The Securities and Exchange Commission proposed amendments to expand and update Regulation Systems Compliance and Integrity (SCI), the set of rules adopted in 2014 to help address technological vulnerabilities in the US securities markets and improve SEC oversight of the core technology of key US securities markets entities (SCI entities).
The growth in electronic trading allows ever-increasing volumes of securities transactions in a broader range of asset classes at increasing speed by competing trading platforms, including those offered by broker-dealers that play multiple roles in the markets. New types of registered entities that are highly dependent on interconnected technology have entered the markets. The prevalence of remote workforces and increased outsourcing to third party providers continue to drive the markets’ and market participants’ reliance on new and evolving technology.
To reflect technological developments in the markets, the proposed amendments would expand the scope of SCI entities to include registered security-based swap data repositories; all clearing agencies that are exempt from registration; and certain large broker-dealers, in particular, those that exceed a total assets threshold or a transaction activity threshold in national market system stocks, exchange-listed options contracts, US Treasury securities, or Agency securities.
In addition, the SEC reopened the comment period for proposed cybersecurity risk management rules and amendments for registered investment advisers and funds.
The proposal would require all market entities to implement policies and procedures that are reasonably designed to address their cybersecurity risks and, at least annually, review and assess the design and effectiveness of their cybersecurity policies and procedures, including whether they reflect changes in cybersecurity risk over the time period covered by the review. A “covered entity” would need to report information about a significant cybersecurity incident promptly, but no later than 48 hours, after having a reasonable basis to conclude that the incident has occurred or is occurring.
Covered entities are certain broker-dealers, the Municipal Securities Rulemaking Board (MSRB), and all clearing agencies, national securities associations, national securities exchanges, Security-Based Swap Data Repositories (SBSDRs), Security-Based Swap Dealers (SBSDs) and transfer agents.