is not limited strictly to real-
time systems, however, or those that ``connect to'' and are ``part 
of the electronic network that comprises the market,'' because those 
limitations could exclude relevant systems, such as certain market 
regulation or market surveillance systems operated by or on behalf 
of an SCI entity, which the Commission views as integral to one or 
more of the six functions identified in the definition. In response 
to the commenter requesting that ``brokerage'' systems be excluded 
from the definition of SCI systems, the Commission notes that the 
adopted definition of SCI systems applies to systems that directly 
support the enumerated six functions, operated by or on behalf of an 
SCI entity. The definition therefore would exclude systems, 
including brokerage systems, that are not operated by or on behalf 
of an SCI entity. See, respectively, supra notes 219 and 223 and 
accompanying text.
    \227\ See supra notes 219-221 and accompanying text.
---------------------------------------------------------------------------

    Although some commenters pointed to the phrase ``directly support'' 
in the proposed rule as vague and overbroad,\228\ the Commission has 
retained this phrase in the adopted definition. The term ``directly 
support'' is retained to acknowledge that systems of SCI entities are 
complex and highly interconnected and that the definition of SCI 
systems should not exclude functionality or supporting systems on which 
the six identified categories of systems rely to remain 
operational.\229\ In response to comment that the definition of SCI 
systems should distinguish between systems that connect to the markets 
and those that are used to run a business,\230\ the Commission notes 
that the adopted definition would not include systems ``used to run a 
business'' if they are not within the six identified categories of 
market-related production systems and not necessary to their continued 
functioning. Further, the adopted definition clarifies that SCI systems 
encompass only those systems that, with respect to securities, directly 
support trading, clearance and settlement, order routing, market data, 
market regulation, or market surveillance. The Commission believes

[[Page 72274]]

that this change appropriately responds to one commenter's concerns 
that the proposed definition would capture systems operated by an SCI 
entity that have ``practically no relevance or relation to SEC 
markets'' and its suggestion that the definition should be revised to 
include only those systems that would directly impact a market that was 
subject to the Commission's jurisdiction. \231\ As a result of this 
modification, if an SCI SRO does not use its systems to conduct 
business with respect to securities, its systems would not fall within 
the definition of ``SCI systems.'' Further, if an SCI entity operates 
systems for the trading of both futures and securities, only its 
trading systems for securities would be subject to the requirements of 
Regulation SCI.\232\
---------------------------------------------------------------------------

    \228\ See OCC Letter at 3; and NYSE Letter at 10.
    \229\ The Commission notes that it believes that specifying that 
the definition applies to those systems that ``directly support'' 
these core functions is necessary so as to not result in a 
definition that is overly broad and would capture systems that only 
peripherally or indirectly support these functions. See generally 
supra notes 214-225 and accompanying text (discussing comments that 
urged revisions to the definition of SCI systems). See also infra 
Section IV.A.2.d (discussing the definition of ``indirect SCI 
systems'').
    \230\ See supra note 224 and accompanying text.
    \231\ See CME Letter at 5.
    \232\ However, the Commission notes that, if an SCI entity has 
systems that do not relate to securities, and that have not been 
properly walled off from its SCI systems for securities, they may be 
captured by the definition of ``indirect SCI systems'' (as discussed 
below) and subject to certain requirements of the rule including 
those relating to security and intrusions standards. See infra 
Section IV.A.2.d (discussing definition of ``indirect SCI 
systems'').
---------------------------------------------------------------------------

    In addition, one commenter urged that the Commission should 
initially limit the scope of SCI systems to those systems covered by 
the ARP Policy Statements (trading, clearance and settlement, and order 
routing) and phase in other types of systems later.\233\ The Commission 
believes that the adopted definition of SCI systems obviates the need 
for such an approach, as many systems for which the commenter urged a 
delay in compliance will not be covered by the regulation, as adopted.
---------------------------------------------------------------------------

    \233\ See MSRB Letter at 9.
---------------------------------------------------------------------------

SCI Systems: Inclusions and Exclusions
    Various commenters objected to specific categories proposed to be 
included in the definition of SCI systems. First, many commenters 
opposed the proposed inclusion of development and testing systems in 
the definition, noting that issues in development and testing systems 
would have little or no impact on the operations of SCI entities and 
that such systems are designed to identify and address problems before 
they are introduced into production systems.\234\ Some commenters 
argued that inclusion of development and testing systems in the 
definition of SCI systems would subject such systems to more 
requirements under Regulation SCI than was necessary and noted that 
certain other provisions of Regulation SCI would necessarily include 
reporting information to the Commission on such systems, even without 
their inclusion in the definition of SCI systems.\235\ For example, one 
commenter stated that application of most provisions of Regulation SCI 
to testing and development systems would provide little benefit, and 
noted that updates regarding systems in development and material new 
features of existing systems could instead be done through the semi-
annual reports to the Commission under proposed Rule 1000(b)(8).\236\ 
Similarly, one commenter noted that information regarding the status of 
systems that are in development and testing would be captured in the 
notices regarding material systems changes under proposed Rule 
1000(b)(6) and in the updates under proposed Rule 1000(b)(8).\237\ 
Alternatively, this commenter suggested that the Commission could 
require that any testing errors be corrected (and such corrections be 
retested) prior to implementation of those changes in production.\238\
---------------------------------------------------------------------------

    \234\ See NYSE Letter at 11; FINRA Letter at 10-11; Omgeo Letter 
at 5; DTCC Letter at 4; SIFMA Letter at 8; BIDS Letter at 16; MSRB 
Letter at 7-8; OCC Letter at 5; CME Letter at 6; Joint SROs Letter 
at 5; and Direct Edge Letter at 2. One commenter qualified this 
position by stating that, to the extent that a systems issue in a 
development and testing environment were to give rise to an issue 
affecting an SCI system, the proposal should apply to that 
development and testing environment. See OCC Letter at 5.
    \235\ See MSRB Letter at 7; and DTCC Letter at 4.
    \236\ See MSRB Letter at 7.
    \237\ See DTCC Letter at 4.
    \238\ See id.
---------------------------------------------------------------------------

    The Commission believes that certain modifications to the elements 
of the proposed definition of SCI systems are appropriate. First, in 
response to comments, the reference to development and testing systems 
in the proposed definition of SCI systems has been deleted.\239\ As 
commenters pointed out, development and testing systems are generally 
designed to identify and address problems before new systems or systems 
changes are introduced into production systems and, by their nature, 
can often experience issues, both intentional and unplanned, during the 
testing process. The Commission believes that systems issues that occur 
with respect to such systems are less likely to have a significant 
impact on the operations of an SCI entity or on the securities markets 
as a whole than issues occurring with respect to production systems. 
Further, subjecting these systems to the Commission notification 
requirements in adopted Rule 1002(b) could have the unintended effect 
of deterring SCI entities from fully utilizing the testing and 
development processes to test new systems and systems changes and 
develop solutions to issues prior to implementation of such systems or 
changes in production. At the same time, the Commission notes that, in 
order to have policies and procedures reasonably designed to achieve 
capacity, integrity, resiliency, availability, and security for SCI 
systems in accordance with adopted Rule 1001(a), an SCI entity will be 
required to have policies and procedures that include a program to 
review and keep current systems development and testing methodology for 
SCI systems.\240\ Accordingly, review of programs relating to systems 
development and testing for SCI systems is within the scope of 
Regulation SCI, and an SCI entity should reasonably expect Commission 
staff to review such processes and systems during the course of its 
exams and inspections. In addition, the Commission notes that the 
definition of SCI review in adopted Rule 1000 and corresponding 
requirements for an annual SCI review in adopted Rule 1003(b) require 
an assessment of internal control design and effectiveness, which 
includes development processes.\241\ Further, if development and 
testing systems are not appropriately walled off from production 
systems, such systems could be captured under the definition of 
indirect SCI systems as discussed below and be subject to the 
requirements of Regulation SCI. If an SCI entity's development and 
testing systems are not walled off from production systems, the SCI 
entity should consider whether its policies and procedures should 
specify safeguards to ensure that its personnel can clearly distinguish 
the development and testing systems from the production systems, in 
order to avoid inadvertent errors that may result in an SCI event.
---------------------------------------------------------------------------

    \239\ Because the Commission is removing development and testing 
systems from the definition of SCI systems, the reference to 
production systems in the definition of SCI systems is also being 
deleted as it is unnecessary to distinguish between development, 
testing and production systems within the definition. See adopted 
Rule 1000 (definition of ``SCI systems'').
    \240\ See adopted Rule 1001(a) and discussion in infra Section 
IV.B.1 (discussing the policies and procedures requirement under 
adopted Rule 1001(a)).
    \241\ See adopted Rules 1000 and 1003(b) and discussion in infra 
Section IV.B.5 (discussing the SCI review requirement). The 
Commission also notes that development processes include testing 
processes.
---------------------------------------------------------------------------

    Some commenters also opposed the proposed inclusion of regulatory 
and surveillance systems within the definition of SCI systems or 
suggested that the Commission refine or clarify the scope of such 
systems.\242\ Some of these

[[Page 72275]]

commenters argued that inclusion of such systems was not necessary 
because these systems do not operate on a real-time basis or have a 
real-time impact on trading.\243\ Further, one commenter suggested that 
periodic reporting of material outages or delays in the operation of 
regulatory and surveillance systems, pursuant to appropriate policies 
and procedures, would support the goals of Regulation SCI without 
imposing undue burdens on SCI entities or raising the risk that market 
participants would purposefully direct order flow to SCI entities 
experiencing regulatory or surveillance systems issues.\244\ Another 
commenter advocated for replacing the terms ``regulation'' and 
``surveillance'' with ``market regulation'' and ``market 
surveillance,'' respectively, and asked the Commission to clarify the 
difference between ``regulatory'' and ``surveillance'' systems.\245\
---------------------------------------------------------------------------

    \242\ See NYSE Letter at 11; BATS Letter at 5; MSRB Letter at 8-
9; and FINRA Letter at 7-8.
    \243\ See NYSE Letter at 11; and Joint SROs Letter at 5.
    \244\ See NYSE Letter at 11 (citing concerns regarding the 
potential that dissemination of information regarding issues with 
regulatory or surveillance systems to members or participants could 
provide a ``roadmap for violative market behavior'').
    \245\ See FINRA Letter at 7-8.
---------------------------------------------------------------------------

    In consideration of these comments, the Commission has determined 
to limit SCI systems to those systems relating to market regulation and 
market surveillance rather than including all regulation and 
surveillance systems. As proposed, the definition contained no such 
limitations and could potentially be interpreted to cover systems used 
for member regulation and member surveillance. The Commission does not 
believe that inclusion of member regulation or member surveillance 
systems such as those, for example, relating to member registration, 
capital requirements, or dispute resolution, would advance the goals of 
Regulation SCI. Issues relating to such systems are unlikely to have 
the same level of impact on the maintenance of fair and orderly markets 
or an SCI entity's operational capability as those systems identified 
in the definition of SCI systems. The Commission believes that this 
change will more appropriately capture only those regulatory and 
surveillance systems that are related to core market functions, such as 
trading, clearance and settlement, order routing, and market data.\246\
    Another element of the proposed definition of ``SCI systems'' that some 
commenters addressed was the inclusion of market data systems. 
Specifically, one commenter believed that the inclusion of all market 
data systems was too broad, and argued that only ``systems that 
directly support `the transmission of market data as required by the 
Exchange Act''' should be included, thus limiting the types of market 
data systems to those relating to consolidated data and excluding those 
that transmit proprietary market data.\247\ Although the term ``market 
data'' is not defined in Regulation SCI, that term generally refers to 
price information for securities, both pre-trade and post-trade, such 
as quotations and transaction reports.\248\ In response to the 
commenter urging that only market data systems relating to consolidated 
data be included, the term ``market data'' does not refer exclusively 
to consolidated market data, but includes proprietary market data 
generated by SCI entities as well. The Commission notes that both 
consolidated and proprietary market data systems are widely used and 
relied upon by a broad array of market participants, including 
institutional investors, to make trading decisions, and that if a 
consolidated or a proprietary market data feed became unavailable or 
otherwise unreliable, it could have a significant impact on the trading 
of the securities to which it pertains, and could interfere with the 
maintenance of fair and orderly markets. Therefore, systems of an SCI 
entity directly supporting proprietary market data or consolidated 
market data are both within the scope of the definition of SCI systems 
and subject to Regulation SCI. However, the Commission has repeatedly 
emphasized the importance of consolidated market data to the national 
market system and the protection of investors \249\ and the severe 
impact of its unavailability was evidenced by the SIP outage in August 
2013.\250\ Thus, as discussed below, systems directly supporting 
functionality related to the provision of consolidated market data are 
distinguished by their inclusion in the definition of ``critical SCI 
systems.'' \251\
---------------------------------------------------------------------------

    \246\ The Commission notes that Rule 613 of Regulation NMS 
requires the creation of an NMS plan to govern the creation, 
implementation, and maintenance of a consolidated audit trail and 
central repository. See 17 CFR 242.613. See also Securities Exchange 
Act Release No. 67457 (July 18, 2012), 77 FR 45722 (August 1, 2012) 
(``Consolidated Audit Trail Adopting Release''). Although the 
consolidated audit trail central repository has not yet been 
created, the Commission believes that the consolidated audit trail 
repository will be a market regulation system that falls within the 
definition of SCI systems, and further that it will be an SCI system 
of each SCI SRO that is a member of an approved NMS plan under Rule 
613, because it will be a facility of each SCI SRO that is a member 
of such plan. See Consolidated Audit Trail Adopting Release, 77 FR 
at 45774 (stating, ``[T]he central repository will be jointly owned 
by, and be a facility of, each SRO that is a sponsor of the NMS 
plan.''). See also SCI Proposing Release, supra note 13, at 18099 
(contemplating inclusion of the consolidated audit trail central 
repository as an SCI system).
    \247\ See NYSE Letter at 10-11.
    \248\ See Exchange Act Section 11A (15 U.S.C. 78K-1(a)(1)(C)(iii)), 
granting the Commission authority to assure the availability to 
brokers, dealers, and investors of ``information with respect to 
quotations for and transactions in securities''. 
See also Regulation of Market Information Fees and Revenues, 
Securities Exchange Act Release No. 42208, 64 FR 70613 (December 17, 
1999) (describing ``market information'' as information concerning 
quotations for and transactions in equity securities and options 
that are actively traded in the U.S. markets).
    \249\ See, e.g., Concept Release on Equity Market Structure, 
supra note 198; and Regulation NMS Adopting Release, supra note 182, 
at 37503-04.
    \250\ See supra note 32 and accompanying text.
    \251\ See infra Section IV.A.2.c (discussing definition of 
``critical SCI systems'').
---------------------------------------------------------------------------

    Further, one commenter questioned whether the phrase ``market data 
systems'' was intended to be limited to data-driven systems devoted to 
price transparency or whether the Commission also intended to include 
document-based systems devoted to public disclosure.\252\ In response 
to this comment, the Commission notes that systems providing or 
directly supporting price transparency are within the scope of SCI 
systems.\253\ However, systems solely providing or directly supporting 
other types of data, such as systems used by market participants to 
submit disclosure documents, or systems used by SCI entities to make 
disclosure documents publicly available, are not within the scope of 
SCI systems, so long as they do not also directly support price 
transparency.
---------------------------------------------------------------------------

    \252\ See MSRB Letter at 8-9 (citing its EMMA Primary Market 
Disclosure Service and EMMA Continuing Disclosure Service system as 
an example of a document-based system devoted to public disclosure).
    \253\ With regard to this particular comment, the Commission 
notes that the specific systems referenced--the RTRS, EMMA Primary 
Market Disclosure Service, EMMA Continuing Disclosure Service and 
SHORT System--all include pricing information for securities, and 
thus would fall within the definition of ``SCI systems.''
---------------------------------------------------------------------------

    Several commenters also argued that the term SCI systems should not 
include systems operated on behalf of an SCI entity by a third 
party.\254\ Some of these commenters pointed to potential difficulties 
with meeting the requirements of Regulation SCI with regard to third 
party systems.\255\ One

[[Page 72276]]

commenter specifically suggested that the proposal should be limited to 
those systems under the control of the SCI entity.\256\ Another 
commenter noted that the SCI entity should instead be responsible for 
managing these relationships through due diligence, contract terms, and 
monitoring of third party performance.\257\ One commenter also 
requested that the Commission clarify how SCI entities should comply 
with the oversight of vendor systems as part of Regulation SCI.\258\
---------------------------------------------------------------------------

    \254\ See Omgeo Letter at 5-6; DTCC Letter at 4; SIFMA Letter at 
8-9; BIDS Letter at 16; and BATS Letter at 4. See also ITG Letter at 
5 (expressing concern about the inclusion of systems of third 
parties operated on behalf of an SCI entity and systems that are 
unrelated to the trading operations of an ATS).
    \255\ See, e.g., Omgeo Letter at 5-6; and BATS Letter at 4 
(arguing that it would be difficult for SCI entities to ensure 
compliance by third party vendors absent their willingness to 
disclose to SCI entities highly detailed information about their 
intellectual property and proprietary systems).
    \256\ See SIFMA Letter at 9.
    \257\ See BIDS Letter at 16.
    \258\ See FIF Letter at 3.
---------------------------------------------------------------------------

    Although several commenters argued that the term SCI systems should 
not include third-party systems, the Commission continues to believe 
that, if a system is operated on behalf of an SCI entity and directly 
supports one of the six key functions listed within the definition of 
SCI system, it should be included as an SCI system subject to the 
requirements of Regulation SCI. The Commission believes that any system 
that directly supports one of the six functions enumerated in the 
definition of SCI system is important to the functioning of the U.S. 
securities markets, regardless of whether it is operated by the SCI 
entity directly or by a third party. The Commission believes that 
permitting such systems to be excluded from the requirements of 
Regulation SCI would significantly reduce the effectiveness of the 
regulation in promoting the national market system by ensuring the 
capacity, integrity, resiliency, availability, and security of those 
systems important to the functioning of the U.S. securities markets. 
Further, if the definition did not include systems operated on behalf 
of an SCI entity, the Commission is concerned that some SCI entities 
might be inclined to outsource certain of their systems solely to avoid 
the requirements of Regulation SCI, which would further undermine the 
goals of Regulation SCI. The Commission agrees with the comment that an 
SCI entity should be responsible for managing its relationship with 
third parties operating systems on behalf of the SCI entity through due 
diligence, contract terms, and monitoring of third party performance. 
However, the Commission believes that these methods may not be 
sufficient in all cases to ensure that the requirements of Regulation 
SCI are met for SCI systems operated by third parties. The fact that 
they might be sufficient some of the time is therefore not a basis for 
excluding these systems from the definition of SCI systems. Instead, if 
an SCI entity determines to utilize a third party for an applicable 
system, it is responsible for having in place processes and 
requirements to ensure that it is able to satisfy the requirements of 
Regulation SCI for systems operated on behalf of the SCI entity by a 
third party. The Commission believes that it would be appropriate for 
an SCI entity to evaluate the challenges associated with oversight of 
third-party vendors that provide or support its applicable systems 
subject to Regulation SCI. If an SCI entity is uncertain of its ability 
to manage a third-party relationship (whether through due diligence, 
contract terms, monitoring, or other methods) to satisfy the 
requirements of Regulation SCI,\259\ then it would need to reassess its 
decision to outsource the applicable system to such third party.\260\ 
For example, if a third-party vendor is unwilling to disclose to an SCI 
entity information regarding the vendor's intellectual property or 
proprietary system that the SCI entity believes it needs to satisfy the 
requirements of Regulation SCI, as some commenters suggested might be 
the case, an SCI entity will need to reassess its relationship with 
that vendor, because the vendor's unwillingness to provide necessary 
information or other assurances would not exclude the outsourced system 
from the definition of SCI systems. Accordingly, the definition of SCI 
system, as adopted in Rule 1000, retains the reference to systems 
operated ``on behalf of'' SCI entities.
---------------------------------------------------------------------------

    \259\ See BIDS Letter at 16 (suggesting these methods of 
managing third-party relationships to comply with the proposed 
rule).
    \260\ See FIF Letter at 3 and FINRA Letter at 22-23 (requesting 
Commission guidance on how an SCI entity should manage third-party 
relationships in the context of adopted Regulation SCI). See also 
infra notes 851-852 and accompanying text (discussing comments on 
the risk of noncompliance by an SCI entity in connection with 
reporting SCI events and material systems changes due to challenges 
posed by third-party systems).
---------------------------------------------------------------------------

    Finally, some commenters asked for clarification on miscellaneous 
aspects of the definition. For example, one commenter requested that 
the Commission clarify that the definition of SCI system for purposes 
of Regulation SCI is separate and distinct from the definition of a 
facility set forth in Section 3(a)(2) of the Exchange Act.\261\ The 
Commission notes that the term ``SCI system'' under Regulation SCI is 
distinct from the term ``facility'' in Section 3(a)(2) of the Exchange 
Act.\262\ Because a facility of an exchange would only fall within the 
definition of ``SCI systems'' if it is a system that directly supports 
any one of the six functions provided in the definition of ``SCI 
systems,'' not all systems that are facilities of an exchange will be 
SCI systems. For example, as noted in the SCI Proposal, the definition 
of SCI systems would apply to systems of exchange-affiliated routing 
brokers that are facilities of national securities exchanges.\263\ But 
a system used for member regulation that may meet the definition of a 
facility under the Exchange Act would not be within the scope of the 
definition of ``SCI systems.''
---------------------------------------------------------------------------

    \261\ See NYSE Letter at 10.
    \262\ See 15 U.S.C. 78c3(a)(2).
    \263\ See Proposing Release, supra note 13, at 18099.
---------------------------------------------------------------------------

    Another commenter requested confirmation that internal systems are 
excluded from the definition of SCI system.\264\ The Commission notes 
that the definition of ``SCI system'' does not differentiate between 
``internal systems'' and those systems accessed by market participants 
or other outside parties.\265\ The Commission notes that, while some 
internal systems of an SCI entity may not meet the definition of SCI 
system, it does not believe that all internal systems (as 
described by this commenter) would be outside of the scope of the 
definition of SCI system.\266\
---------------------------------------------------------------------------

    \264\ See FINRA Letter at 10.
    \265\ See adopted Rule 1000 (definition of SCI systems).
    \266\ In addition, the Commission notes that, while certain 
internal systems may not be ``SCI systems,'' they may instead meet 
the definition of ``indirect SCI systems'' under adopted Rule 1000, 
if they are not properly walled off from SCI systems. However, as 
discussed below, the Commission is clarifying the meaning of this 
defined term to note that systems that are effectively physically or 
logically separated from SCI systems would be outside of the 
definition of indirect SCI systems and thus outside of the scope of 
Regulation SCI. See infra Section IV.A.2.d (discussing the 
definition of ``indirect SCI systems'').
---------------------------------------------------------------------------

    Other commenters advocated that SCI entities should be permitted to 
conduct their own risk-based assessment to determine which of their 
systems should be considered SCI systems.\267\ One commenter noted that 
SCI entities should be required to develop and maintain an established 
methodology for identifying which systems qualify as SCI systems,\268\ 
while other commenters advocated for coordination with the Commission 
in establishing criteria to be used in conducting such risk-based 
assessments or review by the Commission of an SCI entity's own risk-
based assessment.\269\ The Commission has carefully considered these 
comments and generally agrees that 
certain systems pose greater risk to the markets in the event of a 
systems issue and are of paramount importance to the functioning of the 
U.S. securities markets. Rather than include only those in the 
definition of SCI systems, the Commission believes that it is more 
prudent to instead identify these systems as ``critical SCI systems'' 
subject to certain heightened obligations. Further, adopted Rule 
1001(a) requiring SCI entities to have policies and procedures 
reasonably designed to ensure that their systems have adequate levels 
of capacity, integrity, resiliency, availability, and security is 
consistent with a risk-based approach.\270\ Specifically, as discussed 
in further detail below, an SCI entity may tailor its policies and 
procedures based on the relative criticality of a given SCI system to 
the SCI entity and to the securities markets generally.\271\
---------------------------------------------------------------------------

    \267\ See DTCC Letter at 3-5; Omgeo Letter at 5-6; and OCC 
Letter at 3-4.
    \268\ See Omgeo Letter at 5.
    \269\ See OCC Letter at 3-4; and DTCC Letter at 3-4.
    \270\ See adopted Rule 1001(a). See also infra Section IV.B.1 
(discussing policies and procedures for operational capability).
    \271\ See infra Section IV.B.1.a-b (discussing the use of risk-
based considerations to tailor policies and procedures for 
operational capability).
---------------------------------------------------------------------------

c. Critical SCI Systems
    As discussed above, in response to comments, the Commission is 
incorporating a risk-based approach in certain aspects of Regulation 
SCI.\272\ To that end, the Commission is adopting a definition of 
``critical SCI systems'' to designate SCI systems that the Commission 
believes should be subject to the highest level of requirements. As a 
subset of ``SCI systems,'' ``critical SCI systems'' are subject to the 
same provisions as ``SCI systems,'' except that critical SCI systems 
are subject to certain heightened resilience and information 
dissemination provisions of Regulation SCI. In these respects, critical 
SCI systems are subject to an increased level of obligation as compared 
to other SCI systems.\273\
---------------------------------------------------------------------------

    \272\ See supra notes 53-56 and accompanying text (discussing 
comments on a risk-based approach).
    \273\ See infra Sections IV.B.1.b and IV.B.3.d (discussing the 
two-hour resumption goal for ``critical SCI systems'' and 
information dissemination requirement for ``major SCI events,'' 
respectively).
---------------------------------------------------------------------------

    Rule 1000 defines ``critical SCI systems'' as ``any SCI systems of, 
or operated by or on behalf of, an SCI entity that: (1) Directly 
support functionality relating to: (i) Clearance and settlement systems 
of clearing agencies; \274\ (ii) openings, reopenings, and closings on 
the primary listing market; (iii) trading halts; (iv) initial public 
offerings; (v) the provision of consolidated market data; or (vi) 
exclusively-listed securities; or (2) provide functionality to the 
securities markets for which the availability of alternatives is 
significantly limited or nonexistent and without which there would be a 
material impact on fair and orderly markets.''
---------------------------------------------------------------------------

    \274\ ``Clearance and settlement systems of clearing agencies'' 
includes systems of registered clearing agencies and exempt clearing 
agencies subject to ARP. See Rule 1000 (definition of ``exempt 
clearing agency subject to ARP,'' which by its terms would also 
include an entity that has received from the Commission an exemption 
from registration as a clearing agency under Section 17A of the Act, 
and whose exemption contains conditions that relate to ARP, or any 
Commission regulation that supersedes or replaces such policies, 
including Regulation SCI).
---------------------------------------------------------------------------

    As noted above, many commenters advocated for a risk-based approach 
to Regulation SCI and either suggested that only the entities or 
systems that pose the greatest risk to the markets should be within the 
scope of the regulation or, alternatively, that the requirements of 
Regulation SCI be tailored to the specific risk-profile of a particular 
entity or particular system.\275\ While the Commission disagrees with 
commenters who suggested that Regulation SCI should apply only to 
``critical systems,'' as it believes that these are not the only 
systems that could pose a significant risk to the securities markets, 
the Commission believes that it is appropriate to hold systems that 
pose the greatest risk to the markets if they malfunction to higher 
standards and more stringent requirements under Regulation SCI. Recent 
events have also demonstrated the importance of certain critical 
systems functionality, including those that represent ``single points 
of failure'' to the securities markets, and the need for more robust 
market infrastructure, particularly with regard to critical market 
systems.\276\
---------------------------------------------------------------------------

    \275\ See supra notes 53-56 and 216-222 and accompanying text 
(discussing comments on a risk-based approach and limiting SCI 
systems to only core or critical systems).
    \276\ See supra Section II.B (describing recent events involving 
systems-related issues). In particular, the Nasdaq SIP incident, 
which caused a disruption in the dissemination of consolidated 
market data in the equity markets and led to a trading halt in all 
Nasdaq-listed stocks for several hours, confirmed that disruptions 
in systems that represent single points of failure can have a major 
and detrimental impact across an entire national market system.
---------------------------------------------------------------------------

    The Commission believes that the adoption of the definition of 
``critical SCI systems'' and heightened requirements for such systems 
recognizes that some systems are critical to the continuous and orderly 
functioning of the securities markets more broadly and, as such, 
ensuring their capacity, integrity, resiliency, availability, and 
security is of the utmost importance. Therefore, as discussed further 
below, the Commission believes that it is appropriate for such critical 
SCI systems to be held to heightened requirements (as compared to those 
for SCI systems) related to capacity, integrity, resiliency, 
availability, and security generally; rapid recovery following wide-
scale disruptions; and disclosure of SCI events. The Commission 
believes that the definition of critical SCI systems is appropriately 
designed to identify those SCI systems whose functions are critical to 
the operation of the markets, including those systems that represent 
potential single points of failure in the securities markets. Systems 
in this category are those that, if they were to experience systems 
issues, the Commission believes would be most likely to have a 
widespread and significant impact on the securities markets.
    The first prong of the definition identifies six specific 
categories of systems that the Commission believes are the most 
critical to the securities markets, and the most likely to have 
widespread and significant market impact should a systems issue occur. 
These are: clearance and settlement systems of clearing agencies; 
openings, reopenings, and closings on the primary listing market; 
trading halts; initial public offerings; the provision of consolidated 
market data (i.e., SIPs); and exclusively-listed securities.
    In the context of suggesting the adoption of a risk-based approach 
for Regulation SCI, some commenters identified those functions that 
they believed were most critical to the functioning of the markets. 
Among those identified were clearance and settlement, opening and 
closing auctions, IPO auctions, the provision of consolidated market 
data by the SIPs; and trading of exclusively-listed securities.\277\ 
The Commission agrees with commenters who characterized these 
categories of systems as critical. In addition, as discussed below, the 
Commission believes that systems that directly support functionality 
relating to 
trading halts should be included in the definition of critical SCI 
systems.
---------------------------------------------------------------------------

    \277\ See, e.g., Direct Edge Letter at 2 (citing, among others, 
SIPs and clearance and settlement systems as essential to continuous 
market-wide operation); KCG Letter at 2-3 (identifying opening and 
closing auctions, IPO auctions, trading of exclusively-listed 
options, market data consolidators, and settlement and central 
clearing as ``single points of failure'' that should be subject to 
heightened regulatory requirements); and SIFMA Letter at 4 (stating 
that highly critical functions should include primary listing 
exchanges, trading exclusively listed securities, SIPs, clearance 
and settlement, distribution of unique post-trade transparency 
information, and real-time market surveillance). Although these 
commenters were urging that Regulation SCI apply only to these 
critical systems, as explained above, the Commission believes that 
such an approach would be too limited.
---------------------------------------------------------------------------

    With respect to ``clearance and settlement systems of clearing 
agencies,'' the clearance and settlement of securities is fundamental 
to securities market activity.\278\ Clearing agencies perform a variety 
of services that help ensure that trades settle on time and at the 
agreed upon terms. For example, clearing agencies compare transaction 
information (or report to members the results of exchange comparison 
operations), calculate settlement obligations (including net 
settlement), collect margin (such as initial and variation margin), and 
serve as a depository to hold securities as certificates or in 
dematerialized form to facilitate automated settlement. Because of 
their role, clearing agencies are critical central points in the 
financial system. A significant portion of securities activity flows 
through one or more clearing agencies. Clearing agencies have direct 
links to participants and indirect links to the customers of 
participants. Clearing agencies are also linked to each other through 
common participants and, in some cases, by operational processes. Safe 
and reliable clearing agencies are essential not only to the stability 
of the securities markets they serve but often also to payment systems, 
which may be used by a clearing agency or may themselves use a clearing 
agency to transfer collateral.\279\ The safety of securities settlement 
arrangements and post-trade custody arrangements is also critical to 
the goal of protecting the assets of investors from claims by creditors 
of intermediaries and other entities that perform various functions in 
the operation of the clearing agency.\280\ Investors are more likely to 
participate in markets when they have confidence in the safety and 
reliability of clearing agencies as well as settlement systems.\281\ 
Accordingly, the Commission believes ``clearance and settlement systems 
of clearing agencies'' are appropriate for inclusion in the definition 
of critical SCI systems.\282\
---------------------------------------------------------------------------

    \278\ See Clearing Agency Standards Release, supra note 76, at 
66220, 66264.
    \279\ See Clearing Agency Standards Release, supra note 76, at 
66264.
    \280\ See id.
    \281\ See id.
    \282\ The Commission notes that systems of SCI entities other 
than clearing agencies that are used in connection with the 
clearance and settlement of trades are not captured by the 
definition of ``critical SCI systems,'' but rather would fall within 
the definition of ``SCI systems,'' as discussed above. See supra 
Section IV.2. The Commission believes that such systems of other SCI 
entities, such as SROs and ATSs, do not provide the same critical 
functions or pose the same level of risk to the market as the 
clearance and settlement systems of clearing agencies as discussed 
above.
---------------------------------------------------------------------------

    Similarly, reliable openings, reopenings, and closings on primary 
listing markets are key to the establishment and maintenance of fair 
and orderly markets. NYSE and Nasdaq, for example, each have an opening 
cross for their listed securities that solicits trading interest and 
generates a single auction price that attracts widespread participation 
and is relied upon as a benchmark by other markets and market 
participants.\283\ Similar processes are used, and heavy levels of 
participation typically are generated, at the primary listing markets 
in the reopening cross that follows a trading halt.\284\ Closing 
auctions at the primary listing markets also attract widespread 
participation, and the closing prices they establish are commonly used 
as benchmarks, such as to value derivative contracts and generate 
mutual fund net asset values. As such, during these critical trading 
periods, market participants rely on the processes of the primary 
listing markets to effect transactions, and establish benchmark prices 
that are used in a wide variety of contexts so that the unavailability 
or disruption of systems directly supporting the opening, reopening and 
closing processes on the primary listing markets could have widespread 
detrimental effects.\285\
---------------------------------------------------------------------------

    \283\ See Nasdaq Rule 4752 (Opening Process) and NYSE Rules 115A 
(Orders at the Opening) and 123D (Openings and Halts in Trading).
    \284\ See, e.g., Nasdaq Rule 4753 (Nasdaq Halt and Imbalance 
Crosses) and NYSE Rules 115A (Orders at the Opening) and 123D 
(Openings and Halts in Trading).
    \285\ For example, press reports indicated that the decision to 
close the New York Stock Exchange in the wake of Superstorm Sandy, 
and the resulting lack of availability of the NYSE opening and 
closing prices, was a significant contributing cause of the 
unscheduled closure of the U.S. national securities exchanges. See, 
e.g., Jenny Strasburg, Jonathan Cheng, and Jacob Bunge, ``Behind 
Decision to Close Markets,'' Wall St. J., October 29, 2012. See also 
Proposing Release, supra note 13, at 18091 (discussing the effects 
of Superstorm Sandy on the securities markets). While other 
exchanges outside of the path of Superstorm Sandy did not experience 
the same risks to their electronic trading systems as the NYSE and 
could have otherwise opened for business, the risk that opening and 
closing prices might not be set by NYSE for its listed securities 
contributed to the consensus recommendation of market participants 
that the markets remain closed. See Jenny Strasburg, Jonathan Cheng, 
and Jacob Bunge, ``Behind Decision to Close Markets,'' Wall St. J., 
October 29, 2012.
---------------------------------------------------------------------------

    In addition, the Commission believes that systems directly 
supporting functionality relating to trading halts \286\ are essential 
to the orderly functioning of the securities markets, and therefore 
should be included in the definition of critical SCI systems. In the 
event a trading halt is necessary, it is essential that the systems 
responsible for communicating the trading halt--typically maintained by 
the primary listing market--are robust and reliable so that the trading 
halt is effective across the U.S. securities markets. For example, when 
there is material ``news pending'' with respect to an issuer, it is the 
responsibility of the primary listing market to call a regulatory halt 
by generating a halt message which, when received by other trading 
centers, requires them to cease trading the security.\287\ Similar 
responsibilities are placed on the primary listing market with respect 
to calling trading halts under the National Market System Plan to 
Address Extraordinary Market Volatility, as well as on plan processors 
to disseminate this information to the public.\288\ Thus, systems which 
communicate information regarding trading halts provide an essential 
service in the U.S. markets and, should a systems issue occur affecting 
the ability of an SCI entity to provide such notifications, the fair 
and orderly functioning of the securities markets may be significantly 
impacted.
---------------------------------------------------------------------------

    \286\ For purposes of clarity, the Commission notes that the 
term ``trading halts'' as used in this context is intended to 
capture market-wide halts, such as regulatory halts, rather than a 
halt to trading for securities on a particular market (for example, 
caused by a systems issue specific to that market).
    \287\ See, e.g., CTA Plan Section IX(a), available at: http://www.nyxdata.com/cta; National Market System Plan To Address 
Extraordinary Market Volatility, Section VII (``Limit Up/Limit Down 
Plan''); NYSE Arca Rule 7.12, BATS Rule 11.18, and EDGA Rule 11.14. 
See also Securities Exchange Act Release No. 67091 (May 31, 2012), 
77 FR 33498 (June 6, 2012) (File No. 4-631) (Order Approving, on a 
Pilot Basis, the National Market System Plan To Address 
Extraordinary Market Volatility) (``Limit Up/Limit Down Plan 
Approval Order'').
    \288\ See Limit Up/Limit Down Plan, supra note 287 and Limit Up/
Limit Down Plan Approval Order, supra note 287.
---------------------------------------------------------------------------

    Companies offer shares of capital stock to the general public for 
the first time through the IPO process, in which the primary listing 
market initiates public trading in a company's shares. The IPO is 
conducted exclusively on that exchange, and secondary market trading 
cannot commence on any other exchange until the opening trade is 
printed on the primary listing market.\289\ As such, the Commission 
believes that an exchange's systems that directly support the IPO 
process and the initiation of secondary market trading are a critical 
element of the capital formation process and the effective functioning 
of the securities markets. The Commission believes that these 
systems, which are the sole responsibility of the primary listing 
market, can adversely affect not only the IPO of a particular issuer, 
but may also result in significant monetary losses and harm to 
investors if they fail.\290\ As noted in the SCI Proposal, systems 
issues affecting the two recent high-profile IPOs highlighted how 
disruptions in IPO systems can have a significant impact on the 
market.\291\
---------------------------------------------------------------------------

    \289\ See Rule 12f-2 under the Exchange Act, 17 CFR 240.12f-2 
(providing that a national securities exchange may extend unlisted 
trading privileges to a security when at least one transaction in 
the security has been effected on the national securities exchange 
upon which the security is listed and the transaction has been 
reported pursuant to an effective transaction reporting plan).
    \290\ See, e.g., supra note 36 (discussing the losses associated 
with Nasdaq's Facebook IPO).
    \291\ Specifically, in March 2012, BATS announced that a 
``software bug'' caused BATS to shut down the IPO of its own stock, 
and in May 2012, issues with Nasdaq's trading systems delayed the 
start of trading in the IPO of Facebook, Inc. and some market 
participants experienced delays in notifications of whether orders 
had been filled. See Proposing Release, supra note 13, at 18089; and 
Securities Exchange Act Release No. 69655, In the Matter of The 
NASDAQ Stock Market, LLC and NASDAQ Execution Services, LLC (settled 
action: May 29, 2013), available at: http://www.sec.gov/litigation/admin/2013/34-69655.pdf. Nasdaq and Nasdaq Execution Services, LLC 
consented to an Order Instituting Administrative and Cease-and-
Desist Proceedings Pursuant to Sections 19(h)(1) and 21C of the 
Securities Exchange Act of 1934, Making Findings, and Imposing 
Sanctions and a Cease-and-Desist Order.
---------------------------------------------------------------------------

    Systems directly supporting the provision of consolidated market 
data are also critical to the functioning of U.S. securities markets 
and represent potential single points of failure in the delivery of 
important market information. When Congress mandated a national market 
system in 1975, it emphasized that the systems for collecting and 
distributing consolidated market data would be central features of the 
national market system.\292\ Further, one of the findings of the recent 
report by the staffs of the Commission and the CFTC on the market 
events of May 6, 2010 was that ``fair and orderly markets require that 
the standards for robust, accessible, and timely market data be set 
quite high.'' \293\ Accurate, timely, and efficient collection, 
processing, and dissemination of consolidated market data provides the 
public with ready access to a comprehensive and reliable source of 
information for the prices and volume of any NMS stock at any time 
during the trading day.\294\ This information helps to ensure that the 
public is aware of the best displayed prices for a stock, no matter 
where they may arise in the national market system.\295\ It also 
enables investors to monitor the prices at which their orders are 
executed and serves as a data point that helps them to assess whether 
their orders received best execution.\296\
---------------------------------------------------------------------------

    \292\ See H.R. Rep. No. 94-229, 94th Cong., 1st Sess. 93 (1975). 
See also Concept Release on Equity Market Structure, supra note 4, 
at 3600, and Proposing Release, supra note 13, at 18108 (each 
discussing the importance of consolidated market data).
    \293\ See Findings Regarding The Market Events Of May 6, 2010, 
Report Of The Staffs Of The CFTC And SEC To The Joint Advisory 
Committee On Emerging Regulatory Issues, September 30, 2010, at 8 
(``May 6 Staff Report'').
    \294\ See id.
    \295\ See id.
    \296\ See id. Also, as discussed above, the recent Nasdaq SIP 
disruption demonstrated that the availability, accuracy, and 
reliability of consolidated market data is currently central to the 
functioning of the securities markets, and systems issues affecting 
such systems can result in major disruptions to the national market 
system, undermining the maintenance of fair and orderly markets.
---------------------------------------------------------------------------

    Finally, systems directly supporting functionality relating to 
exclusively-listed securities represent single points of failure in the 
securities markets, because exclusively-listed securities, by 
definition, are listed and traded solely on one exchange.\297\ As such, 
a trading disruption on the exclusive listing market necessarily will 
disrupt trading by all market participants in those securities.\298\
---------------------------------------------------------------------------

    \297\ As noted above, commenters identified the systems 
supporting the trading of exclusively-listed securities as 
representing critical points of failure or critical functionality in 
the securities markets. See, e.g., KCG Letter at 2-3; and SIFMA 
Letter at 4.
    \298\ For example, as noted above, in April 2013, CBOE delayed 
the opening of trading on its exchange for over three hours due to 
an internal ``software bug,'' preventing investors from trading in 
those products that are singly-listed on CBOE, including options on 
the S&P 500 Index and the VIX. See supra note 28 and accompanying 
text.
---------------------------------------------------------------------------

    The second prong of the definition is a broader catch-all provision 
intended to capture any SCI systems, beyond those specifically 
identified within the first prong of the definition, that provide 
functionality to the securities markets for which the availability of 
alternatives is significantly limited or nonexistent and without which 
there would be a material impact on fair and orderly markets. The 
Commission is not aware of any SCI systems that would fall under this 
prong of the critical SCI systems definition at this time, and notes 
that this prong of the definition is intended to account for further 
technology advancements and the continual evolution of the securities 
markets, in recognition that such developments could result in 
additional or new types of systems that would, similar to the 
enumerated categories of systems in the first prong of the definition, 
become so critical to the continuous and orderly functioning of the 
securities markets such that they should be subject to the requirements 
of Regulation SCI imposed on those systems specifically enumerated in 
the first prong of the definition.
    The Commission also notes that the definition applies to those 
systems ``of, or operated by or on behalf of, an SCI entity.'' This 
language mirrors the language in the definitions of SCI system and 
indirect SCI system, and as discussed above, is intended to cover 
systems that are third-party systems operated on behalf of SCI 
entities.\299\
---------------------------------------------------------------------------

    \299\ See supra notes 254-260 and accompanying text.
---------------------------------------------------------------------------

d. Indirect SCI Systems (Proposed as ``SCI Security Systems'')
    Proposed Rule 1000 defined the term ``SCI security systems'' to 
mean ``any systems that share network resources with SCI systems that, 
if breached, would be reasonably likely to pose a security threat to 
SCI systems.'' \300\ As adopted, Regulation SCI includes the new term 
``indirect SCI systems,'' in place of the proposed term ``SCI security 
systems.'' The term ``indirect SCI systems'' is defined to mean ``any 
systems of, or operated by or on behalf of, an SCI entity that, if 
breached, would be reasonably likely to pose a security threat to SCI 
systems.''
---------------------------------------------------------------------------

    \300\ See proposed Rule 1000(a) and Proposing Release, supra 
note 13, at Section III.B.2.
---------------------------------------------------------------------------

    As an initial matter, the Commission has determined to replace the 
proposed term ``SCI security systems'' with the adopted term ``indirect 
SCI systems'' because it believes that the latter term, in using the 
word ``indirect,'' better reflects that it is intended to cover non-SCI 
systems only if they are not appropriately secured and segregated from 
SCI systems, and therefore could indirectly pose risk to SCI 
systems.\301\ The adopted definition of indirect SCI systems includes 
systems ``of, or operated by or on behalf of'' an SCI entity that, 
``if breached, would be reasonably likely to pose a security threat to 
SCI systems.'' As discussed below, in response to comment that the 
proposed term would cover too many systems unrelated to SCI systems, 
the adopted term excludes the phrase ``share network resources.''
---------------------------------------------------------------------------

    \301\ The Commission also believes that eliminating the word 
``security'' from the defined term will help clarify that the term 
is not limited to systems relating only to security of the SCI 
entity and its systems (e.g., firewalls, VPNs).
---------------------------------------------------------------------------

    One commenter expressly supported the definition of SCI security 
systems and urged that it be expanded to include any technology system 
that has direct market access.\302\ In response to this comment, the 
Commission notes that the adopted definition includes any technology 
system of, or operated by or on behalf of an SCI entity, that has 
direct market access if that system meets the definition's test: 
whether a breach of 
that system would be reasonably likely to pose a security threat to SCI 
systems.
---------------------------------------------------------------------------

    \302\ See Lauer Letter at 5.
---------------------------------------------------------------------------

    This commenter also suggested that the Commission additionally 
require SCI entities to have independent security audits performed and 
allow the auditor to have the ability to define which systems should be 
included and which can be safely excluded.\303\ The Commission is not 
requiring ``independent security audits'' to determine which systems 
would fall within the definition of indirect SCI system as suggested by 
this commenter,\304\ because the Commission believes its adopted rule 
requiring an annual SCI review addresses the commenter's request. The 
Commission notes that the adopted annual SCI review requirement 
requires that such review be performed by objective, qualified 
personnel, and that it include an assessment of logical and physical 
security controls for SCI systems and indirect SCI systems. The 
Commission believes that an SCI entity is generally in the best 
position to assess in the first instance which of its systems may fall 
within the definition of indirect SCI systems, and that having an 
independent third party audit to make that determination should be 
optional rather than required at this time.
---------------------------------------------------------------------------

    \303\ See id.
    \304\ See adopted Rule 1000 (definition of ``SCI review'') and 
infra Section IV.B.5 (discussing the SCI review requirement).
---------------------------------------------------------------------------

    Contrary to the commenter urging expansion of the proposed 
definition of SCI security systems, many commenters argued that the 
proposed definition was overbroad,\305\ with several of these same 
commenters suggesting that the term be deleted from the rule 
entirely.\306\ The Commission believes that Regulation SCI warrants 
inclusion of a definition of indirect SCI systems because an issue or 
systems intrusion with respect to a non-SCI system still could cause or 
increase the likelihood of an SCI event with respect to an SCI entity's 
SCI systems.\307\ In particular, because systems that are not 
adequately walled off from SCI systems may present potential entry 
points to an SCI entity's network and thus represent potential 
vulnerabilities to SCI systems, the Commission believes that it is 
important that the provisions of Regulation SCI relating to security 
standards and systems intrusions apply to such systems (i.e., indirect 
SCI systems).
---------------------------------------------------------------------------

    \305\ See, e.g., NYSE Letter at 11; Omgeo Letter at 6; MFA 
Letter at 6 (noting specifically that the definition could be read 
to extend to broker-dealers or other third parties); SIFMA Letter at 
8; ITG Letter at 5, 12; BIDS Letter at 16-17; MSRB Letter at 7; OCC 
Letter at 4; FINRA Letter at 12-13; CME Letter at 6; DTCC Letter at 
5; Oppenheimer Letter at 3; and Direct Edge Letter at 3.
    \306\ See, e.g., NYSE Letter at 11; Omgeo Letter at 6; MFA 
Letter at 6; SIFMA Letter at 2; FIF Letter at 3; LiquidPoint Letter 
at 3; KCG Letter at 18; OCC Letter at 3; and Joint SROs Letter at 5.
    \307\ See Proposing Release, supra note 13, at 18099.
---------------------------------------------------------------------------

    Many commenters objecting to the proposed definition as too broad 
addressed particular elements of the proposed definition of SCI 
security systems or provided specific recommendations for modifications 
or limitations to the definition.\308\ For example, some commenters 
criticized the use of the phrase ``share network resources,'' noting 
that it was vague and too broad, potentially encompassing almost any 
system of an SCI entity.\309\ Similarly, one commenter stated that the 
definition of SCI security system should include only systems that 
``directly'' share network resources with an SCI system.\310\ One 
commenter argued that the definition should only include those systems 
that are materially and directly connected to the trading operations of 
an SCI entity.\311\ Several commenters recommended that systems that 
are logically and/or physically separated from SCI systems should be 
excluded from the definition.\312\ Some commenters qualified this 
position by stating that such systems should be excluded, for example, 
as long as SCI entities monitor those systems for security breaches and 
have the ability to shut the system off if they detect a security 
breach; \313\ or provided that the separation is routinely monitored 
and has appropriate risk controls in place and the system is ``air 
gapped'' (i.e., has no point of entry) from the public internet.\314\ 
One commenter believed that the definition should exclude any system 
with ``compensatory controls in place,'' which it stated would protect 
and secure SCI systems from vulnerabilities that could arise from 
shared network links.\315\ Another commenter asked for greater clarity 
on the extent to which SCI security systems that are isolated from 
production, such as email and intranet sites, raise security issues 
that are within the scope of the proposal.\316\
---------------------------------------------------------------------------

    \308\ See NYSE Letter at 12; BATS Letter at 5-6; ISE Letter at 
7-8; BIDS Letter at 16-17; SROs Letter at 15; Direct Edge Letter at 
3; FINRA Letter at 13; ISE Letter at 8; and DTCC Letter at 5; and 
ITG Letter at 12.
    \309\ See NYSE Letter at 12; BATS Letter at 5; and ISE Letter at 
7-8.
    \310\ See BIDS Letter at 16-17.
    \311\ See ITG Letter at 12 (stating that its suggested approach 
would, in its case, cover systems for order handling and execution, 
processing of market data, transaction reporting, and clearing and 
settlement of trades).
    \312\ See, e.g., Joint SROs Letter at 15 (stating that the term 
``SCI security systems'' should be deleted, but if retained, should 
exclude those systems that are physically and logically separated); 
BATS Letter at 5-6; Direct Edge Letter at 3; FINRA Letter at 13; ISE 
Letter at 8; and DTCC Letter at 5.
    \313\ See BATS Letter at 5-6.
    \314\ See Direct Edge Letter at 3.
    \315\ See FINRA Letter at 13.
    \316\ See ISE Letter at 8.
---------------------------------------------------------------------------

    After careful consideration of these comments, the Commission 
believes that inclusion of the phrase ``share network resources'' in 
the proposed definition could be interpreted in a manner that would 
include almost any system that is part of an SCI entity's network. In 
response to commenters who expressed concern about the breadth of the 
proposed definition, the Commission has determined to eliminate the 
phrase ``share network resources'' from the definition, so that the 
adopted result-oriented test depends on whether a system ``if breached, 
would be reasonably likely to pose a security threat to SCI systems.'' 
As a result, the inquiry into whether any system is an indirect SCI 
system will depend on whether it is effectively physically or logically 
separated from SCI systems. Systems that are adequately physically or 
logically separated (i.e., isolated from SCI systems, such that they do 
not provide vulnerable points of entry into SCI systems) will not fall 
within the definition of indirect SCI systems.
    The Commission believes that having adequate separation and 
security controls should protect SCI systems from vulnerabilities 
caused by other systems. To the extent that non-SCI systems are 
sufficiently walled off from SCI systems using appropriate security 
measures, and thus are not reasonably likely to pose a security threat 
to SCI systems if breached, they would not be included in the 
definition of indirect SCI systems, and thus would be outside of the 
scope of Regulation SCI.
    The Commission notes that the definition of indirect SCI systems 
will not include any systems of an SCI entity for which the SCI entity 
establishes reasonably designed and effective controls that result in 
SCI systems being logically or physically separated from such non-SCI 
systems. Thus, the universe of an SCI entity's indirect SCI systems is 
in the control of each SCI entity, and SCI entities should reasonably 
expect Commission staff to assess their security controls around SCI 
systems in connection with an inspection or examination for compliance 
with Regulation SCI. If these controls are not present or are not 
reasonably designed, the applicable non-SCI systems would be within the 
scope of the definition of indirect SCI systems and subject to the 
security standards and systems intrusions provisions of Regulation SCI.
    Some commenters recommended that, rather than including SCI 
security systems in the scope of the regulation, the Commission should 
instead require SCI entities to establish policies and procedures 
designed to ensure the security of their systems.\317\ According to 
these commenters, such an approach would require an evaluation of the 
risks posed to SCI systems by non-SCI systems. As noted, the Commission 
believes that the adopted definition of ``indirect SCI systems'' will 
effectively require SCI entities to evaluate the risks posed to SCI 
systems by non-SCI systems. However, the Commission believes that the 
adopted approach will incentivize SCI entities to seek to have in place 
strong security controls around SCI systems. As noted, if an SCI entity 
designs and implements security controls so that none of its non-SCI 
systems would be reasonably likely to pose a security threat to SCI 
systems, then it will have no indirect SCI systems. If, however, an SCI 
entity does have indirect SCI systems, then certain provisions of 
Regulation SCI will apply to those indirect SCI systems.\318\ The 
Commission believes this approach to indirect SCI systems is more 
appropriate than the policies and procedures approach suggested by some 
commenters because the Commission believes that its approach is more 
comprehensive as it includes, for example, the requirements to take 
corrective action, provide notifications to the Commission, and 
disseminate information for certain SCI events relating to indirect SCI 
systems which, by definition, if breached, would be reasonably likely 
to pose a security threat to SCI systems. Another commenter stated that 
a more precise definition of SCI security systems is important and that 
it would be valuable for the Commission to work with representatives 
within the securities industry to collectively craft the most 
appropriate definition that will ensure that critical security systems 
are captured.\319\ In crafting the definition, the Commission has taken 
into account comments received, with such commenters representing a 
wide variety of types of participants in the securities markets, and 
believes the adopted definition of indirect SCI systems, along with the 
definition of SCI systems, is responsive to a broad range of 
commenters' concerns.\320\
---------------------------------------------------------------------------

    \317\ See, e.g., NYSE Letter at 12; MFA Letter at 6; SIFMA 
Letter at 2; FIF Letter at 3; LiquidPoint Letter at 3; KCG Letter at 
18; OCC Letter at 3; and Joint SROs Letter at 5.
    \318\ See infra notes 323-328 (discussing the provisions of 
Regulation SCI applicable to indirect SCI systems).
    \319\ See DTCC Letter at 5.
    \320\ See supra note 17 and accompanying text.
---------------------------------------------------------------------------

    Another commenter suggested that the definition be limited to 
systems ``of, or operated by or on behalf of, an SCI entity,'' noting 
that the definition of SCI security systems should have parallel 
construction to the definition of ``SCI systems'' and without this 
phrase, SCI entities would be tasked inappropriately with controlling 
for systems outside of their effective control.\321\ As noted, the 
adopted definition of ``indirect SCI systems'' applies to those systems 
``of, or operated by or on behalf of, an SCI entity.'' As a result, the 
adopted definition of indirect SCI systems provides (as is the case for 
SCI systems) that systems ``of, or operated by or on behalf of'' an SCI 
entity, are included in the definition of indirect SCI systems if their 
breach would be reasonably likely to pose a security threat to SCI 
systems.\322\ The Commission believes that the addition of this 
language is warranted to make clear that security of SCI systems is not 
limited solely to threats from systems operated directly by the SCI 
entity. If it were, outsourced systems of SCI entities would not be 
subject to the requirements of Regulation SCI, which would undermine 
the goals of Regulation SCI.
---------------------------------------------------------------------------

    \321\ See MSRB Letter at 7.
    \322\ See supra Section IV.A.2.b (discussing the inclusion of 
third party systems in the definition of ``SCI systems'').
---------------------------------------------------------------------------

    As discussed in further detail below, unlike SCI systems, those 
systems meeting the definition of ``indirect SCI systems'' will only be 
subject to certain provisions of Regulation SCI. Specifically, 
references to ``indirect SCI systems'' are included in the definitions 
of ``responsible SCI personnel,'' ``SCI review,'' and ``systems 
intrusion'' in adopted Rule 1000.\323\ Rule 1001(a), requiring 
reasonably designed policies and procedures to ensure operational 
capability, will apply to indirect SCI systems only for purposes of 
security standards.\324\ In addition, Rule 1002, which relates to an 
SCI entity's obligations with regard to SCI events, will apply to 
indirect SCI systems only with respect to systems intrusions.\325\ 
Further, pursuant to Rule 1003(a), the obligations related to systems 
changes will apply to material changes to the security of indirect SCI 
systems.\326\ In addition, the requirements regarding an SCI review 
will apply to indirect SCI systems.\327\ Finally, Rules 1005 through 
1007, relating to recordkeeping and electronic filing and submission of 
Form SCI, respectively, will also apply to indirect SCI systems.\328\ 
The Commission believes that it is appropriate to subject indirect SCI 
systems to only these specified provisions because the Commission 
believes that the primary risk posed by indirect SCI systems is that 
they may serve as vulnerable entry points to SCI systems. The 
Commission's objective with respect to indirect SCI systems is to guard 
against a non-SCI system being breached in a manner that threatens the 
security of any SCI system. The Commission believes that its approach 
to defining indirect SCI systems, and requiring SCI entities to 
consider, address, and report on security changes and intrusions into 
systems where vulnerabilities have been identified, is tailored to meet 
this objective.
---------------------------------------------------------------------------

    \323\ See adopted Rule 1000.
    \324\ See adopted Rule 1001(a) and supra Section IV.B.1 
(discussing the policies and procedures requirement under Rule 
1001(a)).
    \325\ See adopted Rule 1000 (definitions of system compliance 
and systems disruption, which do not include indirect SCI systems, 
and the definition of systems intrusion, which includes indirect SCI 
systems) and supra Section IV.B.3 (discussing an SCI entity's 
obligations with respect to SCI events).
    \326\ See adopted Rule 1003(a)(i) and Section IV.B.4 (discussing 
requirements relating to material systems changes).
    \327\ See adopted Rule 1003(b) and Section IV.B.5 (discussing 
the SCI review requirement).
    \328\ See adopted Rules 1005-1007 and Section IV.C (discussing 
the recordkeeping and electronic filing of Form SCI).
---------------------------------------------------------------------------

3. SCI Events
    Regulation SCI specifies the types of events--i.e., SCI events--
that give rise to certain obligations under the rule, including taking 
corrective action, reporting to the Commission, and disseminating 
information about such SCI events.\329\ Proposed Rule 1000(a) defined 
the term ``SCI event'' as ``an event at an SCI entity that constitutes: 
(1) A systems disruption; (2) a systems compliance issue; or (3) a 
systems intrusion.'' \330\ The Commission is adopting the definition of 
``SCI event'' as proposed.
---------------------------------------------------------------------------

    \329\ See infra Section IV.B.3 (discussing an SCI entity's 
obligations with respect to SCI events).
    \330\ See proposed Rule 1000(a) and Proposing Release, supra 
note 13, at Section III.B.3.
---------------------------------------------------------------------------

    Many commenters believed that the proposed definition of ``SCI 
event'' was vague \331\ or overly broad because it was not limited to 
capturing material SCI events \332\ or events that the commenters 
believed are truly disruptive and pose a risk to the market.\333\ 
Specifically, 
several commenters recommended that the definition of SCI event include 
a materiality threshold, so that only events determined by the SCI 
entity to be material would trigger certain obligations under the 
rule.\334\ One commenter stated that the definition of SCI event could 
be interpreted to include trivial events, and therefore believed that 
the definition needed clarity.\335\ Finally, one commenter suggested 
that SCI event be defined as outlined in Rule 301(b)(6)(ii)(G) under 
Regulation ATS,\336\ which requires a qualifying ATS to notify the 
Commission of material systems outages and significant systems 
changes.\337\
---------------------------------------------------------------------------

    \331\ See ITG Letter at 12; and OTC Markets Letter at 16.
    \332\ See FIF Letter at 2; ITG Letter at 12; DTCC Letter at 5; 
and OTC Markets Letter at 16.
    \333\ See NYSE Letter at 3; ICI Letter at 4; Oppenheimer Letter 
at 3. See also supra note 231 and accompanying text (discussing 
comment that the definition of SCI systems should be revised to 
cover only those systems where a disruption, compliance issue, 
intrusion or material systems change would impact investors and 
markets that are subject to the Commission's jurisdiction).
    \334\ See, e.g., FIF Letter at 2 (suggesting factors for 
determining what is a material SCI event, and urging that only 
material SCI events be subject to notification requirements); ITG 
Letter at 12 (suggesting that a Commission notification requirement 
apply only to those events that have a material impact on the 
ongoing maintenance of fair and orderly markets in an NMS security); 
and DTCC Letter at 5 (recommending that each component of the term 
SCI event be limited by a materiality threshold and be ``risk-
based'' so that the term includes events that cause a disruption to 
the SCI entity's ability to conduct its core functions).
    \335\ See ITG Letter at 12.
    \336\ 17 CFR 242.301(b)(6)(ii)(G).
    \337\ See OTC Markets Letter at 16. In addition, some commenters 
objected to the inclusion of systems compliance issues within the 
definition of SCI events. See infra notes 403-405 and accompanying 
text.
---------------------------------------------------------------------------

    After careful consideration of the views of commenters, although 
the Commission is adopting the definition of ``SCI event'' as proposed, 
the requirements of Regulation SCI are tiered in a manner that the 
Commission believes is responsive to the concerns of commenters about 
the breadth of the definition.\338\ Specifically, and as explained in 
further detail below, the Commission is incorporating a risk-based 
approach to the obligations of SCI entities with respect to SCI 
events.\339\
---------------------------------------------------------------------------

    \338\ See supra notes 331-337 and accompanying text.
    \339\ Under this risk-based approach, for example, de minimis 
SCI events will not be subject to the immediate Commission reporting 
requirements as proposed, but rather, SCI entities will only be 
required to make, keep, and preserve records regarding de minimis 
SCI events and submit de minimis systems disruptions and de minimis 
systems intrusions to the Commission in quarterly summary reports. 
See Rule 1002(b)(5).
---------------------------------------------------------------------------

    The Commission is not incorporating a materiality threshold as 
requested by some commenters,\340\ including by limiting the definition 
of SCI event to only those events that are considered by SCI entities 
to be truly disruptive to the market.\341\ Rather, the Commission 
believes that the adopted Commission notification and information 
dissemination requirements for SCI events will help to focus the 
Commission's and SCI entities' resources on the more significant SCI 
events by providing appropriate exceptions from reporting and 
dissemination for events that have no or de minimis impacts on an SCI 
entity's operations or market participants. In addition, the Commission 
believes that SCI event should not be defined as outlined in Rule 
301(b)(6)(ii)(G) under Regulation ATS as suggested by one 
commenter,\342\ because Rule 301(b)(6)(ii)(G) requires Commission 
notification of ``material systems outages.'' \343\ Such an approach 
would exclude any systems compliance issues or systems intrusions, two 
types of events that the Commission believes should be included as SCI 
events. This approach would also create a materiality threshold for 
systems disruptions, which the Commission believes would not be 
appropriate, as discussed below.
---------------------------------------------------------------------------

    \340\ See supra notes 334 and 337 and accompanying text.
    \341\ See supra note 333 and accompanying text.
    \342\ See supra note 337 and accompanying text.
    \343\ See 17 CFR 242.301(b)(6)(ii)(G). Rule 301(b)(6)(ii)(G) 
also requires that ATSs promptly notify the Commission of 
significant systems changes.
---------------------------------------------------------------------------

    In addition, by not including a materiality threshold within the 
definition, SCI entities will be required to assess, take corrective 
action, and keep records of all such events, some of which may 
initially seem insignificant to an SCI entity, but which may later 
prove to be the cause of significant systems issues at the SCI entity. 
An SCI entity's records of de minimis SCI events may also be useful to 
the Commission in that they may, for example, aid the Commission in 
identifying patterns of de minimis SCI events that together might 
result in a more impactful SCI event, either at an SCI entity or across 
a group of SCI entities, or circumstances in which an SCI event causes 
de minimis systems issues for one particular SCI entity but results in 
significant issues for another SCI entity. The Commission also believes 
that the ability to view such events in the aggregate and across 
multiple SCI entities is important to allow the Commission and its 
staff to be able to gather information about trends related to SCI 
events that could not otherwise be properly discerned. Information 
about trends will assist the Commission in fulfilling its oversight 
role by keeping Commission staff informed about the nature and 
frequency of the types of de minimis SCI events that SCI entities 
encounter. Moreover, information about trends and notifications of de 
minimis SCI events generally can also inform the Commission of areas of 
potential weaknesses, or persistent or recurring problems, across SCI 
entities and also should help the Commission better focus on common 
types of SCI events or issues with certain types of SCI systems across 
SCI entities. This information also will permit the Commission and its 
staff to issue industry alerts or guidance if appropriate. In addition, 
this information would allow the Commission and its staff to review SCI 
entities' classification of SCI events as de minimis SCI events.
    In addition, although the definition of SCI event is unchanged, to 
address commenters' concerns, the Commission has determined to modify 
the various components of that definition (i.e., the definition of 
systems disruption, systems compliance issue, and systems intrusion), 
in certain respects, as discussed below.
a. Systems Disruption
    Proposed Rule 1000(a) would have defined ``systems disruption'' as 
``an event in an SCI entity's SCI systems that results in: (1) A 
failure to maintain service level agreements or constraints; (2) a 
disruption of normal operations, including a switchover to back up 
equipment with near-term recovery of primary hardware unlikely; (3) a 
loss of use of any SCI system; (4) a loss of transaction or clearance 
and settlement data; (5) significant backups or delays in processing; 
(6) a significant diminution of ability to disseminate timely and 
accurate market data; or (7) a queuing of data between systems 
components or queuing of messages to or from customers of such duration 
that normal service delivery is affected.'' \344\ As discussed below, 
in response to comments, the Commission is substantially modifying the 
proposed definition of systems disruption in adopted Rule 1000.
---------------------------------------------------------------------------

    \344\ See proposed Rule 1000(a) and Proposing Release, supra 
note 13, at Section III.B.3.a.
---------------------------------------------------------------------------

    One commenter stated that the proposed definition of systems 
disruption was reasonable, but recommended that it be expanded to 
encompass disruptions originating from a third party.\345\ However, 
many other commenters believed that the definition of systems 
disruption was too broad and would include minor events that they 
believed should be excluded from the 
definition.\346\ Several commenters suggested ways to limit the scope 
of the defined term. For example, some commenters suggested limiting 
the definition to material disruptions.\347\ One of these commenters 
added that systems disruptions should exclude any regularly planned 
outages occurring during the normal course of business.\348\ Another 
commenter recommended that development and testing environments should 
be excluded from the definition of systems disruption.\349\ One 
commenter suggested modifying the definition to include only two 
elements: (1) Disruptions of either the SCI systems or of the 
operations of the SCI entity that have the effect of disrupting the 
delivery of the SCI service provided by those systems; and (2) 
degradations of SCI systems processing creating backups or delays of 
such a degree and duration that the delivery of service is effectively 
disrupted or unusable by the market participants who use the 
systems.\350\
---------------------------------------------------------------------------

    \345\ See Lauer Letter at 5-6.
    \346\ See, e.g., FINRA Letter at 16; BATS Letter at 9; Omgeo 
Letter at 7; NYSE Letter at 14; Joint SROs Letter at 6; OCC Letter 
at 6; SIFMA Letter at 9-10; and OTC Markets Letter at 21.
    \347\ See DTCC Letter at 6; SIFMA Letter at 9; OCC Letter at 6; 
OTC Markets Letter at 21; and Joint SROs Letter at 6.
    \348\ See DTCC Letter at 7.
    \349\ See FINRA Letter at 11, 16 (noting also that the many 
elements of the defined term were vague). See also Section IV.A.2.b 
(discussing the definition of ``SCI systems,'' including the 
elimination of test and development systems from its definition).
    \350\ See Omgeo Letter at 11.
---------------------------------------------------------------------------

    Two commenters believed that the proposed definition of systems 
disruption was too rigid and should provide for more flexibility and 
discretion.\351\ Both commenters were skeptical that an event should be 
reportable solely because it matched the description of one of the 
seven elements of the definition.\352\ One of these commenters noted 
that the Commission's proposed definition seeks to codify as a formal 
definition language used by the ARP Inspection Program that was meant 
to provide flexibility and latitude in determining what constitutes a 
systems disruption.\353\ The other commenter thought that the seven 
prongs of the proposed definition of ``systems disruption'' were 
appropriate considerations in determining whether a systems disruption 
had occurred, but that an SCI entity should be afforded more discretion 
and flexibility in determining whether a particular issue meets the 
definition.\354\
---------------------------------------------------------------------------

    \351\ See Omgeo Letter at 7; and OCC Letter at 6-8.
    \352\ See Omgeo Letter at 7; and OCC Letter at 6-8.
    \353\ See Omgeo Letter at 7.
    \354\ See OCC Letter at 6. This commenter also critiqued or 
requested clarification for each prong of the definition, as 
discussed further below.
---------------------------------------------------------------------------

Service Level Agreements
    Two commenters believed that the first element of the definition 
regarding service level agreements should be eliminated.\355\ One of 
these commenters stated that an SCI entity's regulatory requirements 
should not depend upon the negotiated language of an agreement between 
business partners, while the other commenter noted that, in some cases, 
a private contract might have more stringent requirements than required 
by regulation, which would, in effect, transform such agreements into 
new regulatory obligations.\356\ Other commenters stated this element 
should be revised to capture only the most significant disruptions to a 
service level agreement.\357\ In addition, one commenter expressed 
concern that SCI entities may forgo negotiating detailed and stringent 
service level agreements if the first element were to be adopted as 
proposed.\358\
---------------------------------------------------------------------------

    \355\ See NYSE Letter at 13; and BATS Letter at 9.
    \356\ See NYSE Letter at 13; and BATS Letter at 9.
    \357\ See DTCC Letter at 7 (suggesting that the definition 
capture only the most significant disruptions to a service level 
agreement that are caused by the SCI entity and that impede its 
ability to perform its core functions and critical operations); and 
OCC Letter at 7. See also Omgeo Letter at 9 (noting concerns that 
this element could require reporting of events too minor to be 
noticed by participants and that do not cause any disruptions of 
service or material risks to the entity or users).
    \358\ See OCC Letter at 7.
---------------------------------------------------------------------------

Disruptions of Normal Operations
    Two commenters stated that the second element of the definition 
needs clarification because the phrase ``disruption of normal 
operations'' is vague and overbroad and therefore could potentially 
include minor events.\359\ Two commenters stated that, if a switchover 
is utilized and there is no material impact on the core services, then 
there should not be a requirement to notify the Commission of a systems 
disruption.\360\ One of these commenters added that programming errors 
that occur prior to production and regularly scheduled maintenance 
should not be considered disruptions.\361\ Several commenters also 
recommended that testing errors should not be included in the 
definition,\362\ and one commenter stated that testing errors should 
only be included if they result in a material impact on an SCI entity's 
operations.\363\
---------------------------------------------------------------------------

    \359\ See NYSE Letter at 13; and Omgeo Letter at 8.
    \360\ See BATS Letter at 9; and SIFMA Letter at 10.
    \361\ See BATS Letter at 10.
    \362\ See BATS Letter at 11; SIFMA Letter at 10; and NYSE Letter 
at 13.
    \363\ See Omgeo Letter at 9 (noting that inclusion of testing 
errors would discourage SCI entities from conducting effective 
quality assurance programs and could undermine good quality 
engineering practices).
---------------------------------------------------------------------------

Loss of Use of Any System
    One commenter stated that the term ``loss of use of any SCI 
system'' is unclear and expressed concern that the lack of clarity may 
lead to interpretive differences and inconsistencies in application 
among SCI entities.\364\ Three commenters discussed failovers to backup 
systems, with one commenter stating the Commission should clarify 
whether this constitutes a loss of use of a system,\365\ another 
commenter stating that it should not be considered a systems 
disruption,\366\ and the third commenter stating that it should only be 
considered a systems disruption if there is an impact on normal 
operations.\367\
---------------------------------------------------------------------------

    \364\ See OCC Letter at 7.
    \365\ See id.
    \366\ See NYSE Letter at 13.
    \367\ See Direct Edge Letter at 3.
---------------------------------------------------------------------------

Loss of Data
    Several commenters stated that losses of transaction or clearance 
and settlement data that are immediately retrieved, promptly corrected, 
or, for clearance and settlement data, resolved prior to the close of 
the trading day should not be systems disruptions.\368\ One commenter 
suggested that the rule be revised to include as a systems disruption 
data that is altered or corrupted in some way.\369\ Another commenter 
stated that this prong of the definition should include a materiality 
qualifier.\370\
---------------------------------------------------------------------------

    \368\ See, e.g., OCC Letter at 7; DTCC Letter at 7; SIFMA Letter 
at 10; and Omgeo Letter at 11.
    \369\ See Omgeo Letter at 11.
    \370\ See NYSE Letter at 14.
---------------------------------------------------------------------------

Backups or Delays and Market Data Dissemination
    With respect to the fifth and sixth elements of the definition 
regarding significant backups or delays in processing and a significant 
diminution of ability to disseminate timely and accurate market data, 
one commenter expressed support for the inclusion of such performance 
degradations in the definition of systems disruptions but stated that 
it believed that the Commission's interpretation of the term 
``significant'' in the SCI Proposal was overly broad because it would 
encompass delays that are small and, in fact, insignificant.\371\
---------------------------------------------------------------------------

    \371\ See Omgeo Letter at 9. See also Proposing Release, supra 
note 13, at 18101-02.

---------------------------------------------------------------------------

[[Page 72284]]

Data Queuing
    With respect to the seventh element, one commenter stated that 
queuing of data is a very good indicator of a problem, but also noted 
that it is not necessarily being properly monitored by most firms and 
suggested that the Commission require SCI entities to monitor queue 
depth.\372\ However, several other commenters stated that queuing of 
data is normal and necessary.\373\ Some commenters suggested that the 
Commission should only require reporting of such queuing if it 
materially affects the delivery of core services to customers.\374\ One 
commenter asked for additional clarification on this element because 
all systems have queues to some extent with normal functionality and 
only certain queues should trigger recovery actions.\375\ One commenter 
expressed concern that language in the SCI Proposal stating that 
``queuing of data is a warning signal of significant disruption'' \376\ 
would make events that are precursors to system disruptions themselves 
become system disruptions.\377\
---------------------------------------------------------------------------

    \372\ See Lauer Letter at 5.
    \373\ See, e.g., BATS Letter at 10; DTCC Letter at 7; SIFMA 
Letter at 10; Omgeo Letter at 10; and Joint SROs Letter at 6.
    \374\ See, e.g., BATS Letter at 10-11; DTCC Letter at 7; Omgeo 
Letter at 10; and OCC Letter at 8.
    \375\ See NYSE Letter at 14.
    \376\ See Proposing Release, supra note 13, at 18102.
    \377\ See Omgeo Letter at 9.
---------------------------------------------------------------------------

Customer Complaints
    Several commenters objected to the Commission's discussion in the 
SCI Proposal regarding customer complaints,\378\ stating that the 
Commission should not consider each instance in which a customer or 
systems user complains or inquires about a slowdown or disruption of 
operations as an indicator of a systems disruption.\379\ For example, 
one commenter noted that customer complaints are often ultimately 
determined to be the result of system errors or discrepancies on the 
customer's end, and stated that requiring an SCI entity to treat these 
complaints as significant systems disruptions simply because they are 
made would impose an unnecessary burden on the SCI entity.\380\
---------------------------------------------------------------------------

    \378\ See Proposing Release, supra note 13, at 18102.
    \379\ See, e.g., DTCC Letter at 7; Omgeo Letter at 10; BATS 
Letter at 11; NYSE Letter at 14; and OCC Letter at 8.
    \380\ See Omgeo Letter at 10-11.
---------------------------------------------------------------------------

Definition of ``Systems Disruption'' as Adopted
    After careful consideration of the views of commenters, the 
Commission is removing the seven specific types of systems malfunctions 
that were proposed to define systems disruption. As adopted, ``systems 
disruption'' is defined in Rule 1000 to mean ``an event in an SCI 
entity's SCI systems that disrupts, or significantly degrades, the 
normal operation of an SCI system.'' The Commission has considered 
commenters' suggestions and feedback with respect to the proposed 
definition, including the criticisms of various aspects of the seven 
specific types of systems malfunctions delineated in the SCI Proposal 
and believes that the adopted definition, which largely follows the 
definition suggested by a commenter, is appropriate.\381\ Specifically, 
this commenter recommended that the definition of systems disruption be 
revised to have two elements: (1) Disruptions of either the SCI systems 
or of the operations of the SCI entity that have the effect of 
disrupting the delivery of the SCI service provided by those systems; 
and (2) degradations of SCI systems processing creating backups or 
delays of such a degree and duration that the delivery of service is 
effectively disrupted or unusable by the market participants who use 
the systems.\382\
---------------------------------------------------------------------------

    \381\ See id. at 11.
    \382\ See supra note 353 and accompanying text.
---------------------------------------------------------------------------

    The Commission agrees with commenters that the proposed definition 
of systems disruption had the potential to be both over-inclusive and 
under-inclusive. The Commission believes that the adopted definition 
appropriately represents a change in focus of the definition from the 
prescriptive seven prongs in the SCI Proposal's definition that 
represented the effects caused by a disruption of an SCI entity's 
systems to, instead, whether a system is halted or degraded in a manner 
that is outside of its normal operation. The Commission believes the 
revised definition sets forth a standard that SCI entities can apply in 
a wide variety of circumstances to determine in their discretion 
whether a systems issue should be appropriately categorized as a 
systems disruption. Further, because the adopted definition of systems 
disruption takes into account whether a systems problem is outside of 
normal operations, the Commission also believes that it partly addresses 
the concerns of the commenters suggesting that the definition of 
systems disruption include a materiality qualifier.\383\
---------------------------------------------------------------------------

    \383\ As discussed more fully below, an SCI entity's assessment 
of the impact of an event meeting the definition of a systems 
disruption will affect whether it is subject to an immediate 
Commission notification obligation, or a recordkeeping and quarterly 
reporting obligation. See infra Section IV.B.3.c (discussing the 
exclusion of de minimis systems disruptions from immediate 
Commission notification requirements in Rule 1002(b)(5)).
---------------------------------------------------------------------------

    Because the Commission agrees with commenters regarding the 
difficulties of the proposed definition of ``systems disruption,'' it 
is not including any of the specific types of systems malfunctions in 
the adopted definition of ``systems disruption.'' Thus, the Commission 
believes SCI entities would likely find it helpful to establish 
parameters that can aid them and their staff in determining what 
constitutes the ``normal operation'' \384\ of each of their SCI systems, 
and when such ``normal operation'' has been disrupted or significantly 
degraded because those parameters have been exceeded. The Commission 
agrees with commenters who noted that, given its voluntary nature, 
entities that participate in the ARP Inspection Program are afforded a 
certain degree of flexibility and discretion in reporting systems 
outages, and agrees that, given its proposed application to a mandatory 
rule, the proposed definition limited the flexibility and discretion of 
SCI entities in a manner that was overly rigid.\385\ Although the 
specific types of systems malfunctions have been removed from the 
adopted definition of systems disruption, the Commission nonetheless 
continues to believe, as suggested by one commenter,\386\ that the 
types of systems malfunctions that comprised the proposed definition 
may be useful to SCI entities to consider as indicia of a systems 
disruption.
---------------------------------------------------------------------------

    \384\ The Commission notes that, for certain SCI systems, 
``normal operation'' may include a certain degree of operational 
variability that would allow for a given amount of degradation of 
functionality (e.g., some data queuing or some slowing of response 
times) before the system's operations reach the point of being 
``significantly degraded.'' However, such variability parameters may 
be included as part of an SCI entity's policies and procedures so 
that the SCI entity and its personnel would be aware of them before 
the occurrence of systems issues.
    \385\ Commenters highlighted many examples where a rigid 
interpretation of the proposed definition had the potential to 
incorporate into the definition events that could be considered part 
of normal operation. See, e.g., supra notes 361, 364, 368, 369, 374, 
and 379 and accompanying text. As adopted, however, such events 
would not be captured by the definition of systems disruptions 
because an event that disrupts, or significantly degrades, the 
normal operation of an SCI system would not be considered the 
``normal operation'' of such SCI system.
    \386\ See supra note 354 and accompanying text.

