Digital Resilience in the US: SEC amendments follow EU counterparts
The U.S. SEC has published proposed amendments that will expand and update Regulation SCI to focus more on the evolving landscape of digital resilience.
Operational resilience has, for the past few years, been the poster child of UK and EU regulators. Following the technological fallout from COVID-19, and paired with ever-increasing digitization of financial services, operational resilience for technology is front and center.
However, while the EU charges ahead with the Digital Operational Resilience Act (affectionately known as DORA), and the UK awaits responses to a Discussion Paper on operational resilience for critical third parties, the U.S. has set its sights elsewhere (communications and recordkeeping, to be specific).
That is, until now when, on March 15, 2023, the Securities and Exchange Commission (SEC) glanced up from enforcement action for off-channel communication and proposed a significant expansion and modernization of Regulation SCI.
A brief history of Regulation SCI
Regulation Systems Compliance and Integrity (Regulation SCI) was initially adopted in 2014 and comprises a set of rules aimed at addressing the technological vulnerabilities of U.S. securities markets. It was designed to give the SEC oversight of the core technology used by securities firms, and to hold those firms to account for mitigating the risks posed by emerging and expiring tech.
However, since its implementation in 2014, Regulation SCI has not been updated. Given the pace and advancement of technology since 2014, this means that the current rule is considerably out of date. The SEC is therefore looking to modernize the new rule, acknowledging that “the growth in electronic trading allows ever-increasing volumes of securities transactions”, but that new market participants are “highly dependent on interconnected technology”.
As well as this, increasingly remote workforces and outsourced services now means that the use of technology within financial services is far broader, and therefore far riskier, than it was in 2014.
Expanding the application of Regulation SCI
In a bid to reflect the emerging reliance on technology within financial services, the SEC is expanding the reach of Regulation SCI so that it applies to a broader range of financial entities.
Currently, Regulation SCI includes self-regulatory organizations, alternative trading systems that meet certain volume stock thresholds, exclusive disseminators of consolidated market data, certain exempt clearing agencies, and certain competing consolidators of market data.
Under the proposed amendments, firms obliged to comply with Regulation SCI will be expanded to include regulated security-based swap data repositories, all clearing agencies exempted from registration, and certain broker-dealers that meet the requisite threshold. These new entities will need to adhere to existing Regulation SCI requirements, as well as a string of new developments.
New obligations for digital resilience
As well as expanding the firms that must comply with Regulation SCI, the SEC’s new proposals aim to strengthen and modernize the existing rule. In a bid to keep pace with emergent technological risk, the new proposals ask that firms include a number of new provisions within their policies and procedures, including:
+ An inventory, classification, and lifecycle management program for SCI systems
+ A program to manage and oversee third-party providers, including cloud service providers, that support of provide SCI
+ Business continuity and disaster recovery plans to address what would happen if a third-party SCI provider were to suffer an outage
+ A program to prevent unauthorized access to SCI systems and the information held within those systems
+ The identification of current SCI industry standards and assurance that any policies and procedures are consistent with those standards
In addition to these new provisions, the SEC wants to see that firms are including key third-party providers in their annual business continuity and disaster recovery testing. Testing forms a key focus of the SEC’s proposed changes, with a new obligation on firms to conduct annual penetration tests of the operational effectiveness of internal controls and the controls of third-party providers.
Third party or late to the party?
The SEC’s amendment broadly echoes regulatory movements of its European counterparts. However, where DORA came into effect in January 2023, the SEC is only now publishing proposals to consider the emerging risks of technological and third-party reliance. The same is true of proposed oversight requirements for investment advisers, published in October 2022, which set out six new areas of focus for due diligence, if implemented.
If anything, this serves to show the cyclical nature of financial regulation, which is often driven by the borrowing of ideas overseas. The SEC has placed a clear focus on compliant communications in the last few months, while UK-based firms have been grappling with questions around business continuity and the extent to which they must test for technological fall-over. The SEC is now approaching operational resilience, likely in the same way that the FCA will begin to focus on off-channel communication in the coming months.
Compliance teams should adopt the same approach and learn from their peers across the pond. If operational resilience is a daunting task, ask how those who have already grappled with it managed. If you don’t have a strategy for compliant communications, explore how US-based firms are tackling it after months of enforcement action.
Curiosity killed the cat, but breathes life into compliance
The key component here is proactive curiosity. Firms that take the time to consider what these proposed changes mean for their firm ahead of time will likely thrive in a heavily regulated environment. Increased concern around operational resilience is here, and firms should not wait for rule implementation before addressing their weaknesses. Consider:
– Will these amended rules now apply to your business?
– Is old or untested technology posing risks to your business?
– Do you have a plan if your technology fails? What about that of third-party vendors?
– Do you have defensible policies and procedures for digital resilience?
Risk doesn’t appear overnight, nor should it be tackled solely to meet regulatory obligations. It is insidious, and should be addressed in the due course of business operations.
The operational and digital resilience of third-party providers is becoming an increasing focus of global regulators. Choose a compliant communications solution that will withstand regulatory scrutiny, such as Global Relay.
