Reg SCI: Ready for Opening Bell?

Dan Ryan is Leader of the Financial Services Advisory Practice at PricewaterhouseCoopers LLP. This post is based on a PwC publication by Mr. Ryan, Mike Alix, Adam Gilbert, and Armen Meyer. The complete publication, including footnotes, is available here.

Less than three months remain before the November 3rd, 2015 go-live date of Regulation Systems Compliance and Integrity (“Reg SCI”). While some impacted entities have made great progress toward compliance since the rule was finalized last December, many still have a great deal to do.

Reg SCI is a wide-reaching new regulatory regime aimed at improving the SEC’s oversight of the US securities market and the market’s operational stability. The rule applies to about 35 entities that make up the core of the market’s technological infrastructure (“SCI entities”).

Perhaps the most pressing activity for SCI entities is preparing for the completion of their first annual review by December 31st of this year. This annual review must be performed by the entity’s “objective personnel”—i.e., people who were not involved in the development, testing, or implementation of the relevant systems (or involved in the Reg SCI compliance program itself). Many SCI entities are working to assemble teams of such personnel to carry out the review, which will include detailing the state of the entity’s compliance and identifying needed remediation.

SCI entities are simultaneously making progress in other compliance areas, especially categorizing their systems and implementing security controls. They are also finalizing Reg SCI policies and procedures and locating appropriate backup facilities for relevant systems. However, efforts to ensure that their third party vendors will be compliant with the rule have slowed due to uncertainty regarding the rule’s reach.

To aid SCI entities’ compliance efforts, the SEC has published a list of questions that may be asked during a Reg SCI examination and also established the SEC Outreach Program. Although we expect further SEC guidance in the coming months (particularly on third party vendor compliance), SCI entities should in our view continue making progress. They should be analyzing their third party vendors and documenting the basis for whether or not they likely perform a “key function” in order to be ready to determine the vendors’ in-or-out status shortly following the expected guidance.

As these compliance efforts will continue to necessitate systems changes in the next few months (by definition increasing the risk of “SCI events”), entities should consider temporarily freezing system changes shortly ahead of the November 3rd, 2015 effective date to reduce the risk of early SCI events. To further ensure a smooth transition, entities should also provide scenario-based training to employees to prepare them for potential SCI events during the initial compliance period and beyond.

This post provides our view of the most significant compliance challenges faced by firms, and what firms should be doing now.

Compliance challenges ahead of November 3rd, 2015

Based on our observations of SCI entities’ compliance efforts so far, we believe their attention will be focused on the following seven areas as the November 3rd go-live date approaches.

Finding “objective personnel”

SCI entities must complete their first annual compliance review by December 31st (“SCI Review”) and submit the report to the SEC by March 31, 2016. The SCI Review must be carried out by objective personnel with appropriate experience conducting similar reviews (e.g., reviews of systems).

The need for both objectivity and experience has reduced the pool of personnel at SCI entities who are capable of conducting these reviews. Many potential candidates are ruled out due to their past engagement with SCI systems, while functions like internal audit that usually meet the objectivity requirement often do not have sufficient capacity to perform the task.

As a result, entities are considering (a) temporarily reassigning personnel from other internal IT audit activities, (b) hiring new employees, or (c) engaging third parties to carry out the SCI Review. Regardless of who performs the SCI Review, firms should document their annual review process including their evaluation of the reviewer’s objectivity, which we expect to be an area of focus for SEC examiners.

Identification of system risks

The annual SCI Review must include a risk assessment of SCI systems, together with a review of the design and effectiveness of the associated internal controls (including security, development processes, and information technology governance).

As part of their Reg SCI compliance efforts, many SCI entities have already revisited their past systems issues and re-evaluated the improvements made to mitigate the risk of a recurrence. Furthermore, entities have reviewed their systems architecture and are now working to address weaknesses (e.g., single points of failure and undesirable system interdependencies). They are also enhancing their system monitoring to improve the detection of anomalies and prevent future systems disruptions.

SCI entities should further supplement these efforts with policies and procedures for the identification and management of risks, and with continuous improvement of internal controls design and effectiveness. Referencing the adage “if you can’t measure it, you can’t improve it,” SCI entities should define, measure, and report internal controls metrics to senior management on an ongoing basis (e.g., number of SCI events and de minimis events, software defects, and emergency system changes) to drive improvements over time.

Scrutiny of systems categorization and security controls

The rule sets the requirements for each SCI system based on its operational criticality and the impact the system’s malfunction would have on the securities market. To that end, each SCI system must be evaluated by the entity and assigned to one of the three system categories defined by the rule: critical SCI systems, SCI systems, and indirect SCI systems.

We believe that this categorization process will be among the first areas of focus for SEC examiners, as will systems security (based on this categorization), given the increasing frequency and impact of cyber incidents. Examiners will seek to determine whether systems were appropriately categorized, and whether security controls effectively wall off SCI systems from non-SCI systems. They will also focus on whether SCI events were correctly reported.