---------------------------------------------------------------------------

[[Page 72285]]

    As discussed in the SCI Proposal \387\ and by certain 
commenters,\388\ the seven categories of malfunctions in the proposed 
definition of ``systems disruption'' have their origin in ARP staff 
guidance regarding when ARP participants should notify the Commission 
of system outages and represent practical examples that SCI entities 
should consider to be systems disruptions in many circumstances. The 
Commission notes that the revised definition is intended to address 
some commenters' concerns with the particular elements of the 
definition of systems disruption as originally proposed. For example, 
under the modified definition, if an SCI system experiences an 
unplanned outage but fails over smoothly to its backup system such that 
there is no disruption or significant degradation of the normal 
operation of the system, the outage of the primary system would not 
constitute a systems disruption. On the other hand, an SCI entity may 
determine that, even when a primary system fails over smoothly to its 
backup system such that users are not impacted by the failover, 
operating from the backup system without additional redundancy would 
not constitute normal operation. In this case, the outage of the 
primary system would fall within the definition of systems disruption. 
Further, the Commission believes it would be appropriate for an SCI 
entity to take into account regularly scheduled outages or scheduled 
maintenance as part of ``normal operations.'' \389\ In particular, a 
planned disruption to an SCI system that is a part of regularly 
scheduled outages or scheduled maintenance would not constitute a 
systems disruption or be subject to the requirements of Regulation SCI, 
if such regularly scheduled outages or scheduled maintenance are part 
of the SCI entity's normal operations. With regard to data queuing, to 
the extent that such queuing is part of the normal functionality of a 
system and does not cause a disruption or significant degradation of 
normal operations, it would not be captured by the rule, which is 
limited to events occurring to an SCI system that are outside its 
normal operations.\390\ Additionally, by eliminating the seven types of 
malfunctions from the definition as proposed, the Commission has 
responded to commenters who expressed concern that events that are 
precursors to system disruptions, such as the queuing of data, would 
themselves be systems disruptions.\391\ Similarly, by eliminating the 
seven types of malfunctions, the Commission has addressed comments that 
called for the elimination of specific elements of the proposed 
definition, such as service level agreements.\392\
---------------------------------------------------------------------------

    \387\ See Proposing Release, supra note 13, at 18101.
    \388\ See supra note 353 and accompanying text.
    \389\ See supra note 361 and accompanying text.
    \390\ See supra notes 372-377 and accompanying text.
    \391\ See supra note 377 and accompanying text.
    \392\ See supra notes 355 and 358 and accompanying text.
---------------------------------------------------------------------------

    Further, the Commission agrees with commenters that customer 
complaints may be indicia of a systems issue,\393\ but that a customer 
complaint alone would not be determinative of whether a system problem 
has occurred that meets the definition of systems disruption under 
Regulation SCI.\394\ With respect to the commenters who stated that 
losses of transaction or clearance and settlement data that are 
immediately retrieved, promptly corrected, or, for clearance and 
settlement data, resolved prior to the close of the trading day should 
not be systems disruptions, the adopted definition would exclude these 
events if they do not disrupt or significantly degrade the normal 
operations of an SCI system.\395\ However, if loss of transaction or 
clearance and settlement data disrupts or significantly degrades the 
normal operation of an SCI system, it would constitute a systems 
disruption and be subject to the requirements of Regulation SCI (e.g., 
immediate or quarterly Commission notification, depending on the impact 
of the disruption).
---------------------------------------------------------------------------

    \393\ The Commission agrees, as noted by some commenters, that 
in some instances, customer complaints may be the result of a 
problem at a system not operated by (or on behalf of) an applicable 
SCI entity, but rather a system operated by the customer itself. See 
supra note 380 and accompanying text.
    \394\ See supra notes 379-380 and accompanying text.
    \395\ See supra note 368. The Commission notes that for 
clearance and settlement systems, normal operations would include 
all steps necessary to effectuate timely and accurate end of day 
settlement. In response to the commenter who stated that the 
definition of systems disruption should be revised to include data 
that is altered or corrupted in some way, because the Commission has 
determined to eliminate the pronged approach to the definition of 
systems disruption, the Commission notes that, under the adopted 
definition, data that is altered or corrupted in some way may be a 
systems disruption if such altered or corrupted data disrupt or 
significantly degrade the affected SCI system's normal operation. 
See supra note 369.
---------------------------------------------------------------------------

    Several commenters also suggested that testing errors or other 
disruptions in development and testing environments should be excluded 
from the definition of systems disruption.\396\ The Commission notes 
that, as discussed above, development and testing systems have been 
excluded from the definition of SCI systems, and thus such disruptions 
would not be subject to the requirements of Regulation SCI.\397\
---------------------------------------------------------------------------

    \396\ See supra notes 361-363 and accompanying text.
    \397\ See supra Section IV.A.2.b (discussing the definition of 
``SCI systems'').
---------------------------------------------------------------------------

    The Commission is not incorporating a materiality threshold into 
the definition of systems disruption as requested by some 
commenters.\398\ Rather, as discussed below, the requirements of 
Regulation SCI are tiered in a manner that the Commission believes is 
responsive to commenters' concerns regarding the breadth of the 
definition of systems disruption (while stopping short of including a 
materiality standard).\399\ In particular, the Commission believes that 
the adopted Commission notification and information dissemination 
requirements for SCI events (i.e., quarterly Commission reporting of de 
minimis systems disruptions, and an exception for de minimis systems 
disruptions from the information dissemination requirement) will help 
to focus the Commission's and SCI entities' resources on the more 
significant systems disruptions. In addition, by not including a 
materiality threshold within the definition, SCI entities will be 
required to assess, take corrective action, and keep records of all 
systems disruptions, some of which may initially seem insignificant to 
an SCI entity, but which may later prove to be the cause of significant 
systems disruptions at the SCI entity. An SCI entity's records of de 
minimis systems disruptions may also be useful to the Commission in 
that they may, for example, aid the Commission in identifying patterns 
of de minimis systems disruptions that together might result in a more 
impactful SCI event, either at an SCI entity or across a group of SCI 
entities, or circumstances in which a systems disruption causes de 
minimis systems issues for one particular SCI entity but results in 
significant issues for another SCI entity. The Commission also believes 
that the ability to view de minimis SCI events in the aggregate and 
across multiple SCI

[[Page 72286]]

entities is important to the Commission and its staff to be able to 
gather information about trends related to such systems disruptions 
that could not otherwise be properly discerned. Information about 
trends will assist the Commission in fulfilling its oversight role by 
keeping Commission staff informed about the nature and frequency of the 
types of de minimis systems disruptions that SCI entities encounter. 
Moreover, information about trends can also inform the Commission of 
areas of potential weaknesses, or persistent or recurring problems, 
across SCI entities and also should help the Commission better focus on 
common types of systems disruptions with certain types of SCI systems 
across SCI entities. This information also would permit the Commission 
and its staff to issue industry alerts or guidance if appropriate. In 
addition, this information would allow the Commission and its staff to 
review SCI entities' classification of events as de minimis systems 
disruptions. Moreover, the Commission believes that, even without 
adopting a materiality threshold, the adopted definition of SCI systems 
further focuses the scope of the definition of systems disruption.\400\
---------------------------------------------------------------------------

    \398\ See supra note 347 and accompanying text.
    \399\ See Rule 1002(b)(5) and infra Section IV.B.3.c (discussing 
the Commission notification requirement for SCI events and requiring 
a quarterly summary report for de minimis systems disruptions). See 
also Rule 1002(c)(4) and infra Section IV.B.3.d (discussing 
information dissemination requirement for certain SCI events, but 
excluding de minimis systems disruptions).
    \400\ See supra Section IV.A.2.b (discussing the definition of 
``SCI systems'').
---------------------------------------------------------------------------

    The Commission also believes that it is unnecessary to modify the 
definition of systems disruption specifically to encompass disruptions 
originating from a third party, as one commenter suggested.\401\ The 
definition of systems disruption does not limit such events with 
respect to the source of the disruption, whether an internal source at 
the SCI entity or an external third party source.
---------------------------------------------------------------------------

    \401\ See supra note 345.
---------------------------------------------------------------------------

b. Systems Compliance Issue
    Proposed Rule 1000(a) would have defined the term ``systems 
compliance issue'' as ``an event at an SCI entity that has caused any 
SCI system of such entity to operate in a manner that does not comply 
with the federal securities laws and rules and regulations thereunder 
or the entity's rules or governing documents, as applicable.'' \402\ 
The Commission is adopting the definition of systems compliance issue 
substantially as proposed, with modifications to refine its scope.
---------------------------------------------------------------------------

    \402\ See proposed Rule 1000(a) and Proposing Release, supra 
note 13, at Section III.B.3.b.
---------------------------------------------------------------------------

    Two commenters stated that the term ``systems compliance issue'' 
should be deleted from the definition of SCI event entirely.\403\ One 
of these commenters stated that the inclusion of systems compliance 
issue as an SCI event would be a departure from the ARP Inspection 
Program and ARP Policy Statements.\404\ The other commenter argued that 
any report regarding a systems compliance issue is an admission that 
the SCI entity has violated a law, rule, or one of its governing 
documents, creating a risk of an enforcement action or other liability 
for the SCI entity.\405\
---------------------------------------------------------------------------

    \403\ See Omgeo Letter at 13; and NYSE Letter at 16.
    \404\ See Omgeo Letter at 14.
    \405\ See NYSE Letter at 16.
---------------------------------------------------------------------------

    Other commenters stated that the proposed definition is too broad 
and should be refined to include only those issues that are material or 
significant.\406\ Commenters' specific recommendations included 
limiting the definition to those systems compliance issues that: have a 
material and significant effect on members; \407\ can be reasonably 
expected to result in significant harm or loss to market participants 
or impact the operation of a fair and orderly market; \408\ or have a 
materially negative impact on the SCI entity's ability to perform its 
core functions.\409\ One commenter also noted that the term should be 
specifically defined to take account of an SCI entity's function, such 
as clearing agencies' ability to comply with Section 17A.\410\
---------------------------------------------------------------------------

    \406\ See, e.g., Joint SROs Letter at 2, 8; ISE Letter at 6; 
SIFMA Letter at 13; Liquidnet Letter at 3; CME Letter at 8; DTCC 
Letter at 6; OCC Letter at 13; and FINRA Letter at 17 (stating that 
systems compliance issues should be reportable only if they would 
directly impact the market or a member firm's ability to comply with 
FINRA rules). See also BATS Letter at 13.
    \407\ See ISE Letter at 6-7.
    \408\ See Liquidnet Letter at 3; and CME Letter at 8. See also 
FINRA Letter at 17.
    \409\ See DTCC Letter at 6; and OCC Letter at 13.
    \410\ See DTCC Letter at 6. See also infra Sections IV.B.3.c and 
IV.B.3.d (discussing comments with respect to systems compliance 
issues and their relation to Commission notification and information 
dissemination to members or participants).
---------------------------------------------------------------------------

    After considering the view of commenters that the proposed 
definition of systems compliance issue is too broad,\411\ the 
Commission is revising the definition to mean an event that has caused 
an SCI system to operate ``in a manner that does not comply with the 
Act'' and the rules and regulations thereunder and the entity's rules 
and governing documents, as applicable.\412\ The Commission believes 
the refinement from ``federal securities laws'' to ``the Act'' (i.e., 
the Securities Exchange Act of 1934) will appropriately focus the 
definition on Exchange Act compliance rather than other areas of the 
federal securities laws. Although the Commission did not receive 
specific comment suggesting that it amend the definition of systems 
compliance issue by using the term ``the Act'' instead of the broader 
``federal securities laws,'' commenters did suggest that the Commission 
limit the scope of the definition to only apply to those sections of 
the Act that are applicable to a particular SCI entity \413\ or the SCI 
entity's rules.\414\ The Commission agrees with these commenters 
insofar as they advocated for focusing the scope to a more specific set 
of securities laws and for reducing the burden on SCI entities, and 
further believes this refinement does not compromise the objective of 
the definition, which is to capture systems compliance issues with 
respect to SCI entities' obligations under the Exchange Act. The 
Commission believes that the refinement provides additional clarity to 
SCI entities that, for purposes of Regulation SCI, their obligations 
are with respect to compliance with the Exchange Act and the rules and 
regulations thereunder and the entity's rules and governing 
documents.\415\
---------------------------------------------------------------------------

    \411\ See supra note 406 and accompanying text.
    \412\ As noted above, proposed Rule 1000 defined systems 
compliance issue as an event at an SCI entity that has caused any 
SCI system of such entity to operate ``in a manner that does not 
comply with the federal securities laws'' and rules and regulations 
thereunder or the entity's rules and governing documents, as 
applicable.
    \413\ See supra note 410 and accompanying text.
    \414\ See supra note 406 and accompanying text.
    \415\ Notwithstanding this provision's focus on compliance with 
the Exchange Act and the rules and regulations thereunder and the 
entity's rules and governing documents, the Commission notes that 
its objective in adopting Regulation SCI is not, for example, to 
change the obligations of SCI entities that are public companies 
with respect to their disclosure obligations under the Securities 
Act of 1933. See 15 U.S.C. 77a et seq.
---------------------------------------------------------------------------

    The Commission disagrees with commenters who suggested removing 
systems compliance issues from the definition of SCI event 
altogether.\416\ Although systems compliance issues have not been 
within the scope of the ARP Inspection Program,\417\ the Commission 
believes that inclusion of systems compliance issues in the definition 
of SCI event and the resulting applicability of the Commission 
reporting, information dissemination, and recordkeeping requirements to 
systems compliance issues is important to help ensure that SCI systems 
are operated by SCI entities in compliance with the Exchange Act, rules 
thereunder, and their own rules and governing documents.
---------------------------------------------------------------------------

    \416\ See supra notes 403-405 and accompanying text.
    \417\ See supra note 404 and accompanying text. See also 
Proposing Release, supra note 13, at 18087.

---------------------------------------------------------------------------

[[Page 72287]]

    In addition, the Commission is not adopting a materiality qualifier 
\418\ or other limiting threshold \419\ in the definition of systems 
compliance issue as suggested by some commenters. Instead, the 
requirements of Regulation SCI are tiered in a manner that the 
Commission believes is responsive to commenters' concerns regarding the 
breadth of the definition of systems compliance issue.\420\ In 
particular, the Commission believes that the adopted Commission 
notification requirement and the information dissemination requirement 
(each of which provides an exception for systems compliance issues that 
have no or de minimis impacts on an SCI entity's operations or market 
participants) will help to focus the Commission's and SCI entities' 
resources on those systems compliance issues with more significant 
impacts. In addition, by not including a materiality threshold within 
the definition, SCI entities will be required to assess, take 
corrective action, and keep records of all systems compliance issues, 
some of which may initially seem to have little or no impact, but which 
may later prove to be the cause of significant systems compliance 
issues at the SCI entity. The Commission notes that all SCI entities 
are required to comply with the Exchange Act, the rules and regulations 
thereunder, and their own rules, as applicable. Therefore, even if an 
SCI entity determines that a systems compliance issue has no or a de 
minimis impact, the Commission believes that it is important that it 
have ready access to records regarding such de minimis systems 
compliance issues to allow it to more effectively oversee SCI entities' 
compliance with the Exchange Act and relevant rules. An SCI entity's 
records of de minimis systems compliance issues may also be useful to 
the Commission in that they may, for example, aid the Commission in 
identifying areas of potential weaknesses, or persistent or recurring 
problems, at an SCI entity or across multiple SCI entities. This 
information also would permit the Commission and its staff to issue 
industry alerts or guidance if appropriate. In addition, this 
information would allow the Commission and its staff to review SCI 
entities' classification of events as de minimis systems compliance 
issues.
---------------------------------------------------------------------------

    \418\ See supra notes 406-407 and 409 and accompanying text.
    \419\ See supra note 408.
    \420\ See Rule 1002(b)(5) and infra Section IV.B.3.c (discussing 
the Commission notification requirement for SCI events and the 
exclusion for de minimis systems compliance issues). See also Rule 
1002(c)(4) and infra Section IV.B.3.d (discussing the information 
dissemination requirement for certain SCI events, but excluding de 
minimis systems compliance issues).
---------------------------------------------------------------------------

    Finally, the Commission believes that, even without adopting a 
materiality threshold, the adopted definition of SCI systems, as 
described in Section IV.A.2 above, further focuses the scope of the 
definition of systems compliance issue.
    With respect to a commenter's concern that any report regarding a 
systems compliance issue would be an admission of a violation and thus 
create a risk of enforcement action or other liability,\421\ the 
Commission notes that the Commission notification requirement is not 
triggered until a responsible SCI personnel has a reasonable basis to 
conclude that a systems compliance issue has occurred.\422\ The 
Commission acknowledges that it could consider the information provided 
to the Commission in determining whether to initiate an enforcement 
action. However, the Commission notes that the occurrence of a systems 
compliance issue also does not necessarily mean that the SCI entity 
will be subject to an enforcement action. Rather, the Commission will 
exercise its discretion to initiate an enforcement action if the 
Commission determines that action is warranted, based on the particular 
facts and circumstances of an individual situation.\423\ With respect 
to the potential for other types of liability as suggested by this 
commenter, many entities that fall within the definition of SCI entity 
already currently disclose to the Commission and their members or 
participants certain information regarding systems issues, including 
issues that may potentially give rise to liability.\424\ Moreover, the 
Commission recognizes that compliance with Regulation SCI will increase 
the amount of information about SCI events available to the Commission 
and SCI entities' members and participants, and that the greater 
availability of this information has some potential to increase 
litigation risks for SCI entities, including the risk of private civil 
litigation. The Commission believes that the value of disclosure to the 
Commission, market participants and investors justifies the potential 
increase in litigation risk. Moreover, the Commission notes that, to 
the extent members and participants or the public suffer damages when 
SCI events occur, SCI entities are already subject to litigation risk.
---------------------------------------------------------------------------

    \421\ See supra note 405 and accompanying text.
    \422\ See supra Section IV.B.3.a (discussing the triggering 
standard).
    \423\ See, e.g., infra notes 626-628 and accompanying text.
    \424\ See supra Section II.B (discussing recent events related 
to systems issues).
---------------------------------------------------------------------------

    As adopted, Rule 1000 defines ``systems compliance issue'' as ``an 
event at an SCI entity that has caused any SCI system of such entity to 
operate in a manner that does not comply with the Act and the rules and 
regulations thereunder or the entity's rules or governing documents, as 
applicable.'' As noted in the SCI Proposal, a systems compliance issue 
could, for example, occur when a change to an SCI system is made by 
information technology staff, without the knowledge or input of 
regulatory staff, that results in the system operating in a manner that 
does not comply with the Act and rules thereunder or the entity's rules 
and other governing documents.\425\ For an SCI SRO, systems compliance 
issues would include SCI systems operating in a manner that does not 
comply with the SCI SRO's rules as defined in the Act and the rules 
thereunder.\426\ For a plan processor, a systems compliance issue would 
include SCI systems operating in a manner that does not comply with an 
applicable effective national market system plan. For an SCI ATS or 
exempt clearing agency subject to ARP, a systems compliance issue would 
include SCI systems operating in a manner that does not comply with 
documents such as subscriber agreements and any rules provided to 
subscribers and users and, for an ATS, described in its Form ATS 
filings with the Commission.\427\
---------------------------------------------------------------------------

    \425\ See Proposing Release, supra note 13, at 18103.
    \426\ The rules of an SCI SRO include, among other things, its 
constitution, articles of incorporation, and bylaws. See 15 U.S.C. 
78c(a)(27)-(28). See also 17 CFR 240.19b-4(c).
    \427\ Subscriber agreements and other similar documents that 
govern operations of SCI ATSs and exempt clearing agencies subject 
to ARP are generally not publicly available, but are typically 
provided to subscribers and users of such entities. See 17 CFR 
242.301(b) for a description of the filing requirements for ATSs.
---------------------------------------------------------------------------

c. Systems Intrusion
    Proposed Rule 1000(a) defined ``systems intrusion'' as ``any 
unauthorized entry into the SCI systems or SCI security systems of an 
SCI entity.'' \428\ The proposed definition is being adopted as 
proposed, with one technical modification to replace the term ``SCI 
security systems'' with ``indirect SCI systems.'' \429\
---------------------------------------------------------------------------

    \428\ See proposed Rule 1000(a) and Proposing Release, supra 
note 13, at Section III.B.3.c.
    \429\ See supra Section IV.A.2.d (discussing the definition of 
``indirect SCI systems'').
---------------------------------------------------------------------------

    While one commenter noted its general support for the inclusion of 
systems intrusions within the scope of

[[Page 72288]]

Regulation SCI,\430\ this commenter and others stated that the proposed 
definition was too broad or vague.\431\ Several commenters asserted 
that the proposed definition would capture too many insignificant and 
minor incidents.\432\ Some commenters recommended limiting the 
definition to material systems intrusions, and offered various 
suggestions for how to do so.\433\
---------------------------------------------------------------------------

    \430\ See NYSE Letter at 15.
    \431\ See, e.g., NYSE Letter at 15; BATS Letter at 12; DTCC 
Letter at 7; Omgeo Letter at 11; SIFMA Letter at 10-11; and Joint 
SROs Letter at 7.
    \432\ See, e.g., BATS Letter at 12; DTCC Letter at 7; Omgeo 
Letter at 11; SIFMA Letter at 10-11; and Joint SROs Letter at 7.
    \433\ See, e.g., NYSE Letter at 15 (recommending that the 
definition include only major intrusions that pose a plausible risk 
to the trading, routing, or clearance and settlement operations of 
the exchange or to required market data transmission); Omgeo Letter 
at 11-12 (expressing concern that the definition did not contain a 
reference to the materiality of an intrusion, nor the intrusion's 
impact on markets or market participants); DTCC Letter at 7 
(suggesting that the definition capture only unauthorized entries 
where the SCI entity has reason to believe such entry could 
materially impact its ability to perform its core functions or 
critical operations); Joint SROs Letter at 7 (stating that the 
definition should include only those intrusions that the SCI entity 
reasonably estimated would result in significant harm or loss to 
market participants); FINRA Letter at 18 (arguing that only 
intrusions that have a material impact on the SCI system or a direct 
impact on the market or market participants should be included); and 
OCC Letter at 13 (suggesting, as an alternative to a ``risk-based'' 
approach, that the definition be limited to any unauthorized entry 
into the SCI systems or SCI security systems of an SCI entity, which 
the SCI entity reasonably believes may materially impact its ability 
to perform its core functions or critical operations).
---------------------------------------------------------------------------

    One commenter stated that the proposed definition was overbroad 
because it would include both intentional and unintentional conduct, as 
well as events that have no adverse impact.\434\ Another commenter also 
stated that the definition should be modified to make clear that an 
intrusion that is inadvertent would not qualify as a systems 
intrusion.\435\ This commenter further stated that a systems intrusion 
should be limited to unauthorized access to confidential information or 
to the SCI systems of an SCI entity that materially disrupts the 
operations of such systems.\436\ Another commenter suggested that the 
definition focus on the unauthorized control of the confidentiality, 
integrity, or availability of an SCI system and/or its data.\437\
---------------------------------------------------------------------------

    \434\ See, e.g., BATS Letter at 12.
    \435\ See SIFMA Letter at 11.
    \436\ See id.
    \437\ See NYSE Letter at 15.
---------------------------------------------------------------------------

    Some commenters noted that the proposed definition of systems 
intrusion did not take into account the multi-layered nature of today's 
technology systems. Two commenters stated that the multi-layered 
protections of systems architecture are designed to anticipate 
intrusions into the outer layer without material risk or impact, thus 
intrusions into such a peripheral system should not constitute a 
systems intrusion under the rule.\438\
---------------------------------------------------------------------------

    \438\ See SIFMA Letter at 11; and Omgeo Letter at 12. The 
Commission discusses below the comments that advocated greater 
Commission use of FS-ISAC for reporting systems intrusions.
---------------------------------------------------------------------------

    Several commenters stated that only successful systems intrusions 
should be covered in the definition.\439\ One commenter suggested that 
this concept be made explicit in the rule text by adding the term 
``successful'' to the definition.\440\ Two commenters, while supporting 
the inclusion of only successful systems intrusions in the definition, 
pointed out the value of sharing information regarding unsuccessful 
systems intrusions, stating that this practice already occurs today 
among SCI entities, their regulators, and appropriate law enforcement 
agencies.\441\
---------------------------------------------------------------------------

    \439\ See BIDS Letter at 17; SIFMA Letter at 11; NYSE Letter at 
15; DTCC Letter at 8.
    \440\ See NYSE Letter at 15.
    \441\ See BIDS Letter at 17; and DTCC Letter at 8.
---------------------------------------------------------------------------

    As adopted, Rule 1000 defines ``systems intrusion'' to mean ``any 
unauthorized entry into the SCI systems or indirect SCI systems of an 
SCI entity.'' This definition is intended to cover any unauthorized 
entry into SCI systems or indirect SCI systems, regardless of the 
identity of the person committing the intrusion (whether they are 
outsiders, employees, or agents of the SCI entity), and regardless of 
whether or not the intrusion was part of a cyber attack, potential 
criminal activity, or other unauthorized attempt to retrieve, 
manipulate, or destroy data, or access or disrupt systems of SCI 
entities. Thus, for example, this definition is intended to cover the 
introduction of malware or other attempts to disrupt SCI systems or 
indirect SCI systems provided that such systems were actually breached. 
In addition, the definition is intended to cover unauthorized access, 
whether intentional or inadvertent, by employees or agents of the SCI 
entity that resulted from weaknesses in the SCI entity's access 
controls and/or procedures. In response to comments, the Commission 
emphasizes that the definition of systems intrusion does not include 
unsuccessful attempts at unauthorized entry because an unsuccessful 
systems intrusion is much less likely to disrupt the systems of an SCI 
entity than a successful intrusion. The Commission believes that it is 
unnecessary and redundant to specifically state in the definition of 
systems intrusion that unauthorized entries must be ``successful'' 
because the term ``entry'' incorporates the concept of successfully 
gaining access to an SCI system or indirect SCI system.
    Further, the Commission is not incorporating a materiality 
threshold for the definition of systems intrusion or otherwise limiting 
the definition of systems intrusion to only those systems intrusions 
that are major or significant as requested by some commenters. The 
Commission believes that, even without adopting a materiality 
threshold, the adopted definitions of SCI systems and indirect SCI 
systems further focus the scope of the definition of systems intrusion. 
Further, because any unauthorized entry into an SCI system or indirect 
SCI system is a security breach of which the Commission, having 
responsibility for oversight of the U.S. securities markets, should be 
notified, the Commission is not including a materiality threshold. In 
addition, as discussed below, the requirements of Regulation SCI are 
tiered in a manner that the Commission believes is responsive to 
commenters' concerns regarding the breadth of the definition of systems 
intrusion.\442\ By not including a materiality threshold within the 
definition, SCI entities will be required to assess, take corrective 
action, and keep records of all systems intrusions, some of which may 
initially seem insignificant to an SCI entity, but which may later 
prove to be the cause of significant systems issues at the SCI entity. 
An SCI entity's records of de minimis systems intrusions may also be 
useful to the Commission in that they may, for example, aid the 
Commission in identifying patterns of de minimis systems intrusions 
that together might result in a more impactful SCI event, either at an 
SCI entity or across a group of SCI entities, or circumstances in which 
a systems intrusion causes de minimis systems issues for one particular 
SCI entity but results in significant issues for another SCI entity. 
The Commission also believes that the ability to view de minimis 
systems intrusions in the aggregate and across multiple SCI entities is 
important to allow the Commission and its staff to be able to gather 
information about trends related to such systems intrusions that could 
not otherwise be properly discerned. Information about trends will

[[Page 72289]]

assist the Commission in fulfilling its oversight role by keeping 
Commission staff informed about the nature and frequency of the types 
of de minimis systems intrusions that SCI entities encounter. Moreover, 
information about trends and notifications of de minimis systems 
intrusions generally can also inform the Commission of areas of 
potential weaknesses, or persistent or recurring problems, across SCI 
entities and also should help the Commission better focus on common 
types of systems intrusions or issues with certain types of SCI systems 
across SCI entities. This information also would permit the Commission 
and its staff to issue industry alerts or guidance if appropriate. In 
addition, this information would allow the Commission and its staff to 
review SCI entities' classification of events as de minimis systems 
intrusions.
---------------------------------------------------------------------------

    \442\ See Rule 1002(b)(5) and infra Section IV.B.3.c (discussing 
the Commission notification requirement for SCI events and requiring 
a quarterly summary report for de minimis systems intrusions). See 
also Rule 1002(c)(4) and infra Section IV.B.3.d (discussing 
information dissemination requirement for certain SCI events, but 
excluding de minimis systems intrusions).
---------------------------------------------------------------------------

    The Commission also is not distinguishing between intentional and 
unintentional systems intrusions, as suggested by some commenters.\443\ 
The Commission acknowledges that intentional systems intrusions may 
result in more severe disruptions to the systems of an SCI entity than 
unintentional or inadvertent intrusions. On the other hand, the 
Commission believes that it should be notified of successful 
unintentional or inadvertent systems intrusions because they can still 
indicate weaknesses in a system's security controls. To the extent that 
these systems intrusions have no or a de minimis impact on the SCI 
entity's operations or on market participants, they will only be 
subject to a quarterly reporting requirement and will be excepted from 
the information dissemination requirement.\444\
---------------------------------------------------------------------------

    \443\ See supra notes 434-435 and accompanying text.
    \444\ See Rule 1002(b)(5) and infra Section IV.B.3.c (discussing 
the Commission notification requirement for SCI events and requiring 
a quarterly summary report for de minimis systems intrusions). See 
Rule 1002(c)(4), and infra Section IV.B.3.d (discussing the 
information dissemination requirements for certain SCI events, but 
excluding de minimis systems intrusions).
---------------------------------------------------------------------------

    Additionally, the Commission does not agree that the definition of 
systems intrusion should be limited to unauthorized access to 
confidential information \445\ or should be focused on the unauthorized 
control of the confidentiality, integrity, or availability of an SCI 
system and/or its data \446\ because the Commission believes that these 
modifications would create a definition that would limit the 
Commission's ability to be aware of events that fall outside the 
limited definition that commenters suggested but that could, for 
example, have industry-wide implications. Similarly, with respect to 
the comment that intrusions into a peripheral system should not 
constitute a systems intrusion because the multi-layered protections of 
systems architecture are designed to anticipate intrusions into the 
outer layer and help prevent material risk or impact,\447\ the 
Commission believes that its discussion of indirect SCI systems in 
Section IV.A.2.d above responds to commenters' concerns by explaining 
that systems intrusions into an indirect SCI system could cause or 
increase the likelihood of an SCI event with respect to an SCI system. 
And to the extent a system intrusion occurs with respect to an SCI 
system or indirect SCI system but the SCI entity's multi-layered 
systems architecture helps prevent material risk or impact, the 
Commission notes that de minimis systems intrusions (if such a system 
intrusion was determined to be de minimis) would be subject to less 
frequent Commission reporting requirements and would not be subject to 
the information dissemination requirements.
---------------------------------------------------------------------------

    \445\ See supra note 436 and accompanying text.
    \446\ See supra note 437 and accompanying text.
    \447\ See supra note 438 and accompanying text.
---------------------------------------------------------------------------

B. Obligations of SCI Entities--Rules 1001-1004

    Proposed Rules 1000(b)(1)-(9) are renumbered as adopted Rules 1001-
1004. Adopted Rule 1001 corresponds to proposed Rules 1000(b)(1)-(2) 
and contains the policies and procedures requirements for SCI entities 
with respect to operational capability and the maintenance of fair and 
orderly markets (Rule 1001(a)), systems compliance (Rule 1001(b)), and 
identification and designation of responsible SCI personnel and 
escalation procedures (Rule 1001(c)).\448\ Adopted Rule 1002 
corresponds to proposed Rules 1000(b)(3)-(5) and contains the 
obligations of SCI entities with respect to SCI events, which include 
corrective action, Commission notification, and information 
dissemination. Adopted Rule 1003 corresponds to proposed Rules 
1000(b)(6)-(8) and contains requirements relating to material systems 
changes and SCI reviews. Finally, adopted Rule 1004 corresponds to 
proposed Rule 1000(b)(9) and contains requirements relating to business 
continuity and disaster recovery plan testing, including requiring 
participation of designated members or participants of SCI entities in 
such testing.
---------------------------------------------------------------------------

    \448\ Rule 1001(c), which relates to the triggering standard for 
Rule 1002, is discussed below in Section IV.B.3.a.
---------------------------------------------------------------------------

1. Policies and Procedures To Achieve Capacity, Integrity, Resiliency, 
Availability and Security--Rule 1001(a)
a. Proposed Rule 1000(b)(1)
    Proposed Rule 1000(b)(1) would have required an SCI entity to: (1) 
Establish, maintain, and enforce written policies and procedures 
reasonably designed to ensure that its SCI systems and, for purposes of 
security standards, SCI security systems, have levels of capacity, 
integrity, resiliency, availability, and security, adequate to maintain 
the SCI entity's operational capability and promote the maintenance of 
fair and orderly markets; and (2) include certain required elements in 
such policies and procedures. As proposed, these policies and 
procedures were required to provide for: (A) The establishment of 
reasonable current and future capacity planning estimates; (B) periodic 
capacity stress tests of systems to determine their ability to process 
transactions in an accurate, timely, and efficient manner; (C) a 
program to review and keep current systems development and testing 
methodology; (D) regular reviews and testing of systems, including 
backup systems, to identify vulnerabilities pertaining to internal and 
external threats, physical hazards, and natural or manmade disasters; 
(E) business continuity and disaster recovery plans that include 
maintaining backup and recovery capabilities sufficiently resilient and 
geographically diverse to ensure next business day resumption of 
trading and two-hour resumption of clearance and settlement services 
following a wide-scale disruption; and (F) standards that result in 
systems being designed, developed, tested, maintained, operated, and 
surveilled in a manner that facilitates the successful collection, 
processing, and dissemination of market data.
    Proposed Rule 1000(b)(1)(i) also provided that an SCI entity's 
applicable policies and procedures would be deemed to be reasonably 
designed if they were consistent with ``current SCI industry 
standards.'' Proposed Rule 1000(b)(1)(ii) provided that ``current SCI 
industry standards'' were to be comprised of ``information technology 
practices that are widely available for free to information technology 
professionals in the financial sector . . . and issued by an 
authoritative body that is a U.S. governmental entity or agency, 
association of U.S. governmental entities or agencies, or widely

[[Page 72290]]

recognized organization.'' \449\ The SCI Proposal also included, on 
``Table A,'' a list of publications that the Commission had 
preliminarily identified as examples of current SCI industry standards 
in each of nine information security domains.\450\ The SCI Proposal 
stated that an SCI entity, taking into account its nature, size, 
technology, business model, and other aspects of its business, could, 
but would not be required to, use the publications listed on Table A to 
establish, maintain, and enforce reasonably designed policies and 
procedures that satisfy the requirements of proposed Rule 
1000(b)(1).\451\ The SCI Proposal also stated that ``current SCI 
industry standards'' were not limited to those identified in the 
publications on Table A and could include other publications meeting 
the proposed criteria for ``current SCI industry standards.'' \452\ In 
addition, proposed Rule 1000(b)(1)(ii) stated that compliance with 
``current SCI industry standards'' would not be the exclusive means to 
comply with the requirements of proposed Rule 1000(b)(1).\453\
---------------------------------------------------------------------------

    \449\ See Proposing Release, supra note 13, at 18178.
    \450\ The domains covered in Table A of the SCI Proposal are: 
application controls; capacity planning; computer operations and 
production environment controls; contingency planning; information 
security and networking; audit; outsourcing; physical security; and 
systems development methodology. See id. at 18111.
    \451\ See id. at 18110.
    \452\ See id. at 18110 (stating that an SCI entity could elect 
standards contained in publications other than those identified on 
proposed Table A to comply with the rule).
    \453\ See id. at 18109.
---------------------------------------------------------------------------

b. Comments Received on Proposed Rule 1000(b)(1) and Commission 
Response
i. Policies and Procedures Generally--Rules 1001(a)(1) and (3)
    The Commission received a wide range of comments on proposed Rule 
1000(b)(1). With respect to policies and procedures generally, some 
commenters believed the proposal was too prescriptive.\454\ Several 
characterized it as a ``one-size-fits-all'' approach that did not 
adequately take into account differences between SCI entities and SCI 
entity systems.\455\ Several commenters objecting to the rule as too 
prescriptive urged that the adopted rule incorporate a risk-based 
framework, so that SCI entities and/or systems of greater criticality 
would be required to adhere to a stricter set of policies and 
procedures than SCI entities and/or systems of lesser criticality.\456\ 
These commenters maintained that each SCI entity should have discretion 
to calibrate its policies and procedures based on its own assessment of 
the criticality of the SCI entity and its systems to market stability, 
or that the Commission should ``tier'' the obligations of SCI entities 
or SCI entity systems based on their market function.\457\
---------------------------------------------------------------------------

    \454\ See, e.g., Angel Letter at 2, 8; BIDS Letter at 7; FIF 
Letter at 3-4; Joint SROs Letter at 4; LiquidPoint Letter at 3-4; 
MFA Letter at 3; and SIFMA Letter at 12-13.
    \455\ See, e.g., FIF Letter at 3-4; FINRA Letter at 31; Joint 
SROs Letter at 4; KCG Letter at 2-3, 6-8; LiquidPoint Letter at 3-4; 
MFA Letter at 3; OCC Letter at 3-4; SIFMA Letter at 12-13; UBS 
Letter at 2-4; Tellefsen Letter at 13; and BIDS Letter at 2-3, 6-9.
    \456\ See, e.g., Joint SROs Letter at 4; LiquidPoint Letter at 
3; MFA Letter at 3; and SIFMA Letter at 8, 12-13. See also FIF 
Letter at 4; MSRB Letter at 3; Fidelity Letter at 2; NYSE Letter at 
3, 4, 21; FINRA Letter at 13-14; and OCC Letter at 3.
    \457\ See, e.g., Joint SROs Letter at 4; FINRA Letter at 13-14; 
MSRB Letter at 3; MFA Letter at 6; NYSE Letter at 3, 4, and 21; 
SIFMA Letter at 12-13; FIF Letter at 4; Fidelity Letter at 2; and 
OCC Letter at 3.
---------------------------------------------------------------------------

    In contrast, some commenters stated that the Commission's proposed 
approach was too vague or insufficient.\458\ For example, one commenter 
characterized the minimum elements of policies and procedures in 
proposed Rule 1000(b)(1)(A)-(F) as ``so vague that they will fail to 
provide any meaningful improvement in technological systems.'' \459\ 
Another commenter stated that the proposed scope of required policies 
and procedures was appropriate, but that further elaboration on the 
details was warranted.\460\ One commenter stated that the proposed rule 
lacked adequate discussion of what it means for policies and procedures 
to be reasonably designed ``to maintain . . . operational capability 
and promote the maintenance of fair and orderly markets.'' \461\
---------------------------------------------------------------------------

    \458\ See Better Markets Letter at 3-5; CAST Letter at 4; CISQ 
Letter at 2, 5; CISQ2 Letter at 5; and Direct Edge Letter at 4.
    \459\ See Better Markets Letter at 3.
    \460\ See CISQ Letter at 2.
    \461\ See Direct Edge Letter at 4.
---------------------------------------------------------------------------

    The Commission has carefully considered the views of commenters on 
its proposed policies and procedures approach to ensuring adequate 
capacity, integrity, resiliency, availability, and security of SCI 
systems (and security for indirect SCI systems). The Commission agrees 
with commenters who stated that requiring SCI entities to have policies 
and procedures relating to the capacity, integrity, resiliency, 
availability, and security of SCI systems (and security for indirect 
SCI systems) should not be a ``one-size-fits-all'' approach and, as 
discussed in detail below, is therefore clarifying that the adopted 
rule is consistent with a risk-based approach, as it allows an SCI 
entity's policies and procedures to be tailored to a particular 
system's criticality and risk. As noted above, while some commenters 
characterized the proposed rule as too vague and sought further 
specificity, others found the rule to be too prescriptive. The 
Commission believes that the adopted rule provides an appropriate 
balance between these two opposing concerns by providing a framework 
that identifies the minimum areas that are required to be addressed by 
an SCI entity's policies and procedures without prescribing the 
specific policies and procedures that an SCI entity must follow, or 
detailing how each element in Rule 1001(a)(2) should be addressed. 
Given the various types of systems at SCI entities, each of which 
represents a different level of criticality and risk to each SCI entity 
and to the securities markets more broadly, the adopted rule seeks to 
provide flexibility to SCI entities to design their policies and 
procedures consistent with a risk-based approach, as discussed in 
further detail below. At the same time, because the Commission believes 
that additional guidance on how an SCI entity may comply with the rule 
is warranted in certain areas, the Commission is providing further 
guidance below. In response to comment, the Commission is adopting Rule 
1001(a) with modifications that it believes will better provide SCI 
entities with sufficient flexibility to develop their policies and 
procedures to achieve robust systems, while also providing guidance on 
how an SCI entity may comply with the final rule. Specifically, adopted 
Rule 1001(a) is modified to: (i) Clarify that the rule is consistent 
with a risk-based approach that requires more robust policies and 
procedures for higher-risk systems and provides an SCI entity with 
flexibility to tailor its policies and procedures to the nature of its 
business, technology, and the relative criticality of each of its SCI 
systems; (ii) make clear that an SCI entity's reasonable policies and 
procedures remain subject to ongoing self-assessment; (iii) provide 
increased flexibility in the manner in which an SCI entity may satisfy 
the minimum elements of required policies and procedures; and (iv) 
revise the criteria for ``current SCI industry standards.'' In 
addition, proposed Table A is recharacterized and will be issued as 
staff guidance that will evolve over time.
Response to Commenters Advocating a Risk-Based Approach
    Adopted Rule 1001(a)(1) requires each SCI entity to establish, 
maintain, and enforce written policies and procedures

[[Page 72291]]

reasonably designed to ensure that its SCI systems and, for purposes of 
security standards, indirect SCI systems, have levels of capacity, 
integrity, resiliency, availability, and security, adequate to maintain 
the SCI entity's operational capability and promote the maintenance of 
fair and orderly markets. The text of this part of the rule is largely 
unchanged from the proposal. Although several commenters expressed 
concern that the proposed rule would have imposed a ``one-size-fits-
all'' approach, requiring all SCI entities to hold all of their SCI 
systems to the same standards,\462\ this was not the intent of proposed 
Rule 1000(b)(1), nor is it what adopted Rule 1001(a)(1) requires. By 
requiring an SCI entity to have policies and procedures ``reasonably 
designed'' and ``adequate'' to maintain operational capability and 
promote the maintenance of fair and orderly markets, the adopted rule 
provides an SCI entity with flexibility to determine how to tailor its 
policies and procedures to the nature of its business, technology, and 
the relative criticality of each of its SCI systems.\463\ Although the 
adopted rule does not assign differing obligations to an SCI entity 
based on its registration status, or its general market function, as 
some commenters urged, by allowing each SCI entity to tailor its 
policies and procedures accordingly, the adopted approach recognizes 
that there are differences between, and varying roles played by, 
different systems at various SCI entities. In tandem with the refined 
definition of ``SCI systems,'' the modified definition of ``SCI 
security systems'' (adopted as ``indirect SCI systems''), and the new 
definition of ``critical SCI systems,'' \464\ adopted Rule 1001(a)(1) 
explicitly recognizes that policies and procedures that are 
``reasonably designed'' and ``adequate'' to maintain operational 
capability and promote the maintenance of fair and orderly markets for 
critical SCI systems may differ from those that are ``reasonably 
designed'' and ``adequate'' to maintain operational capability and 
promote the maintenance of fair and orderly markets for other SCI 
systems, or indirect SCI systems. As such, the Commission believes that 
its adopted approach in Regulation SCI is consistent with a risk-based 
approach, and that adopted Regulation SCI may result in the systems of 
certain SCI entities (for example, those that have few or no critical 
SCI systems) generally being subject to less stringent policies and 
procedures than the systems of other SCI entities. Thus, a risk 
assessment is appropriate for an SCI entity to determine how to tailor 
its policies and procedures for its SCI systems and indirect SCI 
systems.
---------------------------------------------------------------------------

    \462\ See supra note 455 and accompanying text.
    \463\ See Proposing Release, supra note 13, at 18109 (stating: 
``The Commission intends to . . . provide SCI entities sufficient 
flexibility, based on the nature, size, technology, business model, 
and other aspects of their business, to identify appropriate 
policies and procedures that would meet the articulated standard, 
namely that they be reasonably designed to ensure that their systems 
have levels of capacity, integrity, resiliency, availability, and 
security adequate to maintain the SCI entity's operational 
capability and promote the maintenance of fair and orderly 
markets.'').
    \464\ As a result of these changes, the adopted rule applies to 
fewer systems than as proposed, and only to those types of systems 
that the Commission believes pose significant risk to market 
integrity if not adequately safeguarded.
---------------------------------------------------------------------------

    The Commission also believes that requiring an SCI entity to tailor 
its policies and procedures so that they are reasonably designed and 
adequate will entail that an SCI entity assess the relative criticality 
and risk of each of its SCI systems and indirect SCI systems. 
Evaluation of the risk posed by any particular SCI system to the SCI 
entity's operational capability and the maintenance of fair and orderly 
markets will be the responsibility of the SCI entity in the first 
instance. The Commission believes this approach will achieve the goal 
of improving Commission review and oversight of U.S. securities market 
infrastructure, but will do so within a more focused framework than as 
proposed. By being subject to requirements for a more targeted set of 
SCI systems, and guided by consideration of the relative risk of each 
of its SCI systems, SCI entities may more easily determine how to 
allocate their resources to achieve compliance with the regulation than 
they would have under the proposed regulation.
    As noted above, one commenter urged the Commission to discuss what 
it means for policies and procedures to be reasonably designed ``to 
maintain . . . operational capability and promote the maintenance of 
fair and orderly markets.'' \465\ This commenter characterized the 
proposed standard of ``maintaining operational capability'' as an 
``introspective standard relevant to the applicable SCI entity,'' and 
the proposed standard of ``promoting the maintenance of fair and 
orderly markets'' as implying ``some incremental responsibility to the 
collective market.'' \466\ The Commission agrees with this commenter's 
characterization and believes that it is appropriate for SCI entities 
to assess the risk of their systems taking into consideration both 
objectives, which are related and complementary.\467\ Specifically, the 
Commission believes that it is important that an SCI entity's policies 
and procedures are reasonably designed to ensure its own operational 
capability, including the ability to maintain effective operations, 
minimize or eliminate the effect of performance degradations, and have 
sufficient backup and recovery capabilities. At the same time, an SCI 
entity's own operational capability can have broader effects and, as 
entities that play a significant role in the U.S. securities markets 
and/or have the potential to impact investors, the overall market, or 
the trading of individual securities,\468\ the Commission believes that 
the policies and procedures should also be reasonably designed to 
promote the maintenance of fair and orderly markets.
---------------------------------------------------------------------------

    \465\ See supra note 461 and accompanying text.
    \466\ See Direct Edge Letter at 4.
    \467\ The Commission notes that the identification of ``critical 
SCI systems'' in Regulation SCI emphasizes that some systems pose 
greater risk than others to the maintenance of fair and orderly 
markets if they malfunction, and that it is appropriate for an SCI 
entity to consider the risk to other SCI entities and market 
participants in the event of a systems malfunction.
    \468\ See supra note 59 and accompanying text.
---------------------------------------------------------------------------

Periodic Review
    Some commenters expressed concern that, when an SCI entity's 
policies and procedures fail to prevent an SCI event, the Commission 
might use such failure as the basis for an enforcement action, charging 
that the policies and procedures were not reasonable.\469\ One 
commenter suggested that the Commission's focus should be on an 
entity's adherence to its own set of policies and procedures, developed 
based on ``experience, annual SCI reviews, and other inputs,'' rather 
than a ``set of generic standards.'' \470\
---------------------------------------------------------------------------

    \469\ See, e.g., BATS Letter at 3-4; Angel Letter at 2; and FSR 
Letter at 5. See also ITG Letter at 14 (stating that no set of 
policies and procedures could guarantee perfect operational 
compliance); and NYSE Letter at 32 (urging inclusion of a good faith 
safe harbor).
    \470\ See FIF Letter at 4.
---------------------------------------------------------------------------

    In response to these comments, the Commission notes that the 
reasonably designed policies and procedures approach taken in adopted 
Rule 1001(a) does not require an entity to guarantee flawless systems. 
But the Commission believes it should be understood to require 
diligence in maintaining a reasonable set of policies and procedures 
that keeps pace with changing technology and circumstances and does not 
become outdated over time. The Commission is therefore adopting a 
requirement for periodic review by an SCI entity of the effectiveness 
of its policies and procedures required by Rule 1001(a), and prompt 
action by the SCI entity to

[[Page 72292]]

remedy deficiencies in such policies and procedures.\471\ An SCI entity 
will not be found to be in violation of this maintenance requirement 
solely because it failed to identify a deficiency in its policies and 
procedures immediately after the deficiency occurred if the SCI entity 
takes prompt action to remedy the deficiency once it is discovered, and 
the SCI entity had otherwise reviewed the effectiveness of its policies 
and procedures and took prompt action to remedy those deficiencies that 
were discovered, as required by Rule 1001(a)(3).
---------------------------------------------------------------------------

    \471\ See Rule 1001(a)(3).
---------------------------------------------------------------------------

    Further, the occurrence of a systems disruption or systems 
intrusion will not necessarily mean that an SCI entity has violated 
Rule 1001(a), or that it will be subject to an enforcement action for 
violation of Regulation SCI. The Commission will exercise its 
discretion to initiate an enforcement action if the Commission 
determines that such action is warranted, based on the particular facts 
and circumstances. While a systems problem may be probative as to the 
reasonableness of an SCI entity's policies and procedures, it is not 
determinative.
ii. Minimum Elements of Reasonable Policies and Procedures--Rule 
1001(a)(2)
    Proposed Rule 1000(b)(1)(i) would have required that an SCI 
entity's policies and procedures provide for, at a minimum: (A) The 
establishment of reasonable current and future capacity planning 
estimates; (B) periodic capacity stress tests of systems to determine 
their ability to process transactions in an accurate, timely, and 
efficient manner; (C) a program to review and keep current systems 
development and testing methodology; (D) regular reviews and testing of 
systems, including backup systems, to identify vulnerabilities 
pertaining to internal and external threats, physical hazards, and 
natural or manmade disasters; (E) business continuity and disaster 
recovery plans that include maintaining backup and recovery 
capabilities sufficiently resilient and geographically diverse to 
ensure next business day resumption of trading and two-hour resumption 
of clearance and settlement services following a wide-scale disruption; 
and (F) standards that result in systems being designed, developed, 
tested, maintained, operated, and surveilled in a manner that 
facilitates the successful collection, processing, and dissemination of 
market data. References to ``systems'' in the proposed rule were to the 
proposed definition of SCI systems, and with respect to security 
standards only, the proposed definition of SCI security systems.
    Adopted Rule 1001(a)(2) includes the items formerly proposed as 
Rules 1001(b)(1)(i)(A)-(F) as renumbered Rules 1001(2)(i)-(vi) and a 
new item (vii), relating to monitoring of SCI systems. Proposed items 
(A), (D), and (E) are revised in certain respects in response to 
comment. In addition, the Commission discusses below each of the 
adopted provisions of Rule 1001(a)(2) in the context of the adopted 
definitions of SCI systems and indirect SCI systems, where 
relevant.\472\
---------------------------------------------------------------------------

    \472\ In particular, the Commission is adopting the language of 
items (B) and (C) as proposed (renumbered as Rule 1001(a)(2)(ii) and 
(iii), respectively) but elaborates on the scope of these 
provisions, as well as the scope of revised item (D) (renumbered as 
Rule 1001(a)(2)(iv)), in the context of the adopted definitions 
of SCI systems and indirect SCI systems.
---------------------------------------------------------------------------

Capacity Planning
    The SCI Proposal stated that policies and procedures for the 
establishment of reasonable current and future capacity planning 
(proposed item (A)) would help an SCI entity determine its systems' 
ability to process transactions in an accurate, timely, and efficient 
manner, and thereby help ensure market integrity.\473\ One commenter 
expressed support for the requirement in proposed item (A),\474\ and 
another commenter recommended that proposed item (A) be revised to make 
clear that SCI entity capacity planning estimates apply to ``technology 
infrastructure'' capacity, as opposed to capacity with respect to non-
technology infrastructure of an SCI entity.\475\ Because the Commission 
intended proposed item (A) to relate to capacity planning for SCI 
systems, rather than capacity planning more broadly (for example, in 
relation to an SCI entity's office space), the Commission is including 
this suggested clarification in adopted Rule 1001(a)(2)(i), and thus 
requires that an SCI entity's policies and procedures include the 
establishment of reasonable current and future technology 
infrastructure capacity planning estimates.
---------------------------------------------------------------------------

    \473\ See Proposing Release, supra note 13, at 18107.
    \474\ See MSRB Letter at 9.
    \475\ See DTCC Letter at 14-15. The Commission also received 
comments in regard to capacity planning as it relates to proposed 
industry standards on the capacity planning domain set out in 
proposed Table A. See, e.g., infra note 580 and accompanying text.
---------------------------------------------------------------------------

Stress Testing
    A few commenters raised concerns about proposed item (B), which 
required periodic capacity stress tests.\476\ Some of these commenters 
urged that the adopted rule provide an SCI entity with flexibility to 
determine, using a risk-based assessment, when capacity stress tests 
are appropriate.\477\ Others suggested that capacity stress tests be 
required in specified circumstances or time frames, such as when new 
capabilities are released into production,\478\ whenever required 
system capacity increases by 10 percent, on a quarterly basis, or in 
conjunction with any material systems change.\479\ One commenter 
suggested that SCI entities should supplement dynamic stress and load 
testing with static analysis, a technique used to help uncover 
structural weaknesses in software.\480\ In proposing item (B), the 
Commission intended for SCI entities to engage in a careful risk-based 
assessment (as suggested by some commenters) \481\ of their SCI systems 
to determine when to stress test their systems.\482\ Rule 1001(a)(2)(ii), 
as adopted, affords SCI entities the flexibility to consider the 
factors suggested by commenters, as appropriate for their specific 
systems and circumstances.\483\ The adopted rule does not prescribe a 
particular frequency or trigger for stress testing, however, because 
the Commission believes that, in light of the variability in SCI 
systems, an SCI entity's experience with its particular systems

[[Page 72293]]

and assessment of risk in this area will dictate when capacity stress 
testing is warranted. The requirement for periodic capacity stress 
tests of systems to determine their ability to process transactions in 
an accurate, timely, and efficient manner is therefore adopted as 
proposed as Rule 1001(a)(2)(ii).
---------------------------------------------------------------------------

    \476\ See, e.g., CISQ Letter at 5; DTCC Letter at 14; Lauer 
Letter at 6; MSRB Letter at 9; OCC Letter at 10; and SIFMA Letter at 
12.
    \477\ See DTCC Letter at 14; and OCC Letter at 10. See also 
SIFMA Letter at 12 (suggesting that periodic capacity monitoring 
would be more appropriate and cost-effective than periodic capacity 
stress testing).
    \478\ See MSRB Letter at 9.
    \479\ See Lauer Letter at 6.
    \480\ See CISQ Letter at 5. See also infra notes 491 and 497, 
and 498 and accompanying text (further discussing this comment and 
the commenter's views on the value of assessing the structural 
quality of software).
    \481\ See supra note 477 and accompanying text.
    \482\ In response to the commenter that suggested periodic 
capacity monitoring would be more appropriate and cost-effective 
than periodic capacity stress testing, see supra note 477 and 
accompanying text, the Commission believes that such monitoring is 
appropriate and may play an important role in an SCI entity's 
assessing when to stress test its systems. However, the Commission 
continues to believe that stress testing is necessary to help an SCI 
entity determine its systems' ability to process transactions in an 
accurate, timely, and efficient manner, and thereby help ensure 
market integrity. See Proposing Release, supra note 13, at 18107. 
While monitoring may be a cost-effective method to determine when a 
stress test is warranted, the Commission does not believe monitoring 
alone will be an effective substitute for stress testing, which, 
unlike monitoring, is designed to challenge systems capacity.
    \483\ See supra notes 478-479 and accompanying text.
---------------------------------------------------------------------------

Systems Development and Testing Methodology
    In the SCI Proposal, the Commission explained that proposed item 
(C), which would require SCI entities to have policies and procedures 
for a ``program to review and keep current systems development and 
testing methodology,'' would help an SCI entity monitor and maintain 
systems capacity and availability.\484\ The Commission is adopting the 
language of this item as proposed as Rule 1001(a)(2)(iii).
---------------------------------------------------------------------------

    \484\ See Proposing Release, supra note 13, at 18107.
---------------------------------------------------------------------------

    Two commenters supported this requirement as proposed.\485\ Another 
commenter argued that sufficient controls were in place with respect to 
production systems, as proposed, and therefore that separate policies 
and procedures specifically for the development and testing environment 
would be unnecessary and duplicative.\486\ This commenter added that, 
if development and testing systems were not excluded from the 
definition of SCI systems altogether, then the policies and procedures 
requirements regarding systems development and testing methodology 
should not apply separately to these environments. The Commission 
agrees with this comment, and believes it logically follows that 
policies and procedures requiring a program to review and keep current 
systems development and testing methodology for SCI systems, and 
indirect SCI systems, as applicable, are important if development and 
testing systems are excluded from the definition of SCI systems, as 
they are under the adopted regulation.\487\ An SCI entity's systems 
development and testing methodology is a core part of the systems 
development life cycle for any SCI system. Therefore, the Commission 
believes that if an SCI entity did not have a program to review and 
keep current systems development and testing methodology for SCI 
systems, and indirect SCI systems, as applicable, its ability to assess 
the capacity, integrity, reliability, availability and security of its 
SCI systems and indirect SCI systems, as applicable, would be 
undermined. In complying with this adopted requirement, an SCI entity 
may wish to consider how closely its testing environment simulates its 
production environment; whether it designs, tests, installs, operates, 
and changes SCI systems through use of appropriate development, 
acquisition, and testing controls by the SCI entity and/or its third-
party service providers, as applicable; whether it identifies and 
corrects problems detected in the development and testing stages; 
whether it verifies change implementation in the production stage; 
whether development and test environments are segregated from SCI 
systems in production; and whether SCI entity personnel have adequately 
segregated roles between the development and/or test environment, and 
the production environment.
---------------------------------------------------------------------------

    \485\ See CISQ Letter at 2; and MSRB Letter at 9.
    \486\ See FINRA Letter at 12.
    \487\ See supra Section IV.A.2.b (discussing the definition of 
``SCI systems''). Because development and testing systems are not 
part of the adopted definition of ``SCI systems,'' systems issues 
with regard to development and testing systems would not be subject 
to the requirements of adopted Rule 1002 relating to corrective 
action, Commission notification, and dissemination of information on 
SCI events; or Rule 1003(a) regarding notification of systems 
changes.
---------------------------------------------------------------------------

Reviews of SCI Systems and Indirect SCI Systems
    The SCI Proposal explained that proposed item (D), which would have 
required an SCI entity to establish, maintain, and enforce policies and 
procedures to review and test regularly SCI systems (and SCI security 
systems, as applicable), including backup systems, to identify 
vulnerabilities pertaining to internal and external threats, physical 
hazards, and natural or manmade disasters, would assist an SCI entity 
in ascertaining whether such systems are and remain sufficiently secure 
and resilient.\488\ Proposed item (D) garnered a range of comments. 
Some commenters addressing this item focused on internal SCI entity 
testing,\489\ whereas others focused more broadly on industry-wide 
testing and testing of backup systems.\490\
---------------------------------------------------------------------------

    \488\ See Proposing Release, supra note 13, at 18107.
    \489\ See, e.g., CAST Letter at 4; CISQ Letter at 3-7; FIA PTG 
Letter at 4; Lauer Letter at 6; and MSRB Letter at 10.
    \490\ See, e.g., Angel Letter at 2; CoreOne Letter at 3-5; DTCC 
Letter at 13; FIA PTG Letter at 2; FIX Letter at 1-2; Tradebook 
Letter at 1-4; UBS Letter at 4; and CISQ Letter at 6. See also infra 
Section IV.B.6 (discussing adopted Rule 1004, requiring business 
continuity and disaster recovery testing, including required 
participation of designated members or participants of SCI entities 
in such testing).
---------------------------------------------------------------------------

    With respect to comments on internal testing, one commenter 
suggested that the proposed requirement be expanded beyond testing to 
cover a range of ``quality assurance activities'' with each release of 
software into production.\491\ Two commenters advocated for requiring 
an SCI entity to focus on identifying structural deficiencies, which 
they stated pose much greater risks than functional deficiencies.\492\ 
A few commenters urged that groups independent of the team that 
designed and developed the systems should be involved in testing to 
offer a diverse perspective.\493\ One of these commenters further 
suggested that enforcement of the policies governing development and 
testing activities should be conducted by a ``process audit'' role that 
evaluates compliance with policies, provides guidance to development 
and testing teams on how to comply, and reports on compliance to senior 
management.\494\
---------------------------------------------------------------------------

    \491\ See CISQ Letter at 3-7 (encouraging the Commission to 
require quality assurance activities other than testing, including 
that an SCI entity evaluate and measure the structural quality of 
its SCI systems because ``the attributes of an SCI system most 
critically affecting its capacity, integrity, resiliency, 
availability, and security are predominantly structural 
(engineering) rather than functional (correctness)'').
    \492\ See CAST Letter at 4; and CISQ Letter at 3-7.
    \493\ See, e.g., CISQ Letter at 7; and Lauer Letter at 6.
    \494\ See CISQ Letter at 7. This commenter further recommended 
that such process audits be conducted at least annually for each SCI 
system, and more often for SCI systems with operational problems, a 
record of non-compliance, or those being developed, tested, or 
operated by an inexperienced staff, and stated that process auditors 
who perform a mentoring role to software teams have proven a cost-
effective mechanism for on-the-job training.
---------------------------------------------------------------------------

    After careful consideration of the comments, the Commission is 
adopting this provision with modifications as Rule 1001(a)(2)(iv). 
Specifically, adopted Rule 1001(a)(2)(iv) requires an SCI entity's 
reasonably designed policies and procedures to include ``[r]egular 
reviews and testing, as applicable, of [its SCI systems and, for 
purposes of security standards, indirect SCI systems], including backup 
systems, to identify vulnerabilities pertaining to internal and 
external threats, physical hazards, and natural or manmade disasters.''
    As adopted, this provision will afford an SCI entity greater 
flexibility, through the addition of the phrase ``as applicable,'' to 
determine how to identify vulnerabilities pertaining to internal and 
external threats, physical hazards, and natural or manmade disasters. 
Specifically, the adopted rule replaces the proposed rule's requirement 
that an SCI entity conduct ``regular reviews and testing'' of relevant 
systems (including backup systems) with a more flexible requirement 
that an SCI entity conduct ``regular reviews and

[[Page 72294]]

testing, as applicable'' of relevant systems, including backup systems. 
In response to some commenters' concerns that the proposed requirement 
focused too much on regular testing and not enough on other methods to 
assess systems operation,\495\ the adopted rule provides an SCI entity 
the flexibility to determine an assessment methodology that would be 
most appropriate for a given system, or particular functionality of a 
system. Thus, consistent with commenters' views, the adopted provision 
does not specifically require both regular reviews and regular testing 
in connection with an SCI entity's identification of vulnerabilities. 
Instead, the provision requires reviews or testing (or both) to occur 
as applicable, so long as the approach is effective to identify 
vulnerabilities in SCI systems, and indirect SCI systems, as 
applicable.
---------------------------------------------------------------------------

    \495\ See supra notes 491-492 and accompanying text.
---------------------------------------------------------------------------

    While Rule 1001(a)(2)(iv) specifically identifies reviews and 
testing as means to identify vulnerabilities pertaining to internal and 
external threats, physical hazards, and natural or manmade disasters, 
it does not dictate the precise manner or frequency of reviews and 
testing, and does not prohibit an SCI entity from determining that 
there are methods other than reviews and testing that may be effective 
in identifying vulnerabilities. For example, reviews and testing would 
each be one of the methods that an SCI entity could employ, and each 
SCI entity would be able to determine which method(s) are most 
appropriate for each SCI system (or indirect SCI system, as applicable) 
or particular functionality of a given system, as well as the frequency 
with which such method(s) should be employed.\496\ In addition, in 
response to commenters advocating that SCI entities should focus on 
identifying structural vulnerabilities or weaknesses,\497\ an SCI 
entity may also find it useful to conduct reviews of its software and 
systems architecture and design to assess whether they have flaws or 
dependencies that constitute structural risks that could pose a threat 
to SCI systems' operational capability.\498\ Likewise, an inspection by 
an SCI entity of its physical premises may be a method of assessing 
some of the vulnerabilities listed in the rule (such as physical 
hazards).
---------------------------------------------------------------------------

    \496\ Rule 1001(a)(2)(iv) would also permit an SCI entity to 
engage personnel independent of the team that designed and developed 
the systems in testing, or to employ a process audit role, to comply 
with this requirement, as some commenters suggested. See supra notes 
493-494 and accompanying text. Like other methods of review and 
testing, such engagements could identify vulnerabilities in a number 
of ways, such as through assessments of the SCI entity's compliance 
with applicable standards, its risk management and control 
framework, or its use of resources.
    In response to the comment suggesting that process audits be 
conducted at least annually for each SCI system, and more often for 
SCI systems with operational problems, a record of non-compliance, 
or those being developed, tested, or operated by an inexperienced 
staff, the Commission notes that Rule 1001(a)(2)(iv) does not 
specify the precise manner or frequency of reviews and tests. 
Rather, Rule 1001(a)(2)(iv) provides flexibility to an SCI entity in 
determining the precise manner and frequency of reviews and/or 
tests. For example, an SCI entity could determine that, in order for 
its policies and procedures to be reasonably designed, as required 
by Rule 1001(a), its policies and procedures should provide that 
process audits be conducted at least annually for some SCI systems, 
and more frequently for certain other SCI systems.
    \497\ See supra note 492 and accompanying text.
    \498\ As noted by one commenter, static analysis could be a 
technique SCI entities could choose to utilize to help uncover 
structural weaknesses in software. See supra note 480 and 
accompanying text.
---------------------------------------------------------------------------

Business Continuity and Disaster Recovery
    Proposed item (E) would have required an SCI entity to have 
business continuity and disaster recovery plans that include 
maintaining backup and recovery capabilities sufficiently resilient and 
geographically diverse to ensure next business day resumption of 
trading and two-hour resumption of clearance and settlement services 
following a wide-scale disruption. The Commission received significant 
comment on this aspect of the proposal, with several commenters 
questioning or challenging the principle that securities market 
infrastructure resilience is achieved by requiring both geographic 
diversity and specific recovery times for the backup and recovery 
capabilities of all SCI entities.\499\ Although several commenters were 
supportive of the broad goals of the proposed requirement,\500\ others 
maintained that, because the national market system has built-in 
redundancies, the proposed geographic diversity and resumption 
requirements need not apply to all SCI entities to ensure securities 
market resilience.\501\ Some of these commenters urged that the 
specific redundancy requirement implicit in the proposed geographic 
diversity provision should apply to a more limited set of SCI 
entities.\502\ In addition, some commenters stated that proposed time 
frames were too inflexible.\503\
---------------------------------------------------------------------------

    \499\ See, e.g., BIDS Letter at 8; FIA PTG Letter at 4; FIF 
Letter at 3; Group One Letter at 2-3; KCG Letter at 6-8, 11-14; 
FINRA Letter at 35-36; Angel Letter at 12; and ITG Letter at 15.
    \500\ See Direct Edge Letter at 4; FINRA Letter at 35; ISE 
Letter at 2; and MSRB Letter at 10.
    \501\ See, e.g., BIDS Letter at 8; FIA PTG Letter at 4; FIF 
Letter at 3; Group One Letter at 2-3; and KCG Letter at 6-8, 11-14. 
According to these commenters, because of the ease with which market 
participants are able to shift their order flow when there is an 
issue at one or more markets, the proposed requirements are 
burdensome and unnecessary. See also Angel Letter at 12 (stating 
that, if an exchange experiences an issue, other exchanges have more 
than enough capacity to handle the trading volume, and suggesting 
that it is not necessary for each exchange to have totally redundant 
backup facilities if the market network as a whole has sufficient 
capacity).
    \502\ See, e.g., FIA PTG Letter at 4. See also supra note 53 and 
accompanying text.
    \503\ See, e.g., SIFMA Letter at 13; and Joint SROs Letter at 
17.
---------------------------------------------------------------------------

    The Commission has carefully considered commenters' views and is 
revising this provision from the proposal to: (i) Specify that the 
stated recovery timeframes in Regulation SCI are goals, rather than 
inflexible requirements; \504\ and (ii) provide that the stated two-
hour recovery goal applies to critical SCI systems generally. In 
addition, the Commission is adopting the geographic diversity 
requirement, which does not specify any minimum distance for an SCI 
entity's backup and recovery facilities, as proposed. As explained 
below, the Commission continues to believe that geographic diversity of 
physical facilities is an important component of every SCI entity's BC/
DR plan.
---------------------------------------------------------------------------

    \504\ See Interagency Paper on Sound Practices to Strengthen the 
Resilience of the U.S. Financial Systems, Securities Exchange Act 
Release No. 47638 (April 7, 2003), 68 FR 17809, 17812 (April 11, 
2003) (``Interagency White Paper''), stating: ``Recovery-time 
objectives provide concrete goals to plan for and test against. They 
should not be regarded as hard and fast deadlines that must be met 
in every emergency situation;'' and 2003 Policy Statement on 
Business Continuity Planning for Trading Markets, Securities 
Exchange Act Release No. 48545 (September 25, 2003), 68 FR 56656, 
56658 (October 1, 2003) (``2003 BCP Policy Statement''), stating: 
``Consistent with the approach taken in the Interagency Paper, the 
next-day resumption objective should provide a concrete goal to plan 
for and test against. This should not be regarded as a hard and fast 
deadline that must be met in every emergency situation.''
---------------------------------------------------------------------------

Recovery Timeframes as Goals
    Several commenters addressing proposed item (E) focused their 
comments specifically on the proposed recovery timeframes.\505\ A few 
commenters that are clearing agencies specifically expressed concern 
about the proposed requirement for the two-hour resumption of clearance 
and settlement services, urging that the two-hour standard be a goal 
rather than a requirement.\506\ One commenter noted

[[Page 72295]]

that the ``Interagency White Paper itself recognizes that `various 
external factors surrounding a disruption such as time of day, scope of 
disruption, and status of critical infrastructure--particularly 
telecommunications can affect actual recovery times,' and concludes 
that `[r]ecovery-time objectives provide concrete goals to plan for and 
test against . . . they should not be regarded as hard and fast 
deadlines that must be met in every emergency situation.' '' \507\ 
Several commenters suggested that SCI entities generally be given more 
discretion to decide when to resume trading following a wide-scale 
disruption.\508\ Other commenters stated more broadly that the proposed 
recovery timeframes were too rigid and inconsistent with the 
Interagency White Paper and the 2003 BCP Policy Statement.\509\ Other 
commenters similarly noted that it might be in the public interest and 
consistent with the protection of investors and the maintenance of fair 
and orderly markets for the markets to remain closed following a wide-
scale disruption.\510\
---------------------------------------------------------------------------

    \505\ See, e.g., SIFMA Letter at 3, 13, 18; KCG Letter at 11-12; 
DTCC Letter at 15; OCC Letter at 9-10; Omgeo Letter at 27-28; Angel 
Letter at 16-17; Direct Edge Letter at 4-5; ISE Letter at 2-5; Joint 
SROs Letter at 16-17; FINRA Letter at 36; MSRB Letter at 10; 
Tellefsen Letter at 6; and Group One Letter at 2.
    \506\ See DTCC Letter at 15 (``[P]roposed Rule 1000(b)(l)(i)(E) 
has made what is currently a target within the 2003 Interagency 
White Paper that clearing and settling services be resumed within 2 
hours of a disruption into a requirement that may not be attainable 
in all circumstances. . . .''); OCC Letter at 9-10 (``While a two-
hour recovery time objective is a laudable goal . . . current 
guidelines remain appropriate to recover and resume clearing and 
settlement activities within the business day on which the 
disruption occurs, with the overall aspiration of achieving recovery 
and resumption within two hours''); and Omgeo Letter at 27-28 
(``While Omgeo agrees that SCI entities should be required to 
rapidly recover from a wide-scale disruption and resume operations 
to avoid disrupting the critical markets beyond a single business 
day, it is unreasonable to require these operations to be resumed 
within two hours.'').
    \507\ See Omgeo Letter at 27-28.
    \508\ See Angel Letter at 16-17; Direct Edge Letter at 4-5; ISE 
Letter at 2; Joint SROs Letter at 16-17; and Group One Letter at 2.
    \509\ See SIFMA Letter at 13 (noting that the Interagency White 
Paper recommends that ``core clearing and settlement organizations 
develop the capacity to recover and resume clearing and settlement 
activities within the business day on which the disruption occurs 
with the overall goal of achieving recovery and resumption within 
two hours after an event.''). See also Joint SROs Letter at 17 (noting 
that the 2003 BCP Policy Statement, supra note 504, provides that 
rapid recovery should not be regarded as a hard and fast deadline 
that must be met in every emergency situation).
    \510\ See, e.g., Angel Letter at 16-17; Direct Edge Letter at 4-
5, 9; ISE Letter at 2-5; and Joint SROs Letter at 16-17.
---------------------------------------------------------------------------

    In response to comments that the proposed two-hour recovery time 
frame was too inflexible,\511\ the Commission is eliminating the 
proposed requirement that an SCI entity must ``ensure'' next business 
day resumption of trading and two-hour resumption of clearance and 
settlement services following a wide-scale disruption. The Commission 
acknowledges that a hard and fast resumption timeframe may not be 
achievable in each and every case, given the variety of disruptions 
that potentially could arise and pose challenges even for well-designed 
business continuity and disaster recovery. For this reason, the 
Commission is revising the proposed requirement by replacing it with a 
requirement that an SCI entity have policies and procedures that 
include ``business continuity and disaster recovery plans that include 
maintaining backup and recovery capabilities sufficiently resilient and 
geographically diverse and that are reasonably designed to achieve next 
business day resumption of trading and two-hour resumption of critical 
SCI systems following a wide-scale disruption.'' Replacement of the 
phrase ``to ensure'' with the phrase ``reasonably designed to achieve'' 
means that Regulation SCI's enumerated recovery timeframes are concrete 
goals, consistent with the Interagency White Paper and 2003 BCP Policy 
Statement.\512\ As such, the rule's specified recovery timeframes are 
the standards against which the reasonableness of business continuity 
and disaster recovery (``BC/DR'') plans will be assessed by the 
Commission and its inspection staff. Moreover, as recovery goals, 
rather than hard and fast deadlines, the enumerated time frames in the 
rule will continue to allow for SCI entities to account for the 
specific facts and circumstances that arise in a given scenario to 
determine whether it is appropriate to resume a system's operation 
following a wide-scale disruption.
---------------------------------------------------------------------------

    \511\ See supra notes 506-510 and accompanying text.
    \512\ See Interagency White Paper, supra note 504, at 17812-13, 
and the 2003 BCP Policy Statement, supra note 504, at 56658.
---------------------------------------------------------------------------

Recovery Timeframe Distinctions
    In the SCI Proposal, the Commission solicited comment on whether 
the proposed next business day resumption of trading following a wide-
scale disruption and proposed two-hour resumption of clearance and 
settlement services following a wide-scale disruption were 
appropriate.\513\ The Commission also solicited comment on whether it 
should consider revising the proposed next business day resumption 
requirement for trading to a shorter period for certain entities that 
play a significant role within the securities markets.\514\ One 
commenter stated that it agreed with imposing more stringent 
requirements for resumption of clearance and settlement services than 
for trading services following a wide-scale disruption.\515\ However, 
this commenter also urged more broadly that the Commission take into 
account the criticality of the functions performed by an SCI entity to 
the maintenance of fair and orderly markets in order to tailor the 
obligations of the rule more effectively.\516\ According to this 
commenter, ``[n]otification and remediation requirements . . . should 
be tailored to the time sensitivity of each of the functions performed, 
not applied uniformly across all activities of an SCI entity.'' This 
commenter identified ``highly critical functions'' as including the 
primary listing exchanges, trading of securities on an exclusive basis, 
securities information processors, clearance and settlement agencies, 
distribution of unique post-trade transparency information, and real-
time market surveillance, and urged the Commission to ``leverage the 
best practices of the Interagency White Paper, and expand them to 
include the [highly] critical functions. . . .'' \517\ Other commenters 
also urged the Commission to consider the criticality of SCI systems 
functionality and tailor requirements accordingly.\518\ One

[[Page 72296]]

commenter noted that the August 2013 Nasdaq SIP outage revealed each of 
SIAC and Nasdaq (in their roles as plan processors) as a potential 
``single point of failure'' in the national market system, and 
specifically urged improved backup capabilities for these systems.\519\ 
Another commenter, in the context of questioning the need for all 
markets to have geographically diverse backups, acknowledged that 
specific redundancy might be appropriate in certain areas, such as 
where an instrument is traded only on one exchange or in the case of a 
primary market during the open and closing periods of the market.\520\
---------------------------------------------------------------------------

    \513\ See Proposing Release, supra note 13, at 18112, question 
73.
    \514\ See id. at 18112, question 76.
    \515\ See SIFMA Letter at 12-13. Specifically, this commenter 
noted that the Interagency White Paper, supra note 504, 
distinguishes between ``core clearing and settlement organizations'' 
and firms that play ``significant roles in the financial markets'' 
and recommended that the Commission continue to distinguish between 
SCI entities that are responsible for the highly critical function 
of centralized counterparties (e.g., clearing agencies registered 
with the Commission) and SCI entities that are not.
    \516\ See SIFMA Letter at 4.
    \517\ See id. at 4, 18. SIFMA also listed the distribution of 
unique post-trade transparency information and real-time market 
surveillance as highly critical functions. While such systems are 
not specifically identified in the first prong of the definition of 
critical SCI systems (as are SCI systems that directly support 
functionality relating to: (1) Clearance and settlement systems of 
clearing agencies; (2) openings, reopenings, and closings on the 
primary listing market; (3) trading halts; (4) initial public 
offerings; (5) the provision of consolidated market data; or (6) 
exclusively-listed securities), the Commission notes that systems 
that provide functionality to the securities markets for which the 
availability of alternatives is significantly limited or nonexistent 
and without which there would be a material impact on fair and 
orderly markets are considered critical SCI systems under its second 
prong. See supra Section IV.A.2.c (discussing the definition of 
``critical SCI systems'').
    \518\ See, e.g., KCG Letter at 8, 13-14 (suggesting that 
proposed item (E) apply only to SCI entities that perform critical, 
unique functions in the market), and at 5 (stating ``when critical 
services are provided, additional heightened regulatory 
requirements, as proposed in Regulation SCI, may be appropriate''). 
See also UBS Letter at 3 (urging the Commission to take into 
consideration the difference between ``interruptions of activities 
that hold significant implications for the National Market System'' 
and ``low criticality activities [that] are much more manageable and 
localized in impact . . . because market participants are not 
directly touched or are equipped to quickly route around the 
problem''). According to this commenter, activities that hold such 
significant implications would include: ``disruption at primary 
exchange during [the] open/close, [a] problem with protected quote 
data, [an] outage at listing exchange during [an] IPO, [and] SIP 
data disruptions.''
    \519\ See Angel Letter 2 at 3-4.
    \520\ See FIA PTG Letter at 4.
---------------------------------------------------------------------------

    The Commission has carefully considered these comments and believes 
they support revising the proposed rule to provide that the two-hour 
recovery goal specified in the adopted rule, as the standard against 
which BC/DR plans are to be assessed, should apply not only to 
``clearance and settlement services,'' but more generally to the 
functions performed by critical SCI systems. Given that the securities 
markets are dependent upon the reliable operation of critical SCI 
systems, the Commission believes it is reasonable to distinguish the 
two-hour and next-business day recovery goals in a manner consistent 
with other provisions of adopted Regulation SCI: Specifically, to have 
the shorter recovery goal apply to critical SCI systems, and the longer 
recovery goal apply to resumption of trading by non-critical SCI 
systems. The Commission also notes that, because the proposed recovery 
timeframes are being adopted as concrete goals that the policies and 
procedures must be reasonably designed to achieve, rather than hard and 
fast requirements, the adopted approach is somewhat more flexible than 
that proposed. Accordingly, adopted Rule 1001(a)(2)(v) holds BC/DR 
plans for critical SCI systems (as defined in Rule 1000) to a higher 
standard than BC/DR plans for resumption of trading operations more 
generally. Specifically, an SCI entity responsible for a given critical 
SCI system will be expected to design BC/DR plans that contemplate 
resumption of critical SCI system functionality to meet a recovery goal 
of two hours or less. The Commission believes that this approach is 
consistent with the broader risk-based approach urged by 
commenters.\521\ The Commission also believes that its approach to 
holding critical SCI systems to stricter resiliency standards than 
other systems is an appropriate measure that responds not only to 
comments received, but also to recent events highlighting the effects 
of malfunctions in critical SCI systems.\522\
---------------------------------------------------------------------------

    \521\ See supra notes 53-57 and accompanying text (summarizing 
commenters' recommendations with regard to adopting a risk-based 
approach generally).
    \522\ See supra Section II.B (discussing recent systems issues, 
including a systems problem that resulted in certain exclusively-
listed securities being unable to trade for over three hours, and a 
systems problem affecting the SIP that halted trading in all Nasdaq-
listed securities for more than three hours).
---------------------------------------------------------------------------

    Two commenters requested clarification on the expectations for 
resumption of SCI systems that are not related to trading, clearance, 
or settlement.\523\ In response to this comment, the Commission notes 
that the adopted definition of SCI systems has been refined from the 
proposed definition of SCI systems and that all SCI systems could be 
considered to be ``related to'' trading. However, systems that directly 
support market regulation and/or market surveillance will not be held 
to the resumption goals of Rule 1001(a)(2)(v) (unless they are critical 
SCI systems) because the Commission believes that the resumption of 
trading and critical SCI systems could occur following a wide-scale 
disruption without the immediate availability of market regulation and/
or market surveillance systems (unless they are critical SCI systems). 
However, systems that directly support trading, order routing, and 
market data would be subject to the next-business day resumption goal, 
unless they are also critical SCI systems, in which case they would be 
subject to the two-hour resumption goal.
---------------------------------------------------------------------------

    \523\ See FINRA Letter at 36; and MSRB Letter at 10.
---------------------------------------------------------------------------

    One commenter questioned what the expectations are with respect to 
next-day resumption if an SCI entity loses functionality towards the 
end of the trading day.\524\ In response to this comment, the 
Commission notes that neither the next-business day resumption of 
trading goal nor the two-hour recovery goal for critical SCI systems is 
dependent on the time of day that the loss of functionality occurs. 
Consistent with the Interagency White Paper and 2003 BCP Policy 
Statement, however, the Commission acknowledges that the time of day of 
a disruption can affect actual recovery times.\525\ The Commission 
believes it is important, particularly with respect to clearing 
agencies, that SCI entities endeavor to take all steps necessary to 
effectuate end of day settlement.
---------------------------------------------------------------------------

    \524\ See Tellefsen Letter at 6.
    \525\ See Interagency White Paper, supra note 504, at 17812, and 
the 2003 BCP Policy Statement, supra note 504, at 56658.
---------------------------------------------------------------------------

Geographic Diversity To Ensure Resilience
    Several commenters addressing proposed item (E) expressed concern 
about the proposed geographic diversity requirement.\526\ Some 
commenters cited a reluctance on the part of SCI entity members or 
participants to incur the cost or assume the risk of connecting to a 
backup site that would only be used infrequently.\527\ In addition, 
some commenters cited concerns, such as challenges to market makers 
generating quotes, if a backup site did not have the same low latency 
as the primary site.\528\ One of these commenters suggested that 
allowing other fully operational exchanges to fill in and perform the 
duties of an exchange experiencing an outage would offer the advantages 
of continued operation on tested systems and the introduction of fewer 
variables.\529\ Another of these commenters argued that, in many 
respects, the goal of resilient and redundant markets is already in 
place due to the existence of multiple competing and interconnected 
venues, operating as a collective system under Regulation NMS.\530\
---------------------------------------------------------------------------

    \526\ See, e.g., KCG Letter at 13; FIA PTG Letter at 3-4; Group 
One Letter at 2-3; ISE Letter at 2-5; BIDS Letter at 8; and ITG 
Letter at 15.
    \527\ See KCG Letter at 13; FIA PTG Letter at 3-4; and Group One 
Letter at 2-3.
    \528\ See KCG Letter at 13; and FIA PTG Letter at 3-4.
    \529\ See Group One Letter at 2-3.
    \530\ See FIA PTG Letter at 4. See also Angel 2 Letter at 3.
---------------------------------------------------------------------------

    One commenter agreed that it is a best business practice for a 
market to have backup disaster recovery facilities and robust BC/DR 
plans, but stated that ``significant geographic diversity'' should not 
be an absolute requirement, because a wide-scale disruption in New 
York or Chicago would make next day resumption difficult, even with a 
geographically diverse backup.\531\ This commenter noted that the more 
remote the backup, the more difficult it would be to staff such a 
facility, and even more so in a surprise disaster, unless the backup 
was fully staffed at all times.\532\ Several commenters also argued 
that SCI entities that are ATSs are less critical to market stability, 
and therefore

[[Page 72297]]

should be subject to less stringent geographic diversity and recovery 
requirements.\533\ One commenter suggested eliminating the reference to 
``geographic diversity'' in favor of requiring ``comprehensive business 
continuity and disaster recovery plans with recovery time objectives of 
the next business day for trading and two hours for clearance and 
settlement,'' and emphasizing as guidance that geographic diversity of 
physical facilities would be an expected component of any such 
plan.\534\
---------------------------------------------------------------------------

    \531\ See ISE Letter at 2-5.
    \532\ See id.
    \533\ See BIDS Letter at 8; FIA PTG Letter at 4; ITG Letter at 
15; and KCG Letter at 8, 13. These commenters believed that the 
proposed geographic diversity requirements are burdensome and 
unnecessary because of the ease with which market participants are 
able to shift their order flow when there is an issue at one or more 
markets. In addition, two commenters argued that, because ATSs are 
subject to FINRA regulations with respect to BC/DR plans, further 
regulation would be redundant and unnecessary. See ITG Letter at 15; 
and OTC Markets Letter at 9.
    \534\ See Direct Edge Letter at 4.
---------------------------------------------------------------------------

    The Commission has carefully considered commenters' views on the 
proposed geographic diversity requirement and continues to believe that 
geographic diversity of physical facilities is an important component 
of every SCI entity's BC/DR plan.\535\ The Commission believes that 
challenges to recovery are increased when a disruption impacts a broad 
geographic area, and therefore that an SCI entity's arrangements to 
assure resilience in the event of a wide-scale disruption cannot 
reliably be achieved without geographic diversity of its BC/DR 
resources.\536\ The Commission does not agree with commenters who 
argued that the existence of multiple competing and interconnected 
venues operating as a collective system under Regulation NMS obviates 
the need for geographic diversity at the individual SCI entity 
level.\537\ For example, a wide-scale disruption, such as a natural 
disaster or man-made attack, could affect a large number of SCI 
entities, and absent individual SCI entity responsibility for 
maintaining geographic diversity, there could be a greater likelihood 
that a critical mass of SCI entities would not be operational, so that 
the continued maintenance of fair and orderly markets could be 
impacted. The Commission notes that some of the practical difficulties 
commenters cited as the basis for objecting to a backup site 
requirement, such as the cost and operational risk of maintaining a 
redundant connection to an SCI entity backup facility that would be 
used infrequently, are concerns raised on behalf of SCI entity members 
and participants.\538\ In response to commenters who expressed concern 
regarding the cost for members or participants to co-locate their 
systems at backup sites to replicate the speed and efficiency of the 
primary site, the Commission emphasizes that adopted Rule 1001(a)(2)(v) 
does not require an SCI entity to require members or participants to 
use the backup facility in the same way it uses the primary facility. 
Rather, the assessment of the effectiveness of a BC/DR plan that 
includes geographically diverse backup facilities is whether it is 
reasonably designed to achieve next business day resumption of trading 
and two-hour resumption of critical SCI systems following a wide-scale 
disruption.
---------------------------------------------------------------------------

    \535\ The Commission's view is consistent with the 2003 BCP 
Policy Statement. See 2003 BCP Policy Statement, supra note 504, at 
56658. See also infra Section VI.C.2.b (discussing the benefits of 
geographic diversity).
    \536\ See, e.g., 2003 BCP Policy Statement, supra note 504, at 
56657 (stating that a critical ``lesson learned'' from the events of 
September 11, 2001 is the need for more rigorous business continuity 
planning in the financial sector to address problems of wider 
geographic scope and longer duration than those previously 
addressed).
    \537\ See supra notes 530 and 533 and accompanying text.
    \538\ See infra Section IV.B.6 (discussing SCI entity BC/DR 
testing requirements for members or participants).
---------------------------------------------------------------------------

    In response to comments that geographic diversity should be 
encouraged but not required for all SCI entities, the Commission does 
not believe that it would be appropriate to eliminate the proposed 
requirement that SCI entities maintain geographically diverse backup 
and recovery capabilities (which the Commission understands many SCI 
entities already have) because, as stated, absent individual SCI entity 
responsibility for maintaining geographic diversity, there could be a 
greater likelihood that a critical mass of SCI entities would not be 
operational following a wide-scale disruption. In response to comment 
that ATSs are less critical to market stability, and therefore should 
be subject to less stringent geographic diversity and recovery 
requirements, the Commission notes that ATSs that do not have critical 
SCI systems will be subject to less stringent geographic diversity and 
recovery requirements than SCI entities that do.\539\ However, because 
the Commission believes that SCI ATSs have the potential to 
significantly impact investors, the overall market, and the trading of 
individual securities as a result of an SCI event, the Commission 
believes that these entities are appropriate for inclusion in the 
definition of SCI entity and for the application of the geographic 
diversity requirement.\540\
---------------------------------------------------------------------------

    \539\ In addition, in response to commenters who argued that, 
because ATSs are subject to FINRA regulations with respect to BC/DR 
plans further regulation would be redundant and unnecessary (see 
supra note 533), the Commission notes that FINRA Rule 4370 generally 
requires that a member maintain a written continuity plan 
identifying procedures relating to an emergency or significant 
business disruption. Unlike Regulation SCI, however, the FINRA rule 
does not include the requirement that the business continuity and 
disaster recovery plans be reasonably designed to achieve next 
business day resumption of trading and two-hour resumption of 
critical SCI systems following a wide-scale disruption, nor does it 
require the functional and performance testing and coordination of 
industry or sector-testing of such plans, which the Commission 
believes to be instrumental in achieving the goals of Regulation SCI 
with respect to SCI entities. See also supra note 115.
    \540\ See supra notes 107-109 and accompanying text.
---------------------------------------------------------------------------

    Like the proposed rule, the adopted rule does not specify any 
particular minimum distance or geographic location that would be 
necessary to achieve geographic diversity.\541\ However, as stated in 
the SCI Proposal, the Commission continues to believe that backup sites 
should not rely on the same infrastructure components, such as for 
transportation, telecommunications, water supply, and electric 
power.\542\ The Commission also continues to believe that an SCI entity 
should have a reasonable degree of flexibility to determine the precise 
nature and location of its backup site depending on the particular 
vulnerabilities associated with those sites, and the nature, size, 
technology, business model, and other aspects of its business.\543\ 
In response to comment that a geographically diverse backup facility is 
impractical if key personnel do not live sufficiently close to the 
backup facility, the Commission notes that adopted Regulation SCI does 
not require an SCI entity to have a geographically diverse backup 
facility so distant from the primary facility that the SCI entity may 
not rely primarily on the same labor pool to staff both facilities if 
it believed it to be appropriate.\544\ Given that the Commission did 
not propose a specified minimum distance to achieve geographic 
diversity, the Commission believes that the geographic diversity 
requirement is reasonable and appropriate for all SCI entities. The

[[Page 72298]]

geographic diversity requirement is therefore adopted as proposed.
---------------------------------------------------------------------------

    \541\ See Proposing Release, supra note 13, at 18108, n. 182 and 
accompanying text.
    \542\ See id.
    \543\ See id.
    \544\ An SCI entity with critical SCI systems subject to a two-
hour recovery goal may, however, find it prudent to establish back-
up facilities a significant distance away from their primary sites, 
or otherwise address the risk that a wide-scale disruption could 
impact either or both of the sites and their labor pool. See 
Interagency White Paper, supra note 504, at 17813.
---------------------------------------------------------------------------

    In sum, the Commission believes that adopted Rule 1001(a)(2)(v), 
requiring an SCI entity to have business continuity and disaster 
recovery plans that include maintaining backup and recovery 
capabilities sufficiently resilient and geographically diverse and that 
are reasonably designed to achieve next business day resumption of 
trading and two-hour resumption of critical SCI systems following a 
wide-scale disruption, is consistent with, and builds upon, both the 
Interagency White Paper and the 2003 BCP Policy Statement by applying 
their principles to SCI entities in today's trading environment, one 
with a heavy reliance on technological infrastructure. The Commission 
believes that individual SCI entity resilience is fundamental to 
achieving the goal of improving U.S. securities market infrastructure 
resilience.
Robust Standards for Market Data
    Proposed item (F), requiring an SCI entity to have standards that 
result in systems being designed, developed, tested, maintained, 
operated, and surveilled in a manner that facilitates the successful 
collection, processing, and dissemination of market data, received 
little comment. One commenter supported the proposed requirement, 
subject to further clarification about what constitutes market 
data.\545\ Another commenter believed that this proposed requirement is 
redundant because SROs and other market participants are already 
subject to substantial requirements for market data.\546\
---------------------------------------------------------------------------

    \545\ See MSRB Letter at 8.
    \546\ See Angel Letter at 19.
---------------------------------------------------------------------------

    While consolidated market data is collected and distributed 
pursuant to a variety of Exchange Act rules and joint industry 
plans,\547\ the Commission does not believe that existing requirements 
have the same focus on ensuring the operational capability of the 
systems for collecting, processing, and disseminating market data. 
Thus, the Commission believes that this provision, while consistent 
with existing rules, acts as a complement to such requirements and is 
not redundant. Further, as explained above, the term ``market data'' is 
not intended to include only consolidated market data, but proprietary 
market data as well and, as such, SCI systems directly supporting 
proprietary market data or consolidated market data are subject to the 
requirements of item (F). As stated in the SCI Proposal, the Commission 
believes that the accurate, timely, and efficient processing of data is 
important to the proper functioning of the securities markets. The 
Commission continues to believe that it is important that each SCI 
entity's market data systems are reasonably designed to maintain market 
integrity and that the proposed requirement would facilitate that 
goal.\548\ This element, requiring that an SCI entity's policies and 
procedures include standards that result in systems being designed, 
developed, tested, maintained, operated, and surveilled in a manner 
that facilitates the successful collection, processing, and 
dissemination of market data, is adopted as proposed, as Rule 
1001(a)(2)(vi).
---------------------------------------------------------------------------

    \547\ See, e.g., Rules 601-604 of Regulation NMS and Rule 
301(b)(3) of Regulation ATS. See also supra Section IV.A.1.c 
(discussing definition of plan processor) and Concept Release on 
Equity Market Structure, supra note 4, at 3600 (discussing various 
rules and requirements relating to consolidated market data).
    \548\ See Proposing Release, supra note 13, at 18108.
---------------------------------------------------------------------------

Monitoring
    The Commission is adopting an additional provision, designated as 
Rule 1001(a)(2)(vii), that requires an SCI entity's policies and 
procedures to provide for monitoring of SCI systems, and, for purposes 
of security standards, indirect SCI systems, to identify potential SCI 
events. Several commenters argued that Regulation SCI should allow 
entities to adopt and follow escalation procedures instead of providing 
that obligations under Regulation SCI are triggered by one employee's 
awareness of a systems issue.\549\ The Commission is modifying 
Regulation SCI in three respects in response to these comments: 
revising the definition of responsible SCI personnel to focus on senior 
managers; requiring that an SCI entity have policies and procedures to 
identify, designate, and escalate potential SCI events to responsible 
SCI personnel; and explicitly requiring policies and procedures for 
monitoring.\550\ The requirement that an SCI entity have policies and 
procedures to provide for monitoring of SCI systems and, for purposes 
of security standards, indirect SCI systems, is added to make explicit 
that escalation of a systems problem should occur not only if a systems 
problem is identified by chance, but rather that an SCI entity should 
have a monitoring process in place so that systems problems are able to 
be identified as a matter of standard operations and pursuant to 
parameters reasonably established by the SCI entity. In addition, the 
Commission believes that the reliability of escalation of potential SCI 
events to designated responsible SCI personnel for determination as to 
whether they are, in fact, SCI events is likely to be more effective 
when it occurs in connection with established procedures for monitoring 
of SCI systems and indirect SCI systems and pursuant to a process for 
the communication of systems problems by those who are not responsible 
SCI personnel to those who are. The Commission notes that several 
commenters discussed the role that technology staff play in monitoring 
and identifying potential systems problems and escalating issues up the 
chain of command to management as well as legal and/or compliance 
personnel. Although systems monitoring may already be routine in many 
SCI entities, there are expected benefits of monitoring and thus it is 
appropriate to require an SCI entity's policies and procedures to 
provide for monitoring of SCI systems, and, for purposes of security 
standards, indirect SCI systems, to identify potential SCI events. The 
Commission believes that monitoring in tandem with escalation to 
responsible SCI personnel is an appropriate approach to ensuring SCI 
compliance. As noted, the requirement that an SCI entity have policies 
and procedures for monitoring provides an SCI entity with flexibility 
to establish parameters that define the types of systems problems to 
which technology personnel should be alert, as well as the frequency 
and duration of monitoring. The Commission also believes this 
requirement is consistent with a risk-based approach, and that an SCI 
entity's policies and procedures for monitoring may be tailored to the 
relative criticality of SCI systems, with critical SCI systems likely 
to be subject to relatively more rigorous policies and procedures for 
monitoring than other SCI systems.
---------------------------------------------------------------------------

    \549\ See, e.g., OCC Letter at 12; FINRA Letter at 25-26; Omgeo 
Letter at 13; FIF Letter at 5; and NYSE Letter at 19-20. See also 
infra notes 758-761 and accompanying text (discussing comments on 
the proposed ``becomes aware'' standard).
    \550\ See infra Section IV.B.3.a (discussing the Commission's 
determination to further focus the definition of ``responsible SCI 
personnel'').
---------------------------------------------------------------------------

iii. Policies and Procedures Consistent With ``Current SCI Industry 
Standards''--Rule 1001(a)(4)
    Proposed Rule 1000(b)(1)(ii) stated that an SCI entity's policies 
and procedures would be deemed to be reasonably designed if they are 
consistent with ``current SCI industry standards,'' such as those 
listed on proposed Table A. ``Current SCI industry standards'' were not 
limited to those listed on proposed Table A, but

[[Page 72299]]

were proposed to be required to be: (A) Comprised of information 
technology practices that are widely available for free to information 
technology professionals in the financial sector; and (B) issued by an 
authoritative body that is a U.S. governmental entity or agency, 
association of U.S. governmental entities or agencies, or widely 
recognized organization. The rule further stated that ``compliance with 
such current SCI industry standards . . . shall not be the exclusive 
means to comply with the requirements of paragraph (b)(1).''
    The goal of proposed Rule 1000(b)(1)(ii) was to provide guidance to 
SCI entities on policies and procedures that would meet the articulated 
standard of being ``reasonably designed to ensure that their systems 
have levels of capacity, integrity, resiliency, availability, and 
security, adequate to maintain their operational capability and promote 
the maintenance of fair and orderly markets.'' The proposal sought to 
provide this guidance by identifying example information technology 
publications describing processes, guidelines, frameworks, and/or 
standards that SCI entities could elect to look to in developing their 
policies and procedures. Proposed Table A set forth an example of one 
set of technology publications that the Commission preliminarily 
believed was an appropriate set of reference documents. The SCI 
Proposal acknowledged that ``current SCI industry standards'' would not 
be limited to the publications identified on proposed Table A. As such, 
an SCI entity's choice of a current SCI industry standard in a given 
domain or subcategory thereof could appropriately be different from 
those contained in the publications identified in proposed Table 
A.\551\ Many commenters, however, objected to the proposed objective 
criteria for reference publications, and/or one or more of the specific 
publications listed on proposed Table A. The Commission has carefully 
considered commenters' views and is adopting Rule 1000(b)(1)(ii), 
renumbered as Rule 1001(a)(4), with certain modifications as described 
below.
---------------------------------------------------------------------------

    \551\ See Proposing Release, supra note 13, at 18109.
---------------------------------------------------------------------------

Criteria for Identifying SCI Industry Standards: Comments Received and 
Commission Response
    Some commenters disagreed with the Commission's proposal to require 
SCI industry standards to be ``comprised of information technology 
practices that are widely available for free to information technology 
professionals in the financial sector.'' Several commenters argued that 
there were significant disadvantages to requiring that standards be 
available free of charge.\552\ One of these commenters stated that 
requiring standards to be available for free ``may encourage SCI 
entities to use standards that may be outdated when more suitable 
standards may be available and would be more appropriate.'' \553\ 
Another of these commenters stated that ``the cost or lack thereof of a 
technology standard or standard framework has no bearing on the quality 
or appropriateness of such standard or framework and bears no 
significance to the maintenance of fair and orderly markets.'' \554\
---------------------------------------------------------------------------

    \552\ See ANSI Letter at 1; DTCC Letter at 15; OCC Letter at 9; 
Omgeo Letter at 33-34; and X9 Letter at 1.
    \553\ See OCC Letter at 9.
    \554\ See Omgeo Letter at 33 (noting also that the proposed 
criteria would eliminate appropriate standards such as ITIL and ISO 
27000).
---------------------------------------------------------------------------

    Two standard setting organizations commented regarding the use of 
consensus standards, citing OMB Circular No. A-119, which directs 
agencies to use voluntary consensus standards (i.e., standards 
developed by professional standards organizations), and urged the 
Commission to eliminate the requirement that SCI industry standards be 
``available for free.'' \555\ Another commenter similarly urged that it 
was important for SCI entities to use publications generated by 
professional organizations that regularly update their standards and 
employ open processes for gathering industry input.\556\
---------------------------------------------------------------------------

    \555\ See ANSI Letter at 1; and X9 Letter at 1.
    \556\ See CISQ2 Letter at 6. See also Angel Letter at 8 
(suggesting that the proposed criteria could potentially result in 
the creation of race-to-the-bottom standards organizations that 
establish lax standards).
---------------------------------------------------------------------------

    The Commission agrees that the cost or lack thereof of a technology 
standard or standard framework has no bearing on the quality or 
appropriateness of such standard, and also that SCI entities should be 
encouraged to use appropriate standards developed by professional 
organizations that regularly update their standards and employ open 
processes for gathering industry input. While the Commission did not 
propose to require that particular standards be used, in response to 
comment, the Commission is adopting Rule 1001(a)(4) without the 
criterion in the SCI Proposal that a technology standard be available 
free of charge. The other criteria are adopted as proposed. Thus, to 
qualify as an ``SCI industry standard,'' a publication must be 
comprised of information technology practices that are widely available 
to information technology professionals in the financial sector and 
issued by an authoritative body that is a U.S. governmental entity or 
agency, association of U.S. governmental entities or agencies, or 
widely recognized organization. The Commission believes that this 
criterion is sufficiently flexible to include technology practices 
issued by professional organizations, including the professional 
organizations referenced by commenters.\557\
---------------------------------------------------------------------------

    \557\ See infra notes 583-601 and accompanying text. The 
Commission expresses no view, however, on any particular publication 
that is not specifically identified in infra notes 584-601, or 
standards that remain in development (e.g., a standard being drafted 
by AT 9000) (see infra note 601 and accompanying text).
---------------------------------------------------------------------------

Proposed Table A: Comments Received
    The SCI Proposal stated that written policies and procedures that 
are consistent with the relevant examples of SCI industry standards 
contained in the publications identified in Table A would be deemed to 
be ``reasonably designed'' for purposes of proposed Rule 
1000(b)(1).\558\ Proposed Table A listed publications covering nine 
inspection areas, or ``domains,'' that Commission staff historically 
has evaluated under the ARP Inspection Program.\559\
---------------------------------------------------------------------------

    \558\ See Proposing Release, supra note 13, at 18109.
    \559\ See id.
---------------------------------------------------------------------------

    Proposed Table A elicited significant and varied comment. Some 
commenters objected generally to the Table A framework.\560\ Others 
objected more specifically to Table A's proposed content,\561\ and some 
commenters objected to Table A as a premature attempt to establish 
consensus on SCI industry standards where consensus has not yet 
emerged.\562\
---------------------------------------------------------------------------

    \560\ See, e.g., Angel Letter at 8-9; BATS Letter at 6-7; BIDS 
Letter at 7; Direct Edge Letter at 2; Joint SROs Letter at 4; MSRB 
Letter at 11-12; and NYSE Letter at 20-21.
    \561\ See, e.g., Angel Letter at 8-9; BATS Letter at 6-7; FIF 
Letter at 3-4; ISE Letter at 11-12; CAST Letter at 10; MSRB Letter 
at 11-12; DTCC Letter at 15; FINRA Letter at 31; Omgeo Letter at 33; 
CISQ Letter at 1-2; OCC Letter at 9; Lauer Letter at 5-7; BIDS 
Letter at 7; and Liquidnet Letter at 3-4.
    \562\ See, e.g., FIF Letter at 3-4; Liquidnet Letter at 3-4; UBS 
Letter at 7; and ISE Letter at 11-12.
---------------------------------------------------------------------------

Table A Framework and Process

    One group of commenters suggested that, in lieu of the publications 
identified in Table A, the Commission should characterize policies and 
procedures as reasonably designed if they comply with ``generally 
accepted standards.'' \563\ Another commenter similarly suggested that 
the Commission replace the proposed rule's reference to ``current SCI 
industry standards'' with

[[Page 72300]]

the phrase ``generally accepted technology principles,'' and delete 
Table A and the proposed Table A criteria.\564\ These commenters viewed 
proposed Table A as flawed in concept.\565\ Specifically, one of these 
commenters expressed concern that the standards set forth in Table A 
might not keep pace with a constantly evolving technological landscape 
and that, despite this evolution, Commission staff might take a 
checklist approach to its review of policies and procedures, which 
would result in unintended consequences.\566\
---------------------------------------------------------------------------

    \563\ See Joint SROs Letter at 4.
    \564\ See NYSE Letter at 20-21.
    \565\ See Joint SROs Letter at 4; and NYSE Letter at 20.
    \566\ See Joint SROs Letter at 4. Other commenters similarly 
expressed concern that SCI entities would closely adhere to the 
publications listed in Table A (even though the SCI Proposal 
specified that such adherence would not be the exclusive means to 
comply with the requirements of proposed Rule 1000(b)(1)), rather 
than take advantage of the flexibility built into the proposed rule 
out of concern that if they did not, they would expose themselves to 
potential regulatory action for failure to comply with Regulation 
SCI. See, e.g., MSRB Letter at 11; Angel Letter at 8; BATS Letter at 
6; and NYSE Letter at 20-21.
---------------------------------------------------------------------------

    The other commenter stated that it was more common, and more 
appropriate in any industry that relies heavily on technology, for an 
entity to review a variety of different standards for frameworks or 
best practices, and then adopt a derivative of multiple standards, 
customizing them for the systems at issue.\567\ According to this 
commenter, SCI entities would be unlikely to comply with all aspects of 
any particular standard in Table A at any particular time, thereby 
``obviating its usefulness.'' \568\
---------------------------------------------------------------------------

    \567\ See NYSE Letter at 20.
    \568\ See id.
---------------------------------------------------------------------------

    Other commenters argued that the Table A concept was flawed because 
Table A would always be on the verge of being outdated. For example, 
one commenter characterized the proposed Table A publications as 
``soon-to-be outdated'' and stated that it is crucial that SCI entity 
policies and procedures be ``forward-looking'' and able to respond to 
future threats.\569\ Another commenter stated that the proposed process 
for updating Table A \570\ would not be sufficiently nimble to assure 
that SCI entities adhere to the best possible then-current standards, 
and suggested that the Commission defer to the expertise of the 
organizations that have established the listed standards and rely on 
the updates provided by these organizations.\571\ Another commenter 
stated that any ``hard coded'' solutions are likely to become obsolete 
very quickly.\572\
---------------------------------------------------------------------------

    \569\ See id. See also ISE Letter at 10 (stating that the 
standards listed in Table A are not the most current or appropriate 
standards). See also infra notes 577-578 and accompanying text.
    \570\ In the SCI Proposal, the Commission stated that it 
``preliminarily believes that, following its initial identification 
of one set of SCI industry standards . . . it would be appropriate 
for Commission staff, from time to time, to issue notices to update 
the list of previously identified set of SCI industry standards 
after receiving appropriate input from interested persons. . . . 
However, until such time as Commission staff were to update the 
identified set of SCI industry standards, the then-current set of 
SCI industry standards would be the [relevant] standards. . . .'' 
Proposing Release, supra note 13, at 18111.
    \571\ See MSRB Letter at 11-12.
    \572\ See Direct Edge Letter at 2.
---------------------------------------------------------------------------

    After careful consideration of these comments, the Commission 
acknowledges that the proposed framework for identifying and updating 
publications on Table A may not be sufficiently nimble to assure that 
its list of publications does not become obsolete as technology and 
standards change. The Commission agrees that, in an industry that 
relies heavily on technologies that are constantly evolving, the 
prescription of hard-coded solutions that may become quickly outdated 
is not the better approach. However, because several commenters stated 
that there is currently a lack of consensus on what constitutes 
generally accepted standards or principles in the securities 
industry,\573\ the Commission continues to believe that there is value 
in identifying example publications for SCI entities to consider 
looking to in establishing policies and procedures that are consistent 
with ``current SCI industry standards.'' \574\
---------------------------------------------------------------------------

    \573\ See supra note 633 and accompanying text.
    \574\ See Rule 1001(a)(4), which states: ``For purposes of 
[complying with Rule 1001(a)], such policies and procedures shall be 
deemed to be reasonably designed if they are consistent with current 
SCI industry standards, which shall be comprised of information 
technology practices that are widely available to information 
technology professionals in the financial sector and issued by an 
authoritative body that is a U.S. governmental entity or agency, 
association of U.S. governmental entities or agencies, or widely 
recognized organization. Compliance with such current SCI industry 
standards, however, shall not be the exclusive means to comply with 
[Rule 1001(a)].''
---------------------------------------------------------------------------

    After considering the potential disadvantages of ``hard-coding'' 
Table A in a Commission release, and the potential benefits of 
providing further guidance to SCI entities on the meaning of ``current 
SCI industry standards,'' the Commission has determined that, rather 
than the Commission issuing Table A in this release, Commission staff 
should issue guidance to assist SCI entities in developing policies and 
procedures consistent with ``current SCI industry standards'' in a 
manner that is consistent with the Commission's response to comments 
received on proposed Table A, as discussed in this Section 
IV.B.1.b.iii, and periodically update such guidance as appropriate. The 
Commission believes that guidance issued by the Commission staff will 
have the advantage of easier updating and allow for emerging consensus 
on standards more focused on the securities industry. Thus, concurrent 
with the Commission's adoption of Regulation SCI, Commission staff is 
issuing guidance to SCI entities on developing policies and procedures 
consistent with ``current SCI industry standards.'' \575\
---------------------------------------------------------------------------

    \575\ Staff Guidance on Current SCI Industry Standards will be 
available on the Commission's Web site at: www.sec.gov.
---------------------------------------------------------------------------

Table A Publications

    Many commenters who did not urge elimination of Table A altogether 
addressed the content of proposed Table A. Those commenters did not 
express opposition to the identification of certain inspection areas or 
domains on proposed Table A, but some commenters identified issues with 
specific publications listed on Table A.\576\ Specifically, two 
commenters stated that the NIST publication listed for the Systems 
Development Methodology domain was outdated.\577\ One of these 
commenters objected to this publication as reflecting a burdensome 
staged process to software development that favors the ``waterfall 
methodology'' over ``agile'' software development, which generally uses 
more ``nimble processes'' and is more typical in the financial services 
industry today.\578\ Another commenter noted that this publication had 
both strengths and weaknesses.\579\ Two commenters objected to the 
FFIEC's Operations IT Examination Handbook in the capacity planning 
domain as too generic.\580\ One commenter objected to the inclusion of 
FFIEC's Audit IT Examination Handbook.\581\ Another commenter stated 
more broadly that the proposed Table A publications focus too heavily

[[Page 72301]]

on firm-level risks and do not take into account the technological and 
economic stability of the U.S. market as a whole.\582\
---------------------------------------------------------------------------

    \576\ See, e.g., Angel Letter at 9; BATS Letter at 6-7; FIF 
Letter at 3-4; and ISE Letter at 10.
    \577\ See BATS Letter at 6; and ISE Letter at 10 (objecting to 
the inclusion of NIST Security Considerations in the System 
Development Life Cycle (Special Publication 800-64 Rev. 2) as a 
suitable ``current SCI industry standard'' in the systems 
development methodology domain).
    \578\ See BATS Letter at 6-7.
    \579\ See CISQ2 Letter at 4-5 (stating that NIST Special 
Publication 800-64, Rev. 2 and any derivative standard should ``be 
reviewed and if necessary revised by a panel of industry 
practitioners and technical experts to balance the requirement for 
rigor with the amount of practices and documentation specified in 
the standard'').
    \580\ See ISE Letter at 10; and FIF Letter at 3-4 (both 
described this publication as setting forth a process for conducting 
capacity planning).
    \581\ See ISE Letter at 10.
    \582\ See Angel Letter at 9.
---------------------------------------------------------------------------

    In addition, several commenters suggested specific additions to the 
proposed list of publications on Table A.\583\ For example, more than 
one commenter suggested the following standards as appropriate for 
inclusion on Table A: COBIT/ISACA; \584\ ISO-27000; \585\ ISO 25000; 
\586\ and NFPA-1600.\587\ Other standards or publications mentioned by 
commenters as useful, particularly in the area of software quality or 
software security, include the CISQ Software Quality 
Specification,\588\ the Capability Maturity Model Integration (CMMI) 
framework,\589\ ``SANS 20 Critical Security Controls,'' \590\ ``CWE/
SANS Top 25 Most Dangerous Software Errors,'' \591\ the Open Source 
Security Testing Methodology Manual (OSSTMM),\592\ the BITS Financial 
Services Roundtable Software Assurance Framework (January 2012),\593\ 
the ``Build Security In Maturity Model'' (BSIMM),\594\ Microsoft's 
SDL,\595\ and resources for defining secure software development 
practices from organizations such as OWASP, WASC and SAFECode,\596\ and 
publications issued by Scrum Alliance,\597\ the Association for 
Software Testing (AST),\598\ the Institute of Electrical and 
Electronics Engineers (IEEE),\599\ and the Association for Computing 
Machinery (ACM).\600\ In addition, one commenter suggested a standard 
currently being drafted by AT 9000, a working group which focuses on 
trading safety, regulatory requirements, and achieving efficiency and 
effectiveness of systems involved in automated trading.\601\
---------------------------------------------------------------------------

    \583\ See, e.g., CAST Letter; ISE Letter; MSRB Letter; DTCC 
Letter; FINRA Letter; Omgeo Letter; CISQ2 Letter; OCC Letter; BIDS 
Letter; Liquidnet Letter; and X9 Letter.
    \584\ See CAST Letter at 10; ISE Letter at 11; and MSRB Letter 
at 11. COBIT (formerly known as Control Objectives for Information 
and related Technology) is an enterprise information technology 
governance framework developed by ISACA (formerly known as the 
Information Systems Audit and Control Association).
    \585\ See DTCC Letter at 15; ISE Letter at 11; FINRA Letter at 
31; and Omgeo Letter at 33. FINRA recommended ISO-27000 series 
because it provides ``greater specificity'' and may be ``less 
burdensome'' than the standards identified in proposed Table A. ISE 
and DTCC recommended ISO 27000 specifically for application 
controls, information security and networking, and physical security 
controls. Omgeo stated more broadly that it models aspects of its 
program on widely accepted international standards and frameworks 
such as ITIL and ISO 27000.
    \586\ See CAST Letter and CISQ2 Letter. CAST suggested 
supplementing the SCI industry standards with standards that address 
development, as well as standards that pertain to structural 
software quality, such as ISO 25010 and CISQ Software Quality 
Specification. See CAST Letter at 5. CISQ2 agreed that standards 
addressing structural software quality are needed and suggested 
including CISQ Specification for Automated Quality Characteristic 
Measures: CISQ-TR-2012-01 in Table A. CISQ also pointed to the 
Capability Maturity Model Integration (CMMI) as another potential 
option, noting that it was the most widely adopted process standard 
for rigorous software development practices. See CISQ2 Letter at 3-
4.
    \587\ See OCC Letter at 9; and ISE Letter at 11. ISE also 
specifically recommended BS 25999 as an alternative contingency 
planning standard.
    \588\ See CAST Letter at 5; and CISQ Letter at 1.
    \589\ See CAST Letter at 10.
    \590\ See FIF Letter at 4.
    \591\ See id.
    \592\ See Lauer Letter at 5-7.
    \593\ See BIDS Letter at 7.
    \594\ See id.
    \595\ See id.
    \596\ See id.
    \597\ See Liquidnet Letter at 4.
    \598\ See id.
    \599\ See id.
    \600\ See id.
    \601\ See X9 Letter at 2.
---------------------------------------------------------------------------

    A few commenters opposed referencing standards in Regulation SCI at 
the outset and instead supported establishing a process that they 
believed would, after a certain period of time, yield a coherent set of 
standards.\602\ One of these commenters urged that best practices 
should evolve from the Commission's experience with the annual SCI 
review process and experience with the ARP program, because such best 
practices will be specific to the securities industry and reflect the 
actual practices of SCI entities.\603\ Finally, several commenters 
suggested that the Commission establish a working group to develop SCI 
industry standards.\604\
---------------------------------------------------------------------------

    \602\ See, e.g., FIF Letter at 4, 6; Liquidnet Letter at 3; UBS 
Letter at 7; and ISE Letter at 11.
    \603\ See FIF Letter at 4, 6.
    \604\ See, e.g., Liquidnet Letter at 3 (urging that a working 
group consisting of regulators, industry participants (from 
exchanges, ATSs and broker-dealers) and security and controls 
experts be established to develop a security and controls framework 
for the industry). See also UBS Letter at 7 (urging the Commission 
to convene a ``cross-industry, multi-disciplinary Working Group'' to 
be responsible for developing recommendations for appropriate 
standards); and ISE Letter at 11 (recommending that the Commission 
authorize SCI entities to establish a standards committee to review 
and recommend specific sets of standards). See also CISQ Letter at 
2, 6 (supporting the Table A approach but also seeing value in 
tailoring existing standards from professional organizations into an 
industry-specific set of standards for SCI entities).
---------------------------------------------------------------------------

    The Commission has carefully considered these comments, and 
continues to believe that there is value in identifying publications 
for SCI entities to consider looking to in establishing reasonable 
policies and procedures, because doing so will provide guidance on how 
an SCI entity may comply with adopted Rule 1001(a). The Commission 
therefore believes that issuance of staff guidance that does this, as 
discussed above, will be useful for SCI entities. However, after 
careful consideration of commenters' views regarding the publications 
on proposed Table A, the Commission believes it is useful to 
characterize how such staff guidance should be used by SCI entities. In 
particular, the Commission understands that some commenters who 
objected to the proposed Table A concept and/or the proposed Table A 
content were more broadly taking issue with the characterization of 
certain of the documents on proposed Table A, such as the NIST 800-53 
document, as a ``standard,'' rather than a ``framework'' or a 
``process.'' \605\ The Commission believes that many commenters 
implicitly were questioning why certain identified technology 
frameworks (such as NIST 800-53) were being labeled as, and thereby 
elevated to, an example of ``current SCI industry standards'' when many 
SCI entities were already following ISO 27000, COBIT, or other 
technology standards that they viewed as more specific, relevant, and/
or cost effective than the NIST frameworks identified on proposed Table 
A.\606\ In response to these comments, the Commission believes it is 
appropriate that the staff's guidance be characterized as listing 
examples of publications describing processes, guidelines, frameworks, 
or standards for an SCI entity to consider looking to in developing 
reasonable policies and procedures, rather than strictly as listing 
industry standards. Thus, the Commission believes it is appropriate if 
Commission staff were to list publications that provide guidance to SCI 
entities on suitable processes for developing, documenting, and 
implementing policies and procedures for their SCI systems (and 
indirect SCI systems, as applicable), taking into account the 
criticality of each such system.
---------------------------------------------------------------------------

    \605\ The Commission also notes that this point was made by a 
member of the third panel at the Cybersecurity Roundtable, supra 
note 39. See also FINRA Letter at 31.
    \606\ See supra notes 577-601 and accompanying text.
---------------------------------------------------------------------------

    With respect to the publications commenters suggested for inclusion 
on proposed Table A, the Commission is not disputing the value of such 
standards, and believes that each, when considered with respect to a 
particular system at an SCI entity, may contain appropriate standards 
for the SCI entity to use as, or incorporate within, its

[[Page 72302]]

policies and procedures.\607\ The Commission notes that the guidance is 
intended to be used as a baseline from which the staff may work with 
SCI entities and other interested market participants to build 
consensus on industry-specific standards, as discussed more fully 
below. Further, the Commission believes that the goal of providing 
general and flexible guidance to SCI entities does not necessitate 
providing a lengthy list of all the publications that meet the criteria 
set forth in Rule 1001(a)(4).\608\
---------------------------------------------------------------------------

    \607\ See supra notes 577-601 and accompanying text.
    \608\ See supra note 557 and accompanying text.
---------------------------------------------------------------------------

    The Commission continues to believe that it may be appropriate for 
an SCI entity to choose to adhere to a standard or guideline in a given 
domain or subcategory thereof that is different from those contained in 
the staff guidance, and emphasizes that nothing that the staff may 
include in its guidance precludes an SCI entity from adhering to 
standards such as ISO 27000, COBIT, or others referenced by commenters 
to the extent they result in policies and procedures that comply with 
the requirements of Rule 1001(a).\609\ Moreover, adopted Rule 
1001(a)(4) explicitly provides that compliance with current SCI 
industry standards (i.e., including those publications identified by 
the Commission staff) is not the exclusive method of compliance with 
Rule 1001(a). Accordingly, an SCI entity's determination not to adhere 
to some or all of the publications included in the staff guidance in 
developing its policies and procedures does not necessarily mean that 
its policies and procedures will be deficient or unreasonable for 
purposes of Rule 1001(a)(1). Importantly, the publications listed by 
Commission staff should be understood to provide guidance to SCI 
entities on selecting appropriate controls for applicable systems, as 
well as suitable processes for developing, documenting, and 
implementing policies and procedures for their SCI systems (and 
indirect SCI systems, as applicable), taking into account the 
criticality of each such system. Thus, for example, the Commission 
believes it would be reasonable for the most robust controls to be 
selected and implemented for ``critical SCI systems,'' as compared to 
other types of SCI systems, and the Commission believes it would be 
appropriate that the staff's guidance include publications that require 
more rigorous controls for higher-risk systems. The staff guidance is 
not intended to be static, however. As the Commission staff works with 
SCI entities, as well as members of the securities industry, technology 
experts, and interested members of the public, and as technology 
standards continue to evolve, the Commission anticipates that the 
Commission staff will periodically update the staff guidance as 
appropriate.
---------------------------------------------------------------------------

    \609\ Likewise, such guidance would not preclude an SCI entity 
from adopting a derivative of multiple standards, and/or customizing 
one or more standards for the particular system at issue, as one 
commenter suggested. See supra note 567 and accompanying text. In 
assessing whether an SCI entity's use of such an approach in 
designing its policies and procedures would be 
``deemed'' to be reasonably designed, the Commission's inquiry would 
be into whether its policies and procedures were consistent with 
standards meeting the criteria in adopted Rule 1001(a)(4).
---------------------------------------------------------------------------

    Another way in which the publications identified by Commission 
staff should provide guidance to SCI entities is by providing 
transparency on how the staff will, at least initially, prepare for and 
conduct inspections relating to Regulation SCI. As discussed in the SCI 
Proposal and above,\610\ for over two decades, ARP staff has conducted 
inspections of ARP entity systems, with a goal of evaluating whether an 
ARP entity's controls over its information technology resources in each 
domain are consistent with ARP and industry guidelines,\611\ as 
identified by ARP staff from a variety of information technology 
publications that ARP staff believed were appropriate for securities 
market participants.\612\ With the adoption of Regulation SCI, and the 
resultant transition away from the voluntary ARP Inspection Program to 
an inspection program under Regulation SCI, the Commission believes it 
is helpful to establish consistency in its approach to examining SCI 
entities for compliance with Regulation SCI. Importantly, establishing 
consistency does not mean that the Commission will take a one-size-
fits-all or checklist approach. Because the publications identified by 
Commission staff should be general and flexible enough to be compatible 
with many widely-recognized technology standards that SCI entities 
currently use, the Commission believes the publications identified by 
Commission staff should provide guidance for an SCI entity to self-
assess whether its policies and procedures comply with Rules 
1001(a)(1)-(2). Moreover, because use of the publications identified by 
Commission staff is not mandatory, the staff guidance should not be 
regarded as establishing a checklist, the use of which could result in 
unintended consequences, but rather a basis for considering how an SCI 
entity's selected standards relate to the guidance provided by 
Commission staff and whether they are appropriate standards for use by 
that particular SCI entity for a given system.
---------------------------------------------------------------------------

    \610\ See supra Section II.A.
    \611\ As stated in the SCI Proposal, the domains covered during 
an ARP inspection depend in part upon whether the inspection is a 
regular inspection or a ``for-cause'' inspection. Typically, 
however, to make the most efficient use of resources, a single ARP 
inspection will cover fewer than nine domains. See Proposing 
Release, supra note 13, at 18086.
    \612\ See id. and supra Section II.A (discussing the ARP 
Inspection Program).
---------------------------------------------------------------------------

    The Commission believes that it would be appropriate that the 
publications initially identified by Commission staff at a minimum 
include the nine inspection areas, or ``domains,'' that the Commission 
identified on Table A in the SCI Proposal and that are relevant to SCI 
entities' systems capacity, integrity, resiliency, availability, and 
security, namely: Application controls; capacity planning; computer 
operations and production environment controls; contingency planning; 
information security and networking; audit; outsourcing; physical 
security; and systems development methodology.
    The Commission believes it would be appropriate that each 
publication identified by Commission staff be identified with 
specificity and include the particular publication's date, volume 
number, and/or publication number, as the case may be. Thus, for SCI 
entities that establish or self-assess their policies and procedures in 
reliance on the guidance provided by the publications identified by 
Commission staff, the Commission believes that the publications should 
be the relevant publications until such time as the list is updated by 
Commission staff. Of course, SCI entities may elect to use publications 
describing processes, guidelines, frameworks, and/or standards other 
than those identified by Commission staff to develop policies and 
procedures that satisfy the requirements of Rules 1001(a)(1)-(2).
    As stated in the SCI Proposal, however, the Commission continues to 
believe that the development of securities-industry specific standards 
is a worthy goal. Although some commenters urged the Commission not to 
adopt Table A at the outset, and instead establish a process to achieve 
that end,\613\ the Commission believes that the better approach is for 
Commission staff to provide examples of publications through its 
guidance that form a baseline and remain open to emerging consensus on 
industry-specific standards. In response to the

[[Page 72303]]

commenter that suggested that the Commission leverage the annual SCI 
review process and the SCI inspection process to yield a coherent set 
of industry-specific standards that could be referenced on Table A, the 
Commission believes that such an approach could serve as an appropriate 
input into the future development of such standards.\614\ In response 
to the commenter who stated that the proposed Table A publications do 
not take into account the technological and economic stability of the 
U.S. market as a whole,\615\ the Commission notes that the 
technological stability of individual SCI entities, in tandem with a 
heightened focus on critical SCI systems, are necessary prerequisites 
to achieving such market-wide goals. Accordingly, the Commission 
believes that the publications identified by Commission staff today 
should serve as an appropriate initial set of publications, processes, 
guidelines, frameworks, and standards for SCI entities to use as 
guidance to develop their policies and procedures under Rule 1001(a). 
With this guidance as a starting point, the Commission expects that the 
Commission staff will seek to work with members of the securities 
industry, technology experts, and interested members of the public 
towards developing standards relating to systems capacity, integrity, 
resiliency, availability, and security appropriately tailored for the 
securities industry and SCI entities, and periodically issue staff 
guidance that updates the guidance with such standards.
---------------------------------------------------------------------------

    \613\ See supra note 604 and accompanying text.
    \614\ See supra note 602 and accompanying text.
    \615\ See supra note 582 and accompanying text.
---------------------------------------------------------------------------

2. Policies and Procedures To Achieve Systems Compliance--Rule 1001(b)
    Proposed Rule 1000(b)(2)(i) would have required each SCI entity to 
establish, maintain, and enforce written policies and procedures 
reasonably designed to ensure that its SCI systems operate in the 
manner intended, including in a manner that complies with the federal 
securities laws and rules and regulations thereunder and the SCI 
entity's rules and governing documents, as applicable.
    Proposed Rule 1000(b)(2) also would have included safe harbors for 
an SCI entity and its employees. Specifically, proposed Rule 
1000(b)(2)(ii) provided that an SCI entity would be deemed not to have 
violated proposed Rule 1000(b)(2)(i) if the SCI entity: (1) Established 
policies and procedures reasonably designed to provide for specified 
elements; (2) established and maintained a system for applying such 
policies and procedures which would reasonably be expected to prevent 
and detect, insofar as practicable, any violations of such policies and 
procedures by the SCI entity or any person employed by the SCI entity; 
and (3) reasonably discharged the duties and obligations incumbent upon 
it by such policies and procedures, and was without reasonable cause to 
believe that such policies and procedures were not being complied with 
in any material respect. The safe harbor for SCI entities in proposed 
Rule 1000(b)(2)(ii) specified that the SCI entity's policies and 
procedures must be reasonably designed to provide for: (1) Testing of 
all SCI systems and any changes to such systems prior to 
implementation; (2) periodic testing of all SCI systems and any changes 
to such systems after their implementation; (3) a system of internal 
controls over changes to SCI systems; (4) ongoing monitoring of the 
functionality of SCI systems to detect whether they are operating in 
the manner intended; (5) assessments of SCI systems compliance 
performed by personnel familiar with applicable federal securities laws 
and rules and regulations thereunder and the SCI entity's rules and 
governing documents, as applicable; and (6) review by regulatory 
personnel of SCI systems design, changes, testing, and controls to 
prevent, detect, and address actions that do not comply with applicable 
federal securities laws and rules and regulations thereunder and the 
SCI entity's rules and governing documents, as applicable.
    In addition, proposed Rule 1000(b)(2)(iii) set forth a safe harbor 
for individuals. It provided that a person employed by an SCI entity 
would be deemed not to have aided, abetted, counseled, commanded, 
caused, induced, or procured the violation by any other person of 
proposed Rule 1000(b)(2)(i) if the person employed by the SCI entity 
has reasonably discharged the duties and obligations incumbent upon 
such person by the policies and procedures, and was without reasonable 
cause to believe that such policies and procedures were not being 
complied with in any material respect.
    After careful consideration of the comments, proposed Rule 
1000(b)(2) is adopted as Rule 1001(b) with modifications, as discussed 
below.
a. Reasonable Policies and Procedures To Achieve Systems Compliance
    The Commission received significant comment on its proposal to 
require that SCI entities establish, maintain, and enforce written 
policies and procedures reasonably designed to ensure systems 
compliance. Some commenters supported the broad goals of a policies and 
procedures requirement to help ensure that SCI systems operate as 
intended.\616\ Other commenters questioned whether any set of policies 
and procedures could guarantee perfect operational compliance.\617\ One 
commenter emphasized that no set of policies and procedures can 
guarantee 100% operational compliance and that, historically, the 
Commission has allowed entities to use a reasonableness standard so 
that policies and procedures are required to be reasonably designed to 
promote compliance, and the same should be used for the underlying 
predicate requirement in Regulation SCI.\618\ A few commenters 
expressed concern that, in instances where an SCI entity's policies and 
procedures failed to prevent SCI events, the Commission might use such 
failures as the basis for an enforcement action, charging that the 
policies and procedures were not reasonable.\619\ One commenter 
believed that compliance with Regulation SCI should be measured against 
a firm's adherence to its own set of policies and procedures that are 
in keeping with SCI system objectives, and such policies should be 
reviewed and updated as part of the annual SCI review process.\620\ 
Another commenter requested that the Commission more clearly 
distinguish between liability under Regulation SCI and liability for 
SCI events, stating that compliance with Regulation SCI and compliance 
with other federal securities laws and rules must remain distinct.\621\
---------------------------------------------------------------------------

    \616\ See MSRB Letter at 12-13; SIFMA Letter at 12; and MFA 
Letter at 3. Two of these commenters believed that SCI entities that 
perform critical market functions should be required to have more 
stringent policies and procedures than less critical SCI entities. 
See SIFMA Letter at 12; and MFA Letter at 3-4.
    \617\ See ITG Letter at 14. See also BATS Letter at 3-4, 6.
    \618\ See ITG Letter at 14.
    \619\ See BATS Letter at 3-4; Angel Letter at 4; and FSR Letter 
at 5. One of these commenters considered this possibility as, in 
effect, imposing a strict liability standard with respect to systems 
issues, and was concerned that the proposed approach would result in 
``finger-pointing'' and constant enforcement actions for immaterial 
violations that desensitize people to actual material violations. 
See FSR Letter at 3-8.
    \620\ See FIF Letter at 4.
    \621\ See FSR Letter at 6.
---------------------------------------------------------------------------

    Whereas adopted Rule 1001(a) \622\ concerns the robustness of the 
SCI entity's systems, adopted Rule 1001(b) \623\ concerns the 
operational compliance of an SCI entity's SCI systems with the Exchange 
Act, the rules and regulations thereunder, and

[[Page 72304]]

the SCI entity's governing documents. The Commission continues to 
believe, as stated in the SCI Proposal, that a rule requiring SCI 
entities to establish, maintain, and enforce policies and procedures 
reasonably designed to ensure operational compliance will help to: 
ensure that SCI SROs comply with Section 19(b)(1) of the Exchange Act; 
\624\ reinforce existing SRO rule filing processes to assist market 
participants and the public in understanding how the SCI systems of SCI 
SROs are intended to operate; and assist SCI SROs in meeting their 
obligations to file plan amendments to SCI Plans under Rule 608 of 
Regulation NMS.\625\ It will similarly help other SCI entities (i.e., 
SCI ATSs, plan processors, and exempt clearing agencies subject to ARP) 
to achieve operational compliance with the Exchange Act, the rules and 
regulations thereunder, and their governing documents.
---------------------------------------------------------------------------

    \622\ Adopted Rule 1001(a) was proposed as Rule 1000(b)(1).
    \623\ Adopted Rule 1001(b) was proposed as Rule 1000(b)(2).
    \624\ See 15 U.S.C. 78s(b)(1) (requiring each SRO to file with 
the Commission copies of any proposed rule or any proposed change 
in, addition to, or deletion from the rules of the SRO).
    \625\ See Proposing Release, supra note 13, at 18115.
---------------------------------------------------------------------------

    The Commission notes that Rule 1001(b) is intended to help prevent 
the occurrence of systems compliance issues at SCI entities. The 
Commission discussed in Section IV.A.3.b the rationale for further 
focusing the definition of systems compliance issue (i.e., replacing 
the reference to operating ``in the manner intended, including in a 
manner that complies with the federal securities laws'' with a 
reference to operating ``in a manner that complies with the Act''). To 
provide consistency between the definition of systems compliance issue 
and the requirement for policies and procedures to ensure systems 
compliance, the Commission is similarly revising Rule 1001(b)(1) to 
require each SCI entity to establish, maintain, and enforce written 
policies and procedures reasonably designed to ensure that its SCI 
systems operate ``in a manner that complies with the Act'' and the 
rules and regulations thereunder and the entity's rules and governing 
documents, as applicable.
    As noted above, some commenters expressed concern that an SCI 
entity would be found to be in violation of Rule 1001(b) if an SCI 
event occurs.\626\ Consistent with the discussion above regarding Rule 
1001(a), the Commission emphasizes that the occurrence of a systems 
compliance issue at an SCI entity does not necessarily mean that the 
SCI entity has violated Rule 1001(b) of Regulation SCI. As stated in 
the SCI Proposal, an SCI entity will not be deemed to be in violation 
of Rule 1001(b) solely because it experienced a systems compliance 
issue.\627\ The Commission also notes that Rule 1001(b) requires 
systems compliance policies and procedures to be reasonably 
designed.\628\ The Commission acknowledges that reasonable policies and 
procedures will not ensure the elimination of all systems issues, 
including systems compliance issues. While a systems compliance issue 
may be probative as to the reasonableness of an SCI entity's policies 
and procedures, it is not determinative. Further, the occurrence of a 
systems compliance issue also does not necessarily mean that the SCI 
entity will be subject to an enforcement action. Rather, the Commission 
will exercise its discretion to initiate an enforcement action if the 
Commission determines that action is warranted, based on the particular 
facts and circumstances of an individual situation.
---------------------------------------------------------------------------

    \626\ See supra notes 617-620 and accompanying text. One of 
these commenters believed that compliance with Regulation SCI should 
be measured against a firm's adherence to its own set of policies 
and procedures that are in keeping with SCI systems objectives. See 
supra note 620 and accompanying text. The Commission understands 
this commenter to be expressing the same concern as other commenters 
that an SCI entity would be found to be in violation of Rule 1001(b) 
if an SCI event occurs. This commenter also noted that policies and 
procedures should be reviewed and updated as part of the annual SCI 
review process. See supra note 620 and accompanying text. The 
comment regarding reviews and updates of policies and procedures is 
addressed below. See infra note 673 and accompanying text.
    \627\ Also, as noted in the SCI Proposal, an employee of an SCI 
entity would not be deemed to have aided, abetted, counseled, 
commanded, caused, induced, or procured the violation by any other 
person of Rule 1001(b) merely because the SCI entity at which the 
employee worked experienced a systems compliance issue. See 
Proposing Release, supra note 13, at 18116.
    \628\ As stated above, one commenter noted that no set of 
policies and procedures can guarantee 100% operational compliance 
and that historically, the Commission has allowed entities to use a 
reasonableness standard so that policies and procedures are required 
to be reasonably designed to promote compliance, and the same 
approach should be used for Regulation SCI. See supra note 618 and 
accompanying text. The Commission agrees with this commenter that 
reasonably designed policies and procedures might not completely 
eliminate the occurrence of systems compliance issues. Also, adopted 
Rule 1001(b) is consistent with this commenter's suggestion, because 
it requires policies and procedures that are ``reasonably designed'' 
to ensure systems compliance.
---------------------------------------------------------------------------

    In response to one commenter's request that the Commission more 
clearly distinguish between liability under Regulation SCI and 
liability for SCI events,\629\ the Commission notes that liability 
under Regulation SCI is separate and distinct from liability for other 
violations that may arise from the underlying SCI event. In particular, 
whether an SCI entity violated Regulation SCI does not affect the 
determination of whether the underlying SCI event also caused the SCI 
entity to violate other laws or rules, and compliance with Regulation 
SCI is not a safe harbor or other shield from liability under other 
laws or rules. Thus, even if the occurrence of an SCI event does not 
cause an SCI entity to be found to be in violation of Regulation SCI, 
the SCI entity may still be liable under other Commission rules or 
regulations, the Exchange Act, or SRO rules for the underlying SCI 
event.\630\
---------------------------------------------------------------------------

    \629\ See supra note 621 and accompanying text.
    \630\ For example, it is possible for an SCI SRO to have 
established, maintained, and enforced reasonably designed systems 
compliance policies and procedures consistent with the requirements 
of Rule 1001(b) of Regulation SCI, but still potentially violate 
Section 19(g) of the Exchange Act if the operation of its systems is 
inconsistent with its own rules. See 15 U.S.C. 78s(g) (requiring 
every SRO to comply with the Exchange Act, the rules and regulations 
thereunder, and its own rules).
---------------------------------------------------------------------------

b. Proposed Safe Harbor for SCI Entities
i. Comments Received
    In the SCI Proposal, the Commission solicited comment on the 
proposed approach to include safe harbor provisions in proposed Rule 
1000(b)(2) and specifically asked whether commenters agreed with the 
proposed inclusion of safe harbors.\631\ Many commenters specifically 
addressed the safe harbors in proposed Rule 1000(b)(2). Two commenters 
urged elimination of the proposed safe harbors.\632\ One of these 
commenters stated that the safe harbors were framed so generally that 
they would be easy to invoke.\633\ This commenter also stated that 
inclusion of a safe harbor provision for compliance standards would 
unnecessarily and severely limit the Commission's ability to deter 
violations through meaningful enforcement actions.\634\ The other 
commenter stated that, if a safe harbor is adopted, the Commission 
should be as specific as possible in establishing how to qualify for 
the safe harbor, and recommended that Commission guidance ensure that 
SCI entities are actively building and improving upon safety systems 
and not simply checking boxes and doing the minimal amount necessary to 
ensure compliance.\635\
---------------------------------------------------------------------------

    \631\ See Proposing Release, supra note 13, at 18117, question 
104.
    \632\ See Better Markets Letter at 5-6; and Lauer Letter at 7-8.
    \633\ See Better Markets Letter at 5-6.
    \634\ See id. at 6.
    \635\ See Lauer Letter at 7-8.
---------------------------------------------------------------------------

    In contrast, several commenters supported the inclusion of a safe 
harbor in proposed Rule 1000(b)(2) in theory, but objected to the 
proposed
approach.\636\ Some commenters stated that the proposed safe harbor, 
with its prescriptive requirements, would evolve into the de facto rule 
itself as SCI entities decide to adhere to the requirements of the safe 
harbor rather than risk a potential enforcement action stemming from an 
SCI event.\637\ One of these commenters noted that the safe harbor 
merely further defined the elements that the policies and procedures 
must have by providing a list of points that reasonably designed 
policies and procedures must cover.\638\ This commenter believed that 
including a requirement for reasonably designed policies and procedures 
and providing a safe harbor when those policies and procedures are 
reasonably designed is inherently circular, and expressed concern about 
liability under Regulation SCI whenever there is a systems or 
technology malfunction or error.\639\ This commenter also compared the 
proposed SCI entity safe harbor to other rules, stating that the other 
rules requiring policies and procedures recognize the need for those 
policies and procedures to be reasonably designed in light of the 
manner in which business is conducted.\640\ This commenter further 
noted that, if the Commission intends that all SCI entities conform to 
the standards articulated in the safe harbor, the Commission should set 
them forth as express provisions of the rule, although this commenter 
believed that such an approach would be misguided because it would 
create strictures that impose protocols that may not be suitable for 
certain market participants.\641\
---------------------------------------------------------------------------

    \636\ See, e.g., Angel Letter; Direct Edge Letter; FSR Letter; 
ITG Letter; MSRB Letter; NYSE Letter; OCC Letter; OTC Markets 
Letter; and Joint SROs Letter.
    \637\ See ITG Letter at 14 (stating that ``[t]he safe harbor 
contains so many requirements that it operates as a rule by 
itself''); and FSR Letter at 8.
    \638\ See FSR Letter at 4-5.
    \639\ See id. at 5-6.
    \640\ See FSR Letter at 8-9 (expressing concern that the safe 
harbor will become the sole yardstick by which conduct is measured 
and, even if the safe harbor were non-exclusive, it could become the 
de facto standard to the exclusion of other, legitimate approaches).
    \641\ See FSR Letter at 9.
---------------------------------------------------------------------------

    Several other commenters expressed concern that the proposed safe 
harbors were unclear.\642\ One group of commenters noted that the 
provisions in the proposed safe harbors were vague, subjective, and 
merely duplicate elements that would result from a logical 
interpretation of Rule 1000(b)(1),\643\ which these commenters believed 
offered no safe harbor protection at all.\644\ Another commenter stated 
that the use of a reasonableness standard with respect to the design of 
systems and the discharge of duties under an SCI entity's policies and 
procedures would mean that an SCI entity and its employees would never 
know with certainty whether they met the terms of the safe harbor.\645\ 
Another commenter similarly stated that SCI entities cannot know if 
they have complied with the safe harbor unless more guidance is 
provided on the concept of ``reasonable policies and procedures'' and 
the Commission explains what constitutes adequate testing, monitoring, 
assessments, and review for each system.\646\ One commenter agreed with 
the need for a safe harbor but stated that the proposed safe harbor is 
not sufficiently robust because it contains ``vague and extensive 
requirements that are overly subjective'' and the Commission therefore 
would be ``likely to review an SCI entity's interpretation of the safe 
harbor in the event of a systems issue with the benefit of 20/20 
hindsight.'' \647\ This commenter expressed concern that the occurrence 
of a significant systems event would mean that an exchange did not have 
reasonable policies and procedures and would be outside the terms of 
the proposed safe harbor.\648\
---------------------------------------------------------------------------

    \642\ See, e.g., FSR Letter; OCC Letter; and OTC Markets Letter.
    \643\ See Joint SROs Letter at 13 (stating that the proposed 
safe harbor should provide a more objective and transparent 
approach, and provide SCI entities a clear, affirmative defense from 
allegations of having violated Regulation SCI).
    \644\ See Joint SROs Letter at 13.
    \645\ See OCC Letter at 11. This commenter also questioned the 
value of the safe harbors as proposed and requested that the 
Commission consider including bright-line tests and minimum 
standards in the safe harbor provisions to better guide SCI entities 
and their employees in avoiding liability under Regulation SCI. See 
OCC Letter at 11. See also NYSE Letter at 30 (noting that the 
Commission provided no guidance on the phrase ``policies and 
procedures reasonably designed'').
    \646\ See OTC Markets Letter at 15.
    \647\ See NYSE Letter at 30.
    \648\ See id.
---------------------------------------------------------------------------

    A few commenters suggested specific alternatives to the proposed 
safe harbors.\649\ One commenter recommended that the Commission adopt 
a safe harbor with objective criteria to protect SCI entities from 
enforcement actions under Regulation SCI except in cases of intentional 
or reckless non-compliance or patterns of non-compliance with 
Regulation SCI, or if an SCI entity fails to implement reasonable 
corrective action in response to a written communication from the 
Commission regarding Regulation SCI.\650\ This commenter urged that, 
even if the Commission does not include the suggested safe harbor, the 
adopting release should clearly state that the Commission will not 
pursue enforcement actions against SCI entities that establish, 
maintain, and enforce compliance policies and procedures or act in good 
faith, notwithstanding a violation of Regulation SCI.\651\
---------------------------------------------------------------------------

    \649\ See, e.g., FSR Letter; ITG Letter; OTC Markets Letter; 
Joint SROs Letter; and NYSE Letter.
    \650\ See NYSE Letter at 29, 31-32. This commenter also 
suggested that SCI entity employees be protected except in instances 
where employees intentionally or recklessly fail to discharge their 
duties and obligations under the SCI entity's policies and 
procedures. See NYSE Letter at 29, 31-32. This comment and the 
individual safe harbor are addressed in Section IV.B.2.d below. 
Another commenter, expressing support for NYSE's suggested approach 
for SCI entities and their employees, stated that an objective 
standard would provide the proper incentives for compliance and 
allow SCI entities to reasonably evaluate their potential exposure 
when an SCI event occurs and act quickly in the critical moments 
following an SCI event. See OTC Markets Letter at 16.
    \651\ See NYSE Letter at 32, n. 41.
---------------------------------------------------------------------------

    One group of commenters similarly recommended that the Commission 
adopt an objective safe harbor.\652\ These commenters noted that minor 
mistakes and unintentional errors occur in the daily operations of 
running a business, and a safe harbor should provide protection to SCI 
entities that follow the policies and procedures as intended, including 
in the resolution and containment of such mistakes and errors.\653\ 
These commenters believed that it should be sufficient for an SCI 
entity to qualify for the safe harbor if it adopts policies and 
procedures reasonably designed to comply with Regulation SCI and does 
not knowingly violate such policies and procedures.\654\ These 
commenters further requested that the Commission clarify its views on 
the protections of the safe harbor for inadvertent violations of other 
laws and rules despite compliance with Regulation SCI and expand the 
safe harbor to explicitly cover such instances.\655\
---------------------------------------------------------------------------

    \652\ See Joint SROs Letter at 13-14.
    \653\ See id.
    \654\ See id. These commenters suggested a parallel safe harbor 
for employees of SCI entities. See id. at 14.
    \655\ See id.
---------------------------------------------------------------------------

    One commenter suggested simplifying the safe harbor to require only 
that an SCI entity adopt reasonable policies and procedures to comply 
with proposed Regulation SCI, which should include reasonable ongoing 
responsibilities related to testing and monitoring.\656\ Another 
commenter believed that the safe harbor should grant immunity from 
enforcement penalties for all problems that are self-reported by SCI 
entities and individuals.\657\ One commenter suggested that Regulation 
SCI should: (1) Encourage parties to discover and
remediate technology errors and malfunctions, and/or deficiencies in 
their policies and procedures; (2) avoid ipso facto liability under 
Regulation SCI for failures by technology or systems; and (3) require 
some form of causation in order for liability to attach.\658\ This 
commenter also recommended that the Commission provide safe harbors 
from liability under both proposed Rules 1000(b)(1) and (2) where 
either: (1) The SCI entity or SCI personnel discovers and remediates a 
problem without regulatory intervention and assuming no underlying 
material violation; or (2) no technology error or problem has occurred, 
but the policies and procedures might benefit from improvements.\659\ 
According to this commenter, the remediation safe harbor should also 
apply to underlying technology problems if the SCI entity had complied 
with Regulation SCI.\660\ One commenter expressed concern that, without 
a safe harbor and a guarantee of immunity, the disclosures to the 
Commission required under Regulation SCI would provide a roadmap for 
litigation against non-SRO entities.\661\
---------------------------------------------------------------------------

    \656\ See ITG Letter at 14.
    \657\ See Angel Letter at 4.
    \658\ See FSR Letter at 9.
    \659\ See id. at 9-10.
    \660\ See id. at 3, 9-10.
    \661\ See OTC Markets Letter at 15-16 (stating that ``entities 
that do not have SRO immunity, such as ATSs, may be subject to 
liability based on information reported under Reg. SCI's Rule 
1000(b)(4)(iv) . . . [w]ithout a safe harbor and a guarantee of 
immunity, this kind of disclosure provides a roadmap for litigation 
against non-SRO SCI entities'').
---------------------------------------------------------------------------

ii. Elimination of Proposed Safe Harbor for SCI Entities and 
Specification of Minimum Elements
    As discussed in greater detail below, after careful consideration 
of the comments, and in light of the more focused scope of Regulation 
SCI, the Commission has determined not to adopt the proposed safe 
harbor for SCI entities.\662\ Rather, Rule 1001(b) sets forth non-
exhaustive minimum elements that an SCI entity must include in its 
systems compliance policies and procedures. The Commission recognizes 
that the precise nature, size, technology, business model, and other 
aspects of each SCI entity's business vary. Therefore, the minimum 
elements are intended to be general in order to accommodate these 
differences, and each SCI entity will need to exercise judgment in 
developing and maintaining specific policies and procedures that are 
reasonably designed to achieve systems compliance. The Commission also 
believes that SCI entities should consider the evolving nature of the 
securities industry, as well as industry practices and standards, in 
developing and maintaining such policies and procedures. As such, the 
elements specified in Rule 1001(b) are non-exhaustive, and each SCI 
entity should consider on an ongoing basis what steps it needs to take 
in order to ensure that its policies and procedures are reasonably 
designed.
---------------------------------------------------------------------------

    \662\ The Commission's decision not to adopt an SCI entity safe 
harbor also addresses a commenter's concern that the inclusion of a 
safe harbor provision in Rule 1001(b) could unnecessarily and 
severely limit the Commission's ability to deter violations through 
meaningful enforcement actions. See supra notes 633-634 and 
accompanying text. As discussed in Section IV.B.2.d below, however, 
the Commission is adopting a safe harbor for personnel of SCI 
entities.
---------------------------------------------------------------------------

    In the SCI Proposal, the Commission stated that, ``[b]ecause of the 
complexity of SCI systems and the breadth of the federal securities 
laws and rules and regulations thereunder and the SCI entities' rules 
and governing documents, the Commission preliminarily believes that it 
would be appropriate to provide an explicit safe harbor for SCI 
entities and their employees in order to provide greater clarity as to 
how they can ensure that their conduct will comply with [Rule 
1000(b)(2)].'' \663\
---------------------------------------------------------------------------

    \663\ See Proposing Release, supra note 13, at 18115.
---------------------------------------------------------------------------

    One reason that the Commission is not adopting the proposed safe 
harbor for SCI entities is that the Commission has focused the scope of 
Regulation SCI as adopted. For example, adopted Rule 1001(b) requires 
policies and procedures that are reasonably designed to ensure 
compliance with ``the Act''--rather than operating ``in the manner 
intended, including in a manner that complies with the federal 
securities laws'' as was proposed--and the rules and regulations 
thereunder, and the SCI entity's rules and governing documents. 
Therefore, the requirement under adopted Rule 1001(b) is more targeted 
than the requirement under proposed Rule 1000(b)(2), and alleviates 
some of the concern regarding the ``breadth of the federal securities 
laws and rules and regulations thereunder'' that was expressed in the 
SCI Proposal. The Commission expects that SCI entities are familiar 
with their obligations under the Exchange Act, the rules and 
regulations thereunder, and their own rules and governing documents. In 
addition, as discussed in Section IV.A.2.b above, the Commission has 
further focused the scope of SCI systems, which also alleviates some of 
the concern regarding the ``complexity of SCI systems'' that was 
expressed in the SCI Proposal.\664\
---------------------------------------------------------------------------

    \664\ See id.
---------------------------------------------------------------------------

    Further, as noted above, in the SCI Proposal, the Commission stated 
its preliminary belief that it would be appropriate to provide an 
explicit safe harbor for SCI entities in order to provide greater 
clarity on how they could comply with proposed Rule 1000(b)(2).\665\ 
Rather than achieving this goal, commenters argued that the proposed 
safe harbor merely further defined the elements that the policies and 
procedures must have, and did not include sufficient guidance or 
specificity to SCI entities seeking to rely on it.\666\ For example, 
one commenter noted that the policies and procedures specified in the 
safe harbor would still need to be ``reasonably designed.'' \667\ 
Further, the Commission acknowledges some commenters' concern that the 
proposed safe harbor, ``with its prescriptive requirements,'' could 
evolve into the de facto rule itself.\668\
---------------------------------------------------------------------------

    \665\ See id.
    \666\ See supra notes 638-639, 643-648 and accompanying text. 
With respect to the group of commenters who suggested that the safe 
harbor should give SCI entities a clear, affirmative defense from 
allegations of having violated Regulation SCI, as discussed above, 
the Commission is eliminating the proposed safe harbor for SCI 
entities. See supra note 643. As discussed below, the Commission 
believes that, by specifying non-exhaustive minimum elements that an 
SCI entity must include in its systems compliance policies and 
procedures, the rule will encourage SCI entities to actively build 
and improve upon the compliance of their systems, rather than limit 
their compliance to some fixed elements of a safe harbor.
    \667\ See supra notes 638-639 and accompanying text. This 
commenter also compared the proposed SCI entity safe harbor to other 
rules, stating that the other rules requiring policies and 
procedures recognize the need for those policies and procedures to 
be reasonably designed in light of the manner in which business is 
conducted. See supra note 640 and accompanying text. Rule 1001(b), 
as adopted, requires policies and procedures to be ``reasonably 
designed'' to ensure the compliance of SCI systems. Therefore, Rule 
1001(b) recognizes the need for policies and procedures to be 
reasonably designed in light of the manner in which an SCI entity's 
business is conducted.
    \668\ See supra note 637 and accompanying text and supra note 
640. The Commission acknowledges that some commenters who believed 
that the proposed safe harbor was inadequate also advocated for 
alternative safe harbors, such as those that require knowledge or 
recklessness for liability. These comments are discussed below in 
Section IV.B.2.b.iii.
---------------------------------------------------------------------------

    As discussed above, the Commission is not adopting a safe harbor 
for SCI entities. Rather, adopted Rule 1001(b)(1) requires an SCI 
entity to have reasonably designed policies and procedures to achieve 
systems compliance and adopted Rule 1001(b)(2) specifies non-
exhaustive, general minimum elements that an SCI entity must include in 
its systems compliance policies and procedures. These minimum elements 
are based on the elements contained in the proposed safe harbor for SCI 
entities, but modified in
response to concerns raised by commenters. As adopted, Rules 1001(b)(1) 
and (b)(2) specify the minimum elements of reasonably designed policies 
and procedures to achieve systems compliance, and at the same time 
provide flexibility by permitting an SCI entity to establish policies 
and procedures that are reasonably designed based on the nature, size, 
technology, business model, and other aspects of its business. 
Moreover, the Commission believes that, by specifying non-exhaustive, 
general minimum elements of systems compliance policies and procedures, 
the rule will encourage SCI entities to actively build and improve upon 
the compliance of their systems rather than limit their compliance to 
bright-line tests or the fixed elements of a safe harbor, and encourage 
the evolution of sound practices over time. In addition, the Commission 
notes that there currently are no publicly available written industry 
standards regarding systems compliance that are applicable to all SCI 
entities that can serve as the basis for a clear, objective safe 
harbor, as there is with current SCI industry standards (e.g., the 
publications listed in staff guidance) relating to operational 
capability. Even if such standards existed, the Commission believes 
that the specificity necessary to achieve the goal of a clear, 
objective safe harbor would disincentivize SCI entities from continuing 
to improve their systems over time. Finally, the Commission believes 
that, because the minimum elements specified in Rule 1001(b)(2) are 
non-exhaustive, Rule 1001(b) can accommodate the possibility that, as 
technology evolves, additional or updated elements could become 
appropriate for SCI entities to include in their systems compliance 
policies and procedures to ensure that such policies and procedures 
remain reasonably designed on an ongoing basis.

iii. Response to Other Comments on the SCI Entity Safe Harbor
    With respect to commenters who requested clarification on the 
protection of the safe harbor for inadvertent violations of other laws 
and rules despite compliance with Regulation SCI,\669\ as noted above, 
the Commission clarifies that liability under Regulation SCI is 
separate and distinct from liability for other violations that may 
arise from the underlying SCI events under other laws and rules. 
Specifically, Regulation SCI imposes new requirements on SCI entities 
and is not intended to alter the standards for determining liability 
under other laws or rules. Therefore, if an SCI entity is in compliance 
with Regulation SCI but inadvertently violates another law or rule, 
whether or not the SCI entity will be liable under the other law or 
rule depends on the standards for determining liability under such law 
or rule. Because the new requirements under Regulation SCI are separate 
and distinct from existing requirements under other laws or rules, 
Regulation SCI is not a shield from liability under such laws or rules.
---------------------------------------------------------------------------

    \669\ See supra notes 655 and 660 and accompanying text.
---------------------------------------------------------------------------

    The Commission also does not believe that it would be appropriate 
to provide a safe harbor for all problems that are self-reported by SCI 
entities and individuals or that are discovered and remediated without 
regulatory intervention, as suggested by commenters.\670\ In 
particular, Rule 1001(b) is intended to help ensure that SCI entities 
operate their systems in compliance with the Exchange Act and relevant 
rules in the first place, and thus is not only focused on helping to 
ensure that SCI entities appropriately respond to a compliance issue 
(e.g., by taking corrective action or reporting the issue to the 
Commission) after it has occurred and impacted the market or market 
participants. Therefore, the Commission does not believe that the 
suggested self-report or remediation safe harbors will effectively 
further this intent of Rule 1001(b). In particular, the Commission 
notes that reporting and remediation of SCI events are separately 
required under Rules 1002(b) and (a) of Regulation SCI, respectively. 
The purposes of Rule 1002(b) include keeping the Commission informed of 
SCI events after they have occurred. Moreover, Rule 1002(a) is intended 
to ensure that SCI entities remedy a systems issue and mitigate the 
resulting harm after the issue has already occurred. The Commission 
believes that, if an SCI entity is protected from liability under Rule 
1001(b) simply because it self-reported systems compliance issues or 
discovered and remediated systems compliance issues without regulatory 
intervention, the SCI entity will not be effectively incentivized to 
have reasonably designed policies and procedures to ensure systems 
compliance in the first place. As discussed above, the occurrence of an 
SCI event will not necessarily cause a violation of Regulation SCI. 
Further, the occurrence of a systems compliance issue also does not 
necessarily mean that the SCI entity will be subject to an enforcement 
action. Rather, the Commission will exercise its discretion to initiate 
an enforcement action if the Commission determines that action is 
warranted, based on the particular facts and circumstances of an 
individual situation.
---------------------------------------------------------------------------

    \670\ See supra notes 657 and 659 and accompanying text.
---------------------------------------------------------------------------

    As discussed above, some commenters expressed concern that the 
occurrence of a significant systems issue would mean that an SCI entity 
did not have reasonable policies and procedures and therefore suggested 
``objective'' safe harbors.\671\ The Commission notes that all SCI 
entities are required to comply with the Exchange Act, the rules and 
regulations thereunder, and their own rules and governing documents, as 
applicable, and the purpose of Rule 1001(b) is to effectively help 
ensure compliance of the operation of SCI systems with these laws and 
rules. The Commission does not believe that Rule 1001(b) would further 
this goal to the same degree if the Commission were to adopt 
commenters' safe harbor suggestions (i.e., an SCI entity is deemed to 
be in compliance with Rule 1001(b) so long as: The SCI entity is not 
knowingly out of compliance; such non-compliance is not intentional, 
reckless, or in bad faith; or there is no pattern of non-compliance) 
because, with these suggested ``objective'' safe harbors, SCI entities 
may not be effectively incentivized to establish, maintain, and enforce 
reasonably designed policies and procedures to ensure systems 
compliance. Moreover, the Commission notes that Rule 1001(b) requires 
``reasonably designed'' policies and procedures, which already provides 
flexibility to SCI entities in complying with the rule. The Commission 
also emphasizes again that, while it is eliminating the safe harbor for 
SCI entities, the occurrence of a systems compliance issue may be 
probative, but is not determinative, of whether an SCI entity violated 
Regulation SCI. As noted above, an SCI entity would not be
deemed to be in violation of Rule 1001(b)(1) merely because it 
experienced a systems compliance issue. Further, the occurrence of a 
systems compliance issue also does not necessarily mean that the SCI 
entity will be subject to an enforcement action. Rather, the Commission 
will exercise its discretion to initiate an enforcement action if the 
Commission determines that action is warranted, based on the particular 
facts and circumstances of an individual situation.
---------------------------------------------------------------------------

    \671\ See supra notes 650-654 and accompanying text. As 
discussed above, some of these commenters suggested that the safe 
harbor should protect SCI entities from enforcement action except in 
cases of intentional or reckless non-compliance, or patterns of non-
compliance with Regulation SCI. See supra note 650 and accompanying 
text. As an alternative to the intentional and recklessness 
standard, one of these commenters requested that the Commission 
specifically state that the Commission will not pursue enforcement 
actions against SCI entities that establish, maintain, and enforce 
systems compliance policies and procedures or act in good faith, 
notwithstanding a violation of Regulation SCI. See supra note 651 
and accompanying text. One commenter noted that it should be 
sufficient for an SCI entity to qualify for the safe harbor if it 
adopts policies and procedures reasonably designed to comply with 
Regulation SCI and does not knowingly violate such policies and 
procedures. See supra note 654 and accompanying text.
---------------------------------------------------------------------------

    Further, as noted above, one commenter recommended that the 
Commission provide a safe harbor where no technology error or problem 
has occurred, but the policies and procedures might benefit from 
improvements.\672\ The Commission believes that there may be instances 
where an SCI entity's policies and procedures might benefit from 
improvement, even though they are reasonably designed. In such 
instances, the SCI entity is in compliance with Rule 1001(b) and 
therefore does not need a safe harbor. At the same time, the Commission 
notes that there may be instances where no technology error or problem 
has occurred, but an SCI entity's policies and procedures with regard 
to systems compliance might nonetheless be deficient and not satisfy 
the requirements of Rule 1001(b). The Commission does not believe that 
it would be appropriate to provide a safe harbor in these instances. As 
noted above, Rule 1001(b) is intended to help ensure that SCI entities 
operate their SCI systems in compliance with the Exchange Act and 
relevant rules. The Commission does not believe that a safe harbor that 
effectively insulates deficient policies and procedures will further 
the intent of this rule. Further, the Commission notes that one 
requirement of Rule 1001(b)(1) is that an SCI entity ``maintain'' its 
policies and procedures. To explicitly set forth an SCI entity's 
obligation to review and update its policies and procedures, similar to 
Rule 1001(a), the Commission is adopting a requirement for periodic 
review by an SCI entity of the effectiveness of its systems compliance 
policies and procedures, and prompt action by the SCI entity to remedy 
deficiencies in such policies and procedures.\673\ The Commission notes 
that an SCI entity will not be found to be in violation of this 
maintenance requirement solely because it failed to identify a 
deficiency immediately after the deficiency occurred, if the SCI entity 
takes prompt action to remedy the deficiency once it is discovered, and 
the SCI entity had otherwise appropriately reviewed the effectiveness 
of its policies and procedures and took prompt action to remedy those 
deficiencies that were discovered.
---------------------------------------------------------------------------

    \672\ See supra note 659 and accompanying text.
    \673\ See Rule 1001(b)(3). The adoption of this review and 
update requirement is consistent with the views of some commenters. 
See supra notes 620 and accompanying text (discussing a commenter's 
suggestion that policies and procedures should be reviewed and 
updated as part of the annual SCI review process) and 658 and 
accompanying text (discussing a commenter's suggestion that 
Regulation SCI should encourage parties to discover and remediate 
deficiencies in policies and procedures). The Commission notes that 
Rule 1001(b)(3) requires SCI entities to review and update their 
systems compliance policies and procedures rather than simply 
``encourage'' the discovery and remediation of deficiencies because, 
in order to achieve the intended benefits of Rule 1001(b), an SCI 
entity's systems compliance policies and procedures must remain 
reasonably designed. If the Commission simply encourages SCI 
entities to review and update their systems compliance policies and 
procedures, the Commission believes that there would be a greater 
likelihood that such policies and procedures might become outdated 
and less effective in preventing systems compliance issues.
---------------------------------------------------------------------------

    Finally, as noted above, one commenter believed that, without a 
safe harbor and a guarantee of immunity (such as the regulatory 
immunity of SROs), information provided to the Commission pursuant to 
Rule 1000(b)(4)(iv) would provide a roadmap for litigation. As 
discussed below in Section IV.B.3.c, the Commission acknowledges that, 
if an SCI entity experiences an SCI event, it could become the subject 
of litigation (including private civil litigation). At the same time, 
the Commission notes that the information submitted to the Commission 
pursuant to Regulation SCI will be treated as confidential, subject to 
applicable law.\674\ On the other hand, the Commission acknowledges 
that it could consider the information provided to the Commission 
pursuant to Rule 1002(b) in determining whether to initiate an 
enforcement action. The Commission notes that all SCI entities are 
required to comply with the Exchange Act, the rules and regulations 
thereunder, and their own rules and governing documents, as applicable, 
and the requirement for Commission notification of systems compliance 
issues is intended to assist the Commission in its oversight of such 
compliance. With respect to the regulatory immunity of SROs, the 
Commission notes that, although courts have found that SROs are 
entitled to absolute immunity from private claims under certain 
circumstances,\675\ if an SRO fails to comply with the provisions of 
the Exchange Act, the rules or regulations thereunder, or its own 
rules, the Commission is still authorized to impose sanctions.\676\ As 
such, like other SCI entities, SROs are not immune from Commission 
sanctions. Finally, as discussed in detail above, the Commission does 
not believe that it would be appropriate to provide a safe harbor for 
all problems that are self-reported to the Commission by SCI entities 
and individuals.
---------------------------------------------------------------------------

    \674\ The Commission notes that the General Instructions to Form 
SCI, Item G. Paperwork Reduction Act Disclosure, provides that the 
Commission ``will keep the information collected pursuant to Form 
SCI confidential to the extent permitted by law.'' See infra Section 
IV.C.2.
    \675\ The Commission notes that SRO immunity applies only under 
certain circumstances. In particular, ``when acting in its capacity 
as a SRO, [the SRO] is entitled to immunity from suit when it 
engages in conduct consistent with the quasi-governmental powers 
delegated to it pursuant to the Exchange Act and the regulations and 
rules promulgated thereunder.'' See DL Capital Group, LLC v. NASDAQ 
Stock Market, Inc., 409 F.3d 93, 97 (2d Cir. 2005) (quoting 
D'Alessio v. New York Stock Exchange, Inc., 258 F.3d 93, 106 (2d 
Cir. 2001)).
    \676\ See 15 U.S.C. 78s(g).
---------------------------------------------------------------------------

c. Minimum Elements of Reasonable Policies and Procedures
    The safe harbor for SCI entities in proposed Rule 1000(b)(2)(ii) 
specified that, to qualify for the safe harbor, the SCI entity's 
policies and procedures must be reasonably designed to provide for: (1) 
Testing of all SCI systems and any changes to such systems prior to 
implementation; (2) periodic testing of all SCI systems and any changes 
to such systems after their implementation; (3) a system of internal 
controls over changes to SCI systems; (4) ongoing monitoring of the 
functionality of SCI systems to detect whether they are operating in 
the manner intended; (5) assessments of SCI systems compliance 
performed by personnel familiar with applicable federal securities laws 
and rules and regulations thereunder and the SCI entity's rules and 
governing documents, as applicable; and (6) review by regulatory 
personnel of SCI systems design, changes, testing, and controls to 
prevent, detect, and address actions that do not comply with applicable 
federal securities laws and rules and regulations thereunder and the 
SCI entity's rules and governing documents, as applicable. In the SCI 
Proposal, the Commission asked whether each element of the proposed 
safe harbor for SCI entities was appropriate.\677\ Several commenters 
addressed one or more of the proposed safe harbor elements.
---------------------------------------------------------------------------

    \677\ See Proposing Release, supra note 13, at 18116-17.
---------------------------------------------------------------------------

    As discussed above, rather than adopting the proposed safe harbor 
for SCI entities, the Commission is specifying non-exhaustive, general

[[Page 72309]]

minimum elements that an SCI entity must include in its systems 
compliance policies and procedures. The minimum elements are based on 
the proposed safe harbor. These elements are: (i) Testing of all SCI 
systems and any changes to SCI systems prior to implementation; (ii) a 
system of internal controls over changes to SCI systems; (iii) a plan 
for assessments of the functionality of SCI systems designed to detect 
systems compliance issues, including by responsible SCI personnel and 
by personnel familiar with applicable provisions of the Act and the 
rules and regulations thereunder and the SCI entity's rules and 
governing documents; and (iv) a plan of coordination and communication 
between regulatory and other personnel of the SCI entity, including by 
responsible SCI personnel, regarding SCI systems design, changes, 
testing, and controls designed to detect and prevent systems compliance 
issues. Each of these elements is discussed below.
    As noted above, some commenters requested more guidance or 
certainty regarding the safe harbor elements (e.g., by including 
bright-line tests and minimum standards).\678\ As discussed above in 
Section IV.B.2.b, the Commission is not adopting a safe harbor but is 
specifying the minimum elements that an SCI entity must include in its 
systems compliance policies and procedures. By generally requiring 
policies and procedures to be reasonably designed and specifying non-
exhaustive, general minimum elements of systems compliance policies and 
procedures, the Commission intends to provide specificity on how to 
comply with Rule 1001(b), and at the same time provide a reasonable 
degree of flexibility to SCI entities in establishing and maintaining 
policies and procedures that are appropriately tailored to each SCI 
entity.
---------------------------------------------------------------------------