To secure their systems, entities have most commonly implemented firewalls and controls over both the source and type of network traffic between SCI and non-SCI systems. However, to meet the tougher Reg SCI requirements, entities should also consider more stringent access controls for system administrators (e.g., two-factor authentication), purpose-built measures to prevent direct access to SCI systems from administrator desktops (e.g., jump hosts), and user behavior analytics to identify abnormal behavior and mitigate threats from trusted insiders. All of these controls should be appropriately documented and adequately tested in preparation for the SCI Review and future SEC examinations.

Lack of clarity with respect to third party vendors

Reg SCI applies the same requirements to systems that directly support the “key functions” of SCI entities regardless of whether they are operated by the SCI entity itself or by a third party vendor. However, the rule’s unclear definition of “key functions” has challenged SCI entities that are trying to determine the exact limits of the rule’s reach into third parties.

As a result, many SCI entities have not yet determined all of their third party vendors that will fall within the rule’s scope. An industry consensus has formed to exclude from the rule’s scope public utilities (e.g., electricity providers and telecommunications providers) and vendors providing commercially available, industry-agnostic products.

While a wait-and-see strategy (i.e., waiting for clarifying guidance from the SEC) may seem appealing to SCI entities at this point, SCI entities will ultimately be held responsible for their vendors’ compliance, so they should be analyzing each third party service provider and documenting the basis for whether or not they likely perform a “key function.” They should also attempt to determine their vendors’ potential compliance challenges.

Some SCI entities have started the analysis and are sharing the results with the SEC through the Outreach Program and engagement with SEC staff, to better inform anticipated SEC guidance.

Finally, SCI entities should assess the adequacy of their policies and procedures for third party oversight and risk management. In doing so, they should be prepared to demonstrate the efficacy of security controls in place that prevent third parties from accessing SCI systems beyond the third party’s purview.

Compliance monitoring

Under the rule, SCI entities must ensure that SCI systems operate in compliance with applicable rules and regulations, and they must report instances of non-compliance to the SEC as they arise.

As a result, entities have been creating a comprehensive inventory of applicable rules and regulations governing key market functions. In addition, most firms have by now assessed and identified gaps in their current event monitoring and detection capabilities.

Closing these gaps can be challenging and costly, as doing so often requires significant systems analysis and investment in monitoring and reporting infrastructure.

While addressing compliance gaps, entities should also consider investments in automated software testing capabilities to facilitate consistent testing of software enhancements, and to provide greater assurance that enhanced SCI systems will continue to operate in compliance with applicable rules and regulations. Improved testing capabilities can also provide critical data to evidence Reg SCI compliance.

Finally, it is important that entities’ software development processes include frequent engagement of internal regulatory staff. As conveyed by the SEC, regulatory staff must have a holistic view of proposed systems changes, and have the opportunity to evaluate their impact to ensure that SCI systems will remain compliant with applicable rules and regulations once the changes take effect.

Maintaining backup facilities

SCI entities are required to maintain backup facilities that would allow the entity to resume its activities within a short period following a wide-scale disruption. The rule also requires that these facilities be geographically separated from the entity’s main facilities in order to reduce the risk of both locations being impacted by the same disruptive force (e.g., natural disasters). However, since the rule does not prescribe a minimum distance between the main and backup facilities, the decision has been left to entities themselves, and leading SCI entities are consequently considering out-of-region recovery centers.

Aligned with the rule’s risk-based approach, SCI entities should determine their backup site location by considering probable disruptive events (e.g., natural disasters typically affecting the area). Pending further guidance from the SEC, this decision can be informed by industry best practices and lessons learned in the aftermath of Hurricane Sandy (compiled by the SEC, FINRA, and CFTC). SCI entities should also ensure that they have designated a minimum number of their members or participants (necessary to create a fair and orderly market) to connect to the backup facility following a disruptive event.

Additionally, SCI entities should ensure that the ultimate backup site location and the process and rationale leading to that choice are well documented, as we expect examiners to ask detailed questions around consideration of risks and corresponding mitigating measures.

Collaboration between internal functions

Like other financial services firms, SCI entities have become increasingly subject to cyber attacks. Due to the risks such attacks pose beyond the targeted firm, the rule requires written notice to the SEC within 24 hours of any responsible personnel becoming aware of a systems intrusion.

This requirement compels the information security, technology, legal, and compliance teams to develop a coordinated breach response process. To that end, firms should create cross-functional teams with clear assignment of responsibility, lines of communication, and governance in order to support internal and external reporting. The benefits of such action would go beyond Reg SCI compliance and help ensure that any cyber attack is promptly escalated to the entity’s senior management in order to facilitate timely recovery.