    \678\ See supra notes 645-647 and accompanying text.
---------------------------------------------------------------------------

    Regarding elements (1) and (2) of the proposed safe harbor, a few 
commenters opposed the inclusion of a requirement that an SCI entity 
conduct periodic testing of systems absent systems changes.\679\ One 
commenter stated that it performs testing prior to implementation of 
trading systems changes in the production environment and conducts 
regression testing to ensure that the changes did not introduce any 
undesired side-effects.\680\ This commenter explained that the proposed 
periodic testing requirement would impose additional cost and not 
provide any benefit.\681\ One commenter believed that the pre- and 
post-implementation testing components of the safe harbor, which would 
apply to all systems changes, could potentially drive SCI entities to 
take a narrow view of what constitutes a systems change.\682\ Another 
commenter sought further guidance from the Commission on the scope of 
periodic testing of all SCI systems and whether, for example, systems 
testing would be required following a systems change if the SCI entity 
has already provided notice of the systems change to the 
Commission.\683\ One commenter requested clarification that the testing 
described in proposed Rules 1000(b)(2)(ii)(A)(1) and (2) refers to 
testing to ensure that SCI systems operate in the manner intended, and 
noted that testing should not be required to be periodic, but instead 
should be based on the relative risks of non-compliance arising from 
any changes being introduced into production or any changes to the 
applicable laws or rules.\684\ One commenter stated that it believed 
that the frequency and type of testing under proposed Rules 
1000(b)(2)(ii)(A)(1) and (2) are open to interpretation.\685\
---------------------------------------------------------------------------

    \679\ See FINRA Letter at 33; BATS Letter at 7; and ISE Letter 
at 7.
    \680\ See ISE Letter at 7.
    \681\ See id. See also FINRA Letter at 33.
    \682\ See Direct Edge Letter at 6. This commenter expressed 
concern that, under the proposed approach, any opening of a customer 
port, the removal of access rights from a departing employee, and 
the previously unscheduled closing of the market for the death of a 
U.S. president all involve ``changes'' to SCI systems that need to 
be tracked, approved, and catalogued within the construct of an 
enterprise-wide change management system. See id. This commenter 
stated that these ``changes'' cannot all be tested, either prior to 
or after implementation, without an extraordinary amount of 
redundancy and bureaucracy, if at all. See id. This commenter 
therefore suggested requiring instead ``[a]ppropriate testing of 
[SCI] systems and changes to such systems prior to their 
implementation.'' See id.
    \683\ See OCC Letter at 11.
    \684\ See MSRB Letter at 13-14.
    \685\ See NYSE Letter at 30.
---------------------------------------------------------------------------

    After consideration of the views of commenters, the Commission 
believes that testing of SCI systems and changes to such systems prior 
to implementation is appropriate for inclusion as a required element of 
systems compliance policies and procedures. As noted in the SCI 
Proposal, elements (1) and (2) of the proposed safe harbor were 
intended to help SCI entities to identify potential problems before 
such problems have the ability to impact markets and investors.\686\ 
The Commission believes that testing prior to implementation of SCI 
systems and prior to implementation of any SCI systems changes would 
likely be an important component for achieving this goal and it is 
included as a required element of systems compliance policies and 
procedures.\687\ In contrast, the Commission believes that the value of 
the proposed element for additional testing in the absence of systems 
changes may be variable, depending on the SCI system or change to an 
SCI system at issue.\688\ At the same time, each SCI entity should 
consider on an ongoing basis what steps it needs to take in order to 
ensure that its policies and procedures are reasonably designed, 
including whether its policies and procedures should provide for 
testing of certain systems changes after their implementation to ensure 
that they operate in compliance with the Exchange Act and relevant 
rules.
---------------------------------------------------------------------------

    \686\ See Proposing Release, supra note 13, at 18115.
    \687\ With respect to a commenter's concern that ``changes'' to 
SCI systems could include, for example, any opening of a customer 
port, the removal of access rights from a departing employee, and 
the previously unscheduled closing of the market for the death of a 
U.S. president, the Commission does not view these as changes to an 
SCI entity's systems, because the Commission believes that these 
actions are part of an SCI entity's standard operations. See supra 
note 682. In particular, the Commission believes that the opening of 
a customer port, the removal of access rights, and the closing of 
the market are existing functionalities at SCI entities, and are 
routinely performed by SCI entities without the need to change 
existing functionalities.
    \688\ See supra notes 681-682 and accompanying text. The 
Commission notes that a commenter asked about the scope of periodic 
testing under the proposed safe harbor, and whether systems testing 
under the proposed safe harbor would be required following a systems 
change if the SCI entity has already provided notice of the systems 
change to the Commission. Another commenter noted that testing under 
the proposed safe harbor should not be required to be periodic, but 
instead could be based on the relative risks of non-compliance 
arising from any changes being introduced into production or any 
changes to applicable laws or rules. The Commission is not requiring 
periodic testing or testing following systems changes in Rule 
1001(b), and, as discussed above, the Commission is not adopting the 
proposed safe harbor.
---------------------------------------------------------------------------

    With regard to element (3) of the proposed safe harbor, one 
commenter stated that it is unclear what minimum standards are required 
for the internal controls under proposed Rule 
1000(b)(2)(ii)(A)(3).\689\ As discussed above, the Commission believes 
it is appropriate to set forth minimum elements of systems compliance 
policies and procedures that are broad enough to provide SCI entities 
with reasonable flexibility to design their policies and procedures 
based on the nature, size, technology, business model, and other 
aspects of their businesses. Therefore, while the Commission believes 
that a system of internal controls over changes to SCI systems is 
appropriate for inclusion as a required element of systems compliance 
policies and

[[Page 72310]]

procedures, the Commission is not specifying the minimum standard for 
internal controls. As stated in the SCI Proposal, a system of internal 
controls and ongoing monitoring of systems functionality are intended 
to help ensure that an SCI entity adopts a framework that will help it 
bring newer, faster, and more innovative SCI systems online without 
compromising due care, and to help prevent SCI systems from becoming 
noncompliant resulting from, for example, inattention or failure to 
review compliance with established written policies and procedures. The 
Commission believes that such internal controls would likely include, 
for example, protocols that provide for: Communication and cooperation 
between legal, business, technology, and compliance departments in an 
SCI entity; appropriate authorization of systems changes by relevant 
departments of the SCI entity prior to implementation; review of 
systems changes by legal or compliance departments prior to 
implementation; and monitoring of systems changes after implementation.
---------------------------------------------------------------------------

    \689\ See NYSE Letter at 30.
---------------------------------------------------------------------------

    With regard to elements (4)-(6) of the proposed safe harbor, one 
commenter noted that the proposed requirement related to ongoing 
monitoring was too broad and should be eliminated or revised to be more 
flexible.\690\ This commenter noted that the proposal for ``monitoring 
of the functionality of [SCI] systems to detect whether they are 
operating in the manner intended'' is potentially quite broad and seems 
to suggest some form of independent validation.\691\ Another commenter 
asked the Commission to clarify how the testing requirements in 
proposed Rules 1000(b)(2)(ii)(1) and (2) (testing prior to and after 
implementation) differ from those in proposed Rule 1000(b)(2)(ii)(A)(5) 
(assessments of systems compliance by personnel familiar with 
applicable laws and rules).\692\ One commenter noted that the 
monitoring, assessments, and reviews under proposed Rules 
1000(b)(2)(ii)(A)(4), (5), and (6) are unclear.\693\ Two commenters 
sought guidance on how an SCI entity could satisfy the requirements 
related to reviews and assessments by legal and compliance personnel 
(i.e., proposed Rules 1000(b)(2)(ii)(A)(5) and (6)).\694\ One of these 
commenters suggested that each SCI entity be given the discretion to 
determine the level of familiarity necessary to qualify as personnel 
able to undertake the assessments and which personnel are regulatory 
personnel, and asked whether these two categories of personnel are 
different.\695\ Another commenter also sought clarification on the 
meaning of the term ``regulatory personnel'' and suggested that each 
SCI entity should have discretion in determining which of its employees 
constitute regulatory personnel.\696\ One commenter expressed concern 
that review by regulatory personnel of SCI systems would unreasonably 
expose non-technology persons to potential liability if an SCI entity 
suffers a malfunction.\697\
---------------------------------------------------------------------------

    \690\ See FINRA Letter at 33-34.
    \691\ See id.
    \692\ See MSRB Letter at 13.
    \693\ See NYSE Letter at 30.
    \694\ See FINRA Letter at 34-35; and MSRB Letter at 13.
    \695\ See MSRB Letter at 13-14.
    \696\ See OCC Letter at 11. See also FINRA Letter at 34-35 
(requesting more guidance on which types of personnel are intended 
to fulfill the requirements of proposed Rules 1000(b)(2)(ii)(A)(5) 
and (6)).
    \697\ See ITG Letter at 14.
---------------------------------------------------------------------------

    After consideration of the views of commenters, the Commission 
believes that ``a plan for assessments of the functionality of SCI 
systems designed to detect systems compliance issues, including by 
responsible SCI personnel and by personnel familiar with applicable 
provisions of the Act and the rules and regulations thereunder and the 
SCI entity's rules and governing documents'' is appropriate for 
inclusion as a required element of systems compliance policies and 
procedures. In particular, rather than ``ongoing monitoring of the 
functionality of [SCI] systems to detect whether they are operating in 
the manner intended'' and also ``assessments of SCI systems compliance 
. . . ,'' the Commission believes that ``a plan for assessments'' of 
SCI systems compliance would be more appropriate.\698\ The Commission 
notes that ``a plan for assessments'' could include, for example, not 
only a plan for monitoring, but also a plan for testing or assessments, 
as appropriate, and at a frequency (e.g., periodic or continuous) that 
is based on the SCI entity's risk assessment of each of its SCI 
systems.\699\ The Commission is not specifying the manner and frequency 
of assessments that must be set forth in such plan because the 
Commission believes that each SCI entity will likely be in the best 
position to assess and determine the assessment plan that is most 
appropriate for its SCI systems. The Commission emphasizes that the 
nature and frequency of the assessments contemplated by an SCI entity's 
plan will vary based on a range of factors, including the entity's 
governance structure, business lines, and legal and compliance 
framework. The plan for assessments does not require the SCI entity to 
conduct a specific kind of assessment, nor does it require that 
assessments be performed at a certain frequency. The plan, however, may 
address the specific reviews required by Rule 1003(b)(1).
---------------------------------------------------------------------------

    \698\ The Commission notes that ``a plan for assessments'' is 
derived from a combination of the ``ongoing monitoring'' and 
``assessments'' elements of the proposed SCI entity safe harbor. 
Because ``a plan for assessments'' could provide for ongoing (i.e., 
periodic or continuous) monitoring, the Commission believes that it 
would be duplicative to include both monitoring and a plan for 
assessments as required elements of systems compliance policies and 
procedures.
    \699\ See supra note 690 and accompanying text (discussing the 
view of a commenter that the proposed element of the SCI entity safe 
harbor related to ongoing monitoring was too broad and should be 
eliminated or revised to be more flexible) and supra note 694 and 
accompanying text (discussing comments seeking guidance on how an 
SCI entity could satisfy the requirements related to reviews and 
assessments by legal and compliance personnel). Further, in response 
to a commenter, a plan for assessments is different from the testing 
of SCI systems prior to implementation of systems changes. See supra 
note 692 and accompanying text.
---------------------------------------------------------------------------

    In addition, in response to a commenter's concern that the proposed 
safe harbor element of ``monitoring of the functionality of [SCI] 
systems to detect whether they are operating in the manner intended'' 
is potentially quite broad and seems to suggest some form of 
independent validation, the Commission notes that it is not requiring 
SCI entities to include independent validation in their assessment 
plans.\700\ However, if an SCI entity determines that its reasonably 
designed systems compliance policies and procedures should provide for 
independent validation in its assessment plan under certain 
circumstances, then the SCI entity should design its policies and 
procedures accordingly. In that case, pursuant to Rule 1001(b), which 
requires an SCI entity to establish, maintain, and enforce its written 
policies and procedures, the SCI entity would be required to enforce 
its own policies and procedures, including those related to independent 
validation.
---------------------------------------------------------------------------

    \700\ See supra note 691 and accompanying text.
---------------------------------------------------------------------------

    In addition, the Commission believes that ``a plan of coordination 
and communication between regulatory and other personnel of the SCI 
entity, including by responsible SCI personnel, regarding SCI systems 
design, changes, testing, and controls designed to detect and prevent 
systems compliance issues'' is appropriate for inclusion as a required 
element of systems compliance policies and procedures. As noted in the 
SCI Proposal, assessments of SCI systems compliance by personnel 
familiar with applicable laws and rules

[[Page 72311]]

and regulatory personnel review of SCI systems design, changes, 
testing, and controls are intended to help foster coordination between 
the information technology and regulatory staff of an SCI entity so 
that SCI events and other issues related to SCI systems would be more 
likely to be addressed by a team of staff in possession of the 
requisite range of knowledge and skills.\701\ They are also intended to 
help ensure that an SCI entity's business interests do not undermine 
regulatory, surveillance, and compliance functions and, more broadly, 
the requirements of the Exchange Act, during the development, testing, 
implementation, and operation processes for SCI systems.\702\ The 
Commission believes that a plan of coordination and communication 
between regulatory and other personnel, including by responsible SCI 
personnel, would further these same goals.
---------------------------------------------------------------------------

    \701\ See Proposing Release, supra note 13, at 18116.
    \702\ For example, profit incentive could lead an SCI entity to 
introduce a new functionality before regulatory personnel are able 
to adequately check that the functionality will operate in 
compliance with relevant laws and rules.
---------------------------------------------------------------------------

    The Commission expects that an SCI entity will determine for itself 
the responsible SCI personnel and other personnel who have sufficient 
knowledge of relevant laws and rules to be able to effectively 
implement systems assessments,\703\ such that the SCI entity's policies 
and procedures are reasonably designed to ensure that SCI systems 
operate in compliance with the Exchange Act and relevant rules, as 
required by Rule 1001(b).\704\ Similarly, the Commission expects that 
an SCI entity will determine for itself the regulatory and other 
personnel, including responsible SCI personnel, who have sufficient 
knowledge with respect to the legal and technical aspects of systems 
design, changes, testing, and controls to engage in coordination and 
communication regarding such operations, such that the SCI entity's 
policies and procedures are reasonably designed to ensure that its SCI 
systems operate in compliance with the Exchange Act and relevant rules, 
as required by Rule 1001(b).\705\
---------------------------------------------------------------------------

    \703\ See supra notes 694-696 and accompanying text (describing 
comments on the proposed safe harbor related to who would be 
involved in systems assessments).
    \704\ Criteria for identification of such personnel could, for 
example, be set forth in the SCI entity's systems compliance 
policies and procedures.
    \705\ Some commenters expressed concern regarding the potential 
liability for regulatory personnel. See supra note 697 and 
accompanying text. The Commission discusses individual liability in 
Section IV.B.2.d below.
---------------------------------------------------------------------------

    One commenter sought clarity on how an SCI entity would satisfy the 
requirement that it does ``not have reasonable cause to believe the 
policies and procedures were not being complied with.'' \706\ Another 
commenter stated that there is no guidance for SCI entities on how to 
appropriately follow the procedures that they have developed and stated 
that as proposed, it would be reasonable to interpret the safe harbor 
as excluding any SCI entity that suffers a significant systems 
event.\707\ One commenter believed that the Commission should resolve 
any potential ambiguity between the requirements of proposed Rule 
1000(b)(2)(ii)(C)(1) (requiring SCI entities to reasonably discharge 
the duties and obligations set forth in the policies and procedures) 
and proposed Rule 1000(b)(2)(ii)(C)(2) (requiring that SCI entities not 
have reasonable cause to believe such policies and procedures were not 
being complied with).\708\ As discussed throughout this section, the 
Commission is not adopting the proposed safe harbor for SCI entities. 
Therefore, as adopted, Rule 1001(b) does not include the provisions of 
proposed Rules 1000(b)(2)(ii)(B) and (C). Further, the Commission 
believes that proposed Rules 1000(b)(2)(ii)(B) and (C) reiterated the 
requirements for SCI entities to establish, maintain, and enforce their 
systems compliance policies and procedures, and provided an example of 
how SCI entities could satisfy these requirements. For example, the SCI 
Proposal noted that proposed Rules 1000(b)(2)(ii)(B) and (C) specified 
that an SCI entity's policies and procedures must be reasonably 
designed to achieve SCI systems compliance, and that, as part of such 
policies and procedures, the SCI entity must establish and maintain 
systems for applying those policies and procedures, and enforce its 
policies and procedures, in a manner that would reasonably allow it to 
prevent and detect violations of the policies and procedures.\709\ The 
Commission believes that Rule 1001(b), as adopted, provides flexibility 
to SCI entities regarding their methods for establishing, maintaining, 
and enforcing their systems compliance policies and procedures.
---------------------------------------------------------------------------

    \706\ See FINRA Letter at 35.
    \707\ See OTC Markets Letter at 15.
    \708\ See MSRB Letter at 13-15.
    \709\ See Proposing Release, supra note 13, at 18116.
---------------------------------------------------------------------------

d. Individual Safe Harbor
    Proposed Rule 1000(b)(2)(iii) set forth a safe harbor for 
individuals. It provided that a person employed by an SCI entity would 
be deemed not to have aided, abetted, counseled, commanded, caused, 
induced, or procured the violation by any other person of proposed Rule 
1000(b)(2)(i) if the person employed by the SCI entity has reasonably 
discharged the duties and obligations incumbent upon such person by the 
policies and procedures, and was without reasonable cause to believe 
that such policies and procedures were not being complied with in any 
material respect.
    In the SCI Proposal, the Commission asked whether commenters agreed 
with the requirements of the proposed safe harbor for employees of SCI 
entities, and whether a similar safe harbor should be available to 
individuals other than employees of SCI entities.\710\ Some commenters 
specifically addressed the proposed safe harbor for individuals.\711\ 
Several commenters urged that individuals not be subject to liability 
under Regulation SCI absent an intentional act of willful 
misconduct.\712\ Two commenters questioned the need for a safe harbor 
for individuals generally,\713\ and one commenter stated

[[Page 72312]]

that inclusion of a safe harbor would unnecessarily and severely limit 
the Commission's ability to deter violations through meaningful 
enforcement actions.\714\ Two commenters questioned why the proposed 
safe harbor for individuals was limited to SCI entity employees.\715\ 
One commenter expressed concern that the proposed safe harbor for 
individuals could be counterproductive and create an environment of 
second-guessing and distrust, where employees act in a way to avoid 
potential liability (i.e., each person would be effectively deputized 
to police others' actions).\716\ A few commenters added that the 
proposed safe harbor for individuals, and the resulting implication of 
potential individual liability, may have the unintended consequence of 
limiting the ability of SCI entities to hire the best available talent 
in information technology, risk-management, and compliance 
disciplines.\717\ One commenter questioned why the proposed safe harbor 
for individuals would apply only to actions of aiding any other person 
and not apply to any actions of the reporting individual.\718\
---------------------------------------------------------------------------

    \710\ See id. at 18117, question 103.
    \711\ See, e.g., Angel Letter; Direct Edge Letter; FINRA Letter; 
FSR Letter; and MSRB Letter.
    \712\ See Direct Edge Letter at 6; and MSRB Letter at 17. See 
also supra notes 650 and 654 and accompanying text (discussing 
comments suggesting individual safe harbors). One commenter 
suggested that the safe harbor should provide that a person employed 
by an SCI entity shall be deemed not to have aided, abetted, 
counseled, commanded, caused, induced, or procured the violation by 
any other person unless such violation directly or indirectly 
relates to the duties and obligations of such person under the 
policies and procedures described in Rule 1000(b)(2)(i) and such 
person: (A) Has not reasonably discharged the applicable duty or 
obligation under such policies and procedures; (B) was not directed 
by his or her supervisor, SCI entity legal counsel, SCI senior 
management, or the governing body of the SCI entity to act in a 
manner that would constitute such a failure to discharge such duty 
or obligation; and (C) acted recklessly or intentionally with 
respect to such failure to discharge such duty or obligation. See 
MSRB Letter at 17. The Commission believes that elements (A) and (B) 
of this commenter's suggestion are consistent with the adopted 
individual safe harbor. In particular, the Commission notes that the 
safe harbor specifies that an individual must have reasonably 
discharged the duties and obligations incumbent upon such person by 
the SCI entity's policies and procedures. The Commission believes 
that there can be instances where a person has reasonably discharged 
his or her duties and obligations under the SCI entity's policies 
and procedures, even though such person was directed by his or her 
supervisor, SCI entity legal counsel, SCI entity senior management, 
or the governing body of the SCI entity to act in a manner that is 
inconsistent with his or her duties that are set forth in the policies 
and procedures. For example, the SCI entity's reasonably designed 
policies and procedures could specifically set forth circumstances 
where certain personnel of the SCI entity may direct another person 
to act outside of his or her duties or obligations that are set 
forth in the policies and procedures.
    \713\ See FINRA Letter at 35; and FSR Letter at 3-8 (stating 
that the proposed rule lacks clarity over why individuals need a 
safe harbor when the policies and procedures requirement is placed 
exclusively on SCI entities, and lacks clarity regarding to whom SCI 
entities or SCI personnel would be liable for a breach and how 
liability would be apportioned between market participants for an 
SCI event). See also MSRB Letter at 15 (seeking further 
clarification from the Commission regarding the nature of the 
potential liabilities faced by individuals).
    \714\ See Better Markets Letter at 6.
    \715\ See FINRA Letter at 35; and MSRB Letter at 17. These 
commenters suggested extending the safe harbor to contractors, 
consultants, and other non-employees used by SCI entities in 
connection with their SCI systems. See FINRA Letter at 35; and MSRB 
Letter at 17.
    \716\ See MSRB Letter at 15-17.
    \717\ See Direct Edge Letter at 6; and MSRB Letter at 17.
    \718\ See Angel Letter at 4.
---------------------------------------------------------------------------

    After careful consideration of these comments, the Commission is 
adopting the individual safe harbor with certain modifications. With 
respect to the commenter who expressed concern that a safe harbor would 
``unnecessarily and severely'' limit the Commission's ability to deter 
violations through meaningful enforcement actions,\719\ the Commission 
notes that Regulation SCI only imposes obligations directly on SCI 
entities and the Commission is not adopting a safe harbor for SCI 
entities. Further, personnel of SCI entities qualify for the individual 
safe harbor under Rule 1001(b) only if they satisfy certain 
requirements.\720\ In particular, in connection with a Commission 
finding that an SCI entity violated Rule 1001(b), the individual safe 
harbor will not apply if an SCI entity personnel failed to reasonably 
discharge his or her duties and obligations under the policies and 
procedures. In addition, for an SCI entity personnel who is responsible 
for or has supervisory responsibility over an SCI system, the 
individual safe harbor also will not apply if he or she had reasonable 
cause to believe that the policies and procedures related to such an 
SCI system were not in compliance with Rule 1001(b) in any material 
respect. Therefore, the Commission does not believe that the individual 
safe harbor will ``unnecessarily and severely'' limit the Commission's 
ability to deter violations.
---------------------------------------------------------------------------

    \719\ See supra note 714 and accompanying text.
    \720\ As discussed below in this section, the Commission is 
extending the safe harbor to all personnel of an SCI entity, rather 
than only persons employed by an SCI entity, as proposed.
---------------------------------------------------------------------------

    With respect to commenters who questioned the need for an 
individual safe harbor because Rule 1001(b) imposes an obligation on 
SCI entities,\721\ the Commission agrees that Regulation SCI imposes 
direct obligations on SCI entities, and does not impose obligations 
directly on personnel of SCI entities. At the same time, as with all 
other violations of the Exchange Act and rules that impose obligations 
on an entity, there is a potential for secondary liability for an 
individual who aided and abetted or caused a violation. The Commission 
is therefore revising the individual safe harbor to clarify that 
personnel of an SCI entity shall be deemed not to have aided, abetted, 
counseled, commanded, caused, induced, or procured the violation by 
``an SCI entity'' (rather than ``any other person'') of Rule 1001(b) if 
the elements of the safe harbor are satisfied.
---------------------------------------------------------------------------

    \721\ See supra note 713 and accompanying text.
---------------------------------------------------------------------------

    As noted above, one commenter questioned why the proposed safe 
harbor for individuals would only apply to actions of aiding another 
and not apply to any direct violative action of the reporting 
individual.\722\ The Commission notes that the individual safe harbor 
only applies to actions of aiding, abetting, counseling, commanding, 
causing, inducing, or procuring the violation by an SCI entity because 
Regulation SCI does not impose any direct obligations on personnel of 
SCI entities. Therefore, individuals could not be found to be in 
violation of Regulation SCI, except through aiding, abetting, 
counseling, commanding, causing, inducing, or procuring the violation 
by an SCI entity of Regulation SCI.
---------------------------------------------------------------------------

    \722\ See supra note 718 and accompanying text.
---------------------------------------------------------------------------

    With respect to commenters who suggested extending the individual 
safe harbor to contractors, consultants, and other non-employees used 
by SCI entities in connection with their SCI systems,\723\ the 
Commission agrees with these comments and is extending the safe harbor 
to all ``personnel of an SCI entity,'' rather than only persons 
employed by an SCI entity, as was proposed. Specifically, the 
Commission believes that contractors, consultants, and other similar 
non-employees may act in a capacity similar to an SCI entity's 
employees, and thus should be able to avail themselves of the 
individual safe harbor if they satisfy its requirements.
---------------------------------------------------------------------------

    \723\ See supra note 715 and accompanying text.
---------------------------------------------------------------------------

    To be covered by the individual safe harbor, for which the 
individual has the burden of proof, personnel of an SCI entity must: 
(i) Have reasonably discharged the duties and obligations incumbent 
upon such person by the SCI entity's policies and procedures; and (ii) 
be without reasonable cause to believe that the policies and procedures 
relating to an SCI system for which such person was responsible, or had 
supervisory responsibility, were not established, maintained, or 
enforced in accordance with Rule 1001(b) in any material respect. 
Element (i) of the adopted individual safe harbor is substantively 
unchanged from the proposal. For the reasons discussed below in this 
section, element (ii) of the adopted individual safe harbor specifies 
that it applies only to a person who is responsible for or has 
supervisory responsibility over an SCI system. In addition, rather than 
requiring an individual to be without reasonable cause to believe that 
systems compliance policies and procedures ``were not being complied 
with in any material respect'' as proposed, element (ii) of the adopted 
safe harbor requires the applicable personnel to be without reasonable 
cause to believe that the relevant systems compliance policies and 
procedures ``were not established, maintained, or enforced'' in 
accordance with Rule 1001(b) in any material respect. The Commission 
notes that element (ii) of the adopted safe harbor tracks the language 
of the general requirement under Rule 1001(b) that an SCI entity 
``establish, maintain, and enforce'' written policies and procedures 
reasonably designed to ensure systems compliance, and appropriately 
reflects the responsibilities of a person who is responsible for or has 
supervisory responsibility over an SCI system.\724\
---------------------------------------------------------------------------

    \724\ As noted below, the Commission believes it is appropriate 
in the context of the safe harbor that, if a person with 
responsibility over an SCI system becomes aware of potential 
material non-compliance of the SCI entity's policies and procedures 
related to that system, such person should take action to review and 
address, or direct other personnel to review and address, such 
material non-compliance.

---------------------------------------------------------------------------

[[Page 72313]]

    The Commission believes that it is appropriate to not provide a 
safe harbor to a person with responsibility over an SCI system if such 
person had reasonable cause to believe that the policies and procedures 
for such system were not established, maintained, or enforced as 
required by Rule 1001(b) in a material respect. The limited application 
of this element to such personnel (rather than to any person employed 
by an SCI entity as proposed) is intended to mitigate commenters' 
concerns that the proposed safe harbor would create an environment of 
distrust and limit the ability of SCI entities to hire high quality 
personnel.\725\ In particular, personnel who are not responsible for 
and do not have supervisory responsibility over SCI systems can qualify 
for the individual safe harbor, regardless of their belief regarding 
the reasonableness of the SCI entity's systems compliance policies and 
procedures. Therefore, such personnel would not be ``deputized to 
police'' the actions of other personnel, as a commenter believed they 
would.\726\ Further, with respect to personnel who are responsible for 
or have supervisory responsibility over an SCI system, such personnel 
likely already have the responsibility to supervise others' activities 
related to that SCI system, which would provide such personnel with 
information to form a reasonable belief regarding the reasonableness of 
the policies and procedures. Because Rule 1001(b) is intended to help 
prevent the occurrence of systems compliance issues at SCI entities, 
the Commission believes that it is appropriate for supervisory 
personnel to be knowledgeable regarding the entity's policies and 
procedures regarding systems compliance, which may be accomplished 
through training provided by the SCI entity. Moreover, the Commission 
believes it is appropriate in the context of the safe harbor that, if a 
person with responsibility over an SCI system becomes aware of 
potential material non-compliance of the SCI entity's policies and 
procedures related to that system, such person should take action to 
review and address, or direct other personnel to review and address, 
such material non-compliance. Finally, to further mitigate commenters' 
concern that potential individual liability may limit the hiring 
ability of SCI entities,\727\ as noted above, personnel of an SCI 
entity will not be deemed to have aided, abetted, counseled, commanded, 
caused, induced, or procured the violation by an SCI entity of 
Regulation SCI merely because the SCI entity experienced a systems 
compliance issue, whether or not the person was able to take advantage 
of the individual safe harbor.
---------------------------------------------------------------------------

    \725\ See supra notes 716-717 and accompanying text.
    \726\ See supra note 716 and accompanying text.
    \727\ See supra note 717 and accompanying text.
---------------------------------------------------------------------------

    As noted above, with respect to a personnel of an SCI entity who is 
not responsible for and does not have supervisory responsibility over 
SCI systems, the safe harbor provides that such personnel shall be 
deemed not to have aided, abetted, counseled, commanded, caused, 
induced, or procured the violation by an SCI entity of Rule 1001(b) if 
such person has reasonably discharged the duties and obligations 
incumbent upon him or her by the systems compliance policies and 
procedures. Therefore, unlike personnel who are responsible for or have 
supervisory responsibility over SCI systems, these persons would not be 
liable even if the SCI entity itself did not have reasonably designed 
systems compliance policies and procedures or did not enforce its 
policies and procedures, as long as they discharged their duties and 
obligations under the policies and procedures in a reasonable 
manner.\728\ The Commission believes this safe harbor is appropriate 
because the persons who will seek to rely on this safe harbor are those 
who do not have responsibility for the establishment, maintenance, and 
enforcement of the policies and procedures, or the actions of other 
personnel of the SCI entity.
---------------------------------------------------------------------------

    \728\ The Commission believes that, in order for a person to 
reasonably discharge his duties and obligations under the SCI 
entity's policies and procedures, that person must be able to 
understand his duties and obligations under such policies and 
procedures, which may be accomplished through training provided by 
the SCI entity.
---------------------------------------------------------------------------

    With respect to commenters who argued that individuals should not 
be subject to liability under Regulation SCI absent an intentional act 
of willful misconduct,\729\ the Commission notes again that Regulation 
SCI imposes direct obligations only on SCI entities, and not on 
individuals. However, as with all other violations of provisions of the 
Exchange Act and rules that impose obligations on an entity, there is a 
potential for secondary liability for an individual who aided and 
abetted or caused a violation. As discussed above in the context of SCI 
entities, all SCI entities are required to comply with the Exchange 
Act, the rules and regulations thereunder, and their own rules and 
governing documents, as applicable, and the purpose of Rule 1001(b) is 
to effectively help ensure compliance of the operation of SCI systems 
with the Exchange Act, the rules and regulations thereunder, and their 
own rules and governing documents. The Commission does not believe that 
the rule would further this goal to the same degree if the Commission 
adopts commenters' suggestions for the individual safe harbor (i.e., 
personnel of an SCI entity are permitted to cause an SCI entity to be 
out of compliance with Rule 1001(b) so long as the personnel did not 
act intentionally or willfully).
---------------------------------------------------------------------------

    \729\ See supra note 712 and accompanying text.
---------------------------------------------------------------------------

3. SCI Events: Corrective Action; Commission Notification; 
Dissemination of Information--Rule 1002
    Adopted Rule 1002, which corresponds to proposed Rules 1000(b)(3)-
(5), requires an SCI entity to take corrective action, notify the 
Commission, and disseminate information regarding certain SCI events.
a. Triggering Standard
    As proposed, the obligation of an SCI entity to take corrective 
action (proposed Rule 1000(b)(3)), notify the Commission (proposed Rule 
1000(b)(4)), and disseminate information (proposed Rule 1000(b)(5)) 
would have been triggered upon ``any responsible SCI personnel becoming 
aware of'' an SCI event.\730\ Proposed Rule 1000(a) defined 
``responsible SCI personnel'' to mean, for a particular SCI system or 
SCI security system impacted by an SCI event, any personnel, whether an 
employee or agent, of an SCI entity having responsibility for such 
system.\731\ In the SCI Proposal, the Commission noted that this 
proposed definition was intended to include any personnel of the SCI 
entity having responsibility for the specific system(s) impacted by a 
given SCI event.\732\ The Commission stated that such personnel would 
include any technology, business, or operations staff with 
responsibility for such systems, and with respect to systems compliance 
issues, any regulatory, legal, or compliance personnel with legal or 
compliance responsibility for such systems.\733\ The Commission also

[[Page 72314]]

explained that ``responsible SCI personnel'' would not be limited to 
managerial or senior-level employees of the SCI entity and could 
include junior personnel with responsibility for a particular 
system.\734\
---------------------------------------------------------------------------

    \730\ See proposed Rules 1000(b)(3), 1000(b)(4)(i)-(ii), and 
1000(b)(5)(i)-(ii).
    \731\ See proposed Rule 1000(a) and Proposing Release, supra 
note 13, at Section III.C.3.a.
    \732\ See Proposing Release, supra note 13, at 18118.
    \733\ See id.
    \734\ See id.
---------------------------------------------------------------------------

    After considering the views of commenters, the Commission is 
modifying the proposed standard for triggering corrective action, 
Commission notification, and dissemination of information obligations 
in adopted Rule 1002, including by amending the definition of 
responsible SCI personnel, as discussed below.
Responsible SCI Personnel
    Many commenters expressed concern that the proposed definition of 
responsible SCI personnel was too broad.\735\ These commenters 
generally urged the Commission to revise the scope of the definition to 
cover only those employees in management or supervisory roles that have 
responsibility over an SCI system, rather than including relatively 
junior or inexperienced employees.\736\ Some of these commenters stated 
that junior employees and/or technology personnel may not have the 
training or breadth of knowledge or experience necessary to identify, 
analyze, and determine whether a systems issue is an SCI event under 
the rule.\737\ Similarly, one commenter advocated limiting responsible 
SCI personnel to employees with full knowledge and authority over a 
system.\738\ Some commenters also suggested that SCI entities should 
have the discretion to decide which employees are responsible SCI 
personnel.\739\
---------------------------------------------------------------------------

    \735\ See, e.g., Omgeo Letter at 13; MSRB Letter at 6; BATS 
Letter at 8; Liquidnet Letter at 3; CME Letter at 7; OCC Letter at 
12; Joint SROs Letter at 12; FINRA Letter at 25-26; and OTC Markets 
Letter at 19. See also NYSE Letter at 19 (stating that the proposed 
definition was too vague and suggesting an alternative approach). 
See also infra note 761 and accompanying text.
    \736\ See, e.g., Omgeo Letter at 13; MSRB Letter at 6, 18; NYSE 
Letter at 19; BATS Letter at 8; Liquidnet Letter at 3; CME Letter at 
7; OCC Letter at 12; Joint SROs Letter at 12; FINRA Letter at 25-26; 
and OTC Markets Letter at 19. Similarly, with regard to the 
Commission notification requirement in proposed Rule 1000(b)(4), one 
commenter stated that the obligation to notify the Commission should 
only be triggered when the responsible SCI personnel notifies the 
officer or senior staff responsible for the SCI system or systems 
generally. See DTCC Letter at 9.
    \737\ See, e.g., OCC Letter at 12; FINRA Letter at 25-26; and 
OTC Markets Letter at 19.
    \738\ See FIF Letter at 3, 5.
    \739\ See, e.g., Liquidnet Letter at 3; NYSE Letter at 19; and 
Joint SROs Letter at 12.
---------------------------------------------------------------------------

    Similarly, several commenters emphasized the importance of 
escalation policies and procedures, pursuant to which technology staff 
or junior employees could assess a systems problem and escalate the 
issue up the chain of command to management as well as legal and/or 
compliance personnel, who will help determine whether a systems issue 
was an SCI event and whether the obligations under Regulation SCI are 
triggered.\740\ These commenters argued that the rule should allow 
entities to adopt and follow such escalation procedures rather than 
triggering the obligations under Regulation SCI upon one employee's 
awareness of a systems issue.\741\ One commenter also asserted that 
limiting the definition of responsible SCI personnel would be 
appropriate if the Commission also required a robust escalation 
procedure.\742\
---------------------------------------------------------------------------

    \740\ See, e.g., OCC Letter at 12; FINRA Letter at 25-26; Omgeo 
Letter at 13; FIF Letter at 5; and NYSE Letter at 19-20.
    \741\ See, e.g., OCC Letter at 12; FINRA Letter at 25-26; Omgeo 
Letter at 13; FIF Letter at 5; and NYSE Letter at 19-20.
    \742\ See FIF Letter at 5.
---------------------------------------------------------------------------

    Some commenters also expressed concern about the potential 
liability that responsible SCI personnel could face if the rule were 
adopted as proposed, given the breadth of the definition of 
``responsible SCI personnel.'' \743\ Specifically, commenters asserted 
that, as a result of including junior and information technology 
personnel within the definition and the potential liability of such 
individuals, the proposed provision would make it more difficult for 
SCI entities to attract and retain high quality information technology 
employees.\744\ Another commenter noted that responsible operations or 
technical personnel may not be in a position to make legal 
determinations about when a compliance issue has arisen.\745\
---------------------------------------------------------------------------

    \743\ See, e.g., NYSE Letter at 19; BATS Letter at 8; Joint SROs 
Letter at 13; and OTC Markets Letter at 18. See also supra note 717.
    \744\ See, e.g., NYSE Letter at 19; BATS Letter at 8; Joint SROs 
Letter at 13; and OTC Markets Letter at 18. These commenters 
therefore recommended that the definition include only senior 
personnel who would more appropriately be responsible for making a 
determination as to whether an SCI event had occurred given their 
knowledge and authority.
    \745\ See Omgeo Letter at 13.
---------------------------------------------------------------------------

    After consideration of the views of commenters, the Commission has 
revised the term ``responsible SCI personnel'' to mean, ``for a 
particular SCI system or indirect SCI system impacted by an SCI event, 
such senior manager(s) of the SCI entity having responsibility for such 
system, and their designee(s).'' \746\ The Commission agrees that the 
proposed definition of responsible SCI personnel was broad and, 
consistent with the views of some commenters, believes that it is 
appropriate to instead focus the adopted definition on senior personnel 
of SCI entities that have responsibility for a particular system.\747\ 
The Commission believes that adopting a more focused definition of 
responsible SCI personnel to include only senior managers having 
responsibility for a given system (and their designees) addresses 
commenters' concerns that the obligations of the rule could have been 
triggered upon the awareness of junior or inexperienced employees who 
lack the knowledge or experience to be able to make a determination 
regarding whether an SCI event had, in fact, occurred.\748\ The 
Commission believes that the revised definition is a better approach 
than the proposed definition because, consistent with suggestions from 
some commenters, it will appropriately allow SCI entities to adopt 
procedures that would require personnel of an SCI entity to escalate a 
systems issue to senior individuals who are responsible for a 
particular system and who have the ability and authority to 
appropriately analyze and assess the issue affecting the SCI system or 
indirect SCI system, and their designees, as applicable.\749\
---------------------------------------------------------------------------

    \746\ See adopted Rule 1000.
    \747\ See generally supra notes 735-738 and accompanying text.
    \748\ See supra notes 736-737. See also note 738 and 
accompanying text.
    \749\ See supra Section IV.B.1.b (discussing Rule 
1001(a)(1)(2)(vii), which requires an SCI entity to have policies 
and procedures to provide for monitoring of SCI systems, and 
indirect SCI systems, as applicable, to identify potential SCI 
events, and escalate them to responsible SCI personnel); and infra 
notes 758-761 and accompanying text.
---------------------------------------------------------------------------

    The Commission also notes that, consistent with some commenters' 
recommendations, under the adopted rule, SCI entities will be afforded 
flexibility to determine which personnel to designate as ``responsible 
SCI personnel.'' \750\ Specifically, SCI entities will need to 
affirmatively identify one or more senior managers that have 
responsibility for each of its SCI systems or indirect SCI 
systems.\751\ In addition, the Commission notes that the definition of 
responsible SCI personnel affords SCI entities the flexibility to 
designate one or more other personnel as designees for a given 
system.\752\ The Commission believes that it is important to include 
designees within the definition of responsible SCI personnel to provide 
an SCI entity with the flexibility that it may need, and

[[Page 72315]]

which the Commission believes is necessary, given the varying sizes, 
natures, and complexities of each SCI entity. A senior manager may name 
a designee (or designees) who would also have responsibility for a 
given system with regard to Regulation SCI, for example, if the senior 
manager is absent, is occupied with other oversight responsibilities 
for a period of time, or because of other practical limitations, is 
otherwise unavailable to assess the SCI entity's obligations under 
Regulation SCI at a given point in time. The Commission believes it is 
likely that the designation of a designee and such designee's 
particular responsibilities with regard to an SCI system or indirect 
SCI system would be addressed by an SCI entity's policies and 
procedures, as discussed below. However, the Commission notes that 
while the definition of ``responsible SCI personnel'' does not permit 
the senior manager having responsibility for an applicable system to 
disclaim responsibility under the rule by delegating it fully to one or 
more designees (i.e., the adopted rule reads ``and their designees'' 
rather than ``or their designees''), it may assist SCI entities in 
fulfilling their responsibilities under Regulation SCI by allowing them 
to delegate to personnel other than senior managers such that those 
designees can also serve in the role of responsible SCI personnel.
---------------------------------------------------------------------------

    \750\ See supra note 739 and accompanying text.
    \751\ See Rule 1001(c).
    \752\ The Commission notes that the rules do not, however, 
require SCI entities to have designees. Rather, each SCI entity has 
the discretion to have designees if they choose to do so.
---------------------------------------------------------------------------

    The Commission further believes that the modifications to the 
definition address some commenters' concerns regarding the potential 
liability of junior SCI personnel, as the obligations of the rule are 
now triggered only when senior managers, rather than junior employees, 
having responsibility for a particular system have a reasonable basis 
to conclude that an SCI event has occurred.\753\ Further, the 
Commission reiterates that Regulation SCI imposes direct obligations on 
SCI entities and does not impose obligations directly on personnel of 
SCI entities. For these reasons, the Commission believes that an SCI 
entity's ability to attract and retain employees should not be 
negatively affected by the requirements of Regulation SCI, as 
adopted.\754\ The Commission also reiterates that the occurrence of an 
SCI event may be probative, but is not determinative of whether an SCI 
entity violated Regulation SCI.\755\
---------------------------------------------------------------------------

    \753\ See supra notes 743-744 and accompanying text.
    \754\ See supra notes 721 and 743-744 and accompanying text. The 
Commission notes that commenters' concerns regarding potential 
liability of employees were related to the scope of the proposed 
definition of responsible SCI personnel and the effect on the hiring 
and retention of junior and information technology personnel. 
Commenters believed that the definition should instead focus on 
senior managers who could appropriately be held responsible given 
their responsibilities and authority to take necessary actions under 
the rule.
    \755\ See, e.g., supra notes 470 and 627 and accompanying text.
---------------------------------------------------------------------------

    In light of the more focused definition of responsible SCI 
personnel and consistent with commenters' suggestions,\756\ the 
Commission believes it is appropriate to also adopt a policies and 
procedures requirement with respect to the designation of responsible 
SCI personnel and escalation procedures. As discussed above, many 
commenters highlighted the importance of escalation procedures and 
advocated for their use as an alternative to the adoption of a broader 
definition of responsible SCI personnel.\757\ Specifically, the 
Commission is adopting Rule 1001(c), which requires each SCI entity to 
``[e]stablish, maintain, and enforce reasonably designed written 
policies and procedures that include the criteria for identifying 
responsible SCI personnel, the designation and documentation of 
responsible SCI personnel, and escalation procedures to quickly inform 
responsible SCI personnel of potential SCI events.'' The Commission 
believes that it is important for an SCI entity's policies and 
procedures to have a defined set of criteria for identifying 
responsible SCI personnel so that such personnel are identified in a 
consistent manner across all of an SCI entity's operations and with 
regard to all of its SCI systems and indirect SCI systems. The 
Commission believes that SCI entities are best suited to establish the 
appropriate criteria for such a designation but notes that such 
criteria could include, for example, consideration of the level of 
knowledge, skills, and authority necessary to take the required actions 
under the rules. The Commission also believes it is important for 
policies and procedures to include the designation and documentation of 
responsible SCI personnel, so that it is clear to all employees of the 
SCI entity who the designated responsible SCI personnel are for 
purposes of the escalation procedures and so that Commission staff can 
easily identify such responsible SCI personnel in the course of its 
inspections and examinations and other interactions with SCI entities. 
The Commission also believes that, given the more focused definition of 
responsible SCI personnel, escalation procedures to quickly inform 
responsible SCI personnel of potential SCI events are necessary to help 
ensure that the appropriate person(s) are provided notice of potential 
SCI events so that any appropriate actions can be taken in accordance 
with the requirements of Regulation SCI without unnecessary delay. Such 
escalation procedures would establish the means by which, and actions 
required for, escalating information regarding a systems issue that may 
be an SCI event up the chain of command to the responsible SCI 
personnel, who will be responsible for determining whether an SCI event 
has occurred and what resulting obligations may be triggered. The 
Commission notes that each SCI entity may establish escalation 
procedures that conform to its needs, organization structure, and size. 
By requiring that responsible SCI personnel are ``quickly inform[ed]'' 
of potential SCI events, the Commission intends to require that 
escalation procedures emphasize promptness and ensure that responsible 
SCI personnel are informed of potential SCI events without delay. At 
the same time, the rule does not prescribe a specific time requirement 
in order to give flexibility to SCI entities in recognition that 
immediate notification may not be possible or feasible. Further, 
similar to adopted Rules 1001(a) and 1001(b), Rule 1001(c) requires 
that an SCI entity periodically review the effectiveness of the 
policies and procedures related to responsible SCI personnel, and 
take prompt action to remedy deficiencies in such policies and 
procedures.
---------------------------------------------------------------------------

    \756\ See supra notes 740-742 and accompanying text and infra 
notes 759-761 and accompanying text.
    \757\ See supra notes 740-742 and accompanying text.
---------------------------------------------------------------------------

Becomes Aware
    Several commenters criticized the proposed requirement that certain 
obligations under Regulation SCI be triggered when a responsible SCI 
personnel ``becomes aware'' of an SCI event. Some commenters stated 
that the standard was vague and lacked clarity regarding when, exactly, 
responsible SCI personnel would be deemed to become aware of an SCI 
event.\758\ Further, some commenters noted that the ``becomes aware'' 
standard emphasized immediate action over methodical escalation, 
diagnosis, and resolution procedures.\759\ As noted above, several 
commenters emphasized the importance of escalation policies and 
procedures, and argued that the rule should allow entities to adopt and 
follow such escalation procedures rather

[[Page 72316]]

than triggering the obligations under Regulation SCI upon one 
employee's awareness of a systems issue.\760\ Another commenter 
suggested specific revisions to the triggering standard so that the 
phrase ``responsible SCI personnel becoming aware'' would be eliminated 
entirely and replaced with ``SCI entity having a reasonable basis to 
conclude,'' which it believed would allow for escalation through a 
normal chain of command.\761\
---------------------------------------------------------------------------

    \758\ See, e.g., BATS Letter at 8-9; NYSE Letter at 19; and 
Joint SROs Letter at 12.
    \759\ See Joint SROs Letter at 3, 9, and 12. See also OCC Letter 
at 12; FINRA Letter at 25-26; Omgeo Letter at 13; FIF Letter at 5; 
and NYSE Letter at 19-20.
    \760\ See supra notes 740-742 and accompanying text.
    \761\ See NYSE Letter at 19.
---------------------------------------------------------------------------

    With regard to the Commission notification requirements 
specifically,\762\ one commenter suggested that SCI entities should 
only be required to notify the Commission ``upon confirming the 
existence of an SCI event,'' \763\ while another commenter stated that 
the rule should require notification to the Commission as soon as 
reasonably practicable after responsible personnel becomes aware of the 
SCI event.\764\ Similarly, one commenter believed that the ``becomes 
aware'' standard was problematic because it would require notification 
before an SCI entity has accurate information upon which to act.\765\
---------------------------------------------------------------------------

    \762\ See infra Section IV.B.3.c (discussing the Commission 
notification requirement for SCI events).
    \763\ See Direct Edge Letter at 8.
    \764\ See Omgeo Letter at 17.
    \765\ See FIF Letter at 5 (urging that notification be required 
when ``accurate and actionable'' information is provided to 
responsible SCI personnel). See also BATS Letter at 9.
---------------------------------------------------------------------------

    After consideration of the views of commenters, the Commission has 
determined to revise the triggering standard so that SCI entities will 
be required to comply with the obligations of adopted Rule 1002 upon 
responsible SCI personnel having ``a reasonable basis to conclude'' 
that an SCI event has occurred, as suggested by a commenter.\766\ This 
standard permits an SCI entity to gather relevant information and 
perform an initial analysis and assessment as to whether a systems 
issue may be an SCI event, rather than requiring an SCI entity to take 
corrective action, notify the Commission, and/or disseminate 
information about an SCI event immediately upon responsible SCI 
personnel becoming aware of an SCI event.\767\ Thus, the Commission 
believes that the ``reasonable basis to conclude'' standard should 
provide some additional flexibility and time for judgment to determine 
whether there is a ``reasonable basis to conclude'' in contrast to the 
``becomes aware'' standard which many commenters noted would be 
difficult to apply in practice due to the difficulty of determining 
when an individual, in fact, ``becomes aware'' of an SCI event.\768\ 
Further, the Commission believes that, consistent with commenters' 
recommendations, the revised standard, in conjunction with the revised 
definition of ``responsible SCI personnel,'' will allow an SCI entity 
to adopt and follow its internal escalation policies and procedures to 
inform senior SCI entity personnel of systems issues, and allow 
meaningful assessment of the issues by such senior management prior to 
triggering obligations of the rule.\769\ At the same time, the 
Commission believes that the obligations of the rule will continue to 
be triggered in a timely manner because the Commission is adopting a 
separate requirement in Rule 1001(c), as noted above, for escalation 
procedures to quickly inform responsible SCI personnel of potential SCI 
events.
---------------------------------------------------------------------------

    \766\ See adopted Rules 1002(a), (b), and (c). See also supra 
note 761.
    \767\ See supra notes 759 and 763-765 and accompanying text. 
Additionally, the Commission does not agree with the commenter who 
stated that notification should be required only as soon as 
reasonably practicable after responsible personnel become aware of 
an SCI event because that standard would unnecessarily delay the 
requirement for an SCI entity to take necessary actions under the 
rule and the Commission's knowledge of an SCI event. See supra note 
764.
    \768\ See supra note 758 and accompanying text.
    \769\ See supra notes 758-760 and accompanying text. The 
Commission believes that the adopted standard similarly allows for 
escalation of a systems issue to senior officials because the 
Commission believes that having ``a reasonable basis to conclude'' 
is a good indication that an SCI event has likely occurred and does 
not require that the responsible SCI personnel come to a definitive 
conclusion, which would cause unnecessary delay in taking the 
actions required by Regulation SCI. Rather, once responsible SCI 
personnel have a reasonable basis to conclude that an SCI event has 
occurred, the Commission believes that an SCI entity should begin to 
take corrective action, provide notice to the Commission, and/or 
disclose such event, as applicable, because these requirements are 
designed to ensure that the SCI entity begins to take action in a 
timely fashion to mitigate potential harm arising from the incident 
and that the Commission and relevant market participants are kept 
apprised of an SCI event even where a definitive conclusion is not 
yet available. The Commission does not agree with the commenter that 
it should apply the triggering standard only to the SCI entity 
rather than responsible SCI personnel. The Commission notes, as 
discussed above, that the adopted definition of responsible SCI 
personnel imposes obligations only upon the senior personnel of an 
SCI entity that have responsibility for a particular system. 
Additionally, the Commission believes that it is important to apply 
the triggering standard to responsible SCI personnel rather than to 
the SCI entity because, when combined with an SCI entity's policies 
and procedures with respect to the designation of responsible SCI 
personnel and escalation and monitoring procedures, the triggering 
standard is designed to ensure that senior managers are provided 
notice of potential SCI events so that any appropriate actions can 
be taken in accordance with the requirements of Regulation SCI 
without unnecessary delay.
---------------------------------------------------------------------------

b. Corrective Action--Rule 1002(a)
    Proposed Rule 1000(b)(3) required an SCI entity, upon any 
responsible SCI personnel becoming aware of an SCI event, to begin to 
take appropriate corrective action including, at a minimum, mitigating 
potential harm to investors and market integrity resulting from the SCI 
event and devoting adequate resources to remedy the SCI event as soon 
as reasonably practicable.\770\ The corrective action requirement is 
being adopted substantially as proposed, but with the triggering 
standard modified as discussed above.\771\
---------------------------------------------------------------------------

    \770\ See proposed Rule 1000(b)(3) and Proposing Release, supra 
note 13, at 18117.
    \771\ See supra Section IV.B.3.a (discussing the triggering 
standard).
---------------------------------------------------------------------------

    Two commenters supported the corrective action provision 
generally.\772\ Several commenters stated that the proposed requirement 
put too great an emphasis on immediately taking corrective action at 
the expense of thoroughly analyzing the SCI event and its cause, 
considering potential remedies, and/or acting in accordance with 
internal policies and procedures before committing to a plan to take 
corrective action.\773\ One group of commenters suggested that the rule 
should make clear that ``corrective action'' should also include a 
variety of other potential actions, such as communicating with 
responsible parties, diagnosing the root cause, disclosing to members 
and the public, and mitigating potential harm by following their 
policies and procedures.\774\ Another commenter stated that, in certain 
circumstances, it is ``aggressive to presume that one individual's 
knowledge should prompt an immediate response by the SCI [e]ntity at 
large.'' \775\ This commenter further stated that a standard requiring 
an SCI entity to mitigate potential harm to investors is extremely 
vague.\776\
---------------------------------------------------------------------------

    \772\ See MSRB Letter at 17 and DTCC Letter at 9-10.
    \773\ See SIFMA Letter at 3; OCC Letter at 14; Joint SROs Letter 
at 11; LiquidPoint Letter at 4; DTCC Letter at 10; and Direct Edge 
Letter at 7.
    \774\ See Joint SROs Letter at 11.
    \775\ See Direct Edge Letter at 7.
    \776\ Id.
---------------------------------------------------------------------------

    As adopted, Rule 1002(a) requires an SCI entity, upon any 
responsible SCI personnel having a reasonable basis to conclude that an 
SCI event has occurred, to begin to take appropriate corrective action 
including, at a minimum, mitigating potential harm to investors and 
market integrity resulting

[[Page 72317]]

from the SCI event and devoting adequate resources to remedy the SCI 
event as soon as reasonably practicable. The Commission continues to 
believe that this provision of Regulation SCI is important to make 
clear that each SCI entity has the obligation to respond to SCI events 
with appropriate steps necessary to remedy the problem or problems 
causing such SCI event and mitigate the negative effects of the SCI 
event, if any, on market participants and the securities markets more 
broadly. As discussed below, the specific steps that an SCI entity will 
need to take to mitigate the harm will be dependent on the particular 
systems issue, its causes, and the estimated impact of the event, among 
other factors. To the extent that a systems issue affects not only the 
particular users of an SCI system, but also has a more widespread 
impact on the market generally, as may be likely with regard to systems 
issues affecting critical SCI systems, the SCI entity will need to 
consider how it might mitigate any potential harm to the overall market 
to help ensure market integrity. For example, an SCI entity would need 
to take steps to regain a system's ability to process transactions in 
an accurate, timely, and efficient manner, or to ensure the accurate, 
timely, and efficient collection, processing, and dissemination of 
market data.
    As noted above, many of the comments on this requirement are 
related to the standard for triggering the obligation to take 
corrective action under this provision, namely ``upon any SCI 
responsible personnel becoming aware of'' an SCI event. As discussed 
above, the Commission has further focused the scope of the term 
``responsible SCI personnel'' in response to commenters' concerns that 
the term was too broad and could inappropriately capture junior and/or 
inexperienced employees. Further, as discussed above, the Commission 
has revised the ``becomes aware'' standard to instead trigger 
obligations when responsible personnel have ``a reasonable basis to 
conclude'' an SCI event has occurred. As explained above, the 
Commission believes that these important modifications are responsive 
to commenters' concerns that the corrective action requirement could be 
triggered upon the knowledge of only one individual or a junior 
employee of a systems issue without sufficient time to analyze and 
assess the systems problem and follow internal escalation procedures. 
Under the adopted standard, only when (i) suspected systems problems 
are escalated to senior managers of the SCI entity who have 
responsibility for the SCI system or indirect SCI system experiencing 
an SCI event and their designees, and (ii) such personnel have ``a 
reasonable basis to conclude'' that an SCI event has occurred are the 
appropriate corrective actions required by Rule 1002(a) triggered.
    Further, in response to commenters who stated that the proposed 
rule places too large an emphasis on immediate corrective action,\777\ 
in addition to the modifications noted above which are intended to 
allow for appropriate time for an SCI entity to perform an initial 
analysis and preliminary investigation into a potential systems issue 
before the obligations under Rule 1002(a) are triggered, the Commission 
notes that it does not use the term ``immediate'' in either the 
proposed or adopted rules. Rather, the Commission emphasizes that the 
rule requires that corrective action be taken ``as soon as reasonably 
practicable'' once the triggering standard has been met. The Commission 
believes that, because the facts and circumstances of each specific SCI 
event will be different, this standard ensures that an SCI entity will 
take necessary corrective action soon after an SCI event, but not 
without sufficient time to first consider what is the appropriate 
action to remedy the SCI event in a particular situation and how such 
action should be implemented.
---------------------------------------------------------------------------

    \777\ See supra notes 773-775 and accompanying text.
---------------------------------------------------------------------------

    Moreover, the Commission has considered the comment that the rule 
prescribe in more specificity the particular types of corrective action 
that must be taken by an SCI entity and believes that it is appropriate 
to adopt, as proposed, a rule that requires more generally that 
``appropriate'' corrective action be taken and requires that, at a 
minimum, the SCI entity take appropriate steps to mitigate potential 
harm to investors and market integrity resulting from the SCI event and 
devote adequate resources to remedy the SCI event. The Commission notes 
that the rule is designed to afford flexibility to SCI entities in 
determining how to best respond to a particular SCI event in order to 
remedy the problem causing the SCI event and mitigate its effects. As a 
general matter, though, the Commission agrees that such corrective 
action would likely include a variety of actions, such as those 
identified by one group of commenters, including determining the scope 
of the SCI event and its causes, making a determination regarding its 
known and anticipated impact, following adequate internal diagnosis and 
resolution policies and procedures, and taking additional action to 
respond as each SCI entity deems appropriate.\778\ The Commission also 
notes that certain other specific types of corrective action identified 
by such commenters are already required by other provisions of 
Regulation SCI, such as communicating and escalating the issue to 
responsible personnel and making appropriate disclosures to members or 
participants regarding the SCI event.\779\
---------------------------------------------------------------------------

    \778\ See supra note 774 and accompanying text.
    \779\ See adopted Rule 1001(c) (requiring policies and 
procedures that include, among other things, escalation procedures 
to quickly inform responsible SCI personnel of potential SCI events) 
and Rule 1002(c) (requiring dissemination of information regarding 
SCI events).
---------------------------------------------------------------------------

c. Commission Notification--Rule 1002(b)
i. Proposed Rule 1000(b)(4)
    Proposed Rule 1000(b)(4) addressed the Commission notification 
obligations of an SCI entity upon any responsible SCI personnel 
becoming aware of an SCI event.\780\ Specifically, proposed Rule 
1000(b)(4)(i) required an SCI entity, upon any responsible SCI 
personnel becoming aware of a systems disruption that the SCI entity 
reasonably estimated would have a material impact on its operations or 
on market participants, any systems compliance issue, or any systems 
intrusion (``immediate notification SCI event''), to notify the 
Commission of such SCI event, which could be done orally or in writing 
(e.g., by email). Proposed Rule 1000(b)(4)(ii) required an SCI entity 
to submit a written notification pertaining to any SCI event to the 
Commission within 24 hours of any responsible SCI personnel becoming 
aware of the SCI event. Proposed Rule 1000(b)(4)(iii) required an SCI 
entity to submit to the Commission continuing written updates on a 
regular basis, or at such frequency as reasonably requested by a 
representative of the Commission, until such time as the SCI event was 
resolved.
---------------------------------------------------------------------------

    \780\ See proposed Rule 1000(b)(4) and Proposing Release, supra 
note 13, at Section III.C.3.b.
---------------------------------------------------------------------------

    Proposed Rule 1000(b)(4)(iv) detailed the types of information that 
was required for written notifications under proposed Rule 
1000(b)(4).\781\ In

[[Page 72318]]

addition, proposed Rule 1000(b)(4)(iv)(C) required an SCI entity to 
provide a copy of any information disseminated regarding the SCI event 
to its members or participants or on the SCI entity's publicly 
available Web site.
---------------------------------------------------------------------------

    \781\ Specifically, the SCI Proposal required written 
notifications and updates to be made electronically and required 
initial written notifications to include all pertinent information 
known about an SCI event, including: (1) A detailed description of 
the SCI event; (2) the SCI entity's current assessment of the types 
and number of market participants potentially affected by the SCI 
event; (3) the potential impact of the SCI event on the market; and 
(4) the SCI entity's current assessment of the SCI event, including 
a discussion of the SCI entity's determination regarding whether the 
SCI event was a dissemination SCI event or not. In addition, as 
proposed, to the extent available as of the time of the initial 
notification, Exhibit 1 to Form SCI would have required inclusion of 
the following information: (1) A description of the steps the SCI 
entity was taking, or planned to take, with respect to the SCI 
event; (2) the time the SCI event was resolved or timeframe within 
which the SCI event was expected to be resolved; (3) a description 
of the SCI entity's rule(s) and/or governing documents, as 
applicable, that related to the SCI event; and (4) an analysis of 
the parties that may have experienced a loss, whether monetary or 
otherwise, due to the SCI event, the number of such parties, and an 
estimate of the aggregate amount of such loss. See proposed Rule 
1000(b)(4)(iv)(A).
---------------------------------------------------------------------------

    As described below, adopted Rule 1002(b) retains the general 
framework of proposed Rule 1000(b)(4) for Commission notification of 
SCI events, but makes several modifications in response to comments.
Comments Regarding Commission Notification of SCI Events
    One commenter generally supported proposed Rule 1000(b)(4), stating 
that it would enhance transparency and might allow the Commission to 
see patterns in small, seemingly non-material SCI events that are 
worthy of attention.\782\ However, many other commenters expressed 
concerns about proposed Rule 1000(b)(4).\783\ Many of these commenters 
stated that the scope of proposed Rule 1000(b)(4) was too broad, and 
that the notification requirement would lead to over-reporting to the 
Commission.\784\ Commenters also suggested various ways to revise the 
reporting requirement. For example, several commenters recommended 
requiring notification to the Commission only for ``material'' or 
``significant'' events.\785\ For example, one commenter recommended 
reporting most SCI events as part of the annual SCI review process, 
while focusing Commission notification on material SCI events.\786\ 
Similarly, another commenter suggested that SCI entities should only be 
required to report information relating to ``impactful'' systems 
disruptions in an annual report to the Commission rather than in near 
real time reports.\787\ Another commenter recommended requiring 
notification only for systems issues that warrant notification to an 
SCI entity's subscribers or participants.\788\ Some commenters 
recommended a risk-based approach under which each SCI event would be 
subject to a risk-based assessment, in which the obligation to notify 
the Commission would be based on the attendant risk, with only material 
events requiring notification.\789\
---------------------------------------------------------------------------

    \782\ See Lauer Letter at 6. The Commission also notes that, 
although many other commenters expressed reservations with proposed 
Rule 1000(b)(4), many of these commenters also expressed their 
general support for a notification rule that is more limited in 
scope. See, e.g., ITG Letter at 12 (stating that a reduction in 
notifications would result in lower costs, reduce the over-reporting 
of events, and allow the Commission to focus on events that warrant 
review); and FINRA Letter at 18 (``FINRA fully supports the 
Commission's goal of ensuring that Commission staff is informed of 
events that could potentially impact the market'').
    \783\ See, e.g., NYSE Letter at 21; BATS Letter at 12-13; ITG 
Letter at 12; FINRA Letter at 16-17; Omgeo Letter at 16; SIFMA 
Letter at 13; ISE Letter at 6; OCC Letter at 11; and CME Letter at 
9.
    \784\ See, e.g., NYSE Letter at 22; Omgeo Letter at 16; SIFMA 
Letter at 14; ISE Letter at 6; and OCC Letter at 12.
    \785\ See, e.g., ITG Letter at 12; CME Letter at 9; DTCC Letter 
at 8; and Omgeo Letter at 15.
    \786\ See FIF Letter at 4.
    \787\ See BATS Letter at 10.
    \788\ See OTC Markets Letter at 19 (stating that the 
notification requirement to the Commission should be aligned with 
the current industry practice of notifying SCI entities' subscribers 
of material events, explaining that competitive forces motivate 
entities to promptly notify subscribers about significant issues).
    \789\ See, e.g., OCC Letter at 13; SIFMA Letter at 13; Omgeo 
Letter at 1; FINRA Letter at 14; and NYSE Letter at 25.
---------------------------------------------------------------------------

    Commenters also identified potential problems resulting from a 
notification requirement that they perceived as too broad. For example, 
one commenter stated that the notification requirements have the 
potential to create efficiency issues, delay system remediation, create 
substantial resource demands, and create instability, which would 
diminish an SCI entity's ability to be responsive to investors and 
damage market efficiency.\790\ Similarly, several commenters stated 
that the proposed Commission notification provision would require SCI 
entities to divert resources to comply with the requirement which, in 
turn, would risk delaying resolution of the SCI event that is being 
reported on.\791\ Other commenters suggested that the proposed rule 
would result in large volumes of data and reporting, which would 
present challenges to, and burdens on, SCI entities as well as 
Commission staff.\792\ One commenter also questioned the extent to 
which the reported information provided by the notifications would be 
useful to the Commission.\793\
---------------------------------------------------------------------------

    \790\ See UBS Letter at 3.
    \791\ See Omgeo Letter at 16; MSRB Letter at 19; and OCC Letter 
at 14.
    \792\ See SunGard Letter at 5; and Joint SROs Letter at 7.
    \793\ See NYSE Letter at 22.
---------------------------------------------------------------------------

    Some commenters focused their comments on the proposal's 
requirements for Commission reporting of systems intrusions and offered 
alternative approaches to reporting systems intrusions. One commenter 
stated that, in order to limit the number of notifications, SCI 
entities should be required to investigate and keep a record of all 
systems intrusions that did not cause a material disruption of service, 
or that were a malicious (but unsuccessful) attempt in gaining 
unauthorized access to confidential data, and make these records 
available to the Commission staff if requested.\794\ Another commenter 
recommended that non-material systems intrusions be recorded within the 
SCI entity's records.\795\ Another commenter suggested that systems 
intrusions in a development or testing environment should only be 
reportable if there is a likelihood that the same issue or 
vulnerabilities exist in the current production environment and cannot 
be verified within a certain period, such as, for example, 24 to 48 
hours.\796\ In addition, one commenter suggested that, for systems 
intrusions, rather than impose the Commission notification requirement 
on SCI entities, the Commission should instead require SCI entities to 
establish policies and procedures reasonably designed to prevent, 
detect, and respond to systems intrusions.\797\
---------------------------------------------------------------------------

    \794\ See Omgeo Letter at 12.
    \795\ See DTCC Letter at 8.
    \796\ See FINRA Letter at 11-12.
    \797\ See BATS Letter at 12. This commenter believed that the 
cost of the proposed requirement would outweigh any benefits because 
the proposed rule would require SCI entities to ``rapidly 
investigate and report a multitude of minor incidents that regularly 
occur during the normal course of business.'' Id.
---------------------------------------------------------------------------

    One commenter stated that the Commission should support the 
enhancement of the Financial Services Information Sharing and Analysis 
Center (``FS-ISAC'') \798\ and another commenter suggested that non-
material cyber-relevant events be provided to and disseminated through 
FS-ISAC rather than the Commission.\799\ Some commenters further 
suggested that certain systems intrusions should be reported to FS-
ISAC.\800\
---------------------------------------------------------------------------

    \798\ FS-ISAC is a service that gathers information from a 
multitude of sources related to threat, vulnerability, and risk of 
cyber and physical security and communicates timely notifications 
and authoritative information specifically designed to help protect 
critical systems and assets from physical and cybersecurity threats. 
See FS-ISAC: Financial Services--Information Sharing and Analysis 
Center, available at: www.fsisac.com.
    \799\ See BIDS Letter at 10; and Omgeo Letter at 12.
    \800\ See SIFMA Letter at 14 (recommending that systems 
intrusions be reported to FS-ISAC in addition to the Commission); 
and Omgeo Letter at 12 and 21 (recommending that non-material 
systems intrusions be reported solely to FS-ISAC).
---------------------------------------------------------------------------

    Other commenters stated that reporting a systems compliance issue 
is

[[Page 72319]]

reporting a legal conclusion, and that requiring an SCI entity to do so 
would overburden them with extensive technical and legal analysis and 
potentially expose those entities to Commission sanctions or 
litigation.\801\ Several commenters expressed concerns regarding the 
confidentiality of the information provided pursuant to proposed Rule 
1000(b)(4), and stated that such information should be confidential 
and protected from public disclosure.\802\ One of these commenters 
requested that the Commission confirm in the final rule that the 
information will remain confidential.\803\
---------------------------------------------------------------------------

    \801\ See OTC Markets Letter at 16. See also NYSE Letter at 16.
    \802\ See NYSE Letter at 24; Joint SROs Letter at 12; and DTCC 
Letter at 11.
    \803\ See DTCC Letter at 11.
---------------------------------------------------------------------------

    Commenters also raised other general concerns and made suggestions 
with regard to proposed Rule 1000(b)(4). One commenter argued that the 
proposed rules could cause SCI entities to release information before 
all relevant factors are known, which could be counterproductive and 
harmful.\804\ Another commenter was concerned that SCI entities would 
be required to provide notification reports multiple times to different 
Commission staff for the same event.\805\ Another commenter suggested 
that the proposed requirement is onerous and costly and thus, to 
realize benefits, the Commission, based on notifications received from 
SCI entities, should provide regular summary-level feedback that 
communicates the types, frequency, severity, and impact of market 
incidents across all reporting entities and other related data on the 
root cause of problems.\806\ Another commenter suggested that the 
Commission provide examples, such as publications and reference 
blueprints, which could be useful to SCI entities as they attempt to 
understand the types of SCI events that warrant Commission 
notification.\807\ Finally, some commenters broadly questioned the 
Commission's legal authority to adopt Regulation SCI as proposed, 
asserting, among other things, that the Commission's proposed 
notification requirement was beyond its legal authority.\808\
---------------------------------------------------------------------------

    \804\ See ITG Letter at 13.
    \805\ See NYSE Letter at 22. Another commenter suggested that 
the notification requirement with respect to system disruptions 
should make clear that multiple notifications are not required if a 
disruption impacts multiple SCI entities. See FINRA Letter at 22.
    \806\ See BIDS Letter at 10.
    \807\ See SunGard Letter at 6.
    \808\ See NYSE Letter at 4-6; and OTC Markets Letter at 6. See infra 
notes 833-837 and accompanying text (discussing ``Commission Legal 
Authority'').
---------------------------------------------------------------------------

ii. Rule 1002(b)
    After careful consideration of the comments on proposed Rule 
1000(b)(4), the Commission is adopting Rule 1002(b), with several 
modifications in response to comments.\809\
---------------------------------------------------------------------------

    \809\ Specific comments on proposed Rules 1000(b)(4)(i)-(iii) 
that are not discussed above are discussed below in conjunction with 
the Commission's response to those comments.
---------------------------------------------------------------------------

Overview
    The Commission notes that, even without the modifications the 
Commission is making in adopted Rule 1002(b), the proposed Commission 
notification rule would require Commission notice of fewer SCI events 
than as proposed as a result of the adopted definitions of SCI systems, 
indirect SCI systems, systems disruption, and systems compliance issue, 
and the revised triggering standard discussed above. In addition, the 
Commission has determined to refine the scope of the adopted Commission 
notification requirement by incorporating a risk-based approach that 
requires SCI entities, for purposes of Commission notification, to 
divide SCI events into two main categories: SCI events that ``[have] 
had, or the SCI entity reasonably estimates would have, no or a de 
minimis impact on the SCI entity's operations or on market 
participants'' (``de minimis'' SCI events); and SCI events that are not 
de minimis SCI events. De minimis SCI events will not be subject to an 
immediate Commission notification requirement as proposed. Instead, all 
de minimis SCI events will be subject to recordkeeping requirements, 
and de minimis systems disruptions and de minimis systems intrusions 
will be subject to a quarterly reporting obligation, as set forth in 
adopted Rule 1002(b)(5). For SCI events that are not de minimis, 
Commission notification will be governed by adopted Rules 1002(a)(1)-
(4), which is substantially similar to proposed Rules 1000(b)(4)(ii)-
(iv), but relaxed in certain respects in response to comment, as 
discussed below.
Effect of Revised Definitions and Revised Triggering Standard on 
Commission Notification Requirement
    The Commission believes that the revisions made to a number of 
definitions already focus the scope of the Commission notification 
requirement in adopted Rule 1002(b) from the SCI Proposal. For example, 
elimination of member regulation and member surveillance systems from 
the adopted definition of SCI systems will substantially reduce the 
potential number of SCI events that would be subject to Commission 
notification under the proposal.\810\ Likewise, systems problems that 
would otherwise meet the definition of SCI event do not meet the 
definition of an SCI event if they occur in the development or testing 
environment.\811\ In addition, the Commission believes that the revised 
definitions of ``systems disruption'' and ``systems compliance issue'' 
also will result in fewer systems issues being identified as SCI 
events.\812\ In tandem with the revised definitions, the Commission 
also believes that the revised triggering standard for notification of 
SCI events, which affords an SCI entity time to evaluate whether a 
potential SCI event is an actual SCI event, will also result in fewer 
SCI events being subject to the requirements of Rules 1002(b)(1)-
(4).\813\ The Commission believes that these changes respond to 
comments that proposed Rule 1000(b)(4) was overbroad and overly 
burdensome for SCI entities.\814\
---------------------------------------------------------------------------

    \810\ See supra Section IV.A.2.b (discussing the definition of 
``SCI systems'').
    \811\ See supra note 796 and accompanying text. See also supra 
Section IV.A.2.b (discussing the definition of ``SCI systems''). 
According to one commenter who supported excluding non-market 
systems from the definition of SCI systems and the notification and 
dissemination requirements, applying the reporting requirements to 
non-market systems ``would significantly increase the volume of the 
reports the Commission receives.'' FINRA Letter at 10. (``If the 
definition of SCI systems is broadly construed to apply to non-
market regulatory and surveillance systems, approximately 111 FINRA 
systems could be subject to Regulation SCI.'') FINRA Letter at 7.
    \812\ See supra Section IV.A.3 (discussing the definition of 
``SCI event,'' ``systems disruption,'' and ``systems compliance 
issue'').
    \813\ See supra Section IV.B.3.a (discussing the definition of 
``responsible SCI personnel'') and Section IV.B.3.a (discussing the 
triggering standard).
    \814\ See supra note 784 and accompanying text. See also Section 
VI (discussing comments regarding the burdens associated with 
proposed Rule 1000(b)(4)).
---------------------------------------------------------------------------

Exclusion of De Minimis SCI Events From Immediate Notification 
Requirements: Adopted Rule 1002(b)(5)
    Adopted Rule 1002(b)(5) states that the requirements of Rules 
1002(b)(1)-(4) do not apply to any SCI event that has had, or the SCI 
entity reasonably estimates would have, no or a de minimis impact on 
the SCI entity's operations or on market participants. For such de 
minimis events, Rule 1002(b)(5) requires that an SCI entity: (i) Make, 
keep, and preserve records relating to all such SCI events; and (ii) 
submit to the Commission a report, within 30 calendar days after the 
end of each calendar quarter, containing a summary description of such 
systems

[[Page 72320]]

disruptions and systems intrusions, including the SCI systems and, for 
systems intrusions, indirect SCI systems, affected by such systems 
disruptions and systems intrusions during the applicable calendar 
quarter.
    The Commission believes that this exception will result in a less 
burdensome reporting framework for de minimis SCI events than for other 
SCI events, and therefore responds to comment that the proposed 
reporting framework was too burdensome. The Commission believes that 
the quarterly reporting of de minimis systems disruptions and de 
minimis systems intrusions will reduce the frequency and volume of SCI 
event notices submitted to the Commission and also will allow both the 
SCI entity and its personnel, as well as the Commission and its staff, 
to focus their attention and resources on other, more significant SCI 
events. Consistent with taking a risk-based approach in other aspects 
of Regulation SCI, the Commission believes this modification from the 
SCI Proposal will result in more focused Commission monitoring of SCI 
events than if this aspect of the SCI Proposal was adopted without 
modification. Further, by reducing the number of SCI event notices 
provided to the Commission on an immediate basis as compared to the SCI 
Proposal, the adopted rule should also impose lower compliance costs 
and fewer burdens than if this aspect of the SCI Proposal was adopted 
without modification.
    However, the Commission has determined not to incorporate a 
materiality threshold as requested by some commenters,\815\ to limit 
the Commission reporting requirements to those events that are 
considered by SCI entities to be truly disruptive to the markets, as 
suggested by other commenters,\816\ or to limit the Commission 
reporting requirement only to those events that warrant notification to 
an SCI entity's subscribers or participants, as suggested by still 
other commenters.\817\ The Commission has made this determination 
because while there may be SCI events with little apparent impact on an 
SCI entity's operations or on market participants and the burden on an 
SCI entity to provide immediate notice to the Commission every time 
such an event occurs may not justify the benefit of providing such 
notice to the Commission on an immediate basis, the Commission does not 
believe that such de minimis events are irrelevant or that the 
Commission should never be made aware of them. To fulfill its oversight 
role, the Commission believes that the Commission and its staff should 
regularly be made aware of de minimis systems disruptions and de 
minimis systems intrusions and should have ready access to records 
regarding de minimis systems compliance issues that SCI entities are 
facing and addressing because, as the regulator of the U.S. securities 
markets, it is important that the Commission and its staff have access 
to information regarding all SCI events (including de minimis SCI 
events) and their impact on the technology systems and systems 
compliance of SCI entities, which may also provide useful insights into 
learning about indications of more impactful SCI events. The Commission 
has, however, determined to distinguish the timing of its receipt of 
information regarding SCI events based on their impact: those SCI 
events that an SCI entity reasonably estimates to have a greater impact 
are subject to ``immediate'' notification upon responsible SCI 
personnel having a reasonable basis to conclude that an SCI event has 
occurred; and those SCI events that an SCI entity reasonably estimates 
to have no or a de minimis impact are subject to recordkeeping 
obligations, and for de minimis systems disruptions and de minimis 
systems intrusions, a quarterly summary notification. Despite 
commenters' arguments to the contrary that de minimis SCI events do not 
warrant the Commission's and its staff's attention, the Commission 
believes that quarterly reporting of de minimis systems disruptions and 
de minimis systems intrusions and review of records regarding de 
minimis systems compliance issues is beneficial to the Commission and 
its staff in understanding SCI entity systems operations at the level 
of the individual SCI entity, as well as across the spectrum of SCI 
entities, and to monitor compliance with the Exchange Act and rules 
thereunder. The Commission notes that, while it is not requiring that 
de minimis systems compliance issues be submitted to the Commission in 
quarterly reports, Commission staff may request records relating to 
such de minimis systems compliance issues as necessary. The Commission 
encourages and does not intend to inhibit an evaluation by SCI entities 
of systems compliance issues, including de minimis systems compliance 
issues, which may inherently involve legal analysis.
---------------------------------------------------------------------------

    \815\ See, e.g., supra note 785 and accompanying text.
    \816\ See, e.g., supra notes 785-787.
    \817\ See supra note 788.
---------------------------------------------------------------------------

    As noted, some commenters focused specifically on systems 
intrusions, urging the Commission to modify or significantly reduce the 
instances in which notice of systems intrusions would be required,\818\ 
or provide that non-material systems intrusions not be reported at all, 
and only be recorded by the SCI entity.\819\ The Commission believes 
that the recordkeeping and quarterly reporting requirement for de 
minimis systems intrusions described in Rule 1002(b)(5) is partially 
responsive to these comments, but also believes that notice of 
intrusions in SCI systems and indirect SCI systems is important to 
allow the Commission and its staff to detect patterns or understand 
trends in the types of systems intrusions that may be occurring at 
multiple SCI entities. However, as compared to what would have been 
required if the SCI Proposal was adopted without modification, the 
Commission expects that the exception from the immediate reporting 
requirement provided for de minimis SCI events under Rule 1002(b)(5) 
will result in a much lower number of systems intrusions that SCI 
entities will be required to immediately report to the Commission than 
commenters believed,\820\ and will achieve this result without 
compromising the Commission's interest in receiving more timely 
notification of impactful SCI events.
---------------------------------------------------------------------------

    \818\ See supra notes 794-797 and accompanying text.
    \819\ See supra notes 794-795 and accompanying text.
    \820\ See, e.g., supra note 794 and accompanying text 
(discussing a commenter's suggestion to limit the number of 
notifications by requiring recordkeeping of all systems intrusions 
that did not cause a material disruption of service or that were a 
malicious (but unsuccessful) attempt in gaining unauthorized access 
to confidential data).
---------------------------------------------------------------------------

    In addition, some commenters suggested that certain types of 
systems intrusions or non-material SCI events be reported exclusively 
to FS-ISAC or to both the Commission and FS-ISAC, and some advocated 
that the Commission support the enhancement of FS-ISAC.\821\ The 
Commission believes that FS-ISAC and other information sharing 
services play an important role in assisting SCI entities and other 
entities with respect to security issues. Consistent with views shared 
by several members of the third panel at the Cybersecurity Roundtable, 
to the extent SCI entities determine that such information sharing 
services are useful, the Commission encourages SCI entities to 
cooperate with and share information relating to information security 
threats and related issues with such entities to

[[Page 72321]]

further enhance their utility.\822\ At the same time, for the reasons 
discussed above,\823\ the Commission believes that it is important that 
the Commission directly receive information regarding systems 
intrusions from SCI entities, through immediate notifications or 
quarterly reports, as applicable.
---------------------------------------------------------------------------

    \821\ See supra notes 799-800 and accompanying text.
    \822\ See supra notes 39-40 and accompanying text. During the 
Cybersecurity Roundtable, panelists referenced other services that 
they believed useful to SROs, including the Financial Services 
Sector Coordinating Council for Critical Infrastructure Protection 
and Homeland Security (FSSCC), the Clearing House and Exchange Forum 
(CHEF), and the Worldwide Federation of Exchange's recently 
established Global Exchanges Cyber Security Working Group (GLEX). 
See supra note 39.
    \823\ See supra notes 904-906 and accompanying text.
---------------------------------------------------------------------------

    In response to comments that recordkeeping of non-material SCI 
events would be more appropriate than reporting, the Commission 
believes that quarterly reporting of de minimis systems disruptions and 
de minimis systems intrusions will better achieve the goal of keeping 
Commission staff informed regarding the nature and frequency of SCI 
events that arise but are reasonably estimated by the SCI entity to 
have a de minimis impact on the entity's operations or on market 
participants. Importantly, submission and review of regular reports 
will facilitate Commission staff comparisons among SCI entities and 
thereby permit the Commission and its staff to have a more holistic 
view of the types of systems operations challenges that were posed to 
SCI entities in the aggregate.
    With regard to de minimis systems compliance issues, however, the 
Commission believes the goals of Regulation SCI can be achieved through 
the SCI entity's obligation to keep, and provide to representatives of 
the Commission upon request, records of such de minimis systems 
compliance issues. The Commission believes that systems compliance 
issues generally are more specific to a particular entity's systems and 
rules and less likely, as compared to systems disruptions and systems 
intrusions, to raise market-wide issues that could affect several SCI 
entities. Accordingly, information on such events is less likely to 
provide valuable insight into trends and risks across the industry and, 
therefore, the Commission believes that the benefits of receiving 
quarterly reports on such de minimis systems compliance issues would be 
less relative to de minimis systems disruptions and de minimis systems 
intrusions. Further, the Commission notes that, based on Commission 
staff's experience with notifications of compliance-related issues at 
SROs, the Commission believes that SCI entities will experience a 
relatively small number of systems compliance issues each year, and 
thus, its regular examinations of SCI entities will provide an adequate 
mechanism for reviewing and addressing de minimis systems compliance 
issues affecting SCI entities. As noted above, Commission staff may 
request records relating to such de minimis systems compliance issues 
as necessary.
    In response to the concerns raised by one commenter that the 
notification requirements have the potential to create efficiency 
issues, delay system remediation, create substantial resource demands, 
and create instability, the Commission believes that these concerns 
have been mitigated by the numerous changes made from the proposal, 
such as the adoption of a quarterly reporting framework for de minimis 
systems disruptions and de minimis systems intrusions and revised 
definitions of the terms SCI systems, indirect SCI systems, systems 
disruption, and systems compliance issue, in addition to the reduction 
in the obligations SCI entities have with respect to reporting 
requirements.\824\ In addition, ARP entities today are able to 
regularly notify the Commission of systems related issues, such as 
systems outages, and the Commission therefore believes that the 
notification requirements will not require a majority of SCI entities 
to develop policies and procedures that are incongruous with their 
current practice. Moreover, the Commission believes that providing SCI 
entities with 30 days after the end of each quarter is adequate time 
for an SCI entity to prepare its report without unduly diverting SCI 
entity resources away from focusing on SCI events occurring in real 
time.\825\
---------------------------------------------------------------------------

    \824\ See supra note 790.
    \825\ See supra notes 791-793 and accompanying text.
---------------------------------------------------------------------------

    The Commission believes that requiring SCI entities to report de 
minimis systems disruptions and de minimis systems intrusions quarterly 
balances the interest of SCI entities in having a limited reporting 
burden for such types of events with the Commission's interest in 
oversight of the information technology programs and systems compliance 
of SCI entities.\826\ Similarly, the Commission believes that requiring 
recordkeeping of de minimis systems compliance issues allows the 
Commission to adequately monitor compliance with the Exchange Act and 
rules thereunder, while reducing the burdens on SCI entities with 
regard to providing information to the Commission on such de minimis 
systems compliance issues. Accordingly, the Commission has determined 
to exclude certain SCI events from the immediate Commission reporting 
requirements, subject to certain recordkeeping and reporting 
requirements for such events, as applicable.\827\
---------------------------------------------------------------------------

    \826\ The Commission notes an SCI entity should be prepared for 
the possibility that Commission staff may, whether upon request 
pursuant to Rule 1002(b)(3), Rule 1005(b)(3), or Rule 1007 or during 
an examination of its compliance with Regulation SCI, include a 
review of the entity's classification of SCI events as de minimis 
SCI events under Rule 1002(b).
    \827\ While the facts and circumstances surrounding a particular 
SCI event will ultimately determine the severity of a given event, 
including whether the event is reasonably estimated to be a de 
minimis event, a wide range of factors may be relevant to an SCI 
entity in making such a determination. For example, such factors 
could include, but are not limited to: whether critical SCI systems 
are impacted; the duration of the SCI event; whether there is a loss 
of redundancy (that negatively impacts, for example, a source of 
power, telecommunications, or other key service); whether an 
alternate trading system is available following a trading system 
disruption; the size of the affected market trading volume; whether 
the processes for trade completion or clearance and settlement are 
adversely impacted; whether settlement is completed on time; whether 
an event is resolved prior to the market's open; whether a post-
trade event is resolved before the market closes; whether a 
failover, despite being successful, results in a given system 
operating without a backup; and the number of securities symbols 
that are adversely affected.
---------------------------------------------------------------------------

    As described above, the de minimis exception from the immediate 
Commission notification requirements applies to systems compliance 
issues as well as systems disruptions and systems intrusions. The 
Commission believes that this approach strikes a balance that will help 
focus the Commission's and SCI entities' resources on those systems 
compliance issues with more significant impacts. Even if an SCI entity 
determines that the impact of the systems compliance issue is none or 
negligible, however, the Commission believes that it should have ready 
access to records regarding such systems compliance issues, and notes 
that Rule 1002 requires that an SCI entity take corrective action with 
respect to all SCI events, including de minimis systems compliance 
issues.\828\
---------------------------------------------------------------------------

    \828\ See infra note 829 and accompanying text.
---------------------------------------------------------------------------

    The Commission recognizes that in many cases, the discovery of a 
potential systems compliance issue may be of a different nature than 
the discovery of potential systems disruptions or systems intrusions, 
as the latter types of events often have an immediately apparent and 
negative impact on the operations of a given system of the SCI entity. 
In contrast, in many instances, a systems compliance issue may require 
the involvement of various personnel

[[Page 72322]]

(potentially including compliance and/or legal personnel) and a period 
of time may be required to afford such personnel the chance to perform 
a preliminary legal analysis to analyze whether a systems compliance 
issue had, in fact, occurred. Because Rule 1002(b)(1) only requires 
notification to the Commission when responsible SCI personnel have a 
``reasonable basis to conclude'' that a non-de minimis SCI event has 
occurred, the Commission believes it is appropriate for an SCI entity 
to notify the Commission of a non-de minimis systems compliance issue 
after it has conducted such a preliminary legal analysis, unless the 
nature of the issue makes it readily identifiable as a systems 
compliance issue.\829\ Further, if an SCI entity determines that a 
systems compliance issue is de minimis, such event will not be required 
to be reported immediately to the Commission, but rather the SCI entity 
will be required to keep, and provide to representatives of the 
Commission upon request, records of such de minimis systems compliance 
issue. Thus, the Commission believes that, as adopted, the requirements 
with respect to systems compliance issues are reasonable because SCI 
entities are afforded flexibility to assess and understand potential 
SCI events and are not required to notify the Commission prior to 
forming a reasonable basis to conclude that an SCI event has occurred. 
The Commission also believes that, as part of its oversight of the 
securities markets, it should have access to information regarding de 
minimis systems compliance issues when requested. And, although some 
commenters expressed concern that a systems compliance issue is a legal 
conclusion that requires time to analyze and could possibly expose the 
entity to liability if reported,\830\ as discussed above, the 
Commission believes these concerns will be mitigated by the revised 
triggering standard for the obligations in Rule 1002.\831\ However, 
while commenters are correct that the occurrence of a systems 
compliance issue may expose an SCI entity to liability,\832\ the 
occurrence of an SCI event will not necessarily cause a violation of 
Regulation SCI. Further, the occurrence of a systems compliance issue 
also does not necessarily mean that the SCI entity will be subject to 
an enforcement action. Rather, the Commission will exercise its 
discretion to initiate an enforcement action if the Commission 
determines that action is warranted, based on the particular facts and 
circumstances of an individual situation.
---------------------------------------------------------------------------

    \829\ At the same time, the Commission cautions SCI entities 
against unnecessarily delaying Commission notifications of SCI 
events, including systems compliance issues. The Commission notes 
that the notification requirement is triggered when responsible SCI 
personnel have a reasonable basis to conclude that an SCI event has 
occurred and not, for example, when responsible SCI personnel have 
definitively concluded that an SCI event has occurred. As discussed 
above, the Commission does not believe it is appropriate for an SCI 
entity to delay notifying its regulator of a systems compliance 
issue once the SCI entity has a reasonable basis to conclude there 
is one. See supra note 828 and accompanying text.
    \830\ See OTC Markets Letter at 16; and NYSE Letter at 16.
    \831\ See supra Section IV.B.3.a (discussing the triggering 
standard).
    \832\ If an SRO fails to, among other things, comply with the 
provisions of the Exchange Act, the rules or regulations thereunder, 
or its own rules, the Commission is authorized to impose sanctions. 
See 15 U.S.C. 78s(g).
---------------------------------------------------------------------------

Commission Legal Authority
    As noted above, some commenters broadly questioned the Commission's 
legal authority to adopt certain provisions of Regulation SCI as 
proposed, including those relating to Commission notification of SCI 
events, as well as Commission notification of material systems 
changes.\833\ Section 11A(a)(2) of the Exchange Act directs the 
Commission, having due regard for the public interest, the protection 
of investors, and the maintenance of fair and orderly markets, to use 
its authority under the Exchange Act to facilitate the establishment of 
a national market system for securities in accordance with the 
Congressional findings and objectives set forth in Section 11A(a)(1) of 
the Exchange Act. Among the findings and objectives in Section 
11A(a)(1) is that ``[n]ew data processing and communications techniques 
create the opportunity for more efficient and effective market 
operations'' and ``[i]t is in the public interest and appropriate for 
the protection of investors and the maintenance of fair and orderly 
markets to assure . . . the economically efficient execution of 
securities transactions.'' In addition, Sections 6(b), 15A, and 
17A(b)(3) of the Exchange Act impose obligations on national securities 
exchanges, national securities associations, and clearing agencies, 
respectively, to be ``so organized'' and ``[have] the capacity to . . . 
carry out the purposes of [the Exchange Act].''
---------------------------------------------------------------------------

    \833\ See supra note 808 and accompanying text. See infra note 
1268 (noting comments relating to the Commission's legal authority 
for the proposed access provision, which the Commission has 
determined not to adopt in its final rules because the Commission 
can adequately assess an SCI entity's compliance with Regulation SCI 
through existing recordkeeping requirements and examination 
authority, as well as through the new recordkeeping requirement in 
Rule 1005 of Regulation SCI).
---------------------------------------------------------------------------

    Consistent with this statutory authority, the Commission is 
adopting Regulation SCI to require, among other things, that SCI 
entities: (1) Provide certain notices and reports to the Commission to 
improve Commission oversight of securities market infrastructure; and 
(2) have comprehensive policies and procedures in place to help ensure 
the robustness and resiliency of their technological systems, and also 
that their technological systems operate in compliance with the 
Exchange Act, rules thereunder, and with their own rules and governing 
documents. These requirements are important to furthering the 
directives in Section 11A(a)(2) of the Exchange Act that the 
Commission, having due regard for the public interest, the protection 
of investors, and the maintenance of fair and orderly markets, 
facilitate the establishment of a national market system for securities 
in accordance with the Congressional findings and objectives set forth 
in Section 11A(a)(1) of the Exchange Act, including the economically 
efficient execution of securities transactions.
    As discussed in Section I, the U.S. securities markets have been 
transformed in recent years by technological advancements that have 
enhanced the speed, capacity, efficiency, and sophistication of the 
trading functions that are available to market participants. Central to 
these technological advancements have been changes in the automated 
systems that route and execute orders, disseminate quotes, clear and 
settle trades, and transmit market data. At the same time, however, 
these technological advances have generated an increasing risk of 
operational problems with automated systems, including failures, 
disruptions, delays, and intrusions. Accordingly, in today's securities 
markets, properly functioning technology is central to the maintenance 
of fair and orderly markets, the national market system, and the 
efficient and effective market operations and the execution of 
securities transactions. While the Commission's ARP Inspection Program 
has been active in this area, the Commission has not adopted rules 
specific to these matters. The Commission believes that the adoption of 
Regulation SCI, with the modifications from the SCI Proposal as 
discussed above, and compliance with the regulation by SCI entities, 
will further the goals of the national market system. It will help to 
ensure the capacity, integrity, resiliency, availability, and security 
of the automated systems of entities important

[[Page 72323]]

to the functioning of the U.S. securities markets, as well as reinforce 
the requirement that such systems operate in compliance with the 
Exchange Act and rules and regulations thereunder, thus strengthening 
the infrastructure of the U.S. securities markets and improving its 
resilience when technological issues arise. In addition, Regulation SCI 
establishes an updated and formalized regulatory framework, thereby 
helping to ensure more effective Commission oversight of these systems 
whose proper functioning is central to the maintenance of fair and 
orderly markets and for the continued operation of the national market 
system. For these reasons, the Commission disagrees with the comments 
questioning the Commission's legal authority to adopt Regulation SCI.
    More specifically, the Commission disagrees with comment regarding 
its legal authority under Rule 1002(b) related to Commission 
notification of SCI events. As discussed above, having immediate notice 
and continuing updates of non-de minimis SCI events, quarterly reports 
related to de minimis systems disruptions and de minimis systems 
intrusions, and recordkeeping requirements for de minimis SCI events, 
directly enables the Commission to have more effective oversight of the 
systems whose proper functioning is central to the maintenance of fair 
and orderly markets and for the continued operation of the national 
market system. In this respect, Rule 1002(b) is integral to furthering 
the statutory purposes of Section 11A of the Act under which the 
Commission is directed to act. Moreover, the Commission underscores 
that the adopted Commission notification provisions would require 
immediate Commission notice of fewer SCI events than as proposed 
because the adopted definitions of SCI systems, indirect SCI systems, 
systems disruption, and systems compliance issue have been refined from 
the proposal, and de minimis SCI events are not subject to immediate 
notice.
    Some commenters also questioned the Commission's legal authority to 
require Commission notification of material systems changes.\834\ As 
discussed in more detail below, the material systems change reports are 
intended to make the Commission and its staff aware of significant 
systems changes at SCI entities, and thereby improve Commission 
oversight of U.S. securities market infrastructure, which directly 
furthers the findings and objectives set forth in Section 11A(a)(1) of 
the Exchange Act.\835\ The Commission believes that the adopted 
material systems change notification requirement will allow the 
Commission to more efficiently and effectively participate in 
discussions with SCI entities when systems issues occur and will allow 
Commission staff to effectively prepare for inspections and 
examinations of SCI entities. Moreover, Rule 1003(a), as adopted, 
differs significantly from the proposed requirements as it no longer 
requires 30-day advance notification, but rather requires quarterly 
reports of material systems changes. As such, the requirement is 
designed not to result in ``close, minute regulation of computer 
systems and computer security.'' \836\ Additionally, the Commission 
notes that Regulation SCI does not provide for a new review or approval 
process for SCI entities' material systems changes.\837\
---------------------------------------------------------------------------

    \834\ See infra note 1046 and accompanying text.
    \835\ See infra Section IV.B.4 (discussing the requirement to 
notify the Commission of material systems changes).
    \836\ See infra note 1046.
    \837\ As noted below in Section IV.B.4, Commission staff will 
not use material systems change reports to require any approval of 
prospective systems changes in advance of their implementation 
pursuant to any provision of Regulation SCI, or to delay 
implementation of material systems changes pursuant to any provision 
of Regulation SCI.
---------------------------------------------------------------------------

Immediate Commission Notification--Proposed Rule 1000(b)(4)(i)
    Commenters also specifically discussed proposed Rule 1000(b)(4)(i) 
regarding reporting to the Commission on immediate notification SCI 
events. One commenter stated that it generally supported the immediate 
notification requirement of proposed Rule 1000(b)(4)(i) in the case of 
material SCI events,\838\ but other commenters were critical.\839\ For 
example, some commenters stated that the Commission should adopt a 
materiality threshold which would only require an SCI entity to 
immediately report material SCI events.\840\ Similarly, one group of 
commenters suggested a tiered method that would reserve immediate 
notification to the Commission for truly critical events ``where the 
Commission's input would contribute to an expedient resolution,'' while 
requiring SCI entities to have written policies and procedures that 
focus the SCI entity's attention primarily on taking corrective 
measures during an SCI event and maintaining records to provide 
information to the Commission and members and participants as 
appropriate.\841\ Two commenters suggested that different reporting 
standards should apply to different types of systems, suggesting, for 
example, that immediate notification should be required only for higher 
priority systems.\842\
---------------------------------------------------------------------------

    \838\ See MSRB Letter at 18.
    \839\ See, e.g., NYSE Letter at 22.
    \840\ See SIFMA Letter at 13; FIF Letter at 4; ITG Letter at 12; 
NYSE Letter at 23; FINRA Letter at 10, 22; and OCC Letter at 13. One 
commenter stated that, in considering factors that would determine 
whether or not an SCI event is material, the Commission should 
consider the overall market disruption caused by the SCI event, the 
length of the event, the financial impact of the event, and the 
inability to meet core regulatory obligations regarding order 
handling and execution activities. See ITG Letter at 13. Similarly, 
two commenters stated that, with respect to systems compliance 
issues or systems intrusions, immediate notification SCI events 
should be limited to systems compliance issues or systems intrusions 
that the SCI entity reasonably estimates would have a material 
impact on its operations or on market participants. See MSRB Letter 
at 18; and Omgeo Letter at 15. Further, in the case of intrusions, 
one commenter stated that notifications could also include 
intrusions that would cause a malicious unauthorized access to 
confidential data, but recommended that other types of intrusions be 
subject to recordkeeping. See Omgeo Letter at 15. One group of 
commenters supported implementing a materiality threshold for 
systems compliance issues, which it stated should be based on 
factors such as the number of members affected, financial impact and 
operation impact, and these guidelines should be articulated in the 
SCI entities' policies and procedures. See Joint SROs Letter at 9.
    \841\ See Joint SROs Letter at 10.
    \842\ See FINRA Letter at 22 (suggesting, for example, that 
immediate Commission notification should not be required for SCI 
events that occur in systems that do not provide real-time data to 
the market); and SIFMA Letter at 13 (stating that lower 
priority systems should only be reported on an aggregate and 
periodic basis).
---------------------------------------------------------------------------

    One commenter questioned the adequacy of the Commission's asserted 
basis and purpose for requiring notification for the vast majority of 
SCI events.\843\ In this commenter's view, the Commission's asserted 
rationale for the Commission notification requirement \844\ would only 
support requiring immediate notification for a limited number of SCI 
events, where the Commission's involvement is necessary.\845\ For other 
SCI events, in which the Commission would only be gathering and 
analyzing submitted information, the commenter stated that the 
Commission's rationale for requiring immediate notification is 
insufficient.\846\
---------------------------------------------------------------------------

    \843\ See NYSE Letter at 21-22.
    \844\ See Proposing Release, supra note 13, at 18119.
    \845\ See NYSE Letter at 22; see also Joint SROs Letter at 10.
    \846\ See NYSE Letter at 22.
---------------------------------------------------------------------------

    Some commenters addressed the use of the term ``immediately'' in 
the proposed rule. One commenter characterized the proposed immediate 
reporting requirements as rigid, and questioned why reporting could not 
occur ``promptly'' with follow-up as reasonably requested by the 
Commission staff.\847\ Another commenter stated that immediate 
notification is unrealistic and predicted

[[Page 72324]]

that it could trigger an innumerable amount of false alarms.\848\
---------------------------------------------------------------------------

    \847\ See BATS Letter at 12.
    \848\ See Direct Edge Letter at 8.
---------------------------------------------------------------------------

    Other commenters addressed SCI events that occur outside of normal 
business hours. Two commenters believed that an SCI entity should not 
be required to notify the Commission of an SCI event outside of normal 
business hours.\849\ Other commenters stated that material events 
should require immediate notification to the Commission, but all other 
types of events should be reported by the next business day.\850\
---------------------------------------------------------------------------

    \849\ See FINRA Letter at 21; and BATS Letter at 12. FINRA also 
stated that an SCI entity should have one full business day to 
report an SCI event.
    \850\ See, e.g., DTCC Letter at 9 (stating that, outside of 
normal business hours, an SCI entity should only be required to 
notify the Commission of the most critical events; i.e., those with 
the potential to impact the core functions and critical operations 
of the SCI entity); and OCC Letter at 14 (stating that when an event 
is material because it could have a market-wide impact or impact the 
core functions of an SCI entity, immediate notification should be 
required even outside of normal business hours, but all other SCI 
events should be reported no later than the next business day).
---------------------------------------------------------------------------

    One commenter stated that immediate notification of an SCI event 
may be difficult where an SCI entity uses a third party to operate its 
systems, and therefore believed that an SCI entity should not be 
responsible for reporting an SCI event caused by a third party unless 
there is a material impact to the market or the SCI entity's ability to 
meet its service level agreements.\851\ This commenter stated that the 
rule should permit SCI entities flexibility on how to address third 
party issues and requested further guidance from the Commission in this 
area.\852\
---------------------------------------------------------------------------

    \851\ See FINRA Letter at 22; see also supra Section IV.A.2.b 
(discussing the definition of ``SCI systems'' as it relates to third 
parties).
    \852\ See FINRA Letter at 22.
---------------------------------------------------------------------------

Immediate Notification of SCI Events: Adopted Rule 1002(b)(1)
    Adopted Rule 1002(b)(1) requires each SCI entity to notify the 
Commission of an SCI event immediately upon any responsible SCI 
personnel having a reasonable basis to conclude that an SCI event has 
occurred (unless it is a de minimis SCI event). Such notification may 
be provided orally (e.g., by telephone) or in writing (e.g., by email 
or on Form SCI). Although many commenters were critical of the 
immediate notification provision, Rule 1002(b)(1) substantially retains 
the requirements of proposed Rule 1000(b)(4)(i), but is modified in 
certain respects in response to comments.
    The Commission has considered the views of commenters who stated 
that the Commission should require immediate notification only for 
material SCI events, or when Commission involvement would contribute to 
an expedient resolution.\853\ Given the Commission's oversight 
responsibilities over SCI entities and the U.S. securities market 
generally, the notification rule is not intended to be limited to 
instances in which SCI entities might believe that it would be useful 
for the Commission to provide input. SCI event notifications also serve 
the function of providing the Commission and its staff with information 
about the potential impact of an SCI event on the securities markets 
and market participants more broadly, which potential impacts may not 
be readily apparent or important to the SCI entity reporting such an 
event. Moreover, the Commission believes that there will be instances 
in which an SCI entity will not know the significance of an SCI event 
at the time of the occurrence of an event, or whether such event (or, 
potentially, the aggregated impact of several SCI events occurring, for 
example, across many SCI entities) will warrant the Commission's input 
or merit the Commission's awareness, nor does the Commission believe it 
should be solely within an SCI entity's discretion to make such a 
determination. And SCI entities retain the flexibility to revise their 
initial assessments should they subsequently determine that the event 
in question was incorrectly initially assessed to be a de minimis event 
(or incorrectly initially assessed to not be a de minimis event). 
Consequently, the Commission does not agree with commenters who stated 
that only material SCI events should be reported to the Commission 
immediately.\854\
---------------------------------------------------------------------------

    \853\ See supra notes 838-846 and accompanying text.
    \854\ See, e.g., supra note 842 and accompanying text.
---------------------------------------------------------------------------

    The Commission has also considered comments that the term 
``immediately'' as used in proposed Rule 1000(b)(4) is rigid and 
unrealistic.\855\ The Commission, in adopting Rule 1002(b), has 
retained the requirement that SCI entities must notify the Commission 
immediately; however, as discussed in detail above,\856\ the triggering 
standard has been modified so that the notification obligations of Rule 
1002(b) are triggered only upon any responsible SCI personnel having a 
reasonable basis to conclude that an SCI event has occurred. The 
Commission believes this modification responds to commenters' concerns 
that the ``immediate'' reporting requirement is too rigid or would pose 
practical difficulties, as it allows additional time for escalation to 
senior SCI entity personnel and for the performance of preliminary 
analysis and assessment regarding whether an SCI event has, in fact, 
occurred before requiring notification to the Commission. As such, the 
Commission believes that the immediate notification requirement of Rule 
1002(b)(1) will not unduly cause ``false alarms,'' as one commenter 
stated.\857\ At the same time, the Commission believes that the 
immediate notification requirement, as adopted, will help ensure that 
the Commission and its staff are kept apprised of SCI events after they 
occur, and as their impact unfolds and is mitigated and, ultimately, as 
the SCI entity engages in corrective action to resolve the SCI events. 
Additionally, the Commission notes that immediate notifications made 
pursuant to Rule 1002(b)(1) may be made orally (e.g., by telephone) or 
in a written form (e.g., by email or on Form SCI).\858\ The Commission 
notes that, by not prescribing the precise method of communication for 
an immediate notification, SCI entities are afforded the flexibility to 
determine the most effective and efficient method to communicate with 
the Commission.
---------------------------------------------------------------------------

    \855\ See supra note 847 and accompanying text.
    \856\ See supra Section IV.B.3.a (discussing the triggering 
standard).
    \857\ See supra note 848 and accompanying text. The Commission 
notes that, if an SCI entity at some point after submitting an 
immediate notification concludes after further investigation and 
analysis that it was incorrect in its initial determination that an 
SCI event had occurred, the SCI entity should alert the Commission 
of its updated assessment pursuant to Rule 1002(b)(3). Relatedly, 
Rule 1002(b) is designed to provide SCI entities flexibility in 
notifying the Commission of the details regarding an SCI event (for 
example, through the ability to provide the Rule 1002(b)(2) written 
notification on a good faith, best efforts basis) and time to assess 
and analyze the SCI event (for example, by requiring that the Rule 
1002(b)(2) written notification only provide a description of the 
SCI event, including the system(s) affected, and with additional 
information only required to the extent available at that time).
    \858\ The Commission notes that, prior to the compliance date of 
Regulation SCI, Commission staff intends to notify SCI entities of 
the email addresses, phone numbers, and contact persons that SCI 
entities should use when notifying the Commission of SCI events 
under Rule 1002(b).
---------------------------------------------------------------------------

    The Commission has also considered comments that immediate 
notification should not be required outside of normal business hours, 
or that it should only be required outside of normal business hours in 
the case of material SCI events.\859\ The Commission notes that the 
adopted rule will afford SCI entities considerable flexibility in how 
to communicate an immediate notification to the Commission--that is, 
SCI entities may satisfy the immediate

[[Page 72325]]

notification requirement simply by communicating with the Commission 
via telephone or email. In addition, because an SCI entity's obligation 
to report to the Commission is not triggered until responsible SCI 
personnel have a reasonable basis to conclude that an SCI event has 
occurred,\860\ the Commission does not believe that timely 
notification, even outside of normal business hours, is so onerous that it 
necessitates allowing a full business day to comply. Particularly 
because it has determined to exclude de minimis SCI events from the 
immediate notification requirement, the Commission believes that it is 
reasonable to require that an SCI event (except those specified in Rule 
1002(b)(5)) be reported to the Commission orally (e.g., by telephone) 
or in writing (e.g., by email or on Form SCI) when responsible SCI 
personnel have a reasonable basis to conclude that an SCI event has 
occurred, even if such communication may be outside of normal business 
hours. Because the rule provides flexibility to more easily enable 
communication--by permitting oral notification--of the fact of an SCI 
event to the Commission, and because only non-de minimis SCI events are 
subject to this requirement, the Commission believes notice to the 
Commission is appropriate sooner rather than later. In addition, as 
discussed above, the Commission believes that there may be situations 
where the severity of an SCI event may not be immediately apparent to 
an SCI entity experiencing the event, but the Commission, from its 
unique position, may determine as a result of receiving multiple 
immediate notifications, each related to an SCI event of a similar 
nature, that the SCI event is part of a pattern of a larger, more 
significant occurrence. The Commission is therefore adopting Rule 
1002(b) to require that an SCI entity notify the Commission of an SCI 
event immediately upon any responsible SCI personnel having a 
reasonable basis to conclude that an SCI event has occurred, without an 
exception for periods outside of normal business hours.
---------------------------------------------------------------------------

    \859\ See, e.g., supra notes 849 and 794-797 and accompanying 
text.
    \860\ See supra Section IV.B.3.a (discussing the triggering 
standard).
---------------------------------------------------------------------------

    In addition, as noted above, the information submitted to the 
Commission pursuant to Regulation SCI will be treated as confidential, 
subject to applicable law \861\ and, as noted in Sections IV.B.1.b.i 
and IV.B.2.a, the occurrence of an SCI event does not necessarily mean 
that an SCI entity has violated Regulation SCI.
---------------------------------------------------------------------------

    \861\ See supra note 674.
---------------------------------------------------------------------------

    The Commission disagrees with the commenter who stated that the 
Commission should not require SCI entities to be responsible for 
reporting an SCI event caused by a third party because immediate 
notification would be difficult.\862\ An SCI event, whether or not 
caused by a third party system, by definition relates to an SCI system 
or indirect SCI system. As explained in Section IV.A.2 above 
(discussing the definitions of ``SCI systems'' and ``indirect SCI 
systems''), the Commission has adopted the definition of SCI systems to 
include, specifically, those systems of SCI entities that would be 
reasonably likely to impact the protection of investors and the 
maintenance of fair and orderly markets and an SCI entity's operational 
capability, and has not excluded third party systems from the 
definition. As stated above, if an SCI entity is uncertain of its 
ability to manage a third-party relationship to satisfy the 
requirements of Regulation SCI, then it would need to reassess its 
decision to outsource the applicable system to such third party.\863\
---------------------------------------------------------------------------

    \862\ See supra notes 851-852 and accompanying text.
    \863\ See supra note 260 and accompanying text.
---------------------------------------------------------------------------

    In response to comment that SCI entities would be required to 
provide notification reports multiple times to different Commission 
staff for the same event,\864\ the Commission notes that the rule does not 
include such a requirement. In addition, the Commission also disagrees 
with the commenter who stated that, for systems disruptions, 
notifications should not be required from each separate entity where a 
disruption impacts multiple SCI entities.\865\ Excusing immediate 
notification where a given event seems to be affecting multiple SCI 
entities would not be appropriate because the Commission, as the 
centralized receiver of notifications, will be the entity that will be 
in a position to determine whether, in fact, SCI entities are 
concurrently experiencing the same SCI event. Moreover, even if a given 
event affects multiple SCI entities, it may be the case that the event 
impacts each SCI entity and the affected systems in a different manner, 
and thus the Commission believes it is important to receive individual 
notifications from each affected SCI entity.
---------------------------------------------------------------------------

    \864\ See, e.g., supra note 805 and accompanying text.
    \865\ See, e.g., id.
---------------------------------------------------------------------------

Written Commission Notification: Proposed Rule 1000(b)(4)(ii)
    Commenters also specifically discussed and suggested alternatives 
to proposed Rule 1000(b)(4)(ii), which would have required an SCI 
entity, within 24 hours of any responsible SCI personnel becoming aware 
of any SCI event, to submit a written notification pertaining to such 
SCI event to the Commission. Many commenters stated that the proposed 
24-hour time frame was too short or burdensome.\866\ Several commenters 
specifically suggested that the Commission extend the time frame to 
allow SCI entities to attend to the SCI event without also devoting 
resources to notifying the Commission, suggesting different time frames 
they believed to be appropriate.\867\ One commenter suggested that SCI 
entities be given until 24 to 48 hours after final resolution of the 
SCI event to submit a written notification.\868\ Another commenter 
similarly recommended that, where real-time notification is needed, 
written notification should not be required unless an SCI event remains 
unresolved after a reasonable period (such as 10 or 15 days).\869\
---------------------------------------------------------------------------

    \866\ See NYSE Letter at 23; FINRA Letter at 19; BATS Letter at 
12; DTCC Letter at 9; MSRB Letter at 18; SIFMA Letter at 13; FIF 
Letter at 5; BIDS Letter at 10; Omgeo Letter at 17; and CME Letter 
at 9.
    \867\ Commenters suggested time frames of 48 hours (CME Letter 
at 9); 72 hours (OCC Letter at 12; DTCC Letter at 9, 11 (noting, 
however, that details surrounding an SCI event should not be 
required to be provided in writing until after the investigation of 
the event is complete and the event has been resolved)); and five 
business days (BIDS Letter at 10).
    \868\ See FINRA Letter at 20. This commenter further suggested 
that, if an SCI event has not been fully resolved within a 
reasonable period, e.g., 10 or 15 days, an SCI entity could be 
required to submit written notification based on currently available 
information at the end of that period, with periodic status updates 
via telephone or email, and a final written submission within 24 to 
48 hours after the event has been fully resolved.
    \869\ See SIFMA Letter at 14.
---------------------------------------------------------------------------

    Some commenters also suggested that, if the Commission retains the 
24-hour requirement, it should require provision of less information. 
For example, one commenter suggested that SCI entities should only be 
required to provide whatever information is sufficiently reliable at 
that time.\870\ Two other commenters stated that SCI entities should 
not be required to include an estimate of the markets and participants

[[Page 72326]]

impacted by an SCI event or to quantify such impact because this 
requirement may create a risk of civil liability for the SCI 
entity.\871\ Another commenter recommended that the rule require only a 
brief written summary that is one or two paragraphs, which could be 
supplemented by oral communications and a longer summary within 15 days 
after an SCI event has been fully resolved.\872\
---------------------------------------------------------------------------

    \870\ See FINRA Letter at 20. This commenter also suggested that 
the rule require an SCI entity to assess the ``business impact'' of 
an SCI event, noting that this information may provide more context 
than requiring an SCI entity to estimate the number of market 
participants impacted by an SCI event (which in some cases could be 
zero, but still have a negative impact on the SCI entity). See FINRA 
Letter at 30.
    \871\ See DTCC Letter at 10; and Omgeo Letter at 30. Omgeo added 
that such a calculation would be difficult to compute, likely 
inaccurate, and of little use to the Commission.
    \872\ See Omgeo Letter at 17.
---------------------------------------------------------------------------

    With respect to the information provided to the Commission via 
notification of an SCI event, one commenter suggested that the rule 
provide a safe harbor for entities and employees for either inadvertent 
omissions in a submitted report, or when a good faith, documented 
determination is made that no report is required.\873\ One commenter 
stated that the Commission should expressly provide that initial 
written submissions are to be made on a best efforts basis and SCI 
entities will incur no liability or penalty for any unintentional 
inaccuracies or omissions contained in these submissions.\874\ Some 
commenters stated that entities should not be liable for information 
that is later found to be incomplete or inaccurate.\875\
---------------------------------------------------------------------------

    \873\ See id. at 18.
    \874\ See FINRA Letter at 20.
    \875\ See, e.g., SIFMA Letter at 14; and UBS Letter at 4 
(stating that SCI entities acting in good faith should not be held 
accountable if details offered in reports to the Commission are 
substantially different from what is revealed by further analysis).
---------------------------------------------------------------------------

    Some commenters \876\ questioned the purpose of requiring that 
information disseminated to members and participants (under proposed 
Rule 1000(b)(5)) be copied and attached to Form SCI as part of 
notifications to the Commission, and considered it ``an overly broad 
inclusion of communications'' that would have ``a chilling effect on 
communications between the SCI entities and their members and 
participants,'' \877\ while another commenter argued that, when an 
exchange is having a technology issue, many members may be reaching out 
to the exchange's staff with requests for information and status. 
Therefore, that commenter questioned the feasibility, need, and 
potential impact of the proposed requirement that SCI entities provide 
a copy of any information disseminated to date regarding the SCI event 
to their members or participants.\878\
---------------------------------------------------------------------------

    \876\ Because the requirement to provide information 
disseminated to an SCI entity's members or participants is now 
included in the Final Report (Rule 1002(b)(4)) instead of with the 
24-hour written notification requirement as proposed, the Commission's 
response to these comments is discussed below in the subsection 
``Final Report: Adopted Rule 1002(b)(4).''
    \877\ See Joint SROs Letter at 11.
    \878\ See Direct Edge Letter at 7-8.
---------------------------------------------------------------------------

    One commenter stated that, to reduce the cost of compliance, the 
Commission should accept the same notifications of service 
interruptions that an ATS already provides to its subscribers.\879\
---------------------------------------------------------------------------

    \879\ See BIDS Letter at 11.
---------------------------------------------------------------------------

    Commenters also provided suggestions for limiting the circumstances 
for which 24-hour written notification would be required under proposed 
Rule 1000(b)(4)(ii). One commenter stated that only SCI events that 
materially impact an SCI entity's operations or market participants 
should be subject to the 24-hour written notification requirement, but 
questioned whether 24 hours was realistic even for those events.\880\ 
One commenter suggested that proposed Rule 1000(b)(4)(ii) only apply to 
significant SCI events and that other events only be subject to a 
recordkeeping requirement.\881\ In addition, some commenters suggested 
that if an SCI entity has provided oral notification to the Commission, 
it should not be required to file written notice within 24 hours after 
the initial report unless reasonably requested by the Commission.\882\
---------------------------------------------------------------------------

    \880\ See MSRB Letter at 18.
    \881\ See CME Letter at 9.
    \882\ See BATS Letter at 12; and Omgeo Letter at 17. See also 
DTCC Letter at 10; and OCC Letter at 14 (suggesting 72 hours to 
provide written information after providing verbal notification).
---------------------------------------------------------------------------

Written Notification Within 24 Hours: Adopted Rule 1002(b)(2)
    Adopted Rule 1002(b)(2) requires an SCI entity, within 24 hours of 
any responsible SCI personnel having a reasonable basis to conclude 
that the SCI event has occurred, to submit a written notification 
pertaining to such SCI event to the Commission. Rule 1002(b)(2) allows 
for such written notifications to be made on a good faith, best efforts 
basis and requires that it include: (i) A description of the SCI event, 
including the system(s) affected; and (ii) to the extent available as 
of the time of the notification: the SCI entity's current assessment of 
the types and number of market participants potentially affected by the 
SCI event; the potential impact of the SCI event on the market; a 
description of the steps the SCI entity has taken, is taking, or plans 
to take, with respect to the SCI event; the time the SCI event was 
resolved or timeframe within which the SCI event is expected to be 
resolved; and any other pertinent information known by the SCI entity 
about the SCI event.
    The Commission has considered comments stating that 24 hours is too 
short and burdensome a duration for an SCI entity to submit a compliant 
written notification.\883\ The Commission understands commenters' 
concerns that SCI entities may still be actively investigating and 
working to resolve an SCI event and that information it initially 
provides to the Commission about an SCI event may not ultimately prove 
correct.\884\ Therefore, in line with commenters' concerns regarding a 
good faith and best efforts standard,\885\ the Commission has modified 
the 24-hour written notification requirement in adopted Rule 1002(b) to 
make clear that the written notification should be provided on a ``good 
faith, best efforts basis.'' This modification acknowledges that a 
written notification provided within 24 hours may provide only a 
preliminary assessment of the SCI event, that additional information 
may come to light after the initial 24-hour period, and that the 
initial assessment may prove in retrospect to be incorrect or 
incomplete. Consequently, the adopted rule requires that the written 
notification provided within 24 hours be submitted on a good faith, 
best efforts basis, and does not require that the written notification 
be a comprehensive or complete assessment of the SCI event (unless, of 
course, an SCI entity has completed a full assessment by such time). 
The Commission believes that a ``good faith'' standard will help to 
ensure that SCI entities will not be accountable for unintentional 
inaccuracies or omissions contained in these submissions, and a ``best 
efforts'' standard will help to ensure that SCI entities will make a 
diligent and timely attempt to provide all the information required by 
the written notification requirement. The Commission also notes that an 
SCI entity will not need to submit a written notification where an SCI 
entity documents that an SCI event is determined to be a de minimis SCI 
event, other than including de minimis systems disruptions and de 
minimis systems intrusions in the quarterly report required by Rule 
1002(b)(5). As discussed in further detail below, in the event that new 
information comes to light or previously reported information is found 
to be materially incorrect, adopted Rule 1002(b)(3) requires an SCI 
entity to update the information at that

[[Page 72327]]

time, and does not require that such updates be written.\886\ The 
Commission believes these modifications will help ensure that SCI 
entities are able to provide the information required by Rule 
1002(b)(2) within 24 hours, and therefore the Commission is not 
modifying the timeframe to extend beyond 24 hours, as requested by 
several commenters.\887\ Moreover, because the information need only be 
provided on a good faith, best efforts basis and, pursuant to Rule 
1002(b)(3), updates can be provided on a regular basis to correct any 
materially incorrect information previously provided or when new 
material information is discovered, the Commission disagrees with 
commenters that stated that the information required by Rule 1002(b) 
should be provided only after resolution of the SCI event. The 
Commission continues to believe that Rule 1002(b)(2)'s requirement to 
provide information to the Commission within 24 hours is appropriately 
tailored to help the Commission and its staff quickly assess the nature 
and the scope of an SCI event and will contribute to more timely and 
effective Commission oversight of systems whose proper functioning is 
central to the maintenance of fair and orderly markets, and that this 
would particularly be the case for SCI events that are not yet 
resolved.\888\
---------------------------------------------------------------------------

    \883\ See, e.g., supra note 866 and accompanying text.
    \884\ See supra notes 873-875 and accompanying text.
    \885\ See id.
    \886\ See infra note 909 and accompanying text.
    \887\ See supra notes 867-869 and accompanying text; and 
Proposing Release, supra note 13, at 18119.
    \888\ See supra notes 868 and 872 and accompanying text.
---------------------------------------------------------------------------

    Adopted Rule 1002(b)(2) is also responsive to comments urging the 
Commission to require less information in a 24-hour written 
notification.\889\ Specifically, whereas proposed Rule 1000(b)(4) 
required a detailed description of the SCI event, adopted Rule 
1002(b)(2)(i) specifies that an SCI entity must only provide ``a 
description of the SCI event, including the system(s) affected.'' 
Additional information is only required to the extent available as of 
the time of the notification, which includes an ``SCI entity's current 
assessment of the types and number of market participants potentially 
affected by the SCI event; the potential impact of the SCI event on the 
market; a description of the steps the SCI entity has taken, is taking, 
or plans to take, with respect to the SCI event; the time the SCI event 
was resolved or timeframe within which the SCI event is expected to be 
resolved; and any other pertinent information known by the SCI entity 
about the SCI event.'' \890\ This information is the type of necessary 
information that SCI entities are able to provide in a short timeframe 
and that the Commission has come, over time, to rely upon to properly 
assess systems issues.
---------------------------------------------------------------------------

    \889\ See supra notes 870-872 and accompanying text.
    \890\ Rule 1002(b)(2)(ii). The information required to be 
provided in Rule 1002(b)(2)(ii) is a subset of information proposed 
to be required under Rule 1000(b)(4)(iv)(A)(1)-(2) of the SCI 
Proposal.
---------------------------------------------------------------------------

    Additionally, the Commission notes that adopted Rule 1002(b) does 
not require that an SCI entity provide the Commission, at the time of 
the initial notice to the Commission, with its current assessment of 
the SCI event, including a discussion of the determination of whether 
it is subject to a dissemination requirement, as proposed in Rule 
1000(b)(4).
    The Commission has also determined to further refine the scope of 
information that needs to be reported in the 24-hour written 
notification by requiring that the following items instead be included 
in the final report under Rule 1002(b)(4), rather than in the 24-hour 
written notification required by Rule 1002(b)(2): A description of the 
SCI entity's rule(s) and/or governing document(s), as applicable, that 
relate to the SCI event; and an analysis of parties that may have 
experienced a loss, whether monetary or otherwise, due to the SCI 
event, the number of such parties, and an estimate of the aggregate 
amount of such loss.\891\
---------------------------------------------------------------------------

    \891\ At the same time, if such information is known at the time 
of the notification, the SCI entity will be required to provide it 
pursuant to Rule 1002(b)(2)(ii)'s requirement that the SCI entity 
provide ``any other pertinent information known . . . about the SCI 
event.'' Additionally, such information would be provided under the 
requirement to provide the Commission with regular updates under 
Rule 1002(b)(3)'s requirement to provide any of the information 
listed in Rule 1002(b)(2)(ii) if it becomes available after the time 
of submission of the 24-hour notification. The Commission also notes 
that Rule 1002(b)(4)(ii) requires that an SCI entity include in the 
final report a copy of any information disseminated pursuant to Rule 
1002(c) by the SCI entity to date regarding an SCI event to any of 
its members or participants.
---------------------------------------------------------------------------

    In response to commenters who suggested that the Commission limit 
the events for which 24-hour written notification would be required to 
material events,\892\ the Commission notes that it has partially 
responded to such comments by providing an exception to the immediate 
notification requirement for de minimis events in Rule 1002(b)(5). The 
Commission believes that this exception should reduce the overall 
number of SCI events subject to immediate notification requirements as 
compared to what would have been required if the SCI Proposal was 
adopted without modification and, consequently, the requirement to 
submit a written notification within 24 hours of an SCI event, thereby 
alleviating some of the burdens about which commenters expressed 
concerns. Moreover, the Commission believes that a materiality 
threshold would likely exclude from the 24-hour written notification a 
large number of SCI events that are not de minimis SCI events but that 
the Commission, as part of its oversight role, should be updated on so 
that the Commission and its staff can quickly assess the nature and 
scope of those SCI events and potentially assist the SCI entity in 
identifying the appropriate response, including ways to mitigate the 
impact of SCI events on investors and promote the maintenance of fair 
and orderly markets. The Commission reemphasizes that the information 
to be provided under the 24-hour written notification would represent 
the SCI entity's preliminary assessment--performed on a good faith, 
best efforts basis--of the SCI event, and only certain key information 
is required under the 24-hour written notification, with ``other 
pertinent information'' required only where ``known by the SCI entity'' 
within the 24-hour timeframe. For these reasons, the Commission has 
determined not to adopt a materiality threshold for the requirement 
that an SCI entity update the Commission within 24 hours after it has a 
reasonable basis to conclude that an SCI event has occurred.
---------------------------------------------------------------------------

    \892\ See supra note 880 and accompanying text.
---------------------------------------------------------------------------

    Additionally, the Commission disagrees with those commenters who 
stated that written notification should only be required when 
reasonably requested by the Commission.\893\ The Commission believes 
that it should be notified of all SCI events and that all SCI events 
(other than those specified in Rule 1002(b)(5)) should be subject to 
the 24-hour written notification requirement because, by articulating 
in a single notification what is currently known about an SCI event and 
the steps expected to be taken to respond to the SCI event, the 
Commission will be better able to assess the nature and scope of, and 
respond to, SCI events and potentially assist SCI entities in 
identifying the appropriate response, including ways to mitigate the 
impact of SCI events on investors and promote the maintenance of fair 
and orderly markets.
---------------------------------------------------------------------------

    \893\ See supra note 882 and accompanying text.
---------------------------------------------------------------------------

    In response to the comment that the Commission should accept the 
same notifications of service interruptions that an ATS provides to its

[[Page 72328]]

subscribers,\894\ the Commission believes that SCI ATSs can use the 
types of information contained in ATS notices to subscribers when 
completing Form SCI, but nevertheless believes that it is more useful 
and efficient for the Commission and its staff to be able to have all 
SCI event notifications standardized in a single format (i.e., Form 
SCI).
---------------------------------------------------------------------------

    \894\ See supra note 879 and accompanying text.
---------------------------------------------------------------------------

    As discussed above, the information required under the adopted 
24-hour written notification requirement has been refined as compared with 
the requirements in the proposal. Consequently, the Commission believes 
that SCI entities should be able to provide the Commission with this 
information in a written format, and does not agree that such 
information should be provided in an oral format, as requested by some 
commenters, regardless of the manner in which the immediate 
notification was provided to the Commission.\895\ The Commission 
emphasizes that regular updates provided under Rule 1002(b)(3) may, 
however, be provided either orally or in written form.\896\
---------------------------------------------------------------------------

    \895\ See supra notes 872 and 882 and accompanying text.
    \896\ See infra note 911 and accompanying text.
---------------------------------------------------------------------------

    In response to commenters that stated SCI entities should not be 
required to include an estimate of the market participants impacted by 
an SCI event or to quantify such impact because this requirement may 
create a risk of civil liability for the SCI entity,\897\ the 
Commission notes that the information submitted to the Commission 
pursuant to Regulation SCI will be treated as confidential, subject to 
applicable law, including amended Rule 24b-2.\898\ Moreover, the 
requirement to provide a 24-hour written notification does not itself 
create a risk of civil liability, but the Commission acknowledges that 
the information provided to it may be subject to FOIA requests.
---------------------------------------------------------------------------

    \897\ See supra note 871.
    \898\ See supra notes 802-803 and accompanying text. For a 
discussion of the amendment to Rule 24b-2, see infra notes 1245-1248 
and accompanying text.
---------------------------------------------------------------------------

    Regarding the comment that the requirement to include an estimate 
of the markets and participants impacted by an SCI event or to quantify 
such impact would be difficult to compute, likely inaccurate, and of 
little use to the Commission,\899\ the Commission disagrees. The rule 
requires an SCI entity to provide its current assessment of the types 
and number of market participants potentially affected by the SCI event 
and the potential impact of the SCI event on the market, to the extent 
this information is available as of the time of the notification, 
rather than an exact computation. In addition, the rule does not 
require that the assessment be submitted only if the SCI entity ensures 
that it is free of inaccuracies. Further, contrary to the commenter's 
suggestion, the Commission believes that such estimates will be of 
significant use to the Commission and its staff in understanding the 
potential severity of the SCI event. In addition, because the SCI 
entity is likely to be in the best position to assess an SCI event, the 
Commission also believes that an assessment of the impact of an SCI 
event on markets and participants is useful because it affords the 
Commission the opportunity to learn the SCI entity's perspective on the 
potential or actual impact of an SCI event.\900\
---------------------------------------------------------------------------

    \899\ See supra note 871 and accompanying text.
    \900\ The Commission notes that SCI entities retain the 
flexibility to provide additional information to the Commission as 
part of their assessments, such as providing the ``business impact'' 
of an SCI event, as suggested by one commenter. See supra note 870.
---------------------------------------------------------------------------

Written Commission Updates: Proposed Rule 1000(b)(4)(iii)
    Commenters also addressed proposed Rule 1000(b)(4)(iii), which 
required an SCI entity to provide the Commission written updates 
pertaining to an SCI event on a regular basis, or at such frequency as 
reasonably requested by a representative of the Commission, until the 
SCI event was resolved. Some commenters urged the Commission to provide 
clarity on the definition of ``resolved.'' \901\ For example, one 
commenter suggested that the Commission should define the resolution of 
an SCI event to be when the affected SCI systems have been 
normalized,\902\ and another commenter stated that there should be a 
precise definition of when an SCI event is resolved and that definition 
should be linked directly to the definition of the SCI event 
itself.\903\ Other commenters expressed concern that the continuing 
update requirement could divert resources from resolution of the SCI 
event and suggested that updates be required only to the extent they 
would not interfere with event resolution.\904\ One commenter stated 
that continual updates should only be necessary if the SCI entity had 
not resolved the event within a reasonable period, such as 10 to 15 
days.\905\
---------------------------------------------------------------------------

    \901\ See DTCC Letter at 11; and Omgeo Letter at 18.
    \902\ See DTCC Letter at 11.
    \903\ See Omgeo Letter at 18.
    \904\ See MSRB Letter at 19; and OCC Letter at 14.
    \905\ See FINRA Letter at 20.
---------------------------------------------------------------------------

    Other commenters addressed the method of providing updates. For 
example, one commenter stated that only oral communication should be 
required when an SCI event is ongoing, and that the rule should allow a 
written supplement to a final or post mortem report if additional 
information comes to light regarding the SCI event.\906\ Another 
commenter suggested that updates should be permitted to be in writing 
or provided orally based on the judgment of the SCI entity.\907\ 
Finally, one commenter stated that requests for updates regarding SCI 
events should only be permitted to come from senior staff at the 
Commission.\908\
---------------------------------------------------------------------------

    \906\ See Omgeo Letter at 17.
    \907\ See MSRB Letter at 19.
    \908\ See NYSE Letter at 24.
---------------------------------------------------------------------------

Regular Updates: Adopted Rule 1002(b)(3)
    Rule 1002(b)(3) requires that, until such time as an SCI event is 
resolved, and the SCI entity's investigation of the SCI event is 
closed, an SCI entity provide the Commission with updates pertaining to 
the SCI event on a regular basis, or at such frequency as reasonably 
requested by a representative of the Commission. Updates are required 
to correct any materially incorrect information previously provided, or 
when new material information is discovered, including but not limited to, 
any of the information listed in Rule 1002(b)(2)(ii).
    While the Commission recognizes that providing the Commission with 
such updates imposes an additional reporting requirement on SCI 
entities, the Commission also believes that updates are important to 
allow the Commission to fully monitor the SCI event. In addition, the 
Commission believes that the update requirement will encourage SCI 
entities to formalize their processes for gathering information on SCI 
events, which will help to ensure that responsible SCI personnel 
receive accurate and updated information on SCI events as they are 
being resolved, and further, that this process may be helpful to SCI 
entities when providing information about SCI events to their members 
or participants. Also, because the Commission has revised the 
requirements of the 24-hour notification to allow SCI entities to 
provide information on a good faith, best efforts basis and has limited 
the scope of information required in that report as discussed above, 
the Commission believes that updates to the Commission to correct 
materially incorrect information previously reported or when new 
material information is

[[Page 72329]]

discovered as required by the rule is important to keep the Commission 
up to date with accurate information, including the following: The SCI 
entity's current assessment of the types and number of market 
participants potentially affected by the SCI event; the potential 
impact of the SCI event on the market; a description of the steps the 
SCI entity has taken, is taking, or plans to take, with respect to the 
SCI event; the time the SCI event was resolved or timeframe within 
which the SCI event is expected to be resolved; and any other pertinent 
information known by the SCI entity about the SCI event. Consequently, 
the Commission does not agree with the commenter who suggested that 
updates should be only required if an SCI event has not been resolved 
within a reasonable amount of time, such as 10 to 15 days.\909\
---------------------------------------------------------------------------

    \909\ See supra note 870 and accompanying text.
---------------------------------------------------------------------------

    The Commission believes that updates regarding this information are 
important to enhance the Commission's oversight of the securities 
markets and its informed and continued understanding of an SCI event. 
Moreover, the Commission underscores that updates are only required to 
the extent that they correct any materially incorrect information 
previously provided or when new material information is discovered, 
including but not limited to, any of the information listed in Rule 
1002(b)(2)(ii), thereby alleviating the burden to SCI entities of 
providing such updates absent such circumstances.\910\ The Commission 
has also eased the requirements of the proposed update provision by 
eliminating the proposed requirements that an SCI entity attach a copy 
of any information disseminated to date regarding the SCI event to its 
members or participants or on the SCI entity's publicly available Web 
site; a description of the SCI entity's rule(s) and/or governing 
document(s), as applicable, that relate to the SCI event; an analysis 
of parties that may have experienced a loss, whether monetary or 
otherwise, due to the SCI event, the number of such parties, and an 
estimate of the aggregate amount of such loss. Instead, these 
information requirements must only be provided as part of the final 
report required by Rule 1002(b)(4), and the Commission therefore 
believes that burdens associated with the continuing update requirement 
will be streamlined because SCI entities will not need to devote 
resources to providing written updates while an SCI event is ongoing.
---------------------------------------------------------------------------

    \910\ The requirement that updates regarding new or corrected 
information be provided on a regular basis (unless an alternative, 
specific frequency is reasonably requested by a representative of 
the Commission) is designed to take into account the fact that new 
or updated information may develop at different frequencies for 
different SCI events.
---------------------------------------------------------------------------

    At the same time, the Commission is cognizant of the burdens 
associated with requiring written updates and therefore has revised the 
update requirement in adopted Rule 1002(b)(3) to remove the proposed 
requirement that such updates be provided in written form. Thus, 
submission of updates may be provided either orally or in written form, 
and will result in a lighter burden on SCI entities than the proposed 
requirement, and is responsive to commenters that suggested that SCI 
entity resources would be better directed to resolving an SCI 
event.\911\
---------------------------------------------------------------------------

    \911\ See supra note 791 and accompanying text. SCI entities 
may, but are not required to, utilize Form SCI to submit such 
updates. See Section IV.D (discussing Form SCI). The Commission also 
believes that, to the extent commenters suggested that the 
Commission permit oral updates, they did so because, at least in 
part, oral updates are less burdensome to SCI entities than written 
updates. See supra notes 906-907 and accompanying text.
---------------------------------------------------------------------------

    In response to comment that the Commission provide guidance to 
clarify when an SCI event has been ``resolved'' \912\ and in line with 
the particular comment that the concept of resolution should be linked 
directly to the definition of the SCI event itself,\913\ the Commission 
believes that an SCI event is resolved when the event no longer meets 
the definitions of a systems disruption, systems intrusion, or systems 
compliance issue, as defined in Rule 1000, and that an SCI entity's 
Rule 1002(b) reporting obligations are completed when an SCI entity 
submits a final report as required by Rule 1002(b)(4). Further, the 
Commission does not believe that it is necessary to prescribe that 
requests to SCI entities regarding updates should come solely from 
senior Commission staff, as suggested by one commenter.\914\ The 
Commission believes that requiring an SCI entity to update the 
Commission at such frequency as reasonably requested by a 
representative of the Commission provides appropriate flexibility to 
the Commission to request additional information as necessary, but does 
not anticipate that requests will be made by multiple members of the 
Commission staff because the Commission expects that such requests 
would be coordinated by a particular group of Commission staff that are 
assigned to handle specific reports from SCI entities.
---------------------------------------------------------------------------

    \912\ See supra notes 902-903 and accompanying text.
    \913\ See supra note 903 and accompanying text.
    \914\ See supra note 802 and accompanying text.
---------------------------------------------------------------------------

Final Report: Adopted Rule 1002(b)(4)
    Adopted Rule 1002(b)(4) requires that if an SCI event is resolved 
and the SCI entity's investigation of the SCI event is closed within 30 
days of the occurrence of the SCI event, then within five business days 
after the resolution of the SCI event and closure of the SCI entity's 
investigation regarding the SCI event, the SCI entity is to submit a 
final written notification pertaining to such SCI event to the 
Commission (``final report''). The final report is required to include: 
(i) A detailed description of: The SCI entity's assessment of the types 
and number of market participants affected by the SCI event; the SCI 
entity's assessment of the impact of the SCI event on the market; the 
steps the SCI entity has taken, is taking, or plans to take, with 
respect to the SCI event; the time the SCI event was resolved; the SCI 
entity's rule(s) and/or governing document(s), as applicable, that 
relate to the SCI event; and any other pertinent information known by 
the SCI entity about the SCI event; (ii) a copy of any information 
disseminated pursuant to Rule 1002(c) by the SCI entity to date 
regarding the SCI event to any of its members or participants; and 
(iii) an analysis of parties that may have experienced a loss, whether 
monetary or otherwise, due to the SCI event, the number of such 
parties, and an estimate of the aggregate amount of such loss. Rule 
1002(b)(4) also specifies that, if an SCI event is not resolved or the 
SCI entity's investigation of the SCI event is not closed within 30 
days of the occurrence of the SCI event, then, the SCI entity is 
required to submit a written notification pertaining to such SCI event 
to the Commission within 30 days after the occurrence of the SCI event 
containing the information required in Rules 1002(b)(4)(i)-(iii), to 
the extent known at the time. Within five business days after the 
resolution of such SCI event and closure of the investigation regarding 
such SCI event, the SCI entity is required to submit a final written 
notification pertaining to such SCI event to the Commission containing 
the information specified in the rule.
    As an initial matter, the Commission notes that several of the 
items that are specifically required to be described in the final 
report (as specified in adopted Rule 1002(b)(4)) were proposed to be 
required to be provided to the Commission under proposed Rule 
1000(b)(4)(ii), within a shorter time frame.\915\ The Commission 
believes that

[[Page 72330]]

the adopted rule, by requiring that this information be submitted to 
the Commission after resolution of an SCI event and closure of the SCI 
entity's investigation, will encourage SCI entities to devote resources 
first to resolving the SCI event, and providing status reports when 
required, and then to preparing a comprehensive final report. In 
particular, as some commenters suggested, certain information would be 
more accurate, and therefore more useful, if provided after an SCI 
event is resolved.\916\ The Commission believes that the information 
required under Rule 1002(b)(4) will provide the Commission with a 
comprehensive analysis to more fully understand and assess the impact 
caused by the SCI event. In addition, the Commission ordinarily would 
expect an SCI entity to include the root cause of an SCI event as part 
of ``any other pertinent information'' known about the SCI event. The 
Commission also believes that certain of the information requested by 
Rule 1002(b)(4) is more suitable to be provided after, rather than 
prior to, resolution of an SCI event. Specifically, much of the 
information required by Rule 1002(b)(4) (an analysis of parties that 
may have experienced a loss, whether monetary or otherwise, due to the 
SCI event, the number of such parties, and an estimate of the aggregate 
amount of such loss) can only be comprehensively known after the final 
resolution of an SCI event.\917\
---------------------------------------------------------------------------

    \915\ The Commission notes that while proposed Rule 
1000(b)(4)(iv)(C) specified that an SCI entity was required to 
provide a copy of any information disseminated on the SCI entity's 
publicly available Web site, adopted Rule 1002(b)(4) specifies that 
an SCI entity provide a copy of any information disseminated 
pursuant to Rule 1002(c) by the SCI entity to date regarding the SCI 
event to any of its members or participants.
    \916\ See supra notes 870-878 and accompanying text.
    \917\ The Commission notes that a notification required pursuant 
to proposed Rule 1000(b)(4)(ii) required the SCI entity to provide 
information on the ``potential impact of the SCI event on the 
market,'' whereas adopted Rule 1002(b)(4)(ii)(A) requires a 
description of ``the SCI entity's assessment of the impact of the 
SCI event on the market.'' Because adopted Rule 1002(b)(4) requires 
a final report upon resolution of an SCI event and the closure of 
the SCI entity's investigation of the SCI event, the Commission 
believes it is appropriate that an SCI entity provide its assessment 
of the impact of the SCI event in the final report, rather than 
information on the SCI event's potential impact.
---------------------------------------------------------------------------

    Similarly, the Commission is revising the proposed requirement that 
SCI entities provide to the Commission a copy of any information 
disclosed by the SCI entity to date regarding the SCI event to any of 
its members or participants. First, rather than requiring that SCI 
entities provide a copy of ``any information disclosed by the SCI 
entity,'' the adopted rule requires that SCI entities provide a copy of 
any information ``disseminated pursuant to paragraph (c) of [Rule 
1002]'' by the SCI entity to date regarding the SCI event to any of its 
members or participants. The Commission believes that this refined 
requirement will more appropriately capture only the information needed 
for the Commission to assess compliance with the dissemination 
requirements of Rule 1002(c). Further, to limit the burden on, and 
provide additional flexibility to, SCI entities as they resolve SCI 
events, the adopted rule does not require this information to be 
included as part of a Form SCI submission until the final report is to 
be submitted to the Commission. The Commission believes that it is 
sufficient to require that this information be included in the final 
report because it is an important part of the record of an SCI event 
and SCI entity's response to such event.\918\ As noted above, one 
commenter questioned the purpose of this requirement and expressed 
concern that it may negatively impact open communication between an SCI 
entity and its members and participants,\919\ while another commenter 
questioned the feasibility, need, and potential impact of this 
requirement in light of the numerous communications that SCI entities 
will engage in with their members or participants.\920\ While the 
Commission recognizes that it is possible that the requirement could 
have some chilling effect on such communications, it believes that this 
information is important for SCI entities to share with the Commission 
because it is an efficient means for the Commission to assess whether 
SCI entities are complying with the dissemination requirements of Rule 
1002(c). Further, the Commission believes that, by requiring that SCI 
entities provide a copy only of information disseminated pursuant to 
Rule 1002(c) (rather than all information disclosed to members or 
participants regarding the SCI event), it addresses one commenter's 
concern that it would be difficult, unnecessary, and could impede open 
communication, to provide the Commission with a copy of all information 
disclosed to members or participants, which could include hundreds of 
individual communications via email or telephone for each SCI event.
---------------------------------------------------------------------------

    \918\ Under Rule 1002(b)(4), SCI entities are required to 
provide a copy of any information disseminated pursuant to Rule 
1002(c) by the SCI entity to date regarding the SCI event to any of 
its members or participants.
    \919\ See supra note 877.
    \920\ See supra note 878 and accompanying text. Specifically, 
this commenter noted that there could be hundreds of communications 
between the SCI entity and its members or participants during a 
systems incident and questioned the feasibility of, and need for, 
recreating and providing to the Commission a copy of all such 
communications. Further, the commenter noted that this requirement 
could have an unintended effect of discouraging open communication 
between the SCI entity and its members.
---------------------------------------------------------------------------

    The Commission also believes that, if an SCI event is not resolved 
or the SCI entity's investigation of the SCI event is not closed within 
30 days of the occurrence of the SCI event, it is reasonable to require 
that an SCI entity submit within thirty business days after the 
occurrence of the SCI event the information required in Rule 
1002(b)(4)(ii), to the extent known at the time, because this timeframe 
provides SCI entities with flexibility to continue their investigation 
while also apprising the Commission of relevant information discovered 
during the course of the SCI entity's investigation. Moreover, the rule 
takes into account the Commission's recognition that an SCI entity's 
investigation regarding an SCI event may not yet be complete despite the fact 
that the SCI event itself has resolved. In such cases, within five 
business days after the SCI event has resolved and the investigation 
regarding the SCI event has closed, the Commission believes that it is 
reasonable and necessary to provide it with a comprehensive and 
complete understanding of the SCI event. Consequently, SCI entities are 
required to submit a final written notification that contains all 
information required by Rule 1002(b).
Goals of Adopted Commission Notification Rule
    As discussed in greater detail above, the Commission has carefully 
considered the views of commenters as well as what it believes is 
necessary for the Commission and its staff with respect to the timing 
and content of notifications regarding SCI events, and believes that 
the adopted rule will be less burdensome for SCI entities than if the 
proposed rule were adopted without modification, while still resulting 
in meaningful notice to the Commission and its staff with information 
about SCI events in a timely manner that permits the Commission to 
fulfill its oversight role.
    With regard to comments on the resource and efficiency demands of 
the notification requirements,\921\ the Commission believes that while 
SCI entities will need to devote resources to fulfilling the 
notification requirements, the Commission does not believe that these 
resources will diminish SCI entities' ability to respond to SCI events 
because it is the Commission's

[[Page 72331]]

experience that the staff that engages in corrective action is 
generally distinct from the staff that has been charged with notifying 
the Commission of systems issues. Consequently, the Commission does not 
believe that, due to this requirement, staff that engages in corrective 
action will be unable to fulfill its responsibilities after 
implementation of Regulation SCI.
---------------------------------------------------------------------------

    \921\ See supra notes 790-793.
---------------------------------------------------------------------------

    The Commission believes that adopted Rules 1002(b)(1)-(4) are 
responsive to concerns that the proposed Commission notification 
requirements would have required SCI entities to notify the Commission 
of information before all relevant facts are known.\922\ As discussed, 
in tandem with the revised triggering standard, which affords an SCI 
entity time to assess whether an SCI event has occurred,\923\ the 
adopted rule affords an SCI entity the flexibility to gather 
information for the 24-hour written notification on a good faith, best 
efforts basis,\924\ and adopted Rule 1002(b)(3) makes clear that an SCI 
entity is required to update the Commission to correct any materially 
inaccurate information previously provided, or when pertinent new 
information is discovered, until such time as the SCI event is 
resolved, and the SCI entity's investigation of the SCI event is 
closed. Further, the final report for a given SCI event is only 
required once, when both the SCI event is resolved and the SCI entity's 
investigation of the SCI event is closed, with an interim report 
required only when an SCI event is not resolved or the SCI entity's 
investigation of the SCI event is not closed within 30 days of the 
occurrence of the SCI event. Taken together, the Commission believes 
that Rule 1002(b) does not require reporting before all relevant facts 
are known, which one commenter suggested would be counterproductive and 
harmful.\925\ Instead, the Commission believes that the rule is 
designed to provide SCI entities with a process that gives them 
sufficient time to submit information to the Commission when known. In 
addition, and in response to comment questioning the usefulness of the 
notification requirement for the Commission,\926\ the Commission 
believes that adopted Rule 1002(b) will foster a system for 
comprehensive reporting of SCI events, which should enhance the 
Commission's review and oversight of U.S. securities market 
infrastructure and foster cooperation between the Commission and SCI 
entities in responding to SCI events. The Commission also believes that 
the aggregated data that will result from the reporting of SCI events 
will enhance its ability to comprehensively analyze the nature and 
types of various SCI events and identify more effectively areas of 
persistent or recurring problems across the systems of all SCI 
entities. Some commenters suggested that the Commission provide to SCI 
entities regular summary-level feedback on SCI entities' notifications 
\927\ or provide examples of the types of SCI events that warrant 
notification.\928\ To the extent it believes that guidance or other 
information, including summary-level feedback, publications, or 
reference blueprints, would be appropriate to share, the Commission or 
its staff may do so in the future.
---------------------------------------------------------------------------

    \922\ See supra note 804 and accompanying text.
    \923\ See supra Section IV.B.3.a (discussing the triggering 
standard).
    \924\ See supra discussion of ``good faith, best efforts'' 
above.
    \925\ See supra note 804.
    \926\ See supra note 793.
    \927\ See supra note 806 and accompanying text.
    \928\ See supra note 807 and accompanying text.
---------------------------------------------------------------------------

d. Dissemination of Information--Rule 1002(c)
i. Proposed Rule 1000(b)(5)
    Proposed Rule 1000(b)(5) would have required an SCI entity to 
provide specified information relating to ``dissemination SCI events'' 
to SCI entity members or participants. The term ``dissemination SCI 
event'' was proposed to mean an SCI event that is a: (1) Systems 
compliance issue; (2) systems intrusion; or (3) systems disruption that 
results, or the SCI entity reasonably estimates would result, in 
significant harm or loss to market participants.
    Proposed Rule 1000(b)(5)(i)(A) would have required an SCI entity, 
promptly after any responsible SCI personnel becomes aware of a 
dissemination SCI event other than a systems intrusion, to disseminate 
to its members or participants the following information about such SCI 
event: (1) The systems affected by the SCI event; and (2) a summary 
description of the SCI event. Proposed Rule 1000(b)(5)(i)(B) would have 
required an SCI entity to further disseminate to its members or 
participants, when known: (1) A detailed description of the SCI event; 
(2) the SCI entity's current assessment of the types and number of 
market participants potentially affected by the SCI event; and (3) a 
description of the progress of its corrective action for the SCI event 
and when the SCI event has been or is expected to be resolved. Proposed 
Rule 1000(b)(5)(i)(C) would have further required an SCI entity to 
provide regular updates to members or participants on any of the 
information required to be disseminated under proposed Rules 
1000(b)(5)(i)(A) and (i)(B). In the case of a systems intrusion, the 
proposed rule permitted a limited delay in dissemination if the 
dissemination would compromise the security of the SCI entity's 
systems.\929\ Except for the delay in dissemination of information for 
systems intrusions in specified circumstances, the proposed rule did 
not distinguish dissemination obligations based on the severity or 
impact of a dissemination SCI event.
---------------------------------------------------------------------------

    \929\ See proposed Rule 1000(b)(5)(ii) (permitting a delay in 
dissemination of information regarding a systems intrusion if ``the 
SCI entity determines that dissemination of such information would 
likely compromise the security of the SCI entity's SCI systems or 
SCI security systems, or an investigation of the systems intrusion, 
and documents the reasons for such determination'').
---------------------------------------------------------------------------

ii. Comments Regarding Information Dissemination
    Two commenters generally supported proposed Rule 1000(b)(5).\930\ 
One commenter characterized it as ``one of the major benefits of th[e] 
proposal.'' \931\ Another commenter suggested broadening the proposal 
to require an SCI entity to reveal dissemination SCI events to the 
public at large, and not just to its members or participants.\932\ This 
commenter believed that public dissemination of the facts of an SCI 
event would help enhance investor confidence by preventing speculation 
and misinformation, and would provide important learning opportunities 
for the industry and other SCI entities.\933\
---------------------------------------------------------------------------

    \930\ See Angel Letter at 5; and MFA Letter at 7.
    \931\ See Angel Letter at 5. This commenter stated: ``Instead of 
keeping information about hardware failures, system intrusions, and 
software glitches private, sharing the information will alert others 
in the industry about such problems and help to reduce system wide 
costs of diagnosing problems, as well as result in improved 
responses to technology problems. These will serve as warnings to 
the other SCI entities to stay vigilant to prevent similar problems 
from occurring on their platforms.'' Angel Letter at 5.
    \932\ See MFA Letter at 7.
    \933\ See id.
---------------------------------------------------------------------------

    In contrast, many commenters urged the Commission to revise the 
proposed dissemination requirement.\934\ For example, a few commenters 
expressed concern that the proposal would require dissemination of too 
much information too soon.\935\ One of these commenters stated that the 
proposed rule would be counterproductive and harmful because

[[Page 72332]]

it would cause the release of information before all relevant facts are 
known and suggested dissemination should only be required when the SCI 
entity has credible information that can be acted upon.\936\ Another 
commenter suggested that dissemination should only be required when the 
information to be disseminated is certain and clear.\937\ Another 
commenter urged that, if immediate dissemination is required, then the 
information required to be disseminated should be limited to 
communication of the basic fact that there is a systems issue and 
additional information will be provided when known.\938\
---------------------------------------------------------------------------

    \934\ See, e.g., NYSE Letter at 28-29; FINRA Letter at 24; BATS 
Letter at 13; DTCC Letter at 11-12; OCC Letter at 16; CME Letter at 
9-10; ICI Letter at 4; Oppenheimer Letter at 2; Direct Edge Letter 
at 8; Omgeo Letter at 21; ITG Letter at 13; and FIA PTG Letter at 3.
    \935\ See, e.g., DTCC Letter at 12, NYSE Letter at 29; and ITG 
Letter at 13.
    \936\ See ITG Letter at 13. See also supra note 804 and 
accompanying text.
    \937\ See DTCC Letter at 12.
    \938\ See NYSE Letter at 29 (stating also that the scope of the 
information required to be provided is too extensive, particularly 
given the timing requirements of the proposed rule).
---------------------------------------------------------------------------

    Several commenters opposed requiring information dissemination to 
all members and participants.\939\ For example, some commenters urged 
that an SCI entity be required to provide information only to members 
or participants actually impacted by an SCI event, or that interact 
with the SCI system impacted, rather than to all members or 
participants of an SCI entity.\940\ One commenter recommended that an 
SCI entity be required to disseminate information only to persons 
reasonably likely to be affected by a significant systems issue.\941\ 
Two commenters stated that SCI entities should have reasonable 
discretion to determine who among their members and participants should 
receive notification of an SCI event, as well as the manner and timing 
for providing notice.\942\ A few commenters more broadly expressed 
concern that the proposed rule would result in over-reporting of 
information about SCI events and would have limited usefulness.\943\ 
Some of these commenters stated that the proposed approach would result 
in SCI entity members and participants becoming immunized to the 
notifications because they would receive too many notifications and 
therefore would not focus on the truly significant events.\944\
---------------------------------------------------------------------------

    \939\ See, e.g., MSRB Letter at 20-21; DTCC Letter at 11; CME 
Letter at 10; NYSE Letter at 28; FINRA Letter at 24-25; ISE Letter 
at 6-7; SIFMA Letter at 15; and OCC Letter at 17.
    \940\ See MSRB Letter at 20-21; DTCC Letter at 11; CME Letter at 
9; NYSE Letter at 28; FINRA Letter at 25; and ISE Letter at 6-7. In 
addition, one of these commenters sought clarification on whether 
the term ``participant'' refers to a formal participant or, more 
broadly speaking, any market participant that interacts with the SCI 
system in question. See MSRB Letter at 20. See also Omgeo Letter at 
21, and infra note 954.
    \941\ See NYSE Letter at 28.
    \942\ See SIFMA Letter at 15 (urging that an SCI entity should 
have discretion to determine which participants or members are 
affected and how to notify them); and OCC Letter at 17 (urging that 
an SCI entity should be able to limit the communication to those 
members and participants that are actually affected and to provide 
the communication on a confidential and secure basis when the SCI 
entity has reasonable certainty of the information that is required 
to be provided).
    \943\ See, e.g., CME Letter at 9; FIA PTG Letter at 3; and Omgeo 
Letter at 39. See also Fidelity Letter at 5 (requesting that the 
Commission provide greater specificity regarding the types of 
dissemination SCI events that must be disclosed and to whom 
disclosure must be made).
    \944\ See, e.g., Omgeo Letter at 40; FIA PTG Letter at 3; and 
CME Letter at 9.
---------------------------------------------------------------------------

    Several commenters suggested that the Commission apply the proposed 
dissemination requirement to fewer types of SCI events.\945\ For 
example, several commenters stated that information dissemination 
should only be required for material or significant SCI events.\946\ 
One commenter suggested that, for an SCI event that is ``de minimis,'' 
information dissemination to members or participants should not be 
required at all.\947\ This commenter suggested that a de minimis SCI 
event would be one that is limited in impact, brief in duration, or 
involves little or no member or participant harm.\948\ Another 
commenter noted that, as proposed, Commission notification would be 
required for a systems disruption if the systems disruption had a 
``material impact'' on the SCI entity's operations or on market 
participants, whereas information dissemination to members or 
participants would be required if an SCI entity reasonably estimated 
that the systems disruption would result ``in significant harm or loss 
to market participants.'' \949\ This commenter criticized the differing 
standards for Commission notification and member/participant 
notification and suggested that the Commission clarify the standards or 
adopt a uniform standard for both types of notifications.\950\
---------------------------------------------------------------------------

    \945\ See, e.g., NYSE Letter at 28; FIA PTG Letter at 3; FINRA 
Letter at 24; BATS Letter at 13; OCC Letter at 16-17; CME Letter at 
9-10; ICI Letter at 4; Oppenheimer Letter at 2; and Direct Edge 
Letter at 8.
    \946\ See NYSE Letter at 28; FIA PTG Letter at 3; FINRA Letter 
at 24; BATS Letter at 13; OCC Letter at 16-17; CME Letter at 9-10; 
ICI Letter at 4; Oppenheimer Letter at 2; and Direct Edge Letter at 
8.
    \947\ See BATS Letter at 13.
    \948\ See id.
    \949\ See OCC Letter at 16.
    \950\ See id.
---------------------------------------------------------------------------

    Several commenters specifically opposed the proposed dissemination 
requirement for systems compliance issues. Some commenters urged that 
an SCI entity be required to disseminate information only for material 
or significant systems compliance issues.\951\ One of these commenters 
stated that prompt dissemination of information regarding systems 
compliance issues to members or participants might lead to widespread 
dissemination of extraneous and potentially inaccurate 
information.\952\
---------------------------------------------------------------------------

    \951\ See, e.g., FINRA Letter at 24; Joint SROs Letter at 9; 
SIFMA Letter at 12; BATS Letter at 13; MSRB Letter at 6; and CME 
Letter at 10.
    \952\ See Joint SROs Letter at 8.
---------------------------------------------------------------------------

    Regarding systems intrusions, a few commenters stated that 
dissemination of systems intrusions information could raise significant 
risks and security concerns.\953\ One commenter recommended that a 
dissemination requirement apply only in the case of members, 
participants, or clients for whom confidential data was disclosed, 
processing was impacted, or where such member, participant, or client 
could take further action to mitigate the risk of such disclosure.\954\ 
This commenter also expressed support for the limited exception for 
intrusions that would compromise an investigation or resolution of the 
systems intrusion, noting that once dissemination would no longer 
compromise an investigation or the resolution of the issue, the entity 
should notify materially affected members, participants, or clients.
---------------------------------------------------------------------------

    \953\ See DTCC Letter at 11; and NYSE Letter at 29. See also 
Direct Edge Letter at 3 (suggesting that, to ensure that sensitive 
information does not fall into the wrong hands, the Commission 
should require reporting of systems intrusions to the Commission, 
and only require public disclosure in instances where there is a 
risk of significant harm to the SCI entity's customers).
    \954\ See Omgeo Letter at 21.
---------------------------------------------------------------------------

    One commenter stated that information should not be disseminated 
regarding disruptions in regulatory or surveillance systems, nor should 
information be disseminated about intrusions or compliance issues, 
arguing that the information could be misused, or if disseminated too 
soon, could be inaccurate and misleading.\955\ Two other commenters 
also expressed concern that information dissemination should not be 
required when the information provided might be misused to the 
detriment of the markets or investors, such as with respect to systems 
intrusions or issues relating to surveillance systems.\956\
---------------------------------------------------------------------------

    \955\ See NYSE Letter at 29. See also supra note 935 and 
accompanying text.
    \956\ See ICI Letter at 4; and Oppenheimer Letter at 2.
---------------------------------------------------------------------------

iii. Rule 1002(c)
    In the SCI Proposal, the Commission stated that the intended 
purpose of the proposed rule was twofold: To aid members or 
participants of SCI entities

[[Page 72333]]

in determining whether their trading activity has been or might be 
impacted by the occurrence of an SCI event at an SCI entity so that 
they could consider that information in making trading decisions, 
seeking corrective action or pursuing remedies, or taking other 
responsive action; and to provide an incentive for SCI entities to 
devote more resources and attention to improving the integrity and 
compliance of their systems and preventing the occurrence of SCI 
events.\957\ Although commenters generally did not object to the 
Commission's stated rationale for proposed Rule 1000(b)(5), several 
commenters suggested that the proposed approach did not adequately 
consider circumstances in which the proposed information dissemination 
might not be helpful to the market or market participants, or could be 
detrimental to the markets or market participants. One commenter, 
however, urged that public dissemination of information regarding SCI 
events would help to prevent speculation and misinformation regarding 
such events.\958\
---------------------------------------------------------------------------

    \957\ See Proposing Release, supra note 13, at 18120.
    \958\ See supra note 933 and accompanying text.
---------------------------------------------------------------------------

    The Commission has carefully considered the views of commenters 
with respect to proposed Rule 1000(b)(5), and has determined to adopt 
it as Rule 1002(c), with several modifications in response to comment. 
In particular, the Commission has determined to eliminate the 
definition of ``dissemination SCI event'' from the final rule and adopt 
an information dissemination requirement that scales dissemination 
obligations in accordance with the nature and severity of an SCI event. 
In response to comment that the proposed rule would result in over-
reporting of information about SCI events and have limited usefulness, 
the Commission has further focused the rule from the proposal by 
requiring dissemination of information about SCI events that are not 
major SCI events only to affected SCI entity members and participants, 
and excepting de minimis SCI events and SCI events regarding market 
regulation or market surveillance systems from the information 
dissemination requirement.\959\ In the case of a ``major SCI event,'' 
the Commission agrees with the commenter who stated that requiring 
dissemination should help to prevent speculation and misinformation 
regarding such events.\960\ Therefore, in the case of a ``major SCI 
event,'' the adopted rule requires an SCI entity to disseminate 
information to all of its members or participants. At the same time, as 
with other SCI events, any SCI event that meets the definition of major 
SCI event that has had, or the SCI entity reasonably estimates would 
have, no or a de minimis impact on the SCI entity's operations or on 
market participants is excepted from the information dissemination 
requirement.\961\ The Commission believes the revised approach will 
better achieve the purpose of maximizing the utility of information 
disseminated to SCI entity members and participants while 
simultaneously reducing compliance burdens for SCI entities.
---------------------------------------------------------------------------

    \959\ See supra notes 943-956 and accompanying text.
    \960\ See supra note 933 and accompanying text.
    \961\ See Rule 1002(c)(4)(ii).
---------------------------------------------------------------------------

Rule 1002(c)(1): Information Dissemination for Systems Disruptions and 
Systems Compliance Issues
    Adopted Rule 1002(c)(1) generally addresses dissemination 
requirements for systems disruptions and systems compliance issues. 
Rule 1002(c)(1)(i) requires an SCI entity, promptly after any 
responsible SCI personnel has a reasonable basis to conclude that an 
SCI event that is a systems disruption or systems compliance issue has 
occurred, to disseminate information about such SCI event, unless an 
exception applies. When the dissemination obligation is triggered,\962\ 
Rule 1002(c)(1)(i) requires an SCI entity to disseminate to the persons 
specified in Rule 1002(c)(3) information on the system(s) affected by 
the SCI event and a summary description of the SCI event. Thereafter, 
Rule 1002(c)(1)(ii) provides that, when known, an SCI entity shall 
promptly further disseminate: A detailed description of the SCI event; 
the SCI entity's current assessment of the types and number of market 
participants potentially affected by the SCI event; and a description 
of the progress of its corrective action for the SCI event and when the 
SCI event has been or is expected to be resolved. Rule 1002(c)(1)(iii) 
provides that, until resolved, an SCI entity shall provide regular 
updates of any information required to be disseminated under Rules 
1002(c)(1)(i) and (ii). The specified types of information and the 
update requirements are unchanged from the proposal. The Commission 
continues to believe that, for the dissemination of information to be 
meaningful, it is necessary for an SCI entity to describe the SCI event 
in sufficient detail to permit a member or participant to determine 
whether and how it was affected by the SCI event and make appropriate 
decisions based on that determination.\963\ Adopted Rule 1002(c)(1)(i) 
requires that the information initially disseminated include the 
systems affected by the SCI event and a summary description of the SCI 
event, and only after responsible SCI personnel have a reasonable basis 
to conclude that a systems disruption or systems compliance issue has 
occurred. Implicit in this requirement is that the disseminated 
information be accurate. Without the dissemination of accurate 
information, the impact on the SCI entity's members or participants or 
the market may be more pronounced because market participants may not 
recognize that an SCI event is occurring, or may mistakenly attribute 
unusual market activity to some other cause.
---------------------------------------------------------------------------

    \962\ See supra Section IV.B.3.a (discussing the triggering 
standard).
    \963\ See Proposing Release, supra note 13, at 18120.
---------------------------------------------------------------------------

    Adopted Rule 1002(c)(1) also requires that required information be 
disseminated ``promptly.'' \964\ Although the Commission agrees that 
SCI entities should not prematurely disseminate information regarding 
an SCI event, lest it be inaccurate, speculative, misleading, or 
otherwise unhelpful, as some commenters were concerned about,\965\ the 
Commission does not agree with the commenter who suggested that 
information dissemination be provided at a time chosen by the SCI 
entity.\966\ The Commission believes that accurate information that is 
timely is more likely to aid a market participant in determining 
whether its trading activity has been or might be impacted by the 
occurrence of an SCI event than accurate information that is delayed. 
However, as compared to Commission notification, which is required to 
be provided immediately after an SCI entity has a reasonable basis to 
conclude that an SCI event has occurred, and which notice may be 
provided orally, dissemination of information to SCI entity members or 
participants is required to be provided promptly. The requirement for 
prompt dissemination, as opposed to immediate dissemination, is 
designed to provide some limited flexibility to an SCI entity to 
determine an efficient way to disseminate information to multiple 
potentially affected members or participants, or all of its members or 
participants, as the case may be, in a timely manner. Likewise, as new 
information becomes

[[Page 72334]]

known, immediate updates are not required, but an SCI entity is 
obligated to also disseminate updated information ``promptly'' after it 
is known. The Commission believes that adopted Rule 1002(c)(1) strikes 
an appropriate balance by requiring an SCI entity to disseminate 
specific information about SCI events, but also permits an SCI entity 
to have time to check relevant facts before disseminating that 
information. The Commission therefore believes that adopted Rule 
1002(c)(1) is responsive to comment that the proposed rule would have 
required release of information too soon, before it is determined to be 
credible, or before relevant facts were known.\967\
---------------------------------------------------------------------------

    \964\ The persons to whom the required information about systems 
disruptions and systems compliance issues is to be disseminated are 
specified in Rules 1002(c)(3) and (4).
    \965\ See also supra notes 935-938 and 933 and accompanying 
text.
    \966\ See supra note 942 and accompanying text.
    \967\ See supra notes 935-938 and accompanying text.
---------------------------------------------------------------------------

Rule 1002(c)(2): Information Dissemination for Systems Intrusions
    Adopted Rule 1002(c)(2) requires an SCI entity, promptly after any 
responsible SCI personnel has a reasonable basis to conclude that an 
SCI event that is a systems intrusion has occurred, to disseminate a 
summary description of the systems intrusion, including a description 
of the corrective action taken by the SCI entity and when the systems 
intrusion has been or is expected to be resolved, unless the SCI entity 
determines that dissemination of such information would likely 
compromise the security of the SCI entity's SCI systems or indirect SCI 
systems, or an investigation of the systems intrusion, and documents 
the reasons for such determination. This rule applies to systems 
intrusions that are not de minimis events. In response to commenters 
stating that information about a systems intrusion in many cases will 
be sensitive and raise security concerns, and those urging that the 
dissemination requirement apply only in limited cases,\968\ the 
Commission notes that, although it does not wholly exclude systems 
intrusions from the dissemination requirement, the rule permits a delay 
in dissemination of any information about a systems intrusion if 
dissemination would compromise the security of the SCI entity's SCI 
systems or indirect SCI systems, or an investigation of the systems 
intrusion, and the SCI entity documents the reason for such 
determination.\969\ Adopted Rule 1002(c)(2) also provides that the 
content of the required disclosure for a systems intrusion is less 
detailed than required for other types of SCI events. These provisions 
are unchanged from the SCI Proposal.\970\ As stated in the SCI 
Proposal, the Commission continues to believe that there may be 
circumstances in which the dissemination of information related to a 
systems intrusion should be delayed to avoid compromising the 
investigation or resolution of a systems intrusion.\971\ Also, as 
stated in the SCI Proposal, the affirmative documentation required by 
Rule 1002(c)(2) is important to allow the Commission to ensure that SCI 
entities are not improperly invoking the limited exception provided by 
Rule 1002(c)(2).\972\ This delayed dissemination provision permits an 
SCI entity to delay providing information about an intrusion to its 
members or participants to protect legitimate security concerns. 
However, under Rule 1002(c)(2), if an SCI entity cannot, or can no 
longer, determine that information dissemination as required by Rule 
1002(c)(2) would likely compromise the security of the SCI entity's SCI 
systems or indirect SCI systems, or an investigation of the systems 
intrusion, no delay (or further delay, if applicable) in dissemination 
is permitted.\973\ Pursuant to Rule 1002(c)(2), information about a 
systems intrusion is required to be disseminated eventually, as the 
Commission believes that circumstances permitting a delay (i.e., 
dissemination of information would likely compromise the security of 
the SCI entity's SCI systems or indirect SCI systems, or an 
investigation of the systems intrusion), will not continue 
indefinitely.\974\
---------------------------------------------------------------------------

    \968\ See, e.g., supra notes 953-954 and accompanying text.
    \969\ See Rule 1002(c)(4) (excepting de minimis systems 
intrusions and intrusions into market regulation or market 
surveillance systems from the dissemination requirement) and Rule 
1001(c)(2) (permitting a delay in dissemination).
    \970\ The persons to whom the required information about a 
systems intrusion is to be disseminated (provided the circumstances 
warranting a delay do not apply) are specified in Rules 1002(c)(3) 
and (4).
    \971\ See Proposing Release, supra note 13, at 18120.
    \972\ See id.
    \973\ See id.
    \974\ Some commenters urged modifications to the proposed rule 
that would further circumscribe the proposed dissemination 
requirement for systems intrusions. See, e.g., supra notes 953-954 
and accompanying text (urging that dissemination for systems 
intrusions only be required for affected persons and only if 
material). These comments are addressed in the discussion of adopted 
Rules 1002(c)(3) and (4).
---------------------------------------------------------------------------

Rule 1002(c)(3): To Whom Information Is To Be Disseminated
    Adopted Rule 1002(c)(3) provides that the information required to 
be provided under Rules 1002(c)(1) and (2) promptly after any 
responsible SCI personnel has a reasonable basis to conclude that an 
SCI event has occurred, shall be promptly disseminated by the SCI 
entity to those members or participants of the SCI entity that any 
responsible SCI personnel has reasonably estimated may have been 
affected by the SCI event, and promptly disseminated to any additional 
members or participants that any responsible SCI personnel subsequently 
reasonably estimates may have been affected by the SCI event. The rule 
further requires that, for major SCI events, such information shall be 
disseminated by the SCI entity to all of its members or participants. 
As noted, several commenters urged that an SCI entity be required to 
disseminate information relating to an SCI event only to those members 
or participants affected by the SCI event.\975\ Some suggested that an 
SCI entity have discretion to determine who should receive information 
regarding SCI events,\976\ and one suggested that SCI events warrant 
public disclosure.\977\ Others expressed more general concern that the 
breadth of the proposed dissemination requirement would result in over-
reporting of information about SCI events because they believed that 
SCI entities would over-report out of an abundance of caution \978\ or 
that SCI entity members and participants would become immunized to 
reports of SCI events and not focus on significant events.\979\
---------------------------------------------------------------------------

    \975\ See supra note 940 and accompanying text.
    \976\ See supra note 942 and accompanying text.
    \977\ See supra notes 932-933 and accompanying text.
    \978\ See supra note 943 and accompanying text.
    \979\ See supra notes 943-944 and accompanying text.
---------------------------------------------------------------------------

    After careful consideration of the comments, the Commission 
believes that, to maximize the utility of information dissemination, a 
more tailored approach to who should receive information about an SCI 
event is warranted, based on an SCI event's impact. Because information 
about an SCI event is likely to be of greatest value to those market 
participants affected by it, who can use such information to evaluate 
the event's impact on their trading and other activities and develop an 
appropriate response, adopted Rule 1002(c)(3) requires prompt 
dissemination to those members or participants of the SCI entity that 
any responsible SCI personnel has reasonably estimated may have been 
affected by the SCI event. With respect to more serious SCI events, 
however, the Commission believes that dissemination to all members or 
participants of an SCI entity is warranted. Accordingly, under adopted 
Regulation SCI, certain SCI events will be defined as ``major SCI 
events.''
    Adopted Rule 1000 defines ``major SCI event'' as ``an SCI event 
that has

[[Page 72335]]

had, or the SCI entity reasonably estimates would have: (1) Any impact 
on a critical SCI system; or (2) a significant impact on the SCI 
entity's operations or on market participants.'' The Commission 
believes that dissemination of information regarding a major SCI event 
to all members or participants of an SCI entity is appropriate because 
major SCI events are likely to impact a large number of market 
participants (e.g., with respect to critical SCI systems, a disruption 
of consolidated market data or the clearance and settlement system, or 
an event significantly impacting the operations of an exchange).\980\ 
As noted, one commenter suggested broadening the proposed rule to 
generally require an SCI entity to reveal dissemination SCI events 
(other than intrusions) to the public at large. This commenter 
expressed the view that public dissemination of the facts of an SCI 
event would help ``enhance investor confidence by presenting the facts 
of the SCI event, preventing speculation and misinformation, and 
informing the public of corrective action being taken'' and would 
``serve as an important collective learning opportunity'' that would 
allow for ``SCI [e]ntities and market participants [to] learn from [the 
event] . . . and build upon their policies and controls as 
appropriate.'' This commenter stated further that such an ``industry 
protocol would help strengthen and enhance the integrity and security 
of our markets.'' \981\ The Commission agrees with this commenter that 
it is appropriate for an SCI entity to present the facts, prevent 
speculation and misinformation, and provide transparency about 
corrective action being taken when the impact of an SCI event is most 
likely to be felt by many market participants (i.e., when it is a major 
SCI event). In the context of a major SCI event, the Commission 
believes these goals can be achieved by requiring an SCI entity to 
disseminate information to all of its members or participants (as 
opposed to the ``public at large''). Moreover, the Commission believes 
it is appropriate to require dissemination of information on major SCI 
events to all of the SCI entity's members or participants because these 
market participants are the most likely to act on this information. 
Based on the experience of the Commission and its staff, when an entity 
disseminates information about a systems issue to all of its members or 
participants (e.g., on the entity's Web site), and that information has 
the potential to affect the market and investors more broadly 
(including market participants that may not be members or participants 
of the SCI entity reporting the event), such information is routinely 
picked up by financial or other media outlets, and also may be relayed 
to market participants for whom such information is relevant (e.g., by 
members or participants of SCI entities to their own clients). 
Therefore, the Commission believes that when information about a 
systems issue with broad potential impact is disseminated to all of an 
SCI entity's members or participants, such dissemination is tantamount 
to public dissemination.\982\ As such, the Commission believes that it 
can achieve the purposes of the rule without requiring public 
dissemination, and believes that any additional gain in benefits from 
public dissemination would be minimal. Rule 1002(c)(3) does not specify 
how an SCI entity is to disseminate information to all of its members 
or participants when required to do so, but the Commission believes 
that posting the information on a Web site accessible to, at a minimum, 
all of its members or participants (for example, on a ``systems status 
alerts'' page) would meet the rule's requirements.\983\
---------------------------------------------------------------------------

    \980\ At the same time, the Commission recognizes that some SCI 
events that meet the definition of ``major SCI event'' could also 
qualify as de minimis SCI events. Like other de minimis SCI events, 
they are excepted from the information dissemination requirement. 
See Rule 1002(c)(4).
    \981\ See supra notes 932-933.
    \982\ The Commission notes that one commenter referred to the 
dissemination provision in the SCI Proposal as the ``public 
dissemination provision of Proposed Reg SCI.'' See NYSE Letter at 
28. See also ICI Letter at 4 and Oppenheimer Letter at 4 (each 
supporting ``transparency of SCI events to members and participants 
of an SCI entity'' but recommending that the Commission only require 
``public dissemination'' where such information enhances investor 
protection).
    \983\ The Commission notes that, irrespective of the medium 
chosen to disseminate information to the SCI entity members or 
participants, the SCI entity would also be required to submit the 
disseminated information to the Commission as part of the report 
submitted pursuant to Rule 1002(b)(4). See supra Section IV.B.3.c.
---------------------------------------------------------------------------

    For an SCI event that is neither a major SCI event nor an event 
identified in Rule 1002(c)(4), however, the information specified in 
Rule 1002(c)(1) or (2), as applicable, is required to be disseminated 
by the SCI entity to those members or participants of the SCI entity 
that any responsible SCI personnel has reasonably estimated may have 
been affected by the SCI event.\984\ The Commission believes that an 
SCI entity is generally in the best position to identify those of its 
members or participants that are or are reasonably likely to be 
affected by such events. Under this approach, as commenters urged, 
members or participants not reasonably estimated to be affected by such 
events will not be the recipients of information likely to be 
irrelevant to them. The Commission believes that SCI entities will be 
able to analyze which members or participants are or reasonably likely 
will be impacted, and the rule requires SCI entities to disseminate 
information to such members or participants. The requirement that 
information is to be disseminated only to those members or participants 
that any responsible SCI personnel has reasonably estimated may have 
been affected by the SCI event (other than a major SCI event or a de 
minimis SCI event) addresses the concern raised by some commenters that 
members and participants will become immunized by receiving irrelevant 
notifications \985\ because, under the adopted approach, members or 
participants should only receive notifications relevant to them.
---------------------------------------------------------------------------

    \984\ In response to the commenter seeking clarification on 
whether the term ``participant'' refers to a formal participant or, 
more broadly speaking, any market participant that interacts with 
the SCI system in question (see supra note 940), for purposes of 
adopted Rule 1002, the term ``participant'' refers to a formal 
participant. The Commission also notes that, with respect to the 
MSRB, the term ``members'' as used in Regulation SCI includes 
entities that are registered with the MSRB, but does not include ``a 
member of the Board,'' which is the definition of ``member'' in MSRB 
Rule D-5.
    \985\ See supra notes 944 and 952 and accompanying text.
---------------------------------------------------------------------------

    Whereas the proposed rule would have required dissemination of 
information about certain SCI events to all SCI entity members and 
participants, the adopted rule requires dissemination only to those 
members and participants reasonably estimated to be affected by an SCI 
event (other than a major SCI event or a de minimis SCI event). Because 
it is possible that an SCI entity's reasonable estimate of members or 
participants affected may change as an SCI event unfolds, the adopted 
rule also requires prompt dissemination of information to newly 
identified members or participants reasonably estimated to be affected 
by an SCI event.\986\ This provision reflects the view that newly 
identified affected members or participants should receive prompt 
dissemination of information about an SCI event, just as those 
originally identified as affected members or participants. Although 
compliance with this requirement may result in an SCI entity 
disseminating information at several different times to

[[Page 72336]]

different members and participants, consistent with commenters' 
suggestions, the Commission believes that this requirement is 
appropriately tailored to result in information dissemination being 
provided to the relevant members or participants of an SCI entity.\987\
---------------------------------------------------------------------------

    \986\ Rule 1002(c)(1) requires that, among other things, the SCI 
entity must disseminate the SCI entity's current assessment of the 
types and number of market participants potentially affected by the 
SCI event, and until resolved, provide regular updates of this and 
any other information required to be disseminated under the rule.
    \987\ The Commission notes that an SCI entity would be in 
compliance with the rule if it disseminated the required information 
to all members or participants, rather than disseminating only to 
those members and participants it reasonably initially estimated to 
be affected by the event (which might require subsequent 
dissemination(s) to additional members or participants if its 
estimate regarding those members or participants that were affected 
by a given SCI event changes over time).
---------------------------------------------------------------------------

    If an SCI event is a de minimis event--i.e., is an SCI event that 
has had, or the SCI entity reasonably estimates would have, no or a de 
minimis impact on the SCI entity's operations or on market 
participants--the adopted rule does not impose any dissemination 
requirement.\988\
---------------------------------------------------------------------------

    \988\ See discussion of adopted Rule 1002(c)(4) below 
(excepting, among other things, de minimis systems SCI events from 
the dissemination requirement). See also supra Section IV.B.3.c 
(discussing Rule 1002(b)(5), which requires that, for de minimis SCI 
events, an SCI entity is required to: (i) Make, keep, and preserve 
records relating to all such SCI events; and (ii) submit to the 
Commission a report, within 30 calendar days after the end of each 
calendar quarter, containing a summary description of such systems 
disruptions and systems intrusions, including the SCI systems and, 
for systems intrusions, indirect SCI systems, affected by such 
systems disruptions and systems intrusions during the applicable 
calendar quarter).
---------------------------------------------------------------------------

Adopted Rule 1002(c)(4): Exceptions to the General Rules on Information 
Dissemination
    Adopted Rule 1002(c)(4) provides that the requirements of Rules 
1002(c)(1)-(3) shall not apply to: (i) SCI events to the extent they 
relate to market regulation or market surveillance systems; or (ii) any 
SCI event that has had, or the SCI entity reasonably estimates would 
have, no or a de minimis impact on the SCI entity's operations or on 
market participants. The Commission has added the exception in adopted 
Rule 1002(c)(4)(i) in response to comments that information should not 
be disseminated regarding disruptions in regulation and surveillance 
systems, because dissemination of such information to an SCI entity's 
members or participants or the public at large could encourage 
prohibited market activity.\989\ The Commission notes that the 
exception for market regulation or market surveillance systems is 
limited to dissemination of information about SCI events related to 
market regulation or market surveillance systems. Information about an 
SCI event that impacts other SCI systems would still be required to be 
disseminated in accordance with Rule 1002(c) even if that same SCI 
event also impacts market regulation or market surveillance systems.
---------------------------------------------------------------------------

    \989\ See supra notes 955-956 and accompanying text.
---------------------------------------------------------------------------

    The exception in Rule 1002(c)(4)(ii) for de minimis SCI events is 
consistent with the Commission's approach to excluding de minimis SCI 
events from the immediate Commission notification requirements in Rule 
1002(b), and is therefore responsive to comment that notification and 
dissemination of systems disruptions were subject to differing 
standards under the proposal,\990\ as well as to the comment that a de 
minimis SCI event should not be subject to dissemination.\991\ With 
respect to the comment that dissemination should only be required for 
material or significant SCI events,\992\ while the Commission is not 
limiting the dissemination requirement as suggested by these 
commenters, the exception for de minimis SCI events is responsive to 
this comment, to an extent. Moreover, the Commission believes that a 
materiality threshold would likely exclude from the information 
dissemination requirement a large number of SCI events that are not de 
minimis SCI events, but that an SCI entity's members or participants 
should be made aware of so that they can quickly assess the nature and 
scope of those SCI events and identify the appropriate response, 
including ways to mitigate the impact of the SCI events. The Commission 
also believes that, even without adopting a materiality threshold, the 
adopted definitions of SCI systems and indirect SCI systems 
significantly focus the scope of the Commission dissemination 
requirements from the SCI Proposal.
---------------------------------------------------------------------------

    \990\ See supra notes 949-950 and accompanying text.
    \991\ See supra notes 947-948 and accompanying text; Section 
IV.B.3.c (discussing Rule 1002(b)) and supra note 988 and 
accompanying text. The Commission notes that, because major SCI 
events are a subset of SCI events, the exception in Rule 
1002(c)(4)(ii) also applies to major SCI events that meet the 
requirements of that rule.
    \992\ See supra note 946 and accompanying text; see also supra 
notes 941 and 944 and accompanying text.
---------------------------------------------------------------------------

    Consistent with its statements in the SCI Proposal, the Commission 
notes that the requirements relating to dissemination of information in 
Regulation SCI relate solely to Regulation SCI.\993\ Nothing in adopted 
Regulation SCI should be construed as superseding, altering, or 
affecting the reporting obligations of SCI entities or their affiliates 
under other federal securities laws or regulations. Accordingly, in the 
case of an SCI event, SCI entities or their affiliates subject to the 
public company reporting requirements of Section 13 or Section 15(d) of 
the Exchange Act would need to comply with their disclosure obligations 
pursuant to those provisions (including, for example, with respect to 
Regulation S-K and Forms 10-K, 10-Q, and 8-K) in addition to their 
disclosure and reporting obligations under Regulation SCI.\994\ In 
addition, the Commission also wishes to highlight that the requirements 
of Rule 1002(c) address to whom and when SCI entities are obligated 
under Regulation SCI to disseminate information. Subject to any 
applicable laws or regulations, SCI entities still retain the 
flexibility to disseminate information--e.g., to their members or 
participants, the public, or market participants that interact with the 
affected SCI systems--at any time they determine to be appropriate.
---------------------------------------------------------------------------

    \993\ See Proposing Release, supra note 13, at 18119, n. 235.
    \994\ As an additional example, nothing in adopted Regulation 
SCI should be construed as superseding any obligations under 
Regulation FD. SCI entities may also wish to consider staff guidance 
on this topic. See CF Disclosure Guidance: Topic No. 2, 
Cybersecurity (October 13, 2011), available at: http://www.sec.gov/divisions/corpfin/guidance/cfguidance-topic2.htm.
---------------------------------------------------------------------------

4. Notification of Systems Changes--Rule 1003(a)
a. Proposed Definition of Material Systems Change, Proposed Rules 
1000(b)(6) and (b)(8)(ii)
    Proposed Rule 1000(a) would have defined the term ``material 
systems change'' as a change to one or more: (1) SCI systems of an SCI 
entity that: (i) Materially affects the existing capacity, integrity, 
resiliency, availability, or security of such systems; (ii) relies upon 
materially new or different technology; (iii) provides a new material 
service or material function; or (iv) otherwise materially affects the 
operations of the SCI entity; or (2) SCI security systems of an SCI 
entity that materially affects the existing security of such systems. 
In the SCI Proposal, the Commission set forth examples that it 
preliminarily believed could be included within the proposed definition 
of material systems change.\995\
---------------------------------------------------------------------------

    \995\ These examples included: Major systems architecture 
changes; reconfiguration of systems that would cause a variation 
greater than five percent in throughput or storage; the introduction 
of new business functions or services; changes to external 
interfaces; changes that could increase susceptibility to major 
outages; changes that could increase risks to data security; changes 
that were, or would be, reported to or referred to the entity's 
board of directors, a body performing a function similar to the 
board of directors, or senior management; and changes that could 
require allocation or use of significant resources. See Proposing 
Release, supra note 13, at 18105-06. These examples were cited in 
the 2001 Staff ARP Interpretive Letter. The Commission also stated 
its preliminary belief that any systems change occurring as a result 
of the discovery of an actual or potential systems compliance issue 
would be material. See id.

---------------------------------------------------------------------------

[[Page 72337]]

    Proposed Rule 1000(b)(6)(i) would have required an SCI entity, 
absent exigent circumstances, to notify the Commission in writing at 
least 30 calendar days before implementation of any planned material 
systems changes, including a description of the planned material 
systems changes as well as the expected dates of commencement and 
completion of implementation of such changes. If exigent circumstances 
existed, or if the information previously provided to the Commission 
regarding any planned material systems change had become materially 
inaccurate, proposed Rule 1000(b)(6)(ii) would have required the SCI 
entity to notify the Commission, either orally or in writing, with any 
oral notification to be memorialized within 24 hours after such oral 
notification by a written notification, as early as reasonably 
practicable. A written notification to the Commission made pursuant to 
proposed Rule 1000(b)(6) would have been required to be made 
electronically on Form SCI and include all information as prescribed in 
Form SCI and the instructions thereto.
    Proposed Rule 1000(b)(8)(ii) would have required each SCI entity to 
submit to the Commission a report, within 30 calendar days after the 
end of June and December of each year, containing a summary description 
of the progress of any material systems change during the six month 
period ending on June 30 or December 31, as the case may be, and the 
date, or expected date, of completion of implementation of such 
changes. A written notification to the Commission made pursuant to 
proposed Rule 1000(b)(8)(ii) would have been required to be made 
electronically on Form SCI and include all information as prescribed in 
Form SCI and the instructions thereto.
b. Quarterly and Supplemental Material Systems Change Reports--Rule 
1003(a)
i. Adopted Rule 1003(a)(1): Quarterly Material Systems Change Reports
    Many commenters viewed the proposed 30-day advance notification 
requirement for material systems changes as burdensome.\996\ For 
example, one commenter believed that the Commission significantly 
underestimated the number of material systems changes, and suggested 
that the proposal might require reporting of as many as 60 material 
systems changes per week, rather than that same amount per year, as the 
Commission estimated in the SCI Proposal.\997\ Some commenters stated 
that many SCI entities implement frequent agile modifications rather 
than major episodic or ``waterfall'' changes, and therefore viewed the 
proposed 30-day advance notification requirement as favoring a model 
that employs waterfall changes over agile changes.\998\ Several 
commenters stated more broadly that the proposed requirement would 
mandate constant reporting that would stifle innovation, interfere with 
an SCI entity's natural planning and development process, and 
potentially do more harm than good by curtailing an SCI entity's 
ability to respond to systems issues with appropriate fixes.\999\ 
Several commenters also expressed concern that the burden of reporting 
would incentivize an SCI entity to change its systems less often 
instead of making smaller and more frequent iterative systems 
adjustments, which they believed would be inconsistent with current 
software best practices, curtail innovation, and expose their systems 
to increased risk.\1000\ One commenter questioned the purpose of the 
proposed requirement, stating that the Commission has not presented any 
empirical evidence that major or material technology changes by SCI 
entities are in fact the leading cause of market disruption, and that 
non-material systems changes by SCI entities and non-SCI entities have 
a high likelihood of causing market disruptions, but they are not 
captured by the proposal.\1001\ At the same time, this commenter stated 
that providing 30-day advance notification of these non-material 
systems changes would hamstring SCI entities.\1002\
---------------------------------------------------------------------------

    \996\ See, e.g., NYSE Letter at 26; BATS Letter at 14; ISE 
Letter at 8; BIDS Letter at 14; UBS Letter at 3-4; SIFMA Letter at 
15; ITG Letter at 8 and 13; FIF Letter at 5; MFA Letter at 5-6; CME 
Letter at 11; FINRA Letter at 27; Joint SROs Letter at 7; and OTC 
Markets Letter at 20.
    \997\ See BATS Letter at 14. See also NYSE Letter at 26; and ISE 
Letter at 8 (stating that the proposal would require reporting of 
too many routine changes), and infra discussion of the definition of 
material systems change.
    \998\ See KCG Letter at 19; FIF Letter at 5; UBS Letter at 4; 
and ITG Letter at 8. ``Agile'' software development, which involves 
smaller, more frequent changes in software code, is contrasted with 
the ``waterfall'' methodology, which involves larger, episodic 
software overhauls.
    \999\ See KCG Letter at 19; FIF Letter at 5; UBS Letter at 4; 
BATS Letter at 14; and ITG Letter at 8. See also SunGard Letter at 
3.
    \1000\ See KCG Letter at 19; FIF Letter at 5; UBS Letter at 4; 
BATS Letter at 14; and ITG Letter at 8. See also SIFMA Letter at 16.
    \1001\ See SunGard Letter at 3.
    \1002\ See id.
---------------------------------------------------------------------------

    Some commenters also noted that Regulation ATS already requires an 
ATS to report material changes to the operation of the ATS at least 20 
calendar days prior to their implementation.\1003\ One of these 
commenters noted that it is common for an ATS to finalize the systems 
specifications for a change close to when the ATS wants to go live with 
the change, but the ATS must wait 20 days before implementation, and 
occasionally the questions from Commission staff can further delay 
implementation.\1004\ This commenter expressed concern that Regulation 
SCI would lengthen the notification requirement to 30 calendar days and 
broaden the requirement to include any significant systems change, not 
just a material change to the operation of the ATS.\1005\
---------------------------------------------------------------------------

    \1003\ See BIDS Letter at 14; and ITG Letter at 8.
    \1004\ See ITG Letter at 8.
    \1005\ See id.
---------------------------------------------------------------------------

    The Commission continues to believe that it is important to receive 
notifications of planned and implemented material changes to SCI 
systems or the security of indirect SCI systems in connection with its 
oversight of U.S. securities market infrastructure.\1006\ However, 
after considering the views of commenters regarding the 30-day advance 
notification requirement, the Commission is instead adopting a 
quarterly reporting requirement, which will permit the Commission and 
its staff to have up-to-date information regarding an SCI entity's 
systems development progress and plans, to aid in understanding the 
operations and functionality of the systems and any material changes 
thereto, without requiring SCI entities to submit a notification to the 
Commission for each

[[Page 72338]]

material systems change.\1007\ Specifically, Rule 1003(a)(1) requires 
an SCI entity, within 30 calendar days after the end of each calendar 
quarter, to submit to the Commission a report describing completed, 
ongoing, and planned material systems changes to its SCI systems and 
security of indirect SCI systems, during the prior, current, and 
subsequent calendar quarters, including the dates or expected dates of 
commencement and completion.\1008\
---------------------------------------------------------------------------

    \1006\ See Proposing Release, supra note 13, at 18122, 18144. As 
noted above, one commenter argued that the Commission has not 
presented any empirical evidence that major or material technology 
changes by SCI entities are in fact the leading cause of market 
disruption, and that non-material systems changes have a high 
likelihood of causing market disruptions. See supra note 1001 and 
accompanying text. The Commission notes that the primary purpose of 
Rule 1003(a) is not to prevent market disruptions. Rather, it is to 
keep the Commission and its staff informed of the systems changes 
that SCI entities determine to be material, which will assist the 
Commission with its oversight of U.S. securities market 
infrastructure. While the Commission acknowledges that non-material 
systems changes could cause market disruptions, the Commission 
agrees with this commenter that requiring Commission notification of 
all systems changes would be burdensome. See supra note 1002 and 
accompanying text (noting this commenter's view that providing 30-
day advance notification of non-material systems changes would 
hamstring SCI entities).
    \1007\ As discussed in more detail below, the Commission is also 
not adopting the proposed definition of material systems change or 
the proposed semi-annual reporting requirement.
    \1008\ Using the quarter ending December 31, 2014 as an example, 
an SCI entity would be required to submit a report by January 30, 
2015 (i.e., within 30 calendar days after December 31, 2014) that 
describes material systems changes that the SCI entity has made 
(including the dates when those changes commenced and were 
completed), are currently implementing (including the dates when 
those changes commenced and are expected to be completed), and plan 
to make (including the dates those changes are expected to commence 
and complete) for the period from October 1, 2014 (the beginning of 
the prior calendar quarter) through June 30, 2015 (the end of the 
subsequent calendar quarter). The next report that corresponds to 
the quarter ending March 31, 2015 would be required to be submitted 
by April 30, 2015. As discussed in more detail below, Rule 
1003(a)(2) requires an SCI entity to promptly submit a supplemental 
report notifying the Commission of a material error in or material 
omission from a report previously submitted under Rule 1003(a)(1).
---------------------------------------------------------------------------

    The Commission believes that elimination of the 30-day advance 
notification requirement for material systems changes is responsive to 
commenters who were concerned that the proposed approach was unsuited 
to the agile systems development methodology that some SCI entities use 
today. In particular, an SCI entity will have the ability to implement 
material systems changes without having to individually report each 
material systems change to the Commission 30 days in advance, which 
commenters noted could lead SCI entities to favor the waterfall 
methodology of systems changes over the agile methodology.\1009\ The 
Commission also believes that the adopted quarterly reporting 
requirement provides more flexibility to SCI entities with respect to 
the timing of implementing material systems changes. In particular, SCI 
entities will not be required to wait 30 calendar days after notifying 
the Commission in order to implement a material systems change. 
Therefore, the adopted rule is responsive to commenters who stated that 
the proposed rule would stifle innovation, interfere with an entity's 
planning and development process, and expose SCI entities' systems to 
risk. Moreover, the Commission believes that elimination of the 
proposed 30-day advance notification requirement is responsive to 
commenters' concern that ATSs are already required to report material 
changes to the operation of the ATSs at least 20 calendar days prior to 
implementation, and that proposed Regulation SCI would extend the 
advance notification period to 30 calendar days.\1010\
---------------------------------------------------------------------------

    \1009\ At the same time, because systems changes utilizing the 
waterfall methodology are often planned well in advance, these 
systems changes would generally be included in the quarterly report, 
as Rule 1003(a) requires the quarterly report to describe, among 
other things, planned material systems changes during the subsequent 
calendar quarter. However, this requirement of Rule 1003(a) is not 
limited to planned material systems changes utilizing the waterfall 
methodology, but also would apply to planned material systems 
changes utilizing other development methodologies, including the 
agile methodology.
    \1010\ The Commission notes that the adoption of Rule 1003(a) 
does not affect an SCI ATS's existing obligation under Rule 
301(b)(2)(ii) of Regulation ATS to file amendments on Form ATS at 
least 20 calendar days prior to implementing a material change to the 
operation of the ATS. Therefore, with respect to a material systems 
change, an SCI ATS may be required to describe such change in a 
quarterly report under Rule 1003(a) and submit an amendment to Form 
ATS.
---------------------------------------------------------------------------

    The Commission also believes that adopting the quarterly reporting 
requirement instead of the 30-day advance notification requirement 
lessens SCI entities' burden of compliance as compared to the 
proposal.\1011\ For example, rather than submitting a Form SCI for each 
material systems change, an SCI entity is now required to submit four 
reports each year pursuant to Rule 1003(a)(1) and, as applicable, 
supplemental reports pursuant to Rule 1003(a)(2). To the extent certain 
material systems changes are related or similar, an SCI entity will not 
be required to separately notify the Commission of each change. 
Instead, the SCI entity can describe such related changes within the 
single quarterly report. The Commission also believes that this 
quarterly report process will provide the Commission and its staff with 
a more efficient framework to review material systems changes that are 
described in the larger context afforded by such periodic reports, 
rather than parsing every submission that reports a material systems 
change.\1012\
---------------------------------------------------------------------------

    \1011\ See supra notes 996-997 and accompanying text.
    \1012\ The Commission acknowledges that some systems changes 
deployed by an SCI entity may not by themselves be considered 
material by the SCI entity, but that, in the aggregate, can be 
considered material by the SCI entity (e.g., making a series of 
small systems changes over time in order to implement a broad 
systems change). The Commission believes that the adopted quarterly 
reporting requirement is better suited to capture such changes than 
the proposed 30-day advance notification requirement (i.e., 30-day 
advance notification for each single systems change that is by 
itself considered material by the SCI entity).
---------------------------------------------------------------------------

    One commenter expressed concern that the proposed exception for 
exigent circumstances was too narrow.\1013\ Because adopted Rule 
1003(a)(1) requires quarterly reports of material systems changes 
rather than 30-day advance notification of each material systems 
change, the Commission is not adopting the proposed ``exigent 
circumstances'' exception. Specifically, the Commission notes that the 
purpose of the exception was to accommodate situations where it would 
not be prudent or desirable for an SCI entity to delay a systems change 
simply to provide 30-day advance notification of the change. At the 
same time, the Commission notes that, because Rule 1003(a)(1) requires 
in part a description of completed, ongoing, and planned material 
systems changes during the prior and current calendar quarters, an SCI 
entity's quarterly report will be required to include a description of 
all material changes to its SCI systems or the security of its indirect 
SCI systems, including those that have been implemented in response to 
exigent circumstances during the prior and current calendar quarters.
---------------------------------------------------------------------------

    \1013\ See BATS Letter at 15.
---------------------------------------------------------------------------

    Several commenters suggested possible alternatives to the proposed 
requirements related to material systems changes. Some commenters 
suggested eliminating the proposed advance notification requirement for 
material systems changes.\1014\ One of these commenters explained that 
information regarding material systems changes would be available to 
the Commission during an inspection, but stated that, if an advance 
notification requirement is adopted, it should be folded into the 
proposed semi-annual reporting requirement.\1015\ Another commenter 
similarly urged that the Commission require only semi-annual reporting 
of material systems changes, as proposed in Rule 1000(b)(8).\1016\ One 
commenter supported the reporting of material systems changes in the 
annual SCI review report.\1017\ One commenter believed that information 
related to systems changes should be reported periodically.\1018\ 
Another commenter noted that if the Commission retains the 30-day 
advance notification requirement, it should be limited to material 
systems changes of only higher priority SCI systems and that

[[Page 72339]]

notifications of changes to lower criticality systems could be provided 
at the time of the change or periodically.\1019\
---------------------------------------------------------------------------

    \1014\ See MFA Letter at 7 and ITG Letter at 13-14. See also 
Joint SROs Letter at 8 (stating that material systems changes should 
be reported on a periodic, post-hoc basis, as was required under 
ARP).
    \1015\ See MFA Letter at 7.
    \1016\ See Direct Edge Letter at 8.
    \1017\ See CME Letter at 11.
    \1018\ See NYSE Letter at 27.
    \1019\ See SIFMA Letter at 15.
---------------------------------------------------------------------------

    Some commenters suggested that the Commission provide more 
flexibility and allow SCI entities more time to report material systems 
changes.\1020\ One commenter supported giving SCI entities discretion 
to determine the appropriate timing and format for reporting changes to 
the Commission, and stated that the current practice under ARP to 
submit quarterly reports that cover changes for the previous and 
upcoming quarters has proven effective in keeping the Commission staff 
apprised of planned and completed systems changes.\1021\
---------------------------------------------------------------------------

    \1020\ See NYSE Letter at 27; FINRA Letter at 27; and MSRB 
Letter at 22. See also CME Letter at 11 (stating ``instead of 
setting firm time limits under which an entity is required to submit 
notifications of material systems changes under Rule 1000(b)(6), the 
Commission should instead simply require `timely advance notice of 
all material planned changes to SCI systems that may impact the 
reliability, security, or adequate scalable capacity of such 
systems''').
    \1021\ See FINRA Letter at 27.
---------------------------------------------------------------------------

    One commenter suggested that SCI entities be required to keep 
records of all systems changes and technical issues, and make that 
information available to the Commission upon request.\1022\ If the 
Commission decides to retain the notification requirement, this 
commenter recommended that it be satisfied through periodic (ideally, 
quarterly) reporting of material systems changes.\1023\ One commenter 
believed the Commission should allow all 30-day advance notifications 
regarding pending material systems changes to be communicated orally, 
and only submitted in writing after development and testing is 
completed and the feature is finalized.\1024\
---------------------------------------------------------------------------

    \1022\ See OTC Markets Letter at 20.
    \1023\ See id. This commenter also noted that this would allow 
for the elimination of proposed Rule 1000(b)(6)(ii), which required 
notices for material inaccuracies in prior notifications. See OTC 
Markets Letter at 20-22. According to this commenter, quarterly 
updates would disclose material deviations from plans described in a 
previous report, whether stemming from inaccuracies in prior reports 
or new information that prompts beneficial deviations from a systems 
implementation plan. See id.
    \1024\ See Omgeo Letter at 22.
---------------------------------------------------------------------------

    The Commission believes that the adopted quarterly reporting 
requirement is responsive to commenters who requested additional 
flexibility or time for material systems change notifications, as well 
as to commenters who suggested that such notices be submitted on a 
periodic or quarterly basis.\1025\ The Commission does not agree with 
the commenters who suggested that the Commission completely eliminate 
the advance notification requirements. The Commission believes that 
advance notifications of planned material systems changes will help 
ensure that the Commission has up-to-date information regarding 
important future systems changes at an SCI entity, to aid in its 
understanding of the operations and functionality of the systems post-
change.\1026\ As adopted, Rule 1003(a)(1) requires an SCI entity to 
provide the Commission with advance notification of planned material 
systems changes in the current and subsequent quarters through the 
quarterly reports. As noted above, after considering the views of 
commenters, the Commission is not adopting the proposed 30-day advance 
notification requirement for each material systems change.
---------------------------------------------------------------------------

    \1025\ Because the Commission is only adopting a quarterly 
reporting requirement for material systems changes, the adopted 
approach is responsive to a commenter's suggestion that 
notifications of changes to lower criticality systems could be 
provided at the time of the change or periodically. See supra note 
1019 and accompanying text.
    \1026\ The Commission acknowledges that there may occasionally 
be unexpected material systems changes that are not reported to the 
Commission in advance, but expects that material systems changes 
generally will be planned well in advance and reported in the 
quarterly report accordingly.
---------------------------------------------------------------------------

    The Commission is also not adopting commenters' suggestion that 
material systems changes be reported semi-annually or annually.\1027\ 
As noted in the SCI Proposal, proposed Rule 1000(b)(8)(ii) required 
semi-annual reports because the proposal would have separately required 
information relating to each planned material systems change to be 
submitted at least 30 calendar days before its implementation.\1028\ 
Thus, in the SCI Proposal, the Commission stated its preliminary view 
that requiring ongoing summary reports more frequently would not be 
necessary.\1029\ At the same time, the Commission expressed the concern 
that a longer period of time would permit significant updates and 
milestones relating to systems changes to occur without notice to the 
Commission.\1030\ Because the Commission is not adopting the 30-day 
advance notification requirement, the Commission believes that it is 
appropriate to require more frequent reports of material systems 
changes than on a semi-annual basis. Further, as noted above, some 
commenters suggested quarterly reports, which is consistent with the 
practice of some entities under the ARP Inspection Program.\1031\
---------------------------------------------------------------------------

    \1027\ See supra notes 1015-1017 and accompanying text.
    \1028\ See Proposing Release, supra note 13, at 18124.
    \1029\ See id.
    \1030\ See id.
    \1031\ See supra notes 1021, 1023 and accompanying text.
---------------------------------------------------------------------------

    The Commission does not agree with the commenter who suggested that 
Regulation SCI should only require SCI entities to keep records of all 
systems changes and make that information available to the Commission 
upon request.\1032\ Similarly, the Commission does not agree with 
commenters who suggested that SCI entities be given discretion to 
determine the timing of the reports.\1033\ The Commission believes that 
quarterly reporting of material systems changes will help ensure that 
the Commission has, on an ongoing basis, a comprehensive view and up-
to-date information regarding material systems changes at an SCI 
entity.
---------------------------------------------------------------------------

    \1032\ See supra note 1022 and accompanying text. As discussed 
above, this commenter also stated that, if the Commission decides to 
retain the notification requirement for material systems changes, 
the Commission should require periodic (ideally, quarterly) 
reporting. See supra note 1023 and accompanying text. Adopted Rule 
1003(a)(1) is consistent with this commenter's alternative 
suggestion.
    \1033\ See supra note 1021 and accompanying text. See also supra 
note 1020.
---------------------------------------------------------------------------

    With respect to the commenter who suggested that all 30-day advance 
material systems change notifications should be provided orally, and 
submitted in writing only after the changes are fully tested and 
implemented,\1034\ the Commission notes that it is not adopting the 
proposed 30-day advance notification requirement for material systems 
changes.
---------------------------------------------------------------------------

    \1034\ See supra note 1024 and accompanying text.
---------------------------------------------------------------------------

    With respect to the commenter who suggested giving SCI entities 
discretion to determine the format for reporting changes to the 
Commission,\1035\ the Commission notes that Rule 1003(a) does not 
prescribe a specific style that the quarterly reports should take. The 
Commission intends for the quarterly report to allow the Commission and 
its staff to gain a sufficient level of understanding of the material 
systems changes that have been implemented, are on-going, and are 
planned for the future, which would aid the Commission and its staff in 
understanding the operations and functionality of the systems of an SCI 
entity and any changes to such systems. In particular, the Commission 
notes that Rule 1003(a)(1) only specifically requires the quarterly 
reports to ``describe'' the material systems changes and the dates or 
expected dates of their commencement and completion. Therefore, Rule 
1003(a)(1) gives each

[[Page 72340]]

SCI entity reasonable flexibility in determining precisely how to 
describe its material systems changes in the report in a manner that 
best suits the needs of that SCI entity as well as the needs of the 
Commission and its staff.\1036\ In addition, to the extent the 
Commission seeks additional information about a given change noted in a 
quarterly report, an SCI entity would be required to provide Commission 
staff with such information in accordance with Rule 1005 (Recordkeeping 
Requirements Related to Compliance with Regulation SCI).\1037\
---------------------------------------------------------------------------

    \1035\ See supra note 1021 and accompanying text.
    \1036\ See also Omgeo Letter at 43 (requesting that the 
Commission specify in the final rule the required content for a 
planned material systems change notification).
    \1037\ See infra Section IV.C.
---------------------------------------------------------------------------

    The Commission also notes that the quarterly reports are required 
to include descriptions of material systems changes during the prior 
calendar quarter that were completed, ongoing, or planned. Therefore, 
if a report for the first quarter of a given year discusses the SCI 
entity's plan to implement a particular series of material changes to 
an SCI system, Rule 1003(a)(1) requires that, in the report for the 
second quarter of that year, the SCI entity describe the material 
systems changes that were completed, ongoing, and planned in the first 
quarter, including the planned changes discussed in the prior quarter's 
report, as applicable.
    Several commenters expressed concern that the proposed 30-day 
advance notification requirement would potentially give the Commission 
new authority to ``reject'' a Form SCI filing describing material 
systems changes, similar to the way the Commission may reject an 
improperly filed proposed rule change pursuant to Rule 19b-4 under the 
Exchange Act.\1038\ Three commenters requested that the Commission 
clarify how proposed Rule 1000(b)(6) would relate to Rule 19b-4, 
suggesting that there may be unnecessary redundancy between the two 
processes.\1039\ Another commenter suggested limiting the types of 
changes that would require 30-day advance notification to those changes 
that are already required to be filed with the Commission as proposed 
rule changes for immediate effectiveness under Section 19(b)(3)(A) of 
the Exchange Act (excluding those filings that would not become 
operative for 30 days after the date of the filing because those 
filings would already provide the Commission with 30 days' advance 
notification of the material systems changes).\1040\ This commenter 
also noted that where a material systems change would be filed for 
approval under Section 19(b)(2) of the Exchange Act, the Section 
19(b)(2) approval process provides the Commission sufficient 
notification of the systems change.\1041\ One commenter stated that 
proposed Rule 1000(b)(6) was improperly premised on the notion that the 
Commission should be responsible for a minutely-detailed understanding 
of the IT infrastructure of SCI entities and for assessing prospective 
changes in advance of their implementation.\1042\
---------------------------------------------------------------------------

    \1038\ See Omgeo Letter at 23; and SIFMA Letter at 16. See 
Section 19(b) of the Exchange Act, 15 U.S.C. 78s(b).
    \1039\ See KCG Letter at 19; Joint SROs Letter at 8; and FIF 
Letter at 5.
    \1040\ See MSRB Letter at 22.
    \1041\ See MSRB Letter at 22. This commenter also suggested that 
material systems changes (other than those filed pursuant to Rule 
19b-4 under the Exchange Act) be reported semi-annually, or that de 
minimis changes be excepted from the notice requirement altogether 
if the Commission continues to require 30-day advance notification. 
See MSRB Letter at 22-23. As discussed above, the Commission is 
adopting a quarterly reporting requirement for systems changes that 
an SCI entity determines to be material.
    \1042\ See Direct Edge Letter at 1, 8. See also ITG Letter at 
13-14 (stating that the Exchange Act does not enable the Commission 
to ``bootstrap its SRO rule review authority or its national market 
system authority to force regulated entities to submit upcoming 
material systems changes for agency approval'' and that ``the 
Commission need only receive notifications when they are a 
significant part of proposed rule changes by SROs or amendments to 
Form ATS of material changes to the operation of the ATS'').
---------------------------------------------------------------------------

    The Commission disagrees with commenters who believed that material 
systems change reports are redundant given the rule filing requirements 
of Rule 19b-4 under the Exchange Act, or that material systems change 
reports should not be required if the SCI entity submitted certain 
types of rule filings regarding the same change.\1043\ The Commission 
acknowledges that some systems changes require proposed rule changes 
under Rule 19b-4, and some Rule 19b-4 proposed rule changes result in 
systems changes. However, based on Commission staff's experience with 
the ARP Inspection Program and the rule filing process, the Commission 
believes that the type of information regarding systems changes 
included in rule filings is different from the type of information that 
will be included in reports on material systems changes. In particular, 
the technical details or specifications of SCI systems and indirect SCI 
systems are generally not specifically set forth in the rules of an SCI 
SRO. Therefore, technical information regarding systems changes is 
usually not set forth in rule filings. In addition, the Commission 
notes that the rule filing process and the material systems change 
reports serve different purposes. In particular, the material systems 
change reports are intended to inform the Commission and its staff of 
important technical changes to an SCI entity's systems. On the other 
hand, the rule filing process provides notice of changes to an SCI 
entity's rules, including, for example, the statutory basis for such 
changes, and in some cases seeks approval by the Commission of the rule 
changes. Therefore, if an SCI SRO submits a rule filing regarding a 
particular systems change and the change is also included in a material 
systems change report, the information included in the rule filing may 
not necessarily further the goal of the material systems change 
reporting requirement, and the information included in the material 
systems change report may not necessarily assist in the Commission's 
review of the rule filing. Moreover, commenters' concern regarding the 
redundancy between the rule filing process and the material systems 
change reports stemmed from concerns regarding the 30-day advance 
notification requirement. As discussed above, the Commission is not 
adopting a 30-day advance notification requirement.
---------------------------------------------------------------------------

    \1043\ See supra notes 1039-1041 and accompanying text. The 
Commission notes that the requirement under Regulation SCI to submit 
reports of material systems changes does not alter an SRO's 
obligation to file proposed rule changes, the obligation of 
participants of an SCI Plan to file a proposed amendment to such SCI 
Plan, or any other obligation any SCI entity may have under the 
Exchange Act or rules thereunder.
---------------------------------------------------------------------------

    The Commission also reiterates that the material systems change 
reports are intended to inform the Commission and its staff of such 
changes and help the Commission in its oversight of U.S. securities 
market infrastructure. Regulation SCI does not provide for a new 
approval process for SCI entities' material systems changes. As such, 
Commission staff will not use material systems change reports to 
require any approval of prospective systems changes in advance of their 
implementation pursuant to any provision of Regulation SCI,\1044\ or to 
delay implementation of material systems changes pursuant to any 
provision of Regulation SCI.\1045\
---------------------------------------------------------------------------

    \1044\ See supra note 1042 and accompanying text.
    \1045\ See supra note 1038 and accompanying text.
---------------------------------------------------------------------------

    Three commenters questioned the Commission's legal authority to 
adopt the proposed material systems change notification requirements, 
including, in particular, those set forth in proposed Rule 
1000(b)(6).\1046\ For the reasons

[[Page 72341]]

discussed above in Section IV.B.3.c, the Commission disagrees with 
these comments and believes that adopted Rule 1003(a) will assist the 
Commission in its oversight of U.S. securities market infrastructure 
consistent with its legal authority under the Exchange Act.
---------------------------------------------------------------------------

    \1046\ See NYSE Letter at 4 (stating the belief that 
``[a]uthority to facilitate a national market or assure economically 
efficient execution of securities transaction is remote from close, 
minute regulation of computer systems and computer security''); ITG 
Letter at 13 (stating the belief that the proposed notification 
requirement for material systems changes ``would extend the SEC's 
reach far beyond that of a securities regulator and instead enable 
it to regulate the IT process of marketplace participants'' and that 
the Exchange Act does not enable the Commission to ``bootstrap its 
SRO rule review authority or its national market system authority to 
force regulated entities to submit upcoming material systems changes 
for agency approval''); and KCG Letter at 19 (stating the belief 
that ``[t]he Commission does not have authority to stop 
implementation of systems changes by ATSs or systems changes that 
exchanges are not required to submit under Section 19(b) of the 
Exchange Act'').
---------------------------------------------------------------------------

    In light of the 30-day advance notification requirement in proposed 
Rule 1000(b)(6), some commenters suggested eliminating the semi-annual 
reporting requirement in proposed Rule 1000(b)(8)(ii) because they 
considered it duplicative and unnecessary.\1047\ One commenter believed 
that the required semi-annual reporting requirement was excessive and 
should instead be incorporated into the annual reporting obligations in 
proposed Rule 1000(b)(8)(i).\1048\ As discussed above, the Commission 
is adopting a quarterly reporting requirement under Rule 1003(a)(1) and 
is not adopting the proposed 30-day advance notification requirement. 
Therefore, the Commission is not adopting the requirement in proposed 
Rule 1000(b)(8)(ii) for semi-annual progress reports.
---------------------------------------------------------------------------

    \1047\ See Omgeo Letter at 24-25; and OCC Letter at 16.
    \1048\ See CME Letter at 11.
---------------------------------------------------------------------------

ii. Definition of Material Systems Change
    Commenters generally opposed the proposed definition of material 
systems change. Many commenters stated their belief that the term was 
too broad and would therefore necessitate an excessive number of 
notifications of material systems changes.\1049\ Some commenters 
believed that the definition should be revised and offered a variety of 
suggestions.\1050\ Several commenters advocated for creating a risk-
based definition whereby, for example, notifications are only required 
for those material systems changes that pose a risk to critical 
operations of an entity.\1051\ One commenter suggested that the 
requirement focus on SCI systems only.\1052\ One commenter stated that 
SCI entities should be afforded flexibility to establish reasonable 
standards for defining material systems changes for their 
systems.\1053\
---------------------------------------------------------------------------

    \1049\ See, e.g., BATS Letter at 14; MFA Letter at 6; ICI Letter 
at 4; BIDS Letter at 14; Liquidnet Letter at 3; FINRA Letter at 24-
26; MSRB Letter at 22; NYSE Letter at 26-27; Joint SROs Letter at 7; 
CME Letter at 5; Oppenheimer Letter at 3; OTC Markets Letter at 20-
21; and Direct Edge Letter at 3.
    \1050\ See, e.g., BATS Letter at 14-15 (recommending that only 
those material systems changes that are reported to an SCI entity's 
board of directors or similar body should be required to be reported 
to the Commission, which BATS stated is the standard it uses 
currently for the ARP Inspection Program); OCC Letter at 15 (stating 
that the reporting of systems changes to the board of directors, or 
to a similar governing body, is a more appropriate standard for 
determining materiality than reporting to ``senior management''); 
BIDS Letter at 14-15 (stating its belief that the Commission should 
define a ``material systems change'' to be a large-scale 
architectural upgrade, the implementation of industry-wide rules or 
other market structure changes, or other technology changes that may 
be required because of changes in trading rules defined in the 
exchange's or the ATS's trading rule book); and FIF Letter at 5 
(recommending that the term be defined to include significant 
functional enhancements, major technology infrastructure changes, or 
changes requiring member/participant notifications).
    \1051\ See, e.g., OCC Letter at 15; DTCC Letter at 16; Liquidnet 
Letter at 3; MFA Letter at 6; ICI Letter at 4; CME Letter at 5; and 
Direct Edge Letter at 4.
    \1052\ See NYSE Letter at 27.
    \1053\ See FINRA Letter at 27.
---------------------------------------------------------------------------

    Several commenters sought guidance from the Commission on the 
materiality threshold, which commenters believed was unclear, 
explaining, for example, that the term ``material'' appears both in the 
term ``material systems change'' and in the definition of that 
term.\1054\ Similarly, several commenters requested that the Commission 
provide more guidance on the meaning of ``material'' in the context of 
systems changes because, although the wording of the proposed 
definition contained the concept of ``materiality,'' the commenters 
believed some of the examples provided in the SCI Proposal to be non-
material.\1055\ One commenter asked that the Commission clearly define 
what types of systems changes are not subject to the prior notification 
requirement in order to avoid receiving notices of all systems changes, 
material or otherwise.\1056\ One commenter asked that the Commission 
clarify the meaning of ``material'' and confirm that prior notification 
would not be required for changes that do not pertain to the production 
environment.\1057\
---------------------------------------------------------------------------

    \1054\ See Direct Edge Letter at 3-4; OCC Letter at 15; and NYSE 
Letter at 26.
    \1055\ See, e.g., Joint SROs Letter at 7; DTCC Letter at 15-16; 
Omgeo Letter at 23; OCC Letter at 15; FINRA Letter at 27; OTC 
Markets Letter at 20-21; BIDS Letter at 14; Direct Edge Letter at 3-
4; and ISE Letter at 8. See also supra note 1050.
    \1056\ See KCG Letter at 20.
    \1057\ See SIFMA Letter at 15-16.
---------------------------------------------------------------------------

    Rather than adopting a detailed definition of material systems 
change as proposed, Rule 1003(a)(1) requires an SCI entity to establish 
reasonable written criteria for identifying a change to its SCI systems 
and the security of indirect SCI systems as material and to report to 
the Commission those changes the SCI entity identified as material in 
accordance with such criteria. This change is responsive to a 
commenter's suggestion that SCI entities should be granted flexibility 
to establish reasonable standards for determining whether a systems 
change is material. In addition, the Commission does not believe that 
it is appropriate to adopt a precise definition for the term ``material 
systems change'' because SCI entities differ in nature, size, 
technology, business model, and other aspects of their businesses. The 
Commission notes that there currently is no industry definition of 
``material systems change'' that is applicable to all SCI entities that 
can serve as the basis for a precise definition of the term ``material 
systems change'' in Regulation SCI, and believes that whether a systems 
change is material is dependent on the facts and circumstances, such as 
the reason for the change and how it may impact operations. Moreover, 
requiring SCI entities to establish their own reasonable criteria for 
identifying material systems changes reflects the Commission's view 
that an SCI entity is in the best position to determine, in the first 
instance, whether a change, or series of changes, is material in the 
context of its systems. Because adopted Rule 1003(a)(1) allows each SCI 
entity to identify material systems changes, it is responsive to 
commenters' concern that the proposed definition was too broad and 
would result in an excessive number of notifications, and to 
commenters' suggestion that the definition should be revised.
    Further, the Commission's determination to not adopt the proposed 
definition of material systems change mitigates commenters' concern 
that the proposed definition was unclear. In particular, by eliminating 
the proposed definition of material systems change, the Commission 
seeks to eliminate the confusion caused by the proposed definition of 
this term, which contained the word ``material.'' Moreover, some 
commenters requested additional clarity on the definition of material 
systems change because they believed that some of the examples the 
Commission provided in the SCI Proposal were not material systems 
changes. Because adopted Rule 1003(a)(1) requires SCI entities to 
establish reasonable written criteria for identifying material systems 
changes, SCI entities will not be required to identify material systems 
changes in accordance with the detailed definition and examples from 
the SCI

[[Page 72342]]

Proposal. Rather, an SCI entity will have reasonable discretion in 
establishing the written criteria in order to capture the systems 
changes that it believes are material. Specifically, the Commission 
believes that adopted Rule 1003(a) is sufficiently flexible to allow 
each SCI entity to identify changes that it believes are material, 
which may include some of the suggestions identified by the commenters 
if an SCI entity determines such changes to be appropriate to include 
in its criteria for identifying material systems changes. For example, 
if an SCI entity reasonably believes that its systems changes are 
material if they involve significant functional enhancements, major 
technology infrastructure changes, or changes requiring member/
participant notifications, and such criteria are set forth in the SCI 
entity's reasonable written criteria, the SCI entity may identify 
material systems changes in accordance with such written criteria. 
Likewise, if an SCI entity reasonably believes that some of the 
examples of material systems changes identified in the SCI Proposal can 
appropriately serve as criteria for identifying material systems 
changes, and such criteria are set forth in the SCI entity's reasonable 
written criteria, the SCI entity may identify material systems changes 
in accordance with such written criteria.
    In response to a commenter's suggestion that the Commission clearly 
define what types of systems changes are not subject to the prior 
notification requirement in order to avoid notification of all systems 
changes, material or otherwise, the Commission notes that Rule 
1003(a)(1) specifically requires SCI entities to identify material 
systems changes and report only material systems changes. With respect 
to a commenter's question regarding whether prior notification would be 
required for changes that do not pertain to the production environment, 
the Commission notes that SCI systems do not include development and 
testing systems, although indirect SCI systems could include 
development and testing systems if they are not walled-off from SCI 
systems. Therefore, Rule 1003(a) could apply to material changes to the 
security of development and testing systems that are not walled-off 
from SCI systems. Finally, with respect to a commenter's suggestion 
that Rule 1003(a) focus only on SCI systems, the Commission believes 
that notifications of material systems changes regarding the security 
of indirect SCI systems are important to the Commission's oversight of 
U.S. securities market infrastructure. At the same time, the Commission 
notes that Rule 1003(a)(1) provides that each SCI entity establish its 
own reasonable criteria for identifying a change to the security of its 
indirect SCI systems as material. Therefore, to the extent that an SCI 
entity determines that certain changes to the security of its indirect 
SCI systems are not material in accordance with its reasonable written 
criteria, such changes are not required to be reported to the 
Commission.
    As with an SCI entity's other policies and procedures under 
Regulation SCI, Commission staff may review an SCI entity's established 
criteria relating to the materiality of a systems change (e.g., in the 
course of an examination) to determine whether it agrees with the SCI 
entity's assessment that such criteria are reasonable and in compliance 
with the requirements of Rule 1003(a). The Commission believes that, by 
providing SCI entities flexibility in establishing the criteria and 
reviewing SCI entities' established criteria, it strikes the proper 
balance between granting discretion to SCI entities and ensuring that 
SCI entities carry out their obligations under Regulation SCI.
iii. Adopted Rule 1003(a)(2): Supplemental Material Systems Change 
Reports
    A commenter who advocated for a quarterly reporting requirement 
noted that quarterly updates would disclose material deviations from 
plans described in a previous report, including those stemming from 
inaccuracies in prior reports.\1058\ Another commenter similarly noted 
that periodic reporting of any inaccuracies is sufficient for oversight 
purposes.\1059\ The Commission believes that there may be circumstances 
in which an SCI entity realizes that information previously provided to 
the Commission in a quarterly report was materially inaccurate or that 
the quarterly report omitted material information. The Commission 
believes that it should, on an ongoing basis, have complete and correct 
information regarding material systems changes at an SCI entity, rather 
than waiting until the next quarterly report to receive corrected 
information, as suggested by these commenters. The Commission is 
therefore adopting Rule 1003(a)(2), which requires an SCI entity to 
promptly submit a supplemental report to notify the Commission of a 
material error in or material omission from a report previously 
submitted under Rule 1003(a)(1). The Commission notes that the 
supplemental report requirement applies only if the error or omission 
in a prior report is material.
---------------------------------------------------------------------------

    \1058\ See OTC Markets Letter at 22.
    \1059\ See NYSE Letter at 28.
---------------------------------------------------------------------------

5. SCI Review--Rule 1003(b)
    Proposed Rule 1000(b)(7) required an SCI entity to conduct an SCI 
review of the SCI entity's compliance with Regulation SCI not less than 
once each calendar year, and submit a report of the SCI review to 
senior management of the SCI entity no more than 30 calendar days after 
completion of such SCI review.\1060\ Further, proposed Rule 
1000(b)(8)(i) required an SCI entity to submit to the Commission a 
report of the SCI review required by paragraph (b)(7), together with 
any response by senior management, within 60 calendar days after its 
submission to senior management of the SCI entity.\1061\
---------------------------------------------------------------------------

    \1060\ See proposed Rule 1000(b)(7) and Proposing Release, supra 
note 13, at Section III.C.5.
    \1061\ See proposed Rule 1000(b)(8)(i) and Proposing Release, 
supra note 13, at Section III.C.6.
---------------------------------------------------------------------------

    Proposed Rule 1000(a) defined the term ``SCI review'' to mean a 
review, following established procedures and standards, that is 
performed by objective personnel having appropriate experience in 
conducting reviews of SCI systems and SCI security systems, and which 
review contains: (1) A risk assessment with respect to such systems of 
the SCI entity; and (2) an assessment of internal control design and 
effectiveness to include logical and physical security controls, 
development processes, and information technology governance, 
consistent with industry standards.\1062\ In addition, the proposed 
definition provided that such review must include penetration test 
reviews of the SCI entity's network, firewalls, and production systems 
at a frequency of not less than once every three years.\1063\
---------------------------------------------------------------------------

    \1062\ See proposed Rule 1000(a) and Proposing Release, supra 
note 13, at Section III.C.5.
    \1063\ See id.
---------------------------------------------------------------------------

    The Commission is adopting the provisions relating to SCI reviews 
with modifications in response to comment. In addition, the Commission 
is adopting a definition of ``senior management'' in Rule 1000 for 
purposes of the SCI review requirement.
    Some commenters expressed support for the proposed requirements for 
SCI reviews,\1064\ with a few advocating that the SCI review be 
conducted by an independent third party, rather than ``objective 
personnel.'' \1065\ One commenter noted that it agreed that annual SCI 
reviews and reports can have a meaningful impact on improving

[[Page 72343]]

technology and business practices.\1066\ Another commenter expressed 
support for proposed Rule 1000(b)(7), but asked for clarification that 
any review of a processor under an NMS plan be performed independently 
of reviews of the same entity in other capacities (e.g., as an exchange 
or other SCI entity).\1067\
---------------------------------------------------------------------------

    \1064\ See, e.g., MSRB Letter at 23; Lauer Letter at 5; Better 
Markets Letter at 5; and Direct Edge Letter at 9.
    \1065\ See Lauer Letter at 5; Better Markets Letter at 5; and 
BlackRock Letter at 4.
    \1066\ See FIF Letter at 6 (expressing support for the SCI 
review requirement while also providing suggestions for 
modifications to the rule).
    \1067\ See Direct Edge Letter at 9.
---------------------------------------------------------------------------

    With regard to the suggestion that the Commission adopt a 
requirement that SCI reviews be conducted by an independent third party 
rather than ``objective personnel'' as proposed,\1068\ the Commission 
continues to believe that it is appropriate to permit SCI reviews to be 
performed by personnel of the SCI entity or an external firm, provided 
that such personnel are, in fact, objective and, as required by rule, 
have the appropriate experience to conduct reviews of SCI systems and 
indirect SCI systems. Experienced personnel should have the knowledge 
and skills necessary to conduct such reviews. In the SCI Proposal, the 
Commission noted that to satisfy the criterion that an SCI review be 
conducted by ``objective personnel,'' it should be performed by persons 
who have not been involved in the development, testing, or 
implementation of such systems being reviewed.\1069\ The Commission 
continues to believe that persons who were not involved in the process 
for development, testing, and implementation of the systems being 
reviewed would generally be in a better position to identify weaknesses 
and deficiencies that were not identified in the development, testing, 
and implementation stages. The Commission believes that, given the 
requirement that such personnel be ``objective,'' any personnel with 
conflicts of interest that have not been adequately mitigated to allow 
for objectivity should be excluded from serving in this role. In 
particular, the Commission believes that a person or persons conducting 
an SCI review should not have a conflict of interest that interferes 
with their ability to exercise judgment, express opinions, and present 
recommendations with impartiality. While the Commission recognizes 
that, as one commenter asserted, all personnel of an SCI entity could 
be viewed as having some level of conflict of interest,\1070\ the 
Commission believes that SCI entities can have appropriate policies and 
procedures in place to mitigate such conflicts or to help ensure that 
certain departments and/or specified personnel (such as internal audit 
departments) are appropriately insulated from such conflicts so as to 
be able to objectively conduct SCI reviews.\1071\
---------------------------------------------------------------------------

    \1068\ See supra note 1065 and accompanying text.
    \1069\ See Proposing Release, supra note 13, at 18123.
    \1070\ See Better Markets Letter at 5.
    \1071\ For example, the Commission believes that many entities 
implement a reporting structure pursuant to which internal audit 
employees or departments report directly to the board of directors 
or an audit committee of the board. The Commission notes that, while 
utilizing external personnel (i.e., third parties) to conduct an SCI 
entity's SCI review generally would not raise the same concerns 
regarding objectivity, the SCI entity would likewise need to 
mitigate any conflicts of interest that would prevent such personnel 
from meeting the objectivity standard required for an SCI review. 
For example, among the factors an SCI entity may consider in 
evaluating the objectivity of a third party review could be who 
within the SCI entity is managing the third party review, is setting 
the scope of review, is authorizing payment for such review, and has 
the authority to review and comment on the third party report, among 
others. Further, an SCI entity may consider the third party's 
ability to remain objective in light of any other services provided 
by the third party to the SCI entity.
---------------------------------------------------------------------------

    Accordingly, the Commission believes that the goals of Regulation 
SCI can be achieved through reviews by either internal objective 
personnel or external objective personnel. Taking into consideration 
the advantages and disadvantages associated with each approach, each 
SCI entity should make its own determination regarding the levels of 
review or assurance that can be provided by different personnel, the 
best means to ensure their objectivity, and whether it is appropriate 
to incur the additional costs of an independent third party review. An 
SCI entity may, for example, determine that it is appropriate to 
utilize personnel not employed by the SCI entity (i.e., third parties) 
to conduct such review each year or only on a less frequent, periodic 
basis (e.g., every three years), or only with regard to certain of its 
systems. In addition, with regard to one commenter's suggestion that an 
SCI review should be performed independently for each capacity in which 
an SCI entity acts, the Commission notes that the definition of SCI 
review and provisions of Rule 1003(b) require that an SCI entity 
perform a review, following established procedures and standards, for 
compliance with Regulation SCI that includes a risk assessment of the 
SCI entity's SCI systems and indirect SCI systems and an assessment of 
internal control design and effectiveness of such systems and does not 
require an SCI entity that serves in two different capacities with 
respect to Regulation SCI to conduct two independent SCI reviews. The 
Commission believes that, as a practical matter, an SCI entity may 
determine that, to comply with these requirements, it is necessary to 
conduct separate assessments and analysis for each capacity of the SCI 
entity, because the standards used, risk assessments, applicable 
policies and procedures, and assessment of internal control design and 
effectiveness are different with regard to the distinct and differing 
functions of the SCI entity in each capacity. For example, an entity 
that meets both the definition of an SCI SRO and a plan processor may 
determine that it is necessary to conduct separate reviews for each 
function performed, because, for instance, the findings of a risk 
assessment determine that certain SCI systems fall into the category of 
``critical SCI systems'' with regard to the functions of the plan 
processor, but not with regard to the functions of the SRO. At the same 
time, the Commission notes that, even where separate reviews are 
conducted, there may be certain overlap in conducting such reviews (for 
example, the entity may use the same objective reviewer for each 
function performed), such reviews may be conducted at the same time, 
and a single SCI review report may contain findings for each capacity.
    While other commenters also supported some form of review, many of 
these commenters stated that the term SCI review is defined too broadly 
and/or that the SCI review requirements should allow more 
flexibility.\1072\ Some commenters expressed concerns about the need to 
review all systems on an annual basis, which they argued could be 
costly, burdensome, and unnecessary.\1073\ Several commenters suggested 
the adoption of a risk-based approach for determining the scope of the 
review, which would entail conducting a risk assessment to determine 
which systems should be reviewed and how often.\1074\ Under such an 
approach, the highest risk systems would be reviewed more frequently 
than other, less critical systems, which could be reviewed less 
frequently than annually or on a rotational basis. Similarly, one

[[Page 72344]]

commenter recommended that SCI reviews should be focused only on those 
core systems capable of having a material impact on members or 
participants, and ``adjacent'' systems should not be subject to the 
review process.\1075\
---------------------------------------------------------------------------

    \1072\ See, e.g., FINRA Letter at 39-41; Omgeo Letter at 23-24; 
OCC Letter at 19; NYSE Letter at 35; SIFMA Letter at 17; DTCC Letter 
at 16-17.
    \1073\ See, e.g., FINRA Letter at 39-41; Omgeo Letter at 23-24; 
OCC Letter at 19; NYSE Letter at 35; DTCC Letter at 16-17; and BIDS 
Letter at 11.
    \1074\ See, e.g., FINRA Letter at 39-41; OCC Letter at 19; NYSE 
Letter at 35; SIFMA Letter at 17; DTCC Letter at 16-17; LiquidPoint 
Letter at 3; and Omgeo Letter at 24. One commenter noted that the 
proposed SCI review requirement essentially eliminated the ability 
to utilize its current risk assessment approach to determine the 
frequency of review for each system (ranging from annually to once 
every four years). See FINRA Letter at 40.
    \1075\ See FIF Letter at 6.
---------------------------------------------------------------------------

    After considering the views of commenters, the Commission has 
determined to adopt the provisions relating to SCI reviews with 
modifications in response to comment.\1076\ Thus, adopted Rule 1003(b) 
requires an SCI entity to conduct an SCI review of the SCI entity's 
compliance with Regulation SCI not less than once each calendar 
year.\1077\ However, the Commission notes that, because it has revised 
the scope of the definition of ``SCI systems'' as described above, 
fewer systems of each SCI entity will be subject to the SCI review, 
thereby focusing the overall scope of the SCI review requirement.\1078\ 
Further, to address some commenters' concerns about the burdens and 
inflexibility of the proposed rule and the recommendation that the 
proposed rule utilize a more risk-based approach, the adopted rule is 
being revised to allow assessments of SCI systems directly supporting 
market regulation or market surveillance to be conducted, based upon a 
risk-assessment, at least once every three years, rather than 
annually.\1079\ SCI entities would be required to determine the 
specific frequency with which to conduct assessments of these systems 
depending on the risk assessment that they conduct as part of the 
annual SCI review, provided that these systems are assessed at least 
once every three years. The Commission believes that market regulation 
and market surveillance systems have the potential to pose less risk to 
an entity or the market than other SCI systems. While the Commission 
believes that these systems are essential to investor protection and 
market integrity and that they can pose a significant risk to the 
markets in the event of a systems issue, the Commission also believes 
that certain market regulation and market surveillance systems may not 
have as immediate or widespread of an impact on the maintenance of fair 
and orderly markets or an entity's operational capability as the other 
categories of systems included within the definition of SCI systems. 
While a systems issue affecting a trading system could result in the 
immediate inability of a market, and thus market participants, to 
continue trading on such system and potentially impact trading on other 
markets as well, the Commission believes that the temporary disruption 
or failure of an SCI entity's market regulation and/or market 
surveillance systems in the wake of a wide-scale disruption would 
likely not have as direct an impact on market participants' ability to 
continue to trade. Thus, after considering commenters' views regarding 
the costs and burdens of the proposed SCI review requirements, as well 
as the suggestion that the Commission incorporate more of a risk-based 
approach in Regulation SCI, the Commission believes that a longer 
frequency of review of these systems may be appropriate in cases where 
the risk assessment conducted as part of the SCI review results in such 
a determination. The Commission also notes that, as originally proposed, 
the rule would have required penetration test reviews of the SCI 
entity's network, firewalls and development, testing, and production 
systems at a frequency of not less than once every three years in 
recognition of the potentially significant costs that may be associated 
with the performance of such tests.\1080\ However, consistent with 
modifications to the definition of SCI systems, references to 
development and test systems have been deleted in adopted Rule 
1003(b)(1)(i).\1081\ The Commission notes that an SCI entity may, 
however, determine that, based on its risk assessment, it is appropriate 
and/or necessary to conduct such penetration test reviews more 
frequently than once every three years.
---------------------------------------------------------------------------

    \1076\ See adopted Rule 1003(b). However, the Commission is 
moving the clause regarding penetration test reviews from the 
definition of SCI review into Rule 1003(b), which addresses the 
timing of reviews. Further, the adopted definition of SCI review 
will require that the objective reviewer have ``appropriate 
experience to conduct reviews'' rather than ``appropriate experience 
in conducting reviews'' as proposed. The Commission believes this 
revision is appropriate given that, prior to the adoption of 
Regulation SCI today, no individual or entity would have experience 
in conducting the specific SCI reviews required by Rule 1003(b). 
Rather, the Commission believes that there are individuals or 
entities that have experience in conducting reviews, audits, and/or 
testing similar to the functions that would be necessary to address 
certain aspects of the SCI review requirement, and thus, the 
objective reviewer should have this type of appropriate experience 
that would allow them to conduct SCI reviews in accordance with the 
requirements of Regulation SCI. Thus, as adopted, the term ``SCI 
review'' means ``a review, following established procedures and 
standards, that is performed by objective personnel having 
appropriate experience to conduct reviews of SCI systems and 
indirect SCI systems, and which review contains: (1) A risk 
assessment with respect to such systems of an SCI entity; and (2) An 
assessment of internal control design and effectiveness of its SCI 
systems and indirect SCI systems to include logical and physical 
security controls, development processes, and information technology 
governance, consistent with industry standards.'' See Rule 1000. 
Further, the Commission is moving the requirement relating to 
reports to the Commission on SCI reviews from proposed Rule 
1000(b)(8) into Rule 1003(b) so that all provisions regarding SCI 
reviews are in the same rule.
    \1077\ See adopted Rule 1003(b)(1).
    \1078\ The Commission also notes that it has clarified that the 
definition of ``indirect SCI systems'' includes only those systems 
that have not been effectively logically or physically separated 
from SCI systems. Thus, the scope of the SCI review is also more 
focused than what some commenters may have believed. It is also 
further focused by the elimination of references to development and 
test systems from the penetration test requirement in adopted 
Rule 1003(b)(1)(i).
    \1079\ See adopted Rule 1003(b)(1)(ii).
    \1080\ As noted by some commenters, penetration tests are highly 
technical and would require special expertise, and thus the 
Commission believes such testing could potentially require 
substantial costs. See, e.g., DTCC Letter at 17; and Omgeo Letter at 
44. See also infra Sections V.D.2.d and VI.C.2.b.vi (discussing 
estimated costs associated with the SCI review requirement, which 
takes into consideration the costs of penetration testing) and 
Proposing Release, supra note 13, at 18123 (stating that the 
Commission seeks to balance the frequency of such tests with the 
costs associated with performing the tests). As noted in the SCI 
Proposal, the Commission believes that the penetration test reviews 
should help an SCI entity evaluate the system's security and 
resiliency in the face of attempted and successful intrusions. See 
id.
    \1081\ See supra Section IV.A.2.b (discussing elimination of 
development and test systems from the definition of SCI systems).
---------------------------------------------------------------------------

    The Commission is not, however, adopting a broader risk-based 
approach to determine the required frequency of an SCI review (i.e., 
for SCI systems other than market regulation and market surveillance 
systems), as suggested by some commenters.\1082\ The Commission 
believes that a critical element to ensuring the capacity, integrity, 
resiliency, and availability of SCI systems and indirect SCI systems is 
conducting an annual objective review to assess the risks of an SCI 
entity's systems and the effectiveness of its internal information 
technology controls and procedures. Such reviews will not only assist 
the Commission in improving its oversight of the technology 
infrastructure of SCI entities, but also each SCI entity in assessing 
the effectiveness of its information technology practices, helping to 
ensure compliance with the safeguards provided by the requirements of 
Regulation SCI, identifying potential areas of weakness that require 
additional or modified controls, and determining where to best devote 
resources. Further, the Commission believes that the competitive 
environment of today's securities markets drives SCI entities to 
continually update, modify, and introduce new technology and systems, 
often in an effort to meet specific business needs and achieve ``quick-
to-market'' results, potentially without

[[Page 72345]]

adequate focus on ensuring the continuous integrity of their systems. In 
addition, given today's fast-paced nature of technological advancement, 
existing controls can quickly become obsolete or ineffective and the 
relative criticality or risk nature of a system can change over time as 
well.\1083\ Further, as one commenter noted, it is not uncommon for 
entities to experience repeated unsuccessful attempts to gain access to 
their systems,\1084\ which the Commission believes can expose certain 
vulnerabilities not identified previously and, if successful, also 
create new vulnerabilities and risk. For these reasons, the Commission 
believes that it is appropriate to require an SCI entity to conduct an 
SCI review of its applicable systems not less than once every 12 
months.\1085\
---------------------------------------------------------------------------

    \1082\ See supra note 1074 and accompanying text.
    \1083\ In addition, the Commission believes changes in personnel 
with access to SCI systems throughout the year can create additional 
risk that should be considered in evaluating the risks of any 
particular system.
    \1084\ See SIFMA Letter at 11.
    \1085\ The Commission notes that, while the rule requires that 
an SCI review be conducted ``not less than once each calendar 
year,'' an SCI entity may determine that it is appropriate to 
conduct an assessment of an SCI system more frequently, particularly 
for critical SCI systems. See adopted Rule 1003(b)(1).
---------------------------------------------------------------------------

    Further, the Commission notes that, as described in detail above, 
Regulation SCI is consistent with a risk-based approach in several 
areas, and thus, a risk assessment is appropriate in order to determine 
the standards and requirements applicable to a given SCI system. As 
such, the Commission believes that it is appropriate to require SCI 
entities to conduct a risk-based assessment with regard to their SCI 
systems and indirect SCI systems as part of their SCI review at least 
annually to help ensure that SCI entities are meeting the requirements 
of Regulation SCI.\1086\
---------------------------------------------------------------------------

    \1086\ See adopted Rule 1003(b) and Rule 1000 (definition of 
``SCI review'').
---------------------------------------------------------------------------

    For the reasons noted above, the Commission believes it is 
appropriate to require that SCI reviews be conducted at least annually, 
rather than utilizing a risk-based approach to determine the frequency 
of the required SCI review.\1087\ At the same time, the Commission 
notes that this provision is consistent with a risk-based approach in 
that SCI entities may design the scope and rigor of the SCI review for 
a particular system based on its risk assessment of such system, 
provided that the review meets the requirements of the rule, such as 
including an assessment of internal control design and effectiveness to 
include logical and physical security controls, development processes, 
and information technology governance, consistent with industry 
standards \1088\ and performing penetration test reviews at least once 
every three years.\1089\
---------------------------------------------------------------------------

    \1087\ However, as discussed above, an SCI entity may conduct an 
SCI review of its market regulation and market surveillance systems 
based upon its risk assessment of such systems, but not less than 
once every three years. See adopted Rule 1003(b)(1)(ii).
    \1088\ See adopted Rule 1000 (definition of ``SCI review'').
    \1089\ See adopted Rule 1003(b)(1)(i).
---------------------------------------------------------------------------

    Some commenters sought clarification on various aspects of the SCI 
review requirement. One commenter stated that the term SCI review, as 
proposed, expanded significantly on what is required under ARP and 
asked for greater specificity as to the objectives and intended scope 
of the SCI review.\1090\ This commenter suggested, as an alternative, 
that the Commission establish an ``agreed upon procedures'' approach, 
which would involve outlining specific SCI review objectives and 
procedures that would be performed by an objective reviewer.\1091\ One 
commenter also requested that the Commission clarify whether there is a 
distinction between the existing ARP report and the SCI review and 
whether the ARP practice of on-site inspections would be 
eliminated.\1092\
---------------------------------------------------------------------------

    \1090\ See FINRA Letter at 39-40.
    \1091\ See id. at 40.
    \1092\ See OCC Letter at 19.
---------------------------------------------------------------------------

    With regard to the comment seeking clarity on the scope of the 
review as compared to what is done under the current ARP Inspection 
Program,\1093\ as noted in the SCI Proposal, the requirement for an 
annual SCI review was intended to formalize a practice in place under 
the current ARP Inspection Program in which SROs conduct annual systems 
reviews following established audit procedures and standards that 
result in the presentation of a report to senior SRO management on the 
recommendations and conclusions of the review.\1094\ Specifically, the 
ARP Policy Statements called for each SRO to have its automated systems 
reviewed annually by an ``independent reviewer'' \1095\ and stated that 
independent reviews and analysis should: ``(1) Cover significant 
elements of the operations of the automation process, including the 
capacity planning and testing process, contingency planning, systems 
development methodology and vulnerability assessment; (2) be performed 
on a cyclical basis by competent and independent audit personnel 
following established audit procedures and standards; and (3) result in 
the presentation of a report to senior SRO management on the 
recommendations and conclusions of the independent reviewer, which 
report should be made available to Commission staff for its review and 
comment.'' \1096\ Similar to (1) above, the definition of SCI review 
requires the review to contain an assessment of internal control design 
and effectiveness of its SCI systems and indirect SCI systems to 
include logical and physical security controls, development processes, 
and information technology governance, consistent with industry 
standards. Consistent with element (2), an SCI review must be performed 
by objective personnel having appropriate experience to conduct reviews 
of SCI systems and indirect SCI systems and must be performed following 
established procedures and standards. Finally, like item (3), Rule 
1003(b)(2)-(3) requires SCI entities to submit a report of the SCI 
review to senior management after completion of the review, and 
following submission to senior management, to submit a report of the 
SCI review to the Commission, along with any response by senior 
management. Senior management, after reviewing the report, should note, 
in addition to any other response that may be made, any material 
inaccuracy or omission that, to their knowledge, is in the report. In 
this regard, the Commission recognizes that senior managers, by virtue 
of their positions and experience, may have differing levels of 
knowledge regarding their entity's SCI systems and indirect SCI systems 
and compliance with Regulation SCI.
---------------------------------------------------------------------------

    \1093\ See supra note 1092 and accompanying text. See also supra 
note 1090 and accompanying text.
    \1094\ See Proposing Release, supra note 13, at 18123.
    \1095\ See ARP I, supra note 1, at 48706-07. ARP I provided that 
an ``independent reviewer'' could be either an internal auditor 
group or an external audit firm so long as the independent reviewer 
had the competence, knowledge, consistency, and independence 
sufficient to perform the role.
    \1096\ See ARP II, supra note 1, at 22491. In ARP II, the 
Commission also explained that, in its view, ``a critical element to 
the success of the capacity planning and testing, security 
assessment and contingency planning processes for [automated] 
systems is obtaining an objective review of those planning processes 
by persons independent of the planning process to ensure that 
adequate controls and procedures have been developed and 
implemented.'' Id.
---------------------------------------------------------------------------

    While the SCI review requirement in Rule 1003 is based on the ARP 
review and report, a greater number of automated systems meeting the 
definition of SCI system or indirect SCI system would be subject to the 
SCI review requirements because the scope of Regulation SCI expands 
upon the current ARP Inspection Program. The Commission notes that the 
SCI review is not a substitute for inspections and

[[Page 72346]]

examinations conducted by Commission staff, and therefore SCI entities 
should expect that technology systems inspections and examinations will 
continue following the adoption of Regulation SCI. Along with 
notifications of material systems changes under adopted Rule 1003(a) 
and SCI event notifications pursuant to adopted Rule 1002(b), one 
purpose of SCI reviews will be to aid the Commission and its staff in 
understanding the operations and risks associated with the applicable 
systems of an SCI entity.
    In addition, as noted above, one commenter, in seeking further 
clarity on the scope of the SCI review requirement, suggested that the 
Commission take an ``agreed upon approach'' which would outline more 
specific review objectives and procedures that would be performed by 
the objective reviewer. The Commission believes that an SCI entity 
should have the ability to design the specific parameters of an SCI 
review within the confines of the general framework of the rule, 
including identifying its own review objectives and procedures, given 
the SCI entity's in-depth knowledge of, and familiarity with, its own 
systems and their attendant risks. As such, the adopted rule is 
designed to provide a general framework for the scope of the SCI review 
by specifying that the review must include a risk assessment of SCI 
systems and indirect SCI systems and an assessment of the internal 
control design and effectiveness of its systems in certain areas.\1097\ 
At the same time, the rule provides flexibility by permitting the 
review to be conducted ``following established procedures and 
standards,'' which would be identified and established by the SCI 
entity itself.\1098\
---------------------------------------------------------------------------

    \1097\ See adopted Rule 1000 (defining ``SCI review'').
    \1098\ See id.
---------------------------------------------------------------------------

    Some commenters expressed views on the provisions requiring SCI 
entities to submit reports of the SCI review to senior management of 
the SCI entity and to the Commission. Specifically, two commenters 
supported the proposed requirement that reports of the SCI review be 
submitted to senior management of the SCI entity no later than 30 days 
after completion of the SCI review.\1099\ One commenter urged that 
senior management of an SCI entity certify the report before it is 
submitted to the Commission in order to promote accountability at the 
highest ranks of the SCI entity.\1100\ Another commenter believed that 
45 days for submission of such reports to senior management would be 
more appropriate as a target timeframe given the complexity of the 
issues addressed in an SCI review, and that should this target fail to 
be met, the Board of Directors Audit Committee (or similar governing 
body) should be informed of the reason therefor.\1101\ Two commenters 
recommended that the distribution cycle within proposed Rule 
1000(b)(8)(i) be modified so that individual, focused audit reports 
resulting from rotational reviews could be bundled and distributed to 
the Commission on a regular basis (semi-annually or quarterly).\1102\
---------------------------------------------------------------------------

    \1099\ See MSRB Letter at 23; and FIF Letter at 6.
    \1100\ See Better Markets Letter at 6.
    \1101\ See DTCC Letter at 17.
    \1102\ See OCC Letter at 19; and DTCC Letter at 17.
---------------------------------------------------------------------------

    The Commission does not believe that it is necessary to require 
senior management certification of the report of the SCI review, as 
suggested by one commenter.\1103\ Adopted Rules 1003(b)(2)-(3) require 
that the SCI entity submit a report of the SCI review to senior 
management of the SCI entity no more than 30 calendar days after 
completion of such SCI review, and that the SCI entity submit a report 
of the SCI review, together with any response by senior management, to 
the Commission and the board of directors of the SCI entity or the 
equivalent of such board within 60 calendar days after its submission 
to senior management. Because reports of SCI reviews and any responses 
by senior management are required to be filed using Form SCI under the 
Exchange Act and Regulation SCI, it is unlawful for any person to 
willfully or knowingly make, or cause to be made, a false or misleading 
statement with respect to any material fact in such reports or 
responses.\1104\
---------------------------------------------------------------------------

    \1103\ See supra note 1100 and accompanying text.
    \1104\ See, e.g., Section 32(a) of the Exchange Act, 15 U.S.C. 
78ff(a).
---------------------------------------------------------------------------

    The Commission recognizes that senior management certifications are 
used in other regulatory contexts, including in some Commission rules 
and regulations.\1105\ However, at this time, the Commission believes 
that, in light of the other requirements for an SCI entity, the goals 
of Regulation SCI can be achieved without the imposition of an 
additional requirement on SCI entities for senior management 
certification. Specifically, the Commission believes that the adopted 
requirements promote the responsibility and accountability of senior 
management of an SCI entity by helping to ensure that senior management 
receives and reviews reports of SCI reviews, is made aware of issues 
relating to compliance with Regulation SCI, and is encouraged to 
promptly establish plans for resolving such issues.
---------------------------------------------------------------------------

    \1105\ See, e.g., 17 CFR 240.15c3-5(e)(2) (chief executive 
officer certification under the Market Access Rule); and 17 CFR 
240.13a-14 (principal executive and principal financial officer 
certification of disclosure in annual and quarterly reports).
---------------------------------------------------------------------------

    The Commission is also adopting a definition of ``senior 
management'' in Rule 1000 to make clear which individuals at an SCI 
entity must receive and review the report of the SCI review. The 
Commission believes that, in the context of the SCI review requirement, 
senior management should not be limited to a single individual or 
officer of an SCI entity. Thus, ``senior management,'' for purposes of 
adopted Rule 1003(b) is defined as an SCI entity's Chief Executive 
Officer, Chief Technology Officer, Chief Information Officer, General 
Counsel, and Chief Compliance Officer, or the equivalent of such 
employees or officers of an SCI entity. The Commission believes that, 
in order to achieve the goals of the rule to promote increased 
awareness and oversight of the technology infrastructure at an SCI 
entity by its most senior employees and officers, it is important that 
the SCI entity's senior management team receive and carefully review 
reports of SCI reviews. The Commission believes that these employees 
and officers, or their functional equivalent, represent the executive, 
technology, legal, and compliance functions that are necessary to 
effectively review the reports of SCI reviews. The Commission also 
believes that awareness by an SCI entity's senior management of SCI 
reviews and issues with Regulation SCI compliance should help to 
promote a focus by senior management on such reviews and issues, 
enhance communication and coordination regarding such reviews and 
issues among business, technology, legal, and compliance personnel, 
and, in turn, strengthen the capacity, integrity, resiliency, and 
availability of the systems of SCI entities. To help ensure that 
persons at the highest levels of an SCI entity are made aware of any 
issues raised in the SCI review, the Commission is also adopting a 
requirement for each SCI entity to submit to its board of directors or 
the equivalent of such board a report of the SCI review and any 
response by senior management within 60 calendar days after the 
submission of the report to senior management of the SCI entity.
    With regard to one commenter's suggestion that SCI entities should 
be given 45 days rather than 30 days to submit the report of the SCI 
review to senior management (and that it should be only a target 
timeframe rather than a

[[Page 72347]]

requirement),\1106\ the Commission notes that the 30-day timeframe is 
based on the Commission's experience with the current ARP Inspection 
Program that an ARP entity is able to consider the review and prepare a 
report for senior management consideration prior to the submission to 
the Commission.\1107\ The Commission acknowledges that a greater number 
of systems will be subject to the SCI review requirement than the 
current ARP Inspection Program given the definitions of SCI system and 
indirect SCI system,\1108\ and that the issues addressed in an SCI 
review may be complex. However, the Commission notes that the adopted 
timeframe, while based on experience with the current ARP Inspection 
Program, also takes into account these factors.\1109\ Further, the 
Commission believes that the complexity of the issues presented during 
an SCI review would more likely affect the timing of conducting and 
completing the SCI review, rather than the timing for submitting a 
report of the review to senior management. The Commission, therefore, 
continues to believe that this requirement is appropriate. The 
Commission also notes that the requirement to submit the annual report 
to the Commission within 60 calendar days after its submission to 
senior management is similarly based on the Commission's experience 
with the ARP Inspection Program that this time period is a sufficient 
period to enable senior management to consider such review or report 
before submitting it to the Commission.\1110\ Because an SCI entity 
will already have prepared the report and any response by senior 
management for filing with the Commission, the Commission believes that 
an SCI entity will not need significant additional time to submit the 
same report and response to its board of directors or the equivalent of 
such board.
---------------------------------------------------------------------------

    \1106\ See supra note 1101 and accompanying text.
    \1107\ See Proposing Release, supra note 13, at 18123.
    \1108\ The Commission also notes, however, that as discussed 
above, the scope of systems subject to Regulation SCI has been 
refined from what was proposed.
    \1109\ The Commission notes that, while the ARP II Release 
recommended that an SRO's independent review should result in the 
presentation of a report to senior SRO management on the 
recommendations and conclusions of the independent review and such 
report should be made available to Commission staff, it did not 
provide recommended time periods for the submission of such reports. 
See ARP II Release, supra note 1. The adopted 30-day time period is 
based on experience with the ARP Inspection Program, as well as a 
consideration of the scope of the review required under Regulation 
SCI.
    \1110\ See Proposing Release, supra note 13, at 18124.
---------------------------------------------------------------------------

    Contrary to the suggestion of some commenters, the Commission does 
not believe it is appropriate to allow an SCI entity to delay the 
submission of SCI review reports to the Commission in order to bundle 
several reports together and submit them on a quarterly or semi-annual 
basis. Rather, the Commission believes that it is important to receive 
such reports in a timely manner after completion of the SCI review, so 
that the Commission is made aware of potential areas of weakness in an 
SCI entity's systems that may pose risk to the entity or the market as 
a whole, as well as areas of non-compliance with the provisions of 
Regulation SCI, without undue delay.
    With respect to clearing agencies, two commenters noted that the 
SCI review requirement potentially might overlap with staff guidance 
for clearing agencies that calls for an annual report on internal 
controls and recommended that the Commission consider further 
coordination on potential redundancies.\1111\ The Commission notes that 
the section in the guidance provided in the Announcement for Standards 
for the Registration of Clearing Agencies referenced by commenters is 
distinct from the adopted SCI review requirement, as such section in 
the guidance relates to the review and evaluation of clearing agencies' 
accounting controls.\1112\ In contrast, the SCI review requirement 
involves a risk assessment and assessment of internal control design 
and effectiveness of all of an SCI entity's SCI systems and indirect 
SCI systems.
---------------------------------------------------------------------------

    \1111\ See OCC Letter at 19-20; and DTCC Letter at 18 (citing 
Securities Exchange Act Release No. 16900, 45 FR 41920, available 
at: http://sec.gov/rules/other/34-16900.pdf).
    \1112\ See Securities Exchange Act Release No. 16900 (June 17, 
1980), 45 FR 41920 (June 23, 1980).
---------------------------------------------------------------------------

    Finally, it should be noted that the required review and timely 
reporting to the Commission will enable the Commission and Commission 
staff to monitor the quality of compliance with Regulation SCI, 
thoroughness and robustness of SCI reviews, and the responses of senior 
management to such reviews. Accordingly, the Commission will be in a 
position to consider enhancing these regulatory requirements in the 
future, if necessary.
6. SCI Entity Business Continuity and Disaster Recovery Plans Testing 
Requirements for Members or Participants--Rule 1004
    Adopted Rule 1004 addresses testing of SCI entity business 
continuity and disaster recovery plans, including backup systems, by 
SCI entity members or participants. Rule 1004 corresponds to proposed 
Rule 1000(b)(9), and is adopted with certain modifications in response 
to comment, as discussed below.
a. Proposed Rule 1000(b)(9)
    Proposed Rule 1000(b)(9)(i) required each SCI entity, with respect 
to its BC/DR plans, to require participation by designated members or 
participants in scheduled functional and performance testing of the 
operation of such plans, in the manner and frequency specified by the 
SCI entity, at least once every 12 months. Proposed Rule 1000(b)(9)(ii) 
further required each SCI entity to coordinate the testing of such 
plans on an industry- or sector-wide basis with other SCI entities. 
Proposed Rule 1000(b)(9)(iii) would have additionally required each SCI 
entity to designate those members or participants it deems necessary, 
for the maintenance of fair and orderly markets in the event of the 
activation of its BC/DR plans, to participate in the testing of such 
plans, and notify the Commission of such designations and its standards 
for such designation on Form SCI.
b. Comments and Commission Response
    The Commission received significant comment on proposed Rule 
1000(b)(9) and is adopting it with revisions, as Rule 1004. As more 
fully discussed below, the adopted rule requires designation of a more 
limited set of SCI entity members and participants for mandatory 
participation in BC/DR testing than the proposed rule. Further, the 
adopted rule does not require an SCI entity to file designation 
standards or member/participant designations with the Commission on 
Form SCI, as was proposed, but instead an SCI entity must keep records 
of its standards and designations. The scope, frequency, and 
coordination aspects of the proposed rule are adopted as proposed.
i. Mandatory BC/DR Testing Generally
    Some commenters expressed general support for the goals of proposed 
Rule 1000(b)(9).\1113\ One commenter in particular stated that ``[i]t 
is vital that as many firms as possible participate in [market-wide] 
testing with conditions as realistic as possible.'' \1114\ According to 
this commenter, broader mandatory participation in testing would be 
``one of the most valuable parts of Regulation SCI and will do the most 
to ensure improved market network reliability.'' \1115\ Another 
commenter

[[Page 72348]]

expressed support for broad participation in BC/DR testing, but also 
expressed concern that the testing requirement would put SCI entities 
at a competitive disadvantage versus non-SCI entities.\1116\
---------------------------------------------------------------------------

    \1113\ See, e.g., Angel Letter at 9; UBS Letter at 4-5; and FIF 
Letter at 6-7.
    \1114\ See Angel Letter at 9.
    \1115\ See id. at 10.
    \1116\ See FIF Letter at 7.
---------------------------------------------------------------------------

    Several commenters objected to the proposed mandatory testing 
requirement for SCI ATSs.\1117\ For example, two commenters suggested 
that few ATSs are critical enough to warrant inclusion in the proposed 
mandatory testing requirement.\1118\ One commenter urged that only SCI 
entities that provide market functions on which other market 
participants depend be subject to the requirements for separate backup 
and recovery capabilities.\1119\ Another commenter stated that the 
added benefit of requiring fully redundant backup systems is almost 
impossible to measure while the cost of implementation is significant, 
and added further that fully redundant systems and increased testing do 
not guarantee a flawless backup plan.\1120\
---------------------------------------------------------------------------

    \1117\ See SIFMA Letter at 17; BIDS Letter at 8; and ITG Letter 
at 15.
    \1118\ See BIDS Letter at 5, 8; and ITG Letter at 15.
    \1119\ See KCG Letter at 8.
    \1120\ See Group One Letter at 3.
---------------------------------------------------------------------------

    Two commenters stated that the current voluntary coordinated 
testing organized by SIFMA \1121\ already attracts significant 
participation without any mandate in place.\1122\ However, a different 
commenter noted the difficulties it has encountered in fostering 
participation in its voluntary disaster recovery exercises, and stated 
that, despite encouraging users to participate in its disaster recovery 
exercises, participation levels were only 20 percent of its targeted 
high volume client base.\1123\ One commenter sought clarification on 
whether the requirements of proposed Rule 1000(b)(9) would apply only 
to trading and clearance systems, or would extend to other SCI systems 
as well.\1124\ Two commenters asked whether third parties that perform 
critical market functions for an SCI entity, such as data vendors and 
service bureaus, would be subject to the proposed requirement.\1125\ 
One commenter stated that testing by an SCI entity of its business 
continuity capabilities should not be required to be coordinated with 
members.\1126\ According to this commenter, ``[t]he entire point of 
[business continuity plan testing] would be to not coordinate it with 
customers, and assess whether operations out of [backup] facilities was 
seamless to members and other market participants.'' \1127\ One 
commenter stated that it would be more appropriate for SCI entities' 
members and participants to be responsible for their own business 
continuity plans and testing.\1128\ The Commission has carefully 
considered commenters' views on the need for all SCI entities to be 
subject to the proposed mandatory testing requirement. The Commission 
continues to believe that adopted Rule 1004 should apply to all SCI 
entities.
---------------------------------------------------------------------------

    \1121\ SIFMA organizes an annual industry-wide testing exercise 
for firms and exchanges to submit and process test orders using 
their backup facilities. Participation is voluntary. See http://www.sifma.org/services/bcp/industry-testing/.
    \1122\ See CME Letter at 13; and Tellefsen Letter at 7-8.
    \1123\ See Omgeo Letter at 26 (noting also that it lacks the 
ability to require participation by its clients).
    \1124\ See FINRA Letter at 37.
    \1125\ See FINRA Letter at 39; and MSRB Letter at 25.
    \1126\ See Direct Edge Letter at 9.
    \1127\ See id.
    \1128\ See SIFMA Letter at 17. In addition, some commenters 
believed that ATSs should be excluded from requiring members or 
participants to test, given that ATSs and their broker-dealer 
participants are already subject to FINRA Rule 4370, which relates 
to BC/DR plans. See FIA PTG Letter at 5; and BIDS Letter at 9.
---------------------------------------------------------------------------

    Whereas adopted Rule 1001(a)(2)(v) requires that each SCI entity's 
policies and procedures include BC/DR plans and specifies recovery 
goals and geographic diversity requirements for such plans,\1129\ 
adopted Rule 1004 sets forth certain minimum requirements for SCI 
entity testing of its BC/DR plans. Adopted Rule 1004, like proposed 
Rule 1000(b)(9), aims to reduce the risks associated with an SCI 
entity's decision to activate its BC/DR plans and help to ensure that 
such plans operate as intended, if activated, by requiring that an SCI 
entity include participation by certain members and participants in 
testing of the SCI entity's BC/DR plans. Although some commenters, 
including several ATSs, argued that ATSs should be excluded from 
requiring members or participants to test because, according to these 
commenters, ATSs are less critical to the orderly functioning of the 
markets than other SCI entities,\1130\ the Commission believes that 
eliminating any category of SCI entity--including SCI ATSs--from the 
testing requirement would undermine the goal of maintaining fair and 
orderly markets in the wake of a wide-scale disruption, and assuring 
the smooth and effective implementation of an SCI entity's BC/DR 
plans.\1131\ The Commission continues to believe that a testing 
participation requirement will help an SCI entity to ensure that its 
efforts to develop effective BC/DR plans are not undermined by a lack 
of participation by members or participants that the SCI entity 
believes are necessary to the successful activation of such 
plans.\1132\ As stated in the SCI Proposal, the Commission believes 
that a factor in the shutdown of the equities and options markets in 
the wake of Superstorm Sandy was the exchanges' belief regarding the 
inability of some market participants to adequately operate from the 
backup facilities of all market centers.\1133\ And, although testing 
protocols were in place and the chance to participate in such testing 
was available, the member participation rate was low.\1134\ The 
Commission does not agree with comments that seamless operation of 
backup facilities should not require coordination of testing, or that 
the fact that members and participants have their own BC/DR plans and 
testing means that they should not be required, if designated, to 
participate in the testing of an SCI entity's BC/DR plans.\1135\ The 
Commission continues to believe that testing of the effectiveness of 
back-up arrangements in recovering from a wide-scale disruption is a 
sound principle, and that, without the participation of significant 
members or participants of SCI entities, the effectiveness of such 
testing could be

[[Page 72349]]

undermined. Based on its experience with the ARP Inspection Program, 
the Commission understands that many SCI entities have already made 
significant investments in their backup facilities.\1136\ The 
Commission believes that the requirements of Rule 1004 will help to 
ensure that such facilities will be effective in the event they are 
needed.\1137\
---------------------------------------------------------------------------

    \1129\ See supra Section IV.B.1.b (discussing the requirement 
that an SCI entity have reasonable policies and procedures that 
include business continuity and disaster recovery plans that include 
maintaining backup and recovery capabilities sufficiently resilient 
and geographically diverse and that are reasonably designed to 
achieve next business day resumption of trading and two-hour 
resumption of critical SCI systems following a wide-scale 
disruption).
    \1130\ See supra note 1118 and accompanying text.
    \1131\ See supra Section IV.A.1 (discussing the Commission's 
rationale for adopting the definition of SCI entity as proposed). 
See supra Section IV.B.1.b (discussing the BC/DR requirements in 
Rule 1001(a)(2)(v) for SCI entities). See also infra Sections 
VI.C.1.c and VI.C.2.b.vii (discussing competitive concerns raised by 
requiring SCI entities to require members or participants to 
participate in the SCI entities' BC/DR testing).
    \1132\ See Proposing Release, supra note 13, at 18125.
    \1133\ See id. at 18158. See also id. at 18091. The Commission 
notes that its basis for adopting a mandatory testing rule is 
independent of whether the market closures in the wake of Superstorm 
Sandy were appropriate to protect the health and safety of exchange 
personnel.
    \1134\ See id. at 18158 and text accompanying n. 83 at 18091. In 
addition, based on the discussions of Commission staff with market 
participants in the months following Superstorm Sandy, the 
Commission understands that many market participants had previously 
engaged in connectivity testing with backup facilities, and yet 
remained uncomfortable about switching over to the use of backup 
facilities in advance of the storm.
    \1135\ Nor does the Commission agree that Rule 1004 would be 
duplicative of FINRA Rule 4370, as Rule 1004 relates to 
participation by members or participants in the testing of an SCI 
entity's business continuity plans, whereas FINRA Rule 4370 relates 
to the testing of the member's or participant's own business 
continuity plan. See supra note 539 and accompanying text.
    \1136\ See infra Section VI.B.2 (stating that nearly all 
national securities exchanges already have backup facilities that do 
not rely on the same infrastructure components as those used by 
their primary facility).
    \1137\ See 2003 BCP Policy Statement, supra note 512, at 56658 
(stating: ``The effectiveness of back-up arrangements in recovering 
from a wide-scale disruption should be confirmed through 
testing.''). See also Interagency White Paper, supra note 512, at 
17811 (identifying ``a high level of confidence, through ongoing use 
or robust testing, that critical internal and external continuity 
arrangements are effective and compatible'' as one of three 
important business continuity objectives). See also supra Section 
IV.B.1.b (discussing adopted Rule 1001(a)(2)(v)).
---------------------------------------------------------------------------

    In response to commenters who questioned the need for mandatory 
participation by SCI entity members and participants,\1138\ the 
Commission believes that current voluntary industry-led testing has 
been useful because it annually brings together a wide variety of 
market participants, including many SCI entities, and involves a range 
of asset classes.\1139\ The current industry-led testing program 
coordinated by SIFMA therefore could provide a foundation for the 
development of the testing required by Rule 1004. However, because 
participation rates by members and participants in voluntary testing 
generally have been low, the Commission believes that a mandatory 
participation requirement is the best means to achieve effective and 
coordinated BC/DR testing with assured participation by the more 
significant SCI entity members and participants.\1140\ In addition, 
although the Commission generally agrees with the comment that ``[i]t 
is vital that as many firms as possible participate in [market-wide] 
testing with conditions as realistic as possible,'' \1141\ because of 
the burden and costs of requiring participation by all SCI entity 
members and participants, regardless of their market significance, the 
Commission believes it is appropriate to adopt a more measured approach 
to mandatory participation in BC/DR testing.\1142\ The Commission is 
therefore adopting a BC/DR testing designation requirement that applies 
to all SCI entities, but does not apply to all members and participants 
of SCI entities, as discussed below.\1143\
---------------------------------------------------------------------------

    \1138\ See supra notes 1117-1122 and accompanying text.
    \1139\ See http://www.sifma.org/services/bcp/industry-testing/ 
(in which SIFMA describes its BC/DR test held annually in 
October, which includes asset classes such as commercial paper, 
equities, options, futures, fixed-income, settlement, payments, 
Treasury auctions and market data).
    \1140\ See supra note 1123 (noting Omgeo's comment that 
voluntary participation levels are low). See also Proposing Release, 
supra note 13, at 18091, n. 83 and accompanying text (noting that 
press reports indicated that a large number of NYSE members did not 
participate in NYSE's contingency plan testing that occurred seven 
months prior to Superstorm Sandy).
    \1141\ See supra note 1114 and accompanying text.
    \1142\ In addition, because the Commission recognizes that the 
coordination of such testing is complex and time-consuming, it has 
provided for a compliance date for the coordination requirement of 
Rule 1004(d) that is 12 months after the compliance date required 
for other provisions of Regulation SCI. See Section IV.F.
    \1143\ In response to commenters seeking clarification on the 
types of systems that would be subject to the mandatory testing 
requirement (see supra notes 1124-1125 and accompanying text), 
because the required testing is BC/DR testing, all systems necessary 
for an SCI entity to successfully activate its BC/DR plan would be 
included.
---------------------------------------------------------------------------

ii. SCI Entity Designation of Members or Participants for Participation 
in BC/DR Testing--Rules 1004(a)-(c)
    Several commenters raised concerns about the proposed requirement 
that SCI entities exercise discretion to designate members or 
participants for participation in coordinated BC/DR testing under 
proposed Rule 1000(b)(9).\1144\ After careful consideration of the 
views of commenters, the Commission is adopting the requirement that 
SCI entities designate certain members or participants to participate 
in testing BC/DR plans with certain modifications from the proposal. As 
proposed, the rule would have required each SCI entity to designate 
those members or participants it ``deems necessary, for the maintenance 
of fair and orderly markets in the event of the activation of its 
business continuity and disaster recovery plans . . .'' The Commission 
has determined instead to require that each SCI entity designate those 
members or participants ``that the SCI entity reasonably determines 
are, taken as a whole, the minimum necessary for the maintenance of 
fair and orderly markets in the event of the activation of such 
plans.'' This change is broadly consistent with the suggestion of one 
commenter to revise the criteria for designation to those firms 
``critical to the operation of the SCI entity.'' \1145\ However, the 
Commission believes that the adopted standard is more appropriate in 
that it focuses on the ability of the SCI entity to maintain fair and 
orderly markets under its BC/DR plan.\1146\
---------------------------------------------------------------------------

    \1144\ See NYSE Letter at 33; FIF Letter at 6-7; Omgeo Letter at 
26; Fidelity Letter at 6; and Angel Letter at 10.
    \1145\ See ISE Letter at 9.
    \1146\ As discussed more fully in Section IV.B.6.b.iv infra, the 
Commission also believes that the adopted standard could, but would 
be unlikely to, cause members or participants to elect to withdraw 
from participation in an SCI entity (particularly a smaller SCI 
entity) to save on the cost of connectivity fees.
---------------------------------------------------------------------------

    Several commenters suggested eliminating SCI entity discretion and 
setting forth in the rule clear, objective criteria (such as trading 
volume) for which members or participants would be required to 
participate in testing.\1147\ One commenter suggested that the 
Commission require that all members or participants that represent a 
meaningful percentage of the volume in the marketplace participate in 
the testing in order to capture the more significant market 
participants, while recognizing the financial burden such testing may 
pose for smaller entities.\1148\ This commenter believed that giving 
discretion to SCI entities in this area might lead to regulatory 
arbitrage and a race to the bottom regarding how many and which members 
or participants are designated to participate in testing.\1149\ On the 
other hand, another commenter stated that the discretion 
contemplated by the proposal keeps the rule flexible enough to 
accommodate SCI entities conducting a diverse range of business 
activities.\1150\ This commenter also suggested that SCI entities 
should not be required to report to the Commission who they have 
designated to test, and instead should only be required to keep a 
record of who they have designated.\1151\
---------------------------------------------------------------------------

    \1147\ See NYSE Letter at 33; Omgeo Letter at 26; Angel Letter 
at 10; and FIF Letter at 6.
    \1148\ See NYSE Letter at 33.
    \1149\ See NYSE Letter at 33.
    \1150\ See CME Letter at 12.
    \1151\ See id. at 13.
---------------------------------------------------------------------------

    In response to commenters who were concerned about the 
discretionary aspect of the designation requirement,\1152\ the 
Commission believes the SCI entity is in the best position to determine 
which of its members or participants collectively represent sufficient 
liquidity for the SCI entity to maintain fair and orderly markets in a 
BC/DR scenario following a wide-scale disruption. The Commission 
believes such determinations require the exercise of reasonable 
judgment by each SCI entity, and are not well-suited for a ``one-size-
fits-all'' objective measure determined by the Commission. For example, 
if the Commission were to establish an objective measure (e.g., based 
on a specified percentage of trading volume),

[[Page 72350]]

it might represent a meaningful percentage for some SCI entities, but 
not for others. Thus, the rule requires that each SCI entity establish 
standards for the designation of those members or participants that the 
SCI entity ``reasonably'' determines are, taken as a whole, the minimum 
necessary for the maintenance of fair and orderly markets in the event 
of the activation of its BC/DR plans. This adopted provision is in lieu 
of the proposed requirement, which would have required an SCI entity to 
designate those members or participants it ``deems necessary'' for the 
maintenance of fair and orderly markets in the event of the activation 
of its BC/DR plans. Because the adopted rule requires an SCI entity's 
determination to be reasonable, it provides some degree of flexibility 
to SCI entities but also imposes a check on SCI entity discretion, 
which the Commission believes should help prevent an SCI entity's 
designations from being overly limited. In response to concerns that a 
discretionary designation requirement would lead to regulatory 
arbitrage and a race to the bottom regarding how many and which members 
or participants are designated to participate in testing, the 
Commission believes that this is unlikely to occur because each SCI 
entity will be subject to the same requirement and will be required to 
make a reasonable determination that the designated members or 
participants are those that are the minimum necessary for it to 
maintain fair and orderly markets in the event of activation of its BC/
DR plans. Further, the Commission believes that broad participation in 
BC/DR testing will enhance the utility of the testing, and that 
allowing non-designated members or participants the opportunity to 
participate in such testing generally will further this goal. 
Therefore, the Commission encourages SCI entities to permit non-
designated members or participants to participate in the testing of the 
SCI entity's BC/DR plans if they request to do so.
---------------------------------------------------------------------------

    \1152\ See supra notes 1144, 1147-1149 and accompanying text.
---------------------------------------------------------------------------

    Consistent with the recommendation of one commenter, however, the 
Commission has determined not to require that each SCI entity notify 
the Commission of its designations and its standards for designation on 
Form SCI as proposed. Instead, an SCI entity's standards, designations, 
and updates, if applicable, would be part of its records and therefore 
available to the Commission and its staff upon request.\1153\ Unlike de 
minimis systems disruptions and de minimis systems intrusions, which 
may occur with regularity (and for which a quarterly summary report 
would aid Commission oversight of systems whose proper functioning is 
central to the maintenance of fair and orderly markets), the 
establishment of standards for designation, the designations 
themselves, and updates to such standards or designations are likely to 
occur less frequently. Thus, the Commission believes it is sufficient 
for the Commission to review records relating to such designations when 
the Commission determines that it is necessary to do so to fulfill its 
oversight role, such as during its examination of an SCI entity.\1154\ 
More broadly, the Commission believes this revision is generally 
consistent with modifications that the Commission has made in response 
to comment that proposed Regulation SCI would have required unnecessary 
and burdensome notice and reporting submissions.
---------------------------------------------------------------------------

    \1153\ See infra Section IV.C.1 (discussing SCI entity 
recordkeeping requirements).
    \1154\ See supra Sections IV.A.3 and IV.B.3.c (discussing the 
rationale for quarterly reporting of de minimis systems disruptions 
and de minimis systems intrusions).
---------------------------------------------------------------------------

    Some commenters questioned whether many SCI entities, particularly 
non-SROs and ATSs, have the authority to require their members or 
participants to participate in such testing.\1155\ Another commenter 
more generally stated that it was unclear how an SCI entity could 
enforce a requirement that its customers engage in BC/DR testing.\1156\ 
In response to these comments, the Commission believes that SCI SRO 
rulemaking authority and non-SRO contractual arrangements would enable 
SCI entities to implement this requirement.\1157\ Specifically, SROs 
have the authority, and legal responsibility, under Section 6 of the 
Exchange Act, to adopt and enforce rules (including rules to comply 
with Regulation SCI's requirements relating to BC/DR testing) 
applicable to their members or participants that are designed to, among 
other things, foster cooperation and coordination with persons engaged 
in regulating, clearing, settling, processing information with respect 
to, and facilitating transactions in securities, to remove impediments 
to and perfect the mechanism of a free and open market and a national 
market system, and, in general, to protect investors and the public 
interest.\1158\ Further, SCI entities that are not SROs have the 
ability to include provisions in their contractual agreements with 
their participants (such as their subscriber or participant agreements) 
requiring such parties to engage in BC/DR testing.
---------------------------------------------------------------------------

    \1155\ See Omgeo Letter at 26; MSRB Letter at 24; BIDS Letter at 
8; LiquidNet Letter at 4; and SIFMA Letter at 17. See also ITG 
Letter at 15-16.
    \1156\ See SIFMA Letter at 17-18 (suggesting that the Commission 
instead adopt a ``BCP testing requirement more akin to the `best 
practices' described in the Interagency White Paper'').
    \1157\ While some designated members or participants of SCI 
entities might choose to withdraw from membership or participation 
in an SCI entity if they assess the cost of participating in BC/DR 
testing to be too great, the Commission believes that other aspects 
of their involvement with the SCI entity, including an interest in 
maintaining a profitable business relationship, will factor 
significantly into any decision regarding their continued membership 
or participation in the SCI entity. See also infra Sections VI.C.1.c 
and VI.C.2.b.vii (discussing competition between SCI entities and 
non-SCI entities in relation to the requirements under Rule 1004).
    \1158\ See Section 6 of the Exchange Act, 15 U.S.C. 78f.
---------------------------------------------------------------------------

    Other commenters focused on the potential impact of the rule on the 
members or participants designated to participate in testing. One 
commenter pointed out that, without clearly defined industry level 
coordination, some members or participants may be overburdened by being 
subject to multiple individual tests with various SCI entities.\1159\ 
Another commenter asked the Commission to clarify what the obligation 
is for firms that are members or participants at multiple SCI 
entities.\1160\ Several commenters expressed concern that the 
Commission underestimated the costs and burdens of the proposed 
testing.\1161\ According to some of these commenters, under the 
proposal, certain firms, such as market makers and other firms 
performing important market functions, could be required to maintain 
connections to the backup sites of a number of SCI entities, at 
significant cost.\1162\ A group of commenters requested that the scope 
be targeted to only cover those instances in which an SCI entity 
determines to enact its disaster recovery plans.\1163\ One commenter 
agreed that the designation requirement could be relaxed and still 
achieve the provision's aim, because the bulk of the liquidity at a 
market center is provided by a small number of firms.\1164\ Another 
commenter asked the Commission to give designated firms the

[[Page 72351]]

ability to opt-out if they have a good reason.\1165\
---------------------------------------------------------------------------

    \1159\ See OCC Letter at 18.
    \1160\ See DTCC Letter at 13.
    \1161\ See FINRA Letter at 37-39; OCC Letter at 18; Fidelity 
Letter at 6; Joint SROs Letter at 15-16; ISE Letter at 9; and Group 
One Letter at 3. See also infra Section VI (discussing the costs and 
burdens of the requirement, including the costs for members or 
participants to participate in BC/DR testing).
    \1162\ See FINRA Letter at 37-39; OCC Letter at 18; and Fidelity 
Letter at 6 (expressing concern an SCI entity might cast a wide net 
with its designation powers to include more firms than necessary).
    \1163\ See Joint SROs Letter at 16 (noting the complexity of 
testing a scenario in which a market participant may have enacted 
its business continuity plan but can still access an SCI entity 
through the primary facility).
    \1164\ See Tellefsen Letter at 9.
    \1165\ See Fidelity Letter at 6.
---------------------------------------------------------------------------

    The Commission believes that adoption of a more focused designation 
requirement that requires SCI entities to exercise reasonable 
discretion to identify those members or participants that, taken as a 
whole, are the ``minimum necessary'' for the maintenance of fair and 
orderly markets in the event of the activation of such plans is likely 
to result in a smaller number of SCI entity members or participants 
being designated for participation in testing as compared to the SCI 
Proposal. Because the Commission believes that SCI entities have an 
incentive to limit the imposition of the cost and burden associated 
with testing to the minimum necessary to comply with the rule, it also 
believes that, given the option, most SCI entities would, in the 
exercise of reasonable discretion, prefer to designate fewer members or 
participants to participate in testing than to designate more. On 
balance, the Commission believes that the adopted rule will incentivize SCI 
entities to designate those members and participants that are in fact 
the minimum necessary for the maintenance of fair and orderly markets 
in the event of the activation of their BC/DR plans, and that this 
should reduce the number of designations to which any particular member 
or participant would be subject, as compared to the SCI Proposal, and 
would potentially simplify efforts for SCI entities to coordinate BC/DR 
testing, as required by adopted Rule 1004(d). Despite the modifications 
from the proposal, it remains possible, as some commenters noted, that 
firms that are members of multiple SCI entities will be the subject of 
multiple designations, and that multiple designations could require 
certain firms to maintain connections to and participate in testing of 
the backup sites of multiple SCI entities. The Commission believes this 
possibility, though real, may be mitigated by the fact that multiple 
designations are likely to be made to firms that are already connected 
to one or more SCI entity backup facilities, since they represent 
significant members or participants of the applicable SCI entities; and 
that, because some SCI entity backup facilities are located in close 
proximity to each other, multiple connections to such backup facilities 
may be less costly than if SCI entity backup facilities were not so 
located. The Commission recognizes that there will be greater costs to 
a firm being designated by multiple SCI entities to participate in the 
testing of their BC/DR plans than to a firm designated by only one SCI 
entity. However, the Commission believes that these greater costs are 
warranted for such firms, as they represent significant participants in 
each of the SCI entities for which they are designated, and their 
participation in the testing of each such SCI entity's BC/DR plans is 
necessary to evaluate whether such plans are reliable and effective. 
The designation of a firm to participate in the BC/DR testing of an SCI 
entity means that such firm is significant, as the SCI entity has 
reasonably determined it to be included in the set of its members or 
participants that is, ``taken as a whole, the minimum necessary for the 
maintenance of fair and orderly markets in the event of the activation 
of such plans.'' Nonetheless, the Commission acknowledges that there 
may be instances in which an SCI entity has reasonably designated a 
firm to participate in BC/DR testing, and the firm is unwilling to bear 
the cost of participation in BC/DR testing with a given SCI entity. In 
such instances, there may be firms that opt out of such testing by 
withdrawing as a member or subscriber of one or more SCI entities, but 
the Commission believes that is unlikely. In particular, the Commission 
believes that it is unlikely that a firm determined to be significant 
enough to be designated to participate in testing by an SCI entity 
would choose to withdraw its membership or participation in an SCI 
entity solely because of the costs and burdens of Regulation SCI's BC/
DR testing provisions. The Commission also believes that such firm is 
likely to be a larger firm with greater resources and a significant 
level of participation in such SCI entity, and is likely to already be 
connected to the backup facility of the SCI SRO that is designating it 
to test.\1166\ Moreover, the Commission does not agree with the 
suggestion made by one commenter that the Commission give designated 
firms the ability to ``opt-out'' if they have a good reason,\1167\ 
because the ability to opt-out in this manner would render 
participation in BC/DR testing voluntary which, as discussed above, is 
unlikely to result in adequate BC/DR testing.\1168\ The Commission 
continues to believe, as stated in the SCI Proposal, that ``unless 
there is effective participation by certain of its members or 
participants in the testing of [BC/DR] plans, the objective of ensuring 
resilient and available markets in general, and the maintenance of fair 
and orderly markets in particular, would not be achieved.'' \1169\ 
Although the Commission recognizes that testing of a BC/DR plan does 
not guarantee flawless execution of that plan, the Commission believes 
that a tested plan is likely to be more reliable and effective than an 
inadequately tested plan.\1170\
---------------------------------------------------------------------------

    \1166\ See infra Section IV.B.6.b.iv.
    \1167\ See Fidelity Letter at 6.
    \1168\ See supra note 1140 and accompanying text.
    \1169\ See Proposing Release, supra note 13, at 18091, 18125.
    \1170\ Further, because the Commission believes that increased 
participation in BC/DR testing is likely to enhance the utility of 
the testing, the Commission encourages SCI entities to permit 
members or participants that do not meet the SCI entity's reasonable 
designation standards to participate in such testing if they request 
to do so.
---------------------------------------------------------------------------

iii. Scope, Timing, and Frequency of BC/DR Testing--Rule 1004(b)
    The SCI Proposal specified that the type of testing for which 
designees would be required to participate was ``scheduled functional 
and performance testing of the operation of [BC/DR] plans, in the 
manner and frequency specified by the SCI entity, at least once every 
12 months.'' \1171\ After careful consideration of the views of 
commenters, the Commission is adopting the scope, frequency, and timing 
requirements in the rule as proposed. Specifically, adopted Rule 
1004(b) requires that an SCI entity's designees participate in 
``scheduled functional and performance testing of the operation of [BC/
DR] plans, in the manner and frequency specified by the SCI entity, 
provided that such frequency shall not be less than once every 12 
months.''
---------------------------------------------------------------------------

    \1171\ See proposed Rule 1000(b)(9)(i).
---------------------------------------------------------------------------

    In the SCI Proposal, the Commission noted that functional testing 
is commonly understood to examine whether a system operates in 
accordance with its specifications, whereas performance testing 
examines whether a system is able to perform under a particular 
workload.\1172\ The Commission added that functional and performance 
testing should include not only testing of connectivity, but also 
testing of an SCI entity's systems, such as order entry, execution, 
clearance and settlement, order routing, and the transmission and/or 
receipt of market data, as applicable, to determine if they can operate 
as contemplated by its business continuity and disaster recovery 
plans.\1173\ With regard to the proposed scope of testing, several 
commenters expressed specific concerns about the requirement for 
``functional and performance'' testing of BC/DR

[[Page 72352]]

plans.\1174\ Specifically, one commenter expressed concern about the 
logistical challenges of conducting functional and performance testing 
at the same time.\1175\ Two commenters expressed concern that requiring 
firms to perform industry-wide, end-to-end testing by processing 
transactions in their disaster recovery systems would introduce risk to 
the markets because such testing would increase the chance that test 
transactions could inadvertently be introduced into production 
systems.\1176\ Another commenter stated that a full functional test 
across all primary and recovery data centers for any significant number 
of members or participants would require substantial time to conduct 
and may require market downtime, as would a full performance 
test.\1177\ One group of commenters suggested that the scope of the 
requirement should be revised to only cover ``functional and 
operational testing'' of disaster recovery plans, but requested 
additional guidance with regard to the scope of testing required to 
establish the effectiveness of disaster recovery plans.\1178\ This 
group of commenters expressed concern about the ``complexity and cost 
associated with establishing an effective coordinated test script that 
captures the significant number of possibilities that may occur to each 
significant market participant or SCI entity'' and recommended that the 
scope of the coordinated functional and operational testing 
requirements be revised to cover those instances in which an SCI entity 
determines to enact its disaster recovery plan.\1179\ Two commenters 
believed the tests should be ``scenario-based'' to recreate as closely 
as possible the actual conditions that would trigger widespread use of 
BC/DR plans.\1180\
---------------------------------------------------------------------------

    \1172\ See Proposing Release, supra note 13, at 18125, n. 267.
    \1173\ See id. at 18126.
    \1174\ See, e.g., FINRA Letter at 37; OCC Letter at 18; and DTCC 
Letter at 12.
    \1175\ See FINRA Letter at 37 (stating that combining 
performance testing with functional testing on weekends would be 
difficult and possibly not feasible because an end-to-end functional 
test combined with a stress test would require much more time to 
accommodate processing volumes than would be afforded in an 
abbreviated non-business day session).
    \1176\ See OCC Letter at 17-18 (stating that its systems and 
systems of many member firms are configured to prevent test activity 
from being processed by production or disaster recovery systems); 
and DTCC Letter at 12 (stating similarly that the testing proposed 
by Rule 1000(b)(9) (as opposed to communication and connectivity 
testing) would not be supported by most SCI entities' current 
systems configurations, and encouraging the Commission to consider 
this in adopting testing requirements).
    \1177\ See Omgeo Letter at 26-27. This commenter urged a more 
limited scope of testing. Specifically, this commenter urged the 
Commission to focus on ``smoke testing,'' which it characterized as 
a more limited form of testing to validate that system functionality 
is fully deployed and operational in the new recovered or resumed 
production environment, and with respect to the goals of performance 
testing, a more limited set of system operations to assure that the 
recovery system would perform those operations at roughly comparable 
speeds as those performed on the main production systems. This 
commenter further stated that, in both cases, the purpose of these 
tests would be to validate that the backup or recovery systems have 
the necessary functionality to perform the service required of the 
SCI systems, and have sufficient capacity to process the production 
workloads at roughly comparable levels of performance, rather than 
to test the actual functional or performance characteristics of the 
backup or alternate recovery systems in their own right. See Omgeo 
Letter at 27.
    \1178\ See Joint SROs Letter at 15-16.
    \1179\ See id. at 16.
    \1180\ See FIF Letter at 7; and UBS Letter at 4.
---------------------------------------------------------------------------

    Adopted Rule 1004(b) provides that the scope of required testing is 
``functional and performance testing of the operation of BC/DR plans.'' 
As stated in the SCI Proposal, such functional and performance testing 
should include not only testing of connectivity, but also testing of an 
SCI entity's systems, such as order entry, execution, clearance and 
settlement, order routing, and the transmission and/or receipt of 
market data, as applicable, to determine if they can operate as 
contemplated by its business continuity and disaster recovery 
plans.\1181\ In response to commenters expressing concern about the 
breadth of the requirement, the Commission notes that the rule requires 
functional and performance testing of the ``operation of [BC/DR] 
plans.'' While the type of testing required by adopted Rule 1004(b) is 
more rigorous than some types of testing urged by some commenters, the 
Commission does not believe that the requirement for ``functional and 
performance testing of the operation of such plans'' requires 
additional testing that is as burdensome as that feared by some of 
those commenters. Importantly, ``functional and performance testing of 
the operation of [BC/DR] plans'' entails testing that goes beyond 
communication and connectivity testing, and beyond validation testing, 
which are more limited types of testing urged by some commenters. But 
the requirement to conduct ``functional and performance testing of the 
operation of [BC/DR] plans'' does not mean that a full test of the 
functional and performance characteristics of each backup facility is 
required to be conducted all at once and in coordination with other SCI 
entities all at the same time, as some commenters characterized the 
proposed requirement.\1182\ Specifically, the Commission notes that the 
testing of BC/DR plans, which is required by Rule 1004, is different 
from testing of the function and performance of backup facilities 
generally.\1183\ What Rule 1004 requires is coordinated testing to 
evaluate annually whether such backup facilities of SCI entities can 
function and perform in accordance with the operation of BC/DR plans in 
the event of wide-scale disruption. In addition, the Commission notes 
that performance testing, which examines whether a system is able to 
perform under a particular workload, is not synonymous with ``stress 
testing,'' in which capacity limits are tested, and therefore should 
not require as much time to conduct as one commenter suggested.
---------------------------------------------------------------------------

    \1181\ See Proposing Release, supra note 13, at 18126.
    \1182\ Conducting the required testing is not intended to 
require market downtime, but permits a range of possibilities, as 
SCI entities determine to be appropriate, including weekend testing, 
as well as testing in segments over the course of a year, if SCI 
entities determine that, to meet the requirements of the rule, a 
single annual test cannot be properly conducted within a single 
period of time (e.g., over the course of a weekend).
    \1183\ Testing of the function and performance of backup 
facilities generally would occur before such facilities are launched 
into production (such as pursuant to Rule 1001(a)), and Regulation 
SCI does not impose a requirement for coordinating such testing with 
other SCI entities.
---------------------------------------------------------------------------

    In response to commenters concerned that the required testing would 
necessitate system reconfigurations,\1184\ the Commission understands 
that the requirement to test backup facilities may require technology 
adjustments to permit testing activity to be processed by BC/DR 
systems, and believes that such adjustments to permit testing are 
warranted to achieve the goal, as discussed above, of achieving 
reliable and effective BC/DR plans at SCI entities. The Commission also 
believes that such system reconfigurations would be less burdensome 
than a Commission rule requiring the establishment of a dedicated 
environment for safe end-to-end testing that accurately simulates the 
trading environment, which some commenters suggested might be 
appropriate. One group of commenters noted the ``complexity and cost 
associated with establishing an effective coordinated test script,'' 
and urged that the scope of the coordinated testing be ``narrowed to 
cover those instances in which an SCI entity determines to enact its 
disaster recovery plan.'' The Commission acknowledges that 
establishment of an effective coordinated test script will involve

[[Page 72353]]

some costs and complexity, but believes that this is an important first 
step in establishing robust and effective testing under the rule. The 
Commission encourages SCI entities to develop one or more test scripts 
contemplating a wide-scale disruption and the enactment by SCI entities 
in the region of the wide-scale disruption of their BC/DR plans.
---------------------------------------------------------------------------

    \1184\ See supra note 1176 and accompanying text. See also 
Tradebook Letter at 2-3 (stating its view that ``the only way to 
test integration from order generation to allocation and then 
through to final settlement, is in the production environment'' and 
``test tickers that operate in the production environment are the 
only way to reliably simulate exactly what will happen in the 
production environment with a live order'').
---------------------------------------------------------------------------

    Further, the Commission notes that nothing in Rule 1001(a) nor Rule 
1004 requires that an SCI entity's BC/DR plan specify that its backup 
site must fully replicate the capacity, speed, and other features of 
the primary site. Similarly, SCI entity members and participants are 
not required by Regulation SCI to maintain the same level of 
connectivity with the backup sites of an SCI entity as they do with the 
primary sites.\1185\ In the event of a wide-scale disruption in the 
securities markets, the Commission acknowledges that an SCI entity and 
its members or participants may not be able to provide the same level 
of liquidity as on a normal trading day. In addition, the Commission 
recognizes that the concept of ``fair and orderly markets'' does not 
require that trading on a day when business continuity and disaster 
recovery plans are in effect will reflect the same levels of liquidity, 
depth, volatility, and other characteristics of trading on a normal 
trading day. Nevertheless, the Commission believes it is critical that 
SCI entities and their designated members or participants be able to 
operate with the SCI entities' backup systems in the event of a wide-
scale disruption. Therefore, Rule 1004 requires that an SCI entity's 
BC/DR plan that meets the requirements of Rule 1001(a)(2)(v) be tested 
for both its functionality and performance as specified by the SCI 
entity's BC/DR plan.
---------------------------------------------------------------------------

    \1185\ See infra Section VI.C.2.b.vii (discussing the estimated 
costs of adopted Rule 1004).
---------------------------------------------------------------------------

    In addition, several commenters addressed testing more 
generally.\1186\ For example, some commenters urged that comprehensive, 
industry-wide, end-to-end testing could be enhanced if there were 
uniform test tickers supported by the testing infrastructure at all SCI 
entities.\1187\ Two commenters urged the establishment of principles 
for end-to-end, integrated testing.\1188\ Specifically, one of these 
commenters suggested that SCI entities, the Commission, and relevant 
third-parties think about how to establish a dedicated environment 
where end-to-end testing could be done safely, and where it could 
accurately simulate the trading environment.\1189\ This commenter also 
suggested that testing plans concentrate on high volume periods, stress 
testing common order types, and focusing on securities that generally 
experience low liquidity.\1190\ This commenter believed that industry-
wide testing should include derivatives and cross-asset scenarios, and 
possibly include some involvement by foreign regulators and markets as 
well.\1191\ While the suggestions of these commenters are not 
inconsistent with the rule's requirement for functional and performance 
testing of BC/DR plans, the Commission has determined not to require 
them because the Commission does not believe, at this time, that these 
suggestions are necessary in every instance to achieve reliable and 
effective BC/DR plans at SCI entities. However, to the extent an SCI 
entity believes them to be appropriate for its systems, these 
suggestions could be utilized in its BC/DR plans testing.
---------------------------------------------------------------------------

    \1186\ See Tradebook Letter at 1-3; CAST Letter at 9; FIA PTG 
Letter at 2; and CoreOne Letter at 3-7.
    \1187\ See Tradebook Letter at 2-3; CAST Letter at 9; and FIA 
PTG Letter at 2.
    \1188\ See CoreOne Letter at 3; and Tradebook Letter at 1-3.
    \1189\ See CoreOne Letter at 3.
    \1190\ See id. at 3-4.
    \1191\ See id. at 7.
---------------------------------------------------------------------------

    Importantly, the adopted rule does not prescribe how SCI entities 
are to develop plans for functional and performance testing of order 
entry, execution, clearance and settlement, order routing, and the 
transmission and/or receipt of market data, as applicable, to determine 
if these functions can operate as contemplated by SCI entity BC/DR 
plans. Thus, as with the proposed requirement, the adopted rule 
provides an SCI entity with discretion to determine the precise manner 
and content of the BC/DR testing required pursuant to Rule 1004, and 
SCI entities have discretion to determine, for example, the duration of 
the testing, the sample size of transactions tested, the scenarios 
tested, and the scope of the test. Therefore, while comments urging the 
creation of uniform test tickers, establishment of principles for end-
to-end testing, mandatory types of test scripts, and cross-asset and 
cross-jurisdictional coordination are matters that SCI entities may 
wish to consider in implementing the testing required by the rule, the 
Commission does not believe it is appropriate to mandate such details 
in Regulation SCI. To do so would be more prescriptive than the 
Commission believes is appropriate, as this requirement is designed to 
provide SCI entities flexibility and discretion in determining how to 
meet it. The Commission believes that the adopted testing requirement 
will help to improve securities market infrastructure resilience by 
helping to ensure not only that an SCI entity can operate following an 
event that triggers its BC/DR plans, but also that it can do so with a 
greater level of confidence that its core members or participants are 
also ready based on experience during testing. The Commission is 
adopting Rule 1004(b) substantively as proposed because it gives SCI 
entities discretion to develop a test that meets the requirements of 
the rule.
    One commenter recommended requiring that each entity be run 
entirely under its backup plan at least one day a year for a full 
trading day, and that the entire market run off of the backup sites at 
least once a year.\1192\ While adopted Rule 1004 would not preclude 
this approach, the Commission notes that other commenters disagreed 
with the wisdom of it.\1193\ Specifically, one group of commenters 
stated that the risks of testing in a ``live production environment on 
a periodic basis'' outweigh the benefits.\1194\ Another commenter 
stated that requiring SCI entities to operate using their backup 
facilities would increase the risk of erroneous quotes and orders 
entering the marketplace.\1195\
---------------------------------------------------------------------------

    \1192\ See Angel Letter at 10.
    \1193\ See Joint SROs Letter at 15; and Group One Letter at 2.
    \1194\ See Joint SROs Letter at 15.
    \1195\ See Group One Letter at 2.
---------------------------------------------------------------------------

    After careful consideration of these comments, the Commission has 
determined not to prescribe the time of day or week during which 
testing shall occur. In addition, the adopted rule does not require an 
SCI entity to test its BC/DR plan in live production, but also does not 
prohibit an SCI entity from testing its BC/DR plans in live production, 
either, if an SCI entity determines such a method of testing to be 
appropriate. The Commission continues to believe that SCI entities are 
in the best position to structure the details of the test in a way that 
would maximize its utility.
    With respect to testing frequency, one commenter agreed with the 
proposal that an SCI entity's BC/DR plans, including its backup 
systems, be tested ``at least once every 12 months.'' \1196\ One 
commenter stated that the rule should explicitly set forth the required 
frequency of testing.\1197\ One commenter believed that two coordinated 
industry tests per year would be more appropriate.\1198\ One commenter

[[Page 72354]]

believed that testing once per year is arbitrary, and suggested that a 
risk-based approach might justify testing certain systems with more or 
less frequency.\1199\
---------------------------------------------------------------------------

    \1196\ See DTCC Letter at 13.
    \1197\ See NYSE Letter at 33.
    \1198\ See FIF Letter at 6.
    \1199\ See MSRB Letter at 24.
---------------------------------------------------------------------------

    The Commission is adopting as proposed the requirement that testing 
occur not less than once every 12 months. Although commenters offered 
differing views on the appropriate frequency for the required 
testing,\1200\ the Commission continues to believe that a testing 
frequency of once every 12 months is an appropriate minimum frequency 
that encourages regular and focused attention on the establishment of 
meaningful and effective testing. In the context of coordinated BC/DR 
testing, the Commission believes the key is for testing to occur 
regularly enough to offer practical utility in the event of a wide-
scale disruption without imposing undue cost, and that a minimum 
frequency of one year achieves this balance. This requirement does not 
prevent SCI entities from testing more frequently, but rather is 
intended to give SCI entities the flexibility to test their BC/DR 
plans, including their backup systems, at more frequent intervals if 
they find it appropriate to do so.
---------------------------------------------------------------------------

    \1200\ See supra notes 1196-1199.
---------------------------------------------------------------------------

iv. Industry- or Sector-Wide Coordination--Rule 1004(d)
    Proposed Rule 1000(b)(9)(a)(ii) specified that an SCI entity would 
be required to coordinate the testing of BC/DR plans on an industry- or 
sector-wide basis with other SCI entities. The Commission received 
significant comment on this aspect of the proposal.
    Two commenters supported the coordinated testing requirement.\1201\ 
Specifically, one of these commenters stated that a coordination 
requirement targets an area where technology risks have left the 
markets more vulnerable, namely, the complex ways that firms 
interact.\1202\ This commenter favored market-wide testing as a way to 
better manage that risk.\1203\ This commenter also stated that 
coordination is vital because the more SCI entities and member firms 
that participate in testing, the more realistic that testing will 
be.\1204\ Another commenter noted that one of the most important steps 
in validating and maintaining systems integrity is an effective BC/DR 
model and urged the Commission to promptly advance a program to 
introduce a new and more comprehensive BC/DR testing paradigm.\1205\
---------------------------------------------------------------------------

    \1201\ See Angel Letter at 9; and UBS Letter at 4.
    \1202\ See Angel Letter at 9.
    \1203\ See id.
    \1204\ See id.
    \1205\ See UBS Letter at 4-5. This commenter also stated that 
improved BC/DR testing should not be delayed until Regulation SCI is 
adopted. See UBS Letter at 5.
---------------------------------------------------------------------------

    In contrast, some commenters opposed the proposed comprehensive, 
coordinated testing structure.\1206\ Some commenters stated that 
coordinating testing presents significant technological and logistical 
challenges that need to be weighed carefully.\1207\ One commenter 
stated that coordinated testing is a good aspirational goal, but 
expressed concern that too much is outside of the control of an 
individual SCI entity, and therefore the rule should, at most, require 
SCI entities to attempt to coordinate such testing.\1208\ Another 
commenter stated that the fixed-income market is so fragmented that 
coordinated testing is difficult to conduct and much less 
imperative.\1209\
---------------------------------------------------------------------------

    \1206\ See DTCC Letter at 12-13; FINRA Letter at 37-39; OCC 
Letter at 17-18; and ISE Letter at 8.
    \1207\ See LiquidPoint Letter at 4; and SIFMA Letter at 17-18. 
See also supra notes 1175-1177 and accompanying text.
    \1208\ See CME Letter at 13.
    \1209\ See TMC Letter at 3.
---------------------------------------------------------------------------

    Some commenters offered suggestions on how to improve the proposed 
coordination requirement. One commenter urged that coordination only be 
required among providers of singular services in the market (i.e., 
exchanges that list securities, exclusive processors under NMS plans, 
and clearing and settlement agencies).\1210\ Some commenters believed 
that coordination would work best if it was organized by an entity with 
regulatory authority over SCI entities, or by an organization 
designated by the Commission to fulfill that role.\1211\ One such 
commenter supported coordinating testing through a Commission-approved 
plan, provided SCI entities have the right to maintain the 
confidentiality of certain critical information.\1212\ Another 
commenter recommended that the Commission work with the CFTC to adopt a 
coordinated approach to dealing with technology issues across financial 
markets, including through participation by derivatives exchanges in 
testing alongside their equity markets counterparts.\1213\
---------------------------------------------------------------------------

    \1210\ See Direct Edge Letter at 9.
    \1211\ See DTCC Letter at 13; OCC Letter at 18; and NYSE Letter 
at 33.
    \1212\ See NYSE Letter at 33.
    \1213\ See Angel Letter at 12.
---------------------------------------------------------------------------

    After careful consideration of the comments, the Commission has 
determined to adopt the coordination requirement as proposed. 
Specifically, Rule 1004(d) requires that an SCI entity ``coordinate the 
testing of [BC/DR] plans on an industry- or sector-wide basis with 
other SCI entities.'' The Commission recognizes that coordinating 
industry- or sector-wide testing among SCI entities and their 
designated members or participants may present logistical challenges. 
Because of these challenges, the Commission does not believe that a 
more prescriptive approach is warranted. Instead, the coordination 
requirement provides discretion to SCI entities to determine how to 
meet it.
    The Commission does not agree with commenters suggesting that the 
Commission should assume leadership on the organization of coordinated 
testing, designate an organization to fulfill that role, or require a 
``Commission-approved plan'' for testing, because it believes at this 
time that SCI entities can achieve coordination more quickly and 
efficiently without the imposition of a formal procedural framework 
that these suggestions would entail.\1214\ In response to comment 
suggesting that coordination should be aspirational rather than 
required, the Commission believes that, because trading in the U.S. 
securities markets today is dispersed among a wide variety of 
exchanges, ATSs, and other trading venues, and is often conducted 
through sophisticated trading strategies that access many trading 
platforms simultaneously, requiring SCI entities to coordinate testing 
would result in testing under more realistic market conditions.\1215\ 
The Commission also continues to believe that it would be more cost-
effective for SCI entity members and participants to participate in 
testing of SCI entity BC/DR plans on an industry- or sector-wide basis 
than to test with each SCI entity on an individual basis because such 
coordination would likely reduce duplicative testing efforts.\1216\ In

[[Page 72355]]

addition, if SCI entities that are ``providers of singular services'' 
in the markets (i.e., which the Commission believes would be synonymous 
with SCI entities that are providers of ``critical SCI systems'') lead 
coordination efforts on behalf of all SCI entities, such an approach 
would not be impermissible under Rule 1004(d), provided all SCI 
entities agreed to such an approach.
---------------------------------------------------------------------------

    \1214\ With respect to the suggestion that there be a Commission 
approved plan, the Commission notes that Rule 608 of Regulation NMS 
is designed to facilitate participation in NMS plans by self-
regulatory organizations, which does not include SCI entities that 
are not SCI SROs, including SCI ATSs. The Commission notes that at 
least one commenter suggested that the Commission work with the CFTC 
to adopt a coordinated approach to testing. But, as discussed above, 
the Commission believes that Regulation SCI is an important step to 
reduce the risks associated with a decision to activate BC/DR plans. 
And, although the Commission may in the future consider additional 
initiatives to promote further coordination with the CFTC, in the 
Commission's view, this initial step of adopting Regulation SCI 
should not be delayed.
    \1215\ See Proposing Release, supra note 13, at 18126.
    \1216\ In response to comment that coordinated BC/DR testing is 
not needed in the current fixed-income market, the Commission notes 
that it has determined to exclude ATSs trading only municipal 
securities or corporate debt securities from the scope of Regulation 
SCI. See supra notes 189-192 and accompanying text (discussing the 
exclusion of ATSs trading only fixed-income securities from the 
definition of SCI ATS).
---------------------------------------------------------------------------

    In response to commenters who more generally expressed concern 
about the rule subjecting SCI entity members and participants to 
multiple duplicative and costly testing requirements,\1217\ the 
Commission notes that the flexibility provided in the adopted 
coordination requirement, in tandem with the more focused adopted 
mandatory designation requirement should mitigate these concerns. As 
discussed above, adoption of a more focused designation requirement 
that requires SCI entities to exercise reasonable discretion is likely 
to reduce the extent to which SCI entity member or participant 
designations overlap and possibly result in a smaller number of SCI 
entity members or participants being designated for participation in 
testing than as contemplated by the SCI Proposal, and a fewer number of 
members or participants designated to participate in testing should 
simplify efforts to coordinate testing. However, as some commenters 
noted, it remains possible that, despite coordination, some firms that 
are members of multiple SCI entities may be designated to participate 
in testing with multiple SCI entities at greater cost than if they had 
been designated by only one SCI entity, and may be required to test 
more than once annually, as this may be necessary for each SCI entity 
to meet its obligations under the rule. Though the Commission 
recognizes that the possibility of being designated by multiple SCI 
entities to participate in the testing of their BC/DR plans may be 
costly, the Commission ultimately believes that such a cost is 
appropriate to help ensure that the BC/DR plan of each SCI entity is 
useful and effective. If, for example, a firm is designated for 
mandatory testing by multiple SCI entities, it would be so designated 
because each such SCI entity determines that such firm is necessary to 
the successful activation of its BC/DR plan. The Commission recognizes 
that it is conceivable that a firm that is required to participate in 
testing with multiple SCI entities assesses the costs and burdens of 
participating in every such test to be too great, and makes its own 
business decision to withdraw its membership or participation in one or 
more such SCI entities so as to avoid the costs and burdens of such 
testing, but believes such scenario to be unlikely. Specifically, the 
Commission believes that it is unlikely that a firm determined to be 
significant enough to be designated to participate in testing by an SCI 
entity (even a smaller SCI entity) would choose to withdraw its 
membership or participation in an SCI entity solely because of the 
costs and burdens of Regulation SCI's BC/DR testing provisions. The 
Commission also believes that such firm is likely to be a larger firm 
with greater resources and a significant level of participation in such 
SCI entity, and is likely to already be connected to the backup 
facility of the SCI SRO that is designating it to test. The Commission 
continues to believe that SCI entities are best suited to find the most 
efficient and effective manner in which to test their BC/DR plans.\1218\
---------------------------------------------------------------------------

    \1217\ See supra notes 1159-1160 and accompanying text.
    \1218\ See Proposing Release, supra note 13, at 18126.
---------------------------------------------------------------------------

    Furthermore, the Commission is also adopting a longer compliance 
period with regard to the industry- or sector-wide coordinated testing 
requirement in adopted Rule 1004(d).\1219\ Specifically, SCI entities 
will have 21 months from the Effective Date to coordinate the testing 
of an SCI entity's business continuity and disaster recovery plans on 
an industry- or sector-wide basis with other SCI entities pursuant to 
adopted Rule 1004(d). In sum, the Commission believes that Rule 1004, 
as adopted, will enhance the resilience of the infrastructure of the 
U.S. securities markets.
---------------------------------------------------------------------------

    \1219\ See infra Section IV.F (discussing the delayed 
implementation time for adopted Rule 1004(d)).
---------------------------------------------------------------------------

C. Recordkeeping, Electronic Filing on Form SCI, and Access--Rules 
1005-1007

    Adopted Rules 1005 through 1007 specify several additional 
requirements of Regulation SCI relating to recordkeeping and electronic 
filing and submission. As discussed below, the Commission has 
determined not to adopt the proposed provision regarding Commission 
access to the systems of an SCI entity because the Commission can 
adequately assess an SCI entity's compliance with Regulation SCI 
through existing recordkeeping requirements and examination authority, 
as well as through the new recordkeeping requirement in Rule 1005 of 
Regulation SCI.
1. Recordkeeping--Rules 1005-1007
a. Recordkeeping Related to Compliance With Regulation SCI--Rule 1005
    Proposed Rule 1000(c) required SCI SROs to make, keep, and preserve 
all documents relating to their compliance with Regulation SCI, as 
prescribed in Rule 17a-1 under the Exchange Act. Proposed Rule 1000(c) 
required SCI entities other than SCI SROs to: Make, keep, and preserve 
at least one copy of all documents relating to their compliance with 
Regulation SCI; keep these documents for not less than five years, the 
first two years in a place that is readily accessible to the Commission 
or its representatives for inspection and examination; and promptly 
furnish to Commission representatives \1220\ copies of any of these 
documents upon request. Further, proposed Rule 1000(c) provided that, 
upon or immediately prior to ceasing to do business or ceasing to be 
registered under the Exchange Act, an SCI entity must ensure that the 
required records are accessible to the Commission and its 
representatives in a manner required by Rule 1000(c) for the remainder 
of the period required by Rule 1000(c).
---------------------------------------------------------------------------

    \1220\ As discussed above, the Commission has renamed the ARP 
Inspection Program the Technology Controls Program. See supra note 
6.
---------------------------------------------------------------------------

    The Commission received one comment letter supporting proposed Rule 
1000(c).\1221\ The Commission is adopting Rule 1000(c) as proposed, but 
re-designated as Rule 1005.\1222\
---------------------------------------------------------------------------

    \1221\ See MSRB Letter at 25. As discussed above, some 
commenters suggested recordkeeping in lieu of certain Commission 
reporting requirements. See, e.g., supra note 881 and accompanying 
text.
    \1222\ The Commission notes that adopted Rule 1005 replaces the 
term ``SCI security systems'' with ``indirect SCI systems'' as 
described in more detail in Section IV.A.2.d. Furthermore, internal 
cross references to Rules 1000(c)(2)(i) and (c)(2)(ii) in Rule 
1000(c)(2)(iii) were updated to paragraphs (b)(1) and (b)(2) of Rule 
1005 in accordance with the renumbering of the rule.
---------------------------------------------------------------------------

    As noted in the SCI Proposal, SCI entities are already subject to 
recordkeeping requirements,\1223\ but records relating to Regulation 
SCI may not be specifically addressed in certain

[[Page 72356]]

current recordkeeping rules.\1224\ As adopted, Rule 1005 specifically 
addresses recordkeeping requirements for SCI entities with respect to 
records relating to Regulation SCI compliance.
---------------------------------------------------------------------------

    \1223\ See, e.g., 17 CFR 240.17a-1, applicable to SCI SROs; 17 
CFR 240.17a-3 and 17a-4, applicable to broker-dealers; and 17 CFR 
242.301-303, applicable to ATSs.
     It has been the experience of the Commission that SCI entities 
presently subject to the ARP Inspection Program (nearly all of whom 
are SCI SROs that are also subject to the recordkeeping requirements 
of Rule 17a-1(a)) do generally keep and preserve the types of 
records that would be subject to the requirements of Rule 1005. 
Nevertheless, the Commission continues to believe that Regulation 
SCI's codification of these preservation practices will support an 
accurate, timely, and efficient inspection and examination process 
and help ensure that all types of SCI entities keep and preserve 
such records.
    \1224\ See Proposing Release, supra note 13, at 18128.
---------------------------------------------------------------------------

    With respect to SCI SROs, Rule 17a-1(a) under the Exchange Act 
requires every national securities exchange, national securities 
association, registered clearing agency, and the MSRB to keep and 
preserve at least one copy of all documents, including all 
correspondence, memoranda, papers, books, notices, accounts, and other 
such records as shall be made and received by it in the course of its 
business as such and in the conduct of its self-regulatory 
activity.\1225\ In addition, Rule 17a-1(b) requires these entities to 
keep all such documents for a period of not less than five years, the 
first two years in an easily accessible place, subject to the 
destruction and disposition provisions of Rule 17a-6.\1226\ Rule 17a-
1(c) requires these entities, upon request of any representative of the 
Commission, to promptly furnish to the possession of Commission 
representatives copies of any documents required to be kept and 
preserved by it pursuant to Rules 17a-1(a) and (b).\1227\ Therefore, as 
noted in the SCI Proposal, the breadth of Rule 17a-1 under the Exchange 
Act is such that it would require SCI SROs to make, keep, and preserve 
records relating to their compliance with Regulation SCI.\1228\ The 
Commission continues to believe that it is appropriate to cross-
reference Rule 17a-1 in Rule 1005 to be clear that all SCI entities are 
subject to the same recordkeeping requirements regarding compliance 
with Regulation SCI. The Commission also continues to believe that it 
is appropriate to adopt recordkeeping requirements for SCI entities 
other than SCI SROs that are consistent with the recordkeeping 
requirements applicable to SROs under Rule 17a-1 under the Exchange 
Act. The Commission believes it is important to require such records be 
kept at both SCI SROs and SCI entities other than SCI SROs because such 
records are essential to understanding whether an SCI entity is meeting 
its obligations under Regulation SCI, to assess whether an SCI entity 
has appropriate policies and procedures with respect to its technology 
systems, to help identify the causes and consequences of an SCI event, 
and to understand the types of material systems changes occurring at an 
SCI entity.\1229\
---------------------------------------------------------------------------

    \1225\ See 17 CFR 240.17a-1(a). Such records would, for example, 
include copies of incident reports and the results of systems 
testing.
    \1226\ See 17 CFR 240.17a-1(b). Rule 17a-6(a) under the Exchange 
Act states: ``Any document kept by or on file with a national 
securities exchange, national securities association, registered 
clearing agency or the Municipal Securities Rulemaking Board 
pursuant to the Act or any rule or regulation thereunder may be 
destroyed or otherwise disposed of by such exchange, association, 
clearing agency or the Municipal Securities Rulemaking Board at the 
end of five years or at such earlier date as is specified in a plan 
for the destruction or disposition of any such documents if such 
plan has been filed with the Commission by such exchange, 
association, clearing agency or the Municipal Securities Rulemaking 
Board and has been declared effective by the Commission.'' 17 CFR 
240.17a-6(a).
    \1227\ See 17 CFR 240.17a-1(c).
    \1228\ See Proposing Release, supra note 13, at 18128.
    \1229\ To achieve the goals for which the recordkeeping 
requirements are designed, and to comply with the recordkeeping 
requirements of Rule 17a-1 and Rule 1005 of Regulation SCI, SCI 
entities must ensure that the records that they make, keep, and 
maintain are complete and accurate.
---------------------------------------------------------------------------

    Further, as noted above, the definitions of SCI system and indirect 
SCI system include systems operated ``on behalf of'' an SCI entity by 
third parties. An SCI entity retains legal responsibility for systems 
operated on its behalf and, as such, is responsible for producing to 
Commission representatives records required to be made, kept, and 
preserved under Regulation SCI, even if those records are maintained by 
third parties, and the SCI entity is responsible for ensuring that such 
third parties produce those requested documents, upon examination or 
other request. Accordingly, the Commission believes that an SCI entity 
should have processes and requirements in place, such as contractual 
provisions with a third party, to ensure that it is able to satisfy the 
requirements of Regulation SCI for systems operated on its behalf by a 
third party, including the recordkeeping requirements in Rule 
1005.\1230\ The Commission believes that if an SCI entity is unable to 
ensure compliance with Regulation SCI with regard to third party 
systems or recordkeeping, it should reassess its decision to outsource 
its systems or recordkeeping.
---------------------------------------------------------------------------

    \1230\ See also Rule 1007, which states that, if records 
required to be filed or kept by an SCI entity under Regulation SCI 
are prepared or maintained by a service bureau or other 
recordkeeping service on behalf of the SCI entity, the SCI entity is 
required to ensure that the records are available for review by the 
Commission and its representatives by submitting a written 
undertaking, in a form acceptable to the Commission, by such service 
bureau or other recordkeeping service, signed by a duly authorized 
person at such service bureau or other recordkeeping service.
---------------------------------------------------------------------------

    The Commission believes that Rule 1005 will facilitate its 
inspections and examinations of SCI entities and assist it in 
evaluating an SCI entity's compliance with Regulation SCI. In 
particular, Rule 1005 should facilitate Commission examination of SCI 
entities by helping to reduce delays in obtaining relevant records 
during an examination. Therefore, as noted in the SCI Proposal, the 
Commission's ability to examine for, and enforce compliance with, 
Regulation SCI could be hampered if an SCI entity were not required to 
adequately provide accessibility to its records for the full proposed 
retention period.
    Further, while many SCI events may occur, be discovered, and be 
resolved in a short time frame, there may be other SCI events that may 
not be discovered until months or years after their occurrences, or may 
take significant periods of time to fully resolve. In such cases, 
having an SCI entity's records available even after it has ceased to do 
business or be registered under the Exchange Act would be beneficial. 
Because SCI events have the potential to negatively impact trade 
execution, price discovery, liquidity, and investor participation, the 
Commission believes that its ability to oversee the securities markets 
could be undermined if it is unable to review records to determine the 
causes and consequences of one or more SCI events experienced by an SCI 
entity that deregisters or ceases to do business. This information 
should provide an additional tool to help the Commission reconstruct 
important market events and better understand how such events impacted 
trade execution, price discovery, liquidity, and investor 
participation.
b. Service Bureau--Rule 1007
    Proposed Rule 1000(e) required that, if the records required to be 
filed or kept by an SCI entity under Regulation SCI were prepared or 
maintained by a service bureau or other recordkeeping service on behalf 
of the SCI entity, the SCI entity ensure that the records are available 
for review by the Commission and its representatives by submitting a 
written undertaking, in a form acceptable to the Commission, by such 
service bureau or other recordkeeping service and signed by a duly 
authorized person at such service bureau or other recordkeeping 
service. Further, the written undertaking was required to include an 
agreement by the service bureau designed to permit the Commission and 
its representatives to examine such records at any time or from time to 
time during business hours, and to promptly furnish to the Commission 
and its representatives true, correct, and current electronic files in 
a form acceptable to the Commission or its representatives or hard 
copies of any, all, or any part of such records, 
upon request, periodically, or continuously and, in any case, within 
the same time periods as would apply to the SCI entity for such 
records. Proposed Rule 1000(e) also provided that the preparation or 
maintenance of records by a service bureau or other recordkeeping 
service would not relieve an SCI entity from its obligation to prepare, 
maintain, and provide the Commission and its representatives with 
access to such records.
    The Commission did not receive any comments on proposed Rule 
1000(e) and is adopting Rule 1000(e) as proposed, but re-designated as 
Rule 1007. As noted in the SCI Proposal, Rule 1007 is substantively the 
same as the requirement applicable to broker-dealers under Rule 17a-
4(i) of the Exchange Act.\1231\ The Commission continues to believe 
that this requirement will help ensure the Commission's ability to 
obtain required records that are held by a third party who may not 
otherwise have an obligation to make such records available to the 
Commission. In addition, the Commission continues to believe that the 
requirement that SCI entities obtain from such third parties a written 
undertaking will also help ensure that such service bureau or other 
recordkeeping service is aware of its obligation with respect to 
records relating to Regulation SCI. The Commission believes that this 
requirement will help ensure that the Commission has prompt and 
efficient access to all required records, including those housed at a 
service bureau or any other recordkeeping service.\1232\
---------------------------------------------------------------------------

    \1231\ 17 CFR 240.17a-4(i). See Proposing Release, supra note 
13, at 18129.
    \1232\ See 17 CFR 240.17a-4(i) (records preserved or maintained 
by a service bureau).
---------------------------------------------------------------------------

2. Electronic Filing and Submission of Reports, Notifications, and 
Other Communications--Rule 1006
    Proposed Rule 1000(d) required that, except with respect to 
notifications to the Commission made pursuant to proposed Rule 
1000(b)(4)(i) (Commission notification of certain SCI events) or oral 
notifications to the Commission made pursuant to proposed Rule 
1000(b)(6)(ii) (Commission notification of certain material systems 
changes), any notification, review, description, analysis, or report to 
the Commission required under Regulation SCI be submitted 
electronically on Form SCI and include an electronic signature. 
Proposed Rule 1000(d) also required that the signatory to an 
electronically submitted Form SCI manually sign a signature page or 
document, in the manner prescribed by Form SCI, authenticating, 
acknowledging, or otherwise adopting his or her signature that appears 
in typed form within the electronic filing. This document would be 
required to be executed before or at the time Form SCI is 
electronically submitted and would be required to be retained by the 
SCI entity in accordance with the recordkeeping requirements of 
Regulation SCI. The Commission is adopting Rule 1000(d) substantially 
as proposed, as discussed below, but re-designated as Rule 1006.
    One commenter supported the electronic submission of Form 
SCI.\1233\ One commenter suggested that the Commission should make 
clear that Regulation SCI filings do not need to be made in a tagged 
data format such as XBRL, which could be costly.\1234\ Another 
commenter stated that the electronic signature requirement was 
appropriate only if the final rule included a safe harbor for good 
faith reporting of SCI events.\1235\ According to this commenter, the 
requirement that there be an electronic signature and a manual 
signature could put SCI entity personnel at risk if it is later 
determined that there were factual errors, omissions, or other flaws in 
the initial filing.\1236\
---------------------------------------------------------------------------

    \1233\ See MSRB Letter at 25.
    \1234\ See OTC Markets Letter at 4. See also FINRA Letter at 28.
    \1235\ See Omgeo Letter at 20.
    \1236\ See id.
---------------------------------------------------------------------------

    After consideration of the comments, the Commission is adopting 
Rule 1000(d) substantially as proposed, and with updated internal cross 
references to reflect revisions to other aspects of Regulation SCI, as 
adopted. Specifically, Rule 1006 provides that notifications made 
pursuant to Rule 1002(b)(1) (immediate Commission notification of SCI 
events) and updates made pursuant to Rule 1002(b)(3) (updates regarding 
SCI events) are not required to be filed on Form SCI.\1237\ As noted in 
the SCI Proposal, Rule 1006 is intended to provide a uniform manner in 
which the Commission would receive--and SCI entities would provide--
written notifications, reviews, descriptions, analyses, or reports made 
pursuant to Regulation SCI.\1238\ Rule 1006 should therefore allow SCI 
entities to efficiently draft and submit the required reports, and allow 
the Commission to efficiently review, analyze, and respond to the 
information provided.\1239\ In addition, the Commission believes that 
filing Form SCI in an electronic format would be less burdensome and 
more efficient for SCI entities and the Commission than mailing and 
filing paper forms.\1240\ Further, after considering comments regarding 
the burden of submitting Form SCI in a tagged data format such as XBRL, 
the Commission is not requiring the use of XBRL formatting for Form 
SCI. Rather, certain fields in Sections I-III of Form SCI will require 
information to be provided by SCI entities in a format that will allow 
the Commission to gather information in a structured manner (e.g., the 
submission type and SCI event type in Section I), whereas the exhibits 
to Form SCI will allow SCI entities to provide narrative responses, 
such as through a text format. Further, the Commission also is 
specifying that documents filed through the EFFS system must be in a 
text-searchable format without the use of optical character 
recognition. If, however, a portion of a Form SCI submission (e.g., an 
image or diagram) cannot be made available in a text-searchable format, 
such portion may be submitted in a non-text-searchable format.\1241\ 
The Commission believes that requiring documents to be submitted in a 
text-searchable format (with the limited exception noted) is necessary 
to allow Commission staff to efficiently review and analyze information 
provided by SCI entities. In particular, a text-searchable format 
allows Commission staff to better gather, analyze and use data 
submitted as exhibits, whereas a non-text-searchable format submission 
would require significantly more steps and labor to review and analyze 
data. The Commission notes that word processing and spreadsheet 
applications that are widely used by many businesses, including SCI 
entities, generate documents in this format.
---------------------------------------------------------------------------

    \1237\ See supra Section IV.B.3.c (discussing the Commission 
notification requirement for SCI events). Adopted Rule 1006 refers 
to an electronically ``filed'' Form SCI, rather than an 
electronically ``submitted'' Form SCI as proposed in Rule 
1000(d)(1). This change clarifies that notices and reports required 
to be submitted under Regulation SCI are filings under the Exchange 
Act and Regulation SCI. See proposed and adopted 17 CFR 249.1900 
(stating that Form SCI shall be used to ``file'' notices and reports 
as required by Regulation SCI). See also amended Rule 24b-2 
(referring to material ``filed'' in electronic format on Form SCI).
    \1238\ See Proposing Release, supra note 13, at 18129-30.
    \1239\ See id. at 18130.
    \1240\ The Commission will implement Form SCI through the 
electronic form filing system (``EFFS'') currently used by SCI SROs 
to file Form 19b-4 filings. See Securities Exchange Act Release No. 
50486 (October 4, 2004), 69 FR 60287 (October 8, 2004) (adopting the 
EFFS for use in filing Form 19b-4). See also Proposing Release, 
supra note 13, at 18130.
    \1241\ See General Instructions to Form SCI, Item A.
---------------------------------------------------------------------------

    As noted above, one commenter stated that the electronic signature 
requirement was appropriate only if the 
final rule included a safe harbor for good faith reporting of SCI 
events. The Commission is adopting the electronic signature requirement 
as proposed. The Commission notes that, as discussed above in Section 
IV.B.3.c, immediate Commission notification following an SCI event and 
updates regarding the SCI event may be given orally; the 24-hour 
Commission notification is required to be made on a good faith, best 
efforts basis; and the final Commission notification is not required 
until the resolution of the SCI event and the completion of the SCI 
entity's investigation of the SCI event. The Commission also notes that 
the purpose of the electronic signature requirement on Form SCI is to 
ensure that the person submitting the form to the Commission has been 
properly authorized by the SCI entity to submit the form on its 
behalf.\1242\ Therefore, the electronic signature requirement would not 
put SCI entity personnel at risk if the SCI entity later determines 
that there were factual errors, omissions, or other flaws in the 
initial filing. As such, the Commission does not agree with the comment 
that the electronic signature requirement was appropriate only if the 
final rule included a safe harbor for good faith reporting of SCI 
events.\1243\
---------------------------------------------------------------------------

    \1242\ Additionally, similar to use of the EFFS in the context 
of electronic filing of Form 19b-4, by using a digital ID for each 
duly authorized signatory providing an electronic signature, both 
the Commission and an SCI entity may be assured of the authenticity 
and integrity of the electronic filing of Form SCI. See infra 
Section V.D.2.e (noting the necessity of completing a form to gain 
access to EFFS).
    \1243\ The same rationale also applies to the requirement for 
manual signature in Rule 1006.
---------------------------------------------------------------------------

Amendment To Facilitate Electronic Filing Requirements
    In addition, to permit implementation of Rule 1006,\1244\ the 
Commission is adopting an amendment to Rule 24b-2 under the Exchange 
Act.\1245\ Rule 24b-2 currently provides that confidential treatment 
requests and the confidential portion of an electronic filing may be 
submitted in paper format only.\1246\ The Commission is amending the 
preliminary note to Rule 24b-2 and paragraph (b) of the rule to 
clarify that under Rule 24b-2, confidential treatment requests 
and the confidential portion of an electronic filing may be submitted 
in paper format only, unless Rule 24b-2 provides otherwise. The 
Commission also is adding a new paragraph (g) to Rule 24b-2 to provide 
an electronic means by which an SCI entity may request confidential 
treatment of its filings on Form SCI. New paragraph (g) will provide 
that an SCI entity's electronic filings on Form SCI pursuant to 
Regulation SCI must include any information with respect to which 
confidential treatment is requested (``confidential portion''), and 
provide that, in lieu of the procedures described in Rule 24b-2b, an 
SCI entity may request confidential treatment of all information 
submitted on Form SCI by completing Section IV of Form SCI. The 
Commission's amendment provides an exception from Rule 24b-2's paper-
only request for confidential treatment for all Form SCI filings, and 
specifically permits an SCI entity to electronically request 
confidential treatment of all information filed on Form SCI in 
accordance with Regulation SCI. The Commission believes that allowing 
for electronic submission of confidential treatment requests will 
reduce the burden on SCI entities by not requiring a separate paper 
submission, and provided the confidential treatment request is properly 
made, will expedite Commission review of the requests for confidential 
treatment, as all information submitted on Form SCI will be deemed to 
be the subject of the request for confidential treatment.
---------------------------------------------------------------------------

    \1244\ See Rule 1006, 17 CFR 242.1006; see also General 
Instruction E to Form SCI (requiring Form SCI and exhibits to be 
filed electronically under Rule 1006).
    \1245\ 17 CFR 240.24b-2.
    \1246\ See 17 CFR 240.24b-2.
---------------------------------------------------------------------------

    If such a confidential treatment request is properly made, the 
Commission will keep the information collected pursuant to Form SCI 
confidential to the extent permitted by law.\1247\
---------------------------------------------------------------------------

    \1247\ The Freedom of Information Act (``FOIA'') provides at 
least two pertinent exemptions under which the Commission has 
authority to withhold certain information. FOIA Exemption 4 provides 
an exemption for ``trade secrets and commercial or financial 
information obtained from a person and privileged or confidential.'' 
5 U.S.C. 552(b)(4). FOIA Exemption 8 provides an exemption for 
matters that are ``contained in or related to examination, 
operating, or condition reports prepared by, on behalf of, or for 
the use of an agency responsible for the regulation or supervision 
of financial institutions.'' 5 U.S.C. 552(b)(8).
---------------------------------------------------------------------------

3. Access to the Systems of an SCI Entity
    Proposed Rule 1000(f) would have required each SCI entity to 
provide Commission representatives reasonable access to its SCI systems 
and SCI security systems to assess the SCI entity's compliance with 
Regulation SCI.\1248\ In the SCI Proposal, the Commission noted that 
the proposed rule would facilitate the access of representatives of the 
Commission to such systems of an SCI entity either remotely or on site, 
noting, for example, that with such access, Commission representatives 
could test an SCI entity's firewalls and vulnerability to 
intrusions.\1249\ Further, the Commission noted that the proposed rule 
was intended to be consistent with the Commission's current authority 
with respect to access to records generally \1250\ and could help 
ensure that Commission representatives have ready access to the SCI 
systems and SCI security systems of SCI entities in order to evaluate 
an SCI entity's practices with regard to the requirements of Regulation 
SCI.\1251\ As discussed below, the Commission has determined not to 
adopt the proposed requirement because it believes it can achieve the 
goal of the proposed rule through its existing recordkeeping 
requirements and examination authority, as well as through the new 
recordkeeping requirement in Rule 1005 of Regulation SCI.
---------------------------------------------------------------------------

    \1248\ See proposed Rule 1000(f) and Proposing Release, supra 
note 13, at Section III.D.3.
    \1249\ See Proposing Release, supra note 13, at 18130.
    \1250\ See Proposing Release, supra note 13, at 18130 (citing 
Section 17(b) of the Exchange Act, as well as Sections 11A, 6(b)(1), 
15A(b)(2), and 17A(b)(3)(A) of the Exchange Act).
    \1251\ See Proposing Release, supra note 13, at 18130.
---------------------------------------------------------------------------

    Many commenters criticized the SCI Proposal's discussion of the 
proposed access requirement as permitting unfettered access by third 
parties that could pose significant security risks to an SCI entity's 
systems.\1252\ Potential issues identified by commenters included 
unauthorized access to confidential information,\1253\ risk and damage 
to systems,\1254\ and contractual issues with third party 
vendors.\1255\ One commenter stated that the Commission should bear in 
mind that access to such highly sensitive environments of SCI entities 
carries a duty of care commensurate with the sensitivity of the access 
and information involved.\1256\
---------------------------------------------------------------------------

    \1252\ See, e.g., NYSE Letter at 34; BATS Letter at 15; ISE 
Letter at 10; MSRB Letter at 25-26; Omgeo Letter at 28-29; SIFMA 
Letter at 18-19; FIF Letter at 7; Fidelity Letter at 5-6; 
LiquidPoint Letter at 4; ITG Letter at 16; KCG Letter at 20-21; 
Joint SROs Letter at 17-18; OCC Letter at 20; UBS Letter at 5; 
Tellefsen Letter at 10; and FINRA Letter at 41.
    \1253\ See, e.g., FINRA Letter at 41; and Omgeo Letter at 29.
    \1254\ See, e.g., Omgeo Letter at 29; and ITG Letter at 16.
    \1255\ See, e.g., SIFMA Letter at 19.
    \1256\ See OCC Letter at 20.
---------------------------------------------------------------------------

    While several commenters advocated for the elimination of the 
proposed access provision,\1257\ some commenters recommended ways to 
refine the proposed requirement while still achieving its goals.\1258\ 
These suggestions included: Limiting the category of Commission staff to whom 
access could be provided; \1259\ providing the Commission with access 
to ``configuration and information flows of the system, instead of 
direct access;'' \1260\ providing the Commission with reports and 
metrics on systems vulnerabilities rather than direct access; \1261\ 
requiring only that SCI entities demonstrate for Commission staff their 
controls and safeguards and compliance with the rule; \1262\ mandating 
training of Commission staff and supervision of Commission staff access 
by SCI entity personnel; \1263\ and requiring that an SCI entity's 
staff conduct any tests while Commission staff observed, rather than 
providing Commission staff with direct access.\1264\ One commenter also 
noted that the concept of reasonable access was vague.\1265\ Other 
commenters asked that the Commission more clearly prescribe what would 
constitute ``reasonable access.'' \1266\ One commenter also recommended 
that SCI entities provide an individual contact for a designated 
Commission representative to communicate and meet with regarding an SCI 
entity's systems.\1267\
---------------------------------------------------------------------------

    \1257\ See, e.g., ITG Letter at 16; and CME Letter at 11.
    \1258\ See, e.g., NYSE Letter at 34; OCC Letter at 20; ISE 
Letter at 10; DTCC Letter at 14; CME Letter at 11; Omgeo Letter at 
29; Joint SROs Letter at 18; and MSRB Letter at 26.
    \1259\ See, e.g., NYSE Letter at 34.
    \1260\ See NYSE Letter at 34.
    \1261\ See, e.g., ISE Letter at 10; DTCC Letter at 14; OCC 
Letter at 20; and CME Letter at 11.
    \1262\ See, e.g., Omgeo Letter at 28-29; and DTCC Letter at 14.
    \1263\ See MSRB Letter at 26.
    \1264\ See OCC Letter at 20.
    \1265\ See, e.g., ITG Letter at 16.
    \1266\ See, e.g., MSRB Letter at 26; Joint SROs Letter at 18; 
and FINRA Letter at 41.
    \1267\ See SIFMA Letter at 19.
---------------------------------------------------------------------------

    A few commenters also questioned whether the proposed access 
requirement is authorized by Section 17(b) or Section 11A of the 
Exchange Act, as stated in the SCI Proposal.\1268\ Other commenters 
considered the proposed access requirement unnecessary and questioned 
the Commission's justification for needing this authority.\1269\ 
Another commenter pointed out that this type of access is authorized by 
other sections of the Exchange Act and an additional provision in 
Regulation SCI is redundant.\1270\
---------------------------------------------------------------------------

    \1268\ See NYSE Letter at 34; BATS Letter at 15; and CME Letter 
at 11.
    \1269\ See FINRA Letter at 41; BATS Letter at 15; Omgeo Letter 
at 28-29; and Fidelity Letter at 5.
    \1270\ See Angel Letter at 18.
---------------------------------------------------------------------------

    After consideration of the views of commenters, the Commission has 
determined not to adopt the proposed reasonable access provision 
because it believes it can achieve its goals through existing 
recordkeeping requirements and its examination authority, as well as 
through the new recordkeeping requirement in Rule 1005 of Regulation 
SCI. As discussed in the SCI Proposal, the reasonable access provision 
was designed to help ensure that the Commission was able to evaluate an 
SCI entity's practices with regard to the requirements of proposed 
Regulation SCI.\1271\ The Commission believes that it can adequately 
assess an SCI entity's compliance with Regulation SCI through its 
authority provided by existing provisions of the Exchange Act and rules 
thereunder, as well as through the additional recordkeeping provisions 
being adopted today in Rule 1005 of Regulation SCI, as described above. 
In this regard, as discussed above, Section 17(a) of the Exchange Act 
provides the Commission with the authority to adopt recordkeeping 
rules, and the breadth of Rule 17a-1 thereunder is such that it would 
require SCI SROs to make, keep, and preserve records relating to their 
compliance with Regulation SCI, including records produced by SCI 
systems and indirect SCI systems.\1272\ Further, adopted Rule 1005 
specifically imposes requirements on each SCI entity (other than SCI 
SROs) to, among other things: Make, keep, and preserve at least one 
copy of all documents relating to its compliance with Regulation SCI; 
keep all such documents for a period of not less than five years, the 
first two years in a place that is readily accessible to the Commission 
or its representatives for inspection and examination; and upon request 
of any representative of the Commission, promptly furnish to the 
possession of such representative copies of any documents required to 
be kept and preserved by it pursuant to Rules 1005(b)(1) and (2).\1273\ 
The Commission also notes that Section 17(b) of the Exchange Act 
authorizes the Commission to conduct reasonable periodic, special, or 
other examinations of all records maintained by the entities described 
in Section 17(a).\1274\ These examinations can be conducted ``at any 
time, or from time to time,'' as the Commission ``deems necessary or 
appropriate in the public interest, for the protection of investors, or 
otherwise in furtherance of the purposes of [the Exchange Act].'' 
\1275\
---------------------------------------------------------------------------

    \1271\ See Proposing Release, supra note 13, at 18130.
    \1272\ See supra note 1251 and accompanying text.
    \1273\ See supra Section IV.C.1 (discussing recordkeeping 
requirements of adopted Rule 1005). As noted above, the 
recordkeeping requirements also extend to records of third parties. 
Specifically, an SCI entity is responsible for producing to 
Commission representatives records required to be made, kept, and 
preserved under Regulation SCI, even if those records are maintained 
by third parties, and the SCI entity is responsible for ensuring 
that such third parties produce those requested documents, upon 
examination or other request. See id.
    \1274\ See Section 17(b) of the Exchange Act, 15 U.S.C. 78q(b).
    \1275\ Id.
---------------------------------------------------------------------------

    Taken together, the Commission believes that these provisions 
afford the Commission the authority and ability to assess SCI entities' 
compliance with the requirements of Regulation SCI, rendering the 
adoption of a reasonable access provision unnecessary. Pursuant to this 
authority, in some circumstances, the Commission's assessment of an SCI 
entity's compliance may require appropriate access to certain SCI 
systems in coordination with the relevant SCI entity. In particular, 
the Commission's ability to assess the accuracy and completeness of an 
SCI entity's records with regard to Regulation SCI, including the 
written policies and procedures established and maintained pursuant to 
Rule 1001 and the report of the SCI review prepared in accordance with 
Rule 1003(b), and to evaluate whether SCI entities are otherwise 
complying with Regulation SCI, may necessitate the observation of SCI 
systems and indirect SCI systems by Commission representatives.\1276\
---------------------------------------------------------------------------

    \1276\ The Commission notes that, under the ARP Inspection 
Program, such access has been routinely requested by Commission 
staff and provided by ARP entities.
---------------------------------------------------------------------------

    The Commission believes that such access would not require an SCI 
entity to agree to remote or direct access by Commission personnel to 
an SCI entity's systems, such as by permitting Commission staff to run 
tests or use system scanning tools on its SCI systems or indirect SCI 
systems. Rather, as suggested by some commenters, access would entail 
allowing Commission staff to observe the SCI entity's SCI systems and 
indirect SCI systems with appropriate safeguards, including through 
systems demonstrations for Commission staff performed by the SCI entity 
and running tests on an SCI system with Commission staff onsite to 
observe.\1277\ The Commission believes that such access does not raise 
the potential security risks posed by unrestricted third party access 
to SCI systems.\1278\
---------------------------------------------------------------------------

    \1277\ See supra notes 1262 and 1264 and accompanying text.
    \1278\ The Commission believes that the elimination of the 
proposed reasonable access provision addresses the other comments on 
this provision.
---------------------------------------------------------------------------

D. Form SCI

    Pursuant to proposed Rule 1000(d), subject to certain exceptions, 
notices, reports, and other information required

[[Page 72360]]

to be provided to the Commission under Regulation SCI would have been 
required to be submitted electronically through the EFFS on proposed 
Form SCI.\1279\ Proposed Form SCI included detailed instructions 
regarding the specific information that SCI entities would have been 
required to submit to the Commission. After careful consideration of 
comments, the Commission is adopting Form SCI with certain 
modifications, as further discussed below. These modifications to 
proposed Form SCI correspond to the changes to the Commission 
notification and reporting requirements as adopted, each of which is 
discussed in greater detail above.\1280\
---------------------------------------------------------------------------

    \1279\ Proposed Rule 1000(d) provided exceptions for 
notifications under proposed Rule 1000(b)(4)(i) and oral 
notifications pursuant to proposed Rule 1000(b)(6)(ii).
    \1280\ See supra Sections IV.B.3.c, IV.B.4, and IV.B.5 
(discussing the reporting requirements of the adopted regulation). 
See also supra Section IV.B.6 (discussing the business continuity 
and disaster recovery plans testing requirement for SCI entity 
members or participants, and elimination of the proposed Commission 
notification requirement related to member or participant 
designations).
---------------------------------------------------------------------------

    Adopted Rule 1006 provides that, except with respect to 
notifications to the Commission made pursuant to Rule 1002(b)(1) or 
updates to the Commission made pursuant to Rule 1002(b)(3), all 
notifications, reviews, descriptions, analyses, or reports to the 
Commission required to be submitted under Regulation SCI must be filed 
electronically on Form SCI. Form SCI solicits information through a 
series of questions designed to elicit short-form answers, but also 
requires SCI entities to provide information and/or reports in 
narrative form by attaching specified exhibits. All filings on Form SCI 
require that an SCI entity identify itself and indicate the basis for 
submitting the form. Specifically, an SCI entity would indicate on the 
form the specific type of submission it is making: A notification 
regarding an SCI event pursuant to Rule 1002(b)(2); a final report or 
interim status report regarding an SCI event pursuant to Rule 
1002(b)(4); a quarterly report on de minimis systems disruptions and de 
minimis systems intrusions pursuant to Rule 1002(b)(5)(ii); a quarterly 
report of material systems changes pursuant to Rule 1003(a)(1); a 
supplemental report of material system changes pursuant to Rule 
1003(a)(2); or a submission of the report of an SCI review, together 
with any response by senior management, pursuant to Rule 1003(b)(3). In 
addition, Form SCI permits, but does not require, SCI entities to 
utilize the form to submit initial notifications of SCI events pursuant 
to Rule 1002(b)(1), as well as updates regarding SCI events pursuant to 
Rule 1002(b)(3). Moreover, if an SCI entity decides to withdraw a 
previously submitted Form SCI, it would complete page 1 of Form SCI and 
select the appropriate check box to indicate the withdrawal. A filing 
on Form SCI also requires that an SCI entity provide additional 
information on attached exhibits, as discussed below. Because Form SCI 
is a report that is required to be filed under the Exchange Act and 
Regulation SCI, it is unlawful for any person to willfully or knowingly 
make, or cause to be made, a false or misleading statement with respect 
to any material fact in Form SCI.\1281\
---------------------------------------------------------------------------

    \1281\ See, e.g., Section 32(a) of the Exchange Act, 15 U.S.C. 
78ff(a).
---------------------------------------------------------------------------

    Several commenters addressed the information required by Form SCI 
as well as the submission process for the form. One commenter asked a 
number of questions on how the submission process would work in 
practice, including: (i) Whether the form would be rejected by the 
Commission if information was missing; (ii) whether the Commission 
would deem it a failure to comply with Regulation SCI if a Form SCI is 
rejected for incompleteness and the SCI entity is unable to resubmit 
within the applicable reporting time frame; (iii) how SCI entities 
would update or correct information previously submitted on Form SCI; 
(iv) whether the EFFS system would be available for Form SCI submissions during 
non-business hours and whether there is an alternative means to submit 
notifications if the EFFS system is down or unavailable; (v) who at the 
Commission would be reviewing submissions and whether they would be 
familiar with technical jargon; and (vi) whether the SCI entities will 
be expected to attach documentation supporting the descriptions 
provided in the exhibits.\1282\ The commenter also expressed several 
concerns, including: (i) The amount of time it would take SCI entities 
to master the new submission process for proposed Form SCI, for which the 
commenter suggested a delayed implementation or transition period; (ii) that the 
form could encourage SCI entities to guess where they are missing 
information if a form could be rejected for incomplete information; 
(iii) that a submission that needs to be updated or corrected would not 
be considered timely filed; (iv) that the updating procedure could 
become burdensome if the SCI entity needed to explain the reason for 
any changes to information previously provided; and (v) that 
submissions would be more burdensome if technical notifications and 
reports needed to be translated into plain English.\1283\ Another 
commenter requested that the electronic filing system that the 
Commission puts in place to receive Form SCI submissions be made 
available on weekends and outside normal business hours.\1284\ This 
commenter also suggested that the Commission remain open to changes to 
Form SCI as it and SCI entities gain experience with the use of Form 
SCI and that the Commission should work with SCI entities to test the 
electronic submission system to ensure its operational 
capability.\1285\
---------------------------------------------------------------------------

    \1282\ See FINRA Letter at 28-30.
    \1283\ See id.
    \1284\ See MSRB Letter at 19, 25. See also FINRA Letter at 29 
(questioning whether the EFFS system would be available during non-
business hours for Form SCI submissions).
    \1285\ See MSRB Letter at 25-26.
---------------------------------------------------------------------------

    The Commission has considered these comments and has addressed many 
of the issues raised by commenters by revising the substantive 
requirements of adopted Rules 1002 and 1003, as well as making certain 
changes to the adopted form. With respect to a commenter's question 
regarding whether a Form SCI would be rejected if information was 
missing,\1286\ as stated in the General Instructions for Form SCI, an 
SCI entity must provide all information required by the form, including 
the exhibits. The General Instructions for Form SCI also state that a 
filing that is incomplete or similarly deficient may be returned to the 
SCI entity, and any filing so returned will be deemed not to have been 
filed with the Commission.\1287\ In response to the commenter who 
expressed concern that a submission that needed to be updated or 
corrected would not be considered timely filed, the Commission notes 
that an SCI entity is responsible for submitting a complete and correct 
Form SCI within the time period specified in the relevant provisions 
under Regulation SCI.\1288\ At the same time, the Commission notes

[[Page 72361]]

that, while the SCI event notification under Rule 1002(b)(2) is 
required to be provided within 24 hours of any responsible SCI 
personnel having a reasonable basis to conclude that an SCI event 
occurred, information for such notifications is only required to be 
provided on a good faith, best efforts basis. For other types of 
notifications and reports required to be submitted on Form SCI, SCI 
entities have more time to prepare such submission, and to ensure that 
the information provided is complete and correct.
---------------------------------------------------------------------------

    \1286\ See supra note 1282 and accompanying text.
    \1287\ While the Commission has the ability to reject a Form SCI 
filing, the Commission notes that the Form SCI submission process is 
different from the Form 19b-4 filing process. Specifically, SCI 
entities file Form SCI to provide notification to the Commission 
regarding SCI events and material systems changes, and reports of 
SCI reviews. On the other hand, SROs file Form 19b-4 for immediately 
effective rule changes or to seek Commission approval of rule 
changes. Therefore, the process for rejecting a Form 19b-4 filing 
does not apply to Form SCI submissions.
    \1288\ With respect to a commenter's concern that SCI entities 
may have to guess where information is missing if a form could be 
rejected for incomplete information, the Commission intends there to 
be communication between Commission staff and SCI entity personnel 
in instances where a Form SCI is rejected to discuss the information 
missing in the submission and anything else necessary to comply with 
the form requirements. See supra note 1283 and accompanying text.
---------------------------------------------------------------------------

    With respect to a commenter's question regarding how SCI entities 
would update or correct information previously submitted on Form SCI, 
the Commission notes that the rules under Regulation SCI already 
provide for updates for many of the Form SCI submissions. Specifically, 
Rule 1002(b)(2) requires certain information to be submitted on a good 
faith, best efforts basis within 24 hours of any responsible SCI 
personnel having a reasonable basis to conclude that an SCI event has 
occurred. Rule 1002(b)(3) requires SCI entities to provide updates 
regarding SCI events until the SCI event is resolved and the SCI 
entity's investigation of the SCI event is closed.\1289\ As such, SCI 
entities may use the updates under Rule 1002(b)(3) to correct or update 
previously submitted information. Also, Rule 1003(a)(2) requires SCI 
entities to submit supplemental reports to notify the Commission of any 
material error in or material omission from a previously submitted 
material systems change report.
---------------------------------------------------------------------------

    \1289\ As discussed in detail in Section IV.B.3.c above, Rule 
1002(b)(3) allows SCI entities to discuss the update with Commission 
staff orally, rather than by completing the form, although an SCI 
entity may use Form SCI if it chooses to do so. To the extent an SCI 
entity chooses to utilize the form for such updates, the written 
updates can facilitate the Commission's tracking and assessment of 
SCI events.
---------------------------------------------------------------------------

    With respect to the Form SCI submissions where the rules do not 
specifically provide for updates (i.e., SCI event notifications under 
Rule 1002(b)(4), quarterly SCI event notifications under Rule 
1002(b)(5), report of SCI reviews under Rule 1003(b)(3)), if an SCI 
entity discovers that a previously submitted Form SCI must be corrected 
or updated, the SCI entity should contact Commission staff as it 
corrects or updates the prior submission. In addition, an SCI entity 
will be able to withdraw and re-submit a previously submitted Form 
SCI.\1290\ However, as noted above, an SCI entity is responsible for 
submitting a complete and correct Form SCI within the time period 
specified in the relevant provisions under Regulation SCI.\1291\
---------------------------------------------------------------------------

    \1290\ See General Instructions to Form SCI, Item F.
    \1291\ As noted above, one commenter expressed concern that an 
updating procedure could become burdensome if the SCI entity needs 
to explain the reason for any changes to information previously 
provided. See supra note 1283 and accompanying text. The Commission 
notes that, with respect to rules under Regulation SCI that require 
updates, those rules specify the information that is required to be 
contained in an update, and do not require an explanation of the 
reason for the update. With respect to the Form SCI submissions 
where the rules do not specifically provide for updates, as noted 
above, the SCI entity can contact Commission staff as the SCI entity 
corrects or updates the prior submission.
---------------------------------------------------------------------------

    In addition, in response to comments,\1292\ the Commission notes 
that Form SCI does not require SCI entities to attach documentation 
supporting the descriptions in the exhibits, although SCI entities will 
be able to do so if they so choose by attaching the documentation as 
part of the relevant exhibit. Moreover, in response to the commenter 
who asked who at the Commission would be reviewing submissions and 
whether they would be familiar with technical jargon, the Commission 
notes that appropriate Commission staff from different offices or 
divisions with the necessary expertise to understand the Form SCI 
submission will review it depending on the nature of the submission 
(i.e., legal or technical), and thus, it is not necessary for SCI 
entities to translate technical jargon into plain English.
---------------------------------------------------------------------------

    \1292\ See supra notes 1282-1283 and accompanying text.
---------------------------------------------------------------------------

    In response to the commenter who expressed concern as to the amount 
of time it would take SCI entities to master the Form SCI submission 
process and suggested delayed implementation, the Commission believes 
that utilizing the EFFS system currently used by many SROs for Rule 
19b-4 and Rule 19b-7 filings will allow for a quicker and smoother 
implementation of the Form SCI submission process for certain SCI 
entities, and allow the Commission to apply its experience with EFFS to 
facilitate the submissions of notifications and reports required by 
Regulation SCI. Nevertheless, the Commission notes that it is delaying 
the date for compliance with Regulation SCI, as discussed in Section 
IV.F below. The Commission does not expect that the Form SCI submission 
process will require substantial time for SCI entities to master and 
the delayed date for compliance with Regulation SCI provides SCI 
entities with more time to learn and adopt it.
    With respect to commenters' question regarding whether the EFFS 
system will be available during non-business hours and whether there is 
an alternative means to submit notifications if the EFFS system is down 
or unavailable,\1293\ the Commission notes that, as is the case with 
Rule 19b-4 and Rule 19b-7 filings, EFFS is available 24 hours a day. If 
EFFS becomes unavailable for a period of time, the Commission 
recognizes that SCI entities will not be able to submit any required 
notifications during that time period, and the Commission would expect 
the SCI entities to file any required notifications promptly once EFFS 
becomes available. In response to the commenter who suggested that the 
Commission remain open to changes to Form SCI and that the Commission 
work with SCI entities to test the electronic submission system to 
ensure its operational capability, the Commission expects, as it has 
done with the SRO rule filing process, to periodically evaluate the 
effectiveness of the submission process for Form SCI, as well as the 
form itself, and may consider improvements in the future as 
appropriate.\1294\ The Commission also notes that it expects, prior to 
the compliance date, that its staff will provide materials to SCI 
entities regarding the operation of the electronic filing system to 
submit Forms SCI. Furthermore, the Commission will perform internal 
testing to help ensure the operational capability of EFFS prior to the 
compliance date.
---------------------------------------------------------------------------

    \1293\ See supra notes 1282, 1284 and accompanying text.
    \1294\ See supra note 1285 and accompanying text.
---------------------------------------------------------------------------

1. Notice of SCI Events Pursuant to Rule 1002(b)
    Proposed Rule 1000(b)(4) would have required each SCI entity to 
submit certain information regarding SCI events to the Commission using 
proposed Form SCI.\1295\ The Commission is adopting proposed Rule 
1000(b)(4) as Rule 1002(b) with certain modifications, which are 
discussed above in Section IV.B.3.c.
---------------------------------------------------------------------------

    \1295\ Proposed Rule 1000(d) provided an exception for 
notifications under proposed Rule 1000(b)(4)(i).
---------------------------------------------------------------------------

    With respect to Commission notifications under Rule 1002, adopted 
Form SCI requires an SCI entity to provide the following information in 
a short, standardized format: (i) Whether the Commission has previously 
been notified of the SCI event pursuant to Rule 1002(b)(1); (ii) the 
type of submission (i.e., an initial notification pursuant to Rule 
1002(b)(1), a notification pursuant to Rule 1002(b)(2), an update 
pursuant to Rule 1002(b)(3), a final report pursuant to Rule 
1002(b)(4), or an interim status report

[[Page 72362]]

pursuant to Rule 1002(b)(4)); (iii) the type(s) of SCI event (i.e., 
systems compliance issue, systems disruption, or systems intrusion); 
\1296\ (iv) the date/time the SCI event occurred; (v) the duration of 
the SCI event; (vi) when responsible SCI personnel had a reasonable 
basis to conclude that an SCI event occurred; (vii) whether the SCI 
event has been resolved and, if so, the date/time of resolution; (viii) 
whether the SCI entity's investigation of the SCI event is closed and, 
if so, the date of closure; (ix) the estimated number of market 
participants potentially impacted by the SCI event; (x) whether the SCI 
event is a major SCI event; (xi) the types of systems impacted (i.e., 
trading, clearance and settlement, order routing, market data, market 
regulation, market surveillance, or indirect SCI systems) and the name 
of such system(s); and (xii) whether any critical SCI system(s) are 
impacted by the SCI event and, if so, the types of such critical SCI 
systems (i.e., systems that directly support functionality relating to: 
Clearance and settlement systems of clearing agencies; openings, 
reopenings, and closings on the primary listing market; trading halts; 
initial public offerings; the provision of consolidated market data; 
exclusively listed securities; or systems that provide functionality to 
the securities markets for which the availability of alternatives is 
significantly limited or nonexistent and without which there would be a 
material impact on fair and orderly markets) and a description of such 
systems.
---------------------------------------------------------------------------

    \1296\ Some SCI events may meet the definition of more than a 
single SCI event type, and the form permits SCI entities to check 
one, two, or all three SCI event types.
---------------------------------------------------------------------------

    If an SCI entity chooses to utilize Form SCI to submit an initial 
notification required by Rule 1002(b)(1), an SCI entity will be able to 
submit a short description of the SCI event, and be allowed to attach 
documents regarding such SCI event as part of Exhibit 6 of Form SCI if 
the SCI entity chooses to do so.
    For a notification required by Rule 1002(b)(2), in addition to 
providing the applicable standardized information on Form SCI as 
discussed above, an SCI entity is required to submit an Exhibit 1. An 
SCI entity is required to provide the following information on a good 
faith, best efforts basis in the Exhibit 1: (i) A description of the 
SCI event, including the system(s) affected; and (ii) to the extent 
available as of the time of notification, the SCI entity's current 
assessment of the types and number of market participants potentially 
affected by the SCI event; the potential impact of the SCI event on the 
market; a description of the steps the SCI entity has taken, is taking, 
or plans to take, with respect to the SCI event; the time the SCI event 
was resolved or timeframe within which the SCI event is expected to be 
resolved; and any other pertinent information known by the SCI entity 
about the SCI event.
    If an SCI entity chooses to utilize Form SCI to submit an update 
required by Rule 1002(b)(3), an SCI entity will be able to submit a 
short description of the update, and be allowed to attach documents 
regarding such update as part of Exhibit 6 of Form SCI if the SCI 
entity chooses to do so.
    For a submission required by Rule 1002(b)(4), in addition to 
providing the applicable standardized information on Form SCI as 
discussed above, adopted Form SCI also requires an SCI entity to 
indicate if it is a final report or an interim status report and submit 
an Exhibit 2. If an SCI event is resolved and the SCI entity's 
investigation of the SCI event is closed within 30 calendar days of the 
occurrence of the SCI event, an SCI entity must file a final report 
under Rule 1002(b)(4)(i)(A) within five business days after the 
resolution of the SCI event and closure of the investigation regarding 
the SCI event. However, if an SCI event is not resolved or the SCI 
entity's investigation of the SCI event is not closed within 30 
calendar days of the occurrence of the SCI event, an SCI entity must 
file an interim status report under Rule 1002(b)(4)(i)(B)(1) within 30 
calendar days after the occurrence of the SCI event. For SCI events in 
which an interim status report is required to be filed, an SCI entity 
must file a final report under Rule 1002(b)(4)(i)(B)(2) within five 
business days after the resolution of the SCI event and closure of the 
investigation regarding the SCI event. For any submission required by 
Rule 1002(b)(4), an SCI entity is required to provide the following 
information in the Exhibit 2: (i) A detailed description of: The SCI 
entity's assessment of the types and number of market participants 
affected by the SCI event; the SCI entity's assessment of the impact of 
the SCI event on the market; the steps the SCI entity has taken, is 
taking, or plans to take, with respect to the SCI event; the time the 
SCI event was resolved; the SCI entity's rule(s) and/or governing 
document(s), as applicable, that relate to the SCI event; and any other 
pertinent information known by the SCI entity about the SCI event; (ii) 
a copy of any information disseminated pursuant to Rule 1002(c) by the 
SCI entity to date regarding the SCI event to any of its members or 
participants; and (iii) an analysis of parties that may have 
experienced a loss, whether monetary or otherwise, due to the SCI 
event, the number of such parties, and an estimate of the aggregate 
amount of such loss. As noted above, if an SCI entity submits an 
interim written notification under Rule 1000(b)(4)(i)(B), the SCI 
entity is required to provide the information specified in Exhibit 2, 
but only to the extent known at the time. The SCI entity is also 
required to subsequently submit a final report under Rule 
1000(b)(4)(i)(B) and provide all the information specified in Exhibit 
2.
    Rule 1002(b)(5) states that the Commission notification 
requirements under Rules 1002(b)(1)-(4) do not apply to any SCI event 
that has had, or the SCI entity reasonably estimates would have, no or 
a de minimis impact on the SCI entity's operations or on market 
participants. Rule 1002(b)(5)(i) instead requires that an SCI entity 
make, keep, and preserve records relating to all such SCI events and 
Rule 1002(b)(5)(ii) requires an SCI entity to submit to the Commission 
quarterly reports containing a summary description of such de minimis 
systems disruptions and de minimis systems intrusions. For a quarterly 
report required by Rule 1002(b)(5), an SCI entity is required to 
indicate the end date of the applicable calendar quarter for which the 
report is being submitted. The SCI entity is also required to submit an 
Exhibit 3, containing a summary description of such de minimis systems 
disruptions and de minimis systems intrusions, including the SCI 
systems and, for systems intrusions, the indirect SCI systems, affected 
by such de minimis systems disruptions and de minimis systems 
intrusions during the applicable calendar quarter.
2. Notices of Material Systems Changes Pursuant to Rule 1003(a)
    Proposed Rule 1000(b)(6) would have required an SCI entity to 
provide advance Commission notifications of material systems changes. 
Proposed Rule 1000(b)(8)(ii) would have required an SCI entity to 
submit to the Commission semi-annual reports on material systems 
changes. As discussed in detail in Section IV.B.4 above, many 
commenters were critical of the proposed reporting framework with 
respect to material systems changes, including the 30-day advance 
notification procedure. After considering the views of commenters, the 
Commission is not adopting the 30-day advance notification requirement 
or the semi-annual reporting requirement

[[Page 72363]]

for material systems changes. Rather, an SCI entity is required to 
submit quarterly reports for material systems changes under Rule 
1003(a)(1). An SCI entity is also required under Rule 1003(a)(2) to 
promptly submit a supplemental report notifying the Commission of a 
material error in or material omission from a report previously 
submitted under Rule 1003(a).
    One commenter raised a concern that an advance notification could 
be rejected by the Commission for inadequate description and result in 
a delay to a planned systems change.\1297\ As noted above in Section 
IV.B.4, the Commission is adopting a quarterly reporting system that 
does not require the advance notification of individual planned 
material systems changes required by proposed Rule 1000(b)(6). The 
adopted framework is intended to keep the Commission and its staff 
apprised of systems changes at SCI entities while reducing the burdens 
related to notifying the Commission of such changes and allowing for 
the various types of development processes used by SCI entities 
(including agile development processes). Also, as noted above in 
Section IV.B.4, Regulation SCI does not provide for a new review or 
approval process for SCI entities' material systems changes. As such, 
Commission staff will not use material systems change reports to 
require any approval of prospective systems changes in advance of their 
implementation pursuant to any provision of Regulation SCI, or to delay 
implementation of material systems changes pursuant to any provision of 
Regulation SCI.\1298\
---------------------------------------------------------------------------

    \1297\ See SIFMA Letter at 16.
    \1298\ At the same time, the Commission notes that the General 
Instructions for Form SCI state that a filing that is incomplete or 
similarly deficient may be returned to the SCI entity, and any 
filing so returned will be deemed not to have been filed with the 
Commission.
---------------------------------------------------------------------------

    For a notification required by Rule 1003(a) (including supplemental 
reports under Rule 1003(a)(2)), an SCI entity is required to indicate 
the end date of the applicable calendar quarter for which the report is 
being submitted and submit an Exhibit 4. For a notification required by 
Rule 1003(a)(1), Exhibit 4 is required to contain a description of 
completed, ongoing, and planned material changes to its SCI systems and 
the security of its indirect SCI systems, during the prior, current, 
and subsequent calendar quarters, including the dates or expected dates 
of commencement and completion. For a notification required by Rule 
1003(a)(2), Exhibit 4 is required to contain the supplemental report of 
a material error in or material omission from a report previously 
submitted under Rule 1003(a)(1).\1299\
---------------------------------------------------------------------------

    \1299\ See General Instructions to Form SCI, Item C.
---------------------------------------------------------------------------

3. Reports of SCI Reviews Pursuant to Rule 1003(b)
    Proposed Rule 1000(b)(8)(i) would have required an SCI entity to 
submit to the Commission a report of the SCI review required by 
proposed Rule 1000(b)(7), together with any response by senior 
management, within 60 calendar days after its submission to senior 
management of the SCI entity. As discussed above in Section IV.B.5, the 
Commission is adopting this Commission reporting requirement as 
proposed. There were no comments on proposed Form SCI with respect to 
reports of SCI reviews.
    For a notification required by Rule 1003(b), an SCI entity is 
required to indicate on Form SCI the date of completion of the SCI 
review and the date of submission of the SCI review to the SCI entity's 
senior management. An SCI entity is also required to submit an Exhibit 
5, containing the report of the SCI review that was submitted to the 
SCI entity's senior management, along with any response to the report 
by senior management.\1300\
---------------------------------------------------------------------------

    \1300\ As discussed in Section IV.B.5, the SCI review would 
contain: (1) A risk assessment with respect to SCI systems and 
indirect SCI systems of an SCI entity; and (2) an assessment of 
internal control design and effectiveness of SCI systems and 
indirect SCI systems to include logical and physical security 
controls, development processes, and information technology 
governance, consistent with industry standards.
---------------------------------------------------------------------------

4. Notification of Member or Participant Designation Standards and List 
of Designees
    Proposed Rule 1000(b)(9) would have required an SCI entity to 
notify the Commission of its members or participants that have been 
designated for business continuity and disaster recovery plans testing, 
as well as the standards for such designation. Proposed Rule 1000(b)(9) 
would have also required SCI entities to promptly update such 
notification after any changes to its list of designees or standards 
for designation. As discussed above in Section IV.B.6, the Commission 
is not adopting these Commission notification requirements.
5. Other Information and Electronic Signature
    Proposed Form SCI would have required an SCI entity to provide the 
Commission with contact information for the systems personnel, 
regulatory personnel, and senior officer responsible for addressing an 
SCI event, including the name, title, telephone number, and email 
address of such persons. Proposed Form SCI would also have given the 
SCI entity an option to provide contact information for an additional 
systems personnel and regulatory personnel. Finally, proposed Form SCI 
would have required an electronic signature to help ensure the 
authenticity of the Form SCI submission.
    Adopted Form SCI more generally requires an SCI entity to provide 
contact information for a person who is prepared to respond to 
questions for a particular submission. Form SCI continues to require an 
electronic signature to help ensure the authenticity of the Form SCI 
submission. The Commission believes that these requirements will 
expedite communications between Commission staff and SCI entities, 
because they will help identify the person or persons responsible for 
communicating with Commission staff about an SCI event even though one 
or more other persons may be responsible for addressing and resolving 
the SCI event, and also help ensure that only authorized personnel at 
each SCI entity submit filings required by adopted Regulation SCI.

E. Other Comments Received

1. Applying Regulation SCI to Security-Based Swap Data Repositories and 
Security-Based Swap Execution Facilities
    As noted in the SCI Proposal, on July 21, 2010, the President 
signed the Dodd-Frank Act into law.\1301\ The Dodd-Frank Act was 
enacted, among other things, to promote the financial stability of the 
United States by improving the accountability and transparency of the 
nation's financial system.\1302\ Title VII of the Dodd-Frank Act 
provides the Commission and the CFTC with the authority to regulate 
over-the-counter derivatives.
---------------------------------------------------------------------------

    \1301\ The Dodd-Frank Wall Street Reform and Consumer Protection 
Act (Pub. L. 111-203, H.R. 4173) (``Dodd-Frank Act'').
    \1302\ See Dodd-Frank Act Preamble.
---------------------------------------------------------------------------

    In particular, as noted in the SCI Proposal, Section 763 of the 
Dodd-Frank Act amends the Exchange Act by adding new statutory 
provisions to govern the regulation of various entities, including 
security-based swap data repositories (``SB SDRs'') and security-based 
swap execution facilities (``SB SEFs'').\1303\

[[Page 72364]]

Under the authorities of Section 13(n) of the Exchange Act, applicable 
to SB SDRs, and Section 3D(d) of the Exchange Act, applicable to SB 
SEFs, the Commission proposed rules for these entities with regard to 
their automated systems' capacity, resiliency, and security.\1304\ In 
the SB SDR Proposing Release and the SB SEF Proposing Release, 
respectively, the Commission proposed Rule 13n-6 and Rule 822 under the 
Exchange Act, which would set forth the requirements for these entities 
with regard to their automated systems' capacity, resiliency, and 
security. In each release, the Commission stated that it was proposing 
standards comparable to the standards applicable to SROs, including 
exchanges and clearing agencies, and other registrants, pursuant to the 
Commission's ARP standards.\1305\ The SCI Proposal described in detail 
the SB SDR and SB SEF proposals relating to systems' capacity, 
resiliency, and security; the comments received on those proposals; and 
the differences between proposed Regulation SCI and those 
proposals.\1306\
---------------------------------------------------------------------------

    \1303\ See Dodd-Frank Act, Section 763 (adding Sections 13(n), 
3C, and 3D of the Exchange Act). The Dodd-Frank Act also directs the 
Commission to harmonize to the extent possible Commission regulation 
of SB SDRs and SB SEFs with CFTC regulation of swap data 
repositories (``SDRs'') and swap execution facilities (``SEFs'') 
under the CFTC's jurisdiction, an endeavor that Commission staff is 
undertaking as it seeks to move the SB SDR and SB SEF proposals 
toward adoption. See Dodd-Frank Act, Section 712 (directing the 
Commission, before commencing any rulemaking with regard to SB SDRs 
or SB SEFs, to consult and coordinate with the CFTC for purposes of 
assuring regulatory consistency and comparability to the extent 
possible).
    \1304\ See Securities Exchange Act Release Nos. 63347 (November 
19, 2010), 75 FR 77306 (December 10, 2010) (proposing new Rule 13n-6 
under the Exchange Act applicable to SB SDRs) (``SB SDR Proposing 
Release''); 63825 (February 2, 2011), 76 FR 10948 (February 28, 
2011) (proposing new Rule 822 under the Exchange Act applicable to 
SB SEFs) (``SB SEF Proposing Release''). See also Dodd-Frank Act, 
Section 761(a) (adding Section 3(a)(75) of the Exchange Act) 
(defining the term ``security-based swap data repository''), and 
Section 761(a) (adding Section 3(a)(77) of the Exchange Act) 
(defining the term ``security-based swap execution facility'').
    \1305\ See SB SDR Proposing Release, supra note 1304, at 77332 
and SB SEF Proposing Release, supra note 1304, at 10987.
    \1306\ See Proposing Release, supra note 13, at 18133-34.
---------------------------------------------------------------------------

    In the SCI Proposal, the Commission recognized that there could be 
differences between Regulation SCI, as adopted, and Rules 13n-6 and 
822, if adopted. Therefore, the Commission sought comment on whether it 
should propose to apply the requirements of Regulation SCI, in whole or 
in part, to SB SDRs and/or SB SEFs.\1307\ In addition, the Commission 
sought comment on what--if the Commission were to propose to apply some 
or all of the requirements of Regulation SCI to SB SDRs or SB SEFs--
would be the most appropriate way to implement such requirements for SB 
SDRs and SB SEFs.\1308\ However, the Commission also noted that, should 
the Commission decide to propose to apply the requirements of 
Regulation SCI to SB SDRs or SB SEFs, the Commission would issue a 
separate release discussing such a proposal.\1309\
---------------------------------------------------------------------------

    \1307\ See id. at 18134-37.
    \1308\ See id. at 18137-38. As noted in the SCI Proposal, 
although the Commission has issued a policy statement regarding the 
anticipated sequencing of the compliance dates of final rules to be 
adopted by the Commission for certain provisions of Title VII of the 
Dodd-Frank Act, the precise timing for adoption of or compliance 
with any final rules relating to SB SDRs or SB SEFs is not known at 
this time. See Securities Exchange Act Release No. 67177 (June 11, 
2012), 77 FR 35625 (June 14, 2012) (Statement of General Policy on 
the Sequencing of the Compliance Dates for Final Rules Applicable to 
Security-Based Swaps Adopted Pursuant to the Securities Exchange Act 
of 1934 and the Dodd-Frank Wall Street Reform and Consumer 
Protection Act).
    \1309\ See Proposing Release, supra note 13, at 18134.
---------------------------------------------------------------------------

    One commenter supported the inclusion of SB SEFs and possibly SB 
SDRs under proposed Regulation SCI.\1310\ Several commenters supported 
some form of harmonization, but were cognizant of the practical 
differences between options and equities, on the one hand, and 
derivatives, on the other.\1311\
---------------------------------------------------------------------------

    \1310\ See Tellefsen Letter at 5.
    \1311\ See DTCC Letter at 18-19; and NYC Bar Letter at 2-5. See 
also CoreOne Letter at 5-7.
---------------------------------------------------------------------------

    In the context of considering whether Regulation SCI should apply 
to SB SDRs or SB SEFs, one commenter supported principles-based rules 
relating to systems compliance and integrity, and generally believed 
that principles applicable to one type of system should be applicable 
to all types of systems.\1312\ This commenter noted that the Commission 
should not promulgate principles-based rules that would apply different 
principles to different systems, unless such difference is clearly 
warranted by the facts and circumstances relating to and the purpose of 
a particular system.\1313\ This commenter also commented that, because 
technology continues to evolve at a rapid pace and because specific and 
technical rules may create conflicting standards, any attempt to 
provide specific and technical rules should be avoided, unless the 
context clearly warrants such specific and technical rules.\1314\ This 
commenter concluded that the similarities between certain SCI entities 
and SB SDRs and SB SEFs do not provide a clear justification for a 
different set of rules.\1315\
---------------------------------------------------------------------------

    \1312\ See NYC Bar Letter at 3.
    \1313\ See id. at 3-4.
    \1314\ See id. at 4.
    \1315\ See id. This commenter also specifically noted that 
important market systems should not have differing recovery 
requirements without a clear justification, particularly in light of 
a Congressional mandate in the Dodd-Frank Act to ensure regulatory 
consistency and comparability, to the extent possible. See NYC Bar 
Letter at 5.
---------------------------------------------------------------------------

    One commenter noted that SB SDRs should have standards that are 
consistent with, but not identical to, those of SCI entities.\1316\ 
According to this commenter, the functions that SB SDRs perform are 
significantly different from those performed by SCI entities.\1317\ 
However, this commenter supported applying to SB SDRs: Proposed Rule 
1000(b)(1)(i)(A)-(E); \1318\ requirements relating to Commission 
notification of SCI events (by adopting the notification provisions 
described in proposed Rule 13n-6(3)); and requirements for business 
continuity planning and testing (but SB SDRs should not be required to 
test with other SB SDRs given the structure of the proposed SB SDR 
Regulations).\1319\ Finally, rather than making Regulation SCI 
applicable to SB SDRs, this commenter recommended that these provisions 
be incorporated into Rule 13n-6.\1320\
---------------------------------------------------------------------------

    \1316\ See DTCC Letter at 18.
    \1317\ See id.
    \1318\ However, this commenter noted that specific industry 
standards should be adopted for SB SDRs, rather than adopting 
existing standards that were largely developed before repositories 
were developed and were not intended to cover these types of 
entities. See id.
    \1319\ See id. at 18-19.
    \1320\ See id. at 19.
---------------------------------------------------------------------------

    The Commission appreciates the comments received on the potential 
application of Regulation SCI to SB SDRs and SB SEFs. As noted above, 
should the Commission decide to propose to apply the requirements of 
Regulation SCI to SB SDRs or SB SEFs, the Commission would issue a 
separate release discussing such a proposal and would take these 
comments into account.
2. Applying Regulation SCI to Broker-Dealers Other Than SCI ATSs and 
Other Types of Entities
    Regulation SCI, as proposed and as adopted, would apply to national 
securities exchanges, registered securities associations, registered 
clearing agencies, the MSRB, SCI ATSs, plan processors, and exempt 
clearing agencies subject to ARP. It would not apply to other types of 
market participants, such as market makers or other broker-dealers. As 
noted in the SCI Proposal, recent events have highlighted the 
significance of systems integrity of a broader set of market 
participants than those included in the definition of SCI entity.\1321\ 
Also, as

[[Page 72365]]

noted in the SCI Proposal, some broker-dealers have grown in size and 
importance to the market in recent years.\1322\ As such, the Commission 
recognized that systems disruptions, systems compliance issues, and 
systems intrusions at broker-dealers could pose a significant risk to 
the market.\1323\ The Commission also noted that Rule 15c3-5 under the 
Exchange Act,\1324\ which requires brokers or dealers with market 
access to implement risk management controls and supervisory procedures 
to limit risk, already seeks to address certain risks posed to the 
markets by broker-dealer systems.\1325\
---------------------------------------------------------------------------

    \1321\ See Proposing Release, supra note 13, at 18138, n. 334.
    \1322\ See id. at 18138, n. 335.
    \1323\ See id. at 18138.
    \1324\ 17 CFR 240.15c3-5.
    \1325\ See supra note 114 and Proposing Release, supra note 13, 
at 18138-39.
---------------------------------------------------------------------------

    The Commission did not propose to apply Regulation SCI to 
registered broker-dealers (other than SCI ATSs) or to other types of 
entities not covered by the definition of SCI entity. As noted in the 
SCI Proposal, if the Commission were to decide to propose to apply the 
requirements of Regulation SCI to such entities, the Commission would 
issue a separate release discussing such a proposal.\1326\ 
Nevertheless, in the SCI Proposal, the Commission sought comment on 
whether such entities should be subject to Regulation SCI in whole or 
in part.\1327\
---------------------------------------------------------------------------

    \1326\ See id. at 18139.
    \1327\ See id. at 18139-41.
---------------------------------------------------------------------------

    Some commenters stated that the Commission should expand the 
definition of SCI entity to include broker-dealers.\1328\ One commenter 
stated that the goals of Regulation SCI could not be met without 
expanding the definition of SCI entity to include the following types 
of broker-dealers: Exchange market maker, OTC market maker, and any 
other broker or dealer that executes orders internally by trading as a 
principal or crossing orders as an agent.\1329\ This commenter stated 
that these entities should be included because they play a critical 
role in the markets, handle market share that exceeds that of certain 
SCI ATSs, and, like exchanges and ATSs, rely heavily on sophisticated 
automated systems.\1330\ Another commenter also believed that the 
objectives of Regulation SCI could more readily be achieved if the 
regulation also applied to market makers, high-frequency trading firms, 
and other broker-dealers because the activities of these types of 
entities could present systemic risks to the market.\1331\
---------------------------------------------------------------------------

    \1328\ See NYSE Letter at 8-10; and Liquidnet Letter at 2-3. 
Another commenter expressed its view that inclusion of order routing 
systems within the definition of ``SCI systems'' puts SCI entities 
at a competitive disadvantage against broker-dealers that are not 
covered by Regulation SCI. See BATS Letter at 4. See also supra 
notes 48-50, 94-96, and 152 and accompanying text (discussing 
comments regarding broadening the coverage of ``SCI entity'' and 
``SCI ATS'' and the effect of the adopted ATS thresholds on barriers 
to entry), and infra Section VI.C.1.c (discussing the effect of 
Regulation SCI on competition between SCI entities and non-SCI 
entities).
    \1329\ See NYSE Letter at 9.
    \1330\ See id.
    \1331\ See Liquidnet Letter at 2.
---------------------------------------------------------------------------

    In connection with questions in the SCI Proposal regarding the 
application of Regulation SCI to broker-dealers other than SCI ATSs, 
one commenter urged the Commission to broaden the definition of SCI 
entity to include any entity with direct electronic access to equity 
markets because the equity markets can be disrupted by a single 
server.\1332\ Another commenter stated that all direct access 
proprietary trading market participants (including high frequency 
market participants) should be included as SCI entities because of 
their significant footprint in the markets, past incidents like Knight 
Capital Group's massive trading losses from a systems malfunction in 
August 2012,\1333\ and flaws in the existing compliance controls and 
practices of such firms.\1334\ One commenter stated that Regulation SCI 
should be extended to any trading platforms that transact significant 
volume, including systems that are not required to register as an ATS, 
because all executions are against the bids and offers of a single 
dealer.\1335\
---------------------------------------------------------------------------

    \1332\ See Lauer Letter at 3. See also supra notes 212-213 
(explaining that the Commission believes that many systems with 
direct market access are captured by the adopted definition but the 
Commission is not expanding the scope of Regulation SCI to include 
other broker-dealer entities and their systems at this time).
    \1333\ See Proposing Release, supra note 13, at 18090, n. 70 
(discussing Knight's systems malfunction in August 2012).
    \1334\ See Leuchtkafer Letter at 1-7. See supra notes 124-126 
and accompanying text (discussing the Commission's determination to 
not apply Regulation SCI to non-ATS broker-dealers at this time).
    \1335\ See BlackRock Letter at 4.
---------------------------------------------------------------------------

    A few commenters further argued that Rule 15c3-5 under the Exchange 
Act is not sufficient by itself and therefore some broker-dealers 
should be treated as SCI entities.\1336\ One of these commenters stated 
that non-ATS broker-dealers should be treated as SCI entities because 
Rule 15c3-5, concerning the implementation of risk management and 
supervisory controls to limit risk associated with routing orders to 
exchanges or ATSs, does not address reliability or integrity of the 
systems that implement such controls.\1337\
---------------------------------------------------------------------------

    \1336\ See Lauer Letter at 3 and NYSE Letter at 9.
    \1337\ See NYSE Letter at 9.
---------------------------------------------------------------------------

    Many other commenters stated more generally that broker-dealers 
should not be captured by the definition of SCI entity.\1338\ Several 
commenters stated that they do not support the expansion of Regulation 
SCI to all broker-dealers because broker-dealers generally perform 
functions that do not have any systemic impact on the operation of the 
national market system and are presently subject to numerous 
regulations that require the establishment of controls (such as the 
Market Access Rule, Rule 17a-3, and Rule 17a-4), making Regulation SCI 
duplicative and unduly burdensome.\1339\
---------------------------------------------------------------------------

    \1338\ See SIFMA Letter at 3; MFA Letter at 4-5; FIA PTG Letter 
at 5; FSI Letter at 3; WF Letter at 2; Fidelity Letter at 4; KCG 
Letter at 14-17; LiquidPoint Letter at 4; and FSR Letter at 2-3, n. 
5.
    \1339\ See SIFMA Letter at 3; MFA Letter at 4-5; FIA PTG Letter 
at 5; WF Letter at 2; KCG Letter at 15-17; LiquidPoint Letter at 4; 
and FSR Letter at 2-3, n. 5.
---------------------------------------------------------------------------

    One commenter stated that broker-dealers are currently subject to 
high standards of systems compliance and integrity by FINRA and state 
laws, and disciplinary actions for failure to maintain sufficient 
protection of customer data and supervisory policies.\1340\ Moreover, 
this commenter noted that, if potential systems issues could be 
addressed by Regulation SCI as applied to SCI entities, there would be 
no need to apply Regulation SCI to broker-dealers conducting activities 
on behalf of retail clients.\1341\ This commenter stated that 
additional regulation would only be warranted after a meticulous cost-
benefit analysis and implementation of the additional regulation at the 
lowest cost to firms and investors.\1342\ This commenter concluded that 
the inclusion of broker-dealers would raise investors' costs and is 
unnecessary.\1343\
---------------------------------------------------------------------------

    \1340\ See FSI Letter at 3.
    \1341\ See id.
    \1342\ See id.
    \1343\ See id.
---------------------------------------------------------------------------

    Another commenter believed that non-SCI ATS broker-dealers should 
not be included in the definition of SCI entity because, despite the 
longstanding practice of retail brokers routing their customers' orders 
to market makers for execution, those market makers are not 
critical.\1344\ Moreover, this commenter believed that FINRA's rules 
with respect to broker-dealers are more appropriate than the SCI 
Proposal, and FINRA rules hold broker-dealers accountable and do not 
shield them from liability.\1345\ This commenter stated that the 
combination of Commission and FINRA rules on

[[Page 72366]]

broker-dealers ensures that broker-dealers are sufficiently regulated, 
although this commenter stated that FINRA could provide additional 
guidance on its rules in light of the weaknesses revealed by Superstorm 
Sandy.\1346\ Similarly, another commenter stated that broker-dealers 
should not be regulated under Regulation SCI because broker-dealer 
operational regulation has been overseen almost entirely by 
FINRA.\1347\ Specifically, FINRA member broker-dealers are required to 
create and implement written supervisory procedures covering the 
operation of their business.\1348\ According to this commenter, this 
process allows broker-dealers to devise procedures that keep them in-
line with FINRA and Commission regulations, and allows FINRA to focus 
on bigger picture issues impacting the broker-dealer industry.\1349\
---------------------------------------------------------------------------

    \1344\ See KCG Letter at 14.
    \1345\ See id. at 14-15.
    \1346\ See id. at 14-17.
    \1347\ See OTC Markets Letter at 11.
    \1348\ See id.
    \1349\ See id.
---------------------------------------------------------------------------

    In addition, one commenter stated that the Commission should not 
propose a requirement that SCI SROs require their members to institute 
policies and procedures similar to those required under Regulation 
SCI.\1350\ According to this commenter, SCI SROs already impose 
regulatory requirements addressing similar concerns as those that 
Regulation SCI is designed to address.\1351\
---------------------------------------------------------------------------

    \1350\ See WF Letter at 2.
    \1351\ See id. at 2-3.
---------------------------------------------------------------------------

    One commenter stated that the term SCI entity should not encompass 
clearing broker-dealers or transfer agents because they are not 
involved in ``real-time'' trading activities and therefore there would 
not be any material impact on critical market functions should their 
systems fail.\1352\ Additionally, this commenter stated that because 
Regulation SCI ``is designed to formalize the Commission's existing ARP 
Program,'' and clearing broker-dealers and transfer agents do not 
participate in ARP, those entities should not be included within the 
scope of Regulation SCI.\1353\ Another commenter echoed these positions 
with respect to transfer agents, and also stated that transfer agents 
should not be included within the definition of SCI entity because the 
majority of transfer agents do not have electronic connectivity to SCI 
entities.\1354\ Additionally, this commenter stated that larger 
transfer agents are already required to have business continuity plans 
and written policies and procedures to ensure that their systems are 
robust and will function as intended.\1355\ In determining whether to 
expand the scope of SCI entities, one commenter commented that the 
Commission should consider the role of an entity in the securities 
markets and the risks presented by that entity, and stated that 
transfer agents should not be covered because they raise fewer risks to 
the markets than the proposed SCI entities, as their systems do not 
directly support the functions intended to be targeted by the SCI 
Proposal.\1356\ Another commenter similarly stated that transfer agents 
should not be covered because there is little chance that a problem 
with a transfer agent's operations would impact market activity.\1357\
---------------------------------------------------------------------------

    \1352\ See Fidelity Letter at 4.
    \1353\ See id.
    \1354\ See STA Letter at 2.
    \1355\ See id.
    \1356\ See ICI Letter at 3.
    \1357\ See Oppenheimer Letter at 2.
---------------------------------------------------------------------------

    The Commission appreciates the comments received on the potential 
application of Regulation SCI to broker-dealers other than SCI ATSs and 
other types of entities. As noted above, should the Commission decide 
to propose to apply the requirements of Regulation SCI to these 
entities, the Commission would issue a separate release discussing such 
a proposal and would take these comments into account.

F. Effective Date and Compliance Dates

    Several commenters provided recommendations for when the 
requirements of Regulation SCI should go into effect and/or when SCI 
entities should be required to comply with the various requirements of 
the regulation.\1358\ Each commenter recommended allowing what they 
believed to be sufficient time for SCI entities to prepare for what 
they perceived as complex or substantial regulatory 
responsibilities.\1359\
---------------------------------------------------------------------------

    \1358\ See, e.g., FINRA Letter at 41-42; DTCC Letter at 3; OCC 
Letter at 2; MSRB Letter at 39-40; KCG Letter at 19; SIFMA Letter at 
7; and OTC Markets Letter at 4, 22-23.
    \1359\ See, e.g., FINRA Letter at 41-42; DTCC Letter at 3; OCC 
Letter at 2; MSRB Letter at 39-40; KCG Letter at 19; SIFMA Letter at 
7; and OTC Markets Letter at 4, 22-23.
---------------------------------------------------------------------------

    Several commenters suggested that the implementation period should 
vary between those entities and/or systems currently subject to the ARP 
Inspection Program and those that are not.\1360\ For example, one 
commenter suggested an implementation period of no less than two years 
for SCI systems that are subject to the ARP Inspection Program and 
three years for all other systems.\1361\ Similarly, another commenter 
recommended that certain systems of non-ARP participants should be 
provided at least an additional one year transition period, after a 
six-month delayed effectiveness after final approval of Regulation SCI 
for SCI systems of current ARP participants that are trading, clearance 
and settlement, and order routing systems.\1362\ Another commenter 
stated that systems currently covered by the ARP Inspection Program 
should be granted two years to phase-in the rule and that non-ARP 
systems would need a phase-in period of at least four years.\1363\ One 
commenter also noted more generally that the time needed to meet the 
new requirements of Regulation SCI will vary by the type of SCI entity 
and the level of its current participation in the ARP Inspection 
Program.\1364\
---------------------------------------------------------------------------

    \1360\ See, e.g., FINRA Letter at 41-42; DTCC Letter at 3; and 
OTC Markets Letter at 4, 22-23.
    \1361\ See FINRA Letter at 41-42.
    \1362\ See MSRB Letter at 39-40.
    \1363\ See OTC Markets Letter at 4, 22-23.
    \1364\ See DTCC Letter at 3.
---------------------------------------------------------------------------

    Some commenters requested a special phase-in period for ATSs. 
Specifically, two commenters suggested that ATSs should be given six 
months after meeting the given threshold in the definition of SCI ATS 
to come into compliance with Regulation SCI.\1365\
---------------------------------------------------------------------------

    \1365\ See KCG Letter at 19; and SIFMA Letter at 7. See also 
adopted Rule 1000 (definition of ``SCI ATS'') and supra Section 
IV.A.1.b (discussing definition of ``SCI ATS'').
---------------------------------------------------------------------------

    Other commenters provided detailed suggestions for a phase-in 
compliance timeline for the requirements of Regulation SCI.\1366\ For 
example, one commenter suggested implementing the rule in three phases 
so that it would apply: (1) After initial six-month delayed 
effectiveness, to SCI systems of current ARP participants that are 
trading, clearance and settlement, and order routing systems, and after 
one additional year, to such systems of non-ARP participants (for at 
least one annual cycle); (2) to indirect SCI systems relating to the 
systems in phase one (for at least one annual cycle); and (3) to SCI 
systems that are market data, regulation and surveillance systems and 
related indirect SCI systems.\1367\ Another commenter believed the rule 
should be phased-in over four stages, where each SCI entity would: (1) 
Review its SCI systems risk-based assessment with Commission staff; (2) 
review and update its policies and procedures to reasonably ensure 
compliance with Regulation SCI; (3) implement such policies and 
procedures; and (4) conduct an annual review.\1368\
---------------------------------------------------------------------------

    \1366\ See MSRB Letter at 39-40; and OCC Letter at 2-3.
    \1367\ See MSRB Letter at 40.
    \1368\ See OCC Letter at 3.

---------------------------------------------------------------------------

[[Page 72367]]

    Other commenters recommended individual compliance deadlines for 
certain requirements of Regulation SCI.\1369\ Specifically, two 
commenters suggested that phased-in compliance should be permitted for 
proposed Rule 1000(b)(9) addressing testing of SCI entity business 
continuity and disaster recovery plans by SCI entity members or 
participants.\1370\ Specifically, one commenter believed that, if end-
to-end business continuity and disaster recovery plans testing were to 
be required, it should be phased in to allow SCI entities to conduct 
testing of specific SCI systems over time, rather than be required to 
conduct a full end-to-end test, which it stated cannot be done within a 
reasonable timeframe.\1371\ The other commenter recommended a phased-in 
approach to implementation of broader BC/DR testing over a period of 
years.\1372\ One commenter recommended that the Commission institute an 
implementation period for the Commission notification requirement under 
proposed Rule 1000(b)(4) to allow SCI entities to prepare for what the 
commenter believed to be an increase in the number of notifications 
that would be required.\1373\ This commenter also noted generally that 
business continuity and end-to-end testing requirements,\1374\ the two-
hour recovery time objective,\1375\ and adopting the required policies 
and procedures may take longer to comply with than other provisions of 
Regulation SCI.\1376\
---------------------------------------------------------------------------

    \1369\ See OCC Letter at 2-3, 11, and 18; and SIFMA Letter at 
18.
    \1370\ See adopted Rule 1004 and supra Section IV.B.6 
(discussing business continuity and disaster recovery plans testing 
requirements).
    \1371\ See OCC Letter at 18.
    \1372\ See SIFMA Letter at 18.
    \1373\ See OCC Letter at 11; see also adopted Rule 1002(b) and 
supra Section IV.B.3.c (discussing the Commission notification 
requirement for SCI events). One commenter also expressed concern 
about SCI entities being able to effectively make submissions on 
Form SCI upon Regulation SCI becoming effective, and urged 
Commission staff to work with the SCI entities in the development, 
testing, and implementation of the Form SCI electronic submission 
system, including provision of any systems requirements (e.g., 
supported browsers, required certificates, or authentication 
protocols). See MSRB Letter at 25. Another commenter requested that 
the Commission provide SCI entities sufficient time to learn the new 
Form SCI submission process, and recommended that the Commission 
delay implementation of Form SCI until SCI entities and Commission 
staff have gained experience with the Regulation SCI reporting 
requirements. See FINRA Letter at 28. In the alternative, this 
commenter recommended that the Commission provide a transition 
period for SCI entities to establish their processes for submission 
of Form SCI. See FINRA Letter at 28.
    \1374\ See adopted Rule 1004 and supra Section IV.B.6 
(discussing business continuity and disaster recovery plans testing 
requirements).
    \1375\ See adopted Rule 1001(a)(2)(v) and supra Section IV.B.1.b 
(discussing the policies and procedures requirement and the two-hour 
recovery time objective).
    \1376\ See OCC Letter at 2-3; see also adopted Rule 1001 and 
supra Sections IV.B.1-2 (discussing the policies and procedures 
requirement for operational capability and systems compliance).
---------------------------------------------------------------------------

    Regulation SCI will become effective 60 days after publication of 
the rules in the Federal Register (``Effective Date''). As proposed, 
SCI entities would have been required to meet the requirements of 
Regulation SCI on the Effective Date. However, after consideration of 
the views of commenters, the Commission has determined to adopt a 
compliance date for Regulation SCI of nine months after the Effective 
Date, except as described below with regard to: (1) ATSs newly meeting 
the thresholds in the definition of ``SCI ATS;'' and (2) the industry- 
or sector-wide coordinated testing requirement, which will have 
different compliance periods. The Commission believes that the 
importance of strengthening the technology infrastructure of key market 
participants, the potential significant risks posed by systems issues 
to the U.S. securities markets, and the significant number of recent 
systems issues at various trading venues, necessitate as prompt an 
implementation of the requirements of Regulation SCI by SCI entities as 
possible. At the same time, the Commission understands that SCI 
entities will need time to prepare for the obligations imposed by 
Regulation SCI and, accordingly, believes that this nine-month time 
frame provides SCI entities adequate time to meet the requirements of 
Regulation SCI. While certain commenters suggested longer compliance 
periods or phased-in compliance periods, the Commission understands 
that entities currently subject to the ARP Inspection Program may 
already comply with certain requirements of Regulation SCI. In 
addition, the Commission also believes that SCI entities that have not 
previously participated in the ARP Inspection Program may also 
currently operate in accordance with certain of the adopted 
requirements. For example, the Commission believes that most SCI 
entities generally have in place policies and procedures designed to 
ensure their systems' capacity, integrity, resiliency, availability, and 
security and that most SCI entities already take corrective actions in 
response to systems issues.
    Further, the Commission notes that, as described above, it has 
further focused the scope of the requirements of Regulation SCI from 
the SCI Proposal and, thus, has lessened the potential burdens on SCI 
entities.\1377\ Therefore, the Commission believes that many of the 
concerns expressed by commenters regarding the time that would be 
needed to prepare for the responsibilities imposed by Regulation SCI 
have been significantly mitigated or addressed by this overall 
refinement of the rules and obligations of SCI entities. For example, 
as discussed above, the Commission has further focused the definition 
of ``SCI systems'' and clarified the scope of ``indirect SCI systems,'' 
which will result in fewer systems being subject to the requirements of 
Regulation SCI.\1378\ In addition, the Commission notification 
provision will require immediate Commission notice of fewer SCI events 
than as proposed as a result of the refining of several definitions and 
the adoption of an exception from the immediate reporting requirements 
for de minimis SCI events, which will instead be subject to 
recordkeeping requirements and/or a quarterly reporting obligation, as 
applicable.\1379\ Further, the Commission has clarified that an SCI 
entity's policies and procedures relating to the capacity, integrity, 
resiliency, availability, and security of its SCI systems and indirect 
SCI systems can be tailored to a particular SCI system's criticality 
and risk, contrary to the belief of some commenters that the rule 
required all systems to be held to the same standards.\1380\ The 
Commission also notes that it expects, prior to the compliance date, 
that its staff will provide information to SCI entities regarding the 
operation of the electronic filing system to submit Forms SCI.
---------------------------------------------------------------------------

    \1377\ See supra Section III (providing a summary of the key 
modifications from the SCI Proposal) and Section IV (providing a 
detailed discussion of changes from the SCI Proposal).
    \1378\ See supra Sections IV.A.2.b and IV.A.2.d (discussing the 
definitions of ``SCI systems'' and ``indirect SCI systems''). The 
Commission notes that the refining of these definitions also reduces 
the need to phase in compliance based on type of system as suggested 
by one commenter, because fewer systems overall will be subject to 
the regulation than proposed and many systems for which the 
commenter urged a delay in compliance will not be covered by the 
regulation, as adopted.
    \1379\ See supra Section IV.B.3.c (discussing the Commission 
notification requirement). As discussed above, SCI entities will be 
required to make, keep, and preserve records relating to all de 
minimis SCI events and to report de minimis systems disruptions and 
de minimis systems intrusions quarterly.
    \1380\ See supra Section IV.B.1 (discussing the requirement for 
policies and procedures to achieve capacity, integrity, resiliency, 
availability, and security).
---------------------------------------------------------------------------

    With regard to some commenters' suggestions that there should be 
different compliance periods for SCI entities currently subject to the 
ARP Inspection Program and those that do not currently participate in 
the ARP Inspection Program (or phased-in compliance based, in part, on 
this

[[Page 72368]]

distinction), as noted above, the Commission believes that both 
categories of entities already have some level of processes or 
procedures in place that are in compliance with the requirements of 
Regulation SCI. Further, given the voluntary nature of the current ARP 
Inspection Program, the Commission believes that the extent of current 
compliance with the requirements of adopted Regulation SCI by entities 
subject to the ARP Inspection Program varies for different entities. In 
addition, as noted above, Regulation SCI has a broader scope than the 
current ARP Inspection Program and imposes mandatory requirements on 
entities subject to the rules, and accordingly will require all SCI 
entities (both ARP entities and non-ARP entities) to take steps, 
including implementing necessary systems changes, to meet the 
requirements of Regulation SCI. For these reasons, the Commission 
believes that it is appropriate to provide all SCI entities nine months 
to become compliant with the requirements of Regulation SCI.
    With regard to two commenters' suggestions that the Commission 
should adopt specific phased-in compliance periods based on type of 
entity (i.e., ARP or non-ARP), type of system, or other factors, the 
Commission believes that such an approach is not necessary for the 
reasons stated above. Further, the Commission believes that having 
multiple phases of compliance would create unnecessary complexity and 
raise practical difficulties for implementation.
    At the same time, the Commission believes that it is appropriate to 
provide additional compliance periods for limited aspects of Regulation 
SCI, as requested by some commenters. Specifically, the Commission 
believes that ATSs meeting the volume thresholds in the definition of 
``SCI ATS'' for the first time should be provided an additional six 
months from the time that the ATS first meets the applicable thresholds 
to comply with the requirements of Regulation SCI.\1381\ The Commission 
believes that this additional six-month period is appropriate and 
necessary to allow an SCI ATS the time needed to take steps to meet the 
requirements of the rules, rather than requiring compliance immediately 
upon meeting the volume thresholds. The Commission also believes that 
this additional compliance period should give a new ATS entrant the 
opportunity to initiate and develop its business by allowing additional 
time before a new ATS must incur the costs associated with compliance 
with Regulation SCI.\1382\
---------------------------------------------------------------------------

    \1381\ See supra note 1365 and accompanying text. See also supra 
Section IV.A.1.b (discussing the definition of ``SCI ATS,'' 
including the applicable volume thresholds and the inclusion of a 
six-month compliance period within the definition). For example, if 
a new ATS begins operations in January 2016 and subsequently meets 
the volume thresholds in the definition of ``SCI ATS'' for four out 
of the six months ending December 31, 2016, it would have until June 
30, 2017 to become compliant with the requirements of Regulation 
SCI.
    \1382\ See supra note 152 and accompanying text.
---------------------------------------------------------------------------

    The Commission is also adopting a longer compliance period with 
regard to the industry- or sector-wide coordinated testing requirement 
in adopted Rule 1004(d).\1383\ Specifically, SCI entities will have 21 
months from the Effective Date to coordinate the testing of an SCI 
entity's business continuity and disaster recovery plans on an 
industry- or sector-wide basis with other SCI entities pursuant to 
adopted Rule 1004(d). Given that the compliance date for the other 
requirements of Regulation SCI is nine months from the Effective Date, 
this will provide SCI entities an additional year (12 months) beyond 
the compliance date for the other requirements of Regulation SCI (for a 
total of 21 months) to comply with Rule 1004(d). The Commission 
believes that this additional time period is appropriate in light of 
commenters' concerns regarding the complexity and logistical challenges 
posed by the requirement.\1384\ The Commission expects SCI entities to 
work cooperatively to address these logistical hurdles and to carefully 
plan such testing, and believes that the additional time for compliance 
should help to ensure that such testing is implemented effectively.
---------------------------------------------------------------------------

    \1383\ See supra Section IV.B.6.b.iv (discussing the coordinated 
testing requirement of adopted Rule 1004(d)).
    \1384\ See id.
---------------------------------------------------------------------------

    If any provision of Regulation SCI, or the application thereof to 
any person or circumstance, is held to be invalid, such invalidity 
shall not affect other provisions or application of such provisions to 
other persons or circumstances that can be given effect without the 
invalid provision or application.

V. Paperwork Reduction Act

    Certain rules under Regulation SCI impose new ``collection of 
information'' requirements within the meaning of the Paperwork 
Reduction Act of 1995 (``PRA'').\1385\ An agency may not conduct or 
sponsor, and a person is not required to respond to, a collection of 
information unless it displays a currently valid control number. In 
accordance with 44 U.S.C. 3507 and 5 CFR 1320.11, the Commission 
submitted these collections of information to the Office of Management 
and Budget (``OMB'') for review. The title for the collection of 
information requirement is ``Regulation Systems Compliance and 
Integrity.'' The collection of information was assigned OMB Control No. 
3235-0703.
---------------------------------------------------------------------------

    \1385\ 44 U.S.C. 3501 et seq.
---------------------------------------------------------------------------

    In the SCI Proposal, the Commission solicited comments on the 
collection of information burdens associated with Regulation SCI. In 
particular, the Commission asked whether commenters agree with the 
Commission's estimate of the number of respondents and the burden 
associated with compliance with Regulation SCI.\1386\ In addition, the 
Commission asked whether SCI entities would outsource the work 
associated with compliance with Regulation SCI.\1387\ Some commenters 
noted that the Commission underestimated the burdens that would be 
imposed by proposed Regulation SCI.\1388\ As discussed above, the 
Commission received 60 comment letters on the proposal. Some of these 
comments relate directly or indirectly to the PRA. These comments are 
addressed below.
---------------------------------------------------------------------------

    \1386\ See Proposing Release, supra note 13, at 18155.
    \1387\ See id. at 18154-55.
    \1388\ See, e.g., Joint SRO Letter at 18-19; CME Letter at 4-5; 
OCC Letter at 11-12.
---------------------------------------------------------------------------

A. Summary of Collection of Information

    Regulation SCI includes four categories of obligations that require 
a collection of information within the meaning of the PRA. 
Specifically, an SCI entity is required to: (1) Establish specified 
written policies and procedures, and mandate participation by 
designated members or participants in certain testing of the SCI 
entity's business continuity and disaster recovery plans; (2) provide 
certain notifications, disseminate certain information, and create 
reports; (3) take corrective actions, and identify critical SCI 
systems, major SCI events, de minimis SCI events, and material systems 
changes; and (4) comply with recordkeeping requirements.
1. Requirements To Establish Written Policies and Procedures and 
Mandate Participation in Certain Testing
    Rule 1001 requires SCI entities to establish policies and 
procedures with respect to various matters. Rule 1001(a) requires each 
SCI entity to establish, maintain, and enforce written policies and 
procedures reasonably designed to ensure that its SCI systems and, for 
purposes of security standards, indirect SCI systems, have levels of 
capacity,

[[Page 72369]]

integrity, resiliency, availability, and security, adequate to maintain 
the SCI entity's operational capability and promote the maintenance of 
fair and orderly markets. Rule 1001(a)(2) specifies that such policies 
and procedures are required to include, at a minimum: (i) The 
establishment of reasonable current and future technology 
infrastructure capacity planning estimates; (ii) periodic capacity 
stress tests of such systems to determine their ability to process 
transactions in an accurate, timely, and efficient manner; (iii) a 
program to review and keep current systems development and testing 
methodology for such systems; (iv) regular reviews and testing, as 
applicable, of such systems, including backup systems, to identify 
vulnerabilities pertaining to internal and external threats, physical 
hazards, and natural or manmade disasters; (v) business continuity and 
disaster recovery plans that include maintaining backup and recovery 
capabilities sufficiently resilient and geographically diverse and that 
are reasonably designed to achieve next business day resumption of 
trading and two-hour resumption of critical SCI systems following a 
wide-scale disruption; (vi) standards that result in such systems being 
designed, developed, tested, maintained, operated, and surveilled in a 
manner that facilitates the successful collection, processing, and 
dissemination of market data; and (vii) monitoring of such systems to 
identify potential SCI events. Rule 1001(a)(3) requires each SCI entity 
to periodically review the effectiveness of the policies and procedures 
required by Rule 1001(a), and take prompt action to remedy deficiencies 
in such policies and procedures. Rule 1001(a)(4) states that an SCI 
entity's policies and procedures shall be deemed to be reasonably 
designed if they are consistent with current SCI industry standards, 
which are required to be comprised of information technology practices 
that are widely available to information technology professionals in 
the financial sector and issued by an authoritative body that is a U.S. 
governmental entity or agency, association of U.S. governmental 
entities or agencies, or widely recognized organization, though 
compliance with current SCI industry standards is not the exclusive 
means to comply with the requirements of Rule 1001(a).
    Rule 1001(b)(1) requires each SCI entity to establish, maintain, 
and enforce written policies and procedures reasonably designed to 
ensure that its SCI systems operate in a manner that complies with the 
Act and rules and regulations thereunder and the entity's rules and 
governing documents, as applicable. Rule 1001(b)(2) specifies that such 
policies and procedures are required to include, at a minimum: (i) 
Testing of all SCI systems and any changes to SCI systems prior to 
implementation; (ii) a system of internal controls over changes to SCI 
systems; (iii) a plan for assessments of the functionality of SCI 
systems designed to detect systems compliance issues, including by 
responsible SCI per